This project was developed primarily as a learning process to explore modern full-stack development on the edge. While it incorporates several industry-standard security practices, it is not intended to be a production-hardened financial or medical system.
The API includes a custom in-memory rate-limiting middleware to prevent basic spam and automated bot submissions. Note: In a distributed Cloudflare environment, this rate limit is per-isolate. For global rate limiting, a KV or Durable Object implementation would be required.
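To make the per-isolate point concrete, here is an added example of the kind of in-memory fixed-window limiter the paragraph describes. It is not the project's own middleware and is written framework-free so it runs as-is; the limit, window length, sweep threshold and the use of the `CF-Connecting-IP` header as the client key are assumptions. Because the `Map` lives inside one Worker isolate, counts are never shared across isolates or data centres, which is exactly the caveat above.

```typescript
// Added example (not the project's code): per-isolate in-memory rate limiter.

type Bucket = { count: number; windowStart: number };

class MemoryRateLimiter {
  private readonly buckets = new Map<string, Bucket>();

  constructor(
    private readonly limit: number,      // max requests per window per key (assumed)
    private readonly windowMs: number,   // window length in milliseconds (assumed)
    private readonly maxKeys = 10000,    // sweep expired buckets once the map is larger than this
    private readonly now: () => number = () => Date.now(), // injectable clock for tests
  ) {}

  // Decide whether one more request from `key` is allowed right now.
  check(key: string): { allowed: boolean; remaining: number; retryAfterSec: number } {
    const t = this.now();
    this.sweep(t);
    let b = this.buckets.get(key);
    if (b === undefined || t - b.windowStart >= this.windowMs) {
      b = { count: 0, windowStart: t };      // start a fresh window for this key
      this.buckets.set(key, b);
    }
    if (b.count >= this.limit) {
      const msLeft = b.windowStart + this.windowMs - t;
      return { allowed: false, remaining: 0, retryAfterSec: Math.ceil(msLeft / 1000) };
    }
    b.count += 1;
    return { allowed: true, remaining: this.limit - b.count, retryAfterSec: 0 };
  }

  // Drop expired buckets once the map is large, so a flood of requests from
  // many distinct keys cannot grow the limiter's own memory without bound.
  private sweep(t: number): void {
    if (this.buckets.size <= this.maxKeys) return;
    this.buckets.forEach((b, k) => {
      if (t - b.windowStart >= this.windowMs) this.buckets.delete(k);
    });
  }

  trackedKeys(): number {
    return this.buckets.size;
  }
}

// Cloudflare sets CF-Connecting-IP to the client address. If it is absent,
// fall back to one shared bucket rather than skipping the limit entirely.
function clientKey(headers: Record<string, string | undefined>): string {
  return headers['cf-connecting-ip'] ?? 'unknown';
}
```

In a Hono handler the middleware would call `check(clientKey(...))` and answer `429` with a `Retry-After` header built from `retryAfterSec` when `allowed` is false. The sweep is what keeps the limiter from becoming its own denial-of-service target when many distinct client addresses hit the API.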
All incoming API requests are strictly validated using Zod. This ensures that only well-formed data reaches our logic and database layers, preventing common injection or corruption issues.
We explicitly limit the size of incoming JSON payloads to 1 MB to prevent Denial of Service (DoS) attacks via oversized requests.
Cross-Origin Resource Sharing (CORS) is configured to only allow requests from the trusted frontend URL, preventing unauthorized third-party sites from interacting with the API.
The system implements a double-opt-in flow using unique tokens (generated via nanoid) to ensure that email addresses are valid and owned by the user before they are marked as verified.
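The double-opt-in flow above, as an added example that is not the project's code: a token is minted when verification is requested, sent out of band in a link, and the address is marked verified only when that exact token comes back unexpired and unused. The project generates tokens with nanoid; this example draws 128 random bits from Web Crypto and base64url-encodes them instead so it has no dependency, and the in-memory store, the TTL and the method names are assumptions (the project would persist these in its database).

```typescript
// Added example (not the project's code): double-opt-in token lifecycle.

type Pending = { email: string; expiresAt: number };

class DoubleOptIn {
  private readonly pending = new Map<string, Pending>(); // token -> awaiting confirmation
  private readonly verified = new Set<string>();

  constructor(
    private readonly ttlMs: number,                          // token lifetime (assumed)
    private readonly now: () => number = () => Date.now(),   // injectable clock for tests
    // Random source; defaults to Web Crypto, available in Workers, Node 19+, Deno and Bun.
    private readonly random: (n: number) => Uint8Array = (n) =>
      (globalThis as any).crypto.getRandomValues(new Uint8Array(n)),
  ) {}

  // Step 1: the form is submitted. Mint a token; the caller emails a link containing it.
  requestVerification(email: string): string {
    const token = toBase64Url(this.random(16)); // 128 bits of entropy, URL-safe
    // Revoke any earlier token for this address so only the newest link works.
    this.pending.forEach((p, t) => {
      if (p.email === email) this.pending.delete(t);
    });
    this.pending.set(token, { email, expiresAt: this.now() + this.ttlMs });
    return token;
  }

  // Step 2: the link is clicked. Returns the verified address, or null for an
  // unknown, expired or already-used token (callers should not distinguish these).
  confirm(token: string): string | null {
    const p = this.pending.get(token);
    if (p === undefined) return null;
    this.pending.delete(token); // single use: the token is consumed even if expired
    if (this.now() > p.expiresAt) return null;
    this.verified.add(p.email);
    return p.email;
  }

  isVerified(email: string): boolean {
    return this.verified.has(email);
  }
}

// base64url without padding (RFC 4648 section 5 alphabet); 16 bytes -> 22 chars.
function toBase64Url(bytes: Uint8Array): string {
  const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';
  let out = '';
  let acc = 0;
  let bits = 0;
  bytes.forEach((b) => {
    acc = (acc << 8) | b;
    bits += 8;
    while (bits >= 6) {
      bits -= 6;
      out += alphabet[(acc >> bits) & 63];
    }
    acc &= (1 << bits) - 1; // keep only the leftover bits
  });
  if (bits > 0) out += alphabet[(acc << (6 - bits)) & 63];
  return out;
}
```

Three properties carry the security of the flow: the token is unguessable (random, not derived from the email or a counter), it is consumed on first use so a link cannot be replayed, and it expires, so a leaked link has a bounded window.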
As part of the learning journey, the following areas are identified for future enhancement:
- CSRF Protection: Implementing specific anti-CSRF measures for the web forms.
- Enhanced Rate Limiting: Moving from in-memory to a persistent store (Cloudflare KV) for global consistency.
- Security Headers: Adding standard security headers (HSTS, CSP, etc.) via Hono middleware.
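The CORS allow-list described earlier and the security headers listed as future work are both small response-header decisions, so one added example covers them. It is not the project's code: the trusted origin is a constructed value, the header values are reasonable defaults for a JSON API, and in the project these functions would sit in Hono middleware. The CORS part matches the `Origin` header exactly and never reflects it, so an untrusted site receives no `Access-Control-Allow-Origin` at all and the browser blocks the read.

```typescript
// Added example (not the project's code): CORS allow-list and security headers.

const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // constructed value

// Headers to attach given the request's Origin. An absent Origin means a
// same-origin or non-browser caller, which needs no CORS grant; an untrusted
// Origin gets none either. Vary: Origin is always set so shared caches do not
// serve one origin's grant to another.
function corsHeaders(origin: string | null, allowed: Set<string> = ALLOWED_ORIGINS): Record<string, string> {
  if (origin === null || !allowed.has(origin)) return { Vary: 'Origin' };
  return {
    'Access-Control-Allow-Origin': origin, // the exact allow-listed value, not a wildcard
    'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
    'Access-Control-Allow-Headers': 'Content-Type',
    'Access-Control-Max-Age': '600',
    Vary: 'Origin',
  };
}

// Hardening headers for an API that returns JSON (no HTML, so CSP can deny everything).
function securityHeaders(): Record<string, string> {
  return {
    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
    'Content-Security-Policy': "default-src 'none'; frame-ancestors 'none'",
    'X-Content-Type-Options': 'nosniff',
    'X-Frame-Options': 'DENY',
    'Referrer-Policy': 'no-referrer',
  };
}

// Middleware-shaped helper: the full header set to add to a response. A
// preflight (OPTIONS) request would return these with an empty 204 body.
function responseHeaders(origin: string | null): Record<string, string> {
  return { ...securityHeaders(), ...corsHeaders(origin) };
}

// Is this an OPTIONS preflight that should be answered directly?
function isPreflight(method: string, origin: string | null, requestMethod: string | null): boolean {
  return method.toUpperCase() === 'OPTIONS' && origin !== null && requestMethod !== null;
}
```

Note that the allow-list is compared as a full origin string (scheme, host and port), so `http://app.example.com` or a subdomain is rejected unless it is listed explicitly.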
This repository is a learning project. Use it as a reference or a starting point, but always perform a thorough security audit before using it in a sensitive production environment.