Skip to content
Cloudflare Docs
Workers
Cloudflare Docs
Workers
Search icon (depiction of a magnifying glass)
GitHub icon
Visit Workers on GitHub
Set theme to dark (⇧+D)

Data loss prevention

Protect sensitive data to prevent data loss, and send alerts to a webhooks server in the event of a data breach.

const DEBUG = true;
// TODO(signalnerve): Update this to a real URL!
const SOME_HOOK_SERVER = "https://api.pagerduty.com/hook";
/**
 * Alert a data breach by posting to a webhook server
 */
function postDataBreach(request) {
  return fetch(SOME_HOOK_SERVER, {
    method: "POST",
    headers: {
      "content-type": "application/json;charset=UTF-8",
    },
    body: JSON.stringify({
      ip: request.headers.get("cf-connecting-ip"),
      time: Date.now(),
      request: request,
    }),
  });
}
/**
 * Define personal data with regular expressions.
 * Respond with block if credit card data, and strip
 * emails and phone numbers from the response.
 * Execution will be limited to MIME type "text/*".
 */
async function handleRequest(request) {
  const response = await fetch(request);
  // Return origin response, if response wasn’t text
  const contentType = response.headers.get("content-type") || "";
  if (contentType.toLowerCase().includes("text/")) return response;
  let text = await response.text();
  // When debugging replace the response
  // from the origin with an email
  text = DEBUG
    ? text.replace("You may use this", "me@example.com may use this")
    : text;
  const sensitiveRegexsMap = {
    creditCard: String.raw`\b(?:4[0-9]{12}(?:[0-9]{3})?|(?:5[1-5][0-9]{2}|222[1-9]|22[3-9][0-9]|2[3-6][0-9]{2}|27[01][0-9]|2720)[0-9]{12}|3[47][0-9]{13}|3(?:0[0-5]|[68][0-9])[0-9]{11}|6(?:011|5[0-9]{2})[0-9]{12}|(?:2131|1800|35\d{3})\d{11})\b`,
    email: String.raw`\b[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}\b`,
    phone: String.raw`\b07\d{9}\b`,
  };
  for (const kind in sensitiveRegexsMap) {
    const sensitiveRegex = new RegExp(sensitiveRegexsMap[kind], "ig");
    const match = await sensitiveRegex.test(text);
    if (match) {
      // Alert a data breach
      await postDataBreach(request);
      // Respond with a block if credit card,
      // otherwise replace sensitive text with `*`s
      return kind === "creditCard"
        ? new Response(kind + " found\nForbidden\n", {
            status: 403,
            statusText: "Forbidden",
          })
        : new Response(text.replace(sensitiveRegex, "**********"), response);
    }
  }
  return new Response(text, response);
}
export default {
  fetch(request) {
    return handleRequest(request);
  },
};