Protection Against DDoS and "Bill Shock" Attacks When Using Cloudflare Images

I am currently considering Cloudflare Images to handle image serving for my website’s users. The pricing of 1 USD per 100,000 images, although seemingly high, is tolerable for me given Cloudflare’s reputation and the convenience of their service.

However, I am concerned about potential DDoS or “bill shock” attacks. A malicious party could potentially script an endless loop of requests for my images. If Cloudflare imposes global rate limits (as mentioned in their API reference for rate limits), my legitimate users might get denied access if these limits are reached. On the other hand, if there are no such limits, I could be faced with an unexpectedly large bill at the end of the month (“bill shock”).

Ideally, Cloudflare would apply rate limits on an IP basis to circumvent this issue, but it is unclear to me whether they do so.

I am thus seeking clarification: Does Cloudflare Images provide protection against DDoS and “bill shock” attacks? If it does, how does this work? I have not found relevant information beyond the article about global rate limits for API calls in their documentation.

https://developers.cloudflare.com/fundamentals/api/reference/limits
