Deny other site requests from Workers

In Cloudflare Workers, I use code like this

if (request.headers.get("Origin") !== "(Website)") { } return new Response('Unauthorized', { status: 403 }); }

I set it to reject all requests except those from my website.

However, using the above method, since the server code is executed even when rejecting requests from other websites, it counts towards the 100,000/day limit on the free plan. This means that a malicious user may intentionally send requests to exceed this limit. How can I prevent this?

You can create a WAF rule in front of your worker with something like
not any(lower(http.request.headers["origin"])[*] == "Website")
and have it be a block action. Make sure to have the route disabled as well to prevent people from bypassing that way.

1 Like

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.