Building a domain audit engine using Cloudflare Workers and D1 for $0/mo
The "Vibe Coding" Story of StackAnchor.
I’ve spent years in the DevOps field, and if there’s one thing I’ve learned, it’s that the traditional way of building apps—waiting for slow pipelines and over-designing every detail—is the fastest way to kill a project's momentum. I got tired of it. I wanted to see if I could build something real, something useful, without the corporate friction.
Last week, I decided to build StackAnchor using everything I've learned about building fast and resilient tools. I didn't start with a sprint plan. I didn't have a Jira board. I started with a vibe.
I wanted a tool that could audit a domain’s health (SSL, Security Headers, Email Auth, SEO) in under 10 seconds, email a beautiful report, and cost exactly $0.00 to run at scale. It was part engineering challenge, part personal curiosity.
Here is how I built it using Cloudflare’s "Infinity" stack, Antigravity (my AI pair programmer who actually "gets" it), and pure vibe coding.
"If you aren't building on the edge in 2026, you're playing on Hard Mode."
The Stack: Why Cloudflare?
I chose Cloudflare because their Free Tier is essentially a superpower for developers. The "Infinity" stack allows us to stay fast and cheap:
- Cloudflare Workers: 100k requests/day for free. Zero cold starts.
- D1 (SQL Database): High-performance SQLite at the edge.
- Service Bindings: This is the secret sauce. My API Gateway calls my Audit Worker with zero latency—it's like a function call but across separate microservices.
- Pages: Blazing fast static hosting for the frontend.
The "Vibe Coding" Workflow
I built this project in a single flow state with Antigravity. Instead of writing boilerplate, I focused on the What and let the AI handle the How.
- Iterative Architecture: We didn't plan the database on day one. We built the Audit logic first, saw it working in the terminal, and then said: "Hey Antigravity, let’s persist this to D1 for rate limiting."
- Zero-Friction UI: The Terminal aesthetic wasn't a pixel-perfect Figma design. It was a vibe: "Make it feel like a dev's home."
- Global-Scale Security: We didn't just build a scanner; we built a fortress using Cloudflare's native security primitives. From Turnstile to custom D1 rate-limiting, the security is baked directly into the edge.
The 2:00 AM Pivot
At one point, I was over-engineering the email delivery service. I was thinking about message queues and complex retry logic. I told Antigravity: "This feels like 'Hard Mode' again. Let's simplify."
Within seconds, we pivoted to using ctx.waitUntil() and Resend. It was a moment of pure
clarity—momentum is more valuable than complex architecture you don't need yet. That's the heart of
vibe coding: knowing when to stop thinking and start doing.
Security at the Edge: Defense in Depth
One of the biggest challenges when building a free public tool is preventing abuse. If you don't secure your edge, malicious bots will burn through your D1 budget or use your infrastructure for phishing in minutes.
Using Cloudflare, we implemented a 10-layer security pipeline that runs before a single audit check is executed:
- Turnstile (Layer 1): Mandatory bot verification that respects user privacy while stopping industrial-scale automation.
- Honeypot Traps (Layer 2): Invisible form fields that "dumb" bots fill out. We silently drop these requests without wasting server resources.
- Payload Size Guards (Layer 3): We strictly reject any request body over 16KB. Massive payloads never even hit our main logic.
- D1 Rate Limiting (Layers 4-7): We track usage via D1 in real-time. We enforce global daily caps, per-IP hourly limits, and per-email/domain cooldowns at zero additional cost.
- Intelligence Blocking (Layers 8-10): We maintain dynamic lists of disposable email providers and major enterprise domains to prevent the tool from being used for reconnaissance against high-value targets.
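The cheap, synchronous part of such a pipeline (layers 2, 3 and 8-10) can be sketched as below. This is an added example, not StackAnchor's own code: the field names (`website` as the honeypot, `domain`, `email`) and the list contents are assumptions, and Turnstile and the D1 rate limits are left out.

```javascript
// Added example: synchronous pre-audit screening (layers 2, 3, 8-10).
// Field names and list contents are assumptions, not StackAnchor's own.
const MAX_BODY_BYTES = 16 * 1024; // the 16KB cap from Layer 3
const DISPOSABLE_EMAIL_DOMAINS = new Set(["tempmail.example"]); // constructed
const PROTECTED_DOMAINS = new Set(["bigcorp.example"]);         // constructed

// True if host equals a listed domain or is a subdomain of one.
// Matching on label boundaries keeps "notbigcorp.example" from matching.
function onList(host, list) {
  const labels = host.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (list.has(labels.slice(i).join("."))) return true;
  }
  return false;
}

// Lowercase, strip one trailing dot, and require a plain DNS hostname
// (IP literals and single-label names such as "localhost" do not pass).
function normalizeHost(value) {
  if (typeof value !== "string") return null;
  const host = value.trim().toLowerCase().replace(/\.$/, "");
  const ok = /^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$/;
  return ok.test(host) ? host : null;
}

// rawBody is the request body text as received. Returns { action, reason }.
function screenRequest(rawBody) {
  // Layer 3: measure real bytes; Content-Length may be absent or wrong.
  if (new TextEncoder().encode(rawBody).length > MAX_BODY_BYTES) {
    return { action: "reject", reason: "payload_too_large" };
  }
  let form;
  try { form = JSON.parse(rawBody); } catch { form = null; }
  if (form === null || typeof form !== "object") return { action: "reject", reason: "bad_json" };
  // Layer 2: hidden field that humans leave empty. "drop" means: answer with
  // a normal-looking success and do no further work.
  if (form.website) return { action: "drop", reason: "honeypot" };
  const domain = normalizeHost(form.domain);
  const email = typeof form.email === "string" ? form.email.trim().toLowerCase() : "";
  const at = email.lastIndexOf("@");
  const emailHost = at > 0 ? normalizeHost(email.slice(at + 1)) : null;
  if (!domain || !emailHost) return { action: "reject", reason: "bad_input" };
  // Layers 8-10: blocklists for disposable senders and protected targets.
  if (onList(emailHost, DISPOSABLE_EMAIL_DOMAINS)) return { action: "reject", reason: "disposable_email" };
  if (onList(domain, PROTECTED_DOMAINS)) return { action: "reject", reason: "protected_domain" };
  return { action: "allow", reason: "ok", domain, email };
}
```

Running these checks before Turnstile verification and the D1 lookups means rejected requests cost no sub-request and no database read.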
"Security isn't a feature you add at the end; it's the foundation of your edge worker."
Deep Dive: The Audit Engine
Under the hood, StackAnchor runs 30+ checks in parallel using Promise.all(). When you hit "Audit," a Cloudflare Worker performs several non-blocking sub-requests:
// Parallelizing Audit Logic
const findings = await Promise.all([
  checkSSL(domain),
  checkEmailSecurity(domain),
  checkHeaders(domain),
  checkPerformance(domain)
]);
The beauty of this architecture is that the user never waits. We offload the email delivery and
Discord notifications to ctx.waitUntil(), returning a success response immediately
while the heavy lifting happens in the background.
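Promise.all() rejects as soon as any one check throws, and a stalled sub-request holds up the rest. The variant below is an added example, not StackAnchor's code: it uses Promise.allSettled() with a per-check timeout so each check reports independently, then hands delivery to ctx.waitUntil(). The timeout value, the check map and the `deliver` function are assumptions.

```javascript
// Added example: run checks in parallel without letting one failure sink the audit.
// The timeout value, check names and deliver() are assumptions.
const CHECK_TIMEOUT_MS = 4000;

// Reject if a check has not settled within ms, so a stalled sub-request
// cannot hold the whole audit past its time budget.
function withTimeout(promise, ms) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error("timeout")), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// checks: { name: async (domain) => finding }. Promise.allSettled never rejects,
// so each check ends up as "ok" or "error" on its own.
async function runAudit(domain, checks, timeoutMs = CHECK_TIMEOUT_MS) {
  const names = Object.keys(checks);
  const settled = await Promise.allSettled(
    names.map((n) => withTimeout(Promise.resolve().then(() => checks[n](domain)), timeoutMs))
  );
  return names.map((name, i) =>
    settled[i].status === "fulfilled"
      ? { name, status: "ok", finding: settled[i].value }
      : { name, status: "error", error: String(settled[i].reason?.message ?? settled[i].reason) }
  );
}

// Worker-style handler: respond once findings exist, deliver the report after.
// deliver is a hypothetical async function that sends the email/notification.
async function handleAudit(domain, checks, ctx, deliver) {
  const findings = await runAudit(domain, checks);
  // waitUntil keeps the Worker alive for this promise after the response is
  // sent; catch here because nothing else will observe a delivery failure.
  ctx.waitUntil(deliver(findings).catch((e) => console.error("delivery failed", e)));
  return new Response(JSON.stringify({ ok: true, findings }), {
    headers: { "content-type": "application/json" },
  });
}
```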
The Economics of $0/mo
Here is the "Bill of Materials" for StackAnchor:
- Hosting: Cloudflare Pages ($0)
- Compute: Cloudflare Workers ($0)
- Database: Cloudflare D1 ($0)
- Email: Resend Free Tier ($0)
- IaC: Terraform + R2 for state ($0)
Total Cost: $0.
What’s Next?
"Vibe coding" doesn't mean "done." It means "fast."
The core of StackAnchor is now rock solid. Next, I'm building Pulse—continuous uptime and SSL monitoring from the edge. If you want to see what happens when you combine AI with the world’s fastest edge network, come run an audit on your site.