mirogate/cloudflare-worker-abuse-defense-kit
cloudflare-worker-abuse-defense-kit

Cloudflare Worker patterns for protecting public forms and lightweight APIs from common abuse: high-volume submissions, replayed forms, bots that fill hidden fields, and missing challenge verification.

What It Includes

  • KV-backed sliding-window rate limiting.
  • Honeypot and timestamp validation for public forms.
  • Optional Cloudflare Turnstile verification.
  • A Worker entrypoint with safe JSON responses and no-store caching.
  • Tests using Node's built-in test runner.
  • Example Wrangler configuration.

Quick Start

npm install
npm test

Copy examples/wrangler.example.toml to wrangler.toml, create the KV namespaces, then set your Turnstile secret with Wrangler:

wrangler secret put TURNSTILE_SECRET

Expected Payload

{
  "name": "Mazen",
  "email": "mazen@example.com",
  "message": "Please review this secure form workflow.",
  "submittedAt": "2026-06-04T08:00:00.000Z",
  "website": "",
  "turnstileToken": "optional-client-token"
}

The website field is a honeypot: real users never see it, so it should arrive empty, and a filled value marks the submission as automated.
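The checks the kit describes, as an added example that is not the kit's own code: honeypot and timestamp-freshness validation over the payload shape above, a KV-backed sliding-window limiter, and a generic client error with no-store caching. The age thresholds, the MemoryKV stand-in for a Workers KV binding, and the function names are assumptions.

```javascript
// Added example (not the kit's code). Thresholds are assumptions for illustration.
const MAX_AGE_MS = 15 * 60 * 1000;   // reject forms rendered more than 15 minutes ago
const MIN_AGE_MS = 2 * 1000;         // reject forms submitted faster than a person could fill them
const SKEW_MS = 60 * 1000;           // tolerate a little client clock skew before calling it "future"

// Constructed sample input mirroring the README's expected payload.
const SAMPLE = {
  name: "Mazen", email: "mazen@example.com",
  message: "Please review this secure form workflow.",
  submittedAt: "2026-06-04T08:00:00.000Z", website: "", turnstileToken: "optional-client-token",
};

// Returns { ok, reason }. `reason` belongs in private logs only; the client gets genericError().
function validateSubmission(payload, nowMs = Date.now()) {
  if (!payload || typeof payload !== "object") return { ok: false, reason: "not-object" };
  const { name, email, message, submittedAt, website } = payload;
  if (typeof website === "string" && website.trim() !== "") return { ok: false, reason: "honeypot-filled" };
  for (const [field, value] of Object.entries({ name, email, message })) {
    if (typeof value !== "string" || value.trim() === "") return { ok: false, reason: `missing-${field}` };
  }
  const ts = Date.parse(submittedAt);
  if (Number.isNaN(ts)) return { ok: false, reason: "bad-timestamp" };
  const age = nowMs - ts;                       // how long ago the form was rendered
  if (age > MAX_AGE_MS) return { ok: false, reason: "stale-form" };      // replayed old form
  if (age < -SKEW_MS) return { ok: false, reason: "future-timestamp" };  // forged timestamp
  if (age < MIN_AGE_MS) return { ok: false, reason: "too-fast" };        // scripted submission
  return { ok: true, reason: null };
}

// Minimal stand-in for a Workers KV binding (get/put of strings) so this runs offline.
class MemoryKV {
  constructor() { this.store = new Map(); }
  async get(key) { return this.store.has(key) ? this.store.get(key) : null; }
  async put(key, value) { this.store.set(key, value); }
}

// Sliding window: keep the timestamps of recent hits under one key, drop those
// outside the window, and refuse once `limit` remain. Keys should be narrow
// (per IP plus per form, for example) so shared networks are not blocked wholesale.
async function checkRateLimit(kv, key, nowMs, { limit = 5, windowMs = 60_000 } = {}) {
  const raw = await kv.get(key);
  const hits = (raw ? JSON.parse(raw) : []).filter((t) => nowMs - t < windowMs);
  if (hits.length >= limit) return { allowed: false, remaining: 0 };
  hits.push(nowMs);
  await kv.put(key, JSON.stringify(hits));
  return { allowed: true, remaining: limit - hits.length };
}

// Same generic body for every rejection; detailed reasons never reach the client.
function genericError() {
  return new Response(JSON.stringify({ error: "Request rejected" }), {
    status: 400, headers: { "content-type": "application/json", "cache-control": "no-store" },
  });
}
```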

Production Notes

  • Use Cloudflare Turnstile on public forms.
  • Keep rate-limit keys narrow enough to avoid blocking shared networks too aggressively.
  • Log only the minimum event detail needed for review and abuse tuning.
  • Return generic errors to clients and keep detailed reasons in private logs.

Security

Please report security issues to security@mirogate.com. See SECURITY.md.

About

Cloudflare Worker patterns for rate limiting, Turnstile, honeypots, timestamp freshness, and safe public form responses.