Skip to content

Security model

Authentication and session model

Cloudflare Access is the identity gate for protected host/path scopes.
workers/auth-gateway.js extracts token material from:
- cf-access-jwt-assertion
- Access cookies (CF_Authorization, cf_authorization)
- Authorization: Bearer
Gateway verifies tokens via AUTH_WORKER_VERIFY_URL.
GET /api/auth/session returns JSON session state used by layout/header UI.
GET /api/auth/logout redirects to /cdn-cgi/access/logout.

Protected route model

Protected prefixes are configured by PROTECTED_PATH_PREFIXES in wrangler.gateway.toml.
Worker route matching for /portal* and /admin* is required; otherwise edge protection does not run.
Failed verification redirects to /login?redirect=<requested-path>.

Browser security headers

public/_headers defines:

Content-Security-Policy (script/connect/form/frame/etc. controls)
Strict-Transport-Security
X-Frame-Options, X-Content-Type-Options, and related hardening headers
/api/* CORS and no-store cache behavior

CORS and API considerations

/api/* CORS in _headers allows configured methods/headers and origin.
If browser clients call additional worker origins, update CSP connect-src and form-action intentionally.

Common failure handling

Non-JSON /api/auth/session response should be treated as unauthenticated in UI.
Verify endpoint outages return gateway error responses and should trigger incident triage.
Wrong route bindings or env mismatches can silently weaken protection or break auth UX.

Security change checklist

Any change to _headers, worker routes, or auth env vars requires deploy validation.
For new protected areas, confirm both prefix config and Wrangler route coverage.
Rotate sensitive keys/tokens after suspected exposure.