In production, Cloudflare Workers attaches the following header to all outgoing requests:
cf-worker: <slug>.workers.dev
This is extremely useful for identifying the worker making the request, but is also used by various services to block workers. That's totally understandable on their part, but when developing in local mode, this header is not attached.
This can result in some pretty gnarly experiences when building an application entirely locally, everything working as expected, and then deploying to production workers and being hit with 403s or other errors from external services now that cf-worker is attached as a header.
One quick example is some Steam endpoints:
$ curl -I "https://steamcommunity.com/openid/login?openid.mode=check_authentication"
HTTP/1.1 200 OK
vs in workers prod:
$ curl -I "https://steamcommunity.com/openid/login?openid.mode=check_authentication" --header "cf-worker: foo"
HTTP/1.1 403 Forbidden
Is this something workerd should emulate when running locally? Or perhaps miniflare/wrangler to better represent a real world environment?
In production, Cloudflare Workers attaches the following header to all outgoing requests:
This is extremely useful for identifying the worker making the request, but is also used by various services to block workers. That's totally understandable on their part, but when developing in local mode, this header is not attached.
This can result in some pretty gnarly experiences when building an application entirely locally, everything working as expected, and then deploying to production workers and being hit with 403s or other errors from external services now that
cf-workeris attached as a header.One quick example is some Steam endpoints:
$ curl -I "https://steamcommunity.com/openid/login?openid.mode=check_authentication" HTTP/1.1 200 OKvs in workers prod:
Is this something
workerdshould emulate when running locally? Or perhaps miniflare/wrangler to better represent a real world environment?