I've been using Cloudflare to set up a url-accessible web build of a game I contribute to (R2 Bucket

I've been using Cloudflare to set up a url-accessible web build of a game I contribute to (R2 Bucket for the game's files, connected to a Worker to serve it to users). Since I'm pretty inexperienced when it comes to web infrastructure, I want to check my work security-wise.
There are no sensitive files in our build, so we're not worried about reading, but we obviously don't want users to be able to modify the contents of our R2 Bucket. The worker is coded to return 403 (or 400) for any requests that aren't

GET

GET

HEAD

HEAD

HEAD

HEAD. As best I can tell, this should make it impossible for users to modify our files, unless they can somehow modify the code of the worker itself (I assume they can't). Is that correct, or is there something else I need to do to make sure our web build is secure?

HHereToHelp I've been using Cloudflare to set up a url-accessible web build of a game I cont...

Hello, I’m Allie!•4/1/25, 1:11 AM

Assuming that you never call any functions that write/delete from the bucket, it doesn’t matter what requests they send to your Worker

Hello, I’m Allie!•4/1/25, 1:11 AM

They could send all of the POSTs they want, and it wouldn’t do anything

HereToHelpOP•4/1/25, 1:11 AM

Awesome, thanks for the confirmation!

く

くもりにくもったクラウドサービスlocaler•4/1/25, 6:40 AM

When I use Cloudflare Pages by calling wasm, I get CompileError: WebAssembly.instantiate(): Wasm code generation disallowed by embedderCompileError: WebAssembly.instantiate(): Wasm code generation disallowed by embedder.
Any guidance on how to resolve this would be appreciated.

glncy•4/1/25, 7:40 AM

Hi Everyone. New to cloudflare. I am trying to access AI via Curl and also using bindings but i am getting this error. thank you

{
  "result": null,
  "success": false,
  "errors": [
    {
      "code": 7010,
      "message": "Service unavailable"
    }
  ],
  "messages": [
    
  ]
}

{
  "result": null,
  "success": false,
  "errors": [
    {
      "code": 7010,
      "message": "Service unavailable"
    }
  ],
  "messages": [
    
  ]
}

Barry•4/1/25, 9:34 AM

When using the Browser Rendering API, has anyone encountered issues with transformed elements? I have some skewed elements on my website but they are not rendered, just an empty space. It's just a skewY(10deg) en the text is skewY(-deg), is that because it uses GPU or somethign? Can we tweak the API to force it?

くくもりにくもったクラウドサービスlocaler When I use Cloudflare Pages by calling wasm, I get `CompileError: WebAssembly.in...

Silvan•4/1/25, 12:13 PM

the wasm needs to be inside ur bundle. as mentioned here workers-and-pages-discussions

Silvan•4/1/25, 12:14 PM

Do i understand this right.

if i want to deploy a pure static page with worker assets i just need

  "assets": {
    "directory": "./dist",
    "binding": "ASSETS"
  }

  "assets": {
    "directory": "./dist",
    "binding": "ASSETS"
  }

and no main?

Silvan•4/1/25, 12:16 PM

nvm i dont need the binding either ofc

く

くもりにくもったクラウドサービスlocaler•4/1/25, 12:55 PM

Does this mean that Wasm with Base64-encoded Data URLs does not work with Cloudflare Pages?

くくもりにくもったクラウドサービスlocaler Does this mean that Wasm with Base64-encoded Data URLs does not work with Cloudf...

Isaac McFadyen•4/1/25, 12:58 PM

Correct, any dynamic code (code that is compiled or constructed during runtime) is disallowed on Cloudflare Workers and Cloudflare Pages for security reasons

Isaac McFadyen•4/1/25, 12:58 PM

https://developers.cloudflare.com/workers/runtime-apis/web-standards/#javascript-standards

Isaac McFadyen•4/1/25, 1:01 PM

If you're interested there's a good talk on the security model of Workers from the engineering lead on the Workers team: https://www.infoq.com/presentations/cloudflare-v8/

LLemon hey, did anyone tried to display `CF_PAGES_COMMIT_SHA` within a Vite React proje...

Lemon•4/1/25, 4:07 PM

if any other peep bashing their head with this trash documentation here is the solution

edit your

vite.config.ts

vite.config.ts

like so (or add these lines)

import { defineConfig } from 'vite'
import react from '@vitejs/plugin-react'

// https://vite.dev/config/
export default defineConfig({
  plugins: [react()],
  define: {
    "import.meta.env.CF_PAGES": JSON.stringify(process.env.CF_PAGES || "1"),
    "import.meta.env.CF_PAGES_URL": JSON.stringify(process.env.CF_PAGES_URL || "unresolved"),
    "import.meta.env.CF_PAGES_BRANCH": JSON.stringify(process.env.CF_PAGES_BRANCH || "unresolved"),
    "import.meta.env.CF_PAGES_COMMIT_SHA": JSON.stringify(process.env.CF_PAGES_COMMIT_SHA || "unknown"),
  },
})

import { defineConfig } from 'vite'
import react from '@vitejs/plugin-react'

// https://vite.dev/config/
export default defineConfig({
  plugins: [react()],
  define: {
    "import.meta.env.CF_PAGES": JSON.stringify(process.env.CF_PAGES || "1"),
    "import.meta.env.CF_PAGES_URL": JSON.stringify(process.env.CF_PAGES_URL || "unresolved"),
    "import.meta.env.CF_PAGES_BRANCH": JSON.stringify(process.env.CF_PAGES_BRANCH || "unresolved"),
    "import.meta.env.CF_PAGES_COMMIT_SHA": JSON.stringify(process.env.CF_PAGES_COMMIT_SHA || "unknown"),
  },
})

crossbeau•4/1/25, 4:08 PM

if I were to create say 3 pages projects:
my-app-dev=====\
my-app-stage========== single-project-repo. (dev branch, stage branch, main branch)
my-app-prod ===/

how could I handle indepedent variables for each with a single wrangler file? can I have global values for all and then manually set values for each using api ? or would api settings overwrite values set by wrangler ?

crossbeau•4/1/25, 4:08 PM

I know I can do this with workers, but just unsure of how to handle this for pages

LLemon if any other peep bashing their head with this trash documentation here is the s...

Isaac McFadyen•4/1/25, 4:09 PM

Per Vite docs, only variables prefixed with VITE_VITE_ will be exposed to the build without that config change, yes https://vite.dev/guide/env-and-mode.html#env-variables

IIsaac McFadyen Per Vite docs, only variables prefixed with `VITE_` will be exposed to the build...

Lemon•4/1/25, 4:13 PM

Nah bro I agree to disagree It took me 3 hours to debug this.
You have to put these variables into your config without this the import.meta.env wont see the Cloudflare injected variables and noone talks about this.
Without the config.ts there is nothing CF related in the import.meta.env https://38625370.trash-vars.pages.dev/
With the config.ts CF populates and injects the variables as should be by default https://2d4b43b9.trash-vars.pages.dev/

LLemon Nah bro I agree to disagree It took me 3 hours to debug this. You have to put th...

Isaac McFadyen•4/1/25, 4:14 PM

Yes I understand that, but that's because Vite only puts variables that start with the VITE_VITE_ prefix into import.meta.env, which is why that config change is required

Isaac McFadyen•4/1/25, 4:15 PM

CF_PAGES_COMMIT_SHACF_PAGES_COMMIT_SHA doesn't start with VITE_VITE_ and so Vite hides it because it assumes you don't want to expose it to client code

Lemon•4/1/25, 4:16 PM

Yeah I get it, but it would be nice to put these comments/precautions in to the CF docs (https://developers.cloudflare.com/pages/framework-guides/deploy-a-vite3-project/)
Could you push stuff like this to the CF team?

Cloudflare Docs

Vite 3 · Cloudflare Pages docs

Vite is a next-generation build tool for front-end developers. With the release of Vite 3, developers can make use of new command line (CLI) improvements, starter templates, and more to help build their front-end applications.

rad•4/1/25, 4:21 PM

are there any customer success stories of CloudFlare Workers to help shill CF?

Rrad are there any customer success stories of CloudFlare Workers to help shill CF?

Isaac McFadyen•4/1/25, 4:24 PM

A lot, but some aren't really public.

Vercel uses Workers for their edge runtime
Shopify uses Cloudflare, and presumably Workers but not publicly confirmed
civit.ai uses R2 and Workers for all file downloads
Nodecraft uses Workers for some of their APIs
And https://workers.cloudflare.com has logos of a bunch of companies (i.e. Discord, NPM, maxmind) but no details on how they actually use Workers.

Cloudflare Workers©

Build your next application with Cloudflare Workers

Rrad are there any customer success stories of CloudFlare Workers to help shill CF?

Cyb3r-Jak3•4/1/25, 4:25 PM

You can also look through case studies to see what matches best: https://www.cloudflare.com/case-studies/

Cloudflare Case Studies

Cloudflare customer case studies provide cyber security testimonials and customer use cases for a suite of website security and performance products.

Ccrossbeau if I were to create say 3 pages projects: my-app-dev=====\ my-app-stage=========...

crossbeau•4/1/25, 4:32 PM

like. how could I use a single wrangler.toml as a source of truth for 3 environments but also allow deviation for different environments where needed ?

crossbeau•4/1/25, 4:32 PM

do I just abuse secrets and individually add non-secrets as secrets at the project level?

Ostof•4/1/25, 4:46 PM

Hello, not sure if this is the right channel for this question. I have a astro pages project which is already deployed and wanted to add a durable object as a websocket server but have not found a way to do this.
Now I have converted to workers framework beta (https://developers.cloudflare.com/workers/frameworks/framework-guides/astro/) but cant get it working.

Maybe naively I have just created a simple DO class and added it to the config.json.

Is there a recommended way to add a durable objects to a pages or workers framework project add test it locally.

Cloudflare Docs

Astro · Cloudflare Workers docs

Create an Astro application and deploy it to Cloudflare Workers with Workers Assets.

crossbeau•4/1/25, 5:01 PM

is there a way using the API to create a Cloudflare Worker Associated to Github/Gitlab ?

HHereToHelp I've been using Cloudflare to set up a url-accessible web build of a game I cont...

dave•4/1/25, 5:24 PM

How big are the files? I wonder if Static Assets would be a better fit.

https://developers.cloudflare.com/workers/static-assets/

dave•4/1/25, 5:29 PM

Is there any trick I could do to make a Cron Worker trigger another Worker that is a domain zone (so caching works)?

manterfield•4/1/25, 5:35 PM

Heyo

. Is the Cache API secure in terms of storing content under signed URLs? That is a user makes a request to us with a signature in the URL that we verify (time restricted), we cache that for a bit.

The URL is unguessable, so effectively I'm asking if Cloudflare exposes a method that someone could enumerate or otherwise discover URLs that are cached?

Mmanterfield Heyo 👋 . Is the Cache API secure in terms of storing content under signed URLs?...

dave•4/1/25, 6:09 PM

If you accidentally config a cache rule to ignore search params, that could be a problem.

Ddave How big are the files? I wonder if Static Assets would be a better fit. https:/...

HereToHelpOP•4/1/25, 7:15 PM

I did try that, but yeah they're too big for just workers/pages unfortunately

matt•4/1/25, 7:36 PM

Did this ever go live? https://blog.cloudflare.com/data-anywhere-events-pipelines-durable-execution-workflows/

The Cloudflare Blog

Data Anywhere with Pipelines, Event Notifications, and Workflows

We’re making it easier to build scalable, reliable, data-driven applications on top of our global network, and so we’re announcing a new Event Notifications framework; our take on durable execution, Workflows; and an upcoming streaming ingestion service, Pipelines

Mmatt Did this ever go live? https://blog.cloudflare.com/data-anywhere-events-pipeline...

dave•4/1/25, 8:55 PM

See #workflows-beta

dave•4/1/25, 8:56 PM

I personally decided not to use Workflows. I found it much easier to have a Cron Worker poll a PostgreSQL database (through Hyperdrive).

HereToHelpOP•4/1/25, 10:50 PM

f02f6632 is the most recent deployment, made Apr 1 00:30 UTC. It's the one listed under "Active Deployment". For some reason though, it look like 84efc01c is still serving requests? Am I misreading this, or is there an outdated version of my worker's code still active? Do I need to do something to make sure all requests are handled by the latest version?

HereToHelpOP•4/1/25, 10:55 PM

I tried clicking "Deploy version" under "Active deployment", sending a new request, and re-checking, and the graph changed? Was it just a visual bug?

HereToHelpOP•4/1/25, 10:59 PM

It keeps randomly changing between the two versions of the chart when I refresh. I am very confused lol

HHereToHelp It keeps randomly changing between the two versions of the chart when I refresh....

Peps•4/2/25, 1:02 AM

yeah the new worker metrics are still a little bit buggy so it tends to do that

Peps•4/2/25, 1:02 AM

it's being worked on though

HereToHelpOP•4/2/25, 1:02 AM

Got it — thanks for the answer

Original message was deleted

crossbeau•4/2/25, 2:05 AM

Use .env.vars for testing local and gitignore that file. And use wrangler secrets putwrangler secrets put to put on deployed app

Soorya•4/2/25, 3:27 AM

Hey, is it required for me to update the durable object version everytime I need to deploy the project? Because I am currently getting an error

Cannot apply new-class migration to class 'DurableObject' that is already depended on by existing Durable Objects [code: 10074]

Cannot apply new-class migration to class 'DurableObject' that is already depended on by existing Durable Objects [code: 10074]

, As per chatgpt it might be because I need to update the vv in the workers. Does anyone have any idea and do I need to update the version everytime?

Original message was deleted

manterfield•4/2/25, 9:51 AM

For what I'm doing the signature in the URL is quite important. Cache outliving the expiry isn't necessarily a problem (assuming it will be removed within a 'reasonable' time post expiry - i.e. it won't live for days or weeks past). The payload under the URL isn't super sensitive, this is more a redundant protection for defence in depth. It would only be a problem if an external user could easily see all the URLs without knowing them in advance/without brute forcing.

Good thought about WAF in front of cache though - I don't think it will work for what I want, but will sanity check. Thanks!

Original message was deleted

crossbeau•4/2/25, 10:35 AM

So if you put secrets in my secrets put and you have non secret env vars in the toml it leaves the secrets untouched until you run that command again

Original message was deleted

crossbeau•4/2/25, 11:13 AM

Use terraform to create your worker or pages project and use it to configure and setup env vars and secrets. And then only use wrangler to deploy code

I've been using Cloudflare to set up a url-accessible web build of a game I contribute to (R2 Bucket

Similar Threads