Blog

Cloudflare Workers KV: CORS, cache keys that include Origin, and avoiding cross-tenant data leaks

When multiple SPAs share a Worker, partition KV keys by origin or tenant ID to prevent one Allow-Origin from serving another’s payload.

Published: 2027-03-06Updated: 2027-03-081 min read

cloudflareworkerscors

Bindings

Namespace limits differ by plan—monitor read units during traffic spikes.

Use transactional semantics only where supported; otherwise implement compare-and-swap in application code.

Subrequest filters should block private IP ranges from user-controlled URLs inside Workers.

Log origin headers alongside request IDs for forensic replay after incidents.