Discord reports that they intentionally block CF Workers

I reported to Discord that I was getting an HTTP 401 UNAUTHORIZED immediately upon opening a WebSocket connection (with my Durable Object as the client), but only when I opened the connection from Cloudflare. The same code worked when run with wrangler dev --local, and the code worked when running in a Worker if I opened a connection to something like wss://echo.websockets.org instead of Discord.

I got a response from Discord staff:

… due to a layered security approach, we’ve intentionally prevented CF workers from connecting to our Gateway sockets. I’ll try to see if we can update our documentation to include this information. Thank you for taking the time to report this issue, and sorry for the inconvenience around this!

https://github.com/discord/discord-api-docs/issues/6145#issuecomment-1546062971

I just wanted to report this to the community both to document this issue for other people who run into it, and because it seems like something Cloudflare should potentially consider contacting Discord about – one of the most popular APIs out there apparently sees a security risk in allowing Cloudflare customers to use one of their endpoints?

4 Likes
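The three-way comparison described in the post above (same code locally, same Worker against a control endpoint, Worker against the real endpoint), written out as an added example that is not part of the original thread. The function names and the sample hostnames are hypothetical; `probe` assumes the Workers pattern of calling `fetch` with an `Upgrade: websocket` header on an `https://` URL.

```javascript
// Added example: classifyHandshake, probe and diagnose are hypothetical names.

// Map the HTTP status of a WebSocket upgrade attempt to a coarse outcome.
function classifyHandshake(status) {
  if (status === 101) return "upgraded";
  if (status === 401 || status === 403) return "rejected";
  return "other";
}

// Attempt an upgrade the way a Worker does (fetch + Upgrade header).
// fetchImpl is injected so the function can be stubbed outside Workers.
async function probe(fetchImpl, env, target) {
  const res = await fetchImpl(target, { headers: { Upgrade: "websocket" } });
  if (res.webSocket) {
    // Close the socket cleanly; only the handshake status is of interest.
    res.webSocket.accept();
    res.webSocket.close(1000, "probe done");
  }
  return { env, target, status: res.status };
}

// Apply the post's comparison to a list of probe results.
function diagnose(results, env, target) {
  const outcome = (r) => classifyHandshake(r.status);
  const failing = results.find(
    (r) => r.env === env && r.target === target && outcome(r) === "rejected");
  if (!failing) return "no-rejection-observed";
  // Did the same target accept the upgrade from a different environment?
  const sameTargetOtherEnv = results.some(
    (r) => r.env !== env && r.target === target && outcome(r) === "upgraded");
  // Did this environment complete an upgrade against a control target?
  const sameEnvOtherTarget = results.some(
    (r) => r.env === env && r.target !== target && outcome(r) === "upgraded");
  if (sameTargetOtherEnv && sameEnvOtherTarget) return "target-rejects-this-origin";
  if (sameEnvOtherTarget) return "check-request-to-target";
  if (sameTargetOtherEnv) return "check-environment-websocket-support";
  return "inconclusive";
}

// Constructed sample mirroring the post; hostnames are placeholders.
const SAMPLE = [
  { env: "workers", target: "https://gateway.example", status: 401 },
  { env: "local", target: "https://gateway.example", status: 101 },
  { env: "workers", target: "https://echo.example", status: 101 },
];
```

Only the combination of all three observations points at the remote side rejecting the origin; with the local run or the control endpoint missing, the result falls back to checking the request or the environment first.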

Discord uses Cloudflare to protect their infrastructure. Site owners can use the tools to block whatever traffic they choose including traffic that originates from a service they use.

1 Like

Of course - it’s not surprising to me that Discord is able to do this. It just seems like a problem for Cloudflare that Discord feels like they need to do this.

Concretely, it means people can’t build Discord bots on Cloudflare’s developer platform. I wasted a weekend on an implementation of a Discord bot using DOs, and now I will probably have to move to a different host. What other services might surprisingly not want to talk to my Workers?

Try running an HTTP-to-HTTP proxy on fly.io to connect to Discord. You have full header control from Node.js to the Discord servers, so you have to strip the CF-specific headers from the Worker inside the Node.js proxy. Then have your Worker call the HTTP proxy, which calls the final 3rd-party API.