ENV-008 critical environment-protection

Dev and staging protected with Cloudflare Zero Trust

Browser access requires authentication, verified via browser test and Cloudflare API

Question to ask

"Can someone stumble onto staging without any credentials?"

Verification guide

Severity: Critical

Check automatically:

  1. Browser verification (use agent-browser skill):

    • Navigate to staging URL → should redirect to Cloudflare Access login
    • Navigate to dev URL → should redirect to Cloudflare Access login
    • Capture screenshots as evidence
  2. If using Terraform, check state/config:

    grep -r "cloudflare_access_application\|cloudflare_access_policy" terraform/ *.tf 2>/dev/null
    
    terraform state list 2>/dev/null | grep -i access
    
  3. Cloudflare API (if token available):

    # List Access applications
    curl -s "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps" \
      -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" | jq '.result[] | {name, domain}'
    
    # List policies for an Access application
    curl -s "https://api.cloudflare.com/client/v4/accounts/{account_id}/access/apps/{app_id}/policies" \
      -H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" | jq '.result[] | {name, decision, include}'
    
  4. DNS check (confirm behind Cloudflare):

    dig +short staging.example.com
    dig +short dev.example.com
    # Should resolve to Cloudflare IPs (104.x, 172.x, 103.x ranges)
    

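A small script that turns the evidence from steps 1 and 4 into a PASS/FAIL verdict, added here as an example and not part of the original control text. It assumes Cloudflare Access sends unauthenticated browsers to a login URL under *.cloudflareaccess.com, and that the IPv4 list in CF_RANGES matches Cloudflare's published ranges (cloudflare.com/ips); it works on captured curl headers and dig output, so it can be run against saved evidence rather than live hosts.

```shell
#!/bin/sh
# Added example for ENV-008: grade captured browser-test headers and DNS
# answers. Assumption: Access login lives under *.cloudflareaccess.com and
# CF_RANGES is Cloudflare's published IPv4 list (verify at cloudflare.com/ips).

CF_RANGES="103.21.244.0/22 103.22.200.0/22 103.31.4.0/22 104.16.0.0/13
104.24.0.0/14 108.162.192.0/18 131.0.72.0/22 141.101.64.0/18 162.158.0.0/15
172.64.0.0/13 173.245.48.0/20 188.114.96.0/20 190.93.240.0/20
197.234.240.0/22 198.41.128.0/17"

# Verdict for the browser test. Input: headers as captured with
#   curl -sI -o /dev/null -D - "https://staging.example.com/"
# PASS only when the first response is a redirect to the Access login; a 200
# means the origin answered without any authentication gate in front of it.
access_gate_verdict() {
  status=$(printf '%s\n' "$1" | tr -d '\r' | head -n 1 | cut -d' ' -f2)
  location=$(printf '%s\n' "$1" | tr -d '\r' |
             awk 'tolower($1)=="location:" {print $2; exit}')
  case "$status" in 301|302|303|307|308) ;; *) echo FAIL; return 1 ;; esac
  case "$location" in
    https://*.cloudflareaccess.com/*) echo PASS ;;
    *) echo FAIL; return 1 ;;
  esac
}

ip_to_int() {  # dotted quad -> 32-bit integer, POSIX arithmetic only
  oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
  echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

in_cidr() {    # in_cidr 104.18.2.3 104.16.0.0/13 -> exit 0 when inside
  hostbits=$(( 32 - ${2#*/} ))
  [ $(( $(ip_to_int "$1") >> hostbits )) -eq $(( $(ip_to_int "${2%/*}") >> hostbits )) ]
}

# Verdict for the DNS test. Input: the lines `dig +short host` prints.
# PASS only if every A record is inside a Cloudflare range; a single origin IP
# leaking through (e.g. a stale record) is a FAIL because it bypasses Access.
dns_verdict() {
  n=0
  for ip in $1; do
    case "$ip" in *[!0-9.]*) continue ;; esac   # skip CNAME target lines
    n=$((n + 1)); hit=0
    for cidr in $CF_RANGES; do in_cidr "$ip" "$cidr" && { hit=1; break; }; done
    [ "$hit" -eq 1 ] || { echo FAIL; return 1; }
  done
  [ "$n" -gt 0 ] && echo PASS || { echo FAIL; return 1; }
}
```

Typical use: `access_gate_verdict "$(curl -sI -o /dev/null -D - https://staging.example.com/)"` and `dns_verdict "$(dig +short staging.example.com)"`, attaching the raw captures as the evidence for this control.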
Ask user:

  • Staging and dev URLs to test
  • Cloudflare account ID and API token (if available)
  • Or: confirm Terraform is used for Access config

Pass criteria:

  • Browser test shows Access gate on staging and dev
  • API/Terraform confirms Access applications exist
  • DNS confirms behind Cloudflare

Fail criteria:

  • Browser loads without authentication prompt
  • No Access application configured
  • Public access possible

Evidence to capture:

  • Screenshots of Access login prompts
  • Access application names/domains from API or Terraform
  • Policy rules (who can access)

Cross-reference with:

  • ENV-002, ENV-003 (environments exist)
  • ENV-009 (webhooks bypass with signatures)
  • Section 13 (Infrastructure Security)

Section

04. Environments

Infrastructure & Setup