Workers limits count everything.
So, imagine I use a worker for a personal project,
there is no way to “firewall it” to unauthorized requests.
Obviously I implemented it in the worker logic but the counter counts everything.
Since browsers send an OPTIONS request before the actual GET/PUT/DELETE, the counter counts double every request.
Also, if I check the origin or originating ip address and issue a 403, the request is still counted.
Solution:
do not count if the result of the worker is anything different than 200 and do not count if the request is OPTIONS.
While I don’t agree with counting only 200 responses - Cloudflare will have to execute your script regardless of what response you eventually return - perhaps this can be resolved with a combination of putting your Workers on a custom route, on your own domain, and then adding a Firewall rule against that hostname or path that blocks OPTIONS requests.
Is there a better way to do this? Does the suggested option make sense? I’m not an expert either and seeking validation for this solution.