Section 13 · Observability
Infrastructure Security
Verify all environments are protected behind Cloudflare, origin servers are not directly exposed, security headers are properly configured, and SSL certificate issuance is monitored.
This guide walks you through auditing a project's infrastructure security setup, ensuring all environments are protected behind Cloudflare, origin servers are not directly exposed, security headers are properly configured, and SSL certificate issuance is monitored.
The Goal: Hidden and Hardened
Your origin servers should be invisible to attackers. Defense in depth means multiple layers: Cloudflare absorbs attacks, origins reject direct connections, headers reveal nothing useful, and certificate monitoring catches rogue issuance.
- Proxied — All public-facing environments behind Cloudflare with DNS records showing only Cloudflare IPs
- Origin-protected — Firewalls restrict traffic to Cloudflare IP ranges; direct origin access fails
- Header-hardened — HSTS enforced, technology-revealing headers stripped, no stack fingerprinting
- Script-verified — External CDN scripts use SRI; GTM access controlled and audited
- Certificate-monitored — CT logs watched for unauthorized certificate issuance
Before You Start
- Have a Cloudflare API token with read access (Zone:Read, DNS:Read)
- Know all environment domains (production, staging, dev)
- Have access to web server configuration (nginx, Apache, or app-level)
- Know what third-party scripts are loaded (GTM, CDN libraries, etc.)
Cloudflare Protection
All public-facing environments (production, staging, dev) should be proxied through Cloudflare for DDoS protection, WAF, and edge caching.
“Is staging actually behind Cloudflare, or just prod?”
Origin server IPs should not be publicly accessible. All traffic must flow through Cloudflare to prevent bypass attacks.
“Could someone bypass Cloudflare and hit your origin directly?”
Cloudflare should respect the origin server's cache-control headers rather than overriding them, unless explicitly configured otherwise.
“Is Cloudflare caching responses it shouldn't be?”
Security Headers
Response headers should not leak technology stack information. Remove or sanitize headers that expose server software, versions, or frameworks.
“What does your Server header reveal about your stack?”
Strict-Transport-Security header must be present to ensure browsers always use HTTPS, preventing downgrade attacks.
“Can your app still be reached over plain HTTP?”
External scripts from CDNs must have integrity hashes (SRI). If Google Tag Manager is used, access must be controlled instead: a GTM container script changes every time the container is published, so its content cannot be pinned with a static SRI hash.
“Who has access to inject scripts via GTM right now?”
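An added audit helper (not part of this guide) that applies the Cloudflare Protection and Security Headers checks above to constructed sample data for two environments. It assumes a snapshot of Cloudflare's IPv4 edge ranges (refresh from Cloudflare's published list before a real audit) and treats a plain "Server: cloudflare" header as acceptable, since the edge sets it on proxied responses and it reveals nothing about the origin.

```python
import ipaddress
from typing import Dict, List
# Snapshot of Cloudflare's published IPv4 edge ranges (assumption: refresh from
# https://www.cloudflare.com/ips-v4 before a real audit, and add the IPv6 list).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22")]
# Headers that fingerprint the origin stack. "Server: cloudflare" is set by the
# edge on proxied responses and says nothing about the origin, so it is allowed.
FINGERPRINT_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-generator")
ONE_YEAR = 31536000  # minimum HSTS max-age worth enforcing (also the preload bar)

def is_cloudflare_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)

def audit_dns(host: str, a_records: List[str]) -> List[str]:
    """Any A record outside Cloudflare's ranges exposes the origin in public DNS."""
    return [f"{host}: A record {ip} is not a Cloudflare IP; origin exposed"
            for ip in a_records if not is_cloudflare_ip(ip)]

def audit_headers(host: str, headers: Dict[str, str]) -> List[str]:
    """Check HSTS strength and technology-revealing headers on one response."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(f"{host}: missing Strict-Transport-Security")
    else:  # directives are ';'-separated, e.g. "max-age=31536000; includeSubDomains"
        directives = dict(d.strip().lower().partition("=")[::2] for d in hsts.split(";"))
        raw = directives.get("max-age", "")
        max_age = int(raw) if raw.isdigit() else 0
        if max_age < ONE_YEAR:
            findings.append(f"{host}: HSTS max-age {max_age} below one year")
    for name in FINGERPRINT_HEADERS:
        if h.get(name) and not (name == "server" and h[name].lower() == "cloudflare"):
            findings.append(f"{host}: {name} header reveals '{h[name]}'")
    return findings

# Constructed sample: DNS answers and response headers for two environments.
SAMPLE = {
    "www.example.com": {"a": ["104.16.1.1"], "headers": {"Server": "cloudflare",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}},
    "staging.example.com": {"a": ["203.0.113.10"], "headers": {
        "Server": "nginx/1.18.0", "X-Powered-By": "Express"}}}

def run_audit(sample: Dict = SAMPLE) -> Dict[str, List[str]]:
    return {host: audit_dns(host, d["a"]) + audit_headers(host, d["headers"])
            for host, d in sample.items()}
```

In a real run, replace SAMPLE with the A records from your resolver and the headers from an HTTPS request to each environment; the staging entry shows the pattern the guide warns about (an exposed origin IP, no HSTS, and a fingerprintable stack).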