Claude-skill-registry cloudflare-security-checker
Automatically validates Cloudflare Workers security patterns during development, ensuring proper secret management, CORS configuration, and input validation
install
source · Clone the upstream repo
git clone https://github.com/majiayu000/claude-skill-registry
Claude Code · Install into ~/.claude/skills/
T=$(mktemp -d) && git clone --depth=1 https://github.com/majiayu000/claude-skill-registry "$T" && mkdir -p ~/.claude/skills && cp -r "$T/skills/data/cloudflare-security-checker" ~/.claude/skills/majiayu000-claude-skill-registry-cloudflare-security-checker && rm -rf "$T"
manifest:
skills/data/cloudflare-security-checker/SKILL.mdsource content
Cloudflare Security Checker SKILL
Activation Patterns
This SKILL automatically activates when:
- Authentication or authorization code is detected
- Secret management patterns are used
- API endpoints or response creation is implemented
- Database queries (D1) are written
- CORS-related code is added
- Input validation patterns are implemented
Expertise Provided
Workers-Specific Security Validation
- Secret Management: Ensures proper
parameter usage vs hardcoded secretsenv - CORS Configuration: Validates Workers-specific CORS implementation
- Input Validation: Checks for proper request validation patterns
- SQL Injection Prevention: Ensures D1 prepared statements
- Authentication Patterns: Validates JWT and API key handling
- Rate Limiting: Identifies missing rate limiting patterns
Specific Checks Performed
❌ Critical Security Violations
// These patterns trigger immediate alerts: const API_KEY = "sk_live_xxx"; // Hardcoded secret const secret = process.env.JWT_SECRET; // process.env doesn't exist const query = `SELECT * FROM users WHERE id = ${userId}`; // SQL injection
✅ Secure Workers Patterns
// These patterns are validated as correct: const apiKey = env.API_KEY; // Proper env parameter const result = await env.DB.prepare('SELECT * FROM users WHERE id = ?').bind(userId); // Prepared statement
Integration Points
Complementary to Existing Components
- cloudflare-security-sentinel agent: Handles comprehensive security audits, SKILL provides immediate validation
- workers-runtime-validator SKILL: Complements runtime checks with security-specific validation
- es-deploy command: SKILL prevents deployment of insecure code
Escalation Triggers
- Complex security architecture questions →
agentcloudflare-security-sentinel - Advanced authentication patterns →
agentcloudflare-architecture-strategist - Security incident response →
agentcloudflare-security-sentinel
Validation Rules
P1 - Critical (Immediate Security Risk)
- Hardcoded Secrets: API keys, passwords, tokens in code
- SQL Injection: String concatenation in D1 queries
- Missing Authentication: Sensitive endpoints without auth
- Process Env Usage:
for secrets (doesn't work in Workers)process.env
P2 - High (Security Vulnerability)
- Missing Input Validation: Direct use of
without validationrequest.json() - Improper CORS: Missing CORS headers or overly permissive origins
- Missing Rate Limiting: Public endpoints without rate limiting
- Secrets in Config: Secrets in wrangler.toml
section[vars]
P3 - Medium (Security Best Practice)
- Missing Security Headers: HTML responses without CSP/XSS protection
- Weak Authentication: No resource-level authorization
- Insufficient Logging: Security events not logged
Remediation Examples
Fixing Secret Management
// ❌ Critical: Hardcoded secret const STRIPE_KEY = "sk_live_12345"; // ❌ Critical: process.env (doesn't exist) const apiKey = process.env.API_KEY; // ✅ Correct: Workers secret management export default { async fetch(request: Request, env: Env) { const apiKey = env.STRIPE_KEY; // From wrangler secret put } }
Fixing SQL Injection
// ❌ Critical: SQL injection vulnerability const userId = url.searchParams.get('id'); const result = await env.DB.prepare(`SELECT * FROM users WHERE id = ${userId}`).first(); // ✅ Correct: Prepared statement const userId = url.searchParams.get('id'); const result = await env.DB.prepare('SELECT * FROM users WHERE id = ?').bind(userId).first();
Fixing CORS Configuration
// ❌ High: Missing CORS headers export default { async fetch(request: Request, env: Env) { return new Response(JSON.stringify(data)); } } // ✅ Correct: Workers CORS pattern function getCorsHeaders(origin: string) { const allowedOrigins = ['https://app.example.com']; const allowOrigin = allowedOrigins.includes(origin) ? origin : allowedOrigins[0]; return { 'Access-Control-Allow-Origin': allowOrigin, 'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS', 'Access-Control-Allow-Headers': 'Content-Type, Authorization', 'Access-Control-Max-Age': '86400', }; } export default { async fetch(request: Request, env: Env) { const origin = request.headers.get('Origin') || ''; if (request.method === 'OPTIONS') { return new Response(null, { headers: getCorsHeaders(origin) }); } const response = new Response(JSON.stringify(data)); Object.entries(getCorsHeaders(origin)).forEach(([k, v]) => { response.headers.set(k, v); }); return response; } }
Fixing Input Validation
// ❌ High: No input validation export default { async fetch(request: Request, env: Env) { const data = await request.json(); // Could be anything await env.DB.prepare('INSERT INTO users (name) VALUES (?)').bind(data.name).run(); } } // ✅ Correct: Input validation with Zod import { z } from 'zod'; const UserSchema = z.object({ name: z.string().min(1).max(100), email: z.string().email(), }); export default { async fetch(request: Request, env: Env) { // Size limit const contentLength = request.headers.get('Content-Length'); if (contentLength && parseInt(contentLength) > 1024 * 100) { return new Response('Payload too large', { status: 413 }); } // Schema validation const data = await request.json(); const result = UserSchema.safeParse(data); if (!result.success) { return new Response(JSON.stringify(result.error), { status: 400 }); } // Safe to use validated data await env.DB.prepare('INSERT INTO users (name, email) VALUES (?, ?)') .bind(result.data.name, result.data.email).run(); } }
MCP Server Integration
When Cloudflare MCP server is available:
- Query latest Cloudflare security best practices
- Verify secrets are configured in account
- Check for recent security events affecting the project
- Get current security recommendations
Benefits
Immediate Impact
- Prevents Security Vulnerabilities: Catches issues during development
- Educates on Workers Security: Clear explanations of Workers-specific security patterns
- Reduces Security Debt: Immediate feedback on security anti-patterns
Long-term Value
- Consistent Security Standards: Ensures all code follows Workers security best practices
- Faster Security Reviews: Automated validation reduces manual review time
- Better Security Posture: Proactive security validation vs reactive fixes
Usage Examples
During Authentication Implementation
// Developer types: const JWT_SECRET = "my-secret-key"; // SKILL immediately activates: "❌ CRITICAL: Hardcoded JWT secret detected. Use wrangler secret put JWT_SECRET and access via env.JWT_SECRET"
During API Development
// Developer types: const userId = url.searchParams.get('id'); // SKILL immediately activates: "⚠️ HIGH: URL parameter not validated. Add schema validation before using in database queries."
During Database Query Writing
// Developer types: `SELECT * FROM users WHERE id = ${userId}` // SKILL immediately activates: "❌ CRITICAL: SQL injection vulnerability. Use prepared statement: .prepare('SELECT * FROM users WHERE id = ?').bind(userId)"
This SKILL ensures Workers security by providing immediate, autonomous validation of security patterns, preventing common vulnerabilities and ensuring proper Workers-specific security practices.