Source: AWS Security Architect (https://awssecurityarchitect.com/aws-public-apis/how-to-ensure-all-client-browsers-go-through-cloudflare-to-access-javascript/), Thu, 26 Jun 2025 21:43:44 +0000. Tag: EC2 hosted javascript.

How to Ensure All Client Browsers Go Through Cloudflare to Access JavaScript

1. Serve JavaScript from a Cloudflare-Proxied Domain

Start by hosting your JavaScript file behind a custom domain, such as static.yourdomain.com, and point this domain to your EC2 server, S3 bucket, or API Gateway endpoint.

Then, onboard this domain into Cloudflare and enable proxying (orange cloud icon in DNS settings). This ensures all requests to the JS file go through Cloudflare’s edge network.

2. Block Direct Access to the Origin

To prevent bypassing Cloudflare and directly hitting your origin (e.g., EC2 public IP or API Gateway URL), restrict access to only allow Cloudflare traffic.

a. On EC2 (Web Server IP Filtering)

Use Cloudflare’s IP ranges to configure your server or firewall. Only allow traffic from these ranges and deny everything else.

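# Two of Cloudflare's published ranges; add every current range from https://www.cloudflare.com/ips/
allow 173.245.48.0/20;
allow 103.21.244.0/22;
# Reject every other source address
deny all;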

You can apply these rules in your web server configuration (e.g., Nginx) or express the same allowlist as AWS EC2 security group inbound rules, which permit only the listed sources and implicitly deny everything else.

b. On API Gateway

Set up a CloudFront distribution in front of your API Gateway, and configure it so that only Cloudflare can reach CloudFront. You can enforce this using AWS WAF or Lambda@Edge to check for Cloudflare-specific headers (such as cf-connecting-ip).

3. Use a Firewall or AWS WAF to Enforce Cloudflare Traffic Only

Implement additional protections by verifying that incoming requests come from Cloudflare’s IP ranges or include a custom header added by Cloudflare (like X-From-Cloudflare: yes).

Using AWS WAF, you can block any request that doesn’t match these criteria.
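
The combined check from sections 2 and 3, sketched as an added example (not code from the original post): a request is accepted only when the TCP peer address is in a Cloudflare range and the custom header carries the expected value, because a header such as cf-connecting-ip can be set by any client that reaches the origin directly. The secret value, the function names and the sample requests are assumptions constructed for illustration, and only the two ranges quoted above are listed.

```python
import hmac
import ipaddress

# Only the two ranges quoted in this article; a real allowlist must load
# every range Cloudflare currently publishes.
CLOUDFLARE_RANGES = [
    ipaddress.ip_network("173.245.48.0/20"),
    ipaddress.ip_network("103.21.244.0/22"),
]

HEADER_NAME = "x-from-cloudflare"
# Assumption: a constructed sample secret that a Cloudflare rule adds to each
# request. On its own, a guessable value such as "yes" can be sent by any client.
HEADER_SECRET = "constructed-sample-secret-5f2c9a"


def peer_is_cloudflare(peer_ip):
    """True when the TCP peer address (not a forwarded header) is in range."""
    try:
        addr = ipaddress.ip_address(peer_ip)
    except ValueError:
        return False
    return any(addr in net for net in CLOUDFLARE_RANGES)


def header_is_valid(headers):
    """Constant-time comparison of the shared-secret header value."""
    lowered = {k.lower(): v for k, v in headers.items()}
    supplied = lowered.get(HEADER_NAME, "")
    return hmac.compare_digest(supplied.encode(), HEADER_SECRET.encode())


def allow_request(peer_ip, headers):
    """Return (allowed, reason); both checks must pass."""
    if not peer_is_cloudflare(peer_ip):
        return False, "peer address outside Cloudflare ranges"
    if not header_is_valid(headers):
        return False, "missing or incorrect X-From-Cloudflare header"
    return True, "ok"


# Constructed sample requests: (TCP peer address, request headers).
SAMPLES = [
    ("173.245.50.10", {"X-From-Cloudflare": HEADER_SECRET}),
    ("203.0.113.7", {"CF-Connecting-IP": "173.245.50.10", "X-From-Cloudflare": "yes"}),
    ("103.21.245.9", {"CF-Connecting-IP": "198.51.100.4"}),
]

if __name__ == "__main__":
    for ip, hdrs in SAMPLES:
        print(ip, allow_request(ip, hdrs))
```

The second sample is a direct-to-origin request that supplies its own cf-connecting-ip value; it is rejected on the peer address before any header is read.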

4. Add Token or Cookie Validation for Extra Security

You can make the JavaScript file accessible only when a valid token or Cloudflare-managed cookie is present. This is useful if you want to require a challenge like CAPTCHA before download.

Use Cloudflare tools such as:

  • Cloudflare Bot Management
  • Firewall Rules with Cookie or Header matching
  • Page Rules for rate limiting or access control

Summary

Step  Action
1     Host JavaScript behind a domain proxied by Cloudflare
2     Block all direct access to origin (EC2, S3, or API Gateway)
3     Allow only Cloudflare IPs via web server or security group
4     Optionally require custom headers, WAF rules, or tokens
5     Use Cloudflare features like CAPTCHA or rate limiting
