feat(worker): proxy security hardening — 7-layer defense-in-depth stack #62

Open
wgordon17 wants to merge 12 commits into gordon-code:main from wgordon17:worktree-proxy-security-hardening

Conversation

@wgordon17
Member

Summary

  • Implements 7-layer defense-in-depth for CF Worker proxy endpoints: WAF rules (documented), request validation, session cookies, Workers Rate Limiting Binding, Turnstile challenges, AES-256-GCM sealed tokens with purpose binding, and SSRF hardening
  • Adds 6 new Worker modules (crypto, validation, session, turnstile, proxy, type declarations) with 132 new tests across 6 test files, plus integration tests for the /api/proxy/seal endpoint
  • Updates CSP to allowlist Turnstile domains, DEPLOY.md with WAF rules/secrets/local dev docs, and wrangler.toml with rate limiting binding and global_fetch_strictly_public flag

wgordon17 added 12 commits April 8, 2026 21:23
- sealApiToken: add purpose parameter, include in POST body (CRIT-001, 6/7 reviewers)
- ensureSession: wrap issueSession in try/catch, fallback to random sessionId on error (SEC-002, STRUCT-005)
- handleProxySeal: add VALID_PURPOSES allowlist + 64-char max-length for purpose field (SEC-003, QA-002)
- validateAndGuardProxyRoute: include CORS headers on validation error responses (SEC-004)
- session.ts: cache derived HMAC keys at module level to avoid repeated HKDF derivation (PERF-001/002)
- turnstile.ts: add 5s AbortController timeout to siteverify fetch (PERF-003)
- proxy.test.ts: update sealApiToken calls with purpose, assert body.purpose field, add error field test
- seal.test.ts: update purpose values to match VALID_PURPOSES allowlist
- crypto.test.ts: add cross-purpose isolation test (F-003)
- adds Turnstile token length guard (>2048) with boundary tests
- adds seal key derivation cache (_sealKeyCache Map, bounded by VALID_PURPOSES)
- passes pre-parsed pathname to validateAndGuardProxyRoute (eliminates redundant URL parse)
- unifies session key cache into single Map (removes duplicate getSessionHmacPrevKey)
- fixes structured error logging in ensureSession catch path
- removes dead options parameter from validateProxyRequest
- corrects HKDF key material descriptions in CryptoEnv and DEPLOY.md
- fixes test key comments to match actual decoded values
- adds 14 new tests covering previously-untested paths