Workers requests count

I created my first worker to get IP and location data from my visitors.
The limit is 100.000 requests per day so i made a counter on my own web application to make sure i stay within these limits (which i probably will, but nevertheless).

I am monitoring the request counter but in cloudflare it shows much more requests than the requests i make.

Today i didn’t make any request but the counter in cloudflare shows 17.

It is the only worker i have and i don’t understand how it can show more than 0 requests today

The trigger for the worker (namely the URL e.g. <worker>.<subdomain> is a publicly available URL ergo is it possible for anyone to make requests to it even if they don’t visit your site.

Thank you, since i created the worker a few days ago, the worker url is not an easy name and i am the only one who knows that url, i guess those requests are made by bots?

Is there any way to prevent that? Can i set the cors policy or prevent it in any other way?

Quite likely.

CORS is for browsers only and makes no difference to server/CLI requests.

You can look at Rules.

As you are using it to collect data on your users (I will assume you alert them to the fact you are collecting this information) I might think you already know what bots or other non-users are making requests to the worker.

But it is just collecting the data that cloudflare already has?

This is the script:

addEventListener("fetch", event => {
  const city =;
  const country =;
  const latitude =;
  const longitude =;
  const clientIP = event.request.headers.get("CF-Connecting-IP");

  const clientInfo = JSON.stringify({
    city: city,
    country: country,
    ip_address: clientIP,
    latitude: latitude,
    longitude: longitude
  }, null, 2);

  const response = new Response(clientInfo, {
    headers: {
      "content-type": "application/json;charset=UTF-8"

  const responseHeaders = new Headers(response.headers);

  responseHeaders.set('Access-Control-Allow-Origin', '*');

  return event.respondWith(
    new Response(response.body, {
      headers: responseHeaders,
      status: response.status,
      statusText: response.statusText

I have the responseHeader set (script is from an example online) but even if i put my own domain, i still can access it directly