Contributor

@Le0Developer Le0Developer commented Aug 21, 2025

Summary

This summary is Copilot generated

This pull request adds documentation for a new use case to the custom token authentication rules, specifically describing how to protect an entire directory with a single HMAC signature. The update provides a practical example and step-by-step instructions for extracting a directory name from a request URI and using it in authentication.

New use case documentation:

  • Added a section explaining how to protect an entire directory with a single signature by concatenating the directory name and query string as the MessageMAC argument for the is_timed_hmac_valid_v0() function.
  • Included an example using the substring() function to extract a fixed-length directory name from the URI path and demonstrated how to construct the authentication logic using concat() and the relevant WAF functions.

Documentation checklist

  • Is there a changelog entry (guidelines)? If you don't add one for something awesome and new (however small) — how will our customers find out? Changelogs are automatically posted to RSS feeds, the Discord, and X.
  • The documentation style guide has been adhered to.
  • If a larger change - such as adding a new page- an issue has been opened in relation to any incorrect or out of date information that this PR fixes.
  • Files which have changed name or location have been allocated redirects.

@Le0Developer
Contributor Author

I don't think case-studies will be a common example. I think image/video delivery (where one album/HLS playlist shares the same token) are a lot more common. This was sparked by a discussion in the #r2 channel on Discord.

@pedrosousa
Contributor

> I don't think case-studies will be a common example. I think image/video delivery (where one album/HLS playlist shares the same token) are a lot more common. This was sparked by a discussion in the #r2 channel on Discord.

Hi @Le0Developer
I discussed this internally and ended up using case-studies due to the following reasons:

  • Using images as an example could lead to a user creating a configuration that would leak information. If a user follows the example but keeps photos/files of all users under the same path prefix (or in sub-folders of that prefix), a single auth token could be used to access any user's photo if we can guess filenames.
  • Using videos would require additional Cloudflare products or subscriptions (R2 or Stream), and I was trying to make the example generic enough so it applied to more users (even though HMAC validation requires a Pro, Business, or Enterprise plan).
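
Added example, not part of the PR or of either comment above: a simplified Python model of the directory-scoped timed HMAC check the summary describes, showing why a shared path prefix lets one token reach every file below it. The `verify=<timestamp>-<MAC>` token layout, the function names, the secret, the paths and the timestamp are assumptions constructed for illustration; this is not Cloudflare's implementation of `is_timed_hmac_valid_v0()`.

```python
import base64
import hashlib
import hmac
from urllib.parse import quote_plus, unquote_plus

SECRET = b"constructed-demo-secret"  # constructed value, not a real key
SEPARATOR = "verify="                # assumed query-string separator

def _mac(secret: bytes, directory: str, ts: int) -> str:
    # The MAC covers only the directory prefix and the issue time, never the file name.
    digest = hmac.new(secret, f"{directory}{ts}".encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()

def sign_directory(secret: bytes, directory: str, now: int) -> str:
    """Issue one query string that is valid for every path under `directory`."""
    return f"{SEPARATOR}{now}-{quote_plus(_mac(secret, directory, now))}"

def is_request_valid(secret: bytes, path: str, query: str, now: int,
                     prefix_len: int, ttl: int = 3600) -> bool:
    """Validate `query` against the first `prefix_len` characters of `path`."""
    if not query.startswith(SEPARATOR):
        return False
    ts_text, dash, mac_text = query[len(SEPARATOR):].partition("-")
    if not dash or not ts_text.isdecimal():
        return False
    ts = int(ts_text)
    if not 0 <= now - ts <= ttl:  # reject expired and future-dated tokens
        return False
    expected = _mac(secret, path[:prefix_len], ts)
    return hmac.compare_digest(expected.encode(), unquote_plus(mac_text).encode())

def demo() -> dict:
    now = 1_756_000_000  # constructed timestamp
    docs = sign_directory(SECRET, "/case-studies/", now)   # 14-character prefix
    photos = sign_directory(SECRET, "/photos/", now)       # 8-character shared prefix
    return {
        "same_dir": is_request_valid(SECRET, "/case-studies/acme.pdf", docs, now + 60, 14),
        "other_dir": is_request_valid(SECRET, "/whitepapers/acme.pdf", docs, now + 60, 14),
        "expired": is_request_valid(SECRET, "/case-studies/acme.pdf", docs, now + 7200, 14),
        # One token for a shared prefix reaches every user's files below it.
        "alice": is_request_valid(SECRET, "/photos/alice/1.jpg", photos, now + 60, 8),
        "bob": is_request_valid(SECRET, "/photos/bob/1.jpg", photos, now + 60, 8),
        # Signing each user's directory separately keeps the token scoped.
        "scoped": is_request_valid(SECRET, "/photos/bob/1.jpg",
                                   sign_directory(SECRET, "/photos/alice/", now), now + 60, 14),
    }
```

The signed prefix is the whole authorization boundary: nothing below it is distinguished by the token, so the prefix has to match the set of files one token holder is meant to read.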

@pedrosousa pedrosousa merged commit d5fedca into cloudflare:production Aug 27, 2025
2 checks passed
@workers-devprod workers-devprod added the contribution [Holopin] Recognizes a docs contribution, big or small label Aug 27, 2025
@Le0Developer Le0Developer deleted the feat/waf-directory-based-hmac branch August 27, 2025 15:59