Cloudflare Docs

Cloudflare Docs

Overview
Get started
Guide
Quickstarts
Examples
Tutorials
Playground
Configuration
Bindings
Service bindings
Compatibility dates
Continuous integration
Cron Triggers
Deployments
Environment variables
Integrations
APIs
External Services
Momento
Page Rules
Routes and domains
Custom Domains
Routes
workers.dev
Secrets
Smart Placement (beta)
Workers Sites
Start from existing
Start from scratch
Start from Worker
Workers Sites configuration
Runtime APIs
Bindings
D1
Durable Objects
KV
mTLS
Queues
R2
Service bindings
Vectorize
Cache
Console
Encoding
Fetch
Handlers
Alarm Handler
Email Handler
Fetch Handler
Queue Handler
Scheduled Handler
Tail Handler
Headers
HTMLRewriter
Node.js compatibility
assert
AsyncLocalStorage
Buffer
Crypto
Diagnostics Channel
EventEmitter
path
process
Streams
StringDecoder
util
Performance and timers
Request
Response
Streams
ReadableStream
ReadableStream BYOBReader
ReadableStream DefaultReader
TransformStream
WritableStream
WritableStream DefaultWriter
TCP sockets
Web Crypto
Web standards
WebAssembly (Wasm)
Wasm in JavaScript
Rust
Supported crates
WebSockets
Databases
Connect to databases
Analytics Engine
Vectorize (vector database)
Cloudflare D1
Hyperdrive
Database Integrations (beta)
Neon
PlanetScale
Supabase
Turso
Upstash
Xata
Testing
Local development
Unit testing
Integration testing
Debugging tools
Vitest integration
Get started
Write your first test
Migrate from Miniflare 2's test environments
Migrate from unstable_dev
Recipes
Configuration
Test APIs
Isolation and concurrency
Known issues
Observability
Errors and exceptions
Logging
Logpush
Real-time logs
Tail Workers
Metrics and analytics
Sentry integration (beta)
Wrangler
Install/Update Wrangler
API
Bundling
Commands
Configuration
Custom builds
Deprecations
Environments
Migrations
Migrate from Wrangler v1 to v2
1. Migrate webpack projects
2. Update to Wrangler v2
Wrangler v1 (legacy)
Install / Update
Authentication
Commands
Configuration
Webpack
Migrate from Wrangler v2 to v3
Run in CI/CD
System environment variables
Platform
Pricing
Limits
Choose a data or storage product
Changelog
Wrangler
Betas
Known issues
Reference
How the Cache works
How Workers works
Languages
Migrate from Service Workers to ES Modules
Protocols
Security model
Glossary
AI Assistant

Using timingSafeEqual

Protect against timing attacks by safely comparing values using `timingSafeEqual`.

To avoid timing attacks in your code, you can replace equality checks with the crypto.timingSafeEqual function in your Workers application.

To use this function, create a new TextEncoder and encode the string values to instances of ArrayBuffer using encoder.encode. This is needed because crypto.subtle.timingSafeEqual compares ArrayBuffer instances, not strings. With the encoded values, replace the standard JavaScript equality check (===) with crypto.subtle.timingSafeEqual. Note that the strings must be the same length in order to compare to timingSafeEqual. The below code shows how to implement string equality checks with crypto.subtle.timingSafeEqual. Note that the example shown would apply to TypeScript and JavaScript:

const encoder = new TextEncoder();

const username = "foo";
const password = "bar";

if (username.length !== password.length) {  // Minimise the possibility of a timing attack via how long encoding takes on the strings
}

const a = encoder.encode(username)
const b = encoder.encode(password)

if (a.byteLength !== b.byteLength) {  // Strings must be the same length in order to compare  // with crypto.subtle.timingSafeEqual  return false
}

// The below code is vulnerable to timing attacks
// if (string1 === string2) { ... }

// You can replace it with `crypto.subtle.timingSafeEqual` by encoding the values
// you need to compare

let isEqual = crypto.subtle.timingSafeEqual(a,b)

if (isEqual) {  // The values are equal
} else {  // The values are not equal
}