Cloudflare Domains
In each TLD configured in Cloudflare there are some general settings and services that can be configured. On this page we analyze the security-related settings of each section:
Overview
Analytics
DNS
Email
TODO
Spectrum
TODO
SSL/TLS
Overview
Edge Certificates
Security
CloudFlare DDoS Protection
If you can, enable Bot Fight Mode or Super Bot Fight Mode. If you are protecting an API that is accessed programmatically (for example from a JS front-end page), you might not be able to enable this without breaking that access.
In WAF you can create rate limits by URL path or for verified bots (Rate limiting rules), or block access based on IP, cookie, referrer, etc. So you could block requests that don't come from a web page or don't carry a cookie.
If the attack is from a verified bot, at least add a rate limit to bots.
If the attack is to a specific path, as a prevention mechanism, add a rate limit on this path.
You can also whitelist IP addresses, IP ranges, countries or ASNs from the Tools in WAF.
Check whether Managed rules could also help prevent vulnerability exploitation.
In the Tools section you can block or give a challenge to specific IPs and user agents.
In DDoS you could override some rules to make them more restrictive.
Settings: set Security Level to High (or to Under Attack if you are under attack) and check that the Browser Integrity Check is enabled.
In Cloudflare Domains -> Analytics -> Security -> check whether rate limiting is enabled
In Cloudflare Domains -> Security -> Events -> check for detected malicious events
Access
See the Cloudflare Zero Trust Network page.
Speed
I couldn't find any option related to security
Caching
In the Configuration section consider enabling the CSAM Scanning Tool.
Workers Routes
You should have already checked Cloudflare Workers.
Rules
TODO
Network
If HTTP/2 is enabled, HTTP/2 to Origin should be enabled.
HTTP/3 (with QUIC) should be enabled.
If the privacy of your users is important, make sure Onion Routing is enabled.
Traffic
TODO
Custom Pages
It's optional to configure custom pages shown when a security-related action is triggered (like a block, rate limiting or I'm Under Attack mode).
Apps
TODO
Scrape Shield
Check that Email Address Obfuscation is enabled
Check that Server-side Excludes is enabled
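To turn the Security, Network and Scrape Shield checks above into a repeatable audit, here is an added example (not Cloudflare's own tooling) that reads a zone's settings and flags the ones that deviate from this checklist. It assumes the Cloudflare v4 endpoint `GET /zones/{zone_id}/settings`, which returns a list of `{"id": ..., "value": ...}` objects, and that the setting ids in `EXPECTED` correspond to the dashboard toggles named on this page; the sample response is constructed.

```python
import json
import os
import urllib.request

# Expected values for the settings this page recommends.
# Keys are assumed Cloudflare zone-setting ids (check them against the API docs).
EXPECTED = {
    "security_level": {"high", "under_attack"},  # Security -> Settings
    "browser_check": {"on"},                      # Browser Integrity Check
    "http2": {"on"},                              # Network -> HTTP/2
    "http3": {"on"},                              # Network -> HTTP/3 (with QUIC)
    "opportunistic_onion": {"on"},                # Network -> Onion Routing
    "email_obfuscation": {"on"},                  # Scrape Shield
    "server_side_exclude": {"on"},                # Scrape Shield
}

def fetch_zone_settings(zone_id, api_token):
    """Fetch the zone's settings list from the Cloudflare API (needs network)."""
    req = urllib.request.Request(
        f"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings",
        headers={"Authorization": f"Bearer {api_token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["result"]

def audit_settings(settings):
    """Return {setting_id: (current_value, ok)} for every setting in EXPECTED."""
    current = {s["id"]: s.get("value") for s in settings}
    return {sid: (current.get(sid), current.get(sid) in allowed)
            for sid, allowed in EXPECTED.items()}

def findings(settings):
    """Return the sorted list of setting ids that fail the checklist."""
    return sorted(sid for sid, (_, ok) in audit_settings(settings).items() if not ok)

# Constructed sample response: weak security level, BIC off, Onion Routing off.
SAMPLE_SETTINGS = [
    {"id": "security_level", "value": "medium"},
    {"id": "browser_check", "value": "off"},
    {"id": "http2", "value": "on"},
    {"id": "http3", "value": "on"},
    {"id": "opportunistic_onion", "value": "off"},
    {"id": "email_obfuscation", "value": "on"},
    {"id": "server_side_exclude", "value": "on"},
]

if __name__ == "__main__":
    zone, token = os.environ.get("CF_ZONE_ID"), os.environ.get("CF_API_TOKEN")
    data = fetch_zone_settings(zone, token) if zone and token else SAMPLE_SETTINGS
    for sid, (value, ok) in audit_settings(data).items():
        print(f"{'OK ' if ok else 'FIX'} {sid}={value}")
```

With `CF_ZONE_ID` and `CF_API_TOKEN` set it audits the live zone; otherwise it runs against the constructed sample.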
Zaraz
TODO
Web3
TODO