Protecting API endpoints from DDoS Attacks
Hey
I have a basic(ish) Express API with a handful of GET endpoints, but because it's an API that supports non-human interaction, traditional DDoS protection such as a managed challenge wouldn't work in protecting malicious actors from DDoS'ing my server, and if anything I need to reduce false positives by allowing almost all traffic to hit my origin.
I've thought about using Workers and KV to sync my users' API keys and validate them at Cloudflare before hitting my origin, but whilst this would keep my origin online during a DDoS, it would result in me potentially being charged into bankruptcy if I get hit with a major attack (such as billions of requests).
I've thought about doing something like implementing a WAF rule to block all requests where the Authorization header doesn't include a prefix in all the API keys I issue to users, but this is of course super easy to bypass if someone figures it out.
I've thought about syncing every API key to WAF as a whitelist and block everything else, but this wouldn't scale well as the expression for a rule can only be 4096 characters long.
If someone knows a way that I could effectively protect my API, that would be much appreciated.
I'm on the Pro plan btw.