From e5b167d731504c0b6d76bfba118155ee9e67f01e Mon Sep 17 00:00:00 2001
From: multipleof4 <planetrenox@protonmail.com>
Date: Sun, 15 Feb 2026 09:02:54 -0800
Subject: [PATCH] Feat: Reject queries with slashes, serve bad.webp

---
 functions/[[path]].js | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/functions/[[path]].js b/functions/[[path]].js
index cdd77dd..43a01f5 100644
--- a/functions/[[path]].js
+++ b/functions/[[path]].js
@@ -4,7 +4,7 @@ export async function onRequest(context) {
   const path = params.path?.join("/") || "";
 
   // Serve static assets for root or standard files
-  if (!path || path === "index.html" || path === "favicon.ico" || path === "robots.txt" || path === "limit.webp") {
+  if (!path || path === "index.html" || path === "favicon.ico" || path === "robots.txt" || path === "limit.webp" || path === "bad.webp") {
     return env.ASSETS.fetch(request);
   }
 
@@ -13,6 +13,12 @@ export async function onRequest(context) {
     return jsonResponse(400, { error: "Empty query" });
   }
 
+  // Reject queries containing slashes (bot probes like wp-admin/setup-config.php)
+  if (query.includes("/")) {
+    const badReq = new Request(new URL("/bad.webp", url.origin));
+    return env.ASSETS.fetch(badReq);
+  }
+
   // Max query length: 200 chars after normalization
   if (query.length > 200) {
     return jsonResponse(400, { error: "Query too long (max 200 characters)" });