workers-best-practices
作者: Cloudflare
審查並指導 Cloudflare Workers 程式碼遵循生產最佳實踐。在撰寫新的 Workers、審查 Worker 程式碼、設定 wrangler.jsonc,或檢查常見的 Workers 反模式(串流、懸浮承諾、全域狀態、機密、綁定、可觀測性)時載入。傾向從 Cloudflare 文件檢索,而非依賴預先訓練的知識。
npx skills add https://github.com/cloudflare/skills --skill workers-best-practicesYour knowledge of Cloudflare Workers APIs, types, and configuration may be outdated. Prefer retrieval over pre-training for any Workers code task — writing or reviewing.
Retrieval Sources
Fetch the latest versions before writing or reviewing Workers code. Do not rely on baked-in knowledge for API signatures, config fields, or binding shapes.
| Source | How to retrieve | Use for |
|---|---|---|
| Workers best practices | Fetch https://developers.cloudflare.com/workers/best-practices/workers-best-practices/ | Canonical rules, patterns, anti-patterns |
| Workers types | See references/review.md for retrieval steps | API signatures, handler types, binding types |
| Wrangler config schema | node_modules/wrangler/config-schema.json | Config fields, binding shapes, allowed values |
| Cloudflare docs | Search tool or https://developers.cloudflare.com/workers/ | API reference, compatibility dates/flags |
FIRST: Fetch Latest References
Before reviewing or writing Workers code, retrieve the current best practices page and relevant type definitions. If the project's node_modules has an older version, prefer the latest published version.
# Fetch latest workers types
mkdir -p /tmp/workers-types-latest && \
npm pack @cloudflare/workers-types --pack-destination /tmp/workers-types-latest && \
tar -xzf /tmp/workers-types-latest/cloudflare-workers-types-*.tgz -C /tmp/workers-types-latest
# Types at /tmp/workers-types-latest/package/index.d.ts
Reference Documentation
references/rules.md— all best practice rules with code examples and anti-patternsreferences/review.md— type validation, config validation, binding access patterns, review process
Rules Quick Reference
Configuration
| Rule | Summary |
|---|---|
| Compatibility date | Set compatibility_date to today on new projects; update periodically on existing ones |
| nodejs_compat | Enable the nodejs_compat flag — many libraries depend on Node.js built-ins |
| wrangler types | Run wrangler types to generate Env — never hand-write binding interfaces |
| Secrets | Use wrangler secret put, never hardcode secrets in config or source |
| wrangler.jsonc | Use JSONC config for non-secret settings — newer features are JSON-only |
Request & Response Handling
| Rule | Summary |
|---|---|
| Streaming | Stream large/unknown payloads — never await response.text() on unbounded data |
| waitUntil | Use ctx.waitUntil() for post-response work; do not destructure ctx |
Architecture
| Rule | Summary |
|---|---|
| Bindings over REST | Use in-process bindings (KV, R2, D1, Queues) — not the Cloudflare REST API |
| Queues & Workflows | Move async/background work off the critical path |
| Service bindings | Use service bindings for Worker-to-Worker calls — not public HTTP |
| Hyperdrive | Always use Hyperdrive for external PostgreSQL/MySQL connections |
Observability
| Rule | Summary |
|---|---|
| Logs & Traces | Enable observability in config with head_sampling_rate; use structured JSON logging |
Code Patterns
| Rule | Summary |
|---|---|
| No global request state | Never store request-scoped data in module-level variables |
| Floating promises | Every Promise must be awaited, returned, voided, or passed to ctx.waitUntil() |
Security
| Rule | Summary |
|---|---|
| Web Crypto | Use crypto.randomUUID() / crypto.getRandomValues() — never Math.random() for security |
| No passThroughOnException | Use explicit try/catch with structured error responses |
Anti-Patterns to Flag
| Anti-pattern | Why it matters |
|---|---|
await response.text() on unbounded data | Memory exhaustion — 128 MB limit |
| Hardcoded secrets in source or config | Credential leak via version control |
Math.random() for tokens/IDs | Predictable, not cryptographically secure |
Bare fetch() without await or waitUntil | Floating promise — dropped result, swallowed error |
| Module-level mutable variables for request state | Cross-request data leaks, stale state, I/O errors |
| Cloudflare REST API from inside a Worker | Unnecessary network hop, auth overhead, added latency |
ctx.passThroughOnException() as error handling | Hides bugs, makes debugging impossible |
Hand-written Env interface | Drifts from actual wrangler config bindings |
| Direct string comparison for secret values | Timing side-channel — use crypto.subtle.timingSafeEqual |
Destructuring ctx (const { waitUntil } = ctx) | Loses this binding — throws "Illegal invocation" at runtime |
any on Env or handler params | Defeats type safety for all binding access |
as unknown as T double-cast | Hides real type incompatibilities — fix the design |
implements on platform base classes (instead of extends) | Legacy — loses this.ctx, this.env. Applies to DurableObject, WorkerEntrypoint, Workflow |
env.X inside platform base class | Should be this.env.X in classes extending DurableObject, WorkerEntrypoint, etc. |
Review Workflow
- Retrieve — fetch latest best practices page, workers types, and wrangler schema
- Read full files — not just diffs; context matters for binding access patterns
- Check types — binding access, handler signatures, no
any, no unsafe casts (seereferences/review.md) - Check config — compatibility_date, nodejs_compat, observability, secrets, binding-code consistency
- Check patterns — streaming, floating promises, global state, serialization boundaries
- Check security — crypto usage, secret handling, timing-safe comparisons, error handling
- Validate with tools —
npx tsc --noEmit, lint forno-floating-promises - Reference rules — see
references/rules.mdfor each rule's correct pattern
Scope
This skill covers Workers-specific best practices and code review. For related topics:
- Durable Objects: load the
durable-objectsskill - Workflows: see Rules of Workflows
- Wrangler CLI commands: load the
wranglerskill
Principles
- Be certain. Retrieve before flagging. If unsure about an API, config field, or pattern, fetch the docs first.
- Provide evidence. Reference line numbers, tool output, or docs links.
- Focus on what developers will copy. Workers code in examples and docs gets pasted into production.
- Correctness over completeness. A concise example that works beats a comprehensive one with errors.
來自 Cloudflare 的更多技能
agents-sdk
Cloudflare
在 Cloudflare Workers 上使用 Agents SDK 建置 AI 代理。建立有狀態代理、持久化工作流程、即時 WebSocket 應用程式、排程任務、MCP 伺服器或聊天應用程式時載入。涵蓋 Agent 類別、狀態管理、可呼叫 RPC、Workflows 整合及 React hooks。
official
building-ai-agent-on-cloudflare
Cloudflare
在 Cloudflare 上使用 Agents SDK 建置 AI 代理,具備狀態管理、即時 WebSocket、排程任務、工具整合及聊天功能。產生可部署至 Workers 的正式環境代理程式碼。 適用時機:使用者想「建置代理」、「AI 代理」、「聊天代理」、「有狀態代理」,提及「Agents SDK」,需要「即時 AI」、「WebSocket AI」,或詢問代理的「狀態管理」、「排程任務」或「工具呼叫」。
developmentofficial
building-mcp-server-on-cloudflare
Cloudflare
在 Cloudflare Workers 上建置遠端 MCP(模型上下文協定)伺服器,包含工具、OAuth 驗證與正式環境部署。可產生伺服器程式碼、設定驗證提供者,並部署至 Workers。 使用時機:使用者提及「建置 MCP 伺服器」、「建立 MCP 工具」、「遠端 MCP」、「部署 MCP」、為 MCP 加入「OAuth」,或提到 Cloudflare 上的模型上下文協定。亦會觸發於「MCP 驗證」或「MCP 部署」。
developmentofficial
cloudflare
Cloudflare
涵蓋 Cloudflare 平台的完整技能,包括 Workers、Pages、儲存(KV、D1、R2)、AI(Workers AI、Vectorize、Agents SDK)、網路(Tunnel、Spectrum)、安全(WAF、DDoS)以及基礎設施即程式碼(Terraform、Pulumi)。適用於任何 Cloudflare 開發任務。
official
durable-objects
Cloudflare
建立與審查 Cloudflare Durable Objects。適用於建構有狀態的協調機制(聊天室、多人遊戲、預訂系統)、實作 RPC 方法、SQLite 儲存、警報、WebSocket,或審查 DO 程式碼以符合最佳實務。涵蓋 Workers 整合、wrangler 設定,以及使用 Vitest 進行測試。
official
sandbox-sdk
Cloudflare
為安全程式碼執行建置沙盒應用程式。在建立AI程式碼執行、程式碼直譯器、CI/CD系統、互動式開發環境或執行不受信任的程式碼時載入。涵蓋Sandbox SDK生命週期、指令、檔案、程式碼直譯器及預覽URL。
official
web-perf
Cloudflare
使用 Chrome DevTools MCP 分析網頁效能。測量核心網頁指標(FCP、LCP、TBT、CLS、速度指數),識別渲染阻塞資源、網路依賴鏈、版面位移、快取問題及無障礙缺口。當被要求稽核、剖析、除錯或優化頁面載入效能、Lighthouse 分數或網站速度時使用。
official
wrangler
Cloudflare
Cloudflare Workers CLI,用於部署、開發及管理 Workers、KV、R2、D1、Vectorize、Hyperdrive、Workers AI、Containers、Queues、Workflows、Pipelines 與 Secrets Store。在執行 wrangler 指令前載入,以確保正確語法與最佳實踐。
official