Would be nice to have at least some basic endpoint safety.
CORS headers setup
const corsHeaders = {
  // Not '*': a wildcard lets any site read the response, and browsers reject '*' outright when credentials (cookies, Authorization) are sent
  'Access-Control-Allow-Origin': 'https://yourdomain.com',
  'Access-Control-Allow-Methods': 'GET, POST',
  'Access-Control-Allow-Headers': 'Content-Type, Authorization'
}
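Added example, not code from these notes: the same CORS policy as a small allowlist middleware that also answers the OPTIONS preflight and refuses unknown origins. The two origins, the X-Api-Key header name and the helper names are assumptions.

```javascript
// Added example: allowlist-based CORS for a Worker, including the preflight.
// Assumed: the API is called from exactly these two first-party origins.
const ALLOWED_ORIGINS = new Set([
  'https://yourdomain.com',
  'https://app.yourdomain.com',
]);

// Returns the CORS headers for an allowed origin, or null for any other origin.
// The origin is echoed back only if it is on the allowlist. Never reflect an
// arbitrary Origin and never use '*' on an endpoint that accepts credentials:
// the first is an open door, the second is rejected by browsers.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization, X-Api-Key',
    'Access-Control-Max-Age': '600',
    // Responses now differ per origin, so caches must key on Origin too.
    'Vary': 'Origin',
  };
}

// Answer a preflight (OPTIONS). Unknown origins get a bare 403 with no CORS
// headers, so the browser blocks the real request before it is ever sent.
function handlePreflight(request) {
  const cors = corsHeadersFor(request.headers.get('Origin'));
  if (!cors) return new Response(null, { status: 403 });
  return new Response(null, { status: 204, headers: cors });
}

// Attach CORS headers to a normal response. The response is copied because a
// Response obtained from fetch() has immutable headers.
function withCors(response, origin) {
  const cors = corsHeadersFor(origin);
  if (!cors) return response;
  const headers = new Headers(response.headers);
  for (const [k, v] of Object.entries(cors)) headers.set(k, v);
  return new Response(response.body, { status: response.status, headers });
}
```

Call handlePreflight for request.method === 'OPTIONS' and wrap every other response in withCors(response, request.headers.get('Origin')).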
API Auth
const apiKey = request.headers.get('X-Api-Key');
// KV returns null when the entry is missing; default to an empty list so the check fails closed instead of throwing
const validKeys = (await env.API_KEYS.get('keys', {type: 'json'})) || [];
// Array.includes is not constant-time; fine for a short list, not for a large one
if (!apiKey || !validKeys.includes(apiKey)) {
  return new Response('Invalid API key', { status: 401 }); // 401: credentials missing or unrecognised
}
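Added example, not code from these notes: a key lookup that does not short-circuit on the first mismatching character, survives a missing KV entry, and returns an owner id that the later per-key rate limit can use instead of the raw secret. It assumes the KV value under 'keys' is either the array from the notes or a JSON object mapping key to owner id; the key strings, owner names and helper names are made up.

```javascript
// Added example: constant-time API key lookup with a KV-backed key table.

// Compare two strings in time that depends only on their lengths, not on the
// position of the first differing character. Workers also expose the
// non-standard crypto.subtle.timingSafeEqual for ArrayBuffers; this version
// avoids buffer conversions.
function timingSafeEqualStr(a, b) {
  const len = Math.max(a.length, b.length);
  let diff = a.length ^ b.length;
  for (let i = 0; i < len; i++) {
    // charCodeAt past the end is NaN; coerce to 0 so the loop length stays fixed
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Scan every key without early exit so the amount of work is constant.
// keyTable may be an array of keys (assumed: owner id == key) or an object
// {apiKey: ownerId}. Returns the owner id on a match, otherwise null.
function lookupApiKey(presented, keyTable) {
  if (typeof presented !== 'string' || presented.length === 0 || !keyTable) return null;
  const entries = Array.isArray(keyTable) ? keyTable.map((k) => [k, k]) : Object.entries(keyTable);
  let owner = null;
  for (const [key, id] of entries) {
    if (timingSafeEqualStr(presented, key)) owner = id;
  }
  return owner;
}

// Middleware-style check: resolves to { owner } on success or { response } to send.
async function requireApiKey(request, env) {
  const presented = request.headers.get('X-Api-Key');
  // KV returns null when the entry is absent; lookupApiKey treats that as "no valid keys".
  const keyTable = await env.API_KEYS.get('keys', { type: 'json' });
  const owner = lookupApiKey(presented, keyTable);
  if (!owner) {
    // 401 for missing or unrecognised credentials; 403 is for a known caller that is not allowed.
    return { response: new Response('Invalid API key', { status: 401 }) };
  }
  return { owner };
}
```

Storing keys as {key: owner} also makes revocation a single KV write and gives the rate limiter and the logs a stable id that is not the secret itself.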
Per IP rate limit
// In wrangler.jsonc: 100 requests per 60 s per key (period must be 10 or 60)
"ratelimits": [{
  "namespace_id": "1001",
  "name": "API_RATE_LIMITER",
  "simple": { "limit": 100, "period": 60 }
}]
// In worker. CF-Connecting-IP is set by Cloudflare from the connection, not taken from a client-supplied header,
// so it is safe to key on; fall back to a fixed string rather than passing null as the key
const { success } = await env.API_RATE_LIMITER.limit({
  key: request.headers.get('CF-Connecting-IP') ?? 'unknown'
});
if (!success) return new Response('Too Many Requests', { status: 429 });
CAPTCHA auth
// Turnstile token sent by the client in a custom header; it must be verified server-side with the secret key
const turnstileToken = request.headers.get('CF-Turnstile-Token');
// validateTurnstileToken is this worker's own helper (not shown): it calls Turnstile's siteverify endpoint
const isValid = await validateTurnstileToken(turnstileToken, env.TURNSTILE_SECRET);
if (!isValid) return new Response('CAPTCHA verification failed', { status: 403 });
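Added example, not code from these notes: one way to write the validateTurnstileToken helper. The siteverify URL, request fields (secret, response, remoteip) and response fields (success, error-codes, hostname, action, challenge_ts) are Cloudflare's documented Turnstile API; the injectable fetchImpl parameter, the optional TURNSTILE_HOSTNAME variable, the reason strings and the stub siteverify used for testing are assumptions.

```javascript
// Added example: server-side Turnstile verification with an injectable HTTP client.
const SITEVERIFY_URL = 'https://challenges.cloudflare.com/turnstile/v0/siteverify';

// Resolves to { valid: true, challengeTs } or { valid: false, reason }.
async function validateTurnstileToken(token, secret, {
  remoteIp = null,          // client IP, lets Turnstile cross-check the token
  expectedHostname = null,  // assumed: reject tokens solved on another site
  expectedAction = null,    // assumed: reject tokens solved for another widget action
  fetchImpl = globalThis.fetch,
} = {}) {
  // Tokens are single-use strings of at most 2048 characters; refuse bad input
  // before spending a network round trip.
  if (typeof token !== 'string' || token.length === 0 || token.length > 2048) {
    return { valid: false, reason: 'missing-or-oversized-token' };
  }
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set('remoteip', remoteIp);
  const res = await fetchImpl(SITEVERIFY_URL, { method: 'POST', body });
  // Fail closed on transport errors: a 5xx from siteverify is not a pass.
  if (!res.ok) return { valid: false, reason: `siteverify-http-${res.status}` };
  const data = await res.json();
  if (data.success !== true) {
    const codes = Array.isArray(data['error-codes']) && data['error-codes'].length ? data['error-codes'] : ['unknown'];
    return { valid: false, reason: codes.join(',') };
  }
  // A genuine token for a different site or action is still not ours.
  if (expectedHostname && data.hostname !== expectedHostname) return { valid: false, reason: 'hostname-mismatch' };
  if (expectedAction && data.action !== expectedAction) return { valid: false, reason: 'action-mismatch' };
  return { valid: true, challengeTs: data.challenge_ts };
}

// Middleware: the token arrives in the custom header used in the notes above.
// Resolves to null when the request may proceed, otherwise to the 403 to send.
async function requireTurnstile(request, env, fetchImpl = globalThis.fetch) {
  const token = request.headers.get('CF-Turnstile-Token');
  const result = await validateTurnstileToken(token, env.TURNSTILE_SECRET, {
    remoteIp: request.headers.get('CF-Connecting-IP'),
    expectedHostname: env.TURNSTILE_HOSTNAME, // assumed extra env var; undefined skips the check
    fetchImpl,
  });
  if (!result.valid) return new Response('CAPTCHA verification failed', { status: 403 });
  return null;
}
```

The reason string is for your logs only; the client gets a plain 403 so it cannot probe which check failed.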
Global rate limits
// Layered limits: each limit() call resolves to { success }; the result has to be checked, not discarded
// Per-IP limit
const ipLimit = await env.IP_RATE_LIMIT.limit({ key: ip });
// Per-user limit (if authenticated; skip rather than keying on null)
const userLimit = userId ? await env.USER_RATE_LIMIT.limit({ key: userId }) : { success: true };
// Per-API key limit
const keyLimit = await env.KEY_RATE_LIMIT.limit({ key: apiKey });
// Global limit per endpoint
const endpointLimit = await env.GLOBAL_RATE_LIMIT.limit({ key: endpoint });
if (![ipLimit, userLimit, keyLimit, endpointLimit].every(r => r.success)) {
  return new Response('Too Many Requests', { status: 429 });
}
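Added example, not code from these notes, covering both the per-IP limit and the layered limits above: the four bindings evaluated in order, the first exhausted layer turned into a 429 with Retry-After, and anonymous callers skipping the user layer. Binding names are the ones in the notes; the helper names and the stub bindings in the test are assumptions. The only API it relies on is the binding's limit({ key }) resolving to { success }.

```javascript
// Added example: layered rate limiting over several rate-limit bindings.

// Per-IP key with a fixed fallback so a missing header never becomes the
// string "null" shared by every such request.
function clientIp(request) {
  return request.headers.get('CF-Connecting-IP') || 'unknown';
}

// layers: [{ name, limiter, key }] evaluated in the order given. Layers with
// an empty key (e.g. no userId because the caller is anonymous) are skipped.
// Resolves to { allowed: true } or { allowed: false, layer }.
async function checkRateLimits(layers) {
  for (const { name, limiter, key } of layers) {
    if (!key) continue;
    const { success } = await limiter.limit({ key: String(key) });
    if (!success) return { allowed: false, layer: name };
  }
  return { allowed: true };
}

// Build the layer list for one request. Cheapest/broadest first: the IP
// layer stops unauthenticated floods before any key lookup is spent on them.
// identity.apiKey should be the key's owner id, not the raw secret.
function rateLimitLayers(request, env, { userId = null, apiKey = null } = {}) {
  const endpoint = new URL(request.url).pathname;
  return [
    { name: 'ip',       limiter: env.IP_RATE_LIMIT,     key: clientIp(request) },
    { name: 'user',     limiter: env.USER_RATE_LIMIT,   key: userId },
    { name: 'api_key',  limiter: env.KEY_RATE_LIMIT,    key: apiKey },
    { name: 'endpoint', limiter: env.GLOBAL_RATE_LIMIT, key: endpoint },
  ];
}

// period: the binding's window in seconds (60 in the wrangler config above),
// reused as Retry-After. Resolves to null when allowed, otherwise to
// { response, layer }; the tripped layer is for logging, not for the client.
async function enforceRateLimits(request, env, identity = {}, period = 60) {
  const result = await checkRateLimits(rateLimitLayers(request, env, identity));
  if (result.allowed) return null;
  const response = new Response('Too Many Requests', {
    status: 429,
    headers: { 'Retry-After': String(period) },
  });
  return { response, layer: result.layer };
}
```

Treat the binding's count as approximate rather than an exact quota; it is a ceiling against abuse, not a billing meter.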
Observability / logging
// Log security events. Keep secrets (the API key, tokens, query strings) out of log lines;
// a JSON object is easier to search and index than a free-form string
console.log(`SECURITY: Blocked request from ${ip} - Reason: Rate limit exceeded`);
// Use Cloudflare's built-in observability. ctx.waitUntil keeps the logging promise alive after the
// response is returned, so logging adds no latency to the request
// (logToAnalytics and handleRequest are this worker's own helpers, not shown here)
export default {
  async fetch(request, env, ctx) {
    ctx.waitUntil(logToAnalytics(request, env));
    return handleRequest(request, env);
  }
}
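Added example, not code from these notes: a structured security-event logger that writes one JSON line for Workers Logs and one data point to an Analytics Engine dataset binding, with the API key redacted and the query string dropped. The binding name SECURITY_EVENTS, the field layout and the redaction rule are assumptions; writeDataPoint({ blobs, doubles, indexes }) is the Analytics Engine binding's API.

```javascript
// Added example: structured security events with secret redaction.

// Never log a secret verbatim. Keep a short prefix for correlation and the
// length, drop the rest.
function redactKey(apiKey) {
  if (typeof apiKey !== 'string' || apiKey.length === 0) return null;
  return apiKey.slice(0, 4) + '...(' + apiKey.length + ' chars)';
}

// Build the event record as a flat object, which log tooling can index per field.
function securityEvent(request, { action, reason, apiKey = null, layer = null }) {
  const url = new URL(request.url);
  return {
    level: 'warn',
    kind: 'security',
    action,                                                 // e.g. 'blocked'
    reason,                                                 // e.g. 'rate_limit', 'invalid_api_key'
    layer,                                                  // which rate-limit layer tripped, if any
    ip: request.headers.get('CF-Connecting-IP') || 'unknown',
    ray: request.headers.get('CF-Ray') || null,             // Cloudflare request id, for support tickets
    method: request.method,
    path: url.pathname,                                     // path only: query strings often carry tokens
    apiKey: redactKey(apiKey),
    ts: new Date().toISOString(),
  };
}

// Emit the event: console.log for Workers Logs / wrangler tail, plus one
// Analytics Engine data point for aggregation (e.g. blocked requests per IP).
// Returns the record so callers and tests can inspect what was logged.
function logSecurityEvent(request, env, details) {
  const ev = securityEvent(request, details);
  console.log(JSON.stringify(ev));
  if (env.SECURITY_EVENTS) {                                // assumed dataset binding name
    env.SECURITY_EVENTS.writeDataPoint({
      blobs: [ev.reason, ev.ip, ev.path, ev.layer || ''],
      doubles: [1],
      indexes: [ev.ip],                                     // one index value per point
    });
  }
  return ev;
}
```

Call logSecurityEvent from the 401 and 429 branches above; since it is synchronous apart from the buffered writeDataPoint, it does not need ctx.waitUntil.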