diff --git a/src/content/docs/cloudflare-for-platforms/workers-for-platforms/platform/changelog.mdx b/src/content/docs/cloudflare-for-platforms/workers-for-platforms/platform/changelog.mdx deleted file mode 100644 index dbc63cd6a79edac..000000000000000 --- a/src/content/docs/cloudflare-for-platforms/workers-for-platforms/platform/changelog.mdx +++ /dev/null @@ -1,14 +0,0 @@ ---- -pcx_content_type: changelog -title: Changelog -release_notes_file_name: - - workers-for-platforms ---- - -import { ProductReleaseNotes } from "~/components"; - -Workers for Platforms users might also be interested in [the Workers changelog](/workers/platform/changelog/) which has detailed changes to the Workers runtime and the various configuration options available to your dispatch and user Workers. - -{/* */} - - \ No newline at end of file diff --git a/src/content/docs/cloudflare-for-platforms/workers-for-platforms/platform/limits.mdx b/src/content/docs/cloudflare-for-platforms/workers-for-platforms/platform/limits.mdx index 2e8e79d5d5a399a..1a8af79c45319d1 100644 --- a/src/content/docs/cloudflare-for-platforms/workers-for-platforms/platform/limits.mdx +++ b/src/content/docs/cloudflare-for-platforms/workers-for-platforms/platform/limits.mdx @@ -2,7 +2,7 @@ pcx_content_type: concept title: Limits sidebar: - order: 1 + order: 2 --- @@ -14,7 +14,9 @@ Cloudflare provides an unlimited number of scripts for Workers for Platforms cus ## `cf` object -The [`cf` object](/workers/runtime-apis/request/#the-cf-property-requestinitcfproperties) contains Cloudflare-specific properties of a request. This field is not accessible in [user Workers](/cloudflare-for-platforms/workers-for-platforms/reference/how-workers-for-platforms-works/#user-workers) because some fields in this object are sensitive and can be used to manipulate Cloudflare features (for example, `cacheKey`, `resolveOverride`, `scrapeShield`.) +The [`cf` object](/workers/runtime-apis/request/#the-cf-property-requestinitcfproperties) contains Cloudflare-specific properties of a request. This field is not accessible in [user Workers](/cloudflare-for-platforms/workers-for-platforms/reference/how-workers-for-platforms-works/#user-workers) by default because some fields in this object are sensitive and can be used to manipulate Cloudflare features (for example, `cacheKey`, `resolveOverride`, `scrapeShield`.) + +To access the `cf` object, you need to enable [trusted mode](/cloudflare-for-platforms/workers-for-platforms/platform/worker-isolation/#trusted-mode) for your namespace. Only enable this if you control all Worker code in the namespace. ## Durable Object namespace limits diff --git a/src/content/docs/cloudflare-for-platforms/workers-for-platforms/platform/pricing.mdx b/src/content/docs/cloudflare-for-platforms/workers-for-platforms/platform/pricing.mdx index fb452274e5d2ed2..d84f4f7659d979e 100644 --- a/src/content/docs/cloudflare-for-platforms/workers-for-platforms/platform/pricing.mdx +++ b/src/content/docs/cloudflare-for-platforms/workers-for-platforms/platform/pricing.mdx @@ -2,7 +2,7 @@ pcx_content_type: concept title: Pricing sidebar: - order: 1 + order: 3 --- diff --git a/src/content/docs/cloudflare-for-platforms/workers-for-platforms/platform/worker-isolation.mdx b/src/content/docs/cloudflare-for-platforms/workers-for-platforms/platform/worker-isolation.mdx new file mode 100644 index 000000000000000..c1f8f4c003f6683 --- /dev/null +++ b/src/content/docs/cloudflare-for-platforms/workers-for-platforms/platform/worker-isolation.mdx @@ -0,0 +1,53 @@ +--- +pcx_content_type: concept +title: Worker Isolation +sidebar: + order: 1 + +--- + +### Untrusted Mode (Default) + +By default, Workers inside of a dispatch namespace are considered "untrusted." This provides the strongest isolation between Workers and is best in cases where your customers have control over the code that's being deployed. + +In untrusted mode: + +- The [`request.cf`](/workers/runtime-apis/request/#incomingrequestcfproperties) object is not available in Workers (see [limits](/cloudflare-for-platforms/workers-for-platforms/platform/limits/#cf-object) for more information) +- Each Worker has an isolated cache, when using the [Cache API](/workers/runtime-apis/cache/) or when making subrequests using `fetch()`, which egress via [Cloudflare's cache](/cache/) +- [`caches.default`](/workers/reference/how-the-cache-works/#cache-api) is disabled for all Workers in the namespace + +This mode ensures complete isolation between customer Workers, preventing any potential cross-tenant data access. + +### Trusted Mode + +If you control the Worker code and want to disable isolation mode, you can configure the namespace as "trusted". This is useful when building internal platforms where your company controls all Worker code. + +In trusted mode: + +- The [`request.cf`](/workers/runtime-apis/request/#incomingrequestcfproperties) object becomes available, providing access to request metadata +- All Workers in the namespace share the same cache space when using the Cache API + +:::note +In trusted mode, Workers can potentially access cached responses from other Workers in the namespace. Only enable this if you control all Worker code or have appropriate cache key isolation strategies. +::: + +To convert a namespace from untrusted to trusted: +```bash +curl -X PUT "https://api.cloudflare.com/client/v4/accounts/{account_id}/workers/dispatch/namespaces/{namespace_name}" \ + -H "Authorization: Bearer {api_token}" \ + -H "Content-Type: application/json" \ + -d '{ + "name": "{namespace_name}", + "trusted_workers": true + }' + ``` + +If you enable trusted mode for a namespace that already has deployed Workers, you'll need to redeploy those Workers for the `request.cf` object to become available. Any new Workers you deploy after enabling trusted mode will automatically have access to it. + +### Maintaining cache isolation in trusted mode +If you need access to `request.cf` but want to maintain cache isolation between customers, use customer-specific [cache keys](/workers/examples/cache-using-fetch/#custom-cache-keys) or the [Cache API](/workers/examples/cache-api/) with isolated keys. + +## Related Resources +* [Platform Limits](/cloudflare-for-platforms/workers-for-platforms/platform/limits) - Understanding script and API limits +* [Cache API Documentation](/workers/runtime-apis/cache/) - Learn about cache behavior in Workers +* [Request cf object](/workers/runtime-apis/request/#the-cf-property-requestcf) - Details on the cf object properties \ No newline at end of file