A headless CMS built entirely on Cloudflare's edge infrastructure.
Cloudcore CMS runs on Cloudflare Workers with D1 (SQLite), R2 (object storage), and KV (cache) — no origin servers, no containers, no cold starts. One Worker, one database, deployed globally.
| Repository | Description |
|---|---|
| cloudcore-cms | The CMS — block-based content editor, 5 auth methods, RBAC, media library, audit logging |
| cloudcore-api | Read-only public API Worker — zero write operations, rate limited, CORS-ready |
| cloudcore | Architecture reference and monorepo documentation |
| Repository | Framework | Description |
|---|---|---|
| cloudcore-next | Next.js | App Router starter with SSR/SSG, TailwindCSS, one-click deploy |
| cloudcore-react | React + Vite | SPA starter with React Query, React Router, TailwindCSS |
| cloudcore-astro | Astro | Static site generator, zero JS by default, TailwindCSS |
| Repository | Description |
|---|---|
| cloudcore-ecom | E-commerce module — products, subscriptions, Stripe & PayPal integration |
| cloudcore-mcp | Model Context Protocol server — manage your CMS from Claude, Cursor, or Windsurf |
| cloudcore-auth | Authentication plugin (session-based admin auth) |
| Repository | Description |
|---|---|
| cloudcore-cms.github.io | Documentation & marketing site — cloudcore-cms.github.io |
- Runtime: Cloudflare Workers (V8 isolates, deployed to 300+ edge locations)
- Database: Cloudflare D1 (SQLite at the edge)
- Storage: Cloudflare R2 (S3-compatible object storage)
- Framework: Hono + Drizzle ORM + Zod
- Admin UI: React + Vite + TailwindCSS + Tiptap
- Language: TypeScript throughout
- Testing: Vitest
- Block-based content — 13 block types including WYSIWYG, code, image, video, embed, and more
- 5 authentication methods — Password, Passkeys (WebAuthn), Magic Links, GitHub OAuth, Google OAuth
- Role-based access control — Admin, Editor, Contributor
- Media library — R2 storage with magic byte validation and SVG sanitization
- Revision history — Full content versioning
- Audit logging — With sensitive field redaction
- Public API — Separate read-only Worker for serving published content
- AI integration — MCP server for managing content through AI assistants
- E-commerce — Products, subscriptions, Stripe & PayPal (no PCI scope)
- 0 npm audit vulnerabilities
Internet --> cloudcore-api (public, read-only) --> D1 / R2
^
Cloudflare Access --> cloudcore-cms (admin) ----------|
|
AI Tools (MCP) --> cloudcore-mcp ----> cloudcore-cms --|
The CMS sits behind Cloudflare Access. The public API is a separate Worker with zero write capabilities — no auth endpoints, no admin routes, no mutations. Frontend starters connect to the public API.
- PBKDF2-SHA512 password hashing (210,000 iterations)
- SHA-256 hashed session tokens with timing-safe comparison
- CSRF protection (header + Origin + SameSite=Strict cookies)
- Rate limiting on all endpoints
- File upload validation (magic bytes + MIME whitelist)
- SVG sanitization on upload
- 10MB request body limit
- Comprehensive audit logging with field redaction
The CMS deploys as a single Cloudflare Worker. Frontend starters deploy to Cloudflare Pages, Vercel, or Netlify.
# CMS
git clone https://github.com/cloudcore-cms/cloudcore-cms
cd cloudcore-cms
npm install
npx wrangler deploy
# Frontend (pick one)
git clone https://github.com/cloudcore-cms/cloudcore-next # Next.js
git clone https://github.com/cloudcore-cms/cloudcore-react # React + Vite
git clone https://github.com/cloudcore-cms/cloudcore-astro # Astro- Documentation: cloudcore-cms.github.io
- GitHub: github.com/cloudcore-cms
MIT
