Cloudflare Domains
tip
Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Each zone (domain) configured in Cloudflare has a set of general settings and services. This page walks through the security-relevant settings of each section:
Overview
- Get a feeling for how much the account's services are used
- Find the zone ID and the account ID here too (both are needed for API calls)
Analytics
- In Security, check whether any rate limiting is configured
DNS
- Check interesting (sensitive?) data in DNS records
- Check for subdomains that could contain sensitive info just based on the name (like admin173865324.domain.com)
- Check for web pages that aren't proxied (grey cloud): they expose the origin IP and bypass Cloudflare's WAF and DDoS protection
- Check for proxied web pages that can still be accessed directly via their CNAME target or the origin IP address
- Check that DNSSEC is enabled
- Check that CNAME Flattening is used in all CNAMEs
  - Resolvers then receive an A/AAAA record instead of the CNAME target, which hides the third-party target (making dangling-CNAME subdomain takeovers harder to discover, though it doesn't fix them) and improves resolution time
- Check that the domains aren't vulnerable to email spoofing: SPF, DKIM and DMARC TXT records should exist and DMARC should enforce (p=quarantine or p=reject)
TODO
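The DNS checks above can be scripted against the zone's record list. The following is an added example (not HackTricks' own code): it audits records shaped like the `result` array of `GET /zones/{zone_id}/dns_records` (fields `type`, `name`, `content`, `proxied`) for unproxied hosts, sensitive-looking names, third-party CNAMEs and weak SPF/DMARC, and reads the DNSSEC state from the `GET /zones/{zone_id}/dnssec` result. The sample records, the zone `example.com`, the `203.0.113.x` addresses and the list of "sensitive" name prefixes are constructed assumptions for the demo.

```python
"""Audit a Cloudflare zone's DNS records for the points in the checklist above.

Added example (not HackTricks' own code). The records follow the shape of the
``result`` array returned by GET /zones/{zone_id}/dns_records (fields
``type``, ``name``, ``content``, ``proxied``); the sample below is constructed
for the demo, and example.com / 203.0.113.x as the audited zone is an assumption.
"""
import re

# Leading name fragments that usually mark an internal or sensitive host (assumed list).
SENSITIVE_NAME_RE = re.compile(
    r"^(admin|staging|stage|dev|test|internal|vpn|jenkins|backup|old)",
    re.IGNORECASE,
)

# Constructed sample of what the API could return for one zone.
SAMPLE_RECORDS = [
    {"type": "A", "name": "example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "A", "name": "www.example.com", "content": "203.0.113.10", "proxied": True},
    # Grey-clouded: origin IP is public and Cloudflare's WAF/DDoS layer is bypassed.
    {"type": "A", "name": "admin173865324.example.com", "content": "203.0.113.11", "proxied": False},
    # Unproxied CNAME to a third party: classic subdomain-takeover candidate.
    {"type": "CNAME", "name": "blog.example.com", "content": "old-tenant.ghost.io", "proxied": False},
    {"type": "CNAME", "name": "shop.example.com", "content": "shops.myshopify.com", "proxied": True},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "proxied": False},
    {"type": "TXT", "name": "example.com", "content": "v=spf1 include:_spf.google.com ~all", "proxied": False},
    {"type": "TXT", "name": "_dmarc.example.com",
     "content": "v=DMARC1; p=none; rua=mailto:dmarc@example.com", "proxied": False},
]


def audit_dns_records(records, zone="example.com"):
    """Return (severity, record name, message) findings for the zone."""
    findings = []
    spf = dmarc = None
    for r in records:
        name, rtype, content = r["name"], r["type"], r["content"]
        if rtype in ("A", "AAAA", "CNAME"):
            if not r.get("proxied"):
                findings.append(("high", name,
                                 f"{rtype} record is not proxied: {content} is reachable directly, bypassing WAF/DDoS"))
            if SENSITIVE_NAME_RE.search(name.split(".")[0]):
                findings.append(("info", name, "host name suggests an internal or sensitive service"))
        if rtype == "CNAME" and not content.endswith("." + zone):
            findings.append(("medium", name,
                             f"CNAME to third party {content}: confirm the target still exists (subdomain takeover)"))
        if rtype == "TXT" and name == zone and content.startswith("v=spf1"):
            spf = content
        if rtype == "TXT" and name == "_dmarc." + zone and content.startswith("v=DMARC1"):
            dmarc = content
    # Email spoofing: SPF must exist and hard-fail, DMARC must exist and enforce.
    if spf is None:
        findings.append(("high", zone, "no SPF record: the domain can be spoofed"))
    elif "-all" not in spf:
        findings.append(("medium", zone, "SPF does not hard-fail (-all): spoofed mail is only soft-failed"))
    if dmarc is None:
        findings.append(("high", zone, "no DMARC record"))
    else:
        m = re.search(r"\bp=(\w+)", dmarc)
        if not m or m.group(1).lower() == "none":
            findings.append(("medium", zone, "DMARC policy is p=none: spoofed mail is reported but still delivered"))
    return findings


def dnssec_enabled(dnssec_result):
    """GET /zones/{zone_id}/dnssec returns a result with "status" ("active", "pending", "disabled", ...)."""
    return dnssec_result.get("status") == "active"


if __name__ == "__main__":
    for severity, name, msg in audit_dns_records(SAMPLE_RECORDS):
        print(f"[{severity:6}] {name}: {msg}")
    print("DNSSEC enabled:", dnssec_enabled({"status": "disabled"}))
```

Running it against the constructed sample flags the unproxied `admin...` host twice (direct origin exposure and suggestive name), the unproxied third-party CNAME `blog`, the proxied third-party CNAME `shop` (still worth confirming the target exists), the soft-fail SPF and the non-enforcing DMARC; `www` and the apex produce nothing. Feed it the real API output to audit a live zone.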
Spectrum
TODO
SSL/TLS
Overview
- The SSL/TLS encryption mode should be Full (Strict). Off and Flexible send clear-text traffic between Cloudflare and the origin; Full encrypts that leg but doesn't validate the origin's certificate, so a MITM between Cloudflare and the origin is still possible.
- The SSL/TLS Recommender should be enabled
Edge Certificates
- Always Use HTTPS should be enabled
- HTTP Strict Transport Security (HSTS) should be enabled
- Minimum TLS Version should be 1.2 or higher
- TLS 1.3 should be enabled
- Automatic HTTPS Rewrites should be enabled
- Certificate Transparency Monitoring should be enabled
Security
- In the WAF section, check that firewall (custom) rules and rate limiting rules are used to prevent abuses
  - The Bypass action (Skip in the new WAF) disables Cloudflare security features for the matching requests. It shouldn't be used
- In the Page Shield section, check that it's enabled if any web page is served: it monitors the scripts loaded by your pages and reports changes
- In the API Shield section, check that it's enabled if any API is exposed through Cloudflare
- In the DDoS section, check that the DDoS protections are enabled
- In the Settings section:
  - Check that the Security Level is medium or greater
  - Check that the Challenge Passage is 1 hour at most
  - Check that the Browser Integrity Check is enabled
  - Check that the Privacy Pass Support is enabled
- Check that the Cloudflare DDoS Protection
- If you can, enable Bot Fight Mode or Super Bot Fight Mode. If you are protecting an API that is accessed programmatically (for example from a JS front end), you might not be able to enable this without breaking that access.
- In WAF: you can create rate limits by URL path or for verified bots (Rate limiting rules), or block access based on IP, cookie, referrer... So you could block requests that don't come from a web page or don't carry a cookie.
- If the attack comes from a verified bot, at least add a rate limit for bots.
- If the attack targets a specific path, as a prevention mechanism, add a rate limit on that path.
- You can also allowlist IP addresses, IP ranges, countries or ASNs from the Tools section in WAF.
- Check whether Managed rules could also help to prevent exploitation of vulnerabilities.
- In the Tools section you can block or challenge specific IPs and user agents.
- In DDoS you can override some rules to make them more restrictive.
- Settings: set the Security Level to High (or to I'm Under Attack if you are under attack) and check that the Browser Integrity Check is enabled.
- In Cloudflare Domains -> Analytics -> Security: check if rate limiting is enabled
- In Cloudflare Domains -> Security -> Events: check for detected malicious events
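The mitigations listed above map onto three API objects: rate limiting rules (phase `http_ratelimit`), custom WAF rules (phase `http_request_firewall_custom`), both managed through `PUT /zones/{zone_id}/rulesets/phases/{phase}/entrypoint`, and the IP Access Rules behind WAF > Tools (`POST /zones/{zone_id}/firewall/access_rules/rules`). The block below is an added example, not HackTricks' code: it builds those payloads with Cloudflare's Rules language (per-path and per-bot rate limits, a challenge for API calls with no session cookie and no referrer, country and user-agent blocks, an allowlisted range) and refuses the `skip` action, the successor of the Bypass action discussed above. The paths, the `session=` cookie name, the thresholds, the country code and the `198.51.100.0/24` range are placeholders, and `CF_ZONE_ID` / `CF_API_TOKEN` are assumed environment variables.

```python
"""Build and (optionally) push the WAF mitigations described above.

Added example, not HackTricks' code. Payloads follow Cloudflare's Rulesets API
(PUT /zones/{zone_id}/rulesets/phases/{phase}/entrypoint) and the IP Access Rules
API (POST /zones/{zone_id}/firewall/access_rules/rules); expressions are written in
Cloudflare's Rules language. Paths, cookie name, thresholds, country and the
allowlisted network are placeholders; CF_ZONE_ID / CF_API_TOKEN are assumed env vars.
"""
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"
# Actions that only add friction. "skip" (the old Bypass) is deliberately absent.
SAFE_ACTIONS = ("block", "managed_challenge", "js_challenge", "log")


def rate_limit_rule(description, expression, requests, period=60, timeout=600):
    """One http_ratelimit rule: block a source IP that sends more than `requests`
    matching requests within `period` seconds, for `timeout` seconds."""
    return {
        "description": description,
        "expression": expression,
        "action": "block",
        "ratelimit": {
            "characteristics": ["cf.colo.id", "ip.src"],  # cf.colo.id is mandatory
            "period": period,
            "requests_per_period": requests,
            "mitigation_timeout": timeout,
        },
    }


def custom_rule(description, expression, action):
    """One http_request_firewall_custom rule; rejects actions that weaken protection."""
    if action not in SAFE_ACTIONS:
        raise ValueError(f"refusing action {action!r}: it would disable other Cloudflare protections")
    return {"description": description, "expression": expression, "action": action}


def access_rule(mode, target, value, notes=""):
    """Body for the IP Access Rules endpoint (the WAF > Tools list)."""
    if mode not in ("block", "challenge", "js_challenge", "managed_challenge", "whitelist"):
        raise ValueError(f"unknown mode {mode!r}")
    if target not in ("ip", "ip_range", "asn", "country"):
        raise ValueError(f"unknown target {target!r}")
    return {"mode": mode, "configuration": {"target": target, "value": value}, "notes": notes}


def build_ratelimit_rules():
    return {"rules": [
        # Attack against one path: a tight per-IP limit on just that path.
        rate_limit_rule("Login brute force", '(http.request.uri.path eq "/api/login")', requests=20),
        # Abuse by verified bots: keep letting them in, but rate limit them.
        rate_limit_rule("Verified bots", "(cf.client.bot)", requests=200),
    ]}


def build_custom_rules(blocked_country="XX"):
    return {"rules": [
        # API calls that don't look like they come from the web front end.
        custom_rule("API without browser session",
                    '(http.request.uri.path contains "/api/" and not http.cookie contains "session=" '
                    'and http.referer eq "")', "managed_challenge"),
        custom_rule("Block country", f'(ip.geoip.country eq "{blocked_country}")', "block"),
        custom_rule("Block scanner UA", '(http.user_agent contains "sqlmap")', "block"),
    ]}


def push_entrypoint(zone_id, phase, payload, token):
    """Replace the zone's entrypoint ruleset for `phase` (network call)."""
    req = urllib.request.Request(
        f"{API}/zones/{zone_id}/rulesets/phases/{phase}/entrypoint",
        data=json.dumps(payload).encode(), method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    zone, token = os.environ.get("CF_ZONE_ID"), os.environ.get("CF_API_TOKEN")
    allow = access_rule("whitelist", "ip_range", "198.51.100.0/24", "corporate egress")
    print(json.dumps(allow, indent=2))
    for phase, payload in (("http_ratelimit", build_ratelimit_rules()),
                           ("http_request_firewall_custom", build_custom_rules())):
        print(phase, json.dumps(payload, indent=2))
        if zone and token:  # only touch the zone when credentials are supplied
            print(phase, "pushed:", push_entrypoint(zone, phase, payload, token)["success"])
```

Without credentials the script only prints the payloads, which is a convenient way to review the expressions before applying them; the PUT replaces the whole entrypoint ruleset for the phase, so merge with any rules already present rather than pushing this list blindly. Rate limit `period` values and the availability of `cf.client.bot` depend on the zone's plan.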
Access
Speed
I couldn't find any option related to security
Caching
- In the Configuration section consider enabling the CSAM Scanning Tool
Workers Routes
You should have already checked cloudflare workers
Rules
TODO
Network
- If HTTP/2 is enabled, HTTP/2 to Origin should be enabled
- HTTP/3 (with QUIC) should be enabled
- If the privacy of your users is important, make sure Onion Routing is enabled
Traffic
TODO
Custom Pages
- Optionally, configure custom pages for the errors triggered by security features (a block, a rate limit or I'm Under Attack mode)
Apps
TODO
Scrape Shield
- Check Email Address Obfuscation is enabled
- Check Server-side Excludes is enabled
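Most of the per-zone toggles reviewed on this page (SSL/TLS mode and edge certificate options, Security > Settings, Network, Scrape Shield) are exposed as entries of `GET /zones/{zone_id}/settings`, so the checklist can be run as one script. The block below is an added example, not HackTricks' or Cloudflare's code: it evaluates a settings list against the recommendations above. The setting ids and value formats (for example `"strict"` for Full (Strict), `"zrt"` for TLS 1.3 with 0-RTT, the `security_header` object that carries HSTS, `challenge_ttl` in seconds) are those of Cloudflare's API to the best of my knowledge and should be confirmed against the current API reference; the sample values are constructed and deliberately contain several weak settings, and `CF_ZONE_ID` / `CF_API_TOKEN` are assumed environment variables.

```python
"""Check a zone's settings against the SSL/TLS, Security > Settings, Network and
Scrape Shield recommendations on this page.

Added example, not from HackTricks. The input mirrors the ``result`` array of
GET /zones/{zone_id}/settings (a list of {"id": ..., "value": ...} objects keyed
by Cloudflare's setting ids). The sample values are constructed and include
several weak settings on purpose; CF_ZONE_ID / CF_API_TOKEN are assumed env vars.
"""
import json
import os
import urllib.request

SECURITY_LEVELS = ["off", "essentially_off", "low", "medium", "high", "under_attack"]

# Constructed sample (subset of the real setting ids).
SAMPLE_SETTINGS = [
    {"id": "ssl", "value": "full"},                 # should be "strict" (Full (Strict))
    {"id": "always_use_https", "value": "off"},
    {"id": "security_header", "value": {"strict_transport_security": {
        "enabled": False, "max_age": 0, "include_subdomains": False, "nosniff": False}}},
    {"id": "min_tls_version", "value": "1.0"},
    {"id": "tls_1_3", "value": "on"},
    {"id": "automatic_https_rewrites", "value": "on"},
    {"id": "security_level", "value": "low"},
    {"id": "challenge_ttl", "value": 86400},        # seconds; the page wants at most 1 hour
    {"id": "browser_check", "value": "on"},
    {"id": "http2", "value": "on"},
    {"id": "http3", "value": "off"},
    {"id": "opportunistic_onion", "value": "off"},  # Onion Routing
    {"id": "email_obfuscation", "value": "on"},
    {"id": "server_side_exclude", "value": "off"},
]


def hsts_enabled(value):
    """HSTS lives inside the security_header setting as a nested object."""
    return bool(value.get("strict_transport_security", {}).get("enabled"))


# (setting id, what the page expects, predicate on the API value)
CHECKS = [
    ("ssl", "strict: Off/Flexible send clear text to the origin, Full skips origin cert validation",
     lambda v: v == "strict"),
    ("always_use_https", "on", lambda v: v == "on"),
    ("security_header", "HSTS enabled", hsts_enabled),
    ("min_tls_version", "1.2 or higher", lambda v: float(v) >= 1.2),
    ("tls_1_3", "on (or zrt, which is on plus 0-RTT)", lambda v: v in ("on", "zrt")),
    ("automatic_https_rewrites", "on", lambda v: v == "on"),
    ("security_level", "medium or higher",
     lambda v: SECURITY_LEVELS.index(v) >= SECURITY_LEVELS.index("medium")),
    ("challenge_ttl", "at most 3600 seconds (1 hour)", lambda v: int(v) <= 3600),
    ("browser_check", "on", lambda v: v == "on"),
    ("http3", "on", lambda v: v == "on"),
    ("opportunistic_onion", "on (Onion Routing)", lambda v: v == "on"),
    ("email_obfuscation", "on", lambda v: v == "on"),
    ("server_side_exclude", "on", lambda v: v == "on"),
]


def audit_zone_settings(settings):
    """Return (setting id, current value, expected) for every failing or missing check."""
    values = {s["id"]: s["value"] for s in settings}
    failures = []
    for sid, expected, ok in CHECKS:
        if sid not in values:
            failures.append((sid, "<missing from response>", expected))
        elif not ok(values[sid]):
            failures.append((sid, values[sid], expected))
    return failures


def fetch_settings(zone_id, token):
    """Live variant: GET /zones/{zone_id}/settings with an API token (network call)."""
    req = urllib.request.Request(
        f"https://api.cloudflare.com/client/v4/zones/{zone_id}/settings",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["result"]


if __name__ == "__main__":
    zone, token = os.environ.get("CF_ZONE_ID"), os.environ.get("CF_API_TOKEN")
    settings = fetch_settings(zone, token) if zone and token else SAMPLE_SETTINGS
    for sid, current, expected in audit_zone_settings(settings):
        print(f"FAIL {sid}: is {current!r}, expected {expected}")
```

On the constructed sample the script reports nine failures (SSL mode, Always Use HTTPS, HSTS, minimum TLS version, Security Level, Challenge Passage, HTTP/3, Onion Routing and Server-side Excludes) and accepts the rest. A setting that the response doesn't contain is reported as missing rather than silently passed, since some settings are only exposed on certain plans.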
Zaraz
TODO
Web3
TODO