Middleware & Security

All API requests pass through functions/api/_middleware.js which enforces authentication, CSRF protection, and rate limiting.

Authentication

Note

JWT Verification: Every request must carry a valid CF_Authorization cookie or Cf-Access-Jwt-Assertion header. The middleware verifies the JWT signature against Cloudflare Access JWKS (RS256).

Alternative Auth: POST /api/receipt-api/logs accepts X-Api-Key header (for Azure Receipt API push).

CSRF Protection

All mutating requests (POST/PUT/PATCH/DELETE) require a valid Origin or Referer header matching allowed origins:

• https://dashboard.fjzippin.com
• http://localhost (development only)

Rate Limiting

Endpoint Category	Limit	Window
Admin endpoints (/api/access, /api/setup)	30 req	1 min
AI endpoints (/api/langflow, /api/messages)	10 req	1 min
All other endpoints	200 req	1 min