Assess Cloudflare Security with cnspec
Secure and enforce policy for Cloudflare
Rely on cnspec to enforce security policies for your Cloudflare infrastructure, including zones, DNS records, SSL/TLS settings, WAF configuration, and account security.
Requirements
To secure your Cloudflare environment with cnspec, you must have:
- cnspec installed on your workstation.
- A Cloudflare account with API access.
- A Cloudflare API token with appropriate permissions.
Configure access to Cloudflare
To create an API token:
- Log in to the Cloudflare dashboard.
- Navigate to My Profile > API Tokens.
- Select Create Token.
- Configure the token with the permissions you need.
- Copy the generated token.
Connect to Cloudflare
To test access, open a cnspec shell:
cnspec shell cloudflare --token YOUR_API_TOKEN
You can also set the CLOUDFLARE_API_TOKEN environment variable to omit the --token flag:
export CLOUDFLARE_API_TOKEN=your_token_here
cnspec shell cloudflare
To scan your Cloudflare infrastructure:
cnspec scan cloudflare --token YOUR_API_TOKEN
Example queries and checks
Verify SSL/TLS encryption is not disabled
This check ensures that no zone has SSL/TLS encryption turned off:
cloudflare.zones.all(settings.ssl != "off")
Ensure SSL/TLS is set to Full (Strict)
Full (Strict) mode encrypts end-to-end and validates the origin server certificate:
cloudflare.zones.all(settings.ssl == "strict")
Ensure Always Use HTTPS is enabled
This check verifies that all HTTP requests are redirected to HTTPS:
cloudflare.zones.all(settings.alwaysUseHttps == "on")
Ensure minimum TLS version is 1.2 or higher
Older TLS versions have known vulnerabilities. This check enforces TLS 1.2 as the minimum:
cloudflare.zones.all(settings.minTlsVersion == "1.2" || settings.minTlsVersion == "1.3")
Ensure TLS 1.3 is enabled
TLS 1.3 provides improved security and performance:
cloudflare.zones.all(settings.tls13 != "off")
Ensure Automatic HTTPS Rewrites is enabled
Automatic HTTPS Rewrites fixes mixed content by rewriting HTTP URLs to HTTPS:
cloudflare.zones.all(settings.automaticHttpsRewrites == "on")
Ensure the Web Application Firewall (WAF) is enabled
The WAF protects against common web vulnerabilities:
cloudflare.zones.all(settings.waf == "on")
Ensure the security level is not Essentially Off
This check verifies that Cloudflare's security features are not disabled:
cloudflare.zones.all(settings.securityLevel != "essentially_off")
Ensure Browser Integrity Check is enabled
Browser Integrity Check evaluates HTTP headers for threats and blocks malicious requests:
cloudflare.zones.all(settings.browserCheck == "on")
Ensure Email Address Obfuscation is enabled
Email obfuscation hides email addresses on your site from bots and scrapers:
cloudflare.zones.all(settings.emailObfuscation == "on")
Ensure Hotlink Protection is enabled
Hotlink protection prevents other sites from linking directly to your resources:
cloudflare.zones.all(settings.hotlinkProtection == "on")
Ensure two-factor authentication is enforced
This check verifies that two-factor authentication is enforced at the account level:
cloudflare.accounts.all(settings.enforceTwoFactor == true)
Learn more
- To learn more about how the MQL query language works, read Write Effective MQL.
- To learn about all the Cloudflare resources and properties you can query, read the Mondoo Cloudflare Resource Pack Reference.
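Running the one-line checks above individually in the shell works for spot checks, but to enforce them on every scan they can be packaged into a cnspec policy bundle, so that one scan reports pass or fail per check and per zone. The bundle below is an added example and is not code from the original page or a Mondoo-published policy: the policy and check uids, titles, group names and impact scores are assumptions chosen for this example; the MQL in each query is taken unchanged from the checks above. No asset filter is set on the groups, so the policy applies to whatever cnspec scan cloudflare targets.

```yaml
# cloudflare-baseline.mql.yaml (example bundle, not part of the original page)
# Run against your account with the token from the page's setup steps:
#   cnspec scan cloudflare --token YOUR_API_TOKEN -f cloudflare-baseline.mql.yaml
# All uids, names and impact values below are made up for this example.
policies:
  - uid: cloudflare-zone-baseline
    name: Cloudflare zone and account security baseline
    version: 1.0.0
    groups:
      - title: Transport encryption
        checks:
          - uid: cf-ssl-not-off
          - uid: cf-ssl-strict
          - uid: cf-always-https
          - uid: cf-min-tls-1-2
          - uid: cf-tls13-enabled
          - uid: cf-https-rewrites
      - title: Edge protection
        checks:
          - uid: cf-waf-enabled
          - uid: cf-security-level
          - uid: cf-browser-check
          - uid: cf-email-obfuscation
          - uid: cf-hotlink-protection
      - title: Account security
        checks:
          - uid: cf-enforce-2fa
queries:
  - uid: cf-ssl-not-off
    title: SSL/TLS encryption is not disabled on any zone
    impact: 100
    mql: cloudflare.zones.all(settings.ssl != "off")
  - uid: cf-ssl-strict
    title: SSL/TLS mode is Full (Strict) on every zone
    impact: 90
    mql: cloudflare.zones.all(settings.ssl == "strict")
  - uid: cf-always-https
    title: Always Use HTTPS is enabled
    impact: 80
    mql: cloudflare.zones.all(settings.alwaysUseHttps == "on")
  - uid: cf-min-tls-1-2
    title: Minimum TLS version is 1.2 or higher
    impact: 80
    mql: cloudflare.zones.all(settings.minTlsVersion == "1.2" || settings.minTlsVersion == "1.3")
  - uid: cf-tls13-enabled
    title: TLS 1.3 is enabled
    impact: 50
    mql: cloudflare.zones.all(settings.tls13 != "off")
  - uid: cf-https-rewrites
    title: Automatic HTTPS Rewrites is enabled
    impact: 40
    mql: cloudflare.zones.all(settings.automaticHttpsRewrites == "on")
  - uid: cf-waf-enabled
    title: Web Application Firewall is enabled
    impact: 90
    mql: cloudflare.zones.all(settings.waf == "on")
  - uid: cf-security-level
    title: Security level is not Essentially Off
    impact: 70
    mql: cloudflare.zones.all(settings.securityLevel != "essentially_off")
  - uid: cf-browser-check
    title: Browser Integrity Check is enabled
    impact: 50
    mql: cloudflare.zones.all(settings.browserCheck == "on")
  - uid: cf-email-obfuscation
    title: Email Address Obfuscation is enabled
    impact: 30
    mql: cloudflare.zones.all(settings.emailObfuscation == "on")
  - uid: cf-hotlink-protection
    title: Hotlink Protection is enabled
    impact: 30
    mql: cloudflare.zones.all(settings.hotlinkProtection == "on")
  - uid: cf-enforce-2fa
    title: Two-factor authentication is enforced at the account level
    impact: 100
    mql: cloudflare.accounts.all(settings.enforceTwoFactor == true)
```

Before the first scan, cnspec bundle lint cloudflare-baseline.mql.yaml catches structural mistakes such as a check uid referenced in a group that has no matching query. Because every zone check uses .all(...), a single misconfigured zone fails the whole check; to see which zone caused the failure, run the same expression in cnspec shell cloudflare, where the result lists the entries that did not match.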