Building Modern Web Applications with Cloudflare Pages and Edge Functions#

Cloudflare Pages combined with Edge Functions provides a powerful platform for building and deploying modern web applications at the edge. This comprehensive guide covers everything from static site deployment to dynamic edge computing with serverless functions.

Table of Contents#

Introduction#

Cloudflare Pages is a JAMstack platform for frontend developers to collaborate and deploy websites. When combined with Edge Functions (powered by Workers), it enables:

Static site hosting with global CDN distribution
Serverless functions running at the edge
Git-based deployments with automatic builds
Preview deployments for every commit
Advanced routing and middleware capabilities
Full-stack applications with API routes

Pages vs Traditional Hosting#

Feature	Cloudflare Pages	Vercel	Netlify	GitHub Pages
Free Tier Builds	500/month	Unlimited	300 min/month	Unlimited
Bandwidth	Unlimited	100GB	100GB	100GB
Edge Functions	✅ Workers	✅ Edge Functions	✅ Functions	❌
Custom Domains	Unlimited	50	Unlimited	1
Preview URLs	✅	✅	✅	❌
Analytics	✅ Free	Paid	Paid	❌

Getting Started#

1. Create a New Pages Project#

1
# Using Wrangler CLI
2
npm create cloudflare@latest my-pages-app -- --framework=react
3

4
# Or with any framework
5
npm create cloudflare@latest my-app -- --framework=vue
6
npm create cloudflare@latest my-app -- --framework=svelte
7
npm create cloudflare@latest my-app -- --framework=next
8
npm create cloudflare@latest my-app -- --framework=nuxt
9
npm create cloudflare@latest my-app -- --framework=astro
10
npm create cloudflare@latest my-app -- --framework=remix

2. Project Structure#

1
my-pages-app/
2
├── public/               # Static assets
3
├── src/                  # Source code
4
│   ├── components/       # React/Vue/Svelte components
5
│   ├── pages/           # Page components
6
│   └── styles/          # CSS/SCSS files
7
├── functions/           # Edge Functions (API routes)
8
│   ├── api/
9
│   │   ├── hello.js    # /api/hello endpoint
10
│   │   └── [[path]].js # Catch-all route
11
│   └── _middleware.js  # Global middleware
12
├── wrangler.toml        # Configuration
13
└── package.json

3. Configuration#

wrangler.toml:

1
name = "my-pages-app"
2
compatibility_date = "2025-01-10"
3

4
[build]
5
command = "npm run build"
6
publish = "dist"
7

8
[build.environment]
9
NODE_VERSION = "18"
10

11
# Environment variables
12
[env.production.vars]
13
API_URL = "https://api.example.com"
14
ENVIRONMENT = "production"
15

16
[env.preview.vars]
17
API_URL = "https://staging-api.example.com"
18
ENVIRONMENT = "preview"
19

20
# KV Namespaces
21
[[env.production.kv_namespaces]]
22
binding = "CACHE"
23
id = "your-kv-namespace-id"
24

25
# D1 Database
26
[[env.production.d1_databases]]
27
binding = "DB"
28
database_name = "my-database"
29
database_id = "your-database-id"
30

31
# R2 Bucket
32
[[env.production.r2_buckets]]
33
binding = "STORAGE"
34
bucket_name = "my-bucket"
35

36
# Durable Objects
37
[[env.production.durable_objects.bindings]]
38
name = "WEBSOCKET"
39
class_name = "WebSocketDurableObject"

Edge Functions (API Routes)#

1. Basic API Route#

functions/api/hello.js:

1
export async function onRequest(context) {
2
  // context contains:
3
  // - request: The incoming Request
4
  // - env: Environment bindings (KV, D1, etc.)
5
  // - params: URL parameters
6
  // - waitUntil: For background tasks
7
  // - next: For middleware chaining
8
  // - data: Data from middleware
9

10
  return new Response(JSON.stringify({
11
    message: 'Hello from the edge!'
12
  }), {
13
    headers: { 'Content-Type': 'application/json' }
14
  });
15
}
16

17
// Support specific HTTP methods
18
export async function onRequestPost(context) {
19
  const body = await context.request.json();
20
  return new Response(JSON.stringify({
21
    received: body
22
  }), {
23
    status: 201,
24
    headers: { 'Content-Type': 'application/json' }
25
  });
26
}
27

28
export async function onRequestGet({ request, env }) {
29
  const url = new URL(request.url);
30
  const name = url.searchParams.get('name') || 'World';
31

32
  return new Response(`Hello, ${name}!`);
33
}

2. Dynamic Routes#

functions/api/users/[id].js:

1
export async function onRequest({ params, env }) {
2
  const userId = params.id;
3

4
  // Fetch from D1 database
5
  const user = await env.DB.prepare(
6
    'SELECT * FROM users WHERE id = ?'
7
  ).bind(userId).first();
8

9
  if (!user) {
10
    return new Response('User not found', { status: 404 });
11
  }
12

13
  return new Response(JSON.stringify(user), {
14
    headers: { 'Content-Type': 'application/json' }
15
  });
16
}

3. Catch-All Routes#

functions/api/[[path]].js:

1
export async function onRequest({ request, params }) {
2
  // Catch all routes under /api/
3
  const path = params.path ? params.path.join('/') : '';
4

5
  // Custom routing logic
6
  if (path.startsWith('v2/')) {
7
    return handleV2Api(request, path);
8
  }
9

10
  return new Response('API endpoint not found', { status: 404 });
11
}
12

13
function handleV2Api(request, path) {
14
  // Handle v2 API routes
15
  return new Response(JSON.stringify({
16
    version: 'v2',
17
    path
18
  }), {
19
    headers: { 'Content-Type': 'application/json' }
20
  });
21
}

Middleware and Authentication#

1. Global Middleware#

functions/_middleware.js:

1
import jwt from '@tsndr/cloudflare-worker-jwt';
2

3
export async function onRequest(context) {
4
  const { request, env, next, data } = context;
5

6
  // Add CORS headers
7
  const corsHeaders = {
8
    'Access-Control-Allow-Origin': '*',
9
    'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
10
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
11
  };
12

13
  // Handle OPTIONS requests
14
  if (request.method === 'OPTIONS') {
15
    return new Response(null, { headers: corsHeaders });
16
  }
17

18
  // Rate limiting
19
  const ip = request.headers.get('CF-Connecting-IP') || 'unknown';
20
  const rateLimitKey = `rate:${ip}`;
21
  const current = await env.CACHE.get(rateLimitKey);
22

23
  if (current && parseInt(current) > 100) {
24
    return new Response('Rate limit exceeded', {
25
      status: 429,
26
      headers: { ...corsHeaders, 'Retry-After': '60' }
27
    });
28
  }
29

30
  await env.CACHE.put(rateLimitKey, String((parseInt(current) || 0) + 1), {
31
    expirationTtl: 60
32
  });
33

34
  // Authentication check for protected routes
35
  if (request.url.includes('/api/admin')) {
36
    const token = request.headers.get('Authorization')?.replace('Bearer ', '');
37

38
    if (!token) {
39
      return new Response('Unauthorized', {
40
        status: 401,
41
        headers: corsHeaders
42
      });
43
    }
44

45
    try {
46
      const isValid = await jwt.verify(token, env.JWT_SECRET);
47
      if (!isValid) {
48
        return new Response('Invalid token', {
49
          status: 401,
50
          headers: corsHeaders
51
        });
52
      }
53

54
      const decoded = jwt.decode(token);
55
      data.user = decoded.payload;
56
    } catch (error) {
57
      return new Response('Invalid token', {
58
        status: 401,
59
        headers: corsHeaders
60
      });
61
    }
62
  }
63

64
  // Continue to the next middleware or route
65
  const response = await next();
66

67
  // Add CORS headers to response
68
  Object.keys(corsHeaders).forEach(key => {
69
    response.headers.set(key, corsHeaders[key]);
70
  });
71

72
  return response;
73
}

2. Route-Specific Middleware#

functions/api/admin/_middleware.js:

1
export async function onRequest({ request, env, next, data }) {
2
  // This middleware only applies to /api/admin/* routes
3

4
  // Check admin permissions
5
  if (!data.user || data.user.role !== 'admin') {
6
    return new Response('Forbidden', { status: 403 });
7
  }
8

9
  // Log admin action
10
  await env.DB.prepare(
11
    'INSERT INTO admin_logs (user_id, action, timestamp) VALUES (?, ?, ?)'
12
  ).bind(data.user.id, request.url, new Date().toISOString()).run();
13

14
  return next();
15
}

3. Auth Implementation#

functions/api/auth/login.js:

1
import bcrypt from 'bcryptjs';
2
import jwt from '@tsndr/cloudflare-worker-jwt';
3

4
export async function onRequestPost({ request, env }) {
5
  try {
6
    const { email, password } = await request.json();
7

8
    // Get user from database
9
    const user = await env.DB.prepare(
10
      'SELECT * FROM users WHERE email = ?'
11
    ).bind(email).first();
12

13
    if (!user) {
14
      return new Response('Invalid credentials', { status: 401 });
15
    }
16

17
    // Verify password
18
    const valid = await bcrypt.compare(password, user.password_hash);
19
    if (!valid) {
20
      return new Response('Invalid credentials', { status: 401 });
21
    }
22

23
    // Generate JWT
24
    const token = await jwt.sign({
25
      id: user.id,
26
      email: user.email,
27
      role: user.role,
28
      exp: Math.floor(Date.now() / 1000) + (60 * 60 * 24) // 24 hours
29
    }, env.JWT_SECRET);
30

31
    // Set secure cookie
32
    const response = new Response(JSON.stringify({
33
      success: true,
34
      user: { id: user.id, email: user.email, role: user.role }
35
    }), {
36
      headers: { 'Content-Type': 'application/json' }
37
    });
38

39
    response.headers.append('Set-Cookie',
40
      `token=${token}; HttpOnly; Secure; SameSite=Strict; Path=/; Max-Age=86400`
41
    );
42

43
    return response;
44
  } catch (error) {
45
    console.error('Login error:', error);
46
    return new Response('Internal server error', { status: 500 });
47
  }
48
}

Framework Integration#

1. Next.js with Pages#

next.config.js:

1
/** @type {import('next').NextConfig} */
2
const nextConfig = {
3
  experimental: {
4
    runtime: 'edge',
5
  },
6
  images: {
7
    loader: 'custom',
8
    loaderFile: './imageLoader.js',
9
  },
10
};
11

12
module.exports = nextConfig;

pages/api/data.js:

1
export const config = {
2
  runtime: 'edge',
3
};
4

5
export default async function handler(request) {
6
  // This runs on Cloudflare's edge
7
  const { searchParams } = new URL(request.url);
8
  const id = searchParams.get('id');
9

10
  // Access Cloudflare bindings via process.env
11
  const data = await process.env.KV.get(`data:${id}`);
12

13
  return new Response(JSON.stringify({ data }), {
14
    headers: { 'Content-Type': 'application/json' },
15
  });
16
}

2. React with Vite#

vite.config.js:

1
import { defineConfig } from 'vite';
2
import react from '@vitejs/plugin-react';
3
import { getPlatformProxy } from 'wrangler';
4

5
export default defineConfig(async () => {
6
  const { env } = await getPlatformProxy();
7

8
  return {
9
    plugins: [react()],
10
    define: {
11
      'process.env': env,
12
    },
13
    server: {
14
      proxy: {
15
        '/api': {
16
          target: 'http://localhost:8788',
17
          changeOrigin: true,
18
        },
19
      },
20
    },
21
  };
22
});

3. Astro Integration#

astro.config.mjs:

1
import { defineConfig } from 'astro/config';
2
import cloudflare from '@astrojs/cloudflare';
3

4
export default defineConfig({
5
  output: 'server',
6
  adapter: cloudflare({
7
    mode: 'directory',
8
    functionPerRoute: true,
9
  }),
10
  vite: {
11
    define: {
12
      'process.env.API_URL': JSON.stringify(process.env.API_URL),
13
    },
14
  },
15
});

src/pages/api/posts/[id].js:

1
export async function GET({ params, locals }) {
2
  // Access Cloudflare bindings via locals.runtime.env
3
  const post = await locals.runtime.env.DB.prepare(
4
    'SELECT * FROM posts WHERE id = ?'
5
  ).bind(params.id).first();
6

7
  if (!post) {
8
    return new Response('Not found', { status: 404 });
9
  }
10

11
  return new Response(JSON.stringify(post), {
12
    headers: { 'Content-Type': 'application/json' },
13
  });
14
}

Advanced Patterns#

1. Server-Side Rendering (SSR)#

functions/[[path]].js:

1
import { renderToString } from 'react-dom/server';
2
import App from '../src/App';
3

4
export async function onRequest({ request, env, params }) {
5
  const path = params.path ? `/${params.path.join('/')}` : '/';
6

7
  // Server-side render React app
8
  const html = renderToString(<App path={path} env={env} />);
9

10
  return new Response(`
11
    <!DOCTYPE html>
12
    <html>
13
      <head>
14
        <title>My SSR App</title>
15
        <link rel="stylesheet" href="/styles.css">
16
      </head>
17
      <body>
18
        <div id="root">${html}</div>
19
        <script>
20
          window.__INITIAL_STATE__ = ${JSON.stringify({ path })}
21
        </script>
22
        <script src="/bundle.js"></script>
23
      </body>
24
    </html>
25
  `, {
26
    headers: { 'Content-Type': 'text/html' },
27
  });
28
}

2. WebSocket Support with Durable Objects#

functions/ws.js:

1
export class WebSocketDurableObject {
2
  constructor(state, env) {
3
    this.state = state;
4
    this.env = env;
5
    this.sessions = [];
6
  }
7

8
  async fetch(request) {
9
    const upgradeHeader = request.headers.get('Upgrade');
10

11
    if (!upgradeHeader || upgradeHeader !== 'websocket') {
12
      return new Response('Expected Upgrade: websocket', { status: 426 });
13
    }
14

15
    const [client, server] = Object.values(new WebSocketPair());
16

17
    this.handleSession(server);
18

19
    return new Response(null, {
20
      status: 101,
21
      webSocket: client,
22
    });
23
  }
24

25
  handleSession(websocket) {
26
    websocket.accept();
27
    this.sessions.push(websocket);
28

29
    websocket.addEventListener('message', async (event) => {
30
      const message = JSON.parse(event.data);
31

32
      // Broadcast to all connected clients
33
      this.broadcast(message);
34

35
      // Store message in database
36
      await this.env.DB.prepare(
37
        'INSERT INTO messages (content, timestamp) VALUES (?, ?)'
38
      ).bind(message.content, new Date().toISOString()).run();
39
    });
40

41
    websocket.addEventListener('close', () => {
42
      this.sessions = this.sessions.filter(s => s !== websocket);
43
    });
44
  }
45

46
  broadcast(message) {
47
    const data = JSON.stringify(message);
48
    this.sessions.forEach(session => {
49
      try {
50
        session.send(data);
51
      } catch (error) {
52
        // Remove dead sessions
53
        this.sessions = this.sessions.filter(s => s !== session);
54
      }
55
    });
56
  }
57
}
58

59
export async function onRequest({ request, env }) {
60
  const id = env.WEBSOCKET.idFromName('global-chat');
61
  const stub = env.WEBSOCKET.get(id);
62

63
  return stub.fetch(request);
64
}

3. Image Optimization#

functions/images/[[path]].js:

1
export async function onRequest({ request, env, params }) {
2
  const path = params.path ? params.path.join('/') : '';
3
  const url = new URL(request.url);
4

5
  // Parse image transformation parameters
6
  const width = parseInt(url.searchParams.get('w') || '0');
7
  const height = parseInt(url.searchParams.get('h') || '0');
8
  const quality = parseInt(url.searchParams.get('q') || '85');
9
  const format = url.searchParams.get('f') || 'auto';
10

11
  // Check cache
12
  const cacheKey = `image:${path}:${width}x${height}:q${quality}:${format}`;
13
  const cached = await env.CACHE.get(cacheKey, { type: 'stream' });
14

15
  if (cached) {
16
    return new Response(cached, {
17
      headers: {
18
        'Content-Type': `image/${format === 'auto' ? 'webp' : format}`,
19
        'Cache-Control': 'public, max-age=31536000',
20
      },
21
    });
22
  }
23

24
  // Fetch original image
25
  const original = await env.STORAGE.get(path);
26
  if (!original) {
27
    return new Response('Image not found', { status: 404 });
28
  }
29

30
  // Apply transformations using Cloudflare Image Resizing
31
  const transformed = await fetch(request, {
32
    cf: {
33
      image: {
34
        width,
35
        height,
36
        quality,
37
        format,
38
        fit: 'cover',
39
      },
40
    },
41
  });
42

43
  const buffer = await transformed.arrayBuffer();
44

45
  // Cache transformed image
46
  await env.CACHE.put(cacheKey, buffer, {
47
    expirationTtl: 86400, // 24 hours
48
  });
49

50
  return new Response(buffer, {
51
    headers: {
52
      'Content-Type': transformed.headers.get('Content-Type'),
53
      'Cache-Control': 'public, max-age=31536000',
54
    },
55
  });
56
}

4. A/B Testing#

functions/_middleware.js:

1
export async function onRequest({ request, env, next, waitUntil }) {
2
  const url = new URL(request.url);
3

4
  // Skip A/B testing for API routes
5
  if (url.pathname.startsWith('/api')) {
6
    return next();
7
  }
8

9
  // Get or create user ID
10
  const cookies = parseCookies(request.headers.get('Cookie'));
11
  let userId = cookies.userId;
12

13
  if (!userId) {
14
    userId = crypto.randomUUID();
15
  }
16

17
  // Determine variant
18
  const variant = await determineVariant(userId, env);
19

20
  // Log experiment exposure
21
  waitUntil(logExperiment(userId, variant, env));
22

23
  // Modify response based on variant
24
  const response = await next();
25

26
  // Inject variant data
27
  if (response.headers.get('Content-Type')?.includes('text/html')) {
28
    const html = await response.text();
29
    const modifiedHtml = html.replace(
30
      '</head>',
31
      `<script>window.__AB_VARIANT__ = '${variant}';</script></head>`
32
    );
33

34
    const newResponse = new Response(modifiedHtml, response);
35
    newResponse.headers.set('Set-Cookie',
36
      `userId=${userId}; Path=/; Max-Age=2592000; SameSite=Lax`
37
    );
38

39
    return newResponse;
40
  }
41

42
  return response;
43
}
44

45
async function determineVariant(userId, env) {
46
  // Check if user already has a variant
47
  const existing = await env.KV.get(`variant:${userId}`);
48
  if (existing) return existing;
49

50
  // Assign variant based on hash
51
  const hash = await crypto.subtle.digest(
52
    'SHA-256',
53
    new TextEncoder().encode(userId)
54
  );
55
  const hashArray = Array.from(new Uint8Array(hash));
56
  const hashHex = hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
57
  const variant = parseInt(hashHex.substring(0, 8), 16) % 100 < 50 ? 'A' : 'B';
58

59
  // Store variant assignment
60
  await env.KV.put(`variant:${userId}`, variant, {
61
    expirationTtl: 2592000, // 30 days
62
  });
63

64
  return variant;
65
}
66

67
async function logExperiment(userId, variant, env) {
68
  await env.DB.prepare(
69
    'INSERT INTO experiments (user_id, variant, timestamp) VALUES (?, ?, ?)'
70
  ).bind(userId, variant, new Date().toISOString()).run();
71
}

Deployment Strategies#

1. Git Integration#

1
name: Deploy to Cloudflare Pages
2

3
on:
4
  push:
5
    branches: [main]
6
  pull_request:
7
    branches: [main]
8

9
jobs:
10
  deploy:
11
    runs-on: ubuntu-latest
12
    steps:
13
      - uses: actions/checkout@v3
14

15
      - name: Setup Node.js
16
        uses: actions/setup-node@v3
17
        with:
18
          node-version: '18'
19
          cache: 'npm'
20

21
      - name: Install dependencies
22
        run: npm ci
23

24
      - name: Run tests
25
        run: npm test
26

27
      - name: Build
28
        run: npm run build
29
        env:
30
          API_URL: ${{ secrets.API_URL }}
31

32
      - name: Deploy to Cloudflare Pages
33
        uses: cloudflare/pages-action@v1
34
        with:
35
          apiToken: ${{ secrets.CLOUDFLARE_API_TOKEN }}
36
          accountId: ${{ secrets.CLOUDFLARE_ACCOUNT_ID }}
37
          projectName: my-pages-app
38
          directory: dist
39
          gitHubToken: ${{ secrets.GITHUB_TOKEN }}
40
          wranglerVersion: '3'

2. Preview Deployments#

1
export async function onRequest({ request, env, next }) {
2
  const url = new URL(request.url);
3

4
  // Only protect preview deployments
5
  if (!url.hostname.includes('pages.dev')) {
6
    return next();
7
  }
8

9
  // Basic auth for preview URLs
10
  const auth = request.headers.get('Authorization');
11

12
  if (!auth || !auth.startsWith('Basic ')) {
13
    return new Response('Authentication required', {
14
      status: 401,
15
      headers: {
16
        'WWW-Authenticate': 'Basic realm="Preview"',
17
      },
18
    });
19
  }
20

21
  const [user, pass] = atob(auth.substring(6)).split(':');
22

23
  if (user !== env.PREVIEW_USER || pass !== env.PREVIEW_PASS) {
24
    return new Response('Invalid credentials', { status: 401 });
25
  }
26

27
  return next();
28
}

3. Blue-Green Deployment#

1
export async function onRequest({ request, env, next }) {
2
  const cookie = parseCookies(request.headers.get('Cookie'));
3
  const version = cookie.version || 'blue';
4

5
  // Route to appropriate version
6
  if (version === 'green') {
7
    // Fetch from green deployment
8
    const response = await fetch(`https://green.${env.DOMAIN}${request.url}`);
9
    return new Response(response.body, response);
10
  }
11

12
  // Continue with blue (current) version
13
  return next();
14
}
15

16
// Admin endpoint to switch versions
17
export async function onRequestPost({ request, env }) {
18
  const { version } = await request.json();
19

20
  if (version !== 'blue' && version !== 'green') {
21
    return new Response('Invalid version', { status: 400 });
22
  }
23

24
  // Update global version
25
  await env.KV.put('active-version', version);
26

27
  return new Response(JSON.stringify({
28
    message: `Switched to ${version}`
29
  }), {
30
    headers: { 'Content-Type': 'application/json' },
31
  });
32
}

Performance Optimization#

1. Static Asset Optimization#

1
export async function onRequest({ request, env, next }) {
2
  const response = await next();
3

4
  // Skip non-asset responses
5
  if (!response.headers.get('Content-Type')?.match(/css|javascript|image/)) {
6
    return response;
7
  }
8

9
  // Clone response to modify headers
10
  const newResponse = new Response(response.body, response);
11

12
  // Set aggressive caching for assets
13
  newResponse.headers.set('Cache-Control',
14
    'public, max-age=31536000, immutable'
15
  );
16

17
  // Add security headers
18
  newResponse.headers.set('X-Content-Type-Options', 'nosniff');
19

20
  // Enable Brotli compression
21
  newResponse.headers.set('Content-Encoding', 'br');
22

23
  return newResponse;
24
}

2. HTML Caching Strategy#

1
export async function onRequest({ request, env, next }) {
2
  const url = new URL(request.url);
3
  const cacheKey = `html:${url.pathname}`;
4

5
  // Check if this is a cacheable HTML request
6
  if (request.method === 'GET' && !url.pathname.startsWith('/api')) {
7
    // Check cache
8
    const cached = await env.CACHE.get(cacheKey);
9

10
    if (cached) {
11
      const response = new Response(cached, {
12
        headers: {
13
          'Content-Type': 'text/html',
14
          'X-Cache': 'HIT',
15
        },
16
      });
17

18
      return response;
19
    }
20
  }
21

22
  const response = await next();
23

24
  // Cache successful HTML responses
25
  if (
26
    response.status === 200 &&
27
    response.headers.get('Content-Type')?.includes('text/html')
28
  ) {
29
    const html = await response.text();
30

31
    // Store in cache
32
    await env.CACHE.put(cacheKey, html, {
33
      expirationTtl: 300, // 5 minutes
34
    });
35

36
    const newResponse = new Response(html, response);
37
    newResponse.headers.set('X-Cache', 'MISS');
38

39
    return newResponse;
40
  }
41

42
  return response;
43
}

3. Resource Hints#

1
export async function onRequest({ request, next }) {
2
  const response = await next();
3

4
  if (!response.headers.get('Content-Type')?.includes('text/html')) {
5
    return response;
6
  }
7

8
  const html = await response.text();
9

10
  // Add resource hints
11
  const optimizedHtml = html.replace('</head>', `
12
    <link rel="preconnect" href="https://fonts.googleapis.com">
13
    <link rel="dns-prefetch" href="https://api.example.com">
14
    <link rel="preload" href="/fonts/main.woff2" as="font" type="font/woff2" crossorigin>
15
    <link rel="modulepreload" href="/js/app.js">
16
    </head>
17
  `);
18

19
  return new Response(optimizedHtml, response);
20
}

Security Best Practices#

1. Content Security Policy#

1
export async function onRequest({ request, next }) {
2
  const response = await next();
3

4
  // Add security headers
5
  response.headers.set('Content-Security-Policy',
6
    "default-src 'self'; " +
7
    "script-src 'self' 'unsafe-inline' https://cdn.example.com; " +
8
    "style-src 'self' 'unsafe-inline'; " +
9
    "img-src 'self' data: https:; " +
10
    "font-src 'self' data:; " +
11
    "connect-src 'self' https://api.example.com; " +
12
    "frame-ancestors 'none';"
13
  );
14

15
  response.headers.set('X-Frame-Options', 'DENY');
16
  response.headers.set('X-Content-Type-Options', 'nosniff');
17
  response.headers.set('Referrer-Policy', 'strict-origin-when-cross-origin');
18
  response.headers.set('Permissions-Policy',
19
    'camera=(), microphone=(), geolocation=()'
20
  );
21

22
  return response;
23
}

2. Input Validation#

1
import { z } from 'zod';
2

3
const FormSchema = z.object({
4
  email: z.string().email(),
5
  name: z.string().min(2).max(100),
6
  message: z.string().min(10).max(1000),
7
  age: z.number().min(18).max(120),
8
});
9

10
export async function onRequestPost({ request, env }) {
11
  try {
12
    const body = await request.json();
13

14
    // Validate input
15
    const validated = FormSchema.parse(body);
16

17
    // Sanitize HTML content
18
    validated.message = sanitizeHtml(validated.message);
19

20
    // Store in database
21
    await env.DB.prepare(
22
      'INSERT INTO submissions (email, name, message, age) VALUES (?, ?, ?, ?)'
23
    ).bind(
24
      validated.email,
25
      validated.name,
26
      validated.message,
27
      validated.age
28
    ).run();
29

30
    return new Response(JSON.stringify({ success: true }), {
31
      headers: { 'Content-Type': 'application/json' },
32
    });
33
  } catch (error) {
34
    if (error instanceof z.ZodError) {
35
      return new Response(JSON.stringify({
36
        errors: error.errors
37
      }), {
38
        status: 400,
39
        headers: { 'Content-Type': 'application/json' },
40
      });
41
    }
42

43
    return new Response('Internal server error', { status: 500 });
44
  }
45
}
46

47
function sanitizeHtml(input) {
48
  // Remove potentially dangerous HTML
49
  return input
50
    .replace(/<script\b[^<]*(?:(?!<\/script>)<[^<]*)*<\/script>/gi, '')
51
    .replace(/<iframe\b[^<]*(?:(?!<\/iframe>)<[^<]*)*<\/iframe>/gi, '')
52
    .replace(/on\w+\s*=\s*"[^"]*"/gi, '')
53
    .replace(/on\w+\s*=\s*'[^']*'/gi, '');
54
}

3. DDoS Protection#

1
export async function onRequest({ request, env, next }) {
2
  const ip = request.headers.get('CF-Connecting-IP');
3

4
  // Check if IP is blocked
5
  const blocked = await env.KV.get(`blocked:${ip}`);
6
  if (blocked) {
7
    return new Response('Access denied', { status: 403 });
8
  }
9

10
  // Implement rate limiting
11
  const rateLimitKey = `rate:${ip}:${Math.floor(Date.now() / 60000)}`;
12
  const requests = await env.KV.get(rateLimitKey);
13
  const count = requests ? parseInt(requests) : 0;
14

15
  if (count > 100) { // 100 requests per minute
16
    // Block IP for 1 hour
17
    await env.KV.put(`blocked:${ip}`, 'true', {
18
      expirationTtl: 3600,
19
    });
20

21
    return new Response('Rate limit exceeded', {
22
      status: 429,
23
      headers: { 'Retry-After': '3600' },
24
    });
25
  }
26

27
  // Increment counter
28
  await env.KV.put(rateLimitKey, String(count + 1), {
29
    expirationTtl: 60,
30
  });
31

32
  // Check for suspicious patterns
33
  const userAgent = request.headers.get('User-Agent');
34
  if (isSuspicious(userAgent)) {
35
    await logSuspiciousActivity(ip, userAgent, env);
36
  }
37

38
  return next();
39
}
40

41
function isSuspicious(userAgent) {
42
  const suspiciousPatterns = [
43
    /bot/i,
44
    /crawler/i,
45
    /spider/i,
46
    /scraper/i,
47
  ];
48

49
  return suspiciousPatterns.some(pattern => pattern.test(userAgent));
50
}

Monitoring and Analytics#

1. Custom Analytics#

1
export async function onRequest({ request, env, next, waitUntil }) {
2
  const start = Date.now();
3
  const response = await next();
4
  const duration = Date.now() - start;
5

6
  // Log request analytics
7
  waitUntil(logAnalytics({
8
    timestamp: new Date().toISOString(),
9
    method: request.method,
10
    path: new URL(request.url).pathname,
11
    status: response.status,
12
    duration,
13
    ip: request.headers.get('CF-Connecting-IP'),
14
    country: request.headers.get('CF-IPCountry'),
15
    userAgent: request.headers.get('User-Agent'),
16
  }, env));
17

18
  // Add Server-Timing header
19
  response.headers.set('Server-Timing', `total;dur=${duration}`);
20

21
  return response;
22
}
23

24
async function logAnalytics(data, env) {
25
  // Store in D1 database
26
  await env.DB.prepare(`
27
    INSERT INTO analytics
28
    (timestamp, method, path, status, duration, ip, country, user_agent)
29
    VALUES (?, ?, ?, ?, ?, ?, ?, ?)
30
  `).bind(
31
    data.timestamp,
32
    data.method,
33
    data.path,
34
    data.status,
35
    data.duration,
36
    data.ip,
37
    data.country,
38
    data.userAgent
39
  ).run();
40

41
  // Send to external analytics service
42
  await fetch('https://analytics.example.com/track', {
43
    method: 'POST',
44
    headers: { 'Content-Type': 'application/json' },
45
    body: JSON.stringify(data),
46
  });
47
}

2. Error Tracking#

1
export async function onRequest({ request, env, next }) {
2
  try {
3
    return await next();
4
  } catch (error) {
5
    // Log error to Sentry or similar
6
    await logError(error, request, env);
7

8
    // Return user-friendly error
9
    return new Response('Something went wrong', {
10
      status: 500,
11
      headers: { 'Content-Type': 'text/plain' },
12
    });
13
  }
14
}
15

16
async function logError(error, request, env) {
17
  const errorData = {
18
    message: error.message,
19
    stack: error.stack,
20
    url: request.url,
21
    method: request.method,
22
    headers: Object.fromEntries(request.headers),
23
    timestamp: new Date().toISOString(),
24
  };
25

26
  // Store in database
27
  await env.DB.prepare(`
28
    INSERT INTO errors
29
    (message, stack, url, method, headers, timestamp)
30
    VALUES (?, ?, ?, ?, ?, ?)
31
  `).bind(
32
    errorData.message,
33
    errorData.stack,
34
    errorData.url,
35
    errorData.method,
36
    JSON.stringify(errorData.headers),
37
    errorData.timestamp
38
  ).run();
39

40
  // Send to error tracking service
41
  await fetch('https://sentry.io/api/PROJECT_ID/store/', {
42
    method: 'POST',
43
    headers: {
44
      'Content-Type': 'application/json',
45
      'X-Sentry-Auth': `Sentry sentry_key=${env.SENTRY_KEY}`,
46
    },
47
    body: JSON.stringify(errorData),
48
  });
49
}

Troubleshooting#

Common Issues and Solutions#

1
// 1. Function timeout issues
2
export async function onRequest({ request, env, waitUntil }) {
3
  // Use waitUntil for background tasks
4
  waitUntil(performBackgroundTask(env));
5

6
  // Return response immediately
7
  return new Response('Processing started');
8
}
9

10
// 2. Large response handling
11
export async function onRequest({ request, env }) {
12
  // Stream large responses
13
  const { readable, writable } = new TransformStream();
14
  const writer = writable.getWriter();
15

16
  // Start streaming
17
  streamLargeData(writer, env);
18

19
  return new Response(readable, {
20
    headers: { 'Content-Type': 'application/json' },
21
  });
22
}
23

24
// 3. CORS issues
25
export async function onRequest({ request, next }) {
26
  // Handle preflight requests
27
  if (request.method === 'OPTIONS') {
28
    return new Response(null, {
29
      headers: {
30
        'Access-Control-Allow-Origin': '*',
31
        'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
32
        'Access-Control-Allow-Headers': '*',
33
        'Access-Control-Max-Age': '86400',
34
      },
35
    });
36
  }
37

38
  const response = await next();
39

40
  // Add CORS headers to all responses
41
  response.headers.set('Access-Control-Allow-Origin', '*');
42

43
  return response;
44
}

Conclusion#

Cloudflare Pages with Edge Functions provides a powerful platform for modern web applications:

Global edge deployment with automatic scaling
Serverless functions integrated with static hosting
Full-stack capabilities with database and storage bindings
Advanced features like WebSockets, SSR, and middleware
Built-in security and performance optimization

Key Takeaways#

Use middleware for cross-cutting concerns
Leverage caching at multiple levels
Implement proper error handling and monitoring
Follow security best practices from the start
Optimize for performance with edge computing