Agent skill
cloudflare-security-checker
Automatically validates Cloudflare Workers security patterns during development, ensuring proper secret management, CORS configuration, and input validation
Stars
163
Forks
31
Install this agent skill to your Project
npx add-skill https://github.com/majiayu000/claude-skill-registry/tree/main/skills/development/cloudflare-security-checker-hirefrank-hirefrank-marketplac
SKILL.md
Cloudflare Security Checker SKILL
Activation Patterns
This SKILL automatically activates when:
- Authentication or authorization code is detected
- Secret management patterns are used
- API endpoints or response creation is implemented
- Database queries (D1) are written
- CORS-related code is added
- Input validation patterns are implemented
Expertise Provided
Workers-Specific Security Validation
- Secret Management: Ensures proper
envparameter usage vs hardcoded secrets - CORS Configuration: Validates Workers-specific CORS implementation
- Input Validation: Checks for proper request validation patterns
- SQL Injection Prevention: Ensures D1 prepared statements
- Authentication Patterns: Validates JWT and API key handling
- Rate Limiting: Identifies missing rate limiting patterns
Specific Checks Performed
❌ Critical Security Violations
typescript
// These patterns trigger immediate alerts:
const API_KEY = "sk_live_xxx"; // Hardcoded secret
const secret = process.env.JWT_SECRET; // process.env doesn't exist
const query = `SELECT * FROM users WHERE id = ${userId}`; // SQL injection
✅ Secure Workers Patterns
typescript
// These patterns are validated as correct:
const apiKey = env.API_KEY; // Proper env parameter
const result = await env.DB.prepare('SELECT * FROM users WHERE id = ?').bind(userId); // Prepared statement
Integration Points
Complementary to Existing Components
- cloudflare-security-sentinel agent: Handles comprehensive security audits, SKILL provides immediate validation
- workers-runtime-validator SKILL: Complements runtime checks with security-specific validation
- es-deploy command: SKILL prevents deployment of insecure code
Escalation Triggers
- Complex security architecture questions →
cloudflare-security-sentinelagent - Advanced authentication patterns →
cloudflare-architecture-strategistagent - Security incident response →
cloudflare-security-sentinelagent
Validation Rules
P1 - Critical (Immediate Security Risk)
- Hardcoded Secrets: API keys, passwords, tokens in code
- SQL Injection: String concatenation in D1 queries
- Missing Authentication: Sensitive endpoints without auth
- Process Env Usage:
process.envfor secrets (doesn't work in Workers)
P2 - High (Security Vulnerability)
- Missing Input Validation: Direct use of
request.json()without validation - Improper CORS: Missing CORS headers or overly permissive origins
- Missing Rate Limiting: Public endpoints without rate limiting
- Secrets in Config: Secrets in wrangler.toml
[vars]section
P3 - Medium (Security Best Practice)
- Missing Security Headers: HTML responses without CSP/XSS protection
- Weak Authentication: No resource-level authorization
- Insufficient Logging: Security events not logged
Remediation Examples
Fixing Secret Management
typescript
// ❌ Critical: Hardcoded secret
const STRIPE_KEY = "sk_live_12345";
// ❌ Critical: process.env (doesn't exist)
const apiKey = process.env.API_KEY;
// ✅ Correct: Workers secret management
export default {
async fetch(request: Request, env: Env) {
const apiKey = env.STRIPE_KEY; // From wrangler secret put
}
}
Fixing SQL Injection
typescript
// ❌ Critical: SQL injection vulnerability
const userId = url.searchParams.get('id');
const result = await env.DB.prepare(`SELECT * FROM users WHERE id = ${userId}`).first();
// ✅ Correct: Prepared statement
const userId = url.searchParams.get('id');
const result = await env.DB.prepare('SELECT * FROM users WHERE id = ?').bind(userId).first();
Fixing CORS Configuration
typescript
// ❌ High: Missing CORS headers
export default {
async fetch(request: Request, env: Env) {
return new Response(JSON.stringify(data));
}
}
// ✅ Correct: Workers CORS pattern
function getCorsHeaders(origin: string) {
const allowedOrigins = ['https://app.example.com'];
const allowOrigin = allowedOrigins.includes(origin) ? origin : allowedOrigins[0];
return {
'Access-Control-Allow-Origin': allowOrigin,
'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
'Access-Control-Allow-Headers': 'Content-Type, Authorization',
'Access-Control-Max-Age': '86400',
};
}
export default {
async fetch(request: Request, env: Env) {
const origin = request.headers.get('Origin') || '';
if (request.method === 'OPTIONS') {
return new Response(null, { headers: getCorsHeaders(origin) });
}
const response = new Response(JSON.stringify(data));
Object.entries(getCorsHeaders(origin)).forEach(([k, v]) => {
response.headers.set(k, v);
});
return response;
}
}
Fixing Input Validation
typescript
// ❌ High: No input validation
export default {
async fetch(request: Request, env: Env) {
const data = await request.json(); // Could be anything
await env.DB.prepare('INSERT INTO users (name) VALUES (?)').bind(data.name).run();
}
}
// ✅ Correct: Input validation with Zod
import { z } from 'zod';
const UserSchema = z.object({
name: z.string().min(1).max(100),
email: z.string().email(),
});
export default {
async fetch(request: Request, env: Env) {
// Size limit
const contentLength = request.headers.get('Content-Length');
if (contentLength && parseInt(contentLength) > 1024 * 100) {
return new Response('Payload too large', { status: 413 });
}
// Schema validation
const data = await request.json();
const result = UserSchema.safeParse(data);
if (!result.success) {
return new Response(JSON.stringify(result.error), { status: 400 });
}
// Safe to use validated data
await env.DB.prepare('INSERT INTO users (name, email) VALUES (?, ?)')
.bind(result.data.name, result.data.email).run();
}
}
MCP Server Integration
When Cloudflare MCP server is available:
- Query latest Cloudflare security best practices
- Verify secrets are configured in account
- Check for recent security events affecting the project
- Get current security recommendations
Benefits
Immediate Impact
- Prevents Security Vulnerabilities: Catches issues during development
- Educates on Workers Security: Clear explanations of Workers-specific security patterns
- Reduces Security Debt: Immediate feedback on security anti-patterns
Long-term Value
- Consistent Security Standards: Ensures all code follows Workers security best practices
- Faster Security Reviews: Automated validation reduces manual review time
- Better Security Posture: Proactive security validation vs reactive fixes
Usage Examples
During Authentication Implementation
typescript
// Developer types: const JWT_SECRET = "my-secret-key";
// SKILL immediately activates: "❌ CRITICAL: Hardcoded JWT secret detected. Use wrangler secret put JWT_SECRET and access via env.JWT_SECRET"
During API Development
typescript
// Developer types: const userId = url.searchParams.get('id');
// SKILL immediately activates: "⚠️ HIGH: URL parameter not validated. Add schema validation before using in database queries."
During Database Query Writing
typescript
// Developer types: `SELECT * FROM users WHERE id = ${userId}`
// SKILL immediately activates: "❌ CRITICAL: SQL injection vulnerability. Use prepared statement: .prepare('SELECT * FROM users WHERE id = ?').bind(userId)"
This SKILL ensures Workers security by providing immediate, autonomous validation of security patterns, preventing common vulnerabilities and ensuring proper Workers-specific security practices.
Didn't find tool you were looking for?