Using Cloudflare Workers to identify pwned passwords

What's this blog post about?

John Graham-Cumming has written a short piece of code that checks whether a password appears in Troy Hunt's Pwned Passwords v2 service without ever sending the password to Troy. The code uses an API that Cloudflare handles and caches, built around a clever anonymity scheme. The same logic is easy to implement in other languages such as JavaScript, which allows it to run inside a Cloudflare Worker. A Worker is a piece of JavaScript that runs on Cloudflare's edge nodes around the world; it can transform and enhance requests and responses, build responses from multiple API calls, and interact with the Cloudflare cache. The Worker code intercepts a request passing through Cloudflare to a Cloudflare-hosted site, checks whether the submitted password is found in Troy Hunt's database, and adds an HTTP request header, Cf-Password-Pwned, with the value YES or NO depending on whether the password is in the database. This could be used on a signup page to check whether the password a user hopes to use has already appeared in a leak.

Company
Cloudflare

Date published
Feb. 26, 2018

Author(s)
John Graham-Cumming

Word count
694

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.