Cloudflare CDN should set a header CF-Zone-Id and it should contain the ID of the Cloudflare zone on behalf of which this request was processed by Cloudflare. Cloudflare should block any other way (like Cloudflare Workers, or header override rules) from setting CF-Zone-Id on requests that originate from a Cloudflare IP address. In other words, the header should be “unforgeable”.
Justification: Currently, making sure on the origin that an incoming request was processed by one’s Cloudflare security settings (WAF, captchas, etc.) is unnecessarily cumbersome.
- If I use host header overrides, for example because my origin requires the host header to be set to some value that is not equal to the external-facing domain name, then I cannot just check the host header to ensure that a request originating from a Cloudflare IP was processed on behalf of my zone.
- I can still use authenticated origin pulls; however, I cannot use the shared, pre-set Cloudflare certificate and instead need to use a custom per-zone or per-hostname certificate to ensure that other Cloudflare customers cannot use workers or host header overrides to circumvent my security settings. Configuring this certificate is a hassle.
I would instead like to be able to rely on the combination of the unforgeable header ‘CF-Zone-Id’ and either the shared authenticated origin pull certificate or the Cloudflare source IP address.
There is already a precedent for such headers in the form of the CF-Worker header, see “Is the CF-Worker header from worker fetch() reliable?”.
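The origin-side check this request would make possible, as an added example that is not part of the original post. CF-Zone-Id is the header proposed above, not one Cloudflare sends today; the function names, the sample zone ID and the address ranges are constructed placeholders, and `peer_ip` is assumed to be the TCP peer address rather than a forwarded-for header.

```python
import ipaddress

# Placeholder ranges from documentation address space (constructed); in
# production, load the address ranges that Cloudflare publishes instead.
EDGE_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8::/32")]

# Constructed sample value standing in for the origin owner's own zone ID.
EXPECTED_ZONE_ID = "0123456789abcdef0123456789abcdef"


def from_edge(peer_ip: str) -> bool:
    """True if the TCP peer address lies in one of the trusted edge ranges."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False  # unparsable peer address: never trusted
    return any(addr in net for net in EDGE_RANGES)


def accept_request(peer_ip: str, headers: list[tuple[str, str]]) -> bool:
    """Decide whether the origin should serve this request.

    `headers` is the raw list of (name, value) pairs, so that a header
    sent more than once stays visible instead of being merged.
    """
    if not from_edge(peer_ip):
        # Outside the edge ranges anyone can send CF-Zone-Id, so the
        # header carries no meaning without the source check.
        return False
    zone_ids = [v.strip() for k, v in headers if k.lower() == "cf-zone-id"]
    if len(zone_ids) != 1:
        # Missing, or present twice: reject rather than pick one value.
        return False
    # The zone ID is an identifier, not a secret, so plain equality is enough.
    return zone_ids[0] == EXPECTED_ZONE_ID
```

The check only has value if the edge strips or overwrites any CF-Zone-Id supplied by clients, workers or header rules, which is the guarantee the post asks for.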