
cloudflare-workers-security

Security audit for Cloudflare Workers applications covering bindings (KV, D1, R2, Durable Objects, Queues, Vectorize), secrets vs vars in wrangler.toml, Worker routes and zones, request origin validation, CORS, mTLS to origin, Smart Placement, and Workers-specific runtime concerns. Use this skill whenever the user mentions Cloudflare Workers, wrangler, wrangler.toml, KVNamespace, D1Database, R2Bucket, DurableObjectNamespace, Env bindings, c.env, env.MY_KV, or asks "audit my Cloudflare Worker", "Workers security review", "wrangler secrets". Trigger when the codebase contains `wrangler` or `@cloudflare/workers-types` in package.json.
hlsitechio/claude-skills-security · ★ 1 · AI & Automation · score 65
Install: claude install-skill hlsitechio/claude-skills-security
# Cloudflare Workers Security Audit

Audit a Cloudflare Workers application. Workers run in V8 isolates with specific platform bindings — the security surface is partly app code, partly Cloudflare configuration.

## When this skill applies

- Reviewing `wrangler.toml` / `wrangler.jsonc` config
- Auditing binding usage (KV, D1, R2, Durable Objects, Queues)
- Reviewing secret vs var declarations
- Checking Worker routes and zone configuration
- Auditing request handling for SSRF / data leakage

## Workflow

Follow `../_shared/audit-workflow.md`. Companion: framework skill (`hono-security`, `nextjs-security`) for code-level concerns.

### Phase 1: Stack detection

```bash
ls wrangler.toml wrangler.jsonc 2>/dev/null
cat wrangler.toml wrangler.jsonc 2>/dev/null
wrangler --version 2>/dev/null
```

### Phase 2: Inventory

```bash
# Bindings declared in wrangler.toml
grep -nE 'kv_namespaces|d1_databases|r2_buckets|durable_objects|queues|vars|secrets' wrangler.toml 2>/dev/null

# Binding usage in code
grep -rn 'env\.\|c\.env\.' src/

# Fetch calls (potential SSRF if URLs are user-controlled)
grep -rn 'fetch(' src/ | head
```

### Phase 3: Detection — the checks

#### Secrets vs vars

The `[vars]` section of `wrangler.toml` is committed to the repository and visible in the Cloudflare dashboard, so anything placed there is effectively public to everyone with repo or dashboard access. Secrets go via `wrangler secret put`, which stores them encrypted and keeps them out of the config file.

- **CFW-SEC-1** No production secrets in `[vars]`. Audit `wrangler.toml`:

```toml
[vars]
API_BASE_URL = "https://api.example.com" # OK, public
STRIPE_SECRET_KEY = "sk_live_..."
```