[kentonv]

To clarify:

- Workers run in the colo that received the request. We currently literally have no capability to forward Workers requests to other colos. (It's possible we'll introduce that in the future, but it's not the case today.)

- Enabling Workers does not affect how your traffic is routed to colos. So if you're seeing Workers requests not going to the closest colo today, then regular non-Workers requests wouldn't either.

It sounds like the issue here is that your base Cloudflare plan is the "free" plan (confusingly-named because you're separately paying $5/month for workers on top of that).

When we have a colo that doesn't have enough capacity to handle all the local traffic, we often route free-plan traffic away from it, and they end up landing at the next-closest colo. This is completely unrelated to Workers -- it applies to any kind of Cloudflare traffic. If you upgrade to a higher plan level (e.g. pro at $20/month), you should see this happen much less often, if ever.

Sorry that this is confusing! We should probably document this better.

(I'm the lead engineer on Workers.)

[simonebrunozzi]

Kenton, what a great response.

I worked in tech for the past ~20 years and I've seen my fair share of exchanges like this one; your answer contains essentially everything I would have recommended:

- you clarified the issue

- you didn't take anything personally, but used a humble and warm approach to "defuse" the "rant"

- you admit the limitations of your company's current approach and immediately provide suggestions on how they can be improved (e.g. free plan being "confusingly-named", "We should probably document this better").

Only thing you might be missing is:

- Contact me at $email if I can be of further help

In any case, well done. Cloudflare has a great reputation and you are making it look even better.

[gravyboat]

Hey Kenton. I recently migrated a few of my static sites to Workers and was hoping you could clarify what the teams plan is around security headers. The only documentation I could find was some random blog post from 2 years ago that didn't help as the way workers function has changed since then and it's no longer as simple as just dropping in a few lines of code.

I'd love to easily configure security headers so my sites are getting good ratings again, but I couldn't find it in the documentation and it doesn't seem like there's been any update to support this. Is your team working on making security headers easier to enable for workers or is there something I missed for setting this up?

[kentonv]

Hi! Hmm, not sure I understand. In a Worker, you can set whatever headers you want on the response, in code. What problem are you running into exactly? What do you mean when you say "the way workers function has changed"?

[gravyboat]

Sorry if I wasn't clear. Yes I understand I can set whatever headers I want in a response via the edit options for my workers. The problem I'm running in to is that I created a worker for a static site and it has a massive 1 line JS blob for the script section that I have to go through to set this. I never created this, it's just what was set up when I used Wrangler to deploy my static site.

This is fine except it's a huge hassle to modify and I'm actually a bit surprised that by default workers don't use secure headers. I figured they would since they're pretty standard now and I'd rather have to disable them if I needed then to manually configure them. If someone isn't familiar with security headers there's also a good chance they would deploy their site and never enable them which makes sites running on workers less secure by default.

I'm going off this several year old blog post: https://scotthelme.co.uk/security-headers-cloudflare-worker/ that talks about how to set this up and it seems like functionality has changed a bit since then, or maybe I am misunderstanding their screenshots. Outside of this I can't find any documentation from Cloudflare about setting these headers that is more recent, or what I would need to set for a new worker that has recently been created to get this functionality.

So I guess my question is two fold, are there plans to make it easier to enable secure headers than to manually modify the worker itself? My plan is to do that currently once I stop slacking and decide to just parse this giant JS blob.

My second question is are there any plans to add documentation around functionality such as this? I was really shocked to see that secure headers weren't something that's simply enabled by default and even more so when I looked through the docs and didn't see any examples on how to set them up. Maybe my use case is niche, but I thought secure headers were pretty standard at this point.

[kentonv]

Hmm, it sounds like you originally deployed your site using Wrangler, but then you tried to edit it in the online editor. The code you saw was minified -- not intended to be edited directly.

The right way to edit the worker code is on your local machine before using wrangler to publish it. There should be a file in your project directory like `workers-site/index.js` which is your worker code in easily-editable format.

BTW, this file was copied from a template when you first generated the project. Earlier this year we updated the template to set several security headers:

https://github.com/cloudflare/worker-sites-template/commit/8...

But if you generated your project before that, you probably still have the old code. If you haven't made any changes yourself, you might want to regenerate your project so that it uses the latest template.

[gravyboat]

Okay that makes more sense and is just my bad then. I hadn't even looked at the index thoroughly as the minified JS correlated to the `workers-site/worker/script.js` and I didn't realize the index.js was responsible for generating that based on content mismatch.

I generated my worker the second week of May so it's totally possible that this wasn't in the release I generated with. Thanks for pointing out that the template had been updated.