A modern Blazor WebAssembly application that provides comprehensive IP address analysis and abuse checking functionality. Albatross combines cloud IP range detection with AbuseIPDB reputation checking and AI-powered risk assessment through a secure Cloudflare Worker proxy.
- IP Abuse Checking: Query the AbuseIPDB API to check if an IP address has been reported for malicious activity
- AI-Powered Reputation Analysis: Advanced risk assessment using Cloudflare Workers AI with Llama 3.1 70B Instruct model
- Cloud IP Range Detection: Identify if an IP address belongs to major cloud providers (AWS, Azure, GCP, Oracle Cloud)
- Flexible Input Format: Support for IP addresses with custom report age (e.g., 8.8.8.8;60 for 60 days of history)
- Combined Data Sources: Integrated AbuseIPDB, Cloudflare Radar API, and Workers AI for comprehensive IP analysis
- Secure Authentication: Build-time generated HMAC authentication with timestamp validation for enhanced security
- CORS Protection: Cloudflare Worker proxy handles CORS and protects API keys from client exposure
- SEO-Optimized: Static HTML prerendering for improved search engine indexing and web crawler accessibility
- Modern UI: Clean, responsive Blazor WebAssembly interface with real-time JSON formatting
- Cross-Platform: Runs on Windows, macOS, and Linux
This application implements a multi-layered security system with the following components:
- Cryptographically Secure Keys: Each build generates a unique 256-bit authentication key using RNGCryptoServiceProvider
- HMAC Authentication: Uses HMAC-SHA256 for request authentication between the Blazor app and Cloudflare Worker
- Timestamp Validation: 2-minute window validation to prevent replay attacks
- No Hardcoded Secrets: Authentication keys are generated at build time and never stored in source code
- Build Process: Generates unique authentication key and injects it into both C# and JavaScript code
- Client Request: Blazor app creates HMAC token using the generated key, full request URL, and UTC timestamp
- Timestamp Check: Worker validates that the request timestamp is within 2 minutes of current UTC time
- HMAC Validation: Cloudflare Worker validates the HMAC token using the same generated key and full URL
- Origin Validation: Additional CORS and origin checking for browser-based requests
- API Proxy: Upon successful authentication, worker proxies the request to external APIs
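The client-signing and worker-validation steps above, sketched with Web Crypto as an added example (not the project's worker code). The signed-message layout, the hex token encoding and the function names are assumptions; the page states only that the key, full request URL and UTC timestamp go into the HMAC.

```javascript
// Added example, not the project's worker code. The signed-message layout
// (timestamp + "\n" + full URL), hex token encoding and names are assumptions.
// Web Crypto is global in Workers and browsers; the fallback covers older Node.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const MAX_SKEW_MS = 2 * 60 * 1000; // 2-minute window from the list above
const enc = new TextEncoder();

const importKey = (keyBytes) =>
  subtle.importKey('raw', keyBytes, { name: 'HMAC', hash: 'SHA-256' }, false, ['sign', 'verify']);
const message = (timestamp, url) => enc.encode(`${timestamp}\n${url}`);
const toHex = (buf) =>
  [...new Uint8Array(buf)].map((b) => b.toString(16).padStart(2, '0')).join('');
const fromHex = (hex) =>
  /^([0-9a-f]{2})+$/i.test(hex) ? Uint8Array.from(hex.match(/../g), (h) => parseInt(h, 16)) : null;

// Client side: bind the token to the full request URL and a UTC timestamp.
async function signRequest(keyBytes, url, nowMs = Date.now()) {
  const timestamp = String(nowMs);
  const mac = await subtle.sign('HMAC', await importKey(keyBytes), message(timestamp, url));
  return { timestamp, token: toHex(mac) };
}

// Worker side: cheap timestamp check first, then HMAC verification.
// subtle.verify leaves the MAC comparison to the platform instead of a
// hand-written string compare.
async function verifyRequest(keyBytes, url, timestamp, token, nowMs = Date.now()) {
  if (typeof timestamp !== 'string' || !/^\d{1,15}$/.test(timestamp)) return 'bad-timestamp';
  if (Math.abs(nowMs - Number(timestamp)) > MAX_SKEW_MS) return 'stale';
  const mac = typeof token === 'string' ? fromHex(token) : null;
  if (!mac || mac.length !== 32) return 'bad-token';
  const ok = await subtle.verify('HMAC', await importKey(keyBytes), mac, message(timestamp, url));
  return ok ? 'ok' : 'bad-signature';
}
```

Within the 2-minute window a captured token for the same URL still verifies, so the window bounds replay rather than eliminating it. The key is compiled into the client that browsers download, so the token attests request integrity and freshness, while the upstream API keys stay on the Worker.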
The project uses MSBuild targets for automated key generation and code injection:
- Key Generation (GenerateAuthKey target):
  - Runs Generate-AuthKey.ps1 PowerShell script
  - Generates cryptographically secure 256-bit key
  - Creates multiple output formats (C#, JavaScript, environment files, JSON)
- Worker Processing (ProcessWorker target):
  - Runs Process-Worker.ps1 PowerShell script
  - Injects generated constants into cloudflare-worker.template.js
  - Outputs final cloudflare-worker.js with embedded authentication

Generated files:
- Generated/BuildConstants.cs - C# constants for the Blazor app
- Generated/build-constants.js - JavaScript constants for worker injection
- Generated/build.env - Environment file format
- Generated/build-manifest.json - Build metadata and timestamps
- cloudflare-worker.js - Final worker with injected authentication
Albatross uses BlazorWasmPreRendering.Build to generate static HTML during the publish process, improving SEO and web crawler accessibility.
- Build-Time Rendering: During dotnet publish, the app is rendered to static HTML
- SEO Benefits: Search engines can index content without executing JavaScript
- Hidden Content: Prerendered HTML is hidden (opacity: 0, z-index: -1) to prevent visual flash
- Blazor Hydration: The app seamlessly takes over after loading, providing full interactivity
- Zero Runtime Overhead: Prerendering happens at build time, not on the server
For prerendering to work, service registration must be extracted into a static local function in Program.cs:
```csharp
static void ConfigureServices(IServiceCollection services, string baseAddress)
{
    services.AddScoped(sp => new HttpClient { BaseAddress = new Uri(baseAddress) });
    services.AddScoped<AbuseIPDBService>(/* ... */);
}
```
See the BlazorWasmPreRendering.Build documentation for more details.
To verify prerendering is working after deployment:
```bash
# Check for prerendering markers in the HTML
curl -s https://albatross.devnomadic.com | grep "PRERENDERING-BEGIN"

# Or view page source in browser and search for:
# <!-- %%-PRERENDERING-BEGIN-%% -->
```
If prerendering is working, you'll see the full app structure in the HTML source, not just "Loading...".
- .NET 8.0 SDK
- Node.js 20.0.0 or higher (required for Cloudflare Wrangler 4)
- PowerShell (cross-platform)
- AbuseIPDB API key
- Cloudflare Workers account (for deployment)
- Clone the repository
- Update cloudflare-worker.template.js with your AbuseIPDB API key
- Build the project: dotnet build
- Run the application: dotnet run
The project includes a comprehensive unit test suite to ensure IP range matching accuracy across IPv4 and IPv6 addresses.
- Total Tests: 41 unit tests
- Test Framework: xUnit 2.4.2
- Target Framework: .NET 8.0
- Test Categories:
- IPv4 basic matching and validation
- IPv6 basic matching and validation
- Boundary condition testing (first/last address in ranges)
- Edge cases (single hosts /32 and /128, large networks /0)
- Real-world cloud provider IP ranges (AWS, Azure, GCP, Oracle)
- Invalid input handling (malformed CIDR, out-of-range prefixes)
- Mixed version validation (IPv4 vs IPv6 range mismatches)
Run all tests:
```bash
dotnet test Tests/Albatross.Tests.csproj
```
Run tests with detailed output:
```bash
dotnet test Tests/Albatross.Tests.csproj --logger "console;verbosity=normal"
```
Run tests as part of the build:
```bash
./build.sh
```
The build script automatically:
- Updates cloud IP manifests
- Runs all unit tests
- Builds and publishes the application (only if tests pass)
IPv4 Cloud Range Tests:
- AWS EC2: 3.5.140.50 in 3.5.140.0/22 ✅
- AWS S3: 52.216.100.10 in 52.216.0.0/15 ✅
- Azure: 13.64.50.100 in 13.64.0.0/11 ✅
- GCP: 34.64.100.200 in 34.64.0.0/10 ✅
- Oracle: 132.145.100.50 in 132.145.0.0/16 ✅
IPv6 Cloud Range Tests:
- AWS CloudFront: 2600:9000:5300::1 in 2600:9000:5300::/40 ✅
- AWS EC2: 2600:1900:8000::1 in 2600:1900:8000::/44 ✅
- Azure: 2603:1030:100::1 in 2603:1030:100::/47 ✅
- GCP: 2001:4860:4860::8888 in 2001:4860:4860::/48 ✅
Boundary & Edge Cases:
- First/last addresses in ranges
- Single host ranges (/32 for IPv4, /128 for IPv6)
- Large networks (/0 ranges)
- Invalid CIDR notation handling
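The range checks listed above come down to comparing the leading prefix bits of the address and the network. The following is an added example, not the project's C# matcher; the function names are hypothetical, and IPv4-mapped IPv6 forms and zone IDs are not handled (they return null).

```javascript
// Added example; function names are hypothetical, not the project's API.
// Addresses become BigInt so one comparison serves both IP versions.
function parseIPv4(text) {
  const parts = text.split('.');
  if (parts.length !== 4) return null;
  let value = 0n;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    value = (value << 8n) | BigInt(p);
  }
  return { bits: 32, value };
}

function parseIPv6(text) {
  const halves = text.split('::');
  if (halves.length > 2) return null;            // at most one "::"
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length; // groups elided by "::"
  if (halves.length === 1 ? missing !== 0 : missing < 1) return null;
  const groups = [...head, ...Array(halves.length === 2 ? missing : 0).fill('0'), ...tail];
  let value = 0n;
  for (const g of groups) {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) return null;
    value = (value << 16n) | BigInt('0x' + g);
  }
  return { bits: 128, value };
}

const parseIP = (text) => (text.includes(':') ? parseIPv6(text) : parseIPv4(text));

// true/false for membership; null for malformed input, an out-of-range
// prefix, or an IPv4 address tested against an IPv6 range (and vice versa).
function isInCidr(address, cidr) {
  const slash = cidr.lastIndexOf('/');
  if (slash < 0) return null;
  const prefixText = cidr.slice(slash + 1);
  const ip = parseIP(address);
  const net = parseIP(cidr.slice(0, slash));
  if (!ip || !net || ip.bits !== net.bits || !/^\d{1,3}$/.test(prefixText)) return null;
  const prefix = Number(prefixText);
  if (prefix > net.bits) return null;
  const shift = BigInt(net.bits - prefix); // host bits to discard
  return (ip.value >> shift) === (net.value >> shift);
}
```

Returning null instead of false for malformed or mixed-version input keeps "not in range" distinct from "could not be evaluated", which matters when the result feeds a reputation decision.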
Tests are automatically run as part of the CI/CD pipeline:
- Pre-deployment validation: Tests must pass before any deployment
- Build verification: Each build runs the full test suite
- Continuous integration: Tests run on all pull requests and commits
The project uses automated GitHub Actions workflows for deployment:
Development/Preview Deployments:
- Trigger: Feature branches (feature/*, fix/*) and Pull Requests
- SPA: Deployed to Cloudflare Pages preview environment
- Worker: Deployed to static preview worker (abuseipdb-preview)
- URLs:
  - Worker: https://abuseipdb-preview.devnomadic.workers.dev (static for all previews)
  - SPA: https://{preview-name}.{project}.pages.dev
Production Deployments:
- Trigger: Pushes to main branch
- SPA: Deployed to main Cloudflare Pages project
- Worker: Deployed to abuseipdb worker (production)
- URL: https://abuseipdb.devnomadic.workers.dev
Manual Deployment Options:
- Build Locally: Run dotnet build to generate authentication keys
- Deploy Worker: Upload cloudflare-worker.js to your Cloudflare Workers account
- Update Endpoint: Configure the worker URL in AbuseIPDBService.cs
- Deploy App: Use your preferred hosting platform
The project includes comprehensive GitHub Actions workflows in .github/workflows/:
Deployment Workflows:
- deploy-dev.yml: Handles development and preview deployments
- deploy-production.yml: Handles production deployments
CI/CD Workflows:
- ci.yml: Runs tests, code formatting checks, and builds
Security Workflows:
- codeql.yml: GitHub's CodeQL security analysis for code vulnerabilities
- dependency-review.yml: Reviews dependencies for security vulnerabilities in PRs
These workflows automatically:
- Generate authentication keys during CI/CD
- Build and deploy the Blazor WebAssembly app to Cloudflare Pages
- Process and deploy the Cloudflare Worker to static preview or production workers
- Create preview environments for feature branches and PRs
- Maintain a shared abuseipdb-preview worker for all development deployments
- Perform comprehensive security scanning on code and dependencies
- Analyze C# and JavaScript/TypeScript code for vulnerabilities
```
Albatross/
├── Services/
│   └── AbuseIPDBService.cs           # Main service with HMAC authentication and flexible IP parsing
├── Pages/
│   └── Home.razor                    # IP checking interface with combined functionality
├── Layout/
│   ├── MainLayout.razor              # Application layout
│   └── NavMenu.razor                 # Navigation menu
├── Tests/                            # Unit test suite
│   ├── Albatross.Tests.csproj        # Test project configuration
│   └── IpRangeTests.cs               # 41 IPv4/IPv6 range matching tests
├── Generated/                        # Auto-generated build artifacts
│   ├── BuildConstants.cs             # C# authentication constants
│   ├── build-constants.js            # JavaScript constants
│   ├── build.env                     # Environment variables
│   └── build-manifest.json           # Build metadata
├── .github/workflows/                # CI/CD pipelines
│   ├── ci.yml                        # Continuous integration
│   ├── deploy-dev.yml                # Development deployment
│   ├── deploy-production.yml         # Production deployment
│   ├── codeql.yml                    # GitHub Advanced Security
│   ├── dependency-review.yml         # Dependency security scanning
│   └── security-scan.yml             # Additional security checks
├── Generate-AuthKey.ps1              # PowerShell key generation script
├── Process-Worker.ps1                # Worker template processing script
├── cloudflare-worker.template.js     # Worker template with injection points
├── cloudflare-worker.js              # Generated worker with authentication (temporary)
├── SECURITY.md                       # Security policy and guidelines
└── Albatross.csproj                  # MSBuild configuration with custom targets
```
The project uses unified GitHub Actions workflows that build and deploy both the SPA and Worker together:
- Development/Preview: .github/workflows/deploy-dev.yml - Deploys to staging environments on feature branches and PRs
- Production: .github/workflows/deploy-production.yml - Deploys to production environment on main branch
Worker Environments:
- Production: abuseipdb worker with production environment
- Preview: abuseipdb worker with preview environment
- Same URL: https://abuseipdb.devnomadic.workers.dev for both (differentiated by environment variables)
SPA Environments:
- Production: Main Cloudflare Pages project (deployed from main branch)
- Preview: Branch-specific preview URLs (deployed from feature branches and PRs)
Configure these secrets in your repository settings (Settings → Secrets and variables → Actions):
Required for Cloudflare Deployment:
- CLOUDFLARE_API_TOKEN - Custom Cloudflare API token with Workers and Pages permissions
- CLOUDFLARE_ACCOUNT_ID - Your Cloudflare account ID
- CLOUDFLARE_PAGES_PROJECT - Your Cloudflare Pages project name (e.g., abuseipdb-spa)
Required for Worker Deployment:
- ABUSEIPDB_API_KEY - Your production API key from AbuseIPDB
- ABUSEIPDB_API_KEY_DEV - Your development API key from AbuseIPDB
For local development, update the fallback API key in cloudflare-worker.template.js or set up environment variables.
Configure the ALLOWED_ORIGINS array in the worker template to specify which domains can access your API proxy.
Update the BaseUrl in AbuseIPDBService.cs with your deployed Cloudflare Worker URL.
- Key Rotation: Authentication keys are regenerated with each build, providing automatic key rotation
- Request Validation: All requests are validated using HMAC-SHA256 authentication with full URL signing
- Timestamp Validation: 2-minute window validation prevents replay attacks and ensures request freshness
- Origin Control: CORS headers restrict access to configured allowed origins
- Browser-Only Access: Worker validates User-Agent headers to ensure requests come from legitimate browsers
- Production Origins Only: Localhost and development origins are blocked in production deployments
- API Key Protection: External API keys (AbuseIPDB, Cloudflare Radar) are never exposed to client-side code
- Multi-Layer Authentication: HMAC authentication, timestamp validation, and origin validation must all pass
- Input Validation: All IP addresses are validated for proper format and public routability
- GitHub Advanced Security: CodeQL analysis, dependency scanning, and security workflows enabled
Users can specify custom report age limits using a semicolon delimiter:
- 8.8.8.8 - Uses default 30 days
- 8.8.8.8;60 - Uses 60 days of report history
- 2001:4860:4860::8888;90 - IPv6 with 90 days
- AbuseIPDB: IP reputation and abuse reports
- Cloudflare Radar: ASN information and network details
- Cloudflare Workers AI: AI-powered risk assessment using Llama 3.1 70B Instruct model
- Optimized Processing: AbuseIPDB and Radar APIs are queried in parallel; AI analysis processes their results
- Graceful Degradation: Partial results if one API fails
The worker uses Cloudflare Workers AI with the Llama 3.1 70B Instruct model to generate intelligent risk assessments:
- Real-time Analysis: Analyzes data from AbuseIPDB and Cloudflare Radar APIs
- Risk Levels: Categorizes threats as low, medium, high, or critical
- Trust Scores: Provides 0-100 trust score for quick assessment
- AI Summary: Natural language explanation of the IP's reputation
- Event Pattern Analysis: Summarizes abuse event types and patterns from historical reports
- Actionable Recommendations: Specific steps to take based on the analysis
- Model: @cf/meta/llama-3.1-70b-instruct (70 billion parameter model)
Example AI Response:
```json
{
  "aiReputation": {
    "success": true,
    "analysis": {
      "riskLevel": "medium",
      "trustScore": 65,
      "summary": "This IP from US shows moderate abuse activity with 15 reports. ISP indicates datacenter usage which is common for both legitimate and malicious traffic.",
      "eventsSummary": "Reported 15 times for Port Scan, Brute-Force, SSH activity over the past 30 days.",
      "recommendations": [
        "Review the specific abuse reports for patterns",
        "Consider rate limiting if used for API access"
      ]
    },
    "model": "@cf/meta/llama-3.1-70b-instruct",
    "timestamp": "2025-10-28T04:45:00.000Z"
  }
}
```
- ✅ Authentication System: Fully implemented and working
- ✅ CORS Security: Browser-only validation enabled
- ✅ Production Deployment: Live at https://albatross.devnomadic.com
- ✅ Build System: Automated key generation and injection working
- ✅ GitHub Actions: Automated CI/CD pipeline functional
- ✅ Security Scanning: CodeQL and dependency review workflows active
- ✅ Code Quality: Automated formatting and testing in CI/CD
- ✅ AI Integration: Cloudflare Workers AI with Llama 3.1 70B for reputation analysis
This project uses free images sourced from:
We appreciate these platforms for providing free resources to the developer community.
This project is licensed under the MIT License. See the LICENSE file for details.
- Fork the repository
- Create a feature branch
- Make your changes
- Ensure all builds pass with the new authentication system
- Submit a pull request