Workers requests count

user27213 · June 28, 2023, 11:53am

I created my first worker to get IP and location data from my visitors.
The limit is 100.000 requests per day so i made a counter on my own web application to make sure i stay within these limits (which i probably will, but nevertheless).

I am monitoring the request counter but in cloudflare it shows much more requests than the requests i make.

Today i didn’t make any request but the counter in cloudflare shows 17.

It is the only worker i have and i don’t understand how it can show more than 0 requests today

anon9246926 · June 28, 2023, 11:25pm

The trigger for the worker (namely the URL e.g. <worker>.<subdomain>.workers.dev) is a publicly available URL ergo is it possible for anyone to make requests to it even if they don’t visit your site.

user27213 · June 29, 2023, 6:51am

Thank you, since i created the worker a few days ago, the worker url is not an easy name and i am the only one who knows that url, i guess those requests are made by bots?

Is there any way to prevent that? Can i set the cors policy or prevent it in any other way?

anon9246926 · June 29, 2023, 7:05am

Quite likely.

CORS is for browsers only and makes no difference to server/CLI requests.

You can look at Rules.

As you are using it to collect data on your users (I will assume you alert them to the fact you are collecting this information) I might think you already know what bots or other non-users are making requests to the worker.

user27213 · June 29, 2023, 8:20am

But it is just collecting the data that cloudflare already has?

This is the script:

addEventListener("fetch", event => {
  const city = event.request.cf.city;
  const country = event.request.cf.country;
  const latitude = event.request.cf.latitude;
  const longitude = event.request.cf.longitude;
  const clientIP = event.request.headers.get("CF-Connecting-IP");

  const clientInfo = JSON.stringify({
    city: city,
    country: country,
    ip_address: clientIP,
    latitude: latitude,
    longitude: longitude
  }, null, 2);

  const response = new Response(clientInfo, {
    headers: {
      "content-type": "application/json;charset=UTF-8"
    }
  });

  const responseHeaders = new Headers(response.headers);

  responseHeaders.set('Access-Control-Allow-Origin', '*');

  return event.respondWith(
    new Response(response.body, {
      headers: responseHeaders,
      status: response.status,
      statusText: response.statusText
    })
  );
});

I have the responseHeader set (script is from an example online) but even if i put my own domain, i still can access it directly