Is it possible to "spoof" http requests to pretend they're coming from the IP range of Cloudflare workers?

This comes from "How can I guarantee that a request to my database only comes from a legitimate Cloudflare worker?" as background. It’s noted that the range of IPs that are Cloudflare in origin is listed at https://www.cloudflare.com/ips/

The entire idea in the link above is a guarantee that a given referrer/request ONLY comes from Cloudflare, legitimately.

Which leads me to the question. Is it possible for anyone (non-Cloudflare) to make an HTTP request using the Cloudflare IP range, and therefore make it look like that request is legitimately being generated by a Cloudflare worker when it’s not?

1 Like

You could also implement Authenticated Origin Pulls.

Someone could deploy a malicious worker to their account and then the request would come from the Cloudflare IP ranges. You can whitelist Cloudflare IP addresses as a way to raise the attack barrier-of-entry, but you should still send requests from your worker with some sort of Authorization header/bearer token/JWT to know that the request is actually coming from an authorized CF worker. It is safe to store secrets in your worker code since the code isn’t ever visible to users and CF staff/support won’t look at it without your permission.

1 Like

Thanks @adaptive

On the receiving end, we will likely have a Lambda function, because our API is on AWS.

Do you know of any sample code/JS/Node.js which actually does a handshake with Cloudflare’s requests from Cloudflare to the origin (AWS Lambda function) to judge legitimacy before continuing to serve the request?

This seems like a pretty good/simple idea @Judge - thanks for this.

I guess that the requestor (posing as Cloudflare) could seed a key in a specific format + a random set string as proof of legitimacy.

The receiving end would simply contact the same string - to make a match. In this way, we can be 100% sure the request came from a legit Cloudflare worker.

@adaptive @Judge I presume the authenticated origin pulls is the 100% reliable/trusted method?


Replying now, didn’t see it before, sorry.

Authenticated origin pull serves the same certificate to everyone. That won’t prevent another user from doing the same.

The defense in this case is that Cloudflare never (except for manually enabled and verified Enterprise customers in specific cases) allows changing the Host header. This includes Workers. So your origin will always receive the original Host, that can be the way to filter. Authenticated origin pulls and whitelists are additional to prevent circumvention of Cloudflare.

1 Like