I have a website hosted from a cloud service storage provider - which charges me based on both bandwidth and GET requests. I want to avoid the potential for a malicious actor to exhaust my budget by issuing a large number of requests. My content is static, nothing is dynamic, so caching literally everything is not a problem.
I would want to enable the “Cache Everything” option through page rules, but this overrides “Ignore Query String”. This makes it so that an attacker can just request mypage.html?123 and keep replacing 123 with any random number, and each request will go to my origin server.
How do I work around this? My website is relatively small, and as such options restricted to business & enterprise plans are sadly not an option for me.
@sandro It is just static HTML, and default caching does not cache static HTML - I have to use a page rule for that (at least, that was my understanding?)
No, this is just a precaution to prevent excess billing from my origin host provider (I am also looking at cutting off access programatically if I detect a surge in traffic on the origin server, but I’d like to explore what other options I have first).
Rate limiting is definitely an option I considered - however I don’t really want to impede on legit users’ ability to refresh the page as much as they want while waiting for an update. Is it possible to enable rate limiting only for content that is not cached? So that a user can refresh the cached mypage.html as much as they want.
Thank you both for your replies, hope you have a great weekend!