Comment on page

Cloudflare Domains

Support HackTricks and get benefits!
If you want to see your company advertised in HackTricks or if you want access to the latest version of the PEASS or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag​
Discover The PEASS Family, our collection of exclusive NFTs​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
In each TLD configured in Cloudflare there are some general settings and services that can be configured. In this page we are going to analyze the security related settings of each section:
Overview
Get a feeling of how much are the services of the account used
Find also the zone ID and the account ID
Analytics
In Security check if there is any Rate limiting
DNS
Check interesting (sensitive?) data in DNS records
Check for subdomains that could contain sensitive info just based on the name (like admin173865324.domin.com)
Check for web pages that aren't proxied
Check for proxified web pages that can be accessed directly by CNAME or IP address
Check that DNSSEC is enabled
Check that CNAME Flattening is used in all CNAMEs
This is could be useful to hide subdomain takeover vulnerabilities and improve load timings
Check that the domains aren't vulnerable to spoofing​
Email
TODO
Spectrum
TODO
SSL/TLS
Overview
The SSL/TLS encryption should be Full or Full (Strict). Any other will send clear-text traffic at some point.
The SSL/TLS Recommender should be enabled
Edge Certificates
Always Use HTTPS should be enabled
HTTP Strict Transport Security (HSTS) should be enabled
Minimum TLS Version should be 1.2
TLS 1.3 should be enabled
Automatic HTTPS Rewrites should be enabled
Certificate Transparency Monitoring should be enabled
Security
In the WAF section it's interesting to check that Firewall and rate limiting rules are used to prevent abuses.
The Bypass action will disable Cloudflare security features for a request. It shouldn't be used.
In the Page Shield section it's recommended to check that it's enabled if any page is used
In the API Shield section it's recommended to check that it's enabled if any API is exposed in Cloudflare
In the DDoS section it's recommended to enable the DDoS protections
In the Settings section:
Check that the Security Level is medium or greater
Check that the Challenge Passage is 1 hour at max
Check that the Browser Integrity Check is enabled
Check that the Privacy Pass Support is enabled
CloudFlare DDoS Protection
If you can, enable Bot Fight Mode or Super Bot Fight Mode. If you protecting some API accessed programatically (from a JS front end page for example). You might not be able to enable this without breaking that access.
In WAF: You can create rate limits by URL path or to verified bots (Rate limiting rules), or to block access based on IP, Cookie, referrer...). So you could block requests that doesn't come from a web page or has a cookie.
If the attack is from a verified bot, at least add a rate limit to bots.
If the attack is to a specific path, as prevention mechanism, add a rate limit in this path.
You can also whitelist IP addresses, IP ranges, countries or ASNs from the Tools in WAF.
Check if Managed rules could also help to prevent vulnerability exploitations.
In the Tools section you can block or give a challenge to specific IPs and user agents.
In DDoS you could override some rules to make them more restrictive.
Settings: Set Security Level to High and to Under Attack if you are Under Attack and that the Browser Integrity Check is enabled.
In Cloudflare Domains -> Analytics -> Security -> Check if rate limit is enabled
In Cloudflare Domains -> Security -> Events -> Check for detected malicious Events
Access
Cloudflare Zero Trust Network
Speed
I couldn't find any option related to security
Caching
In the Configuration section consider enabling the CSAM Scanning Tool
Workers Routes
You should have already checked cloudflare workers​
Rules
TODO
Network
If HTTP/2 is enabled, HTTP/2 to Origin should be enabled
HTTP/3 (with QUIC) should be enabled
If the privacy of your users is important, make sure Onion Routing is enabled
Traffic
TODO
Custom Pages
It's optional to configure custom pages when an error related to security is triggered (like a block, rate limiting or I'm under attack mode)
Apps
TODO
Scrape Shield
Check Email Address Obfuscation is enabled
Check Server-side Excludes is enabled
Zaraz
TODO
Web3
TODO
Support HackTricks and get benefits!
If you want to see your company advertised in HackTricks or if you want access to the latest version of the PEASS or download HackTricks in PDF Check the SUBSCRIPTION PLANS!
Get the official PEASS & HackTricks swag​
Discover The PEASS Family, our collection of exclusive NFTs​
Join the 💬 Discord group or the telegram group or follow me on Twitter 🐦 @carlospolopm.
Share your hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

Pentesting CI/CD - Previous

Cloudflare Security

Cloudflare Zero Trust Network

Last modified 2mo ago