ENTERPRISE HARDENING

Website Security Center.

Deploy defense-in-depth across your network and serverless environments to block exploits, scrapers, and bot abuse.

Security Hardening Scorecard

Select the security measures you currently have active to evaluate your infrastructure's hardening score in real-time.

Security Posture: Vulnerable

0 / 12

0% VULNERABLE 0% CALIBRATED 100% FORTIFIED

Enable Cloudflare WAF Filters malicious web request payloads and SQL injections before they reach the server.

Restrict Direct Server Access Configures firewall rules so origin accepts traffic ONLY from the WAF's IP ranges.

Enable 2FA for Administrators Enforces multi-factor authentication across all admin dashboard access points.

Configure Rate Limiting Blocks automated brute-force attempts by capping request thresholds per IP.

Disable XML-RPC Deactivates WordPress XML-RPC endpoints to prevent pingback attacks and authentication bypass.

Keep Software Updated Enables automatic patching for core dependencies, CMS components, and packages.

Enforce HTTPS Redirects HTTP requests to secure HTTPS using a valid TLS/SSL certificate.

Validate All User Input Sanitizes and filters all custom query parameters and request form bodies.

Secure File Uploads Validates MIME-types and routes uploads to isolated storage outside the public web root.

Schedule Daily Backups Creates automated daily snapshots stored in an encrypted off-site cloud storage.

Run Vulnerability Scans Regularly Executes continuous automated scans to detect file modifications and system anomalies.

Monitor Logs and Alerts Reviews activity logs and establishes real-time notifications for anomalous server metrics.

ARCHITECTURAL SYSTEM

The Five Pillars of Hardening

Deploy defenses across all levels of your application stack to filter traffic, control access, and monitor behavior.

PILLAR 01

Deploy a Web Application Firewall (WAF)

A WAF filters, scrubs, and regulates malicious request headers before they can target backend processing compute cycles.

✓ Filter incoming requests via Cloudflare CDN networks.
✓ Strictly allow only Cloudflare WAF proxy IPs at origin firewalls.

PILLAR 02

Block Automated Bot Attacks

Bots scan, scrap, and perform automated credential-stuffing credential exploits across form endpoints.

✓ Replace standard access routes (e.g. `/wp-admin` or `/login`) with custom ones.
✓ Incorporate hidden honeypot validation inputs in your form bodies.

PILLAR 03

Strengthen Auth & Access Control

Enforce absolute access security boundaries to block account hijackings and unauthorized credential access.

✓ Enforce TOTP multi-factor (MFA/2FA) tokens for administrators.
✓ Restrict permissions strictly based on the Principle of Least Privilege.

The Recommended Security Stack

Industry-standard, production-proven tools vetted for modern application environments.

CDN/WAF: Cloudflare

Protects networks against DDoS floods, strips scanning scripts, and cache assets on global edges.

Bot Protection: Turnstile

Cryptographic validation layer running silently in user browser environments, stopping scraper crawlers.

Authentication: TOTP Tokens

One-time token systems (e.g., Google Authenticator, Authy) securing administrative controls.

SSL/TLS: Let's Encrypt

Auto-managed secure socket layer configuration providing robust end-to-end data encryption.

Nginx Origin Protect

# Block direct origin requests
deny all;
allow 103.21.244.0/22;
allow 141.101.64.0/22;

# Security Headers
add_header X-Frame-Options "DENY" always;

Unprefixed API Secrets API keys do NOT use 'PUBLIC_' prefix, ensuring they stay strictly on the server-side edge.

Cloudflare Settings Secrets Production variables are configured in Cloudflare Dashboard instead of being hardcoded in code.

Git-ignored Local Credentials Local wrangler variables are stored in '.dev.vars' and added to '.gitignore'.

BFF Proxy Routing Active Client-side requests interface exclusively with Astro serverless proxy routes.

Turnstile Widget Protection Sensitive form submission endpoints are guarded by Cloudflare Turnstile token validation.

Source-maps Disabled Production builds have 'sourcemap: false' configured to block client-side source reconstruction.

Cloudflare WAF Filters Enabled Global CDN rules deployed to block automated vulnerability scanning tools.

Edge Rate Limits Active Request limits (e.g. 50/min) are active on the edge worker paths.

_headers Rules Deployed Content-Security-Policy and HSTS security headers configured in 'public/_headers'.

Isolated File Storages MIME-checked uploads are directed to isolated external R2 or S3 buckets.

CLOUDFLARE EDGE WORKER ARCHITECTURE & DATA FLOW

01. Browser

Submits raw inputs. Sensitive variables isolated from client bundles.

▶

02. Edge WAF

Scrubs scans and SQL injections. Evaluates Turnstile CAPTCHA.

▶

03. BFF API

SSR Endpoint reads non-public variables (`import.meta.env`).

▶

04. API Origin

Proxied fetches completed server-to-server. Secrets never leaked.

TECHNICAL BLUEPRINT

Astro + Cloudflare Architecture Blueprint.

Step-by-step architectural guide to isolate secrets, secure edge API routes, block scanners, and deploy securely.

Strictly isolate development assets and environment credentials. Your Astro deployment workflow must deploy *only* the compiled assets inside the `/dist` production output directory. Committing or uploading root assets like raw TypeScript source files, CMS configurations, or backup databases exposes source maps and secret variables.

# Secure Astro Directory Isolation
nasty-neutron/
├── .env                  # IGNORED (Contains local keys)
├── .dev.vars             # IGNORED (Contains local wrangler secrets)
├── .gitignore            # Add *.env, *.dev.vars, .wrangler/
├── dist/                 # ONLY directory deployed to Cloudflare Pages
└── src/                  # Protected source code (Not deployed to client)

Astro environment variables must never be prefixed with `PUBLIC_` unless they are explicitly meant for client-side visibility. Any variable carrying `PUBLIC_` (e.g., `PUBLIC_API_KEY`) is automatically bundled into client javascript compilation processes. Maintain sensitive values unprefixed so that they are strictly readable in server-side edge environments only.

// Safe server-only environment variable reading (Astro SSR endpoint)
export const POST: APIRoute = async ({ request }) => {
  // Safe: Accessible ONLY on server-side edge runtime
  const secretKey = import.meta.env.OPENROUTER_API_KEY || process.env.OPENROUTER_API_KEY;
  if (!secretKey) throw new Error("Secret credential missing");
}

Never hardcode or push secrets to repository branches. Configure production keys directly inside your Cloudflare Pages Dashboard under **Settings ➔ Environment Variables**. For local emulation, Wrangler processes secrets from the `.dev.vars` file. Add `.dev.vars` to `.gitignore` immediately.

# .dev.vars (Local secrets - gitignored)
OPENROUTER_API_KEY="sk-or-v1-abcdef1234567890"
TURNSTILE_SECRET_KEY="0x4AAAAAAAKb..."

Implement a Backend-for-Frontend (BFF) pattern using Astro server-side edge routes. Instead of making raw client fetches to third-party endpoints, route them through isolated `/api/` endpoints (like `/api/enhance`). This keeps third-party API keys fully concealed from networks inspectors.

Live Implementation Reference: This site uses a secure BFF pattern in src/pages/api/enhance.ts which processes the OpenRouter API key completely server-side.

Protect forms against automated spamming. Integrate invisible **honeypot fields** (input elements that are physically hidden via CSS display configurations). Real users will ignore them, but automated scripts will blindly fill them. If the field is filled, silently discard the submission.

<!-- Honeypot Field -->
<div class="hidden" style="display:none;">
  <label>Do not fill this if you are human:</label>
  <input type="text" name="b_honeypot" autocomplete="off" />
</div>

Cloudflare Turnstile provides cryptographic bot challenges completely silently. Load the Turnstile widget in the client browser, capture the client token response, and verify the token server-side on your BFF routes before completing the requested action.

// Server-side verification inside edge function/worker API route
const outcome = await fetch("https://challenges.cloudflare.com/turnstile/v0/siteverify", {
  method: "POST",
  headers: { "Content-Type": "application/x-www-form-urlencoded" },
  body: new URLSearchParams({
    secret: import.meta.env.TURNSTILE_SECRET_KEY,
    response: clientToken,
    remoteip: clientIP
  })
});
const verification = await outcome.json();
if (!verification.success) return new Response("Bot challenge failed", { status: 403 });

Validate payload size and structure strictly. Enforce correct request header parameters such as `Content-Type: application/json` and reject unexpected parameters or excessively large payloads (e.g. capping request size to 100KB) immediately to protect serverless worker memory allocation limit.

Production code should never expose source map layouts to client inspector tools. Exposing source maps permits anyone to reconstruct your exact TypeScript development sources. Always disable source maps in production builds by updating your Astro configuration file.

// astro.config.mjs (Disable Source-maps)
export default defineConfig({
  vite: {
    build: {
      sourcemap: false // Block client-side source reconstruction
    }
  }
});

Leverage Cloudflare Web Application Firewall rules to drop malicious actors before they can hit edge endpoints. Set custom rules in WAF to block scanner user-agents (e.g. Nessus, Nmap, sqlmap) or trigger automatic challenges for requests that originate from non-browser structures.

Define strict rate limits for high-risk endpoints (such as `/api/enhance`). In the Cloudflare Dashboard, configure a rule to block or present challenge screens to any IP submitting more than 60 requests per minute.

Configure security headers to protect browsers from cross-site scripting and frame-jacking. Cloudflare Pages allows configuring headers using a simple `_headers` text file placed inside your `public/` directory so it compiles flush at the root folder.

# public/_headers (Configure secure header bindings)
/*
  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://challenges.cloudflare.com;
  Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  Referrer-Policy: strict-origin-when-cross-origin

Enable **Cloudflare Scrape Shield** in the dashboard under Scrape Shield. This automatically obfuscates email addresses and hides marked portions of source templates from bots, without altering how actual users view the page elements.

Always perform compile tests and local checks before triggering deployments. Deploy to Cloudflare using pre-compiled targets ONLY via Wrangler tools: `npx wrangler pages deploy dist`. This prevents sending dev configuration files directly to the hosting serverless environment.

Maintain complete infrastructure hardening metrics by tracking checks on the **Astro + Cloudflare Compliance Audit Checklist** at the top of this tab dashboard. Ensure all checks are fortified to keep your serverless application perfectly secured at the network edge.