Checklist 8 min read Intermediate

Cloudflare Workers readiness checklist

Use this checklist before deploying Cloudflare Workers to production. It covers use-case fit, routes, bindings, secrets, KV, D1, R2, Queues, Durable Objects, authentication, validation, caching, observability, CI/CD, rollback, cost, and ownership.

Step by step

Step-by-step checklist

7 steps

1
Confirm the use case fits Workers: lightweight APIs, edge logic, request/response transforms, or edge auth — not long-running or heavily stateful workloads better suited elsewhere.
2
Map routes and triggers: which hostnames, paths, and patterns the Worker runs on, and whether it runs ahead of cache, on specific routes, or as the origin.
3
Inventory required bindings per environment: KV, D1, R2, Queues, Durable Objects, service bindings, secrets, and environment variables.
4
Define the security model: input validation, authentication and authorization, secret handling via Wrangler secrets, and CPU/subrequest budgets.
5
Set up local dev and CI/CD with Wrangler: preview environments, staged deploys, versioning, and gradual (percentage) rollouts.
6
Wire observability before production traffic: Workers logs/Logpush, tail consumers, error reporting, and analytics.
7
Plan rollback: keep the prior version instantly deployable and define the revert trigger.

Risk register

Risks to control

Hitting CPU-time or subrequest limits under real traffic.

Profile CPU and subrequest counts in staging; offload heavy work to Queues or Durable Objects and cache aggressively.

Secrets committed in code or wrangler config instead of secret storage.

Use `wrangler secret put` and runtime bindings; keep secrets out of the repo and out of plaintext vars.

Logic assumes strong consistency that KV does not provide.

Design for KV eventual consistency and D1 limits; use Durable Objects where coordination or strong consistency is required.

No rollback path when a deploy regresses.

Use Wrangler versioned and gradual deployments so a known-good version can take 100% of traffic immediately.

Unbounded or unvalidated input reaches the Worker.

Validate and size-limit input, enforce authentication, and rate-limit at the edge before executing logic.

Output

Useful deliverables

Use-case fit assessment and route/trigger map.
Per-environment bindings and secrets inventory.
Security and input-validation plan.
CI/CD pipeline with preview, staged deploy, and gradual rollout.
Observability setup: logs/Logpush, error reporting, and analytics.
Documented rollback procedure and ownership.

Keep reading

Related resources

Cloudflare Migration Checklist

Cloudflare Migration Readiness Assessment

Cloudflare Cutover Runbook

Cloudflare Rollback Plan Template

FAQ

Frequently asked questions

Common questions teams ask when putting this resource into practice.

When should logic be a Worker versus a native Cloudflare Rule?

Use declarative rules (Transform, Cache, Redirect, Origin Rules) for header edits, redirects, routing, and cache decisions. Reserve Workers for logic that genuinely needs code — external calls, computation, state, or complex branching.

How do Workers handle secrets and configuration?

Secrets are stored with `wrangler secret put` and exposed as bindings at runtime; non-sensitive config uses environment-specific vars. Neither should be hardcoded in source.

Can a bad Workers deploy be rolled back quickly?

Yes. With versioned and gradual deployments you can shift traffic back to the previous version immediately, which is why a rollback trigger should be defined before launch.

What runtime limits should I plan for?

CPU time per request, number of subrequests, memory, and request size. Profile these in staging and offload heavy or stateful work to Queues, Durable Objects, or appropriate storage.

Nanosek

Prepare a Workers project

Nanosek can turn this resource into a practical delivery plan for your environment — with rollback planning, stakeholder alignment, and 24/7 managed operations support.

Talk to Nanosek Browse resources