Protecting a static site and API route


I’m new to serverless sites and thought I’d try Cloudflare out.

My site is an SSR astro site in hybrid mode, so it has a couple of API routes. I’m using the astro cloudflare adapter, but was wondering how this ends up being deployed? Will the frontend be a Cloudflare page with the API routes converted to CF Workers?

I’m just trying to work out what I should be protecting against attack wise, and if there are any limits I should put on any Workers that might be used? (The routes are for form submission and info look up)

Coming from a server-ful(?) background I’d appreciate any help anyone can provide!



If you are using Cloudflare Pages, it will all stay within Cloudflare Pages.
Pages has what they call “Functions” which are just “special” Workers with some magic on top like file based routing and such, but you’ll never see them in your account as standalone Workers. They are versioned per deployment as well. They do share the same billing and Workers Paid plan, including the 100k requests/day/free limit.

In terms of protecting your Cloudflare Pages Applications, you can deploy CF Access over your preview deployments, and then use Bulk Redirects for your itself: Custom domains · Cloudflare Pages docs, to restrict public access of your to only your Custom Domain(s).

Then, you have all the normal security tools, waf and such. Cloudflare does include free unmetered rate limiting: Back in 2017 we gave you Unmetered DDoS Mitigation, here's a birthday gift: Unmetered Rate Limiting for Self Serve customers, although it is a bit limited on free it can still be helpful. You could apply caching for the information lookup, forced via Cache Rules, integrate turnstile with your form submission, etc.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.