Tonight I moved PassGen.io off of Cloudflare Workers and onto the Netlify Sites platform. This decision is being made to protect the security of our platform and users who rely on it for their critical security needs. As Cloudflare has continued to invest into products like Cloudflare Gateway that enable real time traffic modification and censorship one has to ask how else they may use this technology even to target an individual user. There is no evidence they have abused this tooling although it pushes me over my comfort level when developing a security focused product.
Admittedly this is but one of many steps to protect the project’s security. The WhereICode GitLab Platform has to be moved off of Cloudflare and that isn’t an overnight project. It is in the works for those wondering. In the meanwhile Netlify is pulling code from a private GitHub Repo. Ideally users can see the exact repo our build processes pull from but even with Cloudflare Workers builds have always been a manual process. In the long term this means I may move over development to a public GitHub or GitLab Project as part of improving the transparency of PassGen.io. I am looking into the best way to achieve this.
For end users this change will have no impact on your ability to access the site. The platform remains fast, stable, and secure. PassGen has never and will never log your generated passwords (with the exception of storing your last generated password and generator options in local storage, we use local storage because it is not a cookie and is never sent to the origin server) and will always operate client side.
Ironically thanks to the initially low TTLs used by Cloudflare, updating DNS records to point to Netlify CNAMEs took seconds while waiting for Netlify DNS to take over. Over the next several hours user traffic will divert away from Cloudflare Workers and Cloudflare DNS over to Netlify’s servers and Netlify DNS.
Deploying the PassGen React App to Netlify was easy and it didn’t require any special scripting I just gave them the Git repo and clicked through the default settings. Given that it’s a standard React app with minimal changes being made and no need for a backend server (everything happens in the browser!) it’s pretty portable and secure.
Finally I pushed long overdue dependency updates which should address minor bugs or browser-specific issues caused by React / Redux. Feel free to contact me if this changes any issues.