Exercise 5: Dynamic Data Redaction
Objective
Intercept HTTP responses and dynamically mask sensitive data, but only for users in a specific Cloudflare Access group (e.g., contractors or external users).
This exercise teaches you how to build context-aware security controls that protect sensitive information based on user identity and access levels.
What You'll Learn
- Context-Aware Security: Apply different security policies based on user identity
- JWT Token Validation: Verify and decode Cloudflare Access tokens
- HTML Transformation: Use HTMLRewriter to modify page content dynamically
- Reverse Proxy Patterns: Implement transparent content filtering
Architecture Overview
User Request → Cloudflare Access → Worker (Reverse Proxy) → Origin Server

Inside the Worker, two paths run:
- Request path: JWT Validation → Group Membership Check → Access Decision
- Response path: HTMLRewriter Transform → Selective Redaction → Modified Response
- Authentication: Cloudflare Access handles user authentication
- Authorization: Worker checks group membership via JWT claims
- Content Processing: HTMLRewriter selectively redacts sensitive data
- Transparent Operation: Users see normal pages with appropriate data filtering
Prerequisites
Before starting this exercise, ensure you have:
- Cloudflare Access configured with user groups
- Understanding of JWT token validation
- Knowledge of HTMLRewriter API
- Basic understanding of reverse proxy patterns
Instructions
1. Cloudflare Access Setup
Configure Access to protect your application:
Create an Access application in the dashboard:
1. Go to Zero Trust → Access → Applications
2. Create a new application pointing to your origin server
3. Create a "contractors" group with specific users
4. Set up appropriate Access policies
2. Project Setup
Create a new Worker project for data redaction:
npm create cloudflare@latest data-redaction-worker -- --template=worker-only --type=ts
cd data-redaction-worker
npm install jose # For JWT verification
3. Configure Environment
Add the required configuration:
npx wrangler secret put AUTH_DOMAIN
# Example: https://your-team.cloudflareaccess.com
npx wrangler secret put CONTRACTOR_GROUP_ID
# Get this from your Access group configuration
4. Update Wrangler Configuration
Configure your worker to handle all routes:
name = "data-redaction-worker"
main = "src/index.ts"
compatibility_date = "2024-01-01"
# Route all requests through this worker. Top-level keys such as `routes` must
# appear before any [table] header: in TOML, every key after `[vars]` belongs to
# the vars table, so a `routes` entry placed there is silently ignored by wrangler.
routes = [
{ pattern = "your-protected-app.example.com/*", zone_name = "example.com" }
]
[vars]
ORIGIN_URL = "https://your-protected-app.example.com"
5. Implementation Challenge
Your task is to implement a Worker that:
- Acts as a reverse proxy to your protected application
- Validates Cloudflare Access JWT tokens from request headers
- Extracts group membership information from token claims
- Applies different content filtering based on user groups
- Uses HTMLRewriter to redact sensitive data for contractors
- Passes through unmodified content for internal users
- Handles edge cases like missing tokens or invalid groups
Key Requirements:
- Transparent reverse proxy operation
- JWT token validation with proper error handling
- Group-based content filtering decisions
- HTMLRewriter transformations for data redaction
- Maintain original page functionality while masking data
🔐 Hint: JWT Token Validation
Cloudflare Access tokens contain valuable claims:
{
"aud": "your-app-aud-id",
"email": "user@company.com",
"groups": ["contractors", "external-users"],
"iss": "https://your-team.cloudflareaccess.com",
"exp": 1627834567
}
The groups claim contains user group memberships.
🎨 Hint: HTMLRewriter Selectors
Target sensitive data with CSS selectors:
// Each redactor is an element handler: an object whose element(el) method rewrites the matched element
new HTMLRewriter()
.on('[data-sensitive="credit-card"]', new CreditCardRedactor())
.on('[data-sensitive="ssn"]', new SSNRedactor())
.on('.salary-info', new SalaryRedactor())
.on('#customer-details .phone', new PhoneRedactor())
.transform(response) // returns a new Response whose body is rewritten as it streams
⚡ Hint: Performance Optimization
Only apply HTMLRewriter when redaction is needed:
if (shouldRedactForUser) {
return new HTMLRewriter()
.on('[data-sensitive]', new SensitiveDataRedactor())
.transform(response);
}
return response; // Pass through unchanged
Testing Your Solution
- Access Setup: Verify Cloudflare Access is properly configured
- Group Membership: Test with users in different groups
- Token Validation: Confirm JWT verification works correctly
- Content Redaction: Verify sensitive data is masked appropriately
- Functionality: Ensure redacted pages remain fully functional
Success Criteria
Your implementation should:
- ✅ Successfully validate Cloudflare Access JWT tokens
- ✅ Extract group membership from token claims accurately
- ✅ Apply different redaction policies based on user groups
- ✅ Use HTMLRewriter to transform content dynamically
- ✅ Maintain page functionality while protecting sensitive data
- ✅ Handle authentication errors gracefully
- ✅ Pass through content unchanged for authorized users
Solution
🔒 Complete Dynamic Redaction System
Next Steps
After completing this exercise, you've built a sophisticated data protection system that:
- Applies context-aware security controls based on user identity
- Protects sensitive information from unauthorized access
- Maintains application functionality while ensuring data privacy
- Provides audit trails for compliance and monitoring
This pattern is essential for organizations that need to share applications with external partners while protecting sensitive internal data!