Never hardcode secrets in your worker code. Cloudflare provides encrypted secret storage through Wrangler secrets—secrets are encrypted at rest and decrypted only when your worker runtime needs them.
Add secrets via wrangler secret put, which prompts for the value securely. They're then available in your worker's env object. For non-sensitive configuration, use wrangler.toml variables—good for feature flags, feature toggles, or environment-specific endpoints.
Rotation is straightforward: update the secret value and it's available on next deploy. Access logs show which workers accessed which secrets. Don't expose secrets in responses or logs even accidentally—audit your output carefully.