How secure is my javascript Workers source code from cloudflare employees?

My code is nothing fancy or special but let’s say I want to write something fancy and special, how secure will it be from being leaked? I don’t want to be laughed at for the code written on cloudflare coz it’s terrible and embarrassing.

1 Like

I don’t think that the code is specifically protected, some groups within Cloudflare can read it, but anything more (be it leaking it or mentioning it outside) would be a gross violation of privacy and most likely even copyright. I highly doubt anyone would do such a thing.

2 Likes

What?! I can’t write fancy, out of the world, super duper code securely without any privacy concern? Is this the official answer from cloudflare?

Obviously not, as I am not an employee.

Can you expand a bit more here? I believe you have interpreted my reply the wrong way.

How secure is the source code written in javascript inside Cloudflare Workers? How do i protect my source code?

As far as I know the code it’s not specifically encrypted at rest (@KentonVarda can confirm, as I don’t know exactly the inner workings and I am going on based on what I know and gathered in the past), Workers KV values and the Secrets section is. Also since it’s shown in the dashboard it’s enough to be able to see dashboard to see that.

Here’s the thing, laughing or mocking at someone’s code is counterproductive, every time you read code you are learning. I care more at the business logic than the syntax. I feel only the coder itself can laugh at its code when comparing to previous work.

Is my code public?

“The content of your Worker script will not be accessible to the public. However, Cloudflare employees may view your scripts for a variety of purposes, such as debugging, security audits, or to provide you with technical support.”

4 Likes

Well, often how not to do it :wink:

I wouldnt comment on whether laughing and mocking is counterproductive, but I sincerely believe Cloudflare employees will have better things to do than to go through their users’ not-so-ideal code base for that purpose.

2 Likes

is the attached swap() function a joke? I dunno java but…

public Sring swap() {
c = a;
a = b;
b = c;
return (a,b);
}

wait… let’s not get distracted. how secure is my code against cloudflare employees?

uglify is obviously reversible easily.

Remember there’s like 26+ million web sites using Cloudflare and even if only 1% of them use Cloudflare Workers, that’s like 260,000 web sites and say each one has 5x Worker scripts = 5x 260k = 1.3 million Worker scripts ! CF staff wouldn’t have that many hours in a working day to look at all those Worker scripts !

how can i code protect my source code in that case? only through rust-wasm?

any javascript is reversible easily. but rust won’t help you either. any program code could be reverse engineered.

1 Like

With enough effort, everything can be reverse engineered. However the OP is not so much concerned by that but apparently rather potentially embarrassed by his skillset in software engineering. In this context he does have a point that WebAssembly would hide that better than plain JavaScript.

Though the underlying assumption, that Cloudflare staff has nothing better to do that go through his code in particular and publicly “shame” him, is still rather shaky. I guess they will have other things to do than to browse through endless lines of code to find that one piece of absurd code that they can ridicule. And even if one engineer would happen to come across that line, he might show it to a colleague, but - aside from any potential legal consequences - I doubt that would make it much farther than that internal team circle.

Essentially, we are discussing here something that is not really an issue.

5 Likes

So, I’m an engineer on the workers team, but not a lawyer. For a legal answer, please refer to the Cloudflare Terms of Service and Privacy Policy.

With that said, we on the Workers team do often look at customers’ code when debugging specific issues that arose while running that code. For example, if the Workers Runtime crashes while running your code, we are going to look at it. This is important so that we can debug the issue, as well as to catch malicious attacks.

We are not permitted to look at your code “for fun” or to steal ideas, and we definitely wouldn’t leak your code with third parties.

All code is stored encrypted at rest, and we have authentication in place to make sure only employees who legitimately need to be able to see customers’ code are able to.

13 Likes

image

:smile:

8 Likes

:see_no_evil::hear_no_evil::speak_no_evil::joy_cat::smile_cat::joy_cat:

This was fun! XD
(sounds a lot like me when I was a beginner🤓)

So adding to this question - would all data stored in KV workers be accessible too?

@michael42 We don’t look at data in KV.

1 Like