Cloudflare Docs

Cloudflare Docs

Overview
Get started
CLI
Dashboard
Quickstarts
Examples
Tutorials
Playground
Configuration
Bindings
Compatibility dates
Continuous integration
Cron Triggers
Environment variables
Integrations
APIs
External Services
Momento
Page Rules
Routes and domains
Custom Domains
Routes
workers.dev
Secrets
Smart Placement (beta)
Versions & Deployments
Gradual deployments
Rollbacks
Workers Sites
Start from existing
Start from scratch
Start from Worker
Workers Sites configuration
Runtime APIs
Bindings (env)
AI
Analytics Engine
Browser Rendering
D1
Dispatcher (Workers for Platforms)
Durable Objects
Environment Variables
Hyperdrive
KV
mTLS
Queues
R2
Rate Limiting
Secrets
Service bindings
HTTP
RPC (WorkerEntrypoint)
Vectorize
Version metadata
Cache
Console
Context (ctx)
Encoding
Fetch
Handlers
Alarm Handler
Email Handler
Fetch Handler
Queue Handler
Scheduled Handler
Tail Handler
Headers
HTMLRewriter
Node.js compatibility
assert
AsyncLocalStorage
Buffer
Crypto
Diagnostics Channel
EventEmitter
path
process
Streams
StringDecoder
test
util
Performance and timers
Remote-procedure call (RPC)
Lifecycle
Reserved Methods
Visibility and Security Model
TypeScript
Error handling
Request
Response
Streams
ReadableStream
ReadableStream BYOBReader
ReadableStream DefaultReader
TransformStream
WritableStream
WritableStream DefaultWriter
TCP sockets
Web Crypto
Web standards
WebAssembly (Wasm)
Wasm in JavaScript
WebSockets
Databases
Connect to databases
Analytics Engine
Vectorize (vector database)
Cloudflare D1
Hyperdrive
Database Integrations (beta)
Neon
PlanetScale
Supabase
Turso
Upstash
Xata
Testing
Local development
Unit testing
Integration testing
Debugging tools
Vitest integration
Get started
Write your first test
Migrate from Miniflare 2's test environments
Migrate from unstable_dev
Recipes
Configuration
Test APIs
Isolation and concurrency
Known issues
Observability
Baselime integration (beta)
Errors and exceptions
Logging
Logpush
Real-time logs
Tail Workers
Metrics and analytics
Sentry integration (beta)
Source maps and stack traces
Wrangler
Install/Update Wrangler
API
Bundling
Commands
Configuration
Custom builds
Deprecations
Environments
Migrations
Migrate from Wrangler v1 to v2
1. Migrate webpack projects
2. Update to Wrangler v2
Wrangler v1 (legacy)
Install / Update
Authentication
Commands
Configuration
Webpack
Migrate from Wrangler v2 to v3
Run in CI/CD
System environment variables
Languages
JavaScript
Examples
TypeScript
Examples
Python
How Python Workers Work
Standard Library
Examples
Foreign Function Interface (FFI)
Packages
FastAPI
Langchain
Rust
Supported crates
Platform
Pricing
Changelog
Workers (Historic)
Wrangler
Limits
Choose a data or storage product
Betas
Known issues
Workers for Platforms
Reference
How the Cache works
How Workers works
Migrate from Service Workers to ES Modules
Protocols
Security model
Glossary
AI Assistant

Using timingSafeEqual

Protect against timing attacks by safely comparing values using timingSafeEqual.

The crypto.subtle.timingSafeEqual function compares two values using a constant-time algorithm. The time taken is independent of the contents of the values.

When strings are compared using the equality operator (== or ===), the comparison will end at the first mismatched character. By using timingSafeEqual, an attacker would not be able to use timing to find where at which point in the two strings there is a difference.

The timingSafeEqual function takes two ArrayBuffer or TypedArray values to compare. These buffers must be of equal length, otherwise an exception is thrown.

In order to compare two strings, you must use the TextEncoder API. Since the time taken to encode the values may reveal the length of our secret value, you should check the length of the strings before encoding.

interface Environment {  MY_SECRET_VALUE?: string;
}

export default {  async fetch(req: Request, env: Environment) {    if (!env.MY_SECRET_VALUE) {      return new Response("Missing secret binding", { status: 500 });    }
    const authToken = req.headers.get("Authorization") || "";
    if (authToken.length !== env.MY_SECRET_VALUE.length) {      return new Response("Unauthorized", { status: 401 });    }
    const encoder = new TextEncoder();
    const a = encoder.encode(authToken);    const b = encoder.encode(env.MY_SECRET_VALUE);
    if (a.byteLength !== b.byteLength) {      return new Response("Unauthorized", { status: 401 });    }
    if (!crypto.subtle.timingSafeEqual(a, b)) {      return new Response("Unauthorized", { status: 401 });    }
    return new Response("Welcome!");  },
};

from js import Response, TextEncoder, crypto
async def on_fetch(request, env):    auth_token = request.headers["Authorization"] or ""    secret = env.MY_SECRET_VALUE
    if secret is None:        return Response.new("Missing secret binding", status=500)
    if len(auth_token) != len(secret):        return Response.new("Unauthorized", status=401)
    if a.byteLength != b.byteLength:        return Response.new("Unauthorized", status=401)
    encoder = TextEncoder.new()    a = encoder.encode(auth_token)    b = encoder.encode(secret)
    if not crypto.subtle.timingSafeEqual(a, b):        return Response.new("Unauthorized", status=401)
    return Response.new("Welcome!")