zazaboon
CDCloudflare Developers
•Created by zazaboon on 4/27/2025 in #workers-help
DDoS Protection for the Workers API, and Does the DDoS Billing Waiver Also Apply to D1/R2?
I’m using ChatGPT for this translation, so please excuse any awkward English.
I’m planning to build a game leaderboard API on the paid tier of Cloudflare Workers.
Since Workers already come with built-in DDoS protection, would you still recommend:
attaching a custom domain,
placing that domain behind Cloudflare (orange-cloud), and
adding WAF / rate-limiting rules?
Or would that be over-engineering?
(The API is called directly from the game client, so JavaScript-based protections like Turnstile aren’t an option.)
Cloudflare states that we won’t be billed for traffic generated by a DDoS attack.
Does that waiver also cover any D1 queries or R2 operations that are triggered by those malicious requests passing through a Worker?
If these points are clear, we’re ready to adopt Workers for the project.
Thanks in advance!
2 replies