availability

Package: Invicti AppSec Core (on-demand)

NTA with Cloudflare Worker

This document walks you through deploying the Invicti Network Traffic Analyzer (NTA) Cloudflare Worker to monitor and forward HTTP traffic for API discovery.

Why this matters

APIs exposed at the edge are often undocumented and easy to overlook. By deploying the NTA as a Cloudflare Worker, you capture real traffic at the point where it enters your infrastructure, discovering APIs automatically without any changes to your application code.

Prerequisites

Before deploying, ensure you have:

Node.js (v16 or later recommended) installed
Git installed
A Cloudflare account with Worker administrator rights:
- Worker Scripts: Edit
- Zone Settings: Read
- (Optional) DNS: Edit if assigning a route to a custom domain
A domain registered with Cloudflare
Cloudflare Wrangler command-line tool installed:

npm install -g wrangler

A Kubernetes-hosted NTA instance running and reachable over HTTPS

Step 1: Clone the repository and install dependencies

Run this command to clone the Invicti NTA Cloudflare worker:

git clone https://github.com/Invicti-Security/Invicti-NTA-Cloudflare-Worker.git
cd Invicti-NTA-Cloudflare-Worker

Running this command installs all required packages listed in package.json:

npm install

Step 2: Configure environment variables

Update your wrangler.toml file to audit or edit the following configuration variables. You can also do it via Cloudflare UI, see below:

[vars]
NTA_TELEMETRY_ENDPOINT = "https://your-nta-instance.example.com/api/telemetry"
MAX_API_REQUEST_BODY_SIZE = 262144
MAX_API_RESPONSE_BODY_SIZE = 1048576
EXCLUDED_HTTP_STATUS_CODES = "1xx,3xx,4xx,5xx"
EXCLUDED_HTTP_METHODS = "CONNECT,OPTIONS,TRACE"
EXCLUDED_TRAFFIC_WITH_HEADERS = ""

NTA Telemetry endpoint configuration

Where NTA_TELEMETRY_ENDPOINT:

Must be an HTTPS URL of NTA server endpoint (API endpoint is /api/telemetry)
- If not, Cloudflare does not transmit telemetries to this server
Should point to Invicti, which receives traffic data from the worker
Self-signed certificates are not supported

Variable	Description
`NTA_TELEMETRY_ENDPOINT`	The HTTPS URL of your NTA instance (endpoint path: `/api/telemetry`). Self-signed certificates aren't supported.
`MAX_API_REQUEST_BODY_SIZE`	Maximum request body size in bytes. Default: `262144`.
`MAX_API_RESPONSE_BODY_SIZE`	Maximum response body size in bytes. Default: `1048576`.
`EXCLUDED_HTTP_STATUS_CODES`	Comma-separated list of HTTP status codes to exclude from capture.
`EXCLUDED_HTTP_METHODS`	Comma-separated list of HTTP methods to exclude from capture.
`EXCLUDED_TRAFFIC_WITH_HEADERS`	Comma-separated list of request headers that, if present, cause the request to be excluded from capture.

Step 3: Configure the route

Before deploying, configure the route for your Worker in the wrangler.toml file:

route = { pattern = "https://your-subdomain.yourdomain.com/*", zone_name = "yourdomain.com" }

Defining routes

Cloudflare Workers operate by being attached to specific routes within a domain. A route defines both a hostname and a URL path pattern. For example:

route = { pattern = "https://api.yourdomain.com/*", zone_name = "yourdomain.com" }

Serving multiple routes with a single worker

A single Worker can be assigned to multiple routes. You can configure this either in the Cloudflare dashboard or directly in your wrangler.toml file:

routes = [
  { pattern = "https://app.yourdomain.com/*", zone_name = "yourdomain.com" },
  { pattern = "https://api.yourdomain.com/*", zone_name = "yourdomain.com" }
]

Matching all subdomains

You can also use a wildcard to apply the Worker to all subdomains:

route = { pattern = "https://*.yourdomain.com/*", zone_name = "yourdomain.com" }

Step 4: Deploy the worker

Once the route is configured, deploy the Worker by running the following command. This command uploads your Worker script and makes it live on your configured routes in your Cloudflare environment:

npx wrangler deploy

If prompted, follow the login flow to authenticate with your Cloudflare account. The Cloudflare Dashboard opens in your internet browser.

Step 5: Verify the configuration

After deployment, verify the following:

The Worker appears in your Cloudflare dashboard under Workers & Pages
It is bound to a route (for example, yourdomain.com/) if configured
The NTA endpoint is receiving HTTP traffic events

Steps to verify the configuration:

Go to the Worker & Pages page for your domain, and ensure the new Cloudflare worker is installed.
Click on its name and in the Settings tab, select the settings again.
Click Edit route to see additional details and verify how worker failures should be handled.
When configuring the Worker route in the Cloudflare dashboard, you are asked to select a failure mode:
- Fail open (recommended): If the Worker is unavailable, requests skip the Worker and proceed to your origin server. This ensures that users are not affected by telemetry failures.
- Fail closed: If the worker fails, requests return an error page to users. Use this only if your Worker performs critical logic, such as access control.

warning

Setting Failure mode to Fail open for NTA Cloudflare Worker is recommended to ensure end-user traffic continues uninterrupted in case of any unexpected worker error.

Additional Configuration Notes

Filtering behavior can be customized through the configuration variables EXCLUDED_HTTP_METHODS, EXCLUDED_HTTP_STATUS_CODES, and EXCLUDED_TRAFFIC_WITH_HEADERS to exclude specific types of traffic.
For performance optimization, adjust the MAX_API_REQUEST_BODY_SIZE and MAX_API_RESPONSE_BODY_SIZE settings.

Step 6: Set up an NTA server

Follow Step 3: prepare and deploy Invicti Helm chart(nta-tap-plugin#step-3-prepare-and-deploy-the-invicti-helm-chart) in the NTA with Tap Plugin document to complete the configuration.

Example of how to expose Reconstructor via HTTPS using NGINX

Use the code snippet below for an example of how to expose Reconstructor via HTTPS using NGINX. You then need to save this content to /etc/nginx/sites-enabled/invicti-reconstruct and reload your NGINX:

server {
  listen 443 ssl;
  server_name your-domain.com www.your-domain.com;
  ssl_certificate     /etc/ssl/network-traffic-analysis.com/fullchain.pem;
  ssl_certificate_key /etc/ssl/network-traffic-analysis.com/your-domain.com.key;

  location / {
      proxy_pass http://localhost:8090;
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
  }
}

The NTA processes all data sent from the Cloudflare Worker, typically consisting of metadata about API traffic. This metadata is used for API discovery and to help reconstruct API specifications.

After the initial sync, the table in Discovery > API configuration > API sources is updated and the sync status is marked as completed. The Discovery > API discovery page refreshes to display any newly discovered APIs, which you can then optionally link to specific targets.

Need help?

Invicti Support team is ready to provide you with technical help. Go to Help Center

Was this page useful?

Why this matters​

Prerequisites​

Step 1: Clone the repository and install dependencies​

Step 2: Configure environment variables​

Step 3: Configure the route​

Defining routes​

Serving multiple routes with a single worker​

Matching all subdomains​

Step 4: Deploy the worker​

Step 5: Verify the configuration​

Step 6: Set up an NTA server​

Example of how to expose Reconstructor via HTTPS using NGINX​

Need help?​