As I understand it, Cloudflare proxies websockets between the client and server. However, unfortunately Cloudflare’s WAF rules are only applied to the intial connection to the site (subsequently ignoring traffic within the websocket). I would prefer that every request run the gauntlet of my WAF rules, so I’m considering disabling websockets on Cloudflare. Does anyone know how this will affect the end user experience?
I suppose, but Discord and many other customers that utilize the CF WS proxy don’t see it as a problem since they likely have very strict input validation on their server itself. If your main product utilizes WebSockets, you shouldn’t be relying on a WAF anyhow.
Thanks for the response; exactly what I was looking for!