# Cloudflare Domains

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}

In each TLD configured in Cloudflare there are some **general settings and services** that can be configured. In this page we are going to **analyze the security related settings of each section:**

<figure><img src="../../.gitbook/assets/image (101).png" alt=""><figcaption></figcaption></figure>

### Overview

* [ ] Get a feeling of **how much** are the services of the account **used**
* [ ] Find also the **zone ID** and the **account ID**

### Analytics

* [ ] In **`Security`** check if there is any **Rate limiting**

### DNS

* [ ] Check **interesting** (sensitive?) data in DNS **records**
* [ ] Check for **subdomains** that could contain **sensitive info** just based on the **name** (like admin173865324.domin.com)
* [ ] Check for web pages that **aren't** **proxied**
* [ ] Check for **proxified web pages** that can be **accessed directly** by CNAME or IP address
* [ ] Check that **DNSSEC** is **enabled**
* [ ] Check that **CNAME Flattening** is **used** in **all CNAMEs**
  * This is could be useful to **hide subdomain takeover vulnerabilities** and improve load timings
* [ ] Check that the domains [**aren't vulnerable to spoofing**](https://book.hacktricks.xyz/network-services-pentesting/pentesting-smtp#mail-spoofing)

### **Email**

TODO

### Spectrum

TODO

### SSL/TLS

#### **Overview**

* [ ] The **SSL/TLS encryption** should be **Full** or **Full (Strict)**. Any other will send **clear-text traffic** at some point.
* [ ] The **SSL/TLS Recommender** should be enabled

#### Edge Certificates

* [ ] **Always Use HTTPS** should be **enabled**
* [ ] **HTTP Strict Transport Security (HSTS)** should be **enabled**
* [ ] **Minimum TLS Version should be 1.2**
* [ ] **TLS 1.3 should be enabled**
* [ ] **Automatic HTTPS Rewrites** should be **enabled**
* [ ] **Certificate Transparency Monitoring** should be **enabled**

### **Security**

* [ ] In the **`WAF`** section it's interesting to check that **Firewall** and **rate limiting rules are used** to prevent abuses.
  * The **`Bypass`** action will **disable Cloudflare security** features for a request. It shouldn't be used.
* [ ] In the **`Page Shield`** section it's recommended to check that it's **enabled** if any page is used
* [ ] In the **`API Shield`** section it's recommended to check that it's **enabled** if any API is exposed in Cloudflare
* [ ] In the **`DDoS`** section it's recommended to enable the **DDoS protections**
* [ ] In the **`Settings`** section:
  * [ ] Check that the **`Security Level`** is **medium** or greater
  * [ ] Check that the **`Challenge Passage`** is 1 hour at max
  * [ ] Check that the **`Browser Integrity Check`** is **enabled**
  * [ ] Check that the **`Privacy Pass Support`** is **enabled**

#### **CloudFlare DDoS Protection**

* If you can, enable **Bot Fight Mode** or **Super Bot Fight Mode**. If you protecting some API accessed programmatically (from a JS front end page for example). You might not be able to enable this without breaking that access.
* In **WAF**: You can create **rate limits by URL path** or to **verified bots** (Rate limiting rules), or to **block access** based on IP, Cookie, referrer...). So you could block requests that doesn't come from a web page or has a cookie.
  * If the attack is from a **verified bot**, at least **add a rate limit** to bots.
  * If the attack is to a **specific path**, as prevention mechanism, add a **rate limit** in this path.
  * You can also **whitelist** IP addresses, IP ranges, countries or ASNs from the **Tools** in WAF.
  * Check if **Managed rules** could also help to prevent vulnerability exploitations.
  * In the **Tools** section you can **block or give a challenge to specific IPs** and **user agents.**
* In DDoS you could **override some rules to make them more restrictive**.
* **Settings**: Set **Security Level** to **High** and to **Under Attack** if you are Under Attack and that the **Browser Integrity Check is enabled**.
* In Cloudflare Domains -> Analytics -> Security -> Check if **rate limit** is enabled
* In Cloudflare Domains -> Security -> Events -> Check for **detected malicious Events**

### Access

{% content-ref url="cloudflare-zero-trust-network.md" %}
[cloudflare-zero-trust-network.md](cloudflare-zero-trust-network.md)
{% endcontent-ref %}

### Speed

_I couldn't find any option related to security_

### Caching

* [ ] In the **`Configuration`** section consider enabling the **CSAM Scanning Tool**

### **Workers Routes**

_You should have already checked_ [_cloudflare workers_](./#workers)

### Rules

TODO

### Network

* [ ] If **`HTTP/2`** is **enabled**, **`HTTP/2 to Origin`** should be **enabled**
* [ ] **`HTTP/3 (with QUIC)`** should be **enabled**
* [ ] If the **privacy** of your **users** is important, make sure **`Onion Routing`** is **enabled**

### **Traffic**

TODO

### Custom Pages

* [ ] It's optional to configure custom pages when an error related to security is triggered (like a block, rate limiting or I'm under attack mode)

### Apps

TODO

### Scrape Shield

* [ ] Check **Email Address Obfuscation** is **enabled**
* [ ] Check **Server-side Excludes** is **enabled**

### **Zaraz**

TODO

### **Web3**

TODO

{% hint style="success" %}
Learn & practice AWS Hacking:<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">[**HackTricks Training AWS Red Team Expert (ARTE)**](https://training.hacktricks.xyz/courses/arte)<img src="../../.gitbook/assets/image (1) (1) (1) (1).png" alt="" data-size="line">\
Learn & practice GCP Hacking: <img src="../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">[**HackTricks Training GCP Red Team Expert (GRTE)**<img src="../../.gitbook/assets/image (2) (1).png" alt="" data-size="line">](https://training.hacktricks.xyz/courses/grte)

<details>

<summary>Support HackTricks</summary>

* Check the [**subscription plans**](https://github.com/sponsors/carlospolop)!
* **Join the** 💬 [**Discord group**](https://discord.gg/hRep4RUj7f) or the [**telegram group**](https://t.me/peass) or **follow** us on **Twitter** 🐦 [**@hacktricks\_live**](https://twitter.com/hacktricks_live)**.**
* **Share hacking tricks by submitting PRs to the** [**HackTricks**](https://github.com/carlospolop/hacktricks) and [**HackTricks Cloud**](https://github.com/carlospolop/hacktricks-cloud) github repos.

</details>
{% endhint %}