Pipeline-based security middleware for Cloudflare Workers
Protect your Workers with pluggable detectors, multi-level threat response, and configurable actions. Block SQL injection, XSS, brute force, and more.
- 🔄 Pipeline Architecture - Composable detection → scoring → resolution → handling
- 🛡️ Multi-Level Thresholds - Configurable actions per threat level
- 🔌 Pluggable Everything - Detectors, aggregators, resolvers, handlers
- ⚡ High Performance - Parallel detection, early exit, KV caching
- 🎯 Route-Based Config - Different protection per endpoint
- 💰 Cost-Effective - $0 for most websites

```bash
npm install cloudflare-sentinel
```

```typescript
import {
  SentinelPipeline,
  BlocklistDetector,
  ReputationDetector,
  RateLimitDetector,
  SQLInjectionRequestDetector,
  MaxScoreAggregator,
  MultiLevelResolver,
  LogHandler,
  ActionType,
} from 'cloudflare-sentinel';

export default {
  async fetch(request: Request, env: Env, ctx: ExecutionContext) {
    // Detectors to run against each incoming request
    const pipeline = SentinelPipeline.sync([
      new BlocklistDetector({ kv: env.BLOCKLIST_KV }),
      new ReputationDetector({ kv: env.REPUTATION_KV }),
      new RateLimitDetector({ kv: env.RATE_LIMIT_KV, limit: 100, windowSeconds: 60 }),
      new SQLInjectionRequestDetector(),
    ])
      // Aggregate detector results using the highest score
      .score(new MaxScoreAggregator())
      // Map the aggregated score to a set of actions per threat level
      .resolve(new MultiLevelResolver({
        levels: [
          { maxScore: 30, actions: [ActionType.LOG] },
          { maxScore: 60, actions: [ActionType.LOG, ActionType.UPDATE_REPUTATION] },
          { maxScore: 100, actions: [ActionType.BLOCK, ActionType.NOTIFY] },
        ],
      }))
      // Register the handler that executes LOG actions
      .on(ActionType.LOG, new LogHandler({ console: true }));

    const decision = await pipeline.process(request, { env, ctx });

    // Reject the request when the resolved actions include a block
    if (decision.has('block')) {
      return new Response('Blocked', { status: 403 });
    }

    // Otherwise forward the request to the origin
    return fetch(request);
  },
};
```

- Getting Started - Installation & setup
- Architecture - System design
- Notifications - Slack/email alerts
- Pipeline - Core orchestration
- Detector - Attack detection
- Scoring - Score aggregation
- Resolver - Action resolution
- Handler - Action execution
| Type | Detectors |
|---|---|
| Security | BlocklistDetector, RateLimitDetector, ReputationDetector |
| Request | SQLInjectionRequestDetector, XSSRequestDetector, PathTraversalRequestDetector, CommandInjectionDetector, SSRFDetector, NoSQLInjectionDetector, XXEDetector, SSTIDetector, JWTDetector |
| Response | SQLInjectionResponseDetector, XSSResponseDetector, PathTraversalResponseDetector |
| Behavior | BruteForceDetector, EntropyDetector, FailureThresholdDetector |
| ML | MLDetector - Lightweight ML classifier for request pre-filtering |

Aggregators:

- MaxScoreAggregator - Use highest score (any high-severity = block)
- WeightedAggregator - Weighted average with detector weights

Resolvers:

- DefaultResolver - Standard thresholds
- StrictResolver - Aggressive blocking
- LenientResolver - Permissive
- MultiLevelResolver - Configurable cascading actions
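
The choice of aggregator changes which threshold level a request lands in, which matters when tuning a deployment. The following is an added example, not code from cloudflare-sentinel: a standalone TypeScript model showing how one confident detector among several quiet ones resolves under max-score versus weighted-average aggregation. It assumes 0-100 scores, per-detector weights, and that a level applies when the score is at or below its `maxScore`; the type names, function names, action strings and sample scores are constructed for illustration.

```typescript
// Added illustration: a standalone model, not cloudflare-sentinel's own code.
type Detection = { detector: string; score: number; weight: number };
type Level = { maxScore: number; actions: string[] };

// Thresholds mirror the MultiLevelResolver levels in the quick-start example;
// the action strings are constructed stand-ins for the ActionType values.
const LEVELS: Level[] = [
  { maxScore: 30, actions: ['log'] },
  { maxScore: 60, actions: ['log', 'update_reputation'] },
  { maxScore: 100, actions: ['block', 'notify'] },
];

// Max-score aggregation: the single highest detector score decides.
function maxScore(results: Detection[]): number {
  return results.reduce((m, r) => Math.max(m, r.score), 0);
}

// Weighted average: each score counts in proportion to its detector weight.
function weightedScore(results: Detection[]): number {
  const total = results.reduce((s, r) => s + r.weight, 0);
  if (total === 0) return 0; // no detectors (or all weights zero)
  return results.reduce((s, r) => s + r.score * r.weight, 0) / total;
}

// Assumed semantics: the lowest level whose maxScore covers the score applies.
function resolve(score: number, levels: Level[] = LEVELS): string[] {
  const clamped = Math.min(Math.max(score, 0), 100);
  const sorted = levels.slice().sort((a, b) => a.maxScore - b.maxScore);
  for (const level of sorted) {
    if (clamped <= level.maxScore) return level.actions;
  }
  return [];
}

// Constructed sample: one detector is confident, the others see nothing odd.
const SAMPLE: Detection[] = [
  { detector: 'sql-injection', score: 95, weight: 1 },
  { detector: 'rate-limit', score: 0, weight: 1 },
  { detector: 'reputation', score: 10, weight: 1 },
  { detector: 'blocklist', score: 0, weight: 1 },
];

// Resolve the same detections under both aggregation strategies.
function compare(results: Detection[]) {
  return {
    max: resolve(maxScore(results)),
    weighted: resolve(weightedScore(results)),
  };
}
```

With equal weights the sample averages to 26.25 and resolves to log only, while max-score resolves to block and notify, so detector weights and level thresholds need to be tuned together when switching aggregators.
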

Handlers:

- LogHandler - Console logging
- NotifyHandler - Webhook notifications (Slack, Discord, etc.)
- BlocklistHandler - Add to KV blocklist
- ReputationHandler - Update IP reputation score
- AnalyticsHandler - Cloudflare Analytics Engine logging

Lightweight binary classifier for suspicious request detection:

```typescript
import { SentinelPipeline, MLDetector } from 'cloudflare-sentinel';

const pipeline = SentinelPipeline.async([
  new MLDetector(), // Uses bundled model (~224KB)
  // ... other detectors
]);
```

```bash
cd scripts/training

# 1. Download attack payloads
python3 download_datasets.py

# 2. Generate safe requests
python3 generate_safe_requests.py --count 50000

# 3. Prepare & train
python3 prepare_dataset.py
python3 train_classifier.py --data data/dataset.jsonl --output ../../models/classifier.json
```

See scripts/training/README.md for details.

Ready-to-deploy security proxy for legacy websites:

```bash
cd examples/sentinel-proxy
npm install

# Create KV namespaces
wrangler kv:namespace create BLOCKLIST_KV
wrangler kv:namespace create RATE_LIMIT_KV
wrangler kv:namespace create REPUTATION_KV

# Configure wrangler.toml + sentinel.config.ts

# Deploy
wrangler deploy
```

- Fork the repo
- Create feature branch
- Add tests
- Submit PR
See CONTRIBUTING.md
Cloudflare Only License © 2025 lploc94
See LICENSE for details.
Made with ❤️ for Cloudflare Workers