feat(cors-proxy): add anti-spoofing security measures

Security improvements for the Cloudflare Worker CORS proxy: - Add rate limiting per IP (60 requests/minute) using Cloudflare KV - Add file size limit (10MB max) to prevent abuse - Add HMAC signature verification (optional, for deterrence) - Add timestamp validation to prevent replay attacks - Block private IP ranges (localhost, 10.x, 192.168.x, 172.16-31.x) Client-side changes: - Add signature generation in digital-sign-pdf.ts - Add security warning about client-side secrets Documentation: - Update README with production security features - Update docs/self-hosting/cloudflare.md with CORS proxy section - Document KV setup for rate limiting - Add clear warnings about client-side HMAC limitations Files changed: - cloudflare/cors-proxy-worker.js - cloudflare/wrangler.toml - src/js/logic/digital-sign-pdf.ts - README.md - docs/self-hosting/cloudflare.md
2026-01-05 13:43:39 +05:30
parent 534eb01010
commit 8a96426254
5 changed files with 352 additions and 9 deletions
--- a/cloudflare/wrangler.toml
+++ b/cloudflare/wrangler.toml
@@ -6,11 +6,44 @@ compatibility_date = "2024-01-01"
 # If you are self hosting change the name to your worker name
 # Run: npx wrangler deploy

+# =============================================================================
+# SECURITY FEATURES
+# =============================================================================
+#
+# 1. SIGNATURE VERIFICATION (Optional - for anti-spoofing)
+#    - Generate secret: openssl rand -hex 32
+#    - Set secret: npx wrangler secret put PROXY_SECRET
+#    - Note: Secret is visible in frontend JS, so provides limited protection
+#
+# 2. RATE LIMITING (Recommended - requires KV)
+#    - Create KV namespace: npx wrangler kv:namespace create "RATE_LIMIT_KV"
+#    - Uncomment the kv_namespaces section below with the returned ID
+#    - Limits: 60 requests per IP per minute
+#
+# 3. FILE SIZE LIMIT
+#    - Automatic: Rejects files larger than 1MB
+#    - Certificates are typically <10KB, so this prevents abuse
+#
+# 4. URL RESTRICTIONS
+#    - Only certificate URLs allowed (*.crt, *.cer, *.pem, /certs/, etc.)
+#    - Blocks private IPs (localhost, 10.x, 192.168.x, 172.16-31.x)
+
+# =============================================================================
+# KV NAMESPACE FOR RATE LIMITING
+# =============================================================================
+# To enable rate limiting:
+# 1. Run: npx wrangler kv:namespace create "RATE_LIMIT_KV"
+# 2. Copy the returned id and uncomment the section below
+#
+# [[kv_namespaces]]
+# binding = "RATE_LIMIT_KV"
+# id = "YOUR_KV_NAMESPACE_ID_HERE"
+
 # Optional: Custom domain routing
 # routes = [
 #   { pattern = "cors-proxy.bentopdf.com/*", zone_name = "bentopdf.com" }
 # ]

-# Optional: Environment variables
+# Optional: Environment variables (for non-secret config)
 # [vars]
 # ALLOWED_ORIGINS = "https://www.bentopdf.com,https://bentopdf.com"