>_
Marketplace

cloudflare-security-checker

Automatically validates Cloudflare Workers security patterns during development, ensuring proper secret management, CORS configuration, and input validation

$ Instalar

git clone https://github.com/hirefrank/hirefrank-marketplace /tmp/hirefrank-marketplace && cp -r /tmp/hirefrank-marketplace/plugins/edge-stack/skills/cloudflare-security-checker ~/.claude/skills/hirefrank-marketplace

// tip: Run this command in your terminal to install the skill

SKILL.md
View on GitHub →

name: cloudflare-security-checker description: Automatically validates Cloudflare Workers security patterns during development, ensuring proper secret management, CORS configuration, and input validation triggers: ["authentication code", "secret handling", "API endpoints", "response creation", "database queries"]

Cloudflare Security Checker SKILL

Activation Patterns

This SKILL automatically activates when:

  • Authentication or authorization code is detected
  • Secret management patterns are used
  • API endpoints or response creation is implemented
  • Database queries (D1) are written
  • CORS-related code is added
  • Input validation patterns are implemented

Expertise Provided

Workers-Specific Security Validation

  • Secret Management: Ensures proper env parameter usage vs hardcoded secrets
  • CORS Configuration: Validates Workers-specific CORS implementation
  • Input Validation: Checks for proper request validation patterns
  • SQL Injection Prevention: Ensures D1 prepared statements
  • Authentication Patterns: Validates JWT and API key handling
  • Rate Limiting: Identifies missing rate limiting patterns

Specific Checks Performed

❌ Critical Security Violations

// These patterns trigger immediate alerts:
const API_KEY = "sk_live_xxx";           // Hardcoded secret
const secret = process.env.JWT_SECRET;     // process.env doesn't exist
const query = `SELECT * FROM users WHERE id = ${userId}`; // SQL injection

✅ Secure Workers Patterns

// These patterns are validated as correct:
const apiKey = env.API_KEY;               // Proper env parameter
const result = await env.DB.prepare('SELECT * FROM users WHERE id = ?').bind(userId); // Prepared statement

Integration Points

Complementary to Existing Components

  • cloudflare-security-sentinel agent: Handles comprehensive security audits, SKILL provides immediate validation
  • workers-runtime-validator SKILL: Complements runtime checks with security-specific validation
  • es-deploy command: SKILL prevents deployment of insecure code

Escalation Triggers

  • Complex security architecture questions → cloudflare-security-sentinel agent
  • Advanced authentication patterns → cloudflare-architecture-strategist agent
  • Security incident response → cloudflare-security-sentinel agent

Validation Rules

P1 - Critical (Immediate Security Risk)

  • Hardcoded Secrets: API keys, passwords, tokens in code
  • SQL Injection: String concatenation in D1 queries
  • Missing Authentication: Sensitive endpoints without auth
  • Process Env Usage: process.env for secrets (doesn't work in Workers)

P2 - High (Security Vulnerability)

  • Missing Input Validation: Direct use of request.json() without validation
  • Improper CORS: Missing CORS headers or overly permissive origins
  • Missing Rate Limiting: Public endpoints without rate limiting
  • Secrets in Config: Secrets in wrangler.toml [vars] section

P3 - Medium (Security Best Practice)

  • Missing Security Headers: HTML responses without CSP/XSS protection
  • Weak Authentication: No resource-level authorization
  • Insufficient Logging: Security events not logged

Remediation Examples

Fixing Secret Management

// ❌ Critical: Hardcoded secret
const STRIPE_KEY = "sk_live_12345";

// ❌ Critical: process.env (doesn't exist)
const apiKey = process.env.API_KEY;

// ✅ Correct: Workers secret management
export default {
  async fetch(request: Request, env: Env) {
    const apiKey = env.STRIPE_KEY; // From wrangler secret put
  }
}

Fixing SQL Injection

// ❌ Critical: SQL injection vulnerability
const userId = url.searchParams.get('id');
const result = await env.DB.prepare(`SELECT * FROM users WHERE id = ${userId}`).first();

// ✅ Correct: Prepared statement
const userId = url.searchParams.get('id');
const result = await env.DB.prepare('SELECT * FROM users WHERE id = ?').bind(userId).first();

Fixing CORS Configuration

// ❌ High: Missing CORS headers
export default {
  async fetch(request: Request, env: Env) {
    return new Response(JSON.stringify(data));
  }
}

// ✅ Correct: Workers CORS pattern
function getCorsHeaders(origin: string) {
  const allowedOrigins = ['https://app.example.com'];
  const allowOrigin = allowedOrigins.includes(origin) ? origin : allowedOrigins[0];
  
  return {
    'Access-Control-Allow-Origin': allowOrigin,
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    'Access-Control-Max-Age': '86400',
  };
}

export default {
  async fetch(request: Request, env: Env) {
    const origin = request.headers.get('Origin') || '';
    
    if (request.method === 'OPTIONS') {
      return new Response(null, { headers: getCorsHeaders(origin) });
    }
    
    const response = new Response(JSON.stringify(data));
    Object.entries(getCorsHeaders(origin)).forEach(([k, v]) => {
      response.headers.set(k, v);
    });
    
    return response;
  }
}

Fixing Input Validation

// ❌ High: No input validation
export default {
  async fetch(request: Request, env: Env) {
    const data = await request.json(); // Could be anything
    await env.DB.prepare('INSERT INTO users (name) VALUES (?)').bind(data.name).run();
  }
}

// ✅ Correct: Input validation with Zod
import { z } from 'zod';

const UserSchema = z.object({
  name: z.string().min(1).max(100),
  email: z.string().email(),
});

export default {
  async fetch(request: Request, env: Env) {
    // Size limit
    const contentLength = request.headers.get('Content-Length');
    if (contentLength && parseInt(contentLength) > 1024 * 100) {
      return new Response('Payload too large', { status: 413 });
    }
    
    // Schema validation
    const data = await request.json();
    const result = UserSchema.safeParse(data);
    
    if (!result.success) {
      return new Response(JSON.stringify(result.error), { status: 400 });
    }
    
    // Safe to use validated data
    await env.DB.prepare('INSERT INTO users (name, email) VALUES (?, ?)')
      .bind(result.data.name, result.data.email).run();
  }
}

MCP Server Integration

When Cloudflare MCP server is available:

  • Query latest Cloudflare security best practices
  • Verify secrets are configured in account
  • Check for recent security events affecting the project
  • Get current security recommendations

Benefits

Immediate Impact

  • Prevents Security Vulnerabilities: Catches issues during development
  • Educates on Workers Security: Clear explanations of Workers-specific security patterns
  • Reduces Security Debt: Immediate feedback on security anti-patterns

Long-term Value

  • Consistent Security Standards: Ensures all code follows Workers security best practices
  • Faster Security Reviews: Automated validation reduces manual review time
  • Better Security Posture: Proactive security validation vs reactive fixes

Usage Examples

During Authentication Implementation

// Developer types: const JWT_SECRET = "my-secret-key";
// SKILL immediately activates: "❌ CRITICAL: Hardcoded JWT secret detected. Use wrangler secret put JWT_SECRET and access via env.JWT_SECRET"

During API Development

// Developer types: const userId = url.searchParams.get('id');
// SKILL immediately activates: "⚠️ HIGH: URL parameter not validated. Add schema validation before using in database queries."

During Database Query Writing

// Developer types: `SELECT * FROM users WHERE id = ${userId}`
// SKILL immediately activates: "❌ CRITICAL: SQL injection vulnerability. Use prepared statement: .prepare('SELECT * FROM users WHERE id = ?').bind(userId)"

This SKILL ensures Workers security by providing immediate, autonomous validation of security patterns, preventing common vulnerabilities and ensuring proper Workers-specific security practices.

Repository

hirefrank
hirefrank
Author
hirefrank/hirefrank-marketplace/plugins/edge-stack/skills/cloudflare-security-checker
2
Stars
0
Forks
Updated3d ago
Added1w ago

Actions

View on GitHubDownload ZIPReport Issue

Related Skills

skill-creator
openai/codex
54.7k
Plugin Settings
anthropics/claude-code
47.9k
MCP Integration
anthropics/claude-code
47.9k
payload
payloadcms/payload
39.0k
creating-financial-models
anthropics/claude-cookbooks
28.3k