Control cache access with WAF and Snippets
To limit access to the public bucket created for caching content, you can use Cloudflare’s WAF. The WAF provides an additional security layer to filter requests and ensure that only authorized traffic reaches your bucket.
The following diagram illustrates the flow of a user’s request through WAF, Cache, and R2.
flowchart LR accTitle: Connections with Cloudflare A[User's request] --> B[WAF] --> C[Cache] --> D[R2]
The WAF product uses token authentication to either sign or authenticate a request. You can then use this in either Workers or Snippets to control access.
You can presign URLs similar to S3 ↗, enabling you to share direct access to your content with a with an associated timeout. This approach can be implemented using a combination of Snippets, Rules, or Cloudflare Workers.
For optimal performance, we recommend separating the creation and validation processes as follows:
In the Workers documentation, in the section Signing requests, you can also find an example of how to verify a signed request using the HMAC.