Cloudflare Domains

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE) Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)

Support HackTricks

Check the subscription plans!
Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.

In each TLD configured in Cloudflare there are some general settings and services that can be configured. In this page we are going to analyze the security related settings of each section:

Overview

Get a feeling of how much are the services of the account used
Find also the zone ID and the account ID

Analytics

In Security check if there is any Rate limiting

DNS

Check interesting (sensitive?) data in DNS records
Check for subdomains that could contain sensitive info just based on the name (like admin173865324.domin.com)
Check for web pages that aren't proxied
Check for proxified web pages that can be accessed directly by CNAME or IP address
Check that DNSSEC is enabled
Check that CNAME Flattening is used in all CNAMEs
- This is could be useful to hide subdomain takeover vulnerabilities and improve load timings
Check that the domains aren't vulnerable to spoofing

Email

TODO

Spectrum

TODO

SSL/TLS

Overview

The SSL/TLS encryption should be Full or Full (Strict). Any other will send clear-text traffic at some point.
The SSL/TLS Recommender should be enabled

Edge Certificates

Always Use HTTPS should be enabled
HTTP Strict Transport Security (HSTS) should be enabled
Minimum TLS Version should be 1.2
TLS 1.3 should be enabled
Automatic HTTPS Rewrites should be enabled
Certificate Transparency Monitoring should be enabled

Security

In the WAF section it's interesting to check that Firewall and rate limiting rules are used to prevent abuses.
- The Bypass action will disable Cloudflare security features for a request. It shouldn't be used.
In the Page Shield section it's recommended to check that it's enabled if any page is used
In the API Shield section it's recommended to check that it's enabled if any API is exposed in Cloudflare
In the DDoS section it's recommended to enable the DDoS protections
In the Settings section:
- Check that the Security Level is medium or greater
- Check that the Challenge Passage is 1 hour at max
- Check that the Browser Integrity Check is enabled
- Check that the Privacy Pass Support is enabled

CloudFlare DDoS Protection

If you can, enable Bot Fight Mode or Super Bot Fight Mode. If you protecting some API accessed programmatically (from a JS front end page for example). You might not be able to enable this without breaking that access.
In WAF: You can create rate limits by URL path or to verified bots (Rate limiting rules), or to block access based on IP, Cookie, referrer...). So you could block requests that doesn't come from a web page or has a cookie.
- If the attack is from a verified bot, at least add a rate limit to bots.
- If the attack is to a specific path, as prevention mechanism, add a rate limit in this path.
- You can also whitelist IP addresses, IP ranges, countries or ASNs from the Tools in WAF.
- Check if Managed rules could also help to prevent vulnerability exploitations.
- In the Tools section you can block or give a challenge to specific IPs and user agents.
In DDoS you could override some rules to make them more restrictive.
Settings: Set Security Level to High and to Under Attack if you are Under Attack and that the Browser Integrity Check is enabled.
In Cloudflare Domains -> Analytics -> Security -> Check if rate limit is enabled
In Cloudflare Domains -> Security -> Events -> Check for detected malicious Events

Access

Cloudflare Zero Trust Network

Speed

I couldn't find any option related to security

Caching

In the Configuration section consider enabling the CSAM Scanning Tool

Workers Routes

You should have already checked cloudflare workers

Rules

TODO

Network

If HTTP/2 is enabled, HTTP/2 to Origin should be enabled
HTTP/3 (with QUIC) should be enabled
If the privacy of your users is important, make sure Onion Routing is enabled