惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Hacker News - Newest:
Hacker News - Newest: "LLM"
Webroot Blog
Webroot Blog
S
Security @ Cisco Blogs
H
Heimdal Security Blog
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
www.infosecurity-magazine.com
www.infosecurity-magazine.com
N
News and Events Feed by Topic
H
Hacker News: Front Page
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
Application and Cybersecurity Blog
Application and Cybersecurity Blog
SecWiki News
SecWiki News
N
News | PayPal Newsroom
T
Tor Project blog
W
WeLiveSecurity
A
Arctic Wolf
Security Archives - TechRepublic
Security Archives - TechRepublic
S
Secure Thoughts
月光博客
月光博客
AWS News Blog
AWS News Blog
D
Docker
C
CERT Recently Published Vulnerability Notes
MyScale Blog
MyScale Blog
Google Online Security Blog
Google Online Security Blog
大猫的无限游戏
大猫的无限游戏
T
The Blog of Author Tim Ferriss
I
InfoQ
人人都是产品经理
人人都是产品经理
Recent Announcements
Recent Announcements
Google DeepMind News
Google DeepMind News
Hacker News: Ask HN
Hacker News: Ask HN
Blog — PlanetScale
Blog — PlanetScale
博客园 - 【当耐特】
Engineering at Meta
Engineering at Meta
Stack Overflow Blog
Stack Overflow Blog
Recorded Future
Recorded Future
罗磊的独立博客
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
T
The Exploit Database - CXSecurity.com
D
DataBreaches.Net
S
Security Affairs
WordPress大学
WordPress大学
T
Threatpost
Microsoft Security Blog
Microsoft Security Blog
V
Vulnerabilities – Threatpost
The Hacker News
The Hacker News
S
SegmentFault 最新的问题
B
Blog RSS Feed
Project Zero
Project Zero
P
Proofpoint News Feed

Flavio Copes

Workers Cache: a cache in front of your Cloudflare Worker Cloudflare Drop: drag a folder, get a live site Temporary Cloudflare accounts: agents can now deploy without signing up Moondream 3.1 on Workers AI: fast vision at the edge inferencecost.dev: what will AI inference cost you at 10k users? Sitebase: all the features your website needs, in one place StackPlan: figure out where to deploy your app, and what it How the Cloudflare Pages build cache works The Summer of Code How I generate an Open Graph image for every post New: 90 free tools for developers How I added search to my static site with Pagefind How to rebuild a Cloudflare site on a schedule Cloudflare Email Workers: run code when an email arrives Cloudflare Turnstile: stop bots without annoying CAPTCHAs Cloudflare Workers observability: logs and traces Cloudflare Analytics Engine: store and query metrics The AI Workshop (July 2026 cohort) Cloudflare Cron Triggers: run a Worker on a schedule Cloudflare Durable Objects: state that lives in one place Cloudflare Queues: run work in the background Cloudflare R2: object storage without egress fees Cloudflare KV: a key-value store for your Workers Cloudflare D1: a SQL database for your Workers Serving a website with Cloudflare Workers static assets Wrangler: the Cloudflare Workers command line tool Executor: one gateway to connect your AI agent to every tool Cloudflare Workers: your first serverless function Vercel eve: an open framework for building AI agents Flue: the open framework for building AI agents Val Town: write and deploy code in seconds A hands-on guide to The Agency, a collection of AI agents The AI Workshop (June 2026 cohort) The AI Workshop (May 2026 cohort) The AI Workshop (Apr 2026 cohort)
Cloudflare Workers: secrets and environments
Flavio Copes · 2026-07-01 · via Flavio Copes

By Flavio Copes

How to handle config, secrets, and multiple environments (staging, production) in Cloudflare Workers without leaking anything.

~~~

Every real app has two kinds of config: stuff that’s fine to see, and stuff that must stay secret. And most apps run in more than one place: production, and at least a staging copy to test on.

Cloudflare Workers handle both cleanly. Let me walk through how I set it up.

Plain variables

For config that isn’t sensitive, like a feature flag or your app’s public URL, use vars in wrangler.jsonc:

{
  "vars": {
    "APP_URL": "https://myapp.com",
    "DEBUG_LOG": "0"
  }
}

These show up on env in your Worker:

export default {
  async fetch(request, env) {
    return new Response(env.APP_URL)
  },
}

These live in your config file, in your repo. So only put things here that you’re fine with the world seeing.

Secrets

API keys, tokens, signing keys: these must never go in your repo. They’re secrets, and you set them with Wrangler:

npx wrangler secret put STRIPE_KEY

It prompts you for the value, encrypts it, and stores it on Cloudflare. It’s not written to any file. In your code, a secret looks exactly like a var:

const key = env.STRIPE_KEY

The difference is where it lives. Vars are in your config; secrets are encrypted on Cloudflare and never in your repo.

Secrets in local development

When you run wrangler dev, you still need those secrets, but you obviously don’t want the real production ones on your laptop.

Put local values in a file called .dev.vars:

STRIPE_KEY=sk_test_local_key

Wrangler loads it automatically in dev. Add .dev.vars to your .gitignore so it never gets committed.

Multiple environments

Now the environments. You define named environments in your config, each with its own settings:

{
  "name": "myapp",
  "vars": { "APP_ENV": "dev" },
  "env": {
    "staging": {
      "name": "myapp-staging",
      "vars": { "APP_ENV": "staging" }
    },
    "production": {
      "name": "myapp-prod",
      "vars": { "APP_ENV": "production" }
    }
  }
}

Deploy a specific one with --env:

npx wrangler deploy --env production

Each environment is a separate Worker with its own name, its own URL, its own secrets. Set a secret for just production:

npx wrangler secret put STRIPE_KEY --env production

So staging can use test keys and production uses live ones, with no chance of mixing them up.

The gotcha that gets everyone

Here’s the one that cost me time, so learn it from me.

Environment blocks do not inherit the top-level config. If you put triggers, vars, or bindings at the top level, your named environments do not get them automatically. You have to repeat them inside each environment.

So if you have a cron trigger at the top level and a production environment, production won’t run the cron unless you also add the trigger inside the production block.

It feels wrong the first time, but it’s deliberate: every environment is fully explicit, so nothing leaks across by accident. When you add a binding, remember to add it to each environment that needs it.

The setup I use

Three environments: a local dev one, a staging copy that mirrors production, and production. Public config in vars, anything sensitive as a secret, local values in .dev.vars.

It’s a little boilerplate to repeat bindings per environment, but the payoff is that production and staging can never accidentally share a database or a key. The full reference is in the secrets docs and the environments docs.

~~~

Related posts about cloudflare: