oh yea i wondered about that too. i have 1 public api endpoint in my sveltekit app. is there an eas

oh yea i wondered about that too.

i have 1 public api endpoint in my sveltekit app. is there an easy way to block access not from the same worker? just to reduce possible spam
(preferably in code, not a custom firewall rule)

SSilvan oh yea i wondered about that too. i have 1 public api endpoint in my sveltekit ...

Peps•3/4/25, 12:45 AM

believe you could use an Transform Rule to add the value of

cf.worker.upstream_zone

cf.worker.upstream_zone

to a header that arrives to your origin/webserver

PPeps believe you could use an Transform Rule to add the value of `cf.worker.upstream_...

SilvanOP•3/4/25, 12:54 AM

Hm i did look into that but i dont see any way of "selecting"

cf.worker.upstream_zone

cf.worker.upstream_zone

Maybe i would need WAF for that or im very blind

SSilvan Hm i did look into that but i dont see any way of "selecting" `cf.worker.upstrea...

Peps•3/4/25, 1:00 AM

the rule would be something like this

PPeps the rule would be something like this

SilvanOP•3/4/25, 1:03 AM

'cf.worker.upstream_zone' is not a valid value for expression because the use of field cf.worker.upstream_zone is not allowed

'cf.worker.upstream_zone' is not a valid value for expression because the use of field cf.worker.upstream_zone is not allowed

:bibicat:

SSilvan ``'cf.worker.upstream_zone' is not a valid value for expression because the use ...

Peps•3/4/25, 1:07 AM

ah right, I believe there should already be an

CF-Worker

CF-Worker

header that your origin/server receives

Peps•3/4/25, 1:07 AM

which has the same value as the upstream_zone one

PPeps ah right, I believe there should already be an `CF-Worker` header that your orig...

SilvanOP•3/4/25, 1:09 AM

that would only appear if my server side (worker) is requesting the API tho right?
in my case the browser also requests that api endpoint. maybe mTLS is actually what im looking for?

Peps•3/4/25, 1:10 AM

yep it would only appear if the request comes for a worker, which could be yours or someone else's

SilvanOP•3/4/25, 1:12 AM

Okay good to know i will definitely need this for another project. But in this case i guess its fine to just allow access to it

1984 Ford Laser•3/4/25, 10:00 AM

Will there ever be an option for higher memory Workers?

I know CF is always upgrading their servers but do those performance upgrades make their way to V8 isolates in a meaningful way? Does 1ms of CPU time now do markedly more work now than 1ms of CPU time 3 years ago?

Original message was deleted

1984 Ford Laser•3/4/25, 10:35 AM

Just some general thoughts I was having. I have reformatted to correctly match my thinking of those being two thoughts separate to each other

Ashley•3/4/25, 11:15 AM

I’d say it’s more likely the upcoming container product will allow you to have more / tune memory rather than Workers raising memory, but no info yet on whether that will be possible afaik

SilvanOP•3/4/25, 12:03 PM

Just double checking. It has been mentioned that worker assets are cached even tho its not shown. Means even images having

public, max-age=0, must-revalidate

public, max-age=0, must-revalidate

is fine right?

SilvanOP•3/4/25, 12:51 PM

i really cant get Build Environment variables to work when i put them in my wrangler config. i usually set them in the dashboard but id like to have some default ones in there like node_version. i tried

vars

vars

and

env production

env production

but neither will show up in the build details

Aster•3/4/25, 3:05 PM

Hey, I am using cloudflare workers and I noticed my workers are getting requests for a bunch of routes like

/js/.env

/js/.env

/aws.yml

/aws.yml

/config/settings.prod

/config/settings.prod

, etc.

I do use the WAF managed rules: Cloudflare Managed Ruleset, Cloudflare OWASP Core Ruleset, and
Cloudflare Leaked credentials Check

Do you know how I can make sure cloudflare blocks these suspicious requests?

Peps•3/4/25, 3:12 PM

every public site will get random crawlers/bots that will hit all types of endpoints/paths to see if they can dig something up

Peps•3/4/25, 3:12 PM

some of the managed ruleset WAF rules cover the very common ones, but not necessarily all possibilities out there

Aster•3/4/25, 3:21 PM

I would expect the CF WAF to block .env requests

Aster•3/4/25, 3:23 PM

We have enterprise plan, and we use our own domain

Aster•3/4/25, 3:23 PM

Aster•3/4/25, 3:24 PM

That's why I'm wondering what I am missing

Aster•3/4/25, 3:24 PM

cause /config/settings.prod why not let it slip, but

**/.env

**/.env

should be blocked all the time

Aster•3/4/25, 3:25 PM

Actually, the core ruleset is not enabled? It's just logging

Aster•3/4/25, 3:32 PM

Actually the rules are blocking a ton of things

aydrian•3/4/25, 3:32 PM

I'm using Tinybase to syncronize data using a Durable Object. I'm also persisting the data to the Durable Object storage. I want the data to be able to live longer than the Durable Object. Is there a way to persist the Durable Object storage to D1?

Original message was deleted

aydrian•3/4/25, 3:34 PM

Ah. I'm glad it was a misunderstanding on my part.

Kotkoroid•3/4/25, 4:29 PM

Hi, how do I set this up for queues?
https://developers.cloudflare.com/workers/wrangler/configuration/#non-inheritable-keys

Cloudflare Docs

Configuration - Wrangler · Cloudflare Workers docs

Use a configuration file to customize the development and deployment setup for your Worker project and other Developer Platform products.

fernvenue•3/4/25, 4:34 PM

Hi all, is there a way that I can download my Pages source files?

KKotkoroid Hi, how do I set this up for queues? https://developers.cloudflare.com/workers/w...

Kotkoroid•3/4/25, 4:42 PM

[[env.production.queues.producers]]

[[env.production.queues.producers]]

...interesting it has to be defined this way

captain•3/4/25, 5:39 PM

how private are pages projects...i just got a request for /js/twint_ch.js on my page.dev domain on my console logs....but that file doesn't exist and nobody should have access to anything i am doing that would request that...idea?

Ccaptain how private are pages projects...i just got a request for /js/twint_ch.js on my ...

Ashley•3/4/25, 5:41 PM

The internet is littered with bots and your pages.dev domain is public, and things like DNS are too, so bots end up finding it

AAshley The internet is littered with bots and your pages.dev domain is public, and thin...

captain•3/4/25, 5:41 PM

that's scary..how do they find it, is cloudflare publicizing it?

captain•3/4/25, 5:42 PM

or is there a mouse in the house and cloudflare dev ops need to wake up

SilvanOP•3/4/25, 5:44 PM

welcome to the internet.. its normal

Ccaptain that's scary..how do they find it, is cloudflare publicizing it?

Ashley•3/4/25, 5:46 PM

This is just how the internet works, anything public can be found and bots are everywhere - it’s nothing to worry about though, assuming what you have there isn’t private data or anything

SilvanOP•3/4/25, 5:49 PM

What im more confused about now is how i pass the ctx.waitUntil to a function

i ran into the classic

TypeError: Illegal invocation: function called with incorrect this reference

TypeError: Illegal invocation: function called with incorrect this reference

first. now when i pass down the entire platform into the function waitUntil ends up undefined (its available where im trying to pass it to the function)

do i really need apply/call in that situtation?

Ccaptain that's scary..how do they find it, is cloudflare publicizing it?

Chaika•3/4/25, 6:10 PM

Every pages.dev gets a certificate, certificates are all logged as part of Certificate Transparency (CT) Logs the second they are issued, bots listen to CT Logs

CChaika Every pages.dev gets a certificate, certificates are all logged as part of Certi...

captain•3/4/25, 7:01 PM

that seems to be a security risk the platform in users...why is that public?

Ccaptain that seems to be a security risk the platform in users...why is that public?

Isaac McFadyen•3/4/25, 7:01 PM

It's just how the internet works. It's not specific to Cloudflare, every platform works this way.

Isaac McFadyen•3/4/25, 7:01 PM

Any time a certificate is issued, anywhere (that is trusted by browsers), it's logged publicly.

Ccaptain that seems to be a security risk the platform in users...why is that public?

Chaika•3/4/25, 7:01 PM

opposite, Certificates Issuance are public to increase security. So no Certificate Authority can issue Certificates without it being known

Isaac McFadyen•3/4/25, 7:01 PM

https://letsencrypt.org/docs/ct-logs/

IIsaac McFadyen It's just how the internet works. It's not specific to Cloudflare, *every* platf...

captain•3/4/25, 7:02 PM

okay so...would it not be smarter to set these tempory pages.dev things via: page.dev/subfolder instead a a subdomain?

Ccaptain okay so...would it not be smarter to set these tempory pages.dev things via: pag...

Hard@Work•3/4/25, 7:02 PM

Some projects deployed to Pages may expect a (sub)domain to themselves

Ccaptain okay so...would it not be smarter to set these tempory pages.dev things via: pag...

Isaac McFadyen•3/4/25, 7:03 PM

The issue with this is that they have no way to know what you have on the production domain.

Isaac McFadyen•3/4/25, 7:03 PM

If you put it at /foo/foo then what if I have a file/folder in prod that's called /foo/foo?

Isaac McFadyen•3/4/25, 7:03 PM

It would overwrite it.

Ccaptain okay so...would it not be smarter to set these tempory pages.dev things via: pag...

Chaika•3/4/25, 7:03 PM

No, for security again, as pages.dev uses subdomains and is part of the public suffix list, browsers treat each subdomain as its own website, separated in terms of cookies, cors, etc

Chaika•3/4/25, 7:04 PM

If you were using subpaths, browsers would assume each pages website are part of the same security context/get around some limits of CORS, allow access to cookies, etc

Chaika•3/4/25, 7:05 PM

oh, even if you mean just for preview URLs it'd still be more way messy for the reasons Isaac said

oh yea i wondered about that too. i have 1 public api endpoint in my sveltekit app. is there an eas

Similar Threads

Similar Threads

Similar Threads