How can I restrict my backend API to only respond to API requests from my frontend hosted by Cloudflare

Hi, Cloudflare is my DNS provider and I’m using the “Accelerate & Protect” feature to protect my backend API endpoints.

Cloudflare is also serving my frontend (React App) via their CDN.

How can I configure the settings so my backend API only responds to API requests from my frontend hosted on Cloudflare? It doesn’t seem like Client Certificates is the solution because those work best for mobile & IoT clients.

Do the front-end API requests come from your server’s IP address?

I don’t think so. My frontend is bundled & minified, and hosted on Cloudflare’s CDNs so I assume the API requests come from my client’s local IP addresses if I’m not mistaken

Can you be more specific as to the source of your app? Is it on Cloudflare Pages, or written into a Worker?

Maybe an easier question: What’s the DNS record for your front end? Is it an “A” record that points to an IP address?

My app is built using Netlify and Cloudflare’s CDN serves my app

The DNS record for my frontend is a CNAME record (using the orange cloud “accelerate and protect” that points to my app on Netlify

Hi, just wanted to follow up here. Any ideas @sdayman? My site was DDoS’d on Thursday from an attacker who used rotating IP addresses and unfortunately Cloudflare’s Rate Limiting was not enough to prevent the attack. Can I restrict my backend to only responding to requests from my frontend & Google Bot?

Your frontend will be all different IPs because it comes from every user who visits. You can make a Firewall Rule to block unless they use a specific User-Agent or something but that’d still be easy for an attacker to just use.

A backend should easily be able to handle thousands of requests a second and have effective caching in place to not need database calls every time

I thought the frontend IPs are from Cloudflare’s list of IPs because Cloudflare is proxying my frontend requests (because Cloudflare also serves my frontend)!

My backend is generally able to handle the load and my backend autoscales as well but I won’t want to overprovision my servers 10x to handle malicious spikes like these:

Do you have any recommendations here?

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.