I’m getting close to launching an app… it’s more or less my first real app. I’ve done some small ones but this one is legit.
I always freak out when I launch an app…
- I don’t want my API to be attacked somehow
- I don’t want some code error I made to make tens of thousands of requests by accident.
- I don’t want to do something dumb and rack up a huge bill
I have tested my app and my Workers and everything, at least so far, seems to work really well.
I was thinking of building a rate limit so any IP could only make so many requests per day or something like that.
I’ve never done rate limiting before. I know Cloudflare has their built-in abuse detection.
But are most rate limiting solutions for hitting API endpoints custom coded?
I don’t see it being very hard… Durable Objects would be perfect for this… but just wanted to get any insight.
I suspect you might be interested in this.
Generally speaking, the only real ways to stop API attacks are rate limiting, ML, and fingerprinting legitimate requests, rejecting the rest.
I don’t follow on this one.
You need to be careful and keep an eye on the usage; however, rate limiting is in general rather cheap.
I do know of the new API Gateway. I will have to look into it more. Is it ready for production?
When I said… I don’t want some code error to make tens of thousands of requests by accident. I mean I don’t want bad code I may have written to cause a request loop.
I’ve done this in development before… a couple times. And of course I test for this and make sure it won’t happen. But mistakes do happen… it’s life.
I guess what I’m asking is… is there a way to shut down a service or Worker if you need to?
I’ve seen the advanced rate limiting… and while I have not deeply looked into it… I thought it only works if you host your app on Cloudflare.
I am only using Workers… KV… and Durable Objects for my API and persistent storage. I was planning on hosting on Vercel since my app is written in Next.js.
Thanks for your answers and help!
You either block the path with a firewall rule or remove the route from the Worker itself.
It needs to be proxied, of course. But the origin can be anything.
Is there any documentation for this?
I don’t see what documentation I can provide here… it’s the basics of how all Cloudflare services work.
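The per-IP daily limit asked about in the first post, sketched as an added example; it is not code from any poster in this thread or from Cloudflare. The `DailyRateLimiter` class, the limit of 3, and the IP addresses and timestamps are constructed for illustration, and the in-memory `Map` stands in for persistent storage such as a Durable Object's.

```javascript
// Added example: fixed-window (one UTC day) request counter keyed by client IP.
// Assumption: the Map stands in for persistent storage; all names are hypothetical.
const DAY_MS = 24 * 60 * 60 * 1000;

class DailyRateLimiter {
  constructor(limit, store = new Map()) {
    if (!Number.isInteger(limit) || limit < 1) {
      throw new RangeError("limit must be a positive integer");
    }
    this.limit = limit;
    this.store = store; // ip -> { day, count }
  }

  // Decide whether one request from `ip` at time `nowMs` is allowed.
  check(ip, nowMs = Date.now()) {
    const day = Math.floor(nowMs / DAY_MS); // UTC day number
    let entry = this.store.get(ip);
    if (!entry || entry.day !== day) entry = { day, count: 0 }; // new window
    // Seconds until the window resets, suitable for a Retry-After header.
    const retryAfterSec = Math.ceil(((day + 1) * DAY_MS - nowMs) / 1000);
    if (entry.count >= this.limit) {
      this.store.set(ip, entry);
      return { allowed: false, remaining: 0, retryAfterSec };
    }
    entry.count += 1;
    this.store.set(ip, entry);
    return { allowed: true, remaining: this.limit - entry.count, retryAfterSec };
  }

  // Drop counters from earlier days so the store does not grow without bound.
  prune(nowMs = Date.now()) {
    const day = Math.floor(nowMs / DAY_MS);
    let removed = 0;
    for (const [ip, entry] of this.store) {
      if (entry.day !== day) { this.store.delete(ip); removed += 1; }
    }
    return removed;
  }
}

// Constructed scenario: a client stuck in a request loop, a second client,
// then the first client again after the UTC day rolls over.
function demo() {
  const limiter = new DailyRateLimiter(3);
  const t0 = Date.UTC(2024, 0, 1, 23, 59, 0); // constructed timestamp
  const results = [];
  for (let i = 0; i < 5; i++) results.push(limiter.check("203.0.113.7", t0).allowed);
  const other = limiter.check("198.51.100.9", t0).allowed;
  const nextDay = limiter.check("203.0.113.7", t0 + 2 * 60 * 1000).allowed;
  return { results, other, nextDay };
}
```

A fixed window allows up to twice the limit across a day boundary; a sliding window or token bucket tightens that at the cost of more stored state.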