Preventing HTTPS inspection on workers?
Is it even possible?
I have some workers and I don’t want people to inspect my requests and see the logic I use in these workers.
So is there a way to prevent and block tools like Proxyman, Charles Proxy, etc?
Thanks
4 Replies
That already is a thing
Workers are a server-side execution thing. They don't get sent to the client in any form, only what you want to send to the client is sent.
No tool can see worker content.
Actually what I ask is if it’s possible to detect and block HTTPS inspection on my workers. Here’s a simple use case: i have a domain with a worker attached that redirects to an offer url so if I add that domain to Instagram link in bio, when someone tap on the link, the offer url. So if I use Proxyman on my phone and go to that IG profile and tap the link in bio, Proxyman will show me in response the location header with that offer url. I want to prevent that.
No, there's no way. They're just a proxy with logging, they aren't doing anything special and don't give any indication of being used
You get the same data from dev tools, which while detectable is very easy to use even with detection tooling
I was thinking of a combination of HTTP version and TLS Cipher presented when the worker is accessed directly by a device and behind Proxyman and similar. This should give me an idea of what the TLS Cipher should contain and HTTP version should be 2 and higher. Will this be easily avoidable?
Btw, does using Full (Strict) SSL has any benefits when my setup is using just a Cloudflare worker attached to a domain? From what I see, for this setup Flexible should be use as it encrypts only between visitor and Cloudflare (worker).