Issue Summary: My Ruby on Rails application deployed on Railway is experiencing intermittent 403 Forbidden errors on state-changing POST requests (such as creating posts or comments).

Technical Details:Server Logs: The Rails logs indicate that the POST requests are completely successful, returning a 302 Found database commit and initiating a redirect.

The Error: Immediately following the redirect, the client browser receives a hard 403 Forbidden response at the network edge (GET requests stall out or drop).

The Trigger: This behavior occurs consistently when the POST payload contains raw HTML strings (generated by the Summernote rich text editor, e.g., , ). Standard, plain-text posts route with no issues. My application has built-in sanitization, but the traffic is being dropped before the application layer can fully complete the handshake cycle.

Question for Support:Is there a Web Application Firewall (WAF), automated XSS filter, or Cloudflare edge rule built into Railway's proxy infrastructure that is flagging raw HTML form parameters? If so, how can I configure or whitelist my custom domain to bypass these automated text-matching rules so my application can accept rich text edits directly?

I am tired of the AI blocking access to my app and users seeing a blank page with "Forbidden" when they already did their 2 factor login and are trying to post html content.