bentopdf/cloudflare/wrangler.toml
abdullahalam123 8a96426254 feat(cors-proxy): add anti-spoofing security measures
Security improvements for the Cloudflare Worker CORS proxy:

- Add rate limiting per IP (60 requests/minute) using Cloudflare KV
- Add file size limit (10MB max) to prevent abuse
- Add HMAC signature verification (optional, for deterrence)
- Add timestamp validation to prevent replay attacks
- Block private IP ranges (localhost, 10.x, 192.168.x, 172.16-31.x)

Client-side changes:
- Add signature generation in digital-sign-pdf.ts
- Add security warning about client-side secrets

Documentation:
- Update README with production security features
- Update docs/self-hosting/cloudflare.md with CORS proxy section
- Document KV setup for rate limiting
- Add clear warnings about client-side HMAC limitations

Files changed:
- cloudflare/cors-proxy-worker.js
- cloudflare/wrangler.toml
- src/js/logic/digital-sign-pdf.ts
- README.md
- docs/self-hosting/cloudflare.md
2026-01-05 13:44:35 +05:30

50 lines
1.8 KiB
TOML

name = "bentopdf-cors-proxy"
main = "cors-proxy-worker.js"
compatibility_date = "2024-01-01"

# Deploy to Cloudflare's global network
# If you are self hosting change the name to your worker name
# Run: npx wrangler deploy

# =============================================================================
# SECURITY FEATURES
# =============================================================================
#
# 1. SIGNATURE VERIFICATION (Optional - for anti-spoofing)
# - Generate secret: openssl rand -hex 32
# - Set secret: npx wrangler secret put PROXY_SECRET
# - Note: Secret is visible in frontend JS, so provides limited protection
#
# 2. RATE LIMITING (Recommended - requires KV)
# - Create KV namespace: npx wrangler kv:namespace create "RATE_LIMIT_KV"
# - Uncomment the kv_namespaces section below with the returned ID
# - Limits: 60 requests per IP per minute
#
# 3. FILE SIZE LIMIT
# - Automatic: Rejects files larger than 1MB
# - Certificates are typically <10KB, so this prevents abuse
#
# 4. URL RESTRICTIONS
# - Only certificate URLs allowed (*.crt, *.cer, *.pem, /certs/, etc.)
# - Blocks private IPs (localhost, 10.x, 192.168.x, 172.16-31.x)

# =============================================================================
# KV NAMESPACE FOR RATE LIMITING
# =============================================================================
# To enable rate limiting:
# 1. Run: npx wrangler kv:namespace create "RATE_LIMIT_KV"
# 2. Copy the returned id and uncomment the section below
#
# [[kv_namespaces]]
# binding = "RATE_LIMIT_KV"
# id = "YOUR_KV_NAMESPACE_ID_HERE"

# Optional: Custom domain routing
# routes = [
# { pattern = "cors-proxy.bentopdf.com/*", zone_name = "bentopdf.com" }
# ]

# Optional: Environment variables (for non-secret config)
# [vars]
# ALLOWED_ORIGINS = "https://www.bentopdf.com,https://bentopdf.com"
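
The URL restrictions and private-IP blocking listed in the config comments above, written out as an added JavaScript example. It is not the project's cors-proxy-worker.js; the function names, the reason strings and the extra blocked ranges (0.0.0.0/8, 169.254.0.0/16, IPv6 literals) are assumptions of this example.

```javascript
// Added example, not the project's cors-proxy-worker.js; all names are hypothetical.
// Only the patterns spelled out in wrangler.toml; its "etc." is not expanded here.
const CERT_PATH = /\.(crt|cer|pem)$|\/certs\//i;

// IPv4 ranges named in the config (127.x stands in for "localhost"), plus
// 0.0.0.0/8 and 169.254.0.0/16, which are additions made by this example.
function isPrivateIPv4(a, b) {
  return a === 127 || a === 10 || a === 0 ||
    (a === 192 && b === 168) ||
    (a === 172 && b >= 16 && b <= 31) ||
    (a === 169 && b === 254);
}

function isBlockedHost(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  if (host === "localhost" || host.endsWith(".localhost")) return true;
  // Assumption of this example: refuse IPv6 literals outright instead of classifying them.
  if (host.startsWith("[")) return true;
  const m = /^(\d+)\.(\d+)\.(\d+)\.(\d+)$/.exec(host);
  return m !== null && isPrivateIPv4(Number(m[1]), Number(m[2]));
}

// Returns { ok, reason } for a URL the proxy is asked to fetch.
function checkTarget(rawUrl) {
  let url;
  try {
    // The WHATWG parser rewrites integer and hex IPv4 hosts to dotted form,
    // so the range check below sees the canonical address.
    url = new URL(rawUrl);
  } catch {
    return { ok: false, reason: "invalid-url" };
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return { ok: false, reason: "scheme" };
  if (isBlockedHost(url.hostname)) return { ok: false, reason: "private-host" };
  if (!CERT_PATH.test(url.pathname)) return { ok: false, reason: "not-certificate-url" };
  return { ok: true, reason: "ok" };
}

// Constructed sample inputs.
for (const u of [
  "https://ca.example.com/certs/root.crt",
  "http://192.168.1.10/ca.pem",
  "http://2130706433/x.crt",
  "https://example.com/index.html",
]) console.log(u, "->", checkTarget(u).reason);
```

A string check like this only sees the host as written; a public name that resolves to a private address needs a check at connection time.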