Custom Security Header

As a precaution against distributed denial of service (DDoS) attacks, I allow access to my websites only through Cloudflare. Direct access – for example using my IP address – is not permitted. I put a bit of code in my htaccess file that checks to see if the Cloudflare IP Country header is present. That worked fine but would be pretty easy for a determined bad guy, gal, nonbinary person, or bot to defeat – especially since I posted here about it.

Recently CF added a Transform Rule feature. The great features that CF makes available on their free tier consistently amaze me. Using a Transform Rule, I can create a custom, secret request header which I can then check for using htaccess. Something like this …

In CF:

I didn’t really want or need the first, Tor part – but could not find a way around it. It adds the benefit of an extra block on Tor traffic, 95% of which is malicious.

In htaccess:
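
An added example of the two checks described in this post, side by side; it is not the author's own rule set. The header name `X-Origin-Secret` and its value are placeholders chosen for illustration, and mod_rewrite is assumed to be enabled.

```apache
# Added example. X-Origin-Secret and its value are placeholders; use the
# header name and the long random value configured in the Transform Rule.
# No <IfModule> wrapper on purpose: if mod_rewrite is missing, Apache
# returns an error instead of silently serving the site unprotected.
RewriteEngine On

# Earlier check (left commented out): it only tests that Cloudflare's
# country header is present. A client connecting straight to the origin
# can add that header itself, so it proves nothing about the request path.
# RewriteCond %{HTTP:CF-IPCountry} ^$
# RewriteRule ^ - [F,L]

# Secret-header check: the value must match exactly. A request without the
# header expands to an empty string, which does not match, so it gets 403.
RewriteCond %{HTTP:X-Origin-Secret} !=REPLACE_WITH_LONG_RANDOM_VALUE
RewriteRule ^ - [F,L]
```

To confirm the rule is active, request the site directly at the origin without the header and check for a 403, then check that the same page loads normally through Cloudflare.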
