Not expose the server IP is one practice (obfuscation) in a list of several options.
But that alone would not solve the problem being a RCE from HTTP, that is why edge proxy provider like Cloudflare[0] and Fastfy[1] proactivily added protections in his WAF products.
Even cloudflare had an outage trying to protect his customers[3].
No provider is perfect - It's totally possible to run your own FW behind it, or run CF Tunnel on a separate container that routes traffic to individual application containers using something like traefik, nginx proxy manager, etc.
Some Cloud functions like lambda support OCI container as a runtime target for example.
I understand that feeling but can be hard a provider that fill all that requirements without a expensive cost.
Integrate with the edge computing is part of the price you pay for all the conveniences like automatic builds, Cron and public reachable endpoints (and some of them almost free).
A minimal VPS with linux is always an alternative.
I ever plan do it with sqlite, loading it at memory during app start and flush data to s3 during runtime but it create more corner cases and logic to handle.
Yes but if there's going to be something lightweight and correct-by-default I'd prefer that, mostly because I have many machines to manage and a team of people to educate. I'd like default to be good instead of wasting time and risking.
But that alone would not solve the problem being a RCE from HTTP, that is why edge proxy provider like Cloudflare[0] and Fastfy[1] proactivily added protections in his WAF products.
Even cloudflare had an outage trying to protect his customers[3].
- [0] https://blog.cloudflare.com/waf-rules-react-vulnerability/ - [1] https://www.fastly.com/blog/fastlys-proactive-protection-cri... - [2] https://blog.cloudflare.com/5-december-2025-outage/