Also, are there any tips to help figure out what code the CPU limits are caused by?
Also, are there any tips to help figure out what code the CPU limits are caused by?
KLimits only go up
KSubrequests go from 50 to 1,000, CPU time goes from 50ms to 30s, I don't think there's really anything else
KThere isn't really any good solution for it - you can try timing with
Date.now()
LOkay I see, thank you. I recall that there was an issue with
Date.now()asyncI meant for local development, Date.now() isn't limited there
KIn deployed Workers it will still only progress on IO
LAh ok that makes sense. Thanks for the help
KMost Workers only really run into CPU issues when parsing a lot of data or stuff like WASM
LI'm thinking I might be hitting CPU limits with the
HTMLRewrtierI was thinking we could put another worker infront of this worker to detect if there are any issues. Do worker subrequests share the same memory/cpu limits?
KHow can I prevent Cloudflare Workers from counting Unauthorized accesses as requests?
KI am limited to 100,000 requests per day.
KBut it's not fair because someone can easily attack the website and send 100k requests.
KSo hence why I have an API Key so the website can only be authorized/accessed with it.
KBut it seems that Cloudflare Workers counts unauthorized accesses as requests, so someone can easily spam requests to my Workers site.
KAnd hit 100k with spams, and boom, I can't use it anymore.
KIs the API key static or do you look them up in a database somewhere else?
KAPI key is static
Kbut technically i change them manually
KUse the WAF to validate it, and blocked requests won’t reach your Worker
KIm trying to search up how to enable WAF um
Knot much things are being talked
KAre you using a custom domain on Cloudflare or the workers.dev URL? If you’re using workers.dev then there isn’t really anything you can do to protect it
KCustom domain yes
KOh shoot I have to buy it?
KI mean is there something on the Free plan
KThat at least can protect somewhat
WWAF is free
K
KSee here
CThat is account level WAF. You can do it per zone for free
W^
KHow would I do that?
CMagic Link: https://dash.cloudflare.com/?to=/:account/:zone/security/waf/custom-rules. Make a new rule that checks for the API key in the header and block requests that don't have it
Koh shoot so my API key has to be static
Kwait but is there a way to do this with only the subdomain....?
CI mean you can check that the header exists for it like
Authorization but the more specific you can get the more requests you will filter out. For subdomain, you just add an AND condition to the rule to match on the hostnameKwhat the heck
Kit said that
KI Was not allowed to capitalization Authorization
Kso it deleted my rule
CHere is an expression that I have
not any(lower(http.request.headers.names[*])[*] == "authorization") and http.host eq "example.com". Which checks that the host is example.comauthorizationKwith the authroization, i want to check if
Bearer [ACCESS_TOKEN], is it safe to do that with WAF?CSure, just make sure the people who have access to your dashboard, you would be okay with sharing the token with
KSo, let's say some user got blocked
Kwould it count as a "request" of the 100k requests per day
CNo. The request got blocked by Cloudflare before it even reached the worker
KSo I added an API key and subdomain. Do you have any more suggestions for the best protection from any attacks?
KYou're more experienced than me so I would like to know lol
CAPI Key is the best way. Means all requests need to have it so you can easily filter requests
