Cloudflare Image Resizing - abuse prevention

Hi.
We are planning to start using Image Resizing for delivering optimized, resized images that are hosted in some 3rd-party storage location.
My first idea was to use /cdn-cgi/image/ with appropriate width/height/quality options, but I realized that it is extremely easy to abuse, since a malicious user can just loop over sizes like width=1…1000000 and trigger the production of an unlimited number of resized images, which will quickly add a lot of $$$ to our bill.

As a next idea I am considering using "Resize with Cloudflare Workers", where I can simply check whether the request contains some param like size=big and in this way restrict invocation of the Resizing API to a few predefined dimensions.

My question is: will it be cost effective? Such an endpoint can also be abused and called many times, and each call spawns a Worker. Am I correct? Or are there other ways to protect such a setup from letting our bill get out of control?


Hi,

Yes, you can use a Worker to prevent resizing with arbitrary sizes, or add as many checks as you want.
Workers provide a free tier of 100,000 requests/day. In addition to this you can set up WAF, Bot Management or Page Rules to prevent abuse. These settings run before Worker invocation.

You can find the request flow in the Security tab of your dashboard.


Thanks for the info.
With the WAF we can, for example, limit traffic by IP (rate limiting) or even block it somehow, but what exactly can we do with Page Rules in the context of my question? Can a request be cached before it gets into the Worker?

Requests are not cached before the Worker, since a Worker is dynamic content. But when the Worker fetches a cacheable asset, that upstream request does get cached.

Page Rules in my example are just an auxiliary instrument to adjust security settings,

e.g. you can control security levels: Understanding the Cloudflare Security Level · Cloudflare Support docs


Can you help, mate? I think my website is getting abused. I don't know how to set up these rules. I have opened this thread here: 3K users and 100K images are served per day! Am I getting abused?

Since I will be using custom Worker code, can the default URL https:///cdn-cgi/image/ be disabled? Otherwise this is always open to any kind of unwanted requests…

As an alternative you can use an Authorization header in the fetch request and make the origin authenticate the incoming request.

Note: you need to add "origin-auth": "share-publicly" to the resizing options.

If the origin returns 403, you won't be billed for these requests: FAQ · Cloudflare Image Optimization docs
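The following Worker puts the two answers above together: the first one (a Worker that only ever requests a few predefined sizes, with WAF/rate limiting in front of it) and the one just above (sending an Authorization header with "origin-auth": "share-publicly" so the origin can reject everything that did not come through the Worker). It is an added example written for this page, not code from the thread, from Cloudflare's docs or from any poster. The preset names, the storage URL https://storage.example.com/images/, the /img/<name>.<ext> path layout and the ORIGIN_TOKEN secret binding are assumptions; the `cf.image` option names and the Accept-header format selection follow the Workers image resizing documentation.

```javascript
// Added example (not from the thread): a Cloudflare Worker that only asks
// Image Resizing for a few named presets, proxies only a fixed origin prefix,
// and authenticates to the origin so a bare /cdn-cgi/image/ request without
// the secret gets a 403 (which the FAQ says is not billed).
// All names and URLs are hypothetical.

// The only geometries this Worker will ever request. Client-supplied
// width/height/quality query parameters are ignored, so looping over
// ?width=1..1000000 cannot create new variants. A Map (not a plain object)
// is used so that ?size=constructor or ?size=__proto__ does not resolve to
// something inherited from Object.prototype.
const SIZE_PRESETS = new Map([
  ["thumb", { width: 160, height: 160, fit: "cover" }],
  ["small", { width: 480, fit: "scale-down" }],
  ["big", { width: 1600, fit: "scale-down" }],
]);

// Hypothetical third-party storage location. Only objects under this prefix
// are ever fetched, so the Worker cannot be used as an open image proxy.
const ORIGIN_BASE = "https://storage.example.com/images/";

// Map an incoming request URL to an origin URL plus resizing options, or to
// an HTTP error status. Kept pure so it can be tested without the runtime.
function resolveImageRequest(requestUrl) {
  const url = new URL(requestUrl);
  const presetName = url.searchParams.get("size");
  const preset = SIZE_PRESETS.get(presetName);
  if (!preset) return { status: 400, reason: "unknown size preset" };

  // Accept only /img/<name>.<ext> with a conservative character set. URL
  // parsing has already collapsed ".." segments, and the regex rejects any
  // remaining slashes or percent-escapes, so traversal to other objects fails.
  const m = url.pathname.match(/^\/img\/([A-Za-z0-9_-]+\.(?:jpe?g|png|webp))$/);
  if (!m) return { status: 404, reason: "no such image" };

  return {
    status: 200,
    origin: ORIGIN_BASE + m[1],
    options: { ...preset, quality: 80 },
  };
}

// Choose the output format from the client's Accept header, the way the
// Workers image docs do; null means "keep the original format".
function pickFormat(accept) {
  if (!accept) return null;
  if (/image\/avif/.test(accept)) return "avif";
  if (/image\/webp/.test(accept)) return "webp";
  return null;
}

// Worker entry point. In a real deployment this object is `export default`ed
// and ORIGIN_TOKEN is a secret binding (hypothetical name). Note that the
// Worker still runs once per request; only the number of distinct resizes
// is bounded here. Capping Worker invocations is the job of rate limiting /
// WAF rules, which run before the Worker.
const worker = {
  async fetch(request, env) {
    if (request.method !== "GET") {
      return new Response("method not allowed", { status: 405 });
    }
    const resolved = resolveImageRequest(request.url);
    if (resolved.status !== 200) {
      return new Response(resolved.reason, { status: resolved.status });
    }

    const image = { ...resolved.options };
    const format = pickFormat(request.headers.get("Accept"));
    if (format) image.format = format;
    // Forward our Authorization header to the origin. The origin checks the
    // bearer token and answers 403 to anything else, including direct
    // /cdn-cgi/image/ requests that lack it.
    image["origin-auth"] = "share-publicly";

    const originRequest = new Request(resolved.origin, {
      headers: { Authorization: `Bearer ${env.ORIGIN_TOKEN}` },
    });
    return fetch(originRequest, {
      cf: { image, cacheTtl: 86400, cacheEverything: true },
    });
  },
};
```

The origin side has to do its part: verify the bearer token on every object request and return 403 otherwise. With that in place, the public /cdn-cgi/image/ URL still exists, but any request through it reaches the origin without the token, gets a 403, and is not billed, while the Worker path only ever produces three variants per source image.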
