Test mTLS Certificates the way Devflare expects it to run
mTLS certificate bindings let a Worker make outbound fetches with a client certificate.
Test mTLS Certificates by choosing the local harness that matches the product boundary instead of reaching for Cloudflare by default.
The first test should prove application control flow. Escalate to Wrangler remote binding or deployed tests only when the Cloudflare-hosted behavior is the thing under test.
- Best for
- calling origins that require a Cloudflare-uploaded client certificate
- Default harness
- with
- Escalate when
- The assertion depends on Cloudflare-hosted product behavior rather than the app calling the binding correctly
Start with the default test loop
Keep the first test small. Name the binding, call the one method your route uses, and assert the behavior your app owns.
When Cloudflare owns the interesting behavior, mark that as a remote/deployed lane instead of building a local fake that claims too much.
Fixture an mTLS Fetcher locally
The helper surface to remember
- Use with for config-backed local worker tests.
- Use / for pure unit tests.
- Use or an explicit integration lane when the test needs Cloudflare credentials or a local Docker/Podman engine.
When to move beyond the default harness
- Real TLS client-certificate presentation is Cloudflare/Wrangler remote behavior.
- Do not let a low-fidelity mock become product documentation. Keep mocks framed as application-flow tools.
- If a test would mutate paid or remote Cloudflare state, gate it separately from ordinary unit tests.
Local tests should be honest
For mTLS Certificates, passing locally means the Devflare contract and app flow are correct. It does not automatically prove every hosted Cloudflare behavior.
Previous
mTLS Certificates internals
mTLS Certificates compiles from to Wrangler , with local/test behavior called out explicitly.
Next
mTLS Certificates example
A compact mTLS Certificates recipe with config and worker usage in one application path.