Stats
Actions
Tags
Help us improve
Share bugs, ideas, or general feedback.
From cloudflare-workers
Provides Cloudflare Workers security patterns including authentication, CORS, rate limiting, input validation. Use for securing APIs, JWT/API keys, or fixing auth failures, CORS errors, XSS/injection issues.
npx claudepluginhub secondsky/claude-skills --plugin cloudflare-workersHow this skill is triggered — by the user, by Claude, or both
Slash command
/cloudflare-workers:cloudflare-workers-securityThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Comprehensive security patterns for protecting Workers and APIs.
references/authentication.mdreferences/cors-security.mdreferences/input-validation.mdreferences/rate-limiting.mdreferences/secrets-management.mdreferences/security-headers.mdscripts/security-audit.shtemplates/auth-middleware.tstemplates/cors-handler.tstemplates/rate-limiter.tstemplates/secure-worker.tsIntegrates Cloudflare Zero Trust Access authentication into Workers apps using Hono middleware for JWT validation, service tokens, route protection, RBAC, and CORS handling.
Guides implementation of authentication, authorization, input validation, and OWASP Top 10 prevention. Covers password hashing, SQL injection prevention, CORS/CSP, JWT, and more.
Guides implementing authentication, authorization, input validation, rate limiting, and protection against common API vulnerabilities for REST, GraphQL, and WebSocket APIs.
Share bugs, ideas, or general feedback.
Comprehensive security patterns for protecting Workers and APIs.
// 1. Validate all input
const validated = schema.parse(await request.json());
// 2. Authenticate requests
const user = await verifyToken(request.headers.get('Authorization'));
if (!user) return new Response('Unauthorized', { status: 401 });
// 3. Rate limit
const limited = await rateLimiter.check(clientIP);
if (!limited.allowed) return new Response('Too Many Requests', { status: 429 });
// 4. Add security headers
response.headers.set('X-Content-Type-Options', 'nosniff');
response.headers.set('X-Frame-Options', 'DENY');
// 5. Use HTTPS-only cookies
headers.set('Set-Cookie', 'session=xxx; Secure; HttpOnly; SameSite=Strict');
* in production| Vulnerability | Symptom | Prevention |
|---|---|---|
| Missing auth | Unauthorized access | Verify tokens on every request |
| SQL injection | Data breach | Use parameterized queries with D1 |
| XSS | Script injection | Sanitize output, set CSP |
| CORS misconfiguration | Blocked requests or open access | Configure specific origins |
| Secrets in code | Exposed credentials | Use wrangler secret |
| Missing rate limits | DoS vulnerability | Implement per-IP limits |
| Weak tokens | Session hijacking | Use crypto.subtle for signing |
| Missing HTTPS | Data interception | Enforce HTTPS redirects |
| Insecure headers | Clickjacking, MIME attacks | Set security headers |
| Excessive permissions | Blast radius | Principle of least privilege |
async function verifyJWT(token: string, secret: string): Promise<{ valid: boolean; payload?: unknown }> {
try {
const [headerB64, payloadB64, signatureB64] = token.split('.');
// Verify signature
const key = await crypto.subtle.importKey(
'raw',
new TextEncoder().encode(secret),
{ name: 'HMAC', hash: 'SHA-256' },
false,
['verify']
);
const signature = Uint8Array.from(atob(signatureB64.replace(/-/g, '+').replace(/_/g, '/')), c => c.charCodeAt(0));
const data = new TextEncoder().encode(`${headerB64}.${payloadB64}`);
const valid = await crypto.subtle.verify('HMAC', key, signature, data);
if (!valid) return { valid: false };
// Decode payload
const payload = JSON.parse(atob(payloadB64.replace(/-/g, '+').replace(/_/g, '/')));
// Check expiration
if (payload.exp && Date.now() / 1000 > payload.exp) {
return { valid: false };
}
return { valid: true, payload };
} catch {
return { valid: false };
}
}
async function validateApiKey(
request: Request,
env: Env
): Promise<{ valid: boolean; clientId?: string }> {
const apiKey = request.headers.get('X-API-Key');
if (!apiKey) return { valid: false };
// Hash the key for lookup (never store plain keys)
const keyHash = await sha256(apiKey);
// Lookup in KV or D1
const client = await env.KV.get(`apikey:${keyHash}`, 'json');
if (!client) return { valid: false };
return { valid: true, clientId: client.id };
}
async function sha256(str: string): Promise<string> {
const buffer = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(str));
return [...new Uint8Array(buffer)].map(b => b.toString(16).padStart(2, '0')).join('');
}
import { z } from 'zod';
const UserSchema = z.object({
name: z.string().min(1).max(100),
email: z.string().email(),
age: z.number().int().min(0).max(150).optional(),
});
async function handleCreate(request: Request): Promise<Response> {
try {
const body = await request.json();
const user = UserSchema.parse(body);
// Safe to use validated data
return Response.json({ success: true, user });
} catch (error) {
if (error instanceof z.ZodError) {
return Response.json({ error: 'Validation failed', details: error.errors }, { status: 400 });
}
throw error;
}
}
function addSecurityHeaders(response: Response): Response {
const headers = new Headers(response.headers);
// Prevent MIME type sniffing
headers.set('X-Content-Type-Options', 'nosniff');
// Prevent clickjacking
headers.set('X-Frame-Options', 'DENY');
// XSS protection
headers.set('X-XSS-Protection', '1; mode=block');
// Content Security Policy
headers.set('Content-Security-Policy', "default-src 'self'; script-src 'self'");
// HSTS
headers.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
// Referrer policy
headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
return new Response(response.body, { status: response.status, headers });
}
const ALLOWED_ORIGINS = ['https://app.example.com', 'https://admin.example.com'];
function handleCORS(request: Request, response: Response): Response {
const origin = request.headers.get('Origin');
if (!origin || !ALLOWED_ORIGINS.includes(origin)) {
return response; // No CORS headers
}
const headers = new Headers(response.headers);
headers.set('Access-Control-Allow-Origin', origin);
headers.set('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
headers.set('Access-Control-Allow-Headers', 'Content-Type, Authorization');
headers.set('Access-Control-Allow-Credentials', 'true');
headers.set('Access-Control-Max-Age', '86400');
return new Response(response.body, { status: response.status, headers });
}
Load specific references based on the task:
references/authentication.mdreferences/cors-security.mdreferences/input-validation.mdreferences/secrets-management.mdreferences/rate-limiting.mdreferences/security-headers.md| Template | Purpose | Use When |
|---|---|---|
templates/auth-middleware.ts | JWT/API key auth | Adding authentication |
templates/cors-handler.ts | CORS middleware | Handling cross-origin |
templates/rate-limiter.ts | Rate limiting | Preventing abuse |
templates/secure-worker.ts | Full secure setup | Starting secure project |
| Script | Purpose | Command |
|---|---|---|
scripts/security-audit.sh | Audit security | ./security-audit.sh <url> |