Lorewizard / API documentation

Security

Cloudflare Zero Trust — admin

Protect /admin in production with a Cloudflare Zero Trust Access Self-Hosted Application:

  1. Zero Trust → Access → Applications → Add Self-hosted
  2. Set Application domain to your Worker hostname and Path to /admin
  3. Add an Allow policy scoped to your identity provider and email/group
  4. Do not add an Access policy on /api/v1 — clients use Bearer auth there

Full operator guide: docs/cloudflare-access-and-api-bearer.md in the repository.

Disable the workers.dev subdomain

Cloudflare automatically assigns a *.workers.dev public URL to every Worker. If that subdomain is reachable, requests to /admin bypass Zero Trust Access entirely.

In the Cloudflare dashboard → Workers & Pages → your Worker → Settings, disable the workers.dev route once your custom domain is live.

API Bearer token rotation

To rotate the API_BEARER_TOKEN secret:

  1. Generate a new long random token
  2. Run wrangler secret put API_BEARER_TOKEN and paste the value
  3. Update the token in all CI/CD pipeline secret variables and API clients
  4. Retire the old token — it is immediately invalidated on deployment

Store API_BEARER_TOKEN in secret pipeline variables — never in the repository or environment files that are committed.
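How the two halves of this setup fit together in the Worker, as an added example (not Lorewizard's own code): /api/v1 is gated by a constant-time comparison against env.API_BEARER_TOKEN, read per request so a value rotated with wrangler secret put is live on the next deployment, while /admin gets no token check because Access in front of the custom domain gates it. `handleRequest`, `apiAuthCheck`, the JSON body and the admin placeholder are assumptions.

```javascript
const enc = new TextEncoder();
// Constant-time comparison: always walks the full expected token, so the
// position of the first mismatching byte does not change the timing.
function tokensEqual(presented, expected) {
  const a = enc.encode(presented);
  const b = enc.encode(expected);
  let diff = a.length ^ b.length;
  for (let i = 0; i < b.length; i++) diff |= (a[i] ?? 0) ^ b[i];
  return diff === 0;
}

// <token> from "Authorization: Bearer <token>", or null if absent or malformed.
function bearerToken(request) {
  const header = (request.headers.get("Authorization") || "").trim();
  const m = /^Bearer\s+(\S+)$/i.exec(header);
  return m ? m[1] : null;
}

// Null when the caller is authenticated, otherwise the error Response to send.
// env.API_BEARER_TOKEN is the secret from `wrangler secret put`; reading it per
// request is why a rotated value is live as soon as the deployment is. An unset
// secret fails closed (500) rather than turning into an open API.
function apiAuthCheck(request, env) {
  if (!env.API_BEARER_TOKEN) {
    return new Response("API token not configured", { status: 500 });
  }
  const token = bearerToken(request);
  if (token === null || !tokensEqual(token, env.API_BEARER_TOKEN)) {
    return new Response("Unauthorized", { status: 401, headers: { "WWW-Authenticate": 'Bearer realm="api"' } });
  }
  return null;
}

// Assumed entry point: the Worker's fetch handler calls handleRequest(request, env).
function handleRequest(request, env) {
  const { pathname } = new URL(request.url);
  if (pathname.startsWith("/api/v1")) {
    const denied = apiAuthCheck(request, env);
    if (denied) return denied;
    return new Response(JSON.stringify({ ok: true }), { headers: { "Content-Type": "application/json" } });
  }
  if (pathname.startsWith("/admin")) {
    // No token check here: Cloudflare Access in front of the custom domain gates
    // /admin, which is why the workers.dev route must be disabled.
    return new Response("admin UI placeholder (constructed)", { status: 200 });
  }
  return new Response("Not found", { status: 404 });
}
```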