Hi.
We are planning to start using Image Resizing for delivering optimized, resized images that are hosted in some 3rd-party storage location.
My first idea was to use /cdn-cgi/image/ with appropriate width/height/quality options, but I realized that it is extremely easy to abuse, since a malicious user can just loop over sizes like width=1…1000000 and trigger unlimited production of resized images, which will quickly put a lot of $$$ on our bill.
As a next idea I am considering using “Resize with Cloudflare Workers”, where I can simply check if the request contains some param like size=big and this way restrict invocation of the Resizing API to only a few predefined dimensions.
My question is: will it be cost effective? Such an endpoint can also be abused and called many times, and each call spawns a Worker. Am I correct? Or are there other ways to protect such a setup from making our bill go out of control?
Yes, you can use a Worker to prevent resizing with arbitrary sizes, or add as many checks as you want.
Workers provide a free tier of 100,000 requests/day. In addition to this you can set up WAF, Bot Management or Page Rules to prevent abuse. These settings run before Worker invocation.
You can find the request flow in the Security tab in your dashboard.
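Here is an added example of the kind of Worker this answer describes; it is not code from the thread or from Cloudflare. The Worker reads only a `size` query parameter and maps it to a small table of predefined resize options, so any `width`/`height` a caller appends is ignored and a loop over sizes can only ever produce the few variants in the table. The parameter name `size`, the `SIZES` table, the `KEY_RE` pattern and the upstream host `storage.example.com` are all assumptions made for the example.

```javascript
// Added example: a Cloudflare Worker that forwards only a fixed set of
// predefined sizes to Image Resizing. Names below are constructed for the
// example: the `size` parameter, the SIZES table and the upstream host.

// Allowlist of resize presets. Values are cf.image options understood by
// Workers (width, height, fit, quality).
const SIZES = {
  thumb:  { width: 200,  height: 200, fit: "cover",      quality: 75 },
  medium: { width: 800,               fit: "scale-down", quality: 80 },
  big:    { width: 1600,              fit: "scale-down", quality: 85 },
};

// Assumed third-party storage the images live in (host is constructed).
const ORIGIN = "https://storage.example.com";

// Object keys are restricted to plain path characters plus an image
// extension, so the Worker cannot be pointed at arbitrary upstream paths.
const KEY_RE = /^[A-Za-z0-9_\-/]+\.(jpe?g|png|webp|gif)$/;

// Pure decision function: given the incoming URL, either return the upstream
// URL plus the resize options to apply, or an HTTP error to send back.
function buildResizeRequest(urlString) {
  const url = new URL(urlString);
  const size = url.searchParams.get("size") ?? "medium"; // default preset
  const key = url.pathname.replace(/^\/+/, "");

  // Unknown preset: reject instead of falling back to caller-supplied numbers.
  if (!Object.prototype.hasOwnProperty.call(SIZES, size)) {
    return { error: 400, reason: "unknown size" };
  }
  // Reject keys outside the allowed shape (covers traversal attempts too).
  if (!KEY_RE.test(key) || key.includes("..")) {
    return { error: 400, reason: "bad key" };
  }
  // Only the preset's options are used; any width=/height= on the request
  // URL is never read, so it cannot influence the resize.
  return { upstream: `${ORIGIN}/${key}`, image: { ...SIZES[size] } };
}

// Worker entry point (module syntax). `fetch` with `cf.image` is the Workers
// hook for Image Resizing; the upstream request is cacheable, so repeated
// hits on the same key+preset are served from cache rather than re-resized.
const worker = {
  async fetch(request) {
    const decision = buildResizeRequest(request.url);
    if (decision.error) {
      return new Response(decision.reason, { status: decision.error });
    }
    return fetch(decision.upstream, {
      cf: { image: decision.image, cacheTtl: 86400 },
      headers: { Accept: request.headers.get("Accept") ?? "" },
    });
  },
};
```

Because the preset table is the only source of dimensions, the number of distinct resize operations per image is bounded by the number of presets, which is what keeps the Image Resizing part of the bill predictable; the Worker invocations themselves are still charged, which is where the WAF and rate limiting mentioned above come in.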
Thanks for the info.
With WAF we can, for example, limit traffic by IP (rate limiting) or even block it somehow, but what exactly can we do in Page Rules in the context of my question? Can the request be cached before it gets into the Worker?
Requests are not cached before the Worker, since Worker output is dynamic content. But when the Worker fetches a cacheable asset, that upstream request is cached.
Page Rules in my example are just an auxiliary instrument to adjust security settings.
Since I will be using custom Worker code, can the default URL https:///cdn-cgi/image/ be disabled? Otherwise this is always open to any kind of unwanted requests…