industry2026-05-236 min read

Your file header is not a spec — how worker handlers become silent CDN leaks

Name: thMenu
Rating: 4.9 (127 reviews)
Author: thMenu

A Cloudflare Worker handler header said "serves affiliate/ prefix only" — the code enforced no such gate. SOC2 evidence + backup metadata were publicly fetchable. thMenu's PR #551 QQ F4 fix: a single-line `decoded.startsWith(affiliate/)` check.

thMenu Team

thmenu.com

Found this helpful? Share it.

X / Twitter LinkedIn

✦📈

industry

Why Digital Menus Increase Restaurant Revenue by Up to 30%

Studies show restaurants using digital QR menus see measurable increases in aver…

✦🔻

industry

When a Customer Downgrades, What Happens to Old Features? — The Silent Feature-Drift Problem in SaaS

Most SaaS apps run a single line of code when a customer downgrades — but old fe…

✦🛡️

industry

JWT alg-confusion attack — why Supabase's HS256 → RS256/JWKS migration breaks legacy verifiers

Verifiers that never decode the JWT header are wide open to `alg=none` and alg-c…

Your file header is not a spec — how worker handlers become silent CDN leaks

Related articles

Why Digital Menus Increase Restaurant Revenue by Up to 30%

When a Customer Downgrades, What Happens to Old Features? — The Silent Feature-Drift Problem in SaaS

JWT alg-confusion attack — why Supabase's HS256 → RS256/JWKS migration breaks legacy verifiers