workers-best-practices

Cloudflare Workers code review and authoring against production best practices.

  • Retrieves latest Workers APIs, types, and wrangler configuration schema before reviewing or writing code; biases towards live documentation over pre-trained knowledge
  • Covers 40+ best practice rules across configuration, request/response handling, architecture, observability, code patterns, and security
  • Flags 15+ common anti-patterns including unbounded streaming, floating promises, global request state, hardcoded secrets, and unsafe crypto usage
  • Provides structured review workflow: retrieve references, validate types and config, check patterns and security, validate with tools

INSTALLATION
npx skills add https://github.com/cloudflare/skills --skill workers-best-practices
Run in your project or agent environment. Adjust flags if your CLI version differs.

SKILL.md

# Fetch latest workers types
mkdir -p /tmp/workers-types-latest && \
  npm pack @cloudflare/workers-types --pack-destination /tmp/workers-types-latest && \
  tar -xzf /tmp/workers-types-latest/cloudflare-workers-types-*.tgz -C /tmp/workers-types-latest
# Types at /tmp/workers-types-latest/package/index.d.ts

Reference Documentation

  • references/rules.md — all best practice rules with code examples and anti-patterns
  • references/review.md — type validation, config validation, binding access patterns, review process

Rules Quick Reference

Configuration

| Rule | Summary |
| --- | --- |
| Compatibility date | Set compatibility_date to today on new projects; update periodically on existing ones |
| nodejs_compat | Enable the nodejs_compat flag — many libraries depend on Node.js built-ins |
| wrangler types | Run wrangler types to generate Env — never hand-write binding interfaces |
| Secrets | Use wrangler secret put, never hardcode secrets in config or source |
| wrangler.jsonc | Use JSONC config for non-secret settings — newer features are JSON-only |

Request & Response Handling

| Rule | Summary |
| --- | --- |
| Streaming | Stream large/unknown payloads — never await response.text() on unbounded data |
| waitUntil | Use ctx.waitUntil() for post-response work; do not destructure ctx |

Architecture

| Rule | Summary |
| --- | --- |
| Bindings over REST | Use in-process bindings (KV, R2, D1, Queues) — not the Cloudflare REST API |
| Queues & Workflows | Move async/background work off the critical path |
| Service bindings | Use service bindings for Worker-to-Worker calls — not public HTTP |
| Hyperdrive | Always use Hyperdrive for external PostgreSQL/MySQL connections |

Observability

| Rule | Summary |
| --- | --- |
| Logs & Traces | Enable observability in config with head_sampling_rate; use structured JSON logging |

Code Patterns

| Rule | Summary |
| --- | --- |
| No global request state | Never store request-scoped data in module-level variables |
| Floating promises | Every Promise must be awaited, returned, voided, or passed to ctx.waitUntil() |
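
The cross-request leak behind the "No global request state" rule, as an added example that is not part of the skill: two overlapping requests in one isolate, first with a module-level variable and then with request-local state. The X-User header, the timer standing in for awaited I/O, and all names are constructed for illustration.

```javascript
// Added example (not from the skill). Handlers follow the Workers
// fetch(request) shape but run anywhere Request/Response are global.

// Stands in for any awaited I/O (KV read, subrequest, D1 query).
const tick = () => new Promise((resolve) => setTimeout(resolve, 5));

// Anti-pattern: request-scoped data kept in a module-level variable.
let currentUser = null;
const leakyWorker = {
  async fetch(request) {
    currentUser = request.headers.get("X-User"); // constructed header
    await tick(); // another request can run here and overwrite currentUser
    return new Response(`hello ${currentUser}`);
  },
};

// Corrected: the value lives in a local and is passed along explicitly.
const scopedWorker = {
  async fetch(request) {
    const user = request.headers.get("X-User");
    await tick();
    return new Response(`hello ${user}`);
  },
};

// Send two overlapping requests to the same handler and collect both bodies.
async function raceTwoUsers(worker) {
  const requestFor = (user) =>
    new Request("https://example.test/", { headers: { "X-User": user } });
  const [first, second] = await Promise.all([
    worker.fetch(requestFor("alice")),
    worker.fetch(requestFor("bob")),
  ]);
  return [await first.text(), await second.text()];
}
```

With `leakyWorker`, alice's response is built from bob's value because the second request overwrote the shared variable while the first was suspended; `scopedWorker` returns each caller's own value.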

Security

| Rule | Summary |
| --- | --- |
| Web Crypto | Use crypto.randomUUID() / crypto.getRandomValues() — never Math.random() for security |
| No passThroughOnException | Use explicit try/catch with structured error responses |

Anti-Patterns to Flag

| Anti-pattern | Why it matters |
| --- | --- |
| await response.text() on unbounded data | Memory exhaustion — 128 MB limit |
| Hardcoded secrets in source or config | Credential leak via version control |
| Math.random() for tokens/IDs | Predictable, not cryptographically secure |
| Bare fetch() without await or waitUntil | Floating promise — dropped result, swallowed error |
| Module-level mutable variables for request state | Cross-request data leaks, stale state, I/O errors |
| Cloudflare REST API from inside a Worker | Unnecessary network hop, auth overhead, added latency |
| ctx.passThroughOnException() as error handling | Hides bugs, makes debugging impossible |
| Hand-written Env interface | Drifts from actual wrangler config bindings |
| Direct string comparison for secret values | Timing side-channel — use crypto.subtle.timingSafeEqual |
| Destructuring ctx (const { waitUntil } = ctx) | Loses this binding — throws "Illegal invocation" at runtime |
| any on Env or handler params | Defeats type safety for all binding access |
| as unknown as T double-cast | Hides real type incompatibilities — fix the design |
| implements on platform base classes (instead of extends) | Legacy — loses this.ctx, this.env. Applies to DurableObject, WorkerEntrypoint, Workflow |
| env.X inside platform base class | Should be this.env.X in classes extending DurableObject, WorkerEntrypoint, etc. |
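
One way to avoid the "direct string comparison for secret values" anti-pattern, as an added example that is not the skill's own code. It assumes a secret named API_TOKEN and a Bearer scheme (both hypothetical), and falls back to node:crypto's timingSafeEqual where crypto.subtle.timingSafeEqual is not available, so it also runs outside Workers.

```javascript
// Added example (not from the skill). Runs in Workers and, for local testing, in Node.
const encoder = new TextEncoder();

// Compare two strings without leaking where they first differ.
// Hashing first gives both inputs the same length (32 bytes), so the
// comparison does not depend on the secret's length either.
async function secretsMatch(presented, expected) {
  // Workers provide crypto.subtle.timingSafeEqual (non-standard). Elsewhere,
  // fall back to node:crypto, which nodejs_compat also exposes in Workers.
  const hasSubtleCompare =
    typeof globalThis.crypto?.subtle?.timingSafeEqual === "function";
  const node = hasSubtleCompare ? null : await import("node:crypto");
  const subtle = globalThis.crypto?.subtle ?? node.webcrypto.subtle;
  const [a, b] = await Promise.all([
    subtle.digest("SHA-256", encoder.encode(presented)),
    subtle.digest("SHA-256", encoder.encode(expected)),
  ]);
  return node
    ? node.timingSafeEqual(new Uint8Array(a), new Uint8Array(b))
    : subtle.timingSafeEqual(a, b);
}

const json = (body, status) =>
  new Response(JSON.stringify(body), {
    status,
    headers: { "Content-Type": "application/json" },
  });

// In a Worker module this object would be the default export.
// env.API_TOKEN is an assumed secret name, set with `wrangler secret put`.
const authWorker = {
  async fetch(request, env) {
    try {
      if (!env.API_TOKEN) throw new Error("API_TOKEN is not configured"); // fail closed
      const presented = request.headers.get("Authorization") ?? "";
      const ok = await secretsMatch(presented, `Bearer ${env.API_TOKEN}`);
      return ok ? json({ ok: true }, 200) : json({ error: "unauthorized" }, 401);
    } catch (err) {
      // Explicit error path instead of ctx.passThroughOnException().
      console.error(JSON.stringify({ level: "error", message: String(err) }));
      return json({ error: "internal error" }, 500);
    }
  },
};
```

The missing-secret check matters: without it, an unset binding would make the expected value the literal string "Bearer undefined", which a caller could present.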

Review Workflow

  • Retrieve — fetch latest best practices page, workers types, and wrangler schema
  • Read full files — not just diffs; context matters for binding access patterns
  • Check types — binding access, handler signatures, no any, no unsafe casts (see references/review.md)
  • Check config — compatibility_date, nodejs_compat, observability, secrets, binding-code consistency
  • Check patterns — streaming, floating promises, global state, serialization boundaries
  • Check security — crypto usage, secret handling, timing-safe comparisons, error handling
  • Validate with tools: npx tsc --noEmit, lint for no-floating-promises
  • Reference rules — see references/rules.md for each rule's correct pattern

Scope

This skill covers Workers-specific best practices and code review. For related topics:

  • Durable Objects: load the durable-objects skill
  • Wrangler CLI commands: load the wrangler skill

Principles

  • Be certain. Retrieve before flagging. If unsure about an API, config field, or pattern, fetch the docs first.
  • Provide evidence. Reference line numbers, tool output, or docs links.
  • Focus on what developers will copy. Workers code in examples and docs gets pasted into production.
  • Correctness over completeness. A concise example that works beats a comprehensive one with errors.