A reference architecture for secure direct browser uploads to Cloudflare R2 using time-limited pre-signed URLs generated by a Hono application on Cloudflare Workers. Covers the full stack: Hono API with Better Auth and Drizzle ORM on the backend, Nuxt SPA on the frontend. Details include CORS configuration for R2, request/response contracts for both generic and profile-image upload flows, security decisions (auth scoping, TTLs, overwrite policy), implementation notes using aws4fetch instead of AWS SDK v3 (which is incompatible with Workers), and known pitfalls like wildcard CORS unreliability, Content-Type signature requirements, and metadata consistency to avoid signature mismatches.
Table of contents
ComponentsEnvironment and BindingsData Model (Profile Images)CORS Policy (R2)Request/Response Contracts (Summary)Flow: Profile Image Upload (Stable Key, Overwrite)Flow: Generic Upload (UUID per Object)Flow: Profile Image DownloadSecurity Model and DecisionsImplementation NotesKnown Pitfalls and MitigationsOperational ConsiderationsSort: