Add worker isolation docs, update limits/pricing pages, and remove old changelog page #24275
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -2,7 +2,7 @@ | |
| pcx_content_type: concept | ||
| title: Pricing | ||
| sidebar: | ||
| order: 3 | ||
|
|
||
| --- | ||
|
|
||
|
|
||
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,55 @@ | ||
| --- | ||
| pcx_content_type: concept | ||
| title: Worker Isolation | ||
| sidebar: | ||
| order: 1 | ||
|
|
||
| --- | ||
|
|
||
| ### Untrusted Mode (Default) | ||
|
|
||
| By default, Workers inside of a dispatch namespace are considered "untrusted." This provides the strongest isolation between Workers and is best in cases where your customers have control over the code that's being deployed. | ||
|
|
||
| In untrusted mode: | ||
|
|
||
| - The [`request.cf`](/workers/runtime-apis/request/#incomingrequestcfproperties) object is not available in Workers (see [limits](/cloudflare-for-platforms/workers-for-platforms/platform/limits/#cf-object) for more information) | ||
| - Each Worker has an isolated cache space when using the Cache API | ||
| - Workers cannot access cached responses from other Workers in the namespace | ||
dinasaur404 marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| - [`caches.default`](/workers/reference/how-the-cache-works/#cache-api) is disabled for all Workers in the namespace | ||
|
|
||
| This mode ensures complete isolation between customer Workers, preventing any potential cross-tenant data access. | ||
|
|
||
| ### Trusted Mode | ||
|
|
||
| If you control the Worker code and want to disable isolation mode, you can configure the namespace as "trusted". | ||
|
||
|
|
||
| In trusted mode: | ||
|
|
||
| - The [`request.cf`](/workers/runtime-apis/request/#incomingrequestcfproperties) object becomes available, providing access to request metadata | ||
| - All Workers in the namespace share the same cache space when using the Cache API | ||
|
|
||
| :::note | ||
| In trusted mode, Workers can potentially access cached responses from other Workers in the namespace. Only enable this if you control all Worker code or have appropriate cache key isolation strategies. | ||
| ::: | ||
|
|
||
| ### Maintaining cache isolation in trusted mode | ||
| If you need access to `request.cf` but want to maintain cache isolation between customers, use customer-specific [cache keys](/workers/examples/cache-using-fetch/#custom-cache-keys) or the [Cache API](/workers/examples/cache-api/) with isolated keys. | ||
|
|
||
|
|
||
| To convert a namespace from untrusted to trusted: | ||
dinasaur404 marked this conversation as resolved.
Show resolved
Hide resolved
|
||
| ```bash | ||
| curl -X PUT "https://api.cloudflare.com/client/v4/accounts/{account_id}/workers/dispatch/namespaces/{namespace_name}" \ | ||
| -H "Authorization: Bearer {api_token}" \ | ||
| -H "Content-Type: application/json" \ | ||
| -d '{ | ||
| "name": "{namespace_name}", | ||
| "trusted_workers": true | ||
| }' | ||
| ``` | ||
|
|
||
| If you enable trusted mode for a namespace that already has deployed Workers, you'll need to redeploy those Workers for the `request.cf` object to become available. Any new Workers you deploy after enabling trusted mode will automatically have access to it. | ||
|
|
||
| ## Related Resources | ||
| * [Platform Limits](/cloudflare-for-platforms/workers-for-platforms/platform/limits) - Understanding script and API limits | ||
| * [Cache API Documentation](/workers/runtime-apis/cache/) - Learn about cache behavior in Workers | ||
| * [Request cf object](/workers/runtime-apis/request/#the-cf-property-requestcf) - Details on the cf object properties | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.