Ever wondered how to connect securely to Cloudflare D1 while maintaining a good developer experience? The D1RemoteAdapter implements a clever dual-mode approach that automatically adapts to your environment.
Registry Mode: Production Security
In production, the adapter uses registry mode - a security-first approach:
```javascript
// No raw SQL ever leaves your application
const result = await d1.query('SELECT * FROM users');
// Becomes: POST /zin/d1/statement { statementId: "abc123...", params: [] }
```
The system hashes your SQL and looks it up in a pre-approved allowlist. This means:
- Zero SQL injection risk at the network level
- Maximum security even with compromised credentials
- Trade-off: higher friction for query changes
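An added sketch of the allowlist lookup described above, not code from D1RemoteAdapter. It assumes the statement ID is the SHA-256 hex digest of the exact SQL text; `buildRegistry`, `toRegistryRequest` and `resolveStatement` are hypothetical names.

```javascript
// Added illustration of an allowlist lookup; not the D1RemoteAdapter source.
const { createHash } = require('node:crypto');

// Assumption: the id is the SHA-256 hex digest of the exact SQL text.
const statementId = (sql) => createHash('sha256').update(sql, 'utf8').digest('hex');

// Built at deploy time from the statements the application is approved to run.
function buildRegistry(approvedSql) {
  return new Map(approvedSql.map((sql) => [statementId(sql), sql]));
}

// Client side: the body registry mode sends. It carries no SQL text.
function toRegistryRequest(sql, params = []) {
  return { statementId: statementId(sql), params };
}

// Server side: map the id back to approved SQL, or refuse.
function resolveStatement(registry, body) {
  const id = body?.statementId;
  if (typeof id !== 'string' || !/^[0-9a-f]{64}$/.test(id) || !Array.isArray(body.params)) {
    return { ok: false, status: 400, error: 'malformed request' };
  }
  const sql = registry.get(id);
  if (sql === undefined) {
    return { ok: false, status: 403, error: 'statement not in allowlist' };
  }
  // Only SQL text stored in the registry is executed; params are bound, never spliced in.
  return { ok: true, status: 200, sql, params: body.params };
}

// Constructed sample data.
const registry = buildRegistry([
  'SELECT * FROM users',
  'SELECT * FROM users WHERE id = ?',
]);
const approved = toRegistryRequest('SELECT * FROM users WHERE id = ?', [42]);
// SQL assembled by concatenation hashes to an unknown id and is refused.
const concatenated = toRegistryRequest("SELECT * FROM users WHERE id = " + "42 OR 1=1");

console.log(resolveStatement(registry, approved));
console.log(resolveStatement(registry, concatenated));
```

Parameters remain caller-controlled in this scheme, so a holder of valid credentials can still run any approved statement with any values; keeping approved statements narrowly scoped matters as much as the allowlist itself.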
SQL Mode: Developer Experience
In development, you get SQL mode for maximum flexibility:
```javascript
// Raw SQL sent directly
const result = await d1.query('SELECT * FROM users WHERE id = ?', [userId]);
// Becomes: POST /zin/d1/query "SELECT * FROM users WHERE id = ?"
```
Benefits:
- Zero friction - write code, run immediately
- Migration friendly - dynamic SQL works perfectly
- Rapid iteration - no configuration needed
Smart Auto-Detection
The adapter automatically chooses the right mode:
| Environment | Mode | Why |
|---|---|---|
| Production | Registry | Security first |
| Development | SQL | DX first |
| Test | SQL | Flexibility first |
Why This Design Matters
This dual-mode approach solves a real problem: production apps need security, dev apps need flexibility. Instead of forcing you to choose one or the other, you get both automatically.
The registry mode's allowlist system is particularly clever - it prevents network-level SQL injection while still allowing your application to work normally. Even if attackers steal your API keys, they're limited to queries you've explicitly approved.
For anyone building production apps with D1, this pattern provides enterprise-grade security without sacrificing developer productivity.