If you haven’t discovered Super Productivity yet, you’re missing one of the most thoughtfully designed productivity tools in the open source ecosystem. This is more than a Pomodoro timer or simple to-do list. It’s a complete work orchestration system that understands how knowledge workers actually function: integrating with multiple tools, tracking time with precision, managing focus sessions with built-in break reminders. And most importantly, it treats your data with respect.
What sets Super Productivity apart is its holistic approach to the working day. It doesn’t just track tasks; it understands the relationships between your GitHub issues, your Jira tickets, your personal notes, and your time investment. It creates a cohesive narrative of your productivity across all these disparate systems. The app can run entirely offline, encrypt your data at rest, with an option to sync across devices without forcing you into a cloud subscription. It’s productivity software that respects both your workflow and your privacy.
But here’s where developers hit a familiar wall: that cross-device sync. That’s why we built R2-WebDAV Multi-User Edition; a relatively simple way to sync your Super-Productivity data through infrastructure you control. But here’s where it gets interesting: by choosing Cloudflare as our “backhaul,” we’re not just building another self-hosted solution. It’s showing the promise of privacy-first architecture that is both accessible to developers and could be made invisible to end users.
WebDAV: The Proven Protocol
WebDAV (Web Distributed Authoring and Versioning) and its sibling CalDAV represent one of the internet’s success stories in open standards. Since 1996, these protocols have quietly powered everything from corporate document management to calendar synchronization, proving that well-designed standards endure because they solve real problems elegantly.
Why WebDAV makes perfect sense for privacy-first sync:
- Universal compatibility: Native support in operating systems and applications worldwide, including Super-Productivity
- Semantic clarity: RESTful operations for hierarchical data; exactly what sync needs
- Open standard: IETF-maintained, vendor-neutral, no proprietary extensions required
- Production-proven: Nearly three decades of reliable service in mission-critical systems
Our fork of the r2-webdav Worker repository brings WebDAV up to the latest API, combining time-tested protocol reliability with modern global infrastructure.
Simplicity With Sophistication
The entire WebDAV server runs in a single TypeScript file on Cloudflare’s V8 isolates. Here’s the actual authentication and routing logic from our implementation:
// From src/index.ts - Deterministic naming for complete user isolation
const bucketBinding = `${username}_webdav_sync`;
const passwordSecret = `USER_${username.toUpperCase()}_PASSWORD`;
// Get the password from secrets
const storedPassword = env[passwordSecret] as string;
if (!storedPassword) {
const response = new Response('Unauthorized', {
status: 401,
headers: { 'WWW-Authenticate': 'Basic realm="webdav"' }
});
return addCorsHeaders(response);
}
// Timing-safe password comparison prevents timing attacks
if (!is_authorized(authHeader, username, storedPassword)) {
const response = new Response('Unauthorized', {
status: 401,
headers: { 'WWW-Authenticate': 'Basic realm="webdav"' }
});
return addCorsHeaders(response);
}
// Get the user's R2 bucket - complete isolation
const bucket = env[bucketBinding] as R2Bucket;
No containers. No orchestration. No service mesh. Just deterministic routing to isolated storage buckets, running at the edge measured in milliseconds of any user on Earth.
While our current implementation uses TypeScript for broad accessibility, we’re planning to migrate this codebase to F# using Fable. This will bring type safety, functional composition, and seamless integration with our broader Fidelity framework vision. The same F# code that handles WebDAV operations could eventually compile to WebAssembly for even better performance, or to native code for specialized deployments. But for now we’re showcasing the benefits in a fork or the original TypeScript based repository that inspired the extensions we’ve built.
Cloudflare As Privacy Centered Backhaul
In telecommunications, “backhaul” refers to the intermediate infrastructure that carries data between the network edge and core; it’s the hidden backbone that makes distributed systems possible. We use this term deliberately for Cloudflare’s role in our architecture. They provide the fundamental infrastructure layer; global network presence, storage primitives, compute isolation; while remaining architecturally separated from application concerns. This isn’t just vendor selection, it’s a conscious architectural decision about where trust boundaries should exist. Traditional cloud providers integrate vertically, creating dependencies between infrastructure and application layers. Cloudflare’s approach maintains clear separation:
Zero-Knowledge Architecture
Cloudflare’s R2 storage operates on an object storage model where your data remains opaque to the infrastructure layer. Unlike providers that parse content for optimization or analytics, R2 treats your data as binary objects without semantic interpretation. The WebDAV server executing in Workers maintains application-level access, but this runs in isolated V8 contexts separate from Cloudflare’s infrastructure plane. This architectural separation ensures that while Cloudflare provides the storage and compute infrastructure, they have no visibility into the application data itself.
Future-Ready Security Infrastructure
Cloudflare is pioneering post-quantum cryptography deployment across their network, making advanced security accessible to everyone, not just hyperscalers. While today’s WebDAV sync benefits from their current world-class encryption, we chose Cloudflare as our backhaul because they’re actively building tomorrow’s security infrastructure today. This forward-thinking approach aligns with our privacy-first values; when quantum-resistant algorithms become critical, the infrastructure will already be there. It’s about choosing partners who see security as first-class consideration.
Zero Trust at the Network Level
Every request to your WebDAV server crosses Cloudflare’s Zero Trust network:
- DDoS protection that handles nation-state level attacks
- Bot detection that stops automated scanning
- Rate limiting that prevents abuse
- Geo-restrictions if you need them
The exciting part of this approach is that all of this happens at the network edge, before traffic even reaches your code. This simple WebDAV server gets enterprise-grade protection without writing a single security rule.
Beyond TypeScript: The F# and Fable Path
While our WebDAV server delivers value today in TypeScript, it represents the beginning of a larger vision. We’re actively working on building CloudflareFS, an F# toolkit using Fable, bringing functional programming’s guarantees to edge computing.
This isn’t just about language preference. As we detail in How Our Innovations Express Our Values, every technical choice embodies principles. The planned F# migration will deliver:
- Type safety throughout: Eliminating entire classes of runtime errors
- Functional composition: Building complex behavior from simple, testable functions
- Seamless Cloudflare integration: Type-safe bindings for Workers, R2, KV, and all Cloudflare services
- Unified compilation targets: The same F# code compiling to JavaScript (via Fable), WebAssembly (via Fidelity), or native code as needed
The Fable compiler already handles sophisticated JavaScript generation, and tools like Glutinum can automatically generate F# bindings from Cloudflare’s TypeScript SDKs. This means we can maintain full compatibility with Cloudflare’s ecosystem while gaining F#’s safety and expressiveness:
// Future: Type-safe WebDAV with exhaustive pattern matching
type AuthResult =
| Authorized of username: string * bucket: R2Bucket
| Unauthorized of reason: string
let authenticate (env: CloudflareEnv) (auth: string) =
match parseBasicAuth auth with
| None -> Unauthorized "Missing credentials"
| Some (user, pass) ->
match env.GetSecret $"USER_{user.ToUpper()}_PASSWORD" with
| None -> Unauthorized "Unknown user"
| Some stored when timingSafeCompare pass stored ->
match env.GetBucket $"{user}_webdav_sync" with
| Some bucket -> Authorized (user, bucket)
| None -> Unauthorized "Bucket not configured"
| Some _ -> Unauthorized "Invalid password"
This evolution from TypeScript to F# demonstrates our commitment to raising the bar for edge computing, making it simultaneously safer and more powerful.
A Real-World Case Study
Let’s make this concrete. You’re a developer juggling multiple projects across GitHub and Jira, tracking billable hours, and trying to maintain focus in an interruption-driven world. Super Productivity becomes your command center, pulling together issues from multiple sources into a unified workspace. Here’s how R2-WebDAV transforms this already-powerful workflow:
Setup (5 Minutes)
# Add yourself as a user
.\scripts\add-user.ps1 -Username "alice" -Password "secure-password"
# Deploy to Cloudflare
npx wrangler deploy
# Configure Super-Productivity
# URL: https://sync.yourdomain.com/webdav
# Username: alice
# Password: [your password]
What You Get
- Global sync: Your integrated workspace; GitHub issues, Jira tickets, time tracking data; replicates across all devices
- Millisecond latency: Faster sync than any centralized server
- Isolated storage: Your complete productivity system in your own R2 bucket
- Timed backups: R2 maintains the latest versions of your (optionally encrypted) data
- Zero maintenance: No servers to patch while managing complex integrations
What You Don’t Have to Deal With
- Data mining of your time tracking patterns by vendors
- AI training on your project relationships and workflows
- Vendor lock-in to a specific sync service
- Surprise price increases when your project data grows
- Privacy policy changes affecting your historical productivity data
The Privacy Multiplier Effect
Here’s where it gets philosophically interesting. Super Productivity already provides the option to encrypt your data at rest, treating your information with the respect it deserves. By making privacy-first sync equally accessible through R2-WebDAV, we complete the privacy chain from application to infrastructure. This creates a cascade effect:
- Individual developers protect their personal data
- Small teams maintain project confidentiality without enterprise complexity
- Open source projects can offer sync without liability (following Super Productivity’s example)
- Businesses meet compliance requirements simply
Each deployment creates another privacy-preserving node in the global sync infrastructure. Unlike centralized services where scale decreases privacy, our approach means scale increases privacy through diversification.
Connecting to the Bigger Picture
This WebDAV server might seem like a small project, but it’s a proof point for larger ideas:
Edge-First Architecture
Running at the edge isn’t just about performance. It’s about data sovereignty. Your data stays in the regions you specify, processed by code you control, with audit logs you own.
The Fidelity Framework Future
While this implementation uses TypeScript today, imagine compiling F# to type safe JavaScript-ed Cloudflare Workers through CloudflareFS. Type-safe, formally verified sync logic that compiles to optimal edge code. The same source could target WebAssembly for browsers or native code for embedded devices.
Beyond WebDAV
The patterns here; user isolation, edge deployment, zero-trust security, they each apply to any distributed application. APIs, REST services, real-time collaboration; all can follow this privacy-first template.
For F# Developers: The Migration Path
If you’re interested in functional approaches, consider how this might look in F#:
// Domain modeling for WebDAV operations
type FileSystemPath = private Path of string
type UserBucket = private Bucket of R2Bucket
// Type-safe WebDAV implementation
module WebDAV =
let get (Path path) (Bucket bucket) = async {
match! R2.tryGet bucket path with
| Some content -> return Ok content
| None -> return Error NotFound
}
// Computation expression for request handling
let handleRequest = webdav {
let! user = authenticate
let! operation = parseMethod
let! result = executeOperation user operation
return! formatResponse result
}
The beauty is that Fable can compile F# to JavaScript today, and CLoudflareFS will be able to target Cloudflare infrastructure with the same ergonomics and safety.
A Challenge to the Status Quo
Every time someone deploys this WebDAV server, they’re making a statement: “My data doesn’t need to live in a hyperscaler’s data center to be useful.” It’s a small act of resistance against surveillance capitalism, implemented in a few lines of code.
But more importantly, it’s a demonstration that privacy-first doesn’t mean user-hostile. The Super-Productivity integration is seamless. The performance is better than centralized alternatives. The cost is predictable and minimal.
This challenges the fundamental assumption that convenience requires surrendering control. What if it doesn’t? What if privacy-first is actually easier when you build on the right foundations?
Your Data, Your Rules, Today
The WebDAV code is open source. The deployment takes minutes. The monthly cost is trivial (and often free). There’s no excuse left for surrendering your data to centralized services that monetize your digital footprints.
This WebDAV solution enhances what Super Productivity made into a smooth “paved path”. The app gives you a powerful, integrated workspace that respects your privacy. It pulls together your GitHub PRs, Jira stories, and personal tasks into a unified view. It tracks your time without surveillance. It manages your focus without manipulation. And with R2-WebDAV, it syncs across all your devices without compromise.
Imagine starting your deep work session on your desktop, reviewing the GitHub issues that need attention, time-boxing your Jira tasks for the day, and setting your focus timer. Later, you pick up your laptop at a coffee shop and everything is there; not because it lives in someone else’s cloud, but because you’ve created your own privacy-preserving sync infrastructure. Your project notes, time tracking data, and task relationships remain encrypted at rest by Super Productivity and transmitted securely through Cloudflare’s network, with you holding all the keys.
This is productivity software as it should be: powerful enough to orchestrate visibility across multiple platforms, respectful enough to keep your data private, and seamless enough to work across all your devices without sacrificing either capability or privacy.
For Super Productivity users: Take direct control of your sync today.
For ThypeScript developers: Fork it, extend it, make it yours.
For F# enthusiasts: This is just the beginning of functional edge computing.
For everyone else: Your data has value. Keep it.
The future of privacy isn’t about building higher walls. It’s about making privacy-first the path of least resistance. This simple WebDAV server, running on Cloudflare’s edge, proves that future is already here. Combined with Super Productivity’s thoughtful design, you now have a complete productivity system that’s both powerful and private.