Securing a Cloudflare-Proxied Server Against Unauthorized Frontend Requests

System Overview:
You have three components under your control:
1. A relay server (public-facing, Cloudflare-proxied).
2. A web server that dynamically generates frontend code (HTML/JS).
3. A frontend that embeds JavaScript (from the web server) to fetch data from the relay server.
Problem:
Malicious users can:
- Discover your relay server’s public domain.
- Tamper with the frontend’s embedded JavaScript (e.g., modifying API calls or parameters).
- Spam/abuse the relay server directly with unauthorized requests.
Goal:
Ensure the relay server only processes requests from your unmodified frontend code, while blocking requests from altered or unauthorized clients. MAINLY, THE REQUEST BLOCKING HAPPENS ON THE CLOUDFLARE SIDE.
1 Reply
/dev/null (OP), 5d ago
Here is my hypothetical solution: In the CF service, there is a feature to block requests based on URL queries. One of the options is a condition based on a regex pattern. If it matches, the request is forwarded to a relay server; otherwise, it is blocked. I'm thinking about whether a complex regex pattern can be used as a key for data authenticity. This regex pattern would be provided to the web server, which would then generate a string that always matches the condition. The CF service would check the regex pattern, so the attacker couldn’t easily bypass it and hit the relay server. The request would already be blocked by the CF. So, is it valid to use a complex regex pattern as an authentication key?
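
Added example, not part of the thread: a comparison of the regex-match check described above with a keyed, expiring token, to show which properties each check actually enforces. The pattern, key, path and token layout are all constructed for illustration and are not Cloudflare's own format.

```python
import hashlib
import hmac
import re

# Everything below is constructed for illustration (assumed pattern, key, path).
PATTERN = re.compile(r"[a-f0-9]{8}-k[0-9]{4}x[A-Z]{6}")  # the "complex regex" used as a key
KEY = b"constructed-demo-key-shared-by-web-server-and-edge"
TTL = 300  # seconds a signed token stays valid

def regex_check(token: str) -> bool:
    """Edge rule in the regex scheme: forward when the query value matches."""
    return PATTERN.fullmatch(token) is not None

def sign(path: str, now: int) -> str:
    """Web server side: token = '<unix time>-<hex HMAC-SHA256(key, path|time)>'."""
    mac = hmac.new(KEY, f"{path}|{now}".encode(), hashlib.sha256).hexdigest()
    return f"{now}-{mac}"

def hmac_check(path: str, token: str, now: int) -> bool:
    """Edge side: reject stale timestamps, then recompute the MAC for this path."""
    ts, _, mac = token.partition("-")
    if not (ts.isascii() and ts.isdigit()) or not 0 <= now - int(ts) <= TTL:
        return False
    expected = hmac.new(KEY, f"{path}|{ts}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac.encode(), expected.encode())

def compare(now: int = 1_700_000_000) -> dict:
    issued = "deadbeef-k1234xABCDEF"    # value the web server embedded in a page
    unissued = "00000000-k0000xAAAAAA"  # same shape, never issued by the web server
    token = sign("/api/data", now)
    return {
        # The regex only tests shape: any string in its language passes, forever.
        "regex_issued": regex_check(issued),
        "regex_unissued": regex_check(unissued),
        # The MAC depends on a key the client never sees, the path, and the time.
        "hmac_valid": hmac_check("/api/data", token, now + 10),
        "hmac_other_path": hmac_check("/api/admin", token, now + 10),
        "hmac_expired": hmac_check("/api/data", token, now + TTL + 1),
        "hmac_forged": hmac_check("/api/data", f"{now}-{'0' * 64}", now),
    }

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:16} {result}")
```

Cloudflare's rules language includes an HMAC validation function (`is_timed_hmac_valid_v0`) whose token layout differs from this sketch. Either way the token is visible to the browser, so it limits what an issued token can be used for and for how long, not whether the frontend code was modified.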
