workers.dev spam
My workers are receiving a lot of spam lately on the workers.dev routes. Should they be disabled or is there a better way to handle it?
5 Replies
Disabling is the best way.
It is because bots scrape the certification issue list so they see the ones issued to your dev domain
Ok, thanks. That was my guess. I could not see the FQDN in the TLS certificate. But maybe I looked in the wrong place.
The TLS certificate does not contain the FQDN. So somebody thought about this but then something happend.
what are you talking about? There's a unique wildcard cert for every worker, here's a few examples: https://crt.sh/?q=tylerobrien.workers.dev
crt.sh | tylerobrien.workers.dev
Free CT Log Certificate Search Tool from Sectigo (formerly Comodo CA)
Yes, that is my conclusion too. So, the FQDN is not in the public certificate. But then there is an ordering process... Maybe the theory is a wild goosechase but somehow bots are finding the FQDN for my workers.
I think the certificate idea is wrong since the same certificate is used across different workers on the same subdomain. Not great that the workers.dev urls are enabled by default when there is no way to secure them from bots.