Security & Compliance: Multi-Layer Edge Defence

Security Model

A nostalgic UI doesn’t mean nostalgic security. CF Messenger employs modern defence-in-depth across multiple layers.

Security Layers Snapshot

Layer	Technology	Purpose
Transport	TLS 1.3 via Cloudflare	Encrypted in-flight connections
Identity	UUIDv4 Sessions in KV	Session validation with 20m TTL
Access	Durable Object Guards	Room membership verification
Rate Limiting	Sliding Window (KV)	Brute-force and flood protection
Bot Protection	Cloudflare Turnstile	Non-interactive CAPTCHA
Content	Zod Validation	XSS and injection prevention

Layered Protection

A nostalgic UI shouldn’t mean nostalgic security. CF Messenger employs a modern security stack:

Session Tokens: UUIDv4 tokens stored in SESSION_KV with 20-minute TTLs, validated on every WebSocket connection.
Private Room Guards: DM room IDs embed sorted participant hashes. Durable Objects verify membership before accepting messages.
Rate Limiting: Sliding windows live inside each ChatRoom DO, with aggregate synchronisation to SESSION_KV.
Transport & CORS: TLS 1.3 enforced by Cloudflare; workers add strict Access-Control-Allow-Origin headers.
Bot Protection: Cloudflare Turnstile gates the login UI, with mandatory server-side siteverify token validation.
Content Safety: Zod validation and string escaping prevent reflected XSS and injection attacks.

Global WAF Shield

By adhering to a standard /api/ path structure, a single set of WAF rules protects the entire *.cfdemo.link zone.

Custom Rules

Zone-Wide Login Protection: Challenges POSTs to /api/auth/login lacking a cfdemo.link referer.
Universal API Guard: Blocks access to administrative or system endpoints.
Global Hygiene: Blocks automated scanners (curl, python-requests, etc.).

Rate Limiting

Multi-App Throttling: Hard cap of 5 login attempts per 10 seconds per IP, protecting against brute-force attacks across all subdomains.

Data Residency (UK-Only)

To demonstrate compliance capability, all Durable Objects and KV namespaces are pinned to the United Kingdom via location_hint.

"durable_objects": {
  "bindings": [
    { "name": "CHAT_ROOM", "class_name": "ChatRoom", "location_hint": "uk" },
    { "name": "PRESENCE_ROOM", "class_name": "PresenceRoom", "location_hint": "uk" }
  ]
}

End-to-End Encryption (Production Roadmap)

The current proof-of-concept focuses on transport security and access controls. Production deployment will add client-side end-to-end encryption (E2EE):

Message Encryption: Megolm session-based encryption, where each message is encrypted on the sender’s device before transmission
Device Key Management: Device keys and cross-signing to prevent device spoofing
Key Distribution: One-time keys and fallback keys for secure session establishment
Key Backup: Encrypted backup of recovery keys in user account
Infrastructure Privacy: Like Matrix’s model, CF Messenger infrastructure will never see plaintext messages—only encrypted payloads

This ensures end-to-end encryption operates independently from transport-layer TLS, providing defence-in-depth.

[!NOTE] For plaintext conversations (like this POC), we rely on TLS 1.3 for transport security. For production, clients will encrypt locally, ensuring only message recipients can decrypt.

Compliance & Caveats

As a Proof-of-Concept: This demo lacks automated GDPR deletion workflows and audit logging (Logpush). It should be treated as a demonstration of technical residency rather than a fully compliant production environment.

Sources & References

TLS 1.3 Security: RFC 8446 - TLS 1.3 Specification
Post-Quantum Cryptography: Cloudflare PQC Deployment and ML-KEM Standard
Matrix Protocol Security: Matrix Specification - Encryption
End-to-End Encryption (E2EE): Megolm Protocol
Cloudflare Turnstile: Bot Management Documentation
Data Residency Controls: Durable Objects Location Hints