Case Study

This Site v2: editorial clarity, premium controls

A luxury, static-first portfolio system built for speed and traceability: public pages stay frictionless while privileged admin workflows remain access-gated, role-enforced, and auditable.

Access-gated admin

Cloudflare Access gate before app logic

RBAC roles

Worker-enforced admin / reviewer permissions

Audit logging

Write-path telemetry for event reconstruction

Turnstile + rate limit

Public input hardening against abuse bursts

Architecture at a glance

Core topology is intentionally simple to keep latency low and operations predictable.

Architecture diagram: Pages frontend routes requests to Worker API, then to D1 and R2, with security controls around privileged operations. — Static Pages experience with controlled mutation path: Pages → Worker → D1 + R2.

Control layers

Each layer is designed to reduce blast radius while keeping support workflows practical.

Identity & access

Cloudflare Access gates admin routes before runtime processing.
Role checks enforce admin and reviewer action boundaries.
Sensitive paths are denied by default until claims validate.

Traffic & abuse controls

Turnstile challenges protect public write entry points.
Edge/API rate limits absorb burst patterns early.
Input validation and sanitization run before persistence.

Operations & recoverability

Versioned migrations keep schema changes repeatable.
CI deploys static assets and Worker services consistently.
Rollback + compensating actions support safe recovery.

Mapped to certs

The same design choices map directly to formal security and admin competency areas.

SC-900

Zero Trust boundaries, telemetry-led control posture, and security principles in public-cloud workflows.

MS-102

Identity governance patterns, role definition, and privileged admin guardrails.

MD-102

Operational policy discipline, resilience planning, and recoverability thinking.