How to determine if a worker request is from a service binding vs external HTTP?
If I have a worker that I want to behave differently when invoked via service binding instead of outside http, how can I tell with certainty which method invoked it?
The use case here is to bypass auth and bot filtering measures on service binding calls that we know came from our network.
2 Replies
I don't think there's a native way. You could attach a custom header, as well as I believe you can technically attach arbitrary properties to
request.cf too if that's preferred.Thanks for the ideas James! 🙇♂️
If anybody comes across here in the future, I am using secret store to store an api key. If the incoming request has no
cf header and it has an x-internal-request-key header (I made this name up) with a value equal to the secret store api key, I let the request through and skip bot protection and jwt validation.
Otherwise, if cf is on the headers I know it came from an external source and I process it that way.
I do not think anybody can "spoof" the destruction of cf headers, CF will attach them to all external requests. But they simply do not exist on service binding fetch requests.