Sorry, I don't think I explained very well. It won't be requests originating from the internet. Rath

Sorry, I don't think I explained very well. It won't be requests originating from the internet. Rather originating from within the worker. So it would basically be

- get webhook URL from DB
- build payload
- post payload to URL

But what I'm wondering is if the global fetch has any way of accessing anything other than the public internet and if it's safe to pass an untrusted URL

Ccharlie Sorry, I don't think I explained very well. It won't be requests originating fro...

Hello, I’m Allie!•3/3/24, 2:02 AM

It would also have firewall-free access to your origin, if you have one

Hello, I’m Allie!•3/3/24, 2:02 AM

But no, it can’t interact with your bindings

charlieOP•3/3/24, 2:02 AM

Ah there would be no origin

charlieOP•3/3/24, 2:03 AM

And I also just found this

First, we can now restrict the global fetch() function to accept only publicly-routable URLs. This makes applications totally immune to SSRF attacks! You cannot trick an application into accessing an internal service unintentionally if the code to access internal services is explicitly different.

from here https://blog.cloudflare.com/workerd-open-source-workers-runtime

The Cloudflare Blog

Introducing workerd: the Open Source Workers runtime

workerd is the JavaScript/Wasm runtime code that powers Cloudflare Workers, now open source under the Apache 2.0 license.

charlieOP•3/3/24, 2:04 AM

Sounds almost too good to be true haha. This is going to be the easiest implementation ever

Ccharlie Sounds almost too good to be true haha. This is going to be the easiest implemen...

Hello, I’m Allie!•3/3/24, 2:06 AM

Note though that this is specifically for the Workers runtime, and not the Workers Product. While you can configure the runtime to allow access to internal services, on Workers itself this should not be possible

Hello, I’m Allie!•3/3/24, 2:06 AM

Not least since said internal services aren’t really yours to access either

charlieOP•3/3/24, 2:08 AM

Yep, the restriction of not being able to access anything internal is exactly what I want

kian•3/3/24, 2:08 AM

Are you referring to using Cloudflare Workers or hosting https://github.com/cloudflare/workerd yourself?

charlieOP•3/3/24, 2:09 AM

Using cloudflare workers. No origin - just a queue consumer which makes the fetch

Unsmart•3/3/24, 2:15 AM

If you have a worker with a route assigned to it, you can fetch it because its a public url. But if you dont have any public urls they its only requestable through bindings which you can kinda compare to being a VPC from a traditional perspective

charlieOP•3/3/24, 2:18 AM

Yeah, the worker I'm going to setup for sending these webhooks won't have any public routes so I'm not worried about incoming requests. In the past I would have used something like https://github.com/stripe/smokescreen but with the way the service bindings are separated it seems that's not a concern here

GitHub

GitHub - stripe/smokescreen: A simple HTTP proxy that fogs over nau...

A simple HTTP proxy that fogs over naughty URLs - GitHub - stripe/smokescreen: A simple HTTP proxy that fogs over naughty URLs

squizzy•3/3/24, 5:46 PM

hey everyone i am wondering that once you create/ set up the website on cloudflare is there a possible way for you to like have a html source and you can out html in that source and it will implement to your website? thanks

CChaika I would read this: https://discord.com/channels/595317990191398933/1204401951026...

Rayane•3/3/24, 5:49 PM

Thank you for your answer

The page functions is just a astro page in SSR. So if i get a lot of requests my website can be inaccessible ?

Joy•3/3/24, 5:58 PM

Hello everyone
I have a few endpoints in one of my CF workers. I want if someone hits /endpoint-A, I want to make an API call to the /endpoint-B. Is this possible to implement?
I tried it too, but it returns me this error

Joy•3/3/24, 5:58 PM

Screenshot_2024-03-03_at_11.26.26_PM.png

JJoy Hello everyone I have a few endpoints in one of my CF workers. I want if someone...

Cyb3r-Jak3•3/3/24, 10:35 PM

You probabaly want to use a service bind to make a worker calls itself https://developers.cloudflare.com/workers/configuration/bindings/about-service-bindings/

RRayane Thank you for your answer 🙏The page functions is just a astro page in SSR. So i...

Chaika•3/3/24, 11:17 PM

I wouldn't think a single SSR page would be nearly that high. Are you doing something heavy compute-wise, dependencies, or else?

CChaika I wouldn't think a single SSR page would be nearly that high. Are you doing some...

Rayane•3/3/24, 11:28 PM

Just use React and retrieve the query parameters of URL

CoreySeren•3/4/24, 1:10 AM

I got an email that I have exceeded 50% of daily usage limit for Cloudflare Workers KV , can I see a breakdown of what endpoints that is coming from?

CCoreySeren I got an email that I have exceeded 50% of daily usage limit for Cloudflare Work...

Chaika•3/4/24, 4:14 AM

not as far as I know. Can't even break it down per namespace. You'd probably be best looking at worker analytics of workers you know which are using KV, and the specific limit you are exceeding

Original message was deleted

Rayane•3/4/24, 6:45 AM

const url = Astro.url;
const params = new URLSearchParams(url.search);
const firstKey = params.entries().next();

AmaraFray•3/4/24, 11:56 AM

Hey guys, how do I prevent http floods on my workers endpoint?

AmaraFray•3/4/24, 12:04 PM

Okay, usually whats the best practices for configuring WAF?

AmaraFray•3/4/24, 12:06 PM

I'll give a bit more context, I have a mobile application, who's backend is entirely serverless on workers.

Ideally I'm not expecting to go beyond the workers paid plan of 10$ for the first year, but still would like to be open to scaling. It is connected to my (api.*) subdomain

AmaraFray•3/4/24, 12:07 PM

im not worried about authentication issues or such, but what I am worried about is someone pinging the server a million times and driving up my request counts

AmaraFray•3/4/24, 12:07 PM

I currently am using WAF to block access to anything that's not a valid endpoint

AmaraFray•3/4/24, 12:08 PM

(I should mention it's my first time worrying about things like this so I might be missing something very obvious, please do just share resources if i have to do some reading)

AAmaraFray I'll give a bit more context, I have a mobile application, who's backend is enti...

Hello, I’m Allie!•3/4/24, 12:17 PM

You need to identify what could separate a real user from an unwanted bot/crawler. This is a bit more difficult, issuing to the fact you don't want to(and probably can't) spawn a captcha in response to an interaction. If your app only operates in certain regions, block all other regions. If your app is only to be used on client devices, block datacenter IPs.

HHello, I’m Allie!You need to identify what could separate a real user from an unwanted bot/crawle...

AmaraFray•3/4/24, 12:19 PM

Alright, firebase has something called app check? is there something similar for cloudflare i could implement?

AAmaraFray Alright, firebase has something called app check? is there something similar for...

Hello, I’m Allie!•3/4/24, 12:20 PM

Not by ddefault, though you may be able to build something similar with WAF rules manually

HHello, I’m Allie!Not by ddefault, though you **may** be able to build something similar with WAF ...

AmaraFray•3/4/24, 12:51 PM

Okayy I'll try to research into that, any resources i can look at?

AAmaraFray Okayy I'll try to research into that, any resources i can look at?

Hello, I’m Allie!•3/4/24, 12:52 PM

Maybe https://blog.cloudflare.com/eliminating-captchas-on-iphones-and-macs-using-new-standard/ ?

The Cloudflare Blog

Private Access Tokens: eliminating CAPTCHAs on iPhones and Macs wit...

Today we’re announcing Private Access Tokens, a completely invisible, private way to validate that real users are visiting your site.

Hello, I’m Allie!•3/4/24, 12:52 PM

Don't know if they actually cover implementation there

AmaraFray•3/4/24, 12:52 PM

thank youu, will look at it!

HHello, I’m Allie!You need to identify what could separate a real user from an unwanted bot/crawle...

AmaraFray•3/4/24, 12:53 PM

also how can I go about blocking datacenter IPs?

AAmaraFray also how can I go about blocking datacenter IPs?

Hello, I’m Allie!•3/4/24, 12:54 PM

You could find the Autonomous System Number of the big datacenter providers, and block by them?

Autonomous system (Internet)

An autonomous system (AS) is a collection of connected Internet Protocol (IP) routing prefixes under the control of one or more network operators on behalf of a single administrative entity or domain, that presents a common and clearly defined routing policy to the Internet. Each AS is assigned an autonomous system number (ASN), for use in Borde...

AmaraFray•3/4/24, 12:55 PM

okay alright! So this all has to be hardcoded into the WAF expression correct?

AAmaraFray okay alright! So this all has to be hardcoded into the WAF expression correct?

Hello, I’m Allie!•3/4/24, 12:56 PM

No, at least not for Enterprise Customers: https://developers.cloudflare.com/waf/tools/lists/custom-lists/#lists-with-asns

Cloudflare Docs

Custom lists · Cloudflare Web Application Firewall (WAF) docs

A custom list contains one or more items of the same type (for example, IP addresses, hostnames, or ASNs) that you can reference collectively, by …

HHello, I’m Allie!No, at least not for Enterprise Customers: https://developers.cloudflare.com/waf...

AmaraFray•3/4/24, 12:57 PM

ah, cries in not enterprise thanks anyways!

AAmaraFray _ah, cries in not enterprise_ thanks anyways!

Hello, I’m Allie!•3/4/24, 12:58 PM

You can also block IPs/ranges

TTaurlon Could you foresee any negative implications of doing this? For example, legitima...

Hello, I’m Allie!•3/4/24, 12:59 PM

Maybe? If you block a regional ISP, then there is probably going to be issues. If the endpoint you are protecting is only ever meant to be accessed by mobile devices, then it should be reasonably safe to block datacenter IPs

Hello, I’m Allie!•3/4/24, 12:59 PM

There's always the risk that a user is using a VPS as a VPN, and thus will get blocked

Hello, I’m Allie!•3/4/24, 12:59 PM

But no security policy is perfect

AmaraFray•3/4/24, 1:00 PM

would this work? https://community.cloudflare.com/t/blocking-datacenters/317059

AAmaraFray would this work? https://community.cloudflare.com/t/blocking-datacenters/317059

Hello, I’m Allie!•3/4/24, 1:01 PM

Maybe? It would prevent registered bots from being blocked, but that still doesn't preclude someone running a small VPS

Hello, I’m Allie!•3/4/24, 1:01 PM

Which would be blocked

HHello, I’m Allie!Maybe? It would prevent registered bots from being blocked, but that still doesn...