Cache security and scoping

I’m familiar with the Cache API limits, but I’m thinking what is the scoping mechanism for caching.

Are these limits only for workers run under one plan?

Are cache entries scoped only to the plan under which the current worker runs, or can cache entries created by one worker be accessed by another one, run by another person?

It sounds like you have two questions:

  1. Are space limits per account? I’m pretty sure the answer is yes for all limits.
  2. Can someone else access this data from another worker in another account? I’m pretty sure the answer is no.

@adaptive does a lot of work in this area and can hopefully confirm.

AFAIK the scope is restricted to whatever CF Worker route you point the CF Worker to i.e. domain.com/path/* or domain.com/*. See https://developers.cloudflare.com/workers/about/routes

Thank you @eva2000. This means that every route is isolated then, and no other can view the cache entries? I followed the link to routes, but found no official information about this cache behavior.

Just to clarify, I’m thinking about putting some data in there that I’d like not to be shared with other workers.

Might want to submit a support ticket to get actual clarification though.

Will do.

Hi there,

Thank you for contacting Cloudflare Support. Sorry about the bad automated answer.

Like a website, the assets that are put into the cache via the API, or by request, are only accessible by the account that put them there. To rephrase, I don’t have access to the assets that are put into the cache by your Workers, either by the API or by requesting them directly. So to answer your question directly:

If I put there a payload that should not be public, will other workers (from other accounts) be able to access it?

No. Other Workers cannot access the assets that your Worker has put into the cache.

That being said, once it’s in the cache, it’s publicly available if your Worker is configured to run on a public route. I could have access to the assets if your Worker was written in such a way that all I needed to do was go to the URL that your Worker runs on. In order to make sure that only you can access the assets that were put into the cache, you may have to either use Cloudflare Access to lock down your website to only yourself, use a Firewall Rule to restrict access to the URL that the Worker runs on, or a combination of both.

In the meantime, if you have further questions about this, please don’t hesitate to reach out.

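The support reply above notes that a cached asset is reachable by anyone if the Worker on a public route simply returns it to whoever visits the URL. The following is an added example, not code from the thread or from Cloudflare, of a handler that checks a credential before it reads the cache. The header name `X-Internal-Token`, the secret and the in-memory cache stub are assumptions made for illustration; it complements, and does not replace, the Cloudflare Access and Firewall Rule options named in the reply.

```javascript
// Added example: authorize the caller BEFORE reading from the Cache API.
// ASSUMPTIONS: "X-Internal-Token" and the secret are hypothetical; in a real
// Worker you would pass caches.default as `cache` and a configured secret.

// Constant-time comparison so the check does not leak how much of the token matched.
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string") return false;
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

async function handleRequest(request, cache, secret) {
  // Deny first: an unauthenticated caller must not learn whether an entry
  // exists, and must never receive a cached body.
  const token = request.headers.get("X-Internal-Token");
  if (!secret || !safeEqual(token, secret)) {
    return new Response("Forbidden", { status: 403 });
  }
  const hit = await cache.match(request);
  if (hit) return hit;

  // Cache miss: build the payload (constructed sample) and store a copy.
  const path = new URL(request.url).pathname;
  const fresh = new Response("private payload for " + path, {
    headers: { "Cache-Control": "max-age=60" },
  });
  await cache.put(request, fresh.clone());
  return fresh;
}

// Constructed in-memory stand-in for caches.default so this runs under Node.
function makeStubCache() {
  const store = new Map();
  return {
    async match(req) {
      const res = store.get(req.url);
      return res ? res.clone() : undefined;
    },
    async put(req, res) { store.set(req.url, res); },
    size() { return store.size; },
  };
}
```

In a Worker the same function would be called from the fetch handler with `caches.default` as the cache argument.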

This is awesome!

Thank you!
