Skip to content
Cloudflare Docs
Workers
Cloudflare Docs
Workers
Search icon (depiction of a magnifying glass)
GitHub icon
Visit Workers on GitHub
Set theme to dark (⇧+D)

Examples

Return HTML

Deliver an HTML page from an HTML string directly inside the Worker script.

const html = `<!DOCTYPE html><body>  <h1>Hello World</h1>  <p>This markup was generated by a Cloudflare Worker.</p></body>`
async function handleRequest(request) {  return new Response(html, {    headers: {      "content-type": "text/html;charset=UTF-8",    },  })}
addEventListener("fetch", event => {  return event.respondWith(handleRequest(event.request))})
Return JSON

Return JSON directly from a Worker script, useful for building APIs and middleware.

addEventListener("fetch", event => {  const data = {    hello: "world"  }
  const json = JSON.stringify(data, null, 2)
  return event.respondWith(    new Response(json, {      headers: {        "content-type": "application/json;charset=UTF-8"      }    })  )})
Fetch HTML

Send a request to a remote server, read HTML from the response, and serve that HTML.

/** * Example someHost at url is set up to respond with HTML * Replace url with the host you wish to send requests to */const someHost = "https://examples.cloudflareworkers.com/demos"const url = someHost + "/static/html"/** * gatherResponse awaits and returns a response body as a string. * Use await gatherResponse(..) in an async function to get the response body * @param {Response} response */async function gatherResponse(response) {  const { headers } = response  const contentType = headers.get("content-type") || ""  if (contentType.includes("application/json")) {    return JSON.stringify(await response.json())  }  else if (contentType.includes("application/text")) {    return await response.text()  }  else if (contentType.includes("text/html")) {    return await response.text()  }  else {    return await response.text()  }}
async function handleRequest() {  const init = {    headers: {      "content-type": "text/html;charset=UTF-8",    },  }  const response = await fetch(url, init)  const results = await gatherResponse(response)  return new Response(results, init)}
addEventListener("fetch", event => {  return event.respondWith(handleRequest())})
Fetch JSON

Send a GET request and read in JSON from the response. Use to fetch external data.

/** * Example someHost is set up to take in a JSON request * Replace url with the host you wish to send requests to * @param {string} someHost the host to send the request to * @param {string} url the URL to send the request to */const someHost = "https://examples.cloudflareworkers.com/demos"const url = someHost + "/static/json"/** * gatherResponse awaits and returns a response body as a string. * Use await gatherResponse(..) in an async function to get the response body * @param {Response} response */async function gatherResponse(response) {  const { headers } = response  const contentType = headers.get("content-type") || ""  if (contentType.includes("application/json")) {    return JSON.stringify(await response.json())  }  else if (contentType.includes("application/text")) {    return await response.text()  }  else if (contentType.includes("text/html")) {    return await response.text()  }  else {    return await response.text()  }}
async function handleRequest() {  const init = {    headers: {      "content-type": "application/json;charset=UTF-8",    },  }  const response = await fetch(url, init)  const results = await gatherResponse(response)  return new Response(results, init)}
addEventListener("fetch", event => {  return event.respondWith(handleRequest())})
Redirect

Redirect requests from one URL to another, or from one set of URLs to another set.

const destinationURL = "https://example.com"const statusCode = 301
async function handleRequest(request) {  return Response.redirect(destinationURL, statusCode)}
addEventListener("fetch", async event => {  event.respondWith(handleRequest(event.request))})
Accessing the Cloudflare object

Access custom Cloudflare properties and control how Cloudflare features are applied to every request.

addEventListener("fetch", event => {  const data =    event.request.cf !== undefined ?      event.request.cf :      { error: "The `cf` object is not available inside the preview." }
  return event.respondWith(    new Response(JSON.stringify(data, null, 2), {      headers: {        "content-type": "application/json;charset=UTF-8"      }    })  )})
Respond with another site

Respond to the Worker request with the response from another website (example.com in this example).

addEventListener("fetch", event => {  return event.respondWith(    fetch("https://example.com")  )})
A/B testing

Set up an A/B test by controlling what response is served based on cookies.

function handleRequest(request) {  const NAME = "experiment-0"
  // The Responses below are placeholders. You can set up a custom path for each test (e.g. /control/somepath ).  const TEST_RESPONSE = new Response("Test group") // e.g. await fetch("/test/sompath", request)  const CONTROL_RESPONSE = new Response("Control group") // e.g. await fetch("/control/sompath", request)
  // Determine which group this requester is in.  const cookie = request.headers.get("cookie")  if (cookie && cookie.includes(`${NAME}=control`)) {    return CONTROL_RESPONSE  }  else if (cookie && cookie.includes(`${NAME}=test`)) {    return TEST_RESPONSE  }  else {    // If there is no cookie, this is a new client. Choose a group and set the cookie.    const group = Math.random() < 0.5 ? "test" : "control" // 50/50 split    const response = group === "control" ? CONTROL_RESPONSE : TEST_RESPONSE    response.headers.append("Set-Cookie", `${NAME}=${group}; path=/`)
    return response  }}
addEventListener("fetch", event => {  event.respondWith(handleRequest(event.request))})
Aggregate requests

Send two GET request to two urls and aggregates the responses into one response.

/** * someHost is set up to return JSON responses * Replace url1 and url2 with the hosts you wish to send requests to * @param {string} url the URL to send the request to */const someHost = "https://examples.cloudflareworkers.com/demos"const url1 = someHost + "/requests/json"const url2 = someHost + "/requests/json"const type = "application/json;charset=UTF-8"/** * gatherResponse awaits and returns a response body as a string. * Use await gatherResponse(..) in an async function to get the response body * @param {Response} response */async function gatherResponse(response) {  const { headers } = response  const contentType = headers.get("content-type") || ""  if (contentType.includes("application/json")) {    return JSON.stringify(await response.json())  }  else if (contentType.includes("application/text")) {    return await response.text()  }  else if (contentType.includes("text/html")) {    return await response.text()  }  else {    return await response.text()  }}
async function handleRequest() {  const init = {    headers: {      "content-type": type,    },  }  const responses = await Promise.all([fetch(url1, init), fetch(url2, init)])  const results = await Promise.all([    gatherResponse(responses[0]),    gatherResponse(responses[1]),  ])  return new Response(results.join(), init)}
addEventListener("fetch", event => {  return event.respondWith(handleRequest())})
Alter headers

Change the headers sent in a request or returned in a response.

async function handleRequest(request) {  // Make the headers mutable by re-constructing the Request.  request = new Request(request)  request.headers.set("x-my-header", "custom value")  const URL = "https://examples.cloudflareworkers.com/demos/static/html"
  // URL is set up to respond with dummy HTML  let response = await fetch(URL, request)
  // Make the headers mutable by re-constructing the Response.  response = new Response(response.body, response)  response.headers.set("x-my-header", "custom value")  return response}
addEventListener("fetch", event => {  event.respondWith(handleRequest(event.request))})
Auth with headers

Allow or deny a request based on a known pre-shared key in a header. This is not meant to replace the WebCrypto API.

/** * @param {string} PRESHARED_AUTH_HEADER_KEY Custom header to check for key * @param {string} PRESHARED_AUTH_HEADER_VALUE Hard coded key value */const PRESHARED_AUTH_HEADER_KEY = "X-Custom-PSK"const PRESHARED_AUTH_HEADER_VALUE = "mypresharedkey"
async function handleRequest(request) {  const psk = request.headers.get(PRESHARED_AUTH_HEADER_KEY)
  if (psk === PRESHARED_AUTH_HEADER_VALUE) {    // Correct preshared header key supplied. Fetch request from origin.    return fetch(request)  }
  // Incorrect key supplied. Reject the request.  return new Response("Sorry, you have supplied an invalid key.", {    status: 403,  })}
addEventListener("fetch", event => {  event.respondWith(handleRequest(event.request))})
Block on TLS

Inspects the incoming request's TLS version and blocks if under TLSv1.2.

async function handleRequest(request) {  try {    const tlsVersion = request.cf.tlsVersion
    // Allow only TLS versions 1.2 and 1.3    if (tlsVersion != "TLSv1.2" && tlsVersion != "TLSv1.3") {      return new Response("Please use TLS version 1.2 or higher.", {        status: 403,      })    }
    return fetch(request)  }  catch (err) {    console.error(      "request.cf does not exist in the previewer, only in production",    )    return new Response("Error in workers script" + err.message, {      status: 500,    })  }}
addEventListener("fetch", event => {  event.respondWith(handleRequest(event.request))})
Bulk origin proxy

Resolve requests to your domain to a set of proxy third-party origin URLs.

/** * An object with different URLs to fetch * @param {Object} ORIGINS */const ORIGINS = {  "starwarsapi.yourdomain.com": "swapi.dev",  "google.yourdomain.com": "www.google.com",}
async function handleRequest(request) {  const url = new URL(request.url)  // Check if incoming hostname is a key in the ORIGINS object  if (url.hostname in ORIGINS) {    const target = ORIGINS[url.hostname]    url.hostname = target    // If it is, proxy request to that third party origin    return await fetch(url.toString(), request)  }
  // Otherwise, process request as normal  return await fetch(request)}
addEventListener("fetch", event => {  event.respondWith(handleRequest(event.request))})
Bulk redirects

Redirect requests to certain URLs based on a mapped object to the request's URL.

const externalHostname = "examples.cloudflareworkers.com"
const redirectMap = new Map([  ["/bulk1", "https://" + externalHostname + "/redirect2"],  ["/bulk2", "https://" + externalHostname + "/redirect3"],  ["/bulk3", "https://" + externalHostname + "/redirect4"],  ["/bulk4", "https://google.com"],])
async function handleRequest(request) {  const requestURL = new URL(request.url)  const path = requestURL.pathname.split("/redirect")[1]  const location = redirectMap.get(path)  if (location) {    return Response.redirect(location, 301)  }  // If request not in map, return the original request  return fetch(request)}
addEventListener("fetch", async event => {  event.respondWith(handleRequest(event.request))})
Cache API

Cache using Cloudflare's Cache API. This example can cache POST requests as well.

const someOtherHostname = "my.herokuapp.com"
async function handleRequest(event) {  const request = event.request  const cacheUrl = new URL(request.url)
  // Hostname for a different zone  cacheUrl.hostname = someOtherHostname
  const cacheKey = new Request(cacheUrl.toString(), request)  const cache = caches.default
  // Get this request from this zone's cache  let response = await cache.match(cacheKey)
  if (!response) {    //If not in cache, get it from origin    response = await fetch(request)
    // Must use Response constructor to inherit all of response's fields    response = new Response(response.body, response)
    // Cache API respects Cache-Control headers. Setting max-age to 10    // will limit the response to be in cache for 10 seconds max    response.headers.append("Cache-Control", "max-age=10")
    // Store the fetched response as cacheKey    // Use waitUntil so computational expensive tasks don"t delay the response    event.waitUntil(cache.put(cacheKey, response.clone()))  }  return response}
async function sha256(message) {  // encode as UTF-8  const msgBuffer = new TextEncoder().encode(message)
  // hash the message  const hashBuffer = await crypto.subtle.digest("SHA-256", msgBuffer)
  // convert ArrayBuffer to Array  const hashArray = Array.from(new Uint8Array(hashBuffer))
  // convert bytes to hex string  const hashHex = hashArray.map(b => ("00" + b.toString(16)).slice(-2)).join("")  return hashHex}
async function handlePostRequest(event) {  const request = event.request  const body = await request.clone().text()  const hash = await sha256(body)  const cacheUrl = new URL(request.url)
  // Store the URL in cache by prepending the body's hash  cacheUrl.pathname = "/posts" + cacheUrl.pathname + hash
  // Convert to a GET to be able to cache  const cacheKey = new Request(cacheUrl.toString(), {    headers: request.headers,    method: "GET",  })
  const cache = caches.default
  //Find the cache key in the cache  let response = await cache.match(cacheKey)
  // Otherwise, fetch response to POST request from origin  if (!response) {    response = await fetch(request)    event.waitUntil(cache.put(cacheKey, response.clone()))  }  return response}
addEventListener("fetch", event => {  try {    const request = event.request    if (request.method.toUpperCase() === "POST")      return event.respondWith(handlePostRequest(event))    return event.respondWith(handleRequest(event))  } catch (e) {    return event.respondWith(new Response("Error thrown " + e.message))  }})
Conditional response

Return a response based on the incoming request's URL, HTTP method, User Agent, IP address, ASN or device type.

const BLOCKED_HOSTNAMES = ["nope.mywebsite.com", "bye.website.com"]
async function handleRequest(request) {  // Return a new Response based on a URL's hostname  const url = new URL(request.url)
  if (BLOCKED_HOSTNAMES.includes(url.hostname)) {    return new Response("Blocked Host", { status: 403 })  }
  // Block paths ending in .doc or .xml based on the URL's file extension  const forbiddenExtRegExp = new RegExp(/\.(doc|xml)$/)
  if (forbiddenExtRegExp.test(url.pathname)) {    return new Response("Blocked Extension", { status: 403 })  }
  // On HTTP method  if (request.method === "POST") {    return new Response("Response for POST")  }
  // On User Agent  const userAgent = request.headers.get("User-Agent") || ""  if (userAgent.includes("bot")) {    return new Response("Block User Agent containing bot", { status: 403 })  }
  // On Client's IP address  const clientIP = request.headers.get("CF-Connecting-IP")  if (clientIP === "1.2.3.4") {    return new Response("Block the IP 1.2.3.4", { status: 403 })  }
  // On ASN  if (request.cf && request.cf.asn == 64512) {    return new Response("Block the ASN 64512 response")  }
  // On Device Type  // Requires Enterprise "CF-Device-Type Header" zone setting or  // Page Rule with "Cache By Device Type" setting applied.  const device = request.headers.get("CF-Device-Type")  if (device === "mobile") {    return Response.redirect("https://mobile.example.com")  }
  console.error(    "Getting Client's IP address, device type, and ASN are not supported in playground. Must test on a live worker",  )  return fetch(request)}
addEventListener("fetch", event => {  event.respondWith(handleRequest(event.request))})
Cache using fetch

Determine how to cache a resource by setting TTLs, custom cache keys, and cache headers in a fetch request.

async function handleRequest(request) {  const url = new URL(request.url)
  // Only use the path for the cache key, removing query strings  // and always store using HTTPS e.g. https://www.example.com/file-uri-here  const someCustomKey = `https://${url.hostname}${url.pathname}`
  let response = await fetch(request, {    cf: {      // Always cache this fetch regardless of content type      // for a max of 5 seconds before revalidating the resource      cacheTtl: 5,      cacheEverything: true,      //Enterprise only feature, see Cache API for other plans      cacheKey: someCustomKey,    },  })  // Reconstruct the Response object to make its headers mutable.  response = new Response(response.body, response)
  //Set cache control headers to cache on browser for 25 minutes  response.headers.set("Cache-Control", "max-age=1500")  return response}
addEventListener("fetch", event => {  return event.respondWith(handleRequest(event.request))})
CORS header proxy

Add the necessary CORS headers to a third party API response.

// We support the GET, POST, HEAD, and OPTIONS methods from any origin,// and allow any header on requests. These headers must be present// on all responses to all CORS preflight requests. In practice, this means// all responses to OPTIONS requests.const corsHeaders = {  "Access-Control-Allow-Origin": "*",  "Access-Control-Allow-Methods": "GET,HEAD,POST,OPTIONS",  "Access-Control-Max-Age": "86400",}
// The URL for the remote third party API you want to fetch from// but does not implement CORSconst API_URL = "https://examples.cloudflareworkers.com/demos/demoapi"
// The endpoint you want the CORS reverse proxy to be onconst PROXY_ENDPOINT = "/corsproxy/"
// The rest of this snippet for the demo pageasync function rawHtmlResponse(html) {  return new Response(html, {    headers: {      "content-type": "text/html;charset=UTF-8",    },  })}
const DEMO_PAGE = `  <!DOCTYPE html>  <html>  <body>    <h1>API GET without CORS Proxy</h1>    <a target="_blank" href="https://developer.mozilla.org/en-US/docs/Web/API/Fetch_API/Using_Fetch#Checking_that_the_fetch_was_successful">Shows TypeError: Failed to fetch since CORS is misconfigured</a>    <p id="noproxy-status"/>    <code id="noproxy">Waiting</code>    <h1>API GET with CORS Proxy</h1>    <p id="proxy-status"/>    <code id="proxy">Waiting</code>    <h1>API POST with CORS Proxy + Preflight</h1>    <p id="proxypreflight-status"/>    <code id="proxypreflight">Waiting</code>    <script>    let reqs = {};    reqs.noproxy = async () => {      let response = await fetch("${API_URL}")      return await response.json()    }    reqs.proxy = async () => {      let response = await fetch(window.location.origin + "${PROXY_ENDPOINT}?apiurl=${API_URL}")      return await response.json()    }    reqs.proxypreflight = async () => {      const reqBody = {        msg: "Hello world!"      }      let response = await fetch(window.location.origin + "${PROXY_ENDPOINT}?apiurl=${API_URL}", {        method: "POST",        headers: {          "Content-Type": "application/json"        },        body: JSON.stringify(reqBody),      })      return await response.json()    }    (async () => {      for (const [reqName, req] of Object.entries(reqs)) {        try {          let data = await req()          document.getElementById(reqName).innerHTML = JSON.stringify(data)        } catch (e) {          document.getElementById(reqName).innerHTML = e        }      }    })()    </script>  </body>  </html>`
async function handleRequest(request) {  const url = new URL(request.url)  let apiUrl = url.searchParams.get("apiurl")
  if (apiUrl == null) {    apiUrl = API_URL  }
  // Rewrite request to point to API url. This also makes the request mutable  // so we can add the correct Origin header to make the API server think  // that this request isn't cross-site.  request = new Request(apiUrl, request)  request.headers.set("Origin", new URL(apiUrl).origin)  let response = await fetch(request)
  // Recreate the response so we can modify the headers  response = new Response(response.body, response)
  // Set CORS headers  response.headers.set("Access-Control-Allow-Origin", url.origin)
  // Append to/Add Vary header so browser will cache response correctly  response.headers.append("Vary", "Origin")
  return response}
function handleOptions(request) {  // Make sure the necessary headers are present  // for this to be a valid pre-flight request  let headers = request.headers;  if (    headers.get("Origin") !== null &&    headers.get("Access-Control-Request-Method") !== null &&    headers.get("Access-Control-Request-Headers") !== null  ){    // Handle CORS pre-flight request.    // If you want to check or reject the requested method + headers    // you can do that here.    let respHeaders = {      ...corsHeaders,    // Allow all future content Request headers to go back to browser    // such as Authorization (Bearer) or X-Client-Name-Version      "Access-Control-Allow-Headers": request.headers.get("Access-Control-Request-Headers"),    }
    return new Response(null, {      headers: respHeaders,    })  }  else {    // Handle standard OPTIONS request.    // If you want to allow other HTTP Methods, you can do that here.    return new Response(null, {      headers: {        Allow: "GET, HEAD, POST, OPTIONS",      },    })  }}
addEventListener("fetch", event => {  const request = event.request  const url = new URL(request.url)  if(url.pathname.startsWith(PROXY_ENDPOINT)){    if (request.method === "OPTIONS") {      // Handle CORS preflight requests      event.respondWith(handleOptions(request))    }    else if(      request.method === "GET" ||      request.method === "HEAD" ||      request.method === "POST"    ){      // Handle requests to the API server      event.respondWith(handleRequest(request))    }    else {      event.respondWith(        new Response(null, {          status: 405,          statusText: "Method Not Allowed",        }),      )    }  }  else {    // Serve demo page    event.respondWith(rawHtmlResponse(DEMO_PAGE))  }})
Country code redirect

Redirect a response based on the country code in the header of a visitor.

/** * Returns a redirect determined by the country code * @param {Request} request */async function redirect(request) {  // The `cf-ipcountry` header is not supported in the preview  const country = request.headers.get("cf-ipcountry")
  if (country != null && country in countryMap) {    const url = countryMap[country]    return Response.redirect(url)  }  else {    return await fetch(request)  }}/** * A map of the URLs to redirect to * @param {Object} countryMap */const countryMap = {  US: "https://example.com/us",  EU: "https://eu.example.com/",}
async function handleRequest(request) {  return redirect(request)}
addEventListener("fetch", event => {  event.respondWith(handleRequest(event.request))})
Data loss prevention

Protect sensitive data to prevent data loss, and send alerts to a webhooks server in the event of a data breach.

const DEBUG = trueconst SOME_HOOK_SERVER = "https://webhook.flow-wolf.io/hook"/** * Alert a data breach by posting to a webhook server */async function postDataBreach(request) {  const trueClientIp = request.headers.get("cf-connecting-ip")  const epoch = new Date().getTime()  const body = {    ip: trueClientIp,    time: epoch,    request: request  }  const init = {    body: JSON.stringify(body),    method: "POST",    headers: {      "content-type": "application/json;charset=UTF-8"    },  }  return await fetch(SOME_HOOK_SERVER, init)}/** * Define personal data with regular expressions. * Respond with block if credit card data, and strip * emails and phone numbers from the response. * Execution will be limited to MIME type "text/*". */async function handleRequest(request) {  const response = await fetch(request)
  // Return origin response, if response wasn’t text  const contentType = response.headers.get("content-type") || ""  if (!contentType.toLowerCase().includes("text/")) {    return response  }
  let text = await response.text()
  // When debugging replace the response  // from the origin with an email  text = DEBUG    ? text.replace("You may use this", "me@example.com may use this")    : text
  const sensitiveRegexsMap = {    creditCard: String.raw`\b(?:4[0-9]{12}(?:[0-9]{3})?|(?:5[1-5][0-9]{2}|222[1-9]|22[3-9][0-9]|2[3-6][0-9]{2}|27[01][0-9]|2720)[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|6(?:011|5[0-9]{2})[0-9]{12}|(?:2131|1800|35\d{3})\d{11})\b`,    email: String.raw`\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b`,    phone: String.raw`\b07\d{9}\b`  }
  for (const kind in sensitiveRegexsMap) {    const sensitiveRegex = new RegExp(sensitiveRegexsMap[kind], "ig")    const match = await sensitiveRegex.test(text)    if (match) {      // Alert a data breach      await postDataBreach(request)
      // Respond with a block if credit card,      // otherwise replace sensitive text with `*`s      return kind === "creditCard"        ? new Response(kind + " found\nForbidden\n", {            status: 403,            statusText: "Forbidden"          })        : new Response(text.replace(sensitiveRegex, "**********"), response)    }  }  return new Response(text, response)}
addEventListener("fetch", event => {  event.respondWith(handleRequest(event.request))})
Debugging logs

Send debugging information in an errored response to a logging service.

// Service configured to receive logsconst LOG_URL = "https://log-service.example.com/"
function postLog(data) {  return fetch(LOG_URL, {    method: "POST",    body: data,  })}
async function handleRequest(event) {  let response
  try {    response = await fetch(event.request)    if (!response.ok) {      const body = await response.text()      throw new Error(        "Bad response at origin. Status: " +          response.status +          " Body: " +          //Ensure the string is small enough to be a header          body.trim().substring(0, 10),      )    }  } catch (err) {    // Without event.waitUntil(), our fetch() to our logging service may    // or may not complete.    event.waitUntil(postLog(err.toString()))    const stack = JSON.stringify(err.stack) || err
    // Copy the response and initialize body to the stack trace    response = new Response(stack, response)
    // Shove our rewritten URL into a header to find out what it was.    response.headers.set("X-Debug-stack", stack)    response.headers.set("X-Debug-err", err)  }  return response}
addEventListener("fetch", event => {  //Have any uncaught errors thrown go directly to origin  event.passThroughOnException()  event.respondWith(handleRequest(event))})
Extract cookie value

Given the cookie name, get the value of a cookie. You can also use cookies for A/B testing.

const COOKIE_NAME = "__uid"/** * Gets the cookie with the name from the request headers * @param {Request} request incoming Request * @param {string} name of the cookie to get */function getCookie(request, name) {  let result = ""  const cookieString = request.headers.get("Cookie")  if (cookieString) {    const cookies = cookieString.split(";")    cookies.forEach(cookie => {      const cookiePair = cookie.split("=", 2)      const cookieName = cookiePair[0].trim()      if (cookieName === name) {        const cookieVal = cookiePair[1]        result = cookieVal      }    })  }  return result}
function handleRequest(request) {  const cookie = getCookie(request, COOKIE_NAME)  if (cookie) {    // Respond with the cookie value    return new Response(cookie)  }  return new Response("No cookie with name: " + COOKIE_NAME)}
addEventListener("fetch", event => {  event.respondWith(handleRequest(event.request))})
Hot-link protection

Block other websites from linking to your content. This is useful for protecting images.

const HOMEPAGE_URL = "https://tutorial.cloudflareworkers.com/"const PROTECTED_TYPE = "images/"
async function handleRequest(request) {  // Fetch the original request  const response = await fetch(request)
  // If it's an image, engage hotlink protection based on the  // Referer header.  const referer = request.headers.get("Referer")  const contentType = response.headers.get("Content-Type") || ""
  if (referer && contentType.startsWith(PROTECTED_TYPE)) {    // If the hostnames don't match, it's a hotlink    if (new URL(referer).hostname !== new URL(request.url).hostname) {      // Redirect the user to your website      return Response.redirect(HOMEPAGE_URL, 302)    }  }
  // Everything is fine, return the response normally.  return response}
addEventListener("fetch", event => {  event.respondWith(handleRequest(event.request))})
HTTP2 server push

Push static assets to a client's browser without waiting for HTML to render.

const CSS = `body { color: red; }`const HTML = `<!doctype html><html lang="en"><head>    <meta charset="utf-8">    <title>Server push test</title>    <link rel="stylesheet" href="http2_push/h2p/test.css"></head><body>    <h1>Server push test page</h1></body></html>`
async function handleRequest(request) {  // If request is for test.css, serve the raw CSS  if (/test\.css$/.test(request.url)) {    return new Response(CSS, {      headers: {        "content-type": "text/css",      },    })  }  else {    // Serve raw HTML using HTTP/2 for the CSS file    return new Response(HTML, {      headers: {        "content-type": "text/html",        Link: "</http2_push/h2p/test.css>; rel=preload; as=style",      },    })  }}
addEventListener("fetch", event => {  event.respondWith(handleRequest(event.request))})
Logging headers

Examine the contents of a Headers object by logging to console with a Map.

async function handleRequest(request) {  let requestHeaders = JSON.stringify([...request.headers])  console.log(new Map(request.headers))
  return new Response("Hello world")}
addEventListener("fetch", event => {  return event.respondWith(handleRequest(event.request))})
Modify request property

Create a modified request with edited properties based off of an incoming request.

/** * Example someHost is set up to return raw JSON * @param {string} someUrl the URL to send the request to, since we are setting hostname too only path is applied * @param {string} someHost the host the request will resolve too */const someHost = "example.com"const someUrl = "https://foo.example.com/api.js"
async function handleRequest(request) {  /**   * The best practice is to only assign new properties on the request   * object (i.e. RequestInit props) using either a method or the constructor   */  const newRequestInit = {    // Change method    method: "POST",    // Change body    body: JSON.stringify({ bar: "foo" }),    // Change the redirect mode.    redirect: "follow",    //Change headers, note this method will erase existing headers    headers: {      "Content-Type": "application/json",    },    // Change a Cloudflare feature on the outbound response    cf: { apps: false },  }
  // Change just the host  const url = new URL(someUrl)
  url.hostname = someHost
  // Best practice is to always use the original request to construct the new request  // to clone all the attributes. Applying the URL also requires a constructor  // since once a Request has been constructed, its URL is immutable.  const newRequest = new Request(    url.toString(),    new Request(request, newRequestInit),  )
  // Set headers using method  newRequest.headers.set("X-Example", "bar")  newRequest.headers.set("Content-Type", "application/json")  try {    return await fetch(newRequest)  } catch (e) {    return new Response(JSON.stringify({ error: e.message }), { status: 500 })  }}
addEventListener("fetch", event => {  event.respondWith(handleRequest(event.request))})
Modify response

Fetch and modify response properties which are immutable by creating a copy first.

/** * @param {string} headerNameSrc Header to get the new value from * @param {string} headerNameDst Header to set based off of value in src */const headerNameSrc = "foo" //"Orig-Header"const headerNameDst = "Last-Modified"
async function handleRequest(request) {  /**   * Response properties are immutable. To change them, construct a new   * Response and pass modified status or statusText in the ResponseInit   * object. Response headers can be modified through the headers `set` method.   */  const originalResponse = await fetch(request)
  // Change status and statusText, but preserve body and headers  let response = new Response(originalResponse.body, {    status: 500,    statusText: "some message",    headers: originalResponse.headers,  })
  // Change response body by adding the foo prop  const originalBody = await originalResponse.json()  const body = JSON.stringify({ foo: "bar", ...originalBody })  response = new Response(body, response)
  // Add a header using set method  response.headers.set("foo", "bar")
  // Set destination header to the value of the source header  const src = response.headers.get(headerNameSrc)
  if (src != null) {    response.headers.set(headerNameDst, src)    console.log(      `Response header "${headerNameDst}" was set to "${response.headers.get(        headerNameDst,      )}"`,    )  }  return response}
addEventListener("fetch", event => {  event.respondWith(handleRequest(event.request))})
Post JSON

Send a POST request with JSON data. Use to share data with external servers.

/** * Example someHost is set up to take in a JSON request * Replace url with the host you wish to send requests to * @param {string} url the URL to send the request to * @param {BodyInit} body the JSON data to send in the request */const someHost = "https://examples.cloudflareworkers.com/demos"const url = someHost + "/requests/json"const body = {  results: ["default data to send"],  errors: null,  msg: "I sent this to the fetch",}/** * gatherResponse awaits and returns a response body as a string. * Use await gatherResponse(..) in an async function to get the response body * @param {Response} response */async function gatherResponse(response) {  const { headers } = response  const contentType = headers.get("content-type") || ""  if (contentType.includes("application/json")) {    return JSON.stringify(await response.json())  }  else if (contentType.includes("application/text")) {    return await response.text()  }  else if (contentType.includes("text/html")) {    return await response.text()  }  else {    return await response.text()  }}
async function handleRequest() {  const init = {    body: JSON.stringify(body),    method: "POST",    headers: {      "content-type": "application/json;charset=UTF-8",    },  }  const response = await fetch(url, init)  const results = await gatherResponse(response)  return new Response(results, init)}addEventListener("fetch", event => {  return event.respondWith(handleRequest())})
Read POST

Serve an HTML form, then read POST requests. Use also to read JSON or POST data from an incoming request.

/** * rawHtmlResponse returns HTML inputted directly * into the worker script * @param {string} html */function rawHtmlResponse(html) {  const init = {    headers: {      "content-type": "text/html;charset=UTF-8",    },  }  return new Response(html, init)}/** * readRequestBody reads in the incoming request body * Use await readRequestBody(..) in an async function to get the string * @param {Request} request the incoming request to read from */async function readRequestBody(request) {  const { headers } = request  const contentType = headers.get("content-type") || ""
  if (contentType.includes("application/json")) {    return JSON.stringify(await request.json())  }  else if (contentType.includes("application/text")) {    return await request.text()  }  else if (contentType.includes("text/html")) {    return await request.text()  }  else if (contentType.includes("form")) {    const formData = await request.formData()    const body = {}    for (const entry of formData.entries()) {      body[entry[0]] = entry[1]    }    return JSON.stringify(body)  }  else {    const myBlob = await request.blob()    const objectURL = URL.createObjectURL(myBlob)    return objectURL  }}
const someForm = `  <!DOCTYPE html>  <html>  <body>  <h1>Hello World</h1>  <p>This is all generated using a Worker</p>  <form action="/demos/requests" method="post">    <div>      <label for="say">What  do you want to say?</label>      <input name="say" id="say" value="Hi">    </div>    <div>      <label for="to">To who?</label>      <input name="to" id="to" value="Mom">    </div>    <div>      <button>Send my greetings</button>    </div>  </form>  </body>  </html>  `
async function handleRequest(request) {  const reqBody = await readRequestBody(request)  const retBody = `The request body sent in was ${reqBody}`  return new Response(retBody)}
addEventListener("fetch", event => {  const { request } = event  const { url } = request
  if (url.includes("form")) {    return event.respondWith(rawHtmlResponse(someForm))  }  if (request.method === "POST") {    return event.respondWith(handleRequest(request))  }  else if (request.method === "GET") {    return event.respondWith(new Response(`The request was a GET`))  }})
Rewrite links

Rewrite URL links in HTML using the HTMLRewriter. This is useful for JAMstack websites.

const OLD_URL = "developer.mozilla.org"const NEW_URL = "mynewdomain.com"
async function handleRequest(req) {  const res = await fetch(req)  return rewriter.transform(res)}
class AttributeRewriter {  constructor(attributeName) {    this.attributeName = attributeName  }  element(element) {    const attribute = element.getAttribute(this.attributeName)    if (attribute) {      element.setAttribute(        this.attributeName,        attribute.replace(OLD_URL, NEW_URL),      )    }  }}
const rewriter = new HTMLRewriter()  .on("a", new AttributeRewriter("href"))  .on("img", new AttributeRewriter("src"))
addEventListener("fetch", event => {  event.respondWith(handleRequest(event.request))})
Signing requests

Sign and verify a request using the HMAC and SHA-256 algorithms or return a 403.

// We will need some super-secret data to use as a symmetric key.const encoder = new TextEncoder()const secretKeyData = encoder.encode("my secret symmetric key")
// Convert a ByteString (a string whose code units are all in the range// [0, 255]), to a Uint8Array. If you pass in a string with code units larger// than 255, their values will overflow!function byteStringToUint8Array(byteString) {  const ui = new Uint8Array(byteString.length)  for (let i = 0; i < byteString.length; ++i) {    ui[i] = byteString.charCodeAt(i)  }  return ui}
async function verifyAndFetch(request) {  const url = new URL(request.url)
  // If the path does not begin with our protected prefix, just pass the request  // through.  if (!url.pathname.startsWith("/verify/")) {    return fetch(request)  }
  // Make sure we have the minimum necessary query parameters.  if (!url.searchParams.has("mac") || !url.searchParams.has("expiry")) {    return new Response("Missing query parameter", { status: 403 })  }
  const key = await crypto.subtle.importKey(    "raw",    secretKeyData,    { name: "HMAC", hash: "SHA-256" },    false,    ["verify"],  )
  // Extract the query parameters we need and run the HMAC algorithm on the  // parts of the request we are authenticating: the path and the expiration  // timestamp.  const expiry = Number(url.searchParams.get("expiry"))  const dataToAuthenticate = url.pathname + expiry
  // The received MAC is Base64-encoded, so we have to go to some trouble to  // get it into a buffer type that crypto.subtle.verify() can read.  const receivedMacBase64 = url.searchParams.get("mac")  const receivedMac = byteStringToUint8Array(atob(receivedMacBase64))
  // Use crypto.subtle.verify() to guard against timing attacks. Since HMACs use  // symmetric keys, we could implement this by calling crypto.subtle.sign() and  // then doing a string comparison -- this is insecure, as string comparisons  // bail out on the first mismatch, which leaks information to potential  // attackers.  const verified = await crypto.subtle.verify(    "HMAC",    key,    receivedMac,    encoder.encode(dataToAuthenticate),  )
  if (!verified) {    const body = "Invalid MAC"    return new Response(body, { status: 403 })  }
  if (Date.now() > expiry) {    const body = `URL expired at ${new Date(expiry)}`    return new Response(body, { status: 403 })  }
  // We have verified the MAC and expiration time; we are good to pass the request  // through.  return fetch(request)}
addEventListener("fetch", event => {  event.respondWith(verifyAndFetch(event.request))})