Implement a WAF (Firewall Security)

Anonymous

2 years ago

Implement a security system to protect against common OWASP attacks against each of the servers that we have exposed on the network, where you can have a firewall with a set of rules, black and white lists, etc.

18 Replies

☝️ Bump +1

Although, I think an easy-win solution would be allowing us to lock to Cloudflare's IP addresses, which will allow us to proxy from Cloudflare, then use their WAF, DDoS, Rate Limiting, etc.

Simple to implement from your guys' end, no need to build out complex UIs or networking infrastructure.


raflymln
TRIAL

a year ago

Bump!

I think Railway needs to implement their own WAF & DDoS protection. In my case, Cloudflare DDoS protection needs some time to activate; during that interval, the incoming attack will get through to the origin server, and if Railway doesn't have internal protection against such attacks, the attacks will then be charged to our own account, and it doesn't seem fair for the user to pay any amount for unexpected/unwanted requests.

I agree with the Cloudflare IP lock solution at least for now, but in the future I hope that Railway has its own protection like Vercel/OVH did.


pezzullig
PRO

6 months ago

Bump x2

We just got attacked and I would love a Railway Native WAF! In the meantime I will have to look at Cloudflare WAF, does that work with Railway or not?


zed077
PRO

4 months ago

Same here. Railway should provide a standard WAF component. Cybercrime is all too common.


thethrivingvillage
HOBBY

4 months ago

Bump +1.

I just put a service up and started getting flooded with spam requests.


thethrivingvillage

Bump +1. I just put a service up and started getting flooded with spam requests.

davidcaluag
FREE

4 months ago

say wallah im not tryna pay money for ppl spamming requests ; - ;


4 months ago

I think this is something we wanna keep our eye on. We tend to be pretty tight lipped about our ability to mitigate DDoS attacks, as it’s not a true WAF, but it’s something to be mindful of.


antoniohreyes
HOBBY

3 months ago

Bump +1. I think we need Railway to be secure by default, plus options to handle things in case of an attack.


pezzullig

Bump x2. We just got attacked and I would love a Railway Native WAF! In the meantime I will have to look at Cloudflare WAF, does that work with Railway or not?

akount
PRO

3 months ago

Same question. We need security in the form of a firewall 100%, is Cloudflare the only way?


akount

Same question. We need security in the form of a firewall 100%, is Cloudflare the only way?

akount
PRO

3 months ago

Does Cloudflare work fully with Railway?


maiertech
HOBBY

3 months ago

The moment I assigned a custom domain to a service, I started seeing HTTP requests like GET /.git/config in the HTTP Logs. Not excessive, but a few times per day. I would like to be able to block IP addresses that misbehave. I am not a fan of using Cloudflare WAF because I would like to use Railway to not have to use Big Tech.


ali-eljerrari
PRO

2 months ago

Railway really, really needs WAF protection, it is to deploy reverse proxy and control it, if it is built-in, that would be a plus mark for Railway.


iiskakov
PRO

2 months ago

Bump. This seems like a good product feature to have!


david-torres
HOBBY

2 months ago

My site is spammed non-stop with garbage requests from "security" scanners. I've implemented some basic security middleware in my app to just ban these IPs, but please implement some basic throttling of requests when a single IP is generating hundreds of 400s/500s to a single host.
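
The two posts above describe blocking IPs that send probes such as GET /.git/config and throttling an IP that generates hundreds of 400s/500s. The following is an added example of that logic, not code from the thread or from Railway. The class name, the thresholds and the extra "/.env" prefix are assumptions.

```python
import time
from collections import defaultdict, deque

# "/.git/" comes from the probe quoted in the thread; "/.env" is an assumed extra.
PROBE_PREFIXES = ("/.git/", "/.env")

class ErrorRateGuard:
    """Bans an IP that probes known paths or piles up 4xx/5xx responses."""

    def __init__(self, max_errors=100, window=60.0, ban_for=900.0,
                 clock=time.monotonic):
        # Thresholds are assumptions; tune them to your own traffic.
        self.max_errors, self.window, self.ban_for = max_errors, window, ban_for
        self.clock = clock
        self.errors = defaultdict(deque)  # ip -> timestamps of recent errors
        self.banned_until = {}            # ip -> time at which the ban expires

    def is_banned(self, ip):
        """Check before handling a request; expired bans are dropped."""
        until = self.banned_until.get(ip)
        if until is not None and self.clock() >= until:
            del self.banned_until[ip]
            return False
        return until is not None

    def _ban(self, ip, now):
        self.banned_until[ip] = now + self.ban_for
        self.errors.pop(ip, None)
        return True

    def record(self, ip, path, status):
        """Call after each response; returns True if this one triggers a ban."""
        now = self.clock()
        if path.startswith(PROBE_PREFIXES):
            return self._ban(ip, now)
        if status < 400:
            return False
        recent = self.errors[ip]
        recent.append(now)
        while now - recent[0] > self.window:  # slide the window forward
            recent.popleft()
        return self._ban(ip, now) if len(recent) >= self.max_errors else False

if __name__ == "__main__":
    guard = ErrorRateGuard(max_errors=3)
    # Constructed sample traffic (documentation-range IPs), not real logs.
    for ip, path, status in [("203.0.113.5", "/a", 404), ("203.0.113.5", "/b", 500),
                             ("203.0.113.5", "/c", 400), ("192.0.2.9", "/.git/config", 404)]:
        print(ip, path, status, "banned" if guard.record(ip, path, status) else "ok")
```

State is kept per process, and the IP passed in must be the real client address: behind a proxy, take it from a forwarding header only when that proxy is trusted, otherwise the guard bans the proxy or can be bypassed with a spoofed header.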


akohout
PRO

2 months ago

I would also love to have it provided by Railway (which I'm happy to pay for) for the sake of simplicity. Using an additional external service just makes the thing bigger. However, if that option is too far away, I would also compromise for having a "privileged third party solution" like Cloudflare, where you guys at least offer a quick documentation for how to make it work best with Railway.


karanshukla
HOBBY

a month ago

I came across a service known as Anubis which blocks bots which you can deploy to Railway. I've written a starting guide here if anyone is interested: https://arankays.medium.com/configuring-a-react-application-on-railway-with-free-bot-protection-096c7e49d34c


gamerkingfaiz
HOBBY

21 days ago

Just piling on in that a native WAF would be really nice!


Anonymous
HOBBY

20 hours ago

+1


Implement a WAF (Firewall Security) - Railway Help Station