Example, I have website called https://api.example.com
Howdy @alirzadev and welcome to our community! Sorry we’ve been rather slow to get back to you!
Short answer is: Our proxying does not do anything to expose OR protect your remote site.
when you proxy, we:
- send the browser request with all of its http headers, body, etc to the remote service as is. We do add a few headers, like
X-BB-Ipto tell you things like the originating browser IP that get “hidden” since our system technically makes the request and thus the connection comes from our server, not the browser, but otherwise, it is sent as is
- relay the response to the browser as-is, from your server. We again add an http header or two - e.g. an
x-nf-request-idso that we can correspond a specific request to our internal logs, but we don’t materially change the response. This means we don’t do any of the following:
- say the request was proxied - the visitor will never know!
- say anything about where it was proxied to.
Re: protection, we intend to allow all traffic to reach your site. a DDoS looks a lot like a super bowl commercial or a shark tank launch. We will do our best to forward all traffic, unless we get tens of thousands of requests and it impacts the rest of our system. So no protection against floods is provided or intended - those could be legitimate traffic from our point of view.