# cloudflare-worker-abuse-defense-kit

Cloudflare Worker patterns for protecting public forms and lightweight APIs from common abuse: high-volume submissions, replayed forms, bots that fill hidden fields, and missing challenge verification.

## What It Includes

- KV-backed sliding-window rate limiting.
- Honeypot and timestamp validation for public forms.
- Optional Cloudflare Turnstile verification.
- A Worker entrypoint with safe JSON responses and no-store caching.
- Tests using Node's built-in test runner.
- Example Wrangler configuration.
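
The sliding-window limiter listed above, as an added example that is not the kit's own code. It assumes a KV-style binding exposing `get(key, { type: "json" })` and `put(key, value, { expirationTtl })`, which is the shape of a Workers KV namespace; `MemoryKV`, `rateLimitKey`, the route and IP strings, and the `limit`/`windowMs` policy values are constructed for this example.

```javascript
// Added example, not the kit's own code: a KV-backed sliding-window rate limiter.
// Assumes a KV-style binding exposing get(key, { type: "json" }) and
// put(key, value, { expirationTtl }), the shape of a Workers KV namespace.

// Pure decision: given the timestamps (ms) of earlier accepted requests, decide
// whether one more request at `now` fits inside the window. Kept free of I/O so
// the policy can be unit-tested without a KV binding.
function slidingWindowDecision(timestamps, now, limit, windowMs) {
  const cutoff = now - windowMs;
  // Drop entries that have aged out; entries are stored in arrival order.
  const recent = timestamps.filter((t) => t > cutoff);
  if (recent.length >= limit) {
    // The oldest in-window entry determines when a slot frees up.
    return { allowed: false, remaining: 0, retryAfterMs: recent[0] + windowMs - now, next: recent };
  }
  const next = recent.concat(now);
  return { allowed: true, remaining: limit - next.length, retryAfterMs: 0, next };
}

// Narrow key: per route and per client, so one busy client on a shared network
// does not exhaust that network's budget for every endpoint at once.
function rateLimitKey(route, clientIp) {
  return `rl:${route}:${clientIp}`;
}

// Read, decide, write. Workers KV is eventually consistent and has no atomic
// compare-and-swap, so two edge locations can each admit a request at the same
// instant; that is acceptable for abuse throttling, not for strict quotas.
async function checkRateLimit(kv, key, { limit, windowMs, now = Date.now() }) {
  const stored = (await kv.get(key, { type: "json" })) || [];
  const decision = slidingWindowDecision(stored, now, limit, windowMs);
  if (decision.allowed) {
    // KV rejects expirationTtl values below 60 seconds.
    const ttl = Math.max(60, Math.ceil(windowMs / 1000));
    await kv.put(key, JSON.stringify(decision.next), { expirationTtl: ttl });
  }
  return decision;
}

// Constructed in-memory stand-in for a KV namespace so the example runs offline.
class MemoryKV {
  constructor() { this.store = new Map(); }
  async get(key, opts = {}) {
    const raw = this.store.get(key);
    if (raw === undefined) return null;
    return opts.type === "json" ? JSON.parse(raw) : raw;
  }
  async put(key, value) { this.store.set(key, value); }
}

// Constructed walk-through: three requests inside one minute are admitted, the fourth is not.
async function demo() {
  const kv = new MemoryKV();
  const key = rateLimitKey("/contact", "203.0.113.7");
  const policy = { limit: 3, windowMs: 60_000 };
  for (const now of [0, 1_000, 2_000, 3_000]) {
    const d = await checkRateLimit(kv, key, { ...policy, now });
    console.log(now, d.allowed ? `allowed (${d.remaining} left)` : `denied, retry in ${d.retryAfterMs} ms`);
  }
}
demo();
```

When a request is denied, `retryAfterMs` is the value to surface as a `Retry-After` header; the stored array never grows past `limit` entries because the write only happens on admission, so a flood costs one KV read per request rather than unbounded storage.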

## Quick Start

```bash
npm install
npm test
```

Copy `examples/wrangler.example.toml` to `wrangler.toml`, create the KV namespaces, then set your Turnstile secret with Wrangler:

```bash
wrangler secret put TURNSTILE_SECRET
```

## Expected Payload

```json
{
  "name": "Mazen",
  "email": "mazen@example.com",
  "message": "Please review this secure form workflow.",
  "submittedAt": "2026-06-04T08:00:00.000Z",
  "website": "",
  "turnstileToken": "optional-client-token"
}
```

`website` is a honeypot field and should stay empty for real users.
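
How the payload above is screened, as an added example rather than the kit's own handler. The field names match the payload; the thresholds (`MIN_FILL_MS`, `MAX_AGE_MS`, `CLOCK_SKEW_MS`), the `/contact` route, the log sink and the stubbed `fetch` are assumptions made for this example. The Turnstile call targets Cloudflare's real `siteverify` endpoint but takes an injectable `fetchImpl` so it runs offline.

```javascript
// Added example, not the kit's own code: honeypot, timestamp and Turnstile checks
// for the documented payload, a generic client response with no-store caching,
// and a detailed reason that goes only to a private log. Thresholds are assumptions.

const MIN_FILL_MS = 2_000;            // a person needs at least a couple of seconds
const MAX_AGE_MS = 24 * 60 * 60_000;  // a form rendered more than a day ago is stale
const CLOCK_SKEW_MS = 60_000;         // tolerate a slightly fast client clock

// Returns { ok: true } or { ok: false, reason }; `reason` is for private logs only.
function validateSubmission(payload, now = Date.now()) {
  if (!payload || typeof payload !== "object") return { ok: false, reason: "not_an_object" };
  for (const field of ["name", "email", "message"]) {
    if (typeof payload[field] !== "string" || payload[field].trim() === "") {
      return { ok: false, reason: `missing_${field}` };
    }
  }
  // Honeypot: `website` is hidden from people, so any value means an automated filler.
  if (payload.website !== undefined && payload.website !== "") {
    return { ok: false, reason: "honeypot_filled" };
  }
  // submittedAt is the client's render time. It is client-controlled, so this is
  // friction against naive bots, not proof of anything; rate limiting and Turnstile still apply.
  const submittedAt = Date.parse(payload.submittedAt);
  if (Number.isNaN(submittedAt)) return { ok: false, reason: "bad_timestamp" };
  const age = now - submittedAt;
  if (age < -CLOCK_SKEW_MS) return { ok: false, reason: "timestamp_in_future" };
  if (age < MIN_FILL_MS) return { ok: false, reason: "submitted_too_fast" };
  if (age > MAX_AGE_MS) return { ok: false, reason: "stale_form" };
  return { ok: true };
}

// Server-side Turnstile verification. `secret` is the value stored with
// `wrangler secret put TURNSTILE_SECRET`; `fetchImpl` is injectable for offline runs.
async function verifyTurnstile(token, secret, remoteIp, fetchImpl = fetch) {
  if (typeof token !== "string" || token === "") return false;
  const body = new URLSearchParams({ secret, response: token });
  if (remoteIp) body.set("remoteip", remoteIp);
  const res = await fetchImpl("https://challenges.cloudflare.com/turnstile/v0/siteverify", {
    method: "POST",
    body,
  });
  const data = await res.json();
  return data.success === true;
}

// What the client sees: one generic message for every denial, no reason leaked,
// and Cache-Control: no-store so no intermediary caches either outcome.
function clientView(result) {
  const body = result.ok ? { ok: true } : { ok: false, error: "Submission rejected." };
  return {
    status: result.ok ? 200 : 400,
    headers: { "Content-Type": "application/json", "Cache-Control": "no-store" },
    body,
  };
}

// Full screening for one request; `log` receives only the minimal detail worth keeping.
async function screenSubmission(payload, { now, secret, remoteIp, fetchImpl, log = console.log } = {}) {
  let result = validateSubmission(payload, now);
  if (result.ok && secret) {
    const passed = await verifyTurnstile(payload.turnstileToken, secret, remoteIp, fetchImpl);
    if (!passed) result = { ok: false, reason: "turnstile_failed" };
  }
  if (!result.ok) log({ event: "form_rejected", reason: result.reason, route: "/contact" });
  return clientView(result);
}

// Constructed walk-through: an honest submission ten seconds after render, and a
// bot that filled the honeypot. The Turnstile call is stubbed to succeed.
async function demo() {
  const renderedAt = "2026-06-04T08:00:00.000Z";
  const now = Date.parse(renderedAt) + 10_000;
  const honest = { name: "Mazen", email: "mazen@example.com", message: "Hello", submittedAt: renderedAt, website: "", turnstileToken: "tok" };
  const bot = { ...honest, website: "http://spam.example" };
  const stubFetch = async () => ({ json: async () => ({ success: true }) });
  for (const p of [honest, bot]) {
    const view = await screenSubmission(p, { now, secret: "TURNSTILE_SECRET_PLACEHOLDER", fetchImpl: stubFetch });
    console.log(view.status, JSON.stringify(view.body));
  }
}
demo();
```

The split between `validateSubmission` (returns the specific reason) and `clientView` (returns the generic one) is what keeps detailed reasons out of responses by construction rather than by discipline: the handler can only send what `clientView` produces. To wire this into a Worker, parse the request body, pass `env.TURNSTILE_SECRET` as `secret` and the `CF-Connecting-IP` header as `remoteIp`, then build the `Response` from the returned `status`, `headers` and `body`.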

## Production Notes

- Use Cloudflare Turnstile on public forms.
- Keep rate-limit keys narrow enough to avoid blocking shared networks too aggressively.
- Log only the minimum event detail needed for review and abuse tuning.
- Return generic errors to clients and keep detailed reasons in private logs.

## Security

Please report security issues to `security@mirogate.com`. See `SECURITY.md`.
