Cloudflare Worker patterns for protecting public forms and lightweight APIs from common abuse: high-volume submissions, replayed forms, bots that fill hidden fields, and missing challenge verification.
- KV-backed sliding-window rate limiting.
- Honeypot and timestamp validation for public forms.
- Optional Cloudflare Turnstile verification.
- A Worker entrypoint with safe JSON responses and no-store caching.
- Tests using Node's built-in test runner.
- Example Wrangler configuration.
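The KV-backed sliding-window limiter from the list above, as an added example that is not the repository's own code. It assumes a KV binding exposing the Workers KV calls `get(key, "json")` and `put(key, value, { expirationTtl })`; `MemoryKV` is a constructed in-memory stand-in so the file runs under plain Node, and the IP, route, limit and window values are made up for the demo.

```javascript
// Added example: sliding-window rate limiting over a Workers KV-style namespace.
// Not the repository's code. Assumes a KV binding with get(key, "json") and
// put(key, value, { expirationTtl }); MemoryKV is a constructed stand-in.

class MemoryKV {
  constructor() { this.store = new Map(); }
  async get(key, type) {
    const raw = this.store.get(key);
    if (raw === undefined) return null;
    return type === "json" ? JSON.parse(raw) : raw;
  }
  async put(key, value, _options) { this.store.set(key, String(value)); }
}

// Narrow key: one client IP per route, so a noisy client behind a shared
// NAT only burns the budget for itself on that route, not for everyone.
// In a Worker the IP comes from request.headers.get("cf-connecting-ip").
function rateLimitKey(ip, route) {
  return `rl:${route}:${ip}`;
}

// Pure decision step: given the stored hit timestamps, decide whether a hit
// at `now` is allowed and return the pruned list to write back.
function slideWindow(previousHits, now, limit, windowMs) {
  const hits = previousHits.filter((t) => t > now - windowMs); // drop expired hits
  if (hits.length >= limit) {
    // The oldest hit still inside the window decides when capacity returns.
    return { allowed: false, remaining: 0, retryAfterMs: hits[0] + windowMs - now, hits };
  }
  hits.push(now);
  return { allowed: true, remaining: limit - hits.length, retryAfterMs: 0, hits };
}

// KV wrapper. Caveat: Workers KV is eventually consistent and has no atomic
// read-modify-write, so concurrent bursts that race this read/write can
// exceed `limit` by a few requests. Treat it as abuse damping, not a hard
// quota; use Durable Objects or the Workers Rate Limiting binding when the
// limit must be exact. Denied hits are not written back, so a client that
// keeps hammering does not push its own retry time further out.
async function checkRateLimit(kv, key, { limit, windowMs, now = Date.now() }) {
  const previous = (await kv.get(key, "json")) || [];
  const decision = slideWindow(previous, now, limit, windowMs);
  if (decision.allowed) {
    // Let KV expire idle keys on its own; KV requires expirationTtl >= 60s.
    await kv.put(key, JSON.stringify(decision.hits), {
      expirationTtl: Math.max(60, Math.ceil(windowMs / 1000) + 60),
    });
  }
  return { allowed: decision.allowed, remaining: decision.remaining, retryAfterMs: decision.retryAfterMs };
}

// Constructed scenario: 3 requests per 10s from one IP, five attempts one
// second apart, then one more after the window has slid past the first hits.
async function demo() {
  const kv = new MemoryKV();
  const key = rateLimitKey("203.0.113.7", "POST /submit");
  const base = Date.parse("2026-06-04T08:00:00.000Z");
  const results = [];
  for (let i = 0; i < 5; i++) {
    const r = await checkRateLimit(kv, key, { limit: 3, windowMs: 10_000, now: base + i * 1000 });
    results.push(r.allowed);
  }
  const later = await checkRateLimit(kv, key, { limit: 3, windowMs: 10_000, now: base + 11_000 });
  results.push(later.allowed);
  return results; // [true, true, true, false, false, true]
}

demo().then((r) => console.log("allowed:", r));
```

When a request is denied, send `429` with a `Retry-After` header derived from `retryAfterMs` (rounded up to whole seconds) so well-behaved clients back off instead of retrying immediately.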
Install dependencies and run the tests:

```sh
npm install
npm test
```

Copy examples/wrangler.example.toml to wrangler.toml, create the KV namespaces, then set your Turnstile secret with Wrangler (secrets are stored by Cloudflare, not in wrangler.toml):

```sh
wrangler secret put TURNSTILE_SECRET
```

Example request body:

```json
{
  "name": "Mazen",
  "email": "mazen@example.com",
  "message": "Please review this secure form workflow.",
  "submittedAt": "2026-06-04T08:00:00.000Z",
  "website": "",
  "turnstileToken": "optional-client-token"
}
```

`website` is a honeypot field: keep it hidden from real users, who leave it empty, and reject any submission in which it is filled. `submittedAt` feeds the timestamp validation so that stale or replayed submissions are rejected. `turnstileToken` is only required when Turnstile verification is enabled.
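Honeypot and timestamp validation for the payload above, together with the generic-error and no-store response pattern, as an added example that is not the repository's own code. Field names follow the README payload; the age bounds, reason codes and the `jsonResponse`/`handleSubmit` helpers are assumptions chosen for illustration. The sample payload and timestamps are constructed.

```javascript
// Added example: honeypot + timestamp validation and the generic-error
// pattern for the README payload. Not the repository's code. Age bounds,
// reason codes and the response helpers are assumptions for illustration.

const MIN_FORM_AGE_MS = 3_000;           // a human cannot read and fill the form faster
const MAX_FORM_AGE_MS = 24 * 3_600_000;  // older than a day is treated as stale or replayed

// Returns { ok: true, data } or { ok: false, status, reason }. `reason` is
// for private logs only; it must never be echoed to the client.
function validateSubmission(payload, now = Date.now()) {
  if (!payload || typeof payload !== "object" || Array.isArray(payload)) {
    return { ok: false, status: 400, reason: "body_not_object" };
  }
  const { name, email, message, submittedAt, website } = payload;

  // Honeypot: the field is hidden from real users, so any content means a
  // bot filled every input it found. Checked first so bots learn nothing else.
  if (typeof website === "string" && website.trim() !== "") {
    return { ok: false, status: 400, reason: "honeypot_filled" };
  }
  for (const [field, value] of Object.entries({ name, email, message })) {
    if (typeof value !== "string" || value.trim() === "") {
      return { ok: false, status: 400, reason: `missing_${field}` };
    }
  }

  // Timestamp window: reject impossibly fast submissions and old ones being
  // replayed. The value is client-supplied, so this is cheap friction against
  // naive bots, not proof of freshness; rate limiting and Turnstile cover the
  // deliberate attacker.
  const issuedAt = Date.parse(submittedAt);
  if (Number.isNaN(issuedAt)) return { ok: false, status: 400, reason: "bad_timestamp" };
  const age = now - issuedAt;
  if (age < MIN_FORM_AGE_MS) return { ok: false, status: 400, reason: "submitted_too_fast" };
  if (age > MAX_FORM_AGE_MS) return { ok: false, status: 400, reason: "stale_or_replayed" };

  return { ok: true, data: { name: name.trim(), email: email.trim(), message: message.trim() } };
}

// JSON response that browsers and intermediaries will neither cache nor sniff.
function jsonResponse(body, status = 200) {
  return new Response(JSON.stringify(body), {
    status,
    headers: {
      "content-type": "application/json; charset=utf-8",
      "cache-control": "no-store",
      "x-content-type-options": "nosniff",
    },
  });
}

// Worker-style handler: generic message to the client, a minimal structured
// event (reason code only, no form contents or email) to the private log.
async function handleSubmit(request, now = Date.now(), log = console.log) {
  let payload;
  try {
    payload = await request.json();
  } catch {
    return jsonResponse({ error: "Submission rejected" }, 400);
  }
  const result = validateSubmission(payload, now);
  if (!result.ok) {
    log(JSON.stringify({ event: "form_rejected", reason: result.reason }));
    return jsonResponse({ error: "Submission rejected" }, result.status);
  }
  return jsonResponse({ ok: true }, 200);
}

// Constructed payload matching the README example, checked 10s after it was issued.
const samplePayload = {
  name: "Mazen",
  email: "mazen@example.com",
  message: "Please review this secure form workflow.",
  submittedAt: "2026-06-04T08:00:00.000Z",
  website: "",
};
const sampleNow = Date.parse("2026-06-04T08:00:10.000Z");
console.log(validateSubmission(samplePayload, sampleNow).ok); // true
console.log(validateSubmission({ ...samplePayload, website: "http://spam.example" }, sampleNow).reason); // honeypot_filled
```

Wire `handleSubmit` into the Worker's `fetch` handler after the rate-limit check, and add the Turnstile siteverify call before `validateSubmission` returns success when the challenge is enabled; the client still only ever sees "Submission rejected".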
- Use Cloudflare Turnstile on public forms.
- Keep rate-limit keys narrow enough to avoid blocking shared networks too aggressively.
- Log only the minimum event detail needed for review and abuse tuning.
- Return generic errors to clients and keep detailed reasons in private logs.
Please report security issues to security@mirogate.com. See SECURITY.md.