Whitelisting (external domains) access to workers

For Workers & Pages, what is the name of the domain?

https://prod-ccow-bot-host-router.ram-manavalan.workers.dev/

What is the issue or error you’re encountering

Need to allowlist (external domain names) access to workers

What steps have you taken to resolve the issue?

We have two workers, exposing 3 API endpoints out, which cannot have auth-n-auth implemented because we are not allowed to store any auth/identity related data in Cloudflare. Given that, we do not want to keep these endpoints out and open for anyone to use and perform a DDoS attack. We would like to allowlist only domains (that we allow) that can access these endpoints. Solutions we considered:

  • Implement a check in the worker code itself, using items like secret key, domain name, etc. However, this does not prevent DDoS.
  • Use Cloudflare WAF. However, WAF cannot be added to workers directly. It requires us to register a domain. Also, to experiment with this, we need to purchase the add-on first. However, in my org, we will not be able to purchase until we try it out.

Are there other options? In a nutshell, we are looking for a firewall-based solution from Cloudflare that we are ready to pay for, after trying it out.
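The first option from the post above (a check in the worker code using a secret key and domain name), sketched as an added example that is not part of the original thread. The origin list, the `x-api-key` header name and the `env.API_KEY` binding are assumptions made for illustration.

```javascript
// Constructed allowlist; a real Worker would load this from its configuration.
const ALLOWED_ORIGINS = new Set([
  "https://app.partner-a.example",
  "https://portal.partner-b.example",
]);

// Compare without returning early, so timing does not reveal a matching prefix.
function timingSafeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// headers: anything with .get(name), e.g. request.headers inside a Worker.
// sharedSecret: the key issued to allowed callers (hypothetical binding).
function checkAccess(headers, sharedSecret) {
  // Origin is supplied by the client. Browsers set it honestly, but any
  // non-browser client can send whatever value it likes, so it is only a
  // first filter and never sufficient on its own.
  const origin = headers.get("origin");
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { allow: false, status: 403, reason: "origin not allowlisted" };
  }
  // Fail closed when the secret is not configured.
  const presented = headers.get("x-api-key") || "";
  if (!sharedSecret || !timingSafeEqual(presented, sharedSecret)) {
    return { allow: false, status: 401, reason: "bad or missing key" };
  }
  return { allow: true, status: 200, reason: "ok" };
}

// Worker wiring, left as a comment so the block also runs under Node.
// handle() is a hypothetical function holding the real endpoint logic.
// export default {
//   fetch(request, env) {
//     const d = checkAccess(request.headers, env.API_KEY);
//     return d.allow ? handle(request)
//                    : new Response(d.reason, { status: d.status });
//   },
// };
```

Every rejected request has still invoked the Worker by the time this check runs, which is why the post says this option does not prevent DDoS.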

What’s wrong with registering a domain? They’re dirt-cheap. If you’re already hardcoding the workers.dev hostname, it’s just as easy to hardcode a new domain.

Which add-on is that?

1 Like

Here is the add-on I was referring to.

Yes, I can always buy a cheap domain name with Cloudflare. And, I guess that would need me to add a new route too. All I want is some allowlisting at the firewall level and do not want to deal with routes.

However, if the WAF plug-in is going to be costlier than buying a cheap domain (and setting up a route), I would simply prefer the latter. But just want to confirm this understanding of mine before proceeding.

You generally wouldn’t need an account-level WAF. That is just a single WAF that can apply to all your Enterprise zones at once. It will not apply to a *.workers.dev hostname.

A zone WAF should work just as well as an Account WAF, with the exception of some of the enterprise-only settings, such as Bot Management.

1 Like