I have a worker running through a subdomain. I have a limit of 100k requests per day, but sometimes I get malicious traffic that consumes my entire daily request limit. I looked into rate limiting, but I can’t find an option to apply it to the whole subdomain. It’s only showing a URL path option.
Also, if that is not possible, what else can I do to stop malicious traffic?
You could go with / for the path; however, that’s not the ideal solution and cannot be accomplished, since it’ll match every request.
You’d have to upgrade to at least the Pro plan to have such fields available to you, and even better WAF with Managed Rules and better performance overall.
If I may add here as a really good reference with updated info for further cases in terms of security and protection with Cloudflare from my colleague:
We can lock down our web host and allow only Cloudflare to connect, and similar techniques:
Nevertheless, consider blocking some of the known “bad user-agents”, “crawlers” or “bad ASNs” using the posts below:
Last but not least, kindly see more by reading the Cloudflare articles, which contain a lot of helpful information for better understanding and usage in terms of Security and Protection:
If you’re on Pro or above, you can also slow down / re-route malicious requests with Snippets before they hit Workers: Slow down suspicious requests · Cloudflare Rules docs. Snippets can be triggered based on the filter expression, so you can use hostname, user-agent, country, ASN or any other pattern to invoke your code.
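A sketch of the kind of Snippet the last reply describes, as an added example that is not code from this thread or from Cloudflare's documentation: it delays requests with scripted or empty user-agents and rejects listed ASNs, but only on the protected hostname. The hostname, user-agent pattern and ASN values are constructed placeholders, and it assumes `request.cf.asn` is populated as it is in Workers.

```javascript
// Constructed sample values: replace with your own hostname and block lists.
const PROTECTED_HOST = "worker.example.com";
// Scripted clients and empty user-agents (pattern is illustrative only).
const SUSPICIOUS_UA = /(curl|python-requests|scrapy|^$)/i;
// ASNs from the range reserved for documentation (RFC 5398), as placeholders.
const BLOCKED_ASNS = new Set([64496, 64511]);
const DELAY_MS = 5000;

// Pure decision function so the policy can be tested without a network.
// Returns "pass", "delay" or "block".
function classify({ hostname, userAgent, asn }) {
  if (hostname !== PROTECTED_HOST) return "pass"; // other hosts are untouched
  if (BLOCKED_ASNS.has(asn)) return "block";
  if (SUSPICIOUS_UA.test(userAgent || "")) return "delay";
  return "pass";
}

const sleep = (ms) => new Promise((resolve) => setTimeout(resolve, ms));

const handler = {
  async fetch(request) {
    const url = new URL(request.url);
    const action = classify({
      hostname: url.hostname,
      userAgent: request.headers.get("user-agent"),
      asn: request.cf?.asn, // assumption: request.cf is available as in Workers
    });
    if (action === "block") {
      // Answer directly so the request goes no further.
      return new Response("Forbidden", { status: 403 });
    }
    if (action === "delay") {
      // Tarpit: make high-volume scripted traffic slow for the sender.
      await sleep(DELAY_MS);
    }
    return fetch(request); // continue to the Worker / origin
  },
};
// When deployed as a Snippet, finish the file with: export default handler;
```

The same hostname condition can also go in the Snippet rule's filter expression, so the code only runs for the subdomain in question.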