Protecting API endpoints from DDoS Attacks
Hey 
I have a basic(ish) Express API with a handful of GET endpoints, but because it’s an API that supports non-human interaction, traditional DDoS protection such as a managed challenge wouldn’t work in protecting malicious actors from DDoS’ing my server, and if anything I need to reduce false positives by allowing almost all traffic to hit my origin.
I’ve thought about using Workers and KV to sync my user’s API keys and validate them at Cloudflare before hitting my origin, but whilst this would keep my origin online during a DDoS, it would result in me potentially being charged into bankruptcy if I get hit with a major attack (such as billions of requests)
I’ve thought about doing something like implementing a WAF rule to block all requests where the Authorization header doesn’t include a prefix in all the API keys I issue to users, but this is of course super easy to bypass if someone figures it out.
I’ve thought about syncing every API key to WAF as a whitelist and block everything else, but this wouldn’t scale well as the expression for a rule can only be 4096 characters long.
If someone knows a way that I could effectively protect my API, that would be much appreciated
I’m on the Pro plan btw.
I have a basic(ish) Express API with a handful of GET endpoints, but because it’s an API that supports non-human interaction, traditional DDoS protection such as a managed challenge wouldn’t work in protecting malicious actors from DDoS’ing my server, and if anything I need to reduce false positives by allowing almost all traffic to hit my origin.
I’ve thought about using Workers and KV to sync my user’s API keys and validate them at Cloudflare before hitting my origin, but whilst this would keep my origin online during a DDoS, it would result in me potentially being charged into bankruptcy if I get hit with a major attack (such as billions of requests)
I’ve thought about doing something like implementing a WAF rule to block all requests where the Authorization header doesn’t include a prefix in all the API keys I issue to users, but this is of course super easy to bypass if someone figures it out.
I’ve thought about syncing every API key to WAF as a whitelist and block everything else, but this wouldn’t scale well as the expression for a rule can only be 4096 characters long.
If someone knows a way that I could effectively protect my API, that would be much appreciated
I’m on the Pro plan btw.
Welcome to the official Cloudflare Developers server. Here you can ask for help and stay updated with the latest news
86,942Members
Resources
Similar Threads
Was this page helpful?
