Cloudflare's equivalent of AWS CF x-origin-verify

jakatsavras · June 3, 2023, 8:20am

Hello,

In AWS when configuring a CloudFront you are able to set a x-origin-verify header and with a long static string (sort of token) as a value. This header is checked by the origin server (in this case a load balancer) to make sure the string (token) matches. This is to make sure the request comes from the CloudFront distribution

We would like to start using Cloudflare for the DNS. Is there a way to set an equivalent header with a string (token) that a load balance can check to ensure the request comes from Cloudflare?

albert · June 3, 2023, 10:43am

First and foremost, you should:

Ensure your origin server only accepts connections from Cloudflare’s IP ranges.
Ensure your origin server only accepts requests with a HTTP Host header matching your website’s domain.

You can add a request header containing a pre-shared key using Transform Rules, however, this is not best practice for securing your origin server.

Please take a look at this post for more information on how to best secure your origin server:

Topic		Replies	Views
在originRules里面，如何主机标头重写？ Website, Application, Performance	0	580	November 13, 2023
CDN should provide CF-Zone-Id header Feature Request Submitting & Feedback	0	960	July 25, 2023
Authenticated Origin Pull on load balancer Security	3	1514	January 1, 2023
Can you use load balancer monitoring with authenticated origin pulls? Website, Application, Performance	2	4703	February 7, 2021
Why not use Authenticated Origin Pulls to secure origins for Cloudflare Access? Access dash-ssl-tls	5	5092	May 29, 2019

Cloudflare's equivalent of AWS CF x-origin-verify

Related topics