Protecting worker at *.workers.dev from denial of wallet attacks?

Howdy! As far as I investigated, there are two recommended ways I found for protecting the worker. One is WAF rules; I assume this works only on the worker coming through the custom domain endpoint, while the *.workers.dev endpoint stays unprotected. The other is the rate limiter, which kind of does not solve the point of not running the worker, as the rate limit is evaluated within the worker. My understanding of the above may be incomplete too. But is there any recommended way to have a "private worker", or some recommended way to not expose the worker to curious and intentionally malicious folk? Ty
3 Replies
nrtnio (OP) • 6mo ago
Oh, I found at least that I can just disable the *.workers.dev route 🤣 Alright, for whoever is curious, answering myself: the working low-cost approach I came up with for now is having a cheap zone with one free WAF rule to rate limit all "public" workers and deploying all "public" workers there, which makes me happy to a degree, but this is surely not an ideal way, as it is not at all granular, but I guess it will do for a beggar like me. And for a private worker, I found I can do it with no routes + a service binding.
Chaika • 6mo ago
I think it's pretty ideal from a security standpoint, although it's a bit annoying to constantly set up custom domains. It's what I do at least: disable all workers.dev and force running on specific domains. Sane rate limits help. I'd consider as well which specific services are vulnerable to attack. I mean, Workers requests alone are pretty cheap at $0.30 per million; $100 of requests is some ~333 million.
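The layout nrtnio and Chaika describe, as an added example that is not code from the thread or from Cloudflare: a "public" Worker reachable only on a custom domain (workers.dev disabled), applying a rate limit and then calling a "private" Worker that has no routes and no workers.dev endpoint, over a service binding. The names `api.example.com`, `PRIVATE`, `RATE_LIMITER`, `private-worker` and the wrangler.toml fragment in the comments are assumptions for illustration; the Rate Limiting binding's `limit({ key }) -> { success }` shape and the `[[unsafe.bindings]]` stanza are as documented by Cloudflare at the time of writing, so check the current docs before copying. The mock limiter and mock env at the bottom exist only so the logic runs offline under Node 18+.

```javascript
// Assumed wrangler.toml for the public Worker (hypothetical names):
//
//   name = "public-api"
//   main = "src/index.js"
//   workers_dev = false                     # no *.workers.dev endpoint at all
//   routes = [{ pattern = "api.example.com", custom_domain = true }]
//
//   [[services]]
//   binding = "PRIVATE"
//   service = "private-worker"              # that Worker: workers_dev = false, no routes
//
//   [[unsafe.bindings]]
//   name = "RATE_LIMITER"
//   type = "ratelimit"
//   namespace_id = "1001"
//   simple = { limit = 100, period = 60 }   # 100 requests per key per minute

const ALLOWED_HOSTS = new Set(["api.example.com"]); // assumed custom domain

// Public Worker entry point. By the time this runs the Worker has already
// been invoked (and billed), which is the OP's point: an in-Worker rate
// limit protects the private Worker and whatever it calls, not this invocation.
async function handleRequest(request, env) {
  const url = new URL(request.url);

  // Defence in depth: if workers.dev were re-enabled by mistake, refuse
  // anything not arriving on the intended custom domain before spending a
  // rate-limit token on it.
  if (!ALLOWED_HOSTS.has(url.hostname)) {
    return new Response("not found", { status: 404 });
  }

  // Per-client budget keyed on the connecting IP.
  const clientKey = request.headers.get("cf-connecting-ip") ?? "unknown";
  const { success } = await env.RATE_LIMITER.limit({ key: clientKey });
  if (!success) {
    return new Response("rate limited", { status: 429, headers: { "retry-after": "60" } });
  }

  // The service binding is the only path into the private Worker: it has no
  // public hostname, so there is nothing for an outsider to hammer directly.
  return env.PRIVATE.fetch(request);
}

const worker = { fetch: handleRequest }; // would be `export default` in a real Worker

// --- Offline stand-ins (constructed for this example) ---

// Fixed-window counter mimicking the binding's limit({ key }) -> { success }.
function makeFixedWindowLimiter(limit) {
  const counts = new Map();
  return {
    limit({ key }) {
      const n = (counts.get(key) ?? 0) + 1;
      counts.set(key, n);
      return { success: n <= limit };
    },
  };
}

function makeMockEnv(limit) {
  return {
    RATE_LIMITER: makeFixedWindowLimiter(limit),
    PRIVATE: { fetch: async () => new Response("private ok", { status: 200 }) },
  };
}

// Three requests from one IP with a budget of two, then one stray request to
// a workers.dev hostname. Returns the status codes in order.
async function demo() {
  const env = makeMockEnv(2);
  const statuses = [];
  for (let i = 0; i < 3; i++) {
    const req = new Request("https://api.example.com/v1/thing", {
      headers: { "cf-connecting-ip": "203.0.113.7" }, // RFC 5737 documentation address
    });
    statuses.push((await worker.fetch(req, env)).status);
  }
  const stray = new Request("https://public-api.example.workers.dev/v1/thing", {
    headers: { "cf-connecting-ip": "203.0.113.8" },
  });
  statuses.push((await worker.fetch(stray, env)).status);
  return statuses; // [200, 200, 429, 404]
}

if (typeof require !== "undefined" && require.main === module) demo().then(console.log);
```

The 404 branch is the cheap part of the defence and costs nothing beyond the invocation itself; the granular control nrtnio wanted per worker lives in the `simple = { limit, period }` stanza, which is per Worker rather than per zone, while the zone-level WAF rate-limiting rule mentioned in the thread is what stops the invocation from being billed at all.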
nrtnio (OP) • 6mo ago
@Chaika if I want to make myself bankrupt because I can and nobody knows who I am, I can generate that 🙂 I would be glad to see the same basic rate limiter per worker as I get with the free domain plan, though, and some big fat warning. Having some paid worker plan, just posting the hobby link here already exposes you to unpleasant surprises, but myworkers.cc or myslaves.xyz is almost giving that as well; there should be some big fat warning at least somewhere in the docs.