@appwarden/middleware

Overview

@appwarden/middleware is open source software that can be installed on your Cloudflare or Vercel-hosted website to enable Appwarden to quarantine your website during a security incident. Read the Core Features and Installation sections to learn more.

For a guided setup, start with Protect your Cloudflare project with Appwarden for Cloudflare deployments or Protect your Vercel project with Appwarden for Vercel deployments. If you are configuring protected hostnames or CSP behavior, take a look at the domain configuration guide and Content Security Policy guide.

Core Features

Discord Integration: Quarantine your website via Discord commands (/quarantine [un]lock)
Instant Quarantine: Immediately redirects all visitors to a lock page when activated to stop in progress attacks.
Nonce-based Content Security Policy (See Feature Compatibility): Deploy a nonce-based Content Security Policy (CSP) using HTML rewriting on Cloudflare where supported.
Minimal Runtime Overhead: Negligible performance impact by using event.waitUntil for status checks

Feature Compatibility

The table below summarizes which Appwarden features are available on each platform, including quarantine enforcement and Content Security Policy (CSP) support (with or without nonces).

Platform / Adapter	Package / entrypoint	Quarantine	CSP	CSP Nonce
Cloudflare – Universal middleware	`@appwarden/middleware/cloudflare`	✅	✅	✅
Cloudflare – Astro	`@appwarden/middleware/cloudflare/astro`	✅	✅	✅
Cloudflare – React Router	`@appwarden/middleware/cloudflare/react-router`	✅	✅	✅
Cloudflare – TanStack Start	`@appwarden/middleware/cloudflare/tanstack-start`	✅	✅	✅
Cloudflare – Next.js (OpenNext adapter)	`@appwarden/middleware/cloudflare/nextjs`	✅	✅	❌
Vercel - Universal middleware	`@appwarden/middleware/vercel`	✅	✅	❌

Nonce-based CSP requires HTML rewriting and is only available on Cloudflare. Next.js on Cloudflare (OpenNext) and Vercel Edge Middleware apply CSP headers only and do not support nonces. If you are using Next.js on Cloudflare, please use the Cloudflare Universal middleware for CSP nonce support.

Configuration

The following options are shared across the Cloudflare and Vercel middleware bundles.

`lockPageSlug`

The path or route (for example, /maintenance) to redirect users to when the domain is quarantined. This should be a working page on your site, such as a maintenance or status page, that explains why the website is temporarily unavailable.

`contentSecurityPolicy` (optional)

Controls the Content Security Policy headers that Appwarden adds. This configuration is optional—if not provided, no CSP header will be applied.

When provided, both mode and directives are required:

mode controls how the CSP is applied:
- "disabled" – no CSP header is sent.
- "report-only" – sends the Content-Security-Policy-Report-Only header so violations are reported (for example in the browser console) but not blocked.
- "enforced" – sends the Content-Security-Policy header so violations are actively blocked.
When developing or iterating on your CSP, we recommend starting with "report-only" so you can identify and fix violations before switching to "enforced".

directives is an object whose keys are CSP directive names and whose values are arrays of allowed sources. For example:

1
contentSecurityPolicy: {
2
  mode: "enforced",
3
  directives: {
4
    "script-src": ["'self'", "{{nonce}}"],
5
    "style-src": ["'self'", "{{nonce}}"],
6
  },
7
}

To add a nonce to a directive (See Feature Compatibility), include the "{{nonce}}" placeholder in the list of sources.

`appwardenApiToken`

The Appwarden API token used to authenticate requests to the Appwarden API. See the API token management guide for details on creating and managing your token.

Treat this token as a secret (similar to a password): do not commit it to source control and store it in environment variables or secret management where possible. Appwarden stores API tokens using AES-GCM encryption and does not display them after creation.

`cacheUrl` (Vercel only)

The URL or connection string of the cache provider (for example, Upstash or Vercel Edge Config) that stores the quarantine status for your domain. See the Vercel integration guide for cache provider configuration details.

`vercelApiToken` (Vercel only)

A Vercel API token that Appwarden uses to manage the Vercel Edge Config cache provider that synchronizes the quarantine status of your domain. See the Vercel integration guide for cache provider configuration details.

Appwarden never stores or logs your Vercel API token; it is used only to manage the quarantine status cache for your domain.

Installation

Compatible with websites powered by Cloudflare or Vercel.

For more background and advanced configuration, see the Appwarden documentation.

1. Cloudflare

1.1 Universal Middleware (direct Cloudflare Worker usage)

The Universal Middleware (@appwarden/middleware/cloudflare) is the recommended way to install Appwarden on Cloudflare. The easiest way to deploy this universal middleware is via our build-cloudflare-action; see the Cloudflare integration guide for workflow details. If you prefer to manage your own Cloudflare Worker instead of using the GitHub Action, you can mount the universal Cloudflare middleware directly using the @appwarden/middleware/cloudflare bundle:

1
import { createAppwardenMiddleware } from "@appwarden/middleware/cloudflare"
2

3
const appwardenHandler = createAppwardenMiddleware((cloudflare) => ({
4
  debug: cloudflare.env.DEBUG,
5
  lockPageSlug: cloudflare.env.APPWARDEN_LOCK_PAGE_SLUG,
6
  appwardenApiToken: cloudflare.env.APPWARDEN_API_TOKEN,
7
  contentSecurityPolicy: {
8
    mode: cloudflare.env.CSP_MODE,
9
    directives: cloudflare.env.CSP_DIRECTIVES,
10
  },
11
}))
12

13
export default {
14
  fetch(request: Request, env: CloudflareEnv, ctx: ExecutionContext) {
15
    return appwardenHandler(request, env, ctx)
16
  },
17
}

See the Cloudflare integration docs on appwarden.io for environment variable setup and deployment details.

1.2 Cloudflare framework adapters

If you cannot use build-cloudflare-action, you can mount Appwarden inside your application using framework-specific adapters.

Currently, framework adapters do not automatically reflect your Appwarden domain configuration. You must manually provide the lockPageSlug and contentSecurityPolicy configuration in your code.

Astro on Cloudflare

1
import { sequence } from "astro:middleware"
2
import { createAppwardenMiddleware } from "@appwarden/middleware/cloudflare/astro"
3

4
const appwarden = createAppwardenMiddleware((cloudflare) => ({
5
  lockPageSlug: cloudflare.env.APPWARDEN_LOCK_PAGE_SLUG,
6
  appwardenApiToken: cloudflare.env.APPWARDEN_API_TOKEN,
7
  debug: cloudflare.env.DEBUG,
8
  contentSecurityPolicy: {
9
    // See Configuration > contentSecurityPolicy section for details
10
    mode: "report-only",
11
    directives: {
12
      "default-src": ["'self'"],
13
    },
14
  },
15
}))
16

17
export const onRequest = sequence(appwarden)

See the Astro + Cloudflare guide for more details.

React Router on Cloudflare

Set future.v8_middleware: true in your react-router.config.ts file

1
import { env } from "cloudflare:workers"
2
import { createAppwardenMiddleware } from "@appwarden/middleware/cloudflare/react-router"
3

4
export const middleware = [
5
  createAppwardenMiddleware(() => ({
6
    lockPageSlug: env.APPWARDEN_LOCK_PAGE_SLUG,
7
    appwardenApiToken: env.APPWARDEN_API_TOKEN,
8
    // "debug" can be a string or boolean; the schema will normalize it
9
    debug: env.DEBUG,
10
    // "directives" can be a JSON string or an object; the schema will parse it
11
    contentSecurityPolicy: {
12
      // See Configuration > contentSecurityPolicy section for details
13
      mode: "report-only",
14
      directives: {
15
        "default-src": ["'self'"],
16
      },
17
    },
18
  })),
19
]

See the React Router + Cloudflare guide for more details.

TanStack Start on Cloudflare

1
import { createMiddleware } from "@tanstack/start"
2
import { env } from "cloudflare:workers"
3
import { createAppwardenMiddleware } from "@appwarden/middleware/cloudflare/tanstack-start"
4

5
const appwardenMiddleware = createMiddleware().server(
6
  createAppwardenMiddleware(() => ({
7
    lockPageSlug: env.APPWARDEN_LOCK_PAGE_SLUG,
8
    appwardenApiToken: env.APPWARDEN_API_TOKEN,
9
    debug: env.DEBUG, // Accepts string or boolean
10
    contentSecurityPolicy: {
11
      // See Configuration > contentSecurityPolicy section for details
12
      mode: "report-only",
13
      directives: {
14
        "default-src": ["'self'"],
15
      },
16
    },
17
  })),
18
)
19

20
export const startInstance = createStart(() => ({
21
  requestMiddleware: [appwardenMiddleware],
22
}))

See the TanStack Start + Cloudflare guide for more details.

Next.js on Cloudflare (OpenNext)

1
// middleware.ts or proxy.ts
2
import { createAppwardenMiddleware } from "@appwarden/middleware/cloudflare/nextjs"
3

4
export const config = {
5
  matcher: ["/((?!api|_next/static|_next/image|favicon.ico).*)"],
6
}
7

8
export default createAppwardenMiddleware((cloudflare) => ({
9
  lockPageSlug: cloudflare.env.APPWARDEN_LOCK_PAGE_SLUG,
10
  appwardenApiToken: cloudflare.env.APPWARDEN_API_TOKEN,
11
  debug: cloudflare.env.DEBUG,
12
  // Headers-only CSP (no HTML rewriting, no nonce support; do not use `{{nonce}}` here)
13
  contentSecurityPolicy: {
14
    // See Configuration > contentSecurityPolicy section for details
15
    mode: "enforced",
16
    directives: {
17
      "default-src": ["'self'"],
18
    },
19
  },
20
}))

This adapter applies CSP headers only before origin (no HTML rewriting, no nonce injection). Nonce-based CSP ({{nonce}}) is not supported in this adapter; CSP directives must not include {{nonce}}.

2. Vercel

To use Appwarden as Vercel Edge Middleware, use the @appwarden/middleware/vercel bundle:

1
// middleware.ts (Next.js app on Vercel)
2
import { createAppwardenMiddleware } from "@appwarden/middleware/vercel"
3

4
const appwardenMiddleware = createAppwardenMiddleware({
5
  // Edge Config or Upstash KV URL
6
  cacheUrl: process.env.APPWARDEN_CACHE_URL!,
7
  // Required when using Vercel Edge Config
8
  vercelApiToken: process.env.APPWARDEN_VERCEL_API_TOKEN!,
9
  appwardenApiToken: process.env.APPWARDEN_API_TOKEN!,
10
  lockPageSlug: "/maintenance",
11
  contentSecurityPolicy: {
12
    // See Configuration > contentSecurityPolicy section for details
13
    mode: "report-only",
14
    directives: {
15
      "default-src": ["'self'"],
16
    },
17
  },
18
})
19

20
export default appwardenMiddleware

Nonce-based CSP ({{nonce}}) is not supported in Vercel Edge Middleware; CSP directives must not include {{nonce}}.

Supported platforms

Contributing

Contributions are welcome! Please feel free to submit a Pull Request.

Fork the repository
Create your feature branch (git checkout -b feature/amazing-feature)
Commit your changes using the Conventional Commits format
- This project enforces commit message format with commitlint
- Examples:
  - feat: add new feature
  - fix: resolve issue with X
  - docs: update README
  - chore: update dependencies
  - test: add tests for feature X
Push to the branch (git push origin feature/amazing-feature)
Open a Pull Request

Development

1
# Install dependencies
2
pnpm install
3

4
# Build the package
5
pnpm build
6

7
# Run tests
8
pnpm test

Security

Please review our security policy for details on how we handle vulnerabilities and how to report a security issue.

This package is published with npm trusted publishers, to prevent npm token exfiltration, and provenance enabled, which provides a verifiable link between the published package and its source code. For more information, see npm provenance documentation.

Versioning & dependencies

This project uses Conventional Commits and automated release tooling to keep versions and the changelog up to date.
Patch releases may include bug fixes and internal maintenance or dependency updates (for example, Cloudflare Workers types, Wrangler, and GitHub Action tooling). New features are shipped in minor releases.
See CHANGELOG.md for the complete release history.

License

This project is licensed under the MIT License - see the LICENSE file for details.