https://github.com/brandonhenricks/cloudflare-leakedcredentials
Minimal netstandard2.0 library that parses Cloudflare's Exposed-Credential-Check header so origin servers can detect credential exposure.
https://github.com/brandonhenricks/cloudflare-leakedcredentials
cloudflare csharp security
Last synced: 6 months ago
JSON representation
Minimal netstandard2.0 library that parses Cloudflare's Exposed-Credential-Check header so origin servers can detect credential exposure.
- Host: GitHub
- URL: https://github.com/brandonhenricks/cloudflare-leakedcredentials
- Owner: brandonhenricks
- License: mit
- Created: 2025-12-12T17:29:22.000Z (7 months ago)
- Default Branch: master
- Last Pushed: 2025-12-12T20:23:17.000Z (7 months ago)
- Last Synced: 2025-12-14T08:30:07.434Z (7 months ago)
- Topics: cloudflare, csharp, security
- Language: C#
- Homepage:
- Size: 26.4 KB
- Stars: 0
- Watchers: 0
- Forks: 0
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
Awesome Lists containing this project
README
# Cloudflare.LeakedCredentials
[](https://github.com/brandonhenricks/cloudflare-leakedcredentials/actions/workflows/ci.yml)
[](LICENSE)
[](https://www.nuget.org/packages/Cloudflare.LeakedCredentials)
A minimal [netstandard2.0](https://learn.microsoft.com/dotnet/standard/net-standard) library that parses Cloudflare's `Exposed-Credential-Check` response header so origin servers can detect credential exposure without pulling in framework dependencies.
## Purpose
1. Keep framework dependencies out of the security signal by exposing only a single, functional entry point (`ExposedCredentialCheck.Parse`).
2. Require callers to provide a `Func` header accessor so the library works with ASP.NET, HttpClient, middleware pipelines, or any custom HTTP stack.
## Contents
- [Purpose](#purpose)
- [Getting started](#getting-started)
- [Usage](#usage)
- [API contract](#api-contract)
- [Best practices](#best-practices)
- [Testing & validation](#testing--validation)
- [NuGet package](#nuget-package)
- [Contributing](#contributing)
- [License](#license)
## Getting started
1. Consume the published NuGet package using `dotnet add package Cloudflare.LeakedCredentials` or build from source with `dotnet build Cloudflare.LeakedCredentials.sln` (netstandard2.0 only).
2. Provide a header getter delegate when calling `Parse` so you retain control of how headers are fetched.
```csharp
var result = ExposedCredentialCheck.Parse(context.Request.Headers.Get);
if (result == ExposedCredentialCheckResult.Exposed)
{
// trigger additional logging, alerting, or rejection logic
}
```
## API contract
- `ExposedCredentialCheck.Parse(Func getHeader)`
- Emits `ExposedCredentialCheckResult.None` for missing/null/empty headers.
- Uses `Enum.IsDefined()` plus a positive value check so only known exposure states are surfaced.
- Throws `ArgumentNullException` if the delegate is null to keep contracts strict.
## Best practices
- Keep header access centralized inside middleware, filters, or helpers before passing a delegate into this library; it simplifies testing and throttling.
- Treat every result that is not `None` as actionable—`PotentiallyExposed` still warrants monitoring or rate limiting.
- Wrap log and metric instrumentation around the exposure result so it can feed dashboards without leaking secrets.
- Preserve netstandard2.0 compatibility: avoid framework-specific APIs in wrappers so this package stays portable.
- Respect null-safety guarantees by never calling `Parse` with a null delegate and by validating header values before acting on them.
## Testing & validation
- Keep builds fast with `dotnet build Cloudflare.LeakedCredentials.sln`.
- The tests live under `tests/Cloudflare.LeakedCredentials.Tests/`; add coverage-sensitive scenarios there and expose internals via `InternalsVisibleTo` when needed.
- Use `dotnet test` in CI to exercise the `ExposedCredentialCheck` parsing logic across all states.
## NuGet package
- The repository already publishes the `Cloudflare.LeakedCredentials` NuGet package targeting netstandard2.0.
- Consume it with `dotnet add package Cloudflare.LeakedCredentials` and keep your package reference updated from nuget.org.
- Package publishing follows the standard `dotnet pack` / `dotnet nuget push` flow and should only be run by authorized maintainers.
## Resiliency notes
- The library keeps the enum validation strict (using `Enum.IsDefined` and positive value checks) so unknown headers fall back to `None` rather than failing the request.
- Header parsing is intentionally synchronous and stateless—provide thread-safe delegates when sampling headers from shared contexts.
## Next steps
- Run `dotnet test Cloudflare.LeakedCredentials.sln` locally and in CI to validate the parsing coverage you just added.
- When bumping the package, update `Directory.Build.props` metadata and align `Directory.Packages.props` versions with any new dependencies.
- Draft release notes that explain which Cloudflare response states are surfaced so downstream teams can react appropriately.
## Contributing
- Open issues for bug reports or feature ideas.
- Keep future API changes backward-compatible with `ExposedCredentialCheck.Parse`.
## License
See the [LICENSE](LICENSE) file for details.