Deny other site requests from Workers

In Cloudflare Workers, I use code like this

if (request.headers.get("Origin") !== "(Website)") { return new Response('Unauthorized', { status: 403 }); }

I set it to reject all requests except those from my website.

However, using the above method, since the server code is executed even when rejecting requests from other websites, it counts towards the 100,000/day limit on the free plan. This means that a malicious user may intentionally send requests to exceed this limit. How can I prevent this?

You can create a WAF rule in front of your worker with something like
not any(lower(http.request.headers["origin"][*])[*] == "Website")
and have it be a block action. Make sure to have the workers.dev route disabled as well to prevent people from bypassing that way.

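How the rule expression in the answer above evaluates, modelled in JavaScript as an added example (not code from the thread or from Cloudflare). `https://app.example` is a constructed stand-in for the "Website" value and the header maps are constructed samples; the model also covers a request with no Origin header and a rule literal that is not lower-case.

```javascript
// Added example: a model of how the WAF expression is evaluated.
// SITE_ORIGIN is a constructed placeholder for the "Website" value in the rule.
const SITE_ORIGIN = "https://app.example";

// `headers` maps a lower-case header name to the array of values received,
// the shape http.request.headers has in the rule language.
// Returns true when the rule matches, i.e. the block action fires.
function ruleBlocks(headers, literal = SITE_ORIGIN) {
  const values = headers["origin"] ?? [];             // absent header: empty array
  const lowered = values.map((v) => v.toLowerCase()); // lower() on every value
  const matches = lowered.map((v) => v === literal);  // == is case-sensitive
  return !matches.some(Boolean);                      // not any(...)
}

// Constructed sample requests (header maps only).
const SAMPLES = [
  { name: "own site", headers: { origin: ["https://app.example"] } },
  { name: "own site, mixed case", headers: { origin: ["HTTPS://App.Example"] } },
  { name: "other site", headers: { origin: ["https://other.example"] } },
  { name: "look-alike suffix", headers: { origin: ["https://app.example.other.example"] } },
  { name: "no Origin header", headers: { accept: ["*/*"] } },
];

// Evaluates every sample against the rule and reports the resulting action.
function decisions(literal = SITE_ORIGIN) {
  return SAMPLES.map((s) => ({
    name: s.name,
    action: ruleBlocks(s.headers, literal) ? "block" : "allow",
  }));
}

console.table(decisions());
// A literal containing upper-case characters can never equal lower()'s output,
// so with such a literal every sample is blocked, the site's own traffic included.
console.table(decisions("https://App.example"));
```

A request that carries no Origin header is blocked as well, and browsers leave that header off same-origin GET and HEAD requests, so check which of the site's own calls to the Worker actually send it before enabling the block action.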
