CF is caching resources behind HTTP authentication and serving them without any auth


#1

Isn’t this a security issue?

If a resource, let’s say an image, is not served by my server without a successful HTTP auth, why is CF serving it publicly?

Cloudflare should not cache them, or cache them but make sure to serve them only if the client is sending valid credentials (which may be not so feasible)


#2

Sounds like you’re using ‘cache everything’.
You can disable it for single files or entire folders with Page Rules.


#3

I am using default settings, that’s why I said an image, because images are cached by default. But also css and js


#4

Both of these are possible. If you don’t want Cloudflare to cache those resources you can return a header to tell us not to https://support.cloudflare.com/hc/en-us/articles/202775670-How-Do-I-Tell-Cloudflare-What-to-Cache- or create a page rule for the assets set to bypass.

You can also set a private cache key using Cloudflare Workers. https://developers.cloudflare.com/workers/recipes/signed-requests/
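The first option in the reply above, setting a response header at the origin so the edge does not cache authenticated resources, as an added example using only the Python standard library (not code from the thread or from Cloudflare; the realm, the `alice` credential and the `/` resource are constructed placeholders):

```python
"""Origin-side fix for the thread's problem: responses that depend on HTTP Basic auth
are marked uncacheable, so an edge cache never stores them under a key shared by all clients.
Constructed example; realm and credentials are placeholders."""
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

REALM = "restricted"
USERS = {"alice": "s3cret"}  # constructed demo credential; never hard-code in production
# Directives a conforming shared cache honours; Cloudflare treats no-store / private
# as "do not cache" even for extensions (png, css, js) it caches by default.
PRIVATE_CACHE_CONTROL = "private, no-store, no-cache, max-age=0"

def credentials_ok(authorization_header):
    """True only for a well-formed 'Basic base64(user:password)' value that matches."""
    if not authorization_header or not authorization_header.startswith("Basic "):
        return False
    try:
        raw = base64.b64decode(authorization_header[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # bad base64 or bad UTF-8
        return False
    user, _, password = raw.partition(":")
    expected = USERS.get(user, "")
    # constant-time comparison; the empty default keeps unknown users on the same path
    return expected != "" and hmac.compare_digest(expected.encode(), password.encode())

def protected_headers(authorized):
    """Headers for a protected resource: both the 401 challenge and the 200 body are
    private; Vary: Authorization stops cross-user reuse in caches that honour Vary."""
    headers = {"Cache-Control": PRIVATE_CACHE_CONTROL, "Vary": "Authorization"}
    if not authorized:
        headers["WWW-Authenticate"] = 'Basic realm="%s", charset="UTF-8"' % REALM
    return headers

class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        authorized = credentials_ok(self.headers.get("Authorization"))
        body = b"<secret image bytes>" if authorized else b"authentication required\n"
        self.send_response(200 if authorized else 401)
        for name, value in protected_headers(authorized).items():
            self.send_header(name, value)
        self.send_header("Content-Type", "image/png" if authorized else "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Handler).serve_forever()
```

Run it and fetch `/` through the proxy twice, once with credentials and once without; with these headers the second request must still get a 401 rather than a cached copy of the body.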