Nice, but I’m disappointed a website behind CloudFlare [1] allows XSS [2]

[1] https://www.cloudflare.com/waf/

[2] https://telex.blog/p/0yg14u6j

Thanks for your comment! I just built it under an hour to showcase the capability of Serverless computing :-) I'll take care of sanitizing the inputs now.

Update: Has been fixed now.

Still able to XSS with link 2.

That must be an old link. I have left them untouched.

The old links have been fixed now. :)

Well done!

I hear a lot of complaints about serverless for performance and cost but I think this is exactly what Serverless is meant to do - Reduce upfront cost for low traffic and remove the barrier of managing infrastructure.

Many app welcome the benefits despite the tradeoffs.

Amazingly quick loads, slick project. I'd suggest adding a required class or warning to the inputs, I was hitting the publish button a few times wondering why it didn't publish until I filled out the title as I thought the "name" field was the title field.

Thanks for the comment. Will add the warnings for sure. I just built this in under an hour to test Workers KV. :)

Can you drop a link to the source code?

Also I saw kv has a 10s possible eventual consistency for writes, did you bump into this at all? (This is what's stopping me using it for crud apps)

I have been looking into the viability of putting auth and basic user data in Worker + KV. For auth I'm currently using firebase/google auth and I'm wondering if there's a strategy to authenticate with firebase that wouldn't require a auth request to firebase on every request but instead allow sessions and possibly caching session info in KV. Have any thoughts?

PM of KV here.

People have certainly done auth with Workers and KV before. https://liftcodeplay.com/2018/10/16/pushing-my-api-to-the-ed... and https://gist.github.com/bcnzer/04620abc992da72f83f6f1c61d71c... are two examples I've seen using JWT. We added expirations to KV to handle these sorts of use cases. I don't have a pre-built firebase example handy, but I think this should work pretty well. You'd store the ID and refresh tokens in KV, and then use those when talking to Firebase. Sounds about right. Feel free to reach out if you give it a shot and run into issues: sklabnik@cloudflare.com

Thanks @steveklabnik! That helps a lot! I'll reach out if I run into trouble!

This is pretty interesting. I am interested in learning more about serverless so I will be excited when the source code becomes available

Is static site hosting an usecase for CF workers or is this being hosted somewhere else?

Do CF Workers need an API-Gateway, like AWS Lambda?

(I know Lambda can also be accessed via the SDK)

They do not.

Oh btw.

Is there a plan to change the 30 worker limit?

It seems to limit the system to small/medium projects only when you can only have 30 workers and every worker can only have 1MB scripts.

I mean, they don't even offer to pay for more. They just tall about some nebulous enterprise option on the "limits" page.

I'm not in charge of that part of things, so I'm not sure, to be honest. We do sometimes give folks more on a case-by-case basis.

You should consider sanitizing user input.

Sure! I just built this quickly to demonstrate the capability of Workers KV. Will take care of it. Thanks for the comment.

Update: has been fixed now :)

Awesome!

Thanks! :-)

did you publish the source code?

Not yet. I am planning to write a tutorial soon with code snippets.

Please do! Would love to read about how you did it :-)

agreed... I'm super curious. Workers are my next major inquiry for new tech. they seem fascinating.