In each TLD configured in Cloudflare there are some general settings and services that can be configured. In this page we are going to analyze the security related settings of each section:

Overview

• Get a feeling of how much are the services of the account used

• Find also the zone ID and the account ID

Analytics

• In Security check if there is any Rate limiting

DNS

• Check interesting (sensitive?) data in DNS records

• Check for subdomains that could contain sensitive info just based on the name (like admin173865324.domin.com)

• Check for web pages that aren't proxied

• Check for proxified web pages that can be accessed directly by CNAME or IP address

• Check that DNSSEC is enabled

• Check that CNAME Flattening is used in all CNAMEs

  • This is could be useful to hide subdomain takeover vulnerabilities and improve load timings

• Check that the domains aren't vulnerable to spoofing

Email

TODO

Spectrum

TODO

SSL/TLS

Overview

• The SSL/TLS encryption should be Full or Full (Strict). Any other will send clear-text traffic at some point.

• The SSL/TLS Recommender should be enabled

Edge Certificates

• Always Use HTTPS should be enabled

• HTTP Strict Transport Security (HSTS) should be enabled

• Minimum TLS Version should be 1.2

• TLS 1.3 should be enabled

• Automatic HTTPS Rewrites should be enabled

• Certificate Transparency Monitoring should be enabled

Security

• In the WAF section it's interesting to check that Firewall and rate limiting rules are used to prevent abuses.

  • The Bypass action will disable Cloudflare security features for a request. It shouldn't be used.

• In the Page Shield section it's recommended to check that it's enabled if any page is used

• In the API Shield section it's recommended to check that it's enabled if any API is exposed in Cloudflare

• In the DDoS section it's recommended to enable the DDoS protections

• In the Settings section:

  • Check that the Security Level is medium or greater

  • Check that the Challenge Passage is 1 hour at max

  • Check that the Browser Integrity Check is enabled

  • Check that the Privacy Pass Support is enabled

CloudFlare DDoS Protection

• If you can, enable Bot Fight Mode or Super Bot Fight Mode. If you protecting some API accessed programatically (from a JS front end page for example). You might not be able to enable this without breaking that access.

• In WAF: You can create rate limits by URL path or to verified bots (Rate limiting rules), or to block access based on IP, Cookie, referrer...). So you could block requests that doesn't come from a web page or has a cookie.

  • If the attack is from a verified bot, at least add a rate limit to bots.

  • If the attack is to a specific path, as prevention mechanism, add a rate limit in this path.

  • You can also whitelist IP addresses, IP ranges, countries or ASNs from the Tools in WAF.

  • Check if Managed rules could also help to prevent vulnerability exploitations.

  • In the Tools section you can block or give a challenge to specific IPs and user agents.

• In DDoS you could override some rules to make them more restrictive.

• Settings: Set Security Level to High and to Under Attack if you are Under Attack and that the Browser Integrity Check is enabled.

• In Cloudflare Domains -> Analytics -> Security -> Check if rate limit is enabled

• In Cloudflare Domains -> Security -> Events -> Check for detected malicious Events

Access

Speed

I couldn't find any option related to security

Caching

• In the Configuration section consider enabling the CSAM Scanning Tool

Workers Routes

You should have already checked cloudflare workers

Rules

TODO

Network

• If HTTP/2 is enabled, HTTP/2 to Origin should be enabled

• HTTP/3 (with QUIC) should be enabled

• If the privacy of your users is important, make sure Onion Routing is enabled

Traffic

TODO

Custom Pages

• It's optional to configure custom pages when an error related to security is triggered (like a block, rate limiting or I'm under attack mode)

Apps

TODO

Scrape Shield

• Check Email Address Obfuscation is enabled

• Check Server-side Excludes is enabled

Zaraz

TODO

Web3

TODO