DDoS Protection for the Workers API, and Does the DDoS Billing Waiver Also Apply to D1/R2?
I’m using ChatGPT for this translation, so please excuse any awkward English.
I’m planning to build a game leaderboard API on the paid tier of Cloudflare Workers.
Since Workers already come with built-in DDoS protection, would you still recommend:
attaching a custom domain,
placing that domain behind Cloudflare (orange-cloud), and
adding WAF / rate-limiting rules?
Or would that be over-engineering?
(The API is called directly from the game client, so JavaScript-based protections like Turnstile aren’t an option.)
Cloudflare states that we won’t be billed for traffic generated by a DDoS attack.
Does that waiver also cover any D1 queries or R2 operations that are triggered by those malicious requests passing through a Worker?
If these points are clear, we’re ready to adopt Workers for the project.
Thanks in advance!
1 Reply
Thank you for your response—I’ll use a custom domain!
Regarding my latter question (“Does the DDoS billing waiver also apply to D1/R2?”), I think it’s best to start a separate thread to avoid confusion, so I’ll do that.
Thank you!