We have a public website https://www.ourwebsite.com/ with a masked REST API endpoint at https://www.ourwebsite.com/api. The /api path is processed by a Worker and redirects to the actual REST API with an attached authentication secret. So by using Workers and masking the 3rd party REST API we have three advantages:
1. The REST API requests stay on the same domain.
2. No problem with CORS because - check no. 1.
3. We hide the REST API secret.
Everything works perfectly, but the main concern is how to protect /api from external usage and abuse. Is there any method in CF to protect a REST API endpoint?
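The masking setup described in the question, sketched as a Worker (an added example, not the poster's code). The upstream origin `https://rest-api.example`, the `API_SECRET` binding and the `Bearer` scheme are assumptions; the sketch shows only the proxy step and does not by itself limit who can call /api.

```javascript
// Added example; names marked "assumed" do not come from the original post.
const UPSTREAM_ORIGIN = "https://rest-api.example"; // assumed placeholder for the third-party API
const API_PREFIX = "/api";

// Describe the upstream call for a request to the masked /api path.
// Returns null for any other path so the caller can pass it through untouched.
function buildUpstreamCall(request, env) {
  const url = new URL(request.url);
  const isApi = url.pathname === API_PREFIX || url.pathname.startsWith(API_PREFIX + "/");
  if (!isApi) return null;

  // Set the path on a URL whose host is already fixed. Resolving the remainder
  // as a relative reference would let "/api//other.host/x" change the host.
  const target = new URL(UPSTREAM_ORIGIN);
  target.pathname = url.pathname.slice(API_PREFIX.length) || "/";
  target.search = url.search;

  const headers = new Headers(request.headers);
  headers.delete("cookie"); // site cookies are not for the third party
  // Replace any client-supplied credential with the server-side secret.
  headers.set("authorization", "Bearer " + env.API_SECRET); // scheme and binding name assumed

  return { url: target.toString(), method: request.method, headers };
}

// Worker entry point; deploy it with `export default worker;`.
const worker = {
  async fetch(request, env) {
    const call = buildUpstreamCall(request, env);
    if (call === null) return fetch(request); // not /api: pass through to the site
    const hasBody = request.method !== "GET" && request.method !== "HEAD";
    return fetch(call.url, {
      method: call.method,
      headers: call.headers,
      body: hasBody ? request.body : undefined,
    });
  },
};
```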
Assuming this is just being used internally, I think the best way to secure it with Cloudflare would probably be by using Cloudflare Access, and then using service tokens as authentication, so you just have to add 2 additional headers to your requests to authenticate with a script.
I mean to let the /api path be accessed only by our website and protect it from external usage like external websites (CORS will do that for us), curl, or some sort of software.