2 years ago
Implement a security system to protect against common OWASP attacks against each of the servers that we have exposed on the network, where you can have a firewall with a set of rules, black and white lists, etc.
27 Replies
2 years ago
☝️ Bump +1
Although, I think an easy-win solution would be allowing us to lock to Cloudflare's IP addresses, which will allow us to proxy from Cloudflare, then use their WAF, DDoS, Rate Limiting, etc.
Simple to implement from your guys' end, no need to build out complex UIs or networking infrastructure.
2 years ago
Bump!
I think Railway needs to implement their own WAF & DDoS protection. In my case, Cloudflare DDoS protection needs some time to activate; in that interval, the incoming attack will get through to the origin server, and if Railway doesn't have internal protection against such attacks, the attacks will then be charged to our own account, and it doesn't seem fair for the user to pay any amount for unexpected/unwanted requests.
I agree with the Cloudflare IP lock solution at least for now, but in the future I hope that Railway has its own protection like Vercel/OVH did.
a year ago
Bump x2
We just got attacked and I would love a Railway Native WAF! In the meantime I will have to look at Cloudflare WAF, does that work with Railway or not?
a year ago
Same here. Railway should provide a standard WAF component. Cybercrime is all too common.
a year ago
Bump +1.
I just put a service up and started getting flooded with spam requests.
a year ago
say wallah im not tryna pay money for ppl spamming requests ; - ;
a year ago
I think this is something we wanna keep our eye on. We tend to be pretty tight lipped about our ability to mitigate DDoS attacks, as it’s not a true WAF, but it’s something to be mindful of.
10 months ago
Bump +1. I think we need Railway to be secure by default and to have options to handle things in case of attack.
10 months ago
same question. we need security in the form of a firewall 100%, is cloudflare the only way?
10 months ago
does cloudflare work fully with railway?
10 months ago
The moment I assigned a custom domain to a service, I started seeing HTTP requests like GET /.git/config in the HTTP Logs. Not excessive, but a few times per day. I would like to be able to block IP addresses that misbehave. I am not a fan of using Cloudflare WAF because I would like to use Railway to not have to use Big Tech.
10 months ago
Railway really, really needs WAF protection, it is to deploy reverse proxy and control it; if it is built-in, that would be a plus mark for Railway.
9 months ago
my site is spammed non-stop with garbage requests from "security" scanners. I've implemented some basic security middleware in my app to just ban these IPs but please implement some basic throttling of requests when a single IP is generating hundreds of 400s/500s to a single host.
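The kind of per-IP throttling asked for in the post above, sketched as an added example that is not part of the original post or Railway's code. The class name `ErrorThrottle`, the thresholds and the log tuples are assumptions made for illustration, and the client IP is assumed to be already resolved from a trusted proxy header.

```python
from collections import defaultdict, deque

class ErrorThrottle:
    """Ban a client IP once it produces too many 4xx/5xx responses in a window."""
    def __init__(self, max_errors=5, window=60.0, ban_seconds=600.0):
        self.max_errors = max_errors
        self.window = window
        self.ban_seconds = ban_seconds
        self._errors = defaultdict(deque)   # ip -> timestamps of recent error responses
        self._banned_until = {}             # ip -> time at which the ban expires

    def is_banned(self, ip, now):
        until = self._banned_until.get(ip)
        if until is None or now >= until:   # never banned, or the ban has expired
            self._banned_until.pop(ip, None)
            return False
        return True

    def record(self, ip, status, now):
        """Record one response; return True if this response triggered a ban."""
        if status < 400 or self.is_banned(ip, now):
            return False
        hits = self._errors[ip]
        hits.append(now)
        while hits and hits[0] <= now - self.window:   # drop hits outside the window
            hits.popleft()
        if len(hits) >= self.max_errors:
            self._banned_until[ip] = now + self.ban_seconds
            del self._errors[ip]
            return True
        return False

# Constructed sample access log: (seconds, client IP, path, status).
SAMPLE_LOG = (
    [(t, "203.0.113.7", "/.git/config", 404) for t in range(0, 10, 2)]
    + [(3, "198.51.100.20", "/", 200), (4, "198.51.100.20", "/missing", 404),
       (30, "203.0.113.7", "/", 200), (700, "203.0.113.7", "/", 200)]
)

def replay(log, throttle):
    """Replay entries in time order; return [(time, ip, 'ok' | 'ban' | 'blocked')]."""
    out = []
    for t, ip, _path, status in sorted(log):
        if throttle.is_banned(ip, t):
            state = "blocked"               # middleware would reject before handling
        else:
            state = "ban" if throttle.record(ip, status, t) else "ok"
        out.append((t, ip, state))
    return out
```

In a real middleware, `is_banned` runs before the handler and `record` runs after the response status is known; a single stray 404 from a normal visitor stays well below the threshold.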
9 months ago
I would also love to have it provided by Railway (which I'm happy to pay for) for the sake of simplicity. Using an additional external service just makes the thing bigger. However, if that option is too far away, I would also compromise for having a "privileged third party solution" like Cloudflare, where you guys at least offer a quick documentation for how to make it work best with Railway
9 months ago
I came across a service known as Anubis which blocks bots which you can deploy to Railway. I've written a starting guide here if anyone is interested: https://arankays.medium.com/configuring-a-react-application-on-railway-with-free-bot-protection-096c7e49d34c
8 months ago
Just piling on in that a native WAF would be really nice!
7 months ago
+1
7 months ago
This is reasonable. We'd love to look into this as early as next quarter :)
7 months ago
nice request!
6 months ago
I have a similar situation that requires this — I have a service being built that needs to process files uploaded from users. Given that the users could try to upload malicious code that could compromise the container / service, I would like to block the service from being able to make any outbound requests (or at the very least, have a whitelist). This would protect other services in the network, the database, etc. from being compromised.
This firewall would be per service — or service group, etc.
4 months ago
Hey guys, I wrote a guide on how to go about this https://medium.com/@dasfacc/firewall-your-railway-app-with-cloudflare-4709b287c494?sk=7525c83b10a67dc285563bb5e2da8008
Uses cloudflared to tunnel the traffic into railway.
I still agree that it would be a nice plus to be able to manage this directly on railway but the solution is easy enough and doesn't cost anything.
4 months ago
Very useful, thanks!
22 days ago
Bump! This remains a blocker for migrating our services to Railway. We'd either need a built-in WAF or, as others have suggested, a way to whitelist the IPs allowed to hit external services (e.g. restrict to Cloudflare's range).
22 days ago
hey @zack, not necessarily restrict access to cloudflare's range, simply tunnel the traffic through cloudflare, the range or otherwise access rules can be whatever you like, tunneling through cloudflare simply means they can't reach your service without passing through cloudflare (i.e. cloudflare is your firewall)
you can do this with other services as well, you could do it with aws if you wanted to, cloudflare is just the easiest and their whole shtick is access and security so it makes sense
Status changed to Planned angelo-railway • 21 days ago
21 days ago
Sorry for the late ACK on this, now since we have "smart networking" that's backing our network flows feature. (https://railway.com/changelog/2026-01-30-db-metrics) We are looking into shipping a global fast edge and then we can open up the firewall rules externally for all of you all.
Appreciate the patience but should come next quarter.
20 days ago
even to accept aws cloudfront or cloudflare IPs and close others can be enough as a starting point