
Checklist for Reviewing AI-Generated Cloudflare Workers

A human review checklist for Cloudflare Workers code written by AI coding agents: runtime constraints, KV, D1, bindings, and security at the edge.

Updated June 8, 2026

Cloudflare Workers run in a runtime that is neither Node.js nor a browser. AI agents trained on Node.js code reach for APIs that fail silently or are missing entirely at the edge.

Correctness

[ ] Worker exports a fetch handler with the correct signature: (request, env, ctx)
[ ] No use of Node.js built-ins — no fs, path, os, net, child_process, or crypto from 'node:crypto' without the nodejs_compat flag
[ ] crypto.randomUUID() and crypto.subtle are accessed via the global — not imported
[ ] setTimeout and setInterval are used only for short delays — no long-running timers
[ ] ctx.waitUntil() wraps any async work that must complete after the response is sent
[ ] All bindings (KV, D1, R2, Queue, AI) are accessed via env, not as module-level globals
[ ] Durable Object stubs are obtained via env.MY_DO.idFromName() or idFromString() — not constructed directly
[ ] Durable Object state.storage calls are awaited — they are async
[ ] R2 object body is consumed — unclosed readable streams cause memory leaks
[ ] Scheduled handlers export a scheduled() function, not fetch()
[ ] wrangler.toml [vars] only holds non-secret config — secrets go in wrangler secret put
[ ] Top-level await is used with care — Workers support it at module scope, but some bundlers break it

Security

[ ] Incoming requests validate the Content-Type header before parsing the body
[ ] User-supplied values are not interpolated into KV key names without sanitization
[ ] D1 queries use parameterized bindings — no string concatenation for SQL
[ ] CORS headers on cross-origin endpoints are explicit and not set to * for credentialed requests
[ ] Secrets are read from env, never hardcoded in source or wrangler.toml [vars]
[ ] Webhook endpoints verify signatures (e.g. Stripe-Signature, X-Hub-Signature-256) before processing
[ ] Responses do not leak internal error stack traces — catch and return generic 500
[ ] Auth tokens from headers are validated server-side — not just decoded and trusted
[ ] KV keys containing user IDs are namespaced per tenant to prevent cross-tenant reads
[ ] Queue consumers validate message shape before processing — malformed messages can DLQ-loop

Performance

[ ] CPU time stays under 10ms for free tier, 30ms for paid — no synchronous heavy computation
[ ] KV reads in hot paths use the cache TTL parameter to avoid remote fetches on every request
[ ] D1 queries are batched with db.batch() where possible to reduce round trips
[ ] Large response bodies are streamed — do not buffer multi-MB payloads in memory
[ ] Assets served from R2 set Cache-Control headers and use cf.cacheEverything where applicable
[ ] No N+1 KV or D1 calls inside a loop — batch or restructure data access
[ ] fetch() calls to external services set an AbortController timeout
[ ] Worker bundle size is under 1 MB compressed — verify with wrangler deploy --dry-run

Deployment

[ ] wrangler.toml account_id and zone_id do not contain real values in source control
[ ] All KV namespaces and D1 databases referenced in wrangler.toml are created in the dashboard
[ ] Routes in wrangler.toml match the intended host pattern — trailing /* is often required
[ ] compatibility_date is set and up-to-date — behavior changes with each compat date
[ ] nodejs_compat flag is enabled in wrangler.toml when using node: imports
[ ] Preview deployments use separate KV namespace bindings from production
[ ] Secrets are set in both production and preview environments via wrangler secret put --env
[ ] Worker name in wrangler.toml does not collide with an existing production Worker
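A wrangler.toml that satisfies the Deployment items above, shown as an added example rather than a file from the page: secrets kept out of [vars], a pinned compatibility_date, nodejs_compat only when node: imports exist, committed IDs replaced by placeholders, a route with the trailing /*, and separate KV and D1 bindings for the preview environment. All names, routes and IDs are constructed.

```toml
# Added example (not from the page). Names, routes and IDs are constructed placeholders.
name = "webhook-worker"                # must not collide with an existing production Worker
main = "src/index.js"
compatibility_date = "2025-06-01"      # pin it and bump deliberately; behaviour follows this date
compatibility_flags = ["nodejs_compat"]  # only if the code really uses node: imports

# account_id / zone_id are intentionally absent: supply them via CI environment
# variables instead of committing real values to source control.

routes = [
  { pattern = "example.test/webhooks/*", zone_name = "example.test" }  # trailing /* required
]

[vars]
LOG_LEVEL = "info"                     # non-secret config only
# WEBHOOK_SECRET = "..."               # WRONG: never put secrets in [vars]. Use instead:
#                                      #   wrangler secret put WEBHOOK_SECRET
#                                      #   wrangler secret put WEBHOOK_SECRET --env preview

[[kv_namespaces]]
binding = "EVENTS"                     # the name the code reads as env.EVENTS
id = "<PLACEHOLDER_PROD_KV_ID>"        # namespace must already exist

[[d1_databases]]
binding = "DB"
database_name = "events-prod"
database_id = "<PLACEHOLDER_PROD_D1_ID>"

# Preview gets its own namespaces so test traffic never touches production data.
[env.preview]
routes = [
  { pattern = "preview.example.test/webhooks/*", zone_name = "example.test" }
]

[[env.preview.kv_namespaces]]
binding = "EVENTS"
id = "<PLACEHOLDER_PREVIEW_KV_ID>"

[[env.preview.d1_databases]]
binding = "DB"
database_name = "events-preview"
database_id = "<PLACEHOLDER_PREVIEW_D1_ID>"
```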

AI-Specific Risks

[ ] AI has not used process.env — the environment in Workers is the env parameter, not process.env
[ ] AI has not used require() — Workers use ES modules
[ ] AI has not used __dirname or __filename — not available in the Workers runtime
[ ] AI has not used Buffer — use Uint8Array or TextEncoder/TextDecoder instead
[ ] AI has not fabricated KV methods — only get, put, delete, list, and getWithMetadata exist
[ ] AI has not used D1 syntax from a different SQLite driver (e.g. better-sqlite3)
[ ] AI has not assumed fetch() returns a Node.js IncomingMessage — it returns a Web API Response
[ ] Hono, itty-router, or other framework version is current — AI may use deprecated APIs

Fix Prompt

Review this Cloudflare Worker against the checklist above. Replace any Node.js
APIs with Web API equivalents, parameterize all D1 queries, move secrets to
env, and add ctx.waitUntil() for background work. Ensure the wrangler.toml
bindings match what the code reads from env. Return the corrected Worker and
updated wrangler.toml.