A full-featured REST API for the OWASP Bug Logging Tool (BLT) project, designed to run efficiently on Cloudflare Workers with PostgreSQL backend.
- π Cloudflare Workers - Edge-optimized for global low-latency access
- ποΈ PostgreSQL Backend - Compatible with Neon, Hyperdrive, and standard PostgreSQL
- π Token Authentication - Django REST Framework compatible authentication
- π‘οΈ Security - CORS support, rate limiting, and secure database connections
- π Comprehensive API - Full coverage of BLT features including:
- Issues/Bugs management
- User profiles and authentication
- Domains and organizations
- Bug bounty hunts
- Leaderboards (global, monthly, organization)
- Statistics and analytics
- Points and rewards system
- β‘ Performance - Optimized queries with pagination and efficient database access
- π± RESTful - Clean, intuitive REST API design
- Node.js 18+
- Cloudflare account (for deployment)
- PostgreSQL database (Neon, Supabase, or any PostgreSQL instance)
# Install dependencies
npm install
# Set up environment variables
cp .env.example .dev.vars
# Configure your database connection
# Edit .dev.vars with your DATABASE_URL and other settings# Start local development server
npm run dev
# Access the API at http://localhost:8787# Deploy to Cloudflare Workers
npm run deploy
# Set production secrets
wrangler secret put DATABASE_URL
wrangler secret put JWT_SECRET
wrangler secret put ALLOWED_ORIGINSConfigure these in .dev.vars for local development or as Cloudflare secrets for production:
DATABASE_URL- PostgreSQL connection string (required)JWT_SECRET- Secret key for JWT tokens (optional, if using JWT)ALLOWED_ORIGINS- Comma-separated list of allowed CORS origins (default: *)ENVIRONMENT- Environment name (development/production)
This API is designed to work with the existing OWASP BLT Django PostgreSQL database. No schema changes are required.
For optimal performance on Cloudflare Workers, consider using:
- Neon - Serverless PostgreSQL with HTTP API
- Cloudflare Hyperdrive - Connection pooling for PostgreSQL
- Supabase - PostgreSQL with built-in API features
https://your-worker.workers.dev/api
Most endpoints support optional authentication using Django REST Framework tokens:
Authorization: Token <your-token>
GET /api/issues- List all issues (with pagination, filtering)GET /api/issues/:id- Get issue detailsPOST /api/issues/:id/like- Like/unlike an issue (auth required)POST /api/issues/:id/flag- Flag/unflag an issue (auth required)
Query Parameters:
page- Page number (default: 1)per_page- Results per page (default: 20, max: 100)status- Filter by status (open/closed)domain- Filter by domain URLsearch- Search in description and URL
GET /api/users/:id- Get user profilePUT /api/users/:id- Update user profile (auth required, own profile only)GET /api/users/:id/issues- Get user's issuesGET /api/users/:id/points- Get user's points history
GET /api/domains- List all domainsGET /api/domains/:id- Get domain detailsGET /api/domains/:id/issues- Get issues for a domain
GET /api/organizations- List all organizationsGET /api/organizations/:id- Get organization detailsGET /api/organizations/:id/repositories- Get organization repositoriesGET /api/organizations/:id/members- Get organization members
GET /api/leaderboard- Get global leaderboard- Query params:
type=users|organizations,month,year
- Query params:
GET /api/leaderboard/monthly- Get monthly winners by year
GET /api/hunts- List all bug hunts- Query params:
filter=active|upcoming|previous,search
- Query params:
GET /api/hunts/:id- Get hunt detailsGET /api/hunts/:id/issues- Get issues for a hunt
GET /api/stats- Get overall platform statisticsGET /api/stats/activity- Get recent activity statisticsGET /api/stats/issues-by-label- Get issue count by labelGET /api/stats/top-domains- Get top domains by issue count
All API responses follow this format:
Success Response:
{
"count": 100,
"next": "/api/issues?page=2",
"previous": null,
"results": [...]
}Error Response:
{
"error": "Error message",
"details": "Additional details if available"
}Default rate limits:
- 100 requests per minute per IP
Rate limit headers:
X-RateLimit-Limit- Maximum requests allowedX-RateLimit-Remaining- Remaining requestsX-RateLimit-Reset- Unix timestamp when limit resets
- Runtime: Cloudflare Workers (V8 isolates)
- Framework: Hono (lightweight web framework)
- Database: PostgreSQL via @neondatabase/serverless
- Language: TypeScript
- Validation: Zod
src/
βββ index.ts # Main application entry
βββ types/
β βββ env.ts # Environment types
β βββ models.ts # Database model types
βββ middleware/
β βββ auth.ts # Authentication middleware
β βββ cors.ts # CORS middleware
β βββ error-handler.ts # Error handling
β βββ rate-limit.ts # Rate limiting
βββ routes/
β βββ issues.ts # Issues endpoints
β βββ users.ts # Users endpoints
β βββ domains.ts # Domains endpoints
β βββ organizations.ts # Organizations endpoints
β βββ leaderboard.ts # Leaderboard endpoints
β βββ hunts.ts # Bug hunts endpoints
β βββ stats.ts # Statistics endpoints
βββ db/
βββ client.ts # Database connection
- Edge Deployment - Runs on Cloudflare's global network for low latency
- Connection Pooling - Efficient database connections via Neon or Hyperdrive
- Pagination - All list endpoints support pagination to limit data transfer
- Query Optimization - Indexed queries and efficient JOIN operations
- Rate Limiting - Prevents abuse and ensures fair usage
- Caching Headers - Appropriate cache headers for static data
Contributions are welcome! Please see the main OWASP BLT project for contribution guidelines.
MIT License - see LICENSE file for details
- Issues: GitHub Issues
- Main Project: OWASP BLT
- OWASP: OWASP Foundation
- OWASP BLT - Main Django application
- BLT Flutter - Mobile app
- BLT Chrome Extension - Browser extension
