Show HN: Minimal NIST/OWASP-compliant auth implementation for Cloudflare Workers

https://github.com/vhscom/private-landing

11•vhsdev•1h ago

This is an educational reference implementation showing how to build reasonably secure, standards-compliant authentication from first principles on Cloudflare Workers.

Stack: Hono, Turso (libSQL), PBKDF2-SHA384 + normalization + common-password checks, JWT access + refresh tokens with revocation support, HTTP-only SameSite cookies, device tracking.

It's deliberately minimal — no OAuth, no passkeys, no magic links, no rate limiting — because the goal is clarity and auditability.

I wrote it mainly to deeply understand edge-runtime auth constraints and to have a clean Apache-2.0 example that follows NIST SP 800-63B / SP 800-132 and OWASP guidance.

For production I'd almost always reach for Better Auth instead (https://www.better-auth.com) — this repo is not trying to compete with it.

Live demo: https://private-landing.vhsdev.workers.dev/

Repo: https://github.com/vhscom/private-landing

Happy to answer questions about the crypto choices, the refresh token revocation pattern, Turso schema, constant-time comparison, unicode pitfalls, etc.

Comments

TheTaytay•28m ago

Thank you for writing/publishing this. I especially appreciate the prominent warning at the top not to mistake it for a production library and to suggest an alternative. (It’s surprising to me how often people forget to add disclaimers like that to their code.)

vhsdev•26m ago

Appreciate it, TheTaytay!

usefulposter•24m ago

Oy.

Who specifically is this intended for? It's a wonder that the model didn't spice things up with some compliance catnip like FIPS.

I would be curious to see the prompts used to create this.

At present, I don't think there could be a better example of applicability of Brandolini's law.

vhsdev•19m ago

Everything you or your agent need to see is in the commit history.

A raycasting engine in 7 easy steps

Constraint Propagation for Fun

Python Syntax compiles to Java source code – meet Java++

Jony Ive Designed Ferrari Luce EV Interior

OCapN and Structural Authority in Agentic AI

Added OTEL Observability to OpenClaw agents full GenAI spec support

Learn Weird Programming Languages

Japan LLC has been trading its way out of a fiscal hole

Vending-Bench 2

Danish Red Street Lighting Solves a Problem Every City Has

Show HN: Speaklone – Native voice cloning for Mac, runs on-device

Extract Audio from Video

The Claude Code plugin that replaced my visual workflow

The Styx Architecture for Distributed Systems (1999)

Are you a digital sharecropper? (2009)

Show HN: Simulation Studio Inside ArchtSoft

SpaceX prioritizes lunar 'self-growing city' over Mars project

Profiling Swift Applications on Windows and macOS with Tracy

React-based TUI framework based on Yoga and react-reconciler. Full Flexbox

Botkeeper Shuts Down

Show HN: Browser Terminal Use – A Local-to-Cloud Execution Bridge for LLM Agents

Show HN: Claude-Pipe – A 1k LOC Bridge from Claude Code to Telegram/Discord

Usage_rules makes agents better at Elixir [video]

OpenClaw Partners with VirusTotal for Skill Security

Self-Management Tips for Remote Workers to Avoid Burnout in 2026

Building an Open-Source Claude Code-Style Agent in Python

Why Canvas Breaks Your Screen Recorder (and What to Do Instead)

First Proof

Ask HN: Will Tesla ever be truly self driving?

Show HN: Codesession-CLI – Teach your AI agent to track its own token costs