chore: tweaks

tmm · tmm · commit fa974706ac4a · 2026-05-05T01:35:16.000-04:00
diff --git a/docs/dev/deploy.mdx b/docs/dev/deploy.mdx
@@ -151,10 +151,10 @@ If `SENTRY_AUTH_TOKEN` is missing, builds still pass, but Sentry releases and so
 
 ### HTTPS Enforcement
 
-Enforce HTTPS at Cloudflare instead of in the Worker.
+Keep Cloudflare's blanket HTTP-to-HTTPS redirect off so bare `curl curl.md/<url>` requests reach the Worker. The Worker serves unauthenticated URL-fetch paths over HTTP and redirects all other HTTP routes to HTTPS.
 
 1. Go to [Edge Certificates](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) for the `curl.md` zone.
-2. Enable [Always Use HTTPS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/always-use-https/).
+2. Disable [Always Use HTTPS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/always-use-https/).
 3. Enable [HTTP Strict Transport Security (HSTS)](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/http-strict-transport-security/).
 4. Use these HSTS settings.
    - **Max Age Header**: `6 months`
diff --git a/src/entry-server.ts b/src/entry-server.ts
@@ -31,6 +31,23 @@ export default Sentry.withSentry<Env, QueueHandlerMessage>(
   {
     async fetch(request, env, ctx) {
       const url = new URL(request.url)
+      const firstSegment = url.pathname.split('/')[1] ?? ''
+
+      // Keep unauthenticated curl fetch paths working over HTTP, but enforce HTTPS elsewhere.
+      if (url.protocol === 'http:' && url.hostname === env.HOST) {
+        const isFetchPath = firstSegment.includes('.') || /^https?:$/.test(firstSegment)
+        if (!isFetchPath) {
+          url.protocol = 'https:'
+          return new Response(null, { status: 301, headers: { location: url.toString() } })
+        }
+        if (
+          request.headers.has('authorization') ||
+          request.headers.has('cookie') ||
+          url.searchParams.has('t') ||
+          url.searchParams.has('token')
+        )
+          return new Response('Use HTTPS for authenticated requests', { status: 400 })
+      }
 
       // Route API requests to the Hono API handler
       if (url.pathname.startsWith('/api/')) return api.fetch(new Request(url, request), env, ctx)
@@ -66,7 +83,6 @@ export default Sentry.withSentry<Env, QueueHandlerMessage>(
       }
 
       // Route dot-segment paths (e.g. curl.md/example.com) to the API handler under /api prefix
-      const firstSegment = url.pathname.split('/')[1] ?? ''
       if (firstSegment.includes('.') || /^https?:$/.test(firstSegment)) {
         const protocolMatch = url.pathname.match(/^\/(https?:\/\/)(.+)/)
         if (protocolMatch) {
