Assess Cloudflare Security with cnspec
Secure and enforce policy for Cloudflare
Rely on cnspec to ensure your Cloudflare infrastructure follows security best practices, such as enforcing strict SSL/TLS encryption, enabling the web application firewall (WAF), requiring HTTPS, setting minimum TLS versions, and verifying two-factor authentication at the account level.
Requirements
To secure your Cloudflare environment with cnspec, you must have:
- cnspec installed on your workstation.
- A Cloudflare account with API access.
- A Cloudflare API token with appropriate permissions.
Give cnspec access using a Cloudflare API token
To scan your Cloudflare environment, cnspec needs access through the Cloudflare API. You create an API token and then provide it when running cnspec commands. The permissions listed below are all read-only: cnspec only reads zone, DNS, and account settings, so a token scoped this way cannot change your configuration even if it leaks.
To create an API token:
- Log in to the Cloudflare dashboard.
- Navigate to My Profile > API Tokens.
- Select Create Token.
- Configure the token with these permissions:
  - Zone > Zone > Read
  - Zone > Zone Settings > Read
  - Zone > DNS > Read
  - Account > Account Settings > Read
- Under Zone Resources, select the zones you want to scan (or select All zones).
- Select Continue to summary and then Create Token.
- Copy the generated token and store it somewhere safe, such as a secrets manager. Cloudflare shows the token value only once.
Configure a CLOUDFLARE_API_TOKEN environment variable
You can supply your API token to cnspec using the CLOUDFLARE_API_TOKEN environment variable. This avoids passing the token on the command line with every command, where it would be recorded in shell history and visible to other users in process listings. Keep in mind that an export typed interactively is itself written to shell history, so prefer loading the value from a protected file or a secrets manager.
On Linux / macOS:
export CLOUDFLARE_API_TOKEN=YOUR_API_TOKEN
On Windows, using PowerShell:
$Env:CLOUDFLARE_API_TOKEN = "YOUR_API_TOKEN"
When CLOUDFLARE_API_TOKEN is set, you can omit the --token flag from all the commands below.
Test your connection
Before running a full scan, verify that your token works by opening a cnspec shell:
cnspec shell cloudflare --token YOUR_API_TOKEN
cnspec> cloudflare.zones { name status }
cloudflare.zones: [
  0: { name: "example.com" status: "active" }
]
If you see your zones listed, cnspec is connected and ready to scan.
Scan Cloudflare
To scan your Cloudflare infrastructure:
cnspec scan cloudflare --token YOUR_API_TOKEN
Understand scan output
When a scan completes, cnspec prints a summary of all the checks it ran, grouped by policy. Each check shows a pass or fail result. For example:
✓ Pass: Ensure SSL/TLS is set to Full (Strict)
✕ Fail: Ensure minimum TLS version is 1.2 or higher
✓ Pass: Ensure the Web Application Firewall (WAF) is enabled
At the end of the output, cnspec shows a risk score from 0 (no risk) to 100 (highest risk). Failed checks include remediation guidance to help you fix issues.
By default, cnspec applies the Mondoo Cloudflare Security policy, which covers SSL/TLS settings, WAF, HTTPS enforcement, browser integrity, and more. You can also create your own policies or specify a particular policy bundle with --policy-bundle.
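The script below is an added example written for this page; it is not code from the cnspec documentation or from Mondoo. It ties together the token handling described above and the --policy-bundle option: it loads the API token from a file that only its owner can read and exports it as CLOUDFLARE_API_TOKEN, writes a small custom policy bundle whose checks are the MQL queries listed under Example checks, and then runs cnspec scan against that bundle. The policy and query uids, the default file names, and the asset.platform == "cloudflare" filter are assumptions; the MQL queries themselves are the ones on this page.

```shell
#!/bin/sh
# Added example (not from the cnspec docs or the Mondoo project): load the
# Cloudflare API token from a mode-0600 file, write a custom cnspec policy
# bundle built from the MQL checks on this page, and scan against it.
# The uids, default file names and the platform filter are assumptions.
set -eu

# Export the token as CLOUDFLARE_API_TOKEN from a file with mode 0600 (or
# 0400), so the secret never appears on a command line or in shell history.
# Returns 1 if the file is missing, readable by group/others, or empty.
load_token() {
  local file mode
  file=$1
  [ -f "$file" ] || { echo "token file not found: $file" >&2; return 1; }
  # GNU stat (Linux) first, BSD stat (macOS) as the fallback
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file")
  case "$mode" in
    600|400) ;;
    *) echo "refusing token file with mode $mode (want 0600)" >&2; return 1 ;;
  esac
  CLOUDFLARE_API_TOKEN=$(tr -d '[:space:]' < "$file")
  [ -n "$CLOUDFLARE_API_TOKEN" ] || { echo "token file is empty" >&2; return 1; }
  export CLOUDFLARE_API_TOKEN
}

# Write a minimal cnspec policy bundle. Every uid is hypothetical; the filter
# expression assumes the cloudflare provider reports its platform as
# "cloudflare". The MQL is taken from the Example checks on this page.
write_bundle() {
  cat > "$1" <<'EOF'
policies:
  - uid: example-cloudflare-baseline
    name: Example Cloudflare baseline
    version: 1.0.0
    groups:
      - title: Transport security
        filters: asset.platform == "cloudflare"
        checks:
          - uid: example-cf-ssl-strict
          - uid: example-cf-min-tls-12
          - uid: example-cf-always-https
      - title: Account security
        filters: asset.platform == "cloudflare"
        checks:
          - uid: example-cf-account-2fa
queries:
  - uid: example-cf-ssl-strict
    title: Ensure SSL/TLS is set to Full (Strict)
    impact: 80
    mql: cloudflare.zones.all(settings.ssl == "strict")
  - uid: example-cf-min-tls-12
    title: Ensure minimum TLS version is 1.2 or higher
    impact: 70
    mql: |
      cloudflare.zones.all(settings.minTlsVersion == "1.2" || settings.minTlsVersion == "1.3")
  - uid: example-cf-always-https
    title: Ensure Always Use HTTPS is enabled
    impact: 60
    mql: cloudflare.zones.all(settings.alwaysUseHttps == "on")
  - uid: example-cf-account-2fa
    title: Ensure two-factor authentication is enforced
    impact: 90
    mql: cloudflare.accounts.all(settings.enforceTwoFactor == true)
EOF
}

# Usage: sh scan-cloudflare.sh /path/to/token.txt [bundle.mql.yaml]
main() {
  local token_file bundle
  token_file=$1
  bundle=${2:-./cloudflare-baseline.mql.yaml}
  load_token "$token_file"
  write_bundle "$bundle"
  # CLOUDFLARE_API_TOKEN is exported, so --token is not needed here
  cnspec scan cloudflare --policy-bundle "$bundle"
}

# Only scan when a token file is given; without arguments the file can be
# sourced to reuse load_token and write_bundle from other scripts.
[ "$#" -eq 0 ] || main "$@"
```

Create the token file with `umask 077` before writing the value into it (or `chmod 600` afterwards) and run `sh scan-cloudflare.sh ~/.config/cloudflare/token`. load_token refuses a file that group or others can read, which catches the common mistake of pasting the token into a world-readable notes file. The bundle is written fresh on every run so that the checks under version control, not a stale copy on disk, are what gets enforced.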
Example checks
Run cnspec shell cloudflare --token YOUR_API_TOKEN to open the cnspec interactive shell. From there you can run checks like the examples below; each returns [ok] when every zone (or account) satisfies the condition.
Verify SSL/TLS encryption is not disabled
This check ensures that no zone has SSL/TLS encryption turned off:
cnspec> cloudflare.zones.all(settings.ssl != "off")
[ok] value: true
Note that this check still passes zones set to Flexible, where the connection from Cloudflare to your origin is plain HTTP. Use the Full (Strict) check below to require encryption on that leg as well.
Ensure SSL/TLS is set to Full (Strict)
Full (Strict) mode encrypts end-to-end and validates the origin server certificate:
cnspec> cloudflare.zones.all(settings.ssl == "strict")
[ok] value: true
Ensure Always Use HTTPS is enabled
This check verifies that all HTTP requests are redirected to HTTPS:
cnspec> cloudflare.zones.all(settings.alwaysUseHttps == "on")
[ok] value: true
Ensure minimum TLS version is 1.2 or higher
TLS 1.0 and 1.1 are deprecated (RFC 8996) and have known weaknesses. This check enforces TLS 1.2 as the minimum:
cnspec> cloudflare.zones.all(settings.minTlsVersion == "1.2" || settings.minTlsVersion == "1.3")
[ok] value: true
Ensure TLS 1.3 is enabled
TLS 1.3 provides improved security and performance:
cnspec> cloudflare.zones.all(settings.tls13 != "off")
[ok] value: true
Ensure Automatic HTTPS Rewrites is enabled
Automatic HTTPS Rewrites fixes mixed content by rewriting HTTP URLs to HTTPS:
cnspec> cloudflare.zones.all(settings.automaticHttpsRewrites == "on")
[ok] value: true
Ensure the Web Application Firewall (WAF) is enabled
The WAF protects against common web vulnerabilities:
cnspec> cloudflare.zones.all(settings.waf == "on")
[ok] value: true
Ensure the security level is not essentially off
This check verifies that Cloudflare's security features are not disabled:
cnspec> cloudflare.zones.all(settings.securityLevel != "essentially_off")
[ok] value: true
Ensure Browser Integrity Check is enabled
Browser Integrity Check evaluates HTTP headers for threats and blocks malicious requests:
cnspec> cloudflare.zones.all(settings.browserCheck == "on")
[ok] value: true
Ensure Email Address Obfuscation is enabled
Email obfuscation hides email addresses on your site from bots and scrapers:
cnspec> cloudflare.zones.all(settings.emailObfuscation == "on")
[ok] value: true
Ensure Hotlink Protection is enabled
Hotlink protection prevents other sites from linking directly to your resources:
cnspec> cloudflare.zones.all(settings.hotlinkProtection == "on")
[ok] value: true
Ensure two-factor authentication is enforced
This check verifies that two-factor authentication is enforced at the account level. It reads account settings, so the token needs the Account > Account Settings > Read permission from the token setup above:
cnspec> cloudflare.accounts.all(settings.enforceTwoFactor == true)
[ok] value: true
Learn more
- To learn more about how the MQL query language works, read Write Effective MQL.
- To learn about all the Cloudflare resources and properties you can query, read the Mondoo Cloudflare Resource Pack Reference.