Security & Compliance

A nostalgic UI shouldn’t mean nostalgic security. CF Messenger employs a modern security stack:

  1. Session Tokens: UUIDv4 tokens stored in SESSION_KV with 20-minute TTLs, validated on every WebSocket connection.
  2. Private Room Guards: DM room IDs embed sorted participant hashes. Durable Objects verify membership before accepting messages.
  3. Rate Limiting: Sliding windows live inside each ChatRoom DO, with aggregate synchronisation to SESSION_KV.
  4. Transport & CORS: TLS 1.3 enforced by Cloudflare; workers add strict Access-Control-Allow-Origin headers.
  5. Bot Protection: Cloudflare Turnstile gates the login UI, with mandatory server-side siteverify token validation.
  6. Content Safety: Zod validation and string escaping prevent reflected XSS and injection attacks.

By adhering to a standard /api/ path structure, a single set of WAF rules protects the entire *.cfdemo.link zone.

  • Zone-Wide Login Protection: Challenges POSTs to /api/auth/login lacking a cfdemo.link referer.
  • Universal API Guard: Blocks access to administrative or system endpoints.
  • Global Hygiene: Blocks automated scanners (curl, python-requests, etc.).
  • Multi-App Throttling: Hard cap of 5 login attempts per 10 seconds per IP, protecting against brute-force attacks across all subdomains.
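
As an added example, not CF Messenger's own configuration, the four zone-wide rules above written out as Cloudflare custom-rule expressions, followed by a Worker-side policy function that enforces the same three request checks as defence in depth for any request that reaches a Worker. The administrative path prefixes, the hostname `chat.cfdemo.link` used in the test and the function names are assumptions; the rate-limit rule is shown by its parameters only, since it is configured at the zone rather than in code.

```javascript
// Added example (not CF Messenger's configuration or code).
const ZONE = 'cfdemo.link';
const ADMIN_PREFIXES = ['/api/admin/', '/api/system/'];   // assumed paths
const SCANNER_UAS = ['curl', 'python-requests'];           // from the list above

// Expressions in the Cloudflare Rules language, as they would appear in
// custom rules for the zone. "managed_challenge" and "block" are the actions.
const WAF_RULES = [
  { description: 'Zone-Wide Login Protection', action: 'managed_challenge',
    expression: `(http.request.method eq "POST" and http.request.uri.path eq "/api/auth/login" and not http.referer contains "${ZONE}")` },
  { description: 'Universal API Guard', action: 'block',
    expression: '(starts_with(http.request.uri.path, "/api/admin/") or starts_with(http.request.uri.path, "/api/system/"))' },
  { description: 'Global Hygiene', action: 'block',
    expression: '(lower(http.user_agent) contains "curl" or lower(http.user_agent) contains "python-requests")' },
];

// Rate-limiting rule: 5 login attempts per 10 seconds per source IP.
const LOGIN_RATE_LIMIT = {
  expression: '(http.request.uri.path eq "/api/auth/login")',
  characteristics: ['ip.src'],
  period: 10,
  requestsPerPeriod: 5,
  action: 'block',
};

// Worker-side mirror of the same policy. Returns null to let the request
// through, or a Response explaining the refusal.
function policyCheck(request) {
  const url = new URL(request.url);
  const ua = (request.headers.get('user-agent') || '').toLowerCase();
  const referer = request.headers.get('referer') || '';

  // Global Hygiene: known scanner user agents.
  if (SCANNER_UAS.some(s => ua.includes(s))) {
    return new Response('forbidden', { status: 403 });
  }
  // Universal API Guard: administrative or system endpoints are never served.
  if (ADMIN_PREFIXES.some(p => url.pathname.startsWith(p))) {
    return new Response('not found', { status: 404 });
  }
  // Login Protection: a login POST must carry a referer from this zone.
  // The hostname is parsed rather than substring-matched (see note below).
  if (request.method === 'POST' && url.pathname === '/api/auth/login') {
    let refHost = '';
    try { refHost = new URL(referer).hostname; } catch { /* absent or malformed */ }
    if (refHost !== ZONE && !refHost.endsWith('.' + ZONE)) {
      return new Response('challenge required', { status: 403 });
    }
  }
  return null;
}
```

One caveat worth keeping in mind when reading the first rule: `http.referer contains "cfdemo.link"` is a substring test and accepts any Referer value that merely contains that string, so the Worker-side mirror parses the header as a URL and compares the hostname (equal to the zone or a subdomain of it) instead. The WAF rule stays as a first filter; the stricter check in the Worker is what a reviewer would want behind it.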

To demonstrate compliance capability, all Durable Objects and KV namespaces are pinned to the United Kingdom via location_hint.

  "durable_objects": {
    "bindings": [
      { "name": "CHAT_ROOM", "class_name": "ChatRoom", "location_hint": "uk" },
      { "name": "PRESENCE_ROOM", "class_name": "PresenceRoom", "location_hint": "uk" }
    ]
  }

Compliance Caveats: As a Proof-of-Concept, this demo lacks automated GDPR deletion workflows and audit logging (Logpush). It should be treated as a demonstration of technical residency rather than a fully compliant production environment.