Cloudflare Docs
Workers
Cloudflare Docs
Workers
GitHub icon
Visit Workers on GitHub
Set theme to dark (⇧+D)
  1. Products
  2. Workers
  3. Examples
  4. Using timingSafeEqual

Using timingSafeEqual

Protect against timing attacks by safely comparing values using `timingSafeEqual`.

To avoid timing attacks in your code, you can replace equality checks with the crypto.timingSafeEqual function in your Workers application.

To use this function, create a new TextEncoder and encode the string values to instances of ArrayBuffer using encoder.encode. This is needed because crypto.timingSafeEqual compares ArrayBuffer instances, not strings. With the encoded values, replace the standard JavaScript equality check (===) with crypto.timingSafeEqual. Note that the strings must be the same length in order to compare to timingSafeEqual. The below code shows how to implement string equality checks with crypto.timingSafeEqual:


const encoder = new TextEncoder();



const string1 = new TextEncoder().encode("foo")

const string2 = new TextEncoder().encode("bar")



if (string1.byteLength !== string2.byteLength) {
  // Strings must be the same length in order to compare
  // with crypto.timingSafeEqual
  return false

}



// The below code is vulnerable to timing attacks

// if (string1 === string2) { ... }



// You can replace it with `crypto.timingSafeEqual` by encoding the values

// you need to compare

const a = encoder.encode(string1);

const b = encoder.encode(string2);



let equal = crypto.timingSafeEqual(a, b)



if (equal) {
  // The values are equal

} else {
  // The values are not equal

}


const encoder = new TextEncoder();



const string1 = new TextEncoder().encode("foo")

const string2 = new TextEncoder().encode("bar")



if (string1.byteLength !== string2.byteLength) {
  // Strings must be the same length in order to compare
  // with crypto.timingSafeEqual
  return false

}



// The below code is vulnerable to timing attacks

// if (string1 === string2) { ... }



// You can replace it with `crypto.timingSafeEqual` by encoding the values

// you need to compare

const a = encoder.encode(string1);

const b = encoder.encode(string2);



let equal = crypto.timingSafeEqual(a, b)



if (equal) {
  // The values are equal

} else {
  // The values are not equal

}