workers-best-practices
Original:🇺🇸 English
Translated
Reviews and authors Cloudflare Workers code against production best practices. Load when writing new Workers, reviewing Worker code, configuring wrangler.jsonc, or checking for common Workers anti-patterns (streaming, floating promises, global state, secrets, bindings, observability). Biases towards retrieval from Cloudflare docs over pre-trained knowledge.
73installs
Sourcecloudflare/skills
Added on
NPX Install
npx skill4agent add cloudflare/skills workers-best-practicesTags
Translated version includes tags in frontmatterSKILL.md Content
View Translation Comparison →Your knowledge of Cloudflare Workers APIs, types, and configuration may be outdated. Prefer retrieval over pre-training for any Workers code task — writing or reviewing.
Retrieval Sources
Fetch the latest versions before writing or reviewing Workers code. Do not rely on baked-in knowledge for API signatures, config fields, or binding shapes.
| Source | How to retrieve | Use for |
|---|---|---|
| Workers best practices | Fetch | Canonical rules, patterns, anti-patterns |
| Workers types | See | API signatures, handler types, binding types |
| Wrangler config schema | | Config fields, binding shapes, allowed values |
| Cloudflare docs | Search tool or | API reference, compatibility dates/flags |
FIRST: Fetch Latest References
Before reviewing or writing Workers code, retrieve the current best practices page and relevant type definitions. If the project's has an older version, prefer the latest published version.
node_modulesbash
# Fetch latest workers types
mkdir -p /tmp/workers-types-latest && \
npm pack @cloudflare/workers-types --pack-destination /tmp/workers-types-latest && \
tar -xzf /tmp/workers-types-latest/cloudflare-workers-types-*.tgz -C /tmp/workers-types-latest
# Types at /tmp/workers-types-latest/package/index.d.tsReference Documentation
- — all best practice rules with code examples and anti-patterns
references/rules.md - — type validation, config validation, binding access patterns, review process
references/review.md
Rules Quick Reference
Configuration
| Rule | Summary |
|---|---|
| Compatibility date | Set |
| nodejs_compat | Enable the |
| wrangler types | Run |
| Secrets | Use |
| wrangler.jsonc | Use JSONC config for non-secret settings — newer features are JSON-only |
Request & Response Handling
| Rule | Summary |
|---|---|
| Streaming | Stream large/unknown payloads — never |
| waitUntil | Use |
Architecture
| Rule | Summary |
|---|---|
| Bindings over REST | Use in-process bindings (KV, R2, D1, Queues) — not the Cloudflare REST API |
| Queues & Workflows | Move async/background work off the critical path |
| Service bindings | Use service bindings for Worker-to-Worker calls — not public HTTP |
| Hyperdrive | Always use Hyperdrive for external PostgreSQL/MySQL connections |
Observability
| Rule | Summary |
|---|---|
| Logs & Traces | Enable |
Code Patterns
| Rule | Summary |
|---|---|
| No global request state | Never store request-scoped data in module-level variables |
| Floating promises | Every Promise must be |
Security
| Rule | Summary |
|---|---|
| Web Crypto | Use |
| No passThroughOnException | Use explicit try/catch with structured error responses |
Anti-Patterns to Flag
| Anti-pattern | Why it matters |
|---|---|
| Memory exhaustion — 128 MB limit |
| Hardcoded secrets in source or config | Credential leak via version control |
| Predictable, not cryptographically secure |
Bare | Floating promise — dropped result, swallowed error |
| Module-level mutable variables for request state | Cross-request data leaks, stale state, I/O errors |
| Cloudflare REST API from inside a Worker | Unnecessary network hop, auth overhead, added latency |
| Hides bugs, makes debugging impossible |
Hand-written | Drifts from actual wrangler config bindings |
| Direct string comparison for secret values | Timing side-channel — use |
Destructuring | Loses |
| Defeats type safety for all binding access |
| Hides real type incompatibilities — fix the design |
| Legacy — loses |
| Should be |
Review Workflow
- Retrieve — fetch latest best practices page, workers types, and wrangler schema
- Read full files — not just diffs; context matters for binding access patterns
- Check types — binding access, handler signatures, no , no unsafe casts (see
any)references/review.md - Check config — compatibility_date, nodejs_compat, observability, secrets, binding-code consistency
- Check patterns — streaming, floating promises, global state, serialization boundaries
- Check security — crypto usage, secret handling, timing-safe comparisons, error handling
- Validate with tools — , lint for
npx tsc --noEmitno-floating-promises - Reference rules — see for each rule's correct pattern
references/rules.md
Scope
This skill covers Workers-specific best practices and code review. For related topics:
- Durable Objects: load the skill
durable-objects - Workflows: see Rules of Workflows
- Wrangler CLI commands: load the skill
wrangler
Principles
- Be certain. Retrieve before flagging. If unsure about an API, config field, or pattern, fetch the docs first.
- Provide evidence. Reference line numbers, tool output, or docs links.
- Focus on what developers will copy. Workers code in examples and docs gets pasted into production.
- Correctness over completeness. A concise example that works beats a comprehensive one with errors.