SEC-001 critical Cloudflare Protection
All environments behind Cloudflare
All public-facing environments (production, staging, dev) should be proxied through Cloudflare for DDoS protection, WAF, and edge caching.
Question to ask
"Is staging actually behind Cloudflare, or just prod?"
Pass criteria
- ✓ All environments show proxied: true in Cloudflare API
- ✓ All environments return cf-ray header
Fail criteria
- ✗ Any public environment not proxied through Cloudflare
- ✗ Environment domains not in any Cloudflare zone
Verification guide
Severity: Critical
Check automatically:
- Via Cloudflare API (preferred; a read-only token with Zone:Read and DNS:Read permissions is enough):
# List all zones. The API paginates: raise per_page or walk result_info.total_pages on large accounts
curl -s -X GET "https://api.cloudflare.com/client/v4/zones?per_page=50" \
-H "Authorization: Bearer $CF_API_TOKEN" | jq '.result[] | {name: .name, status: .status}'
# List DNS records for a zone and check proxied status. Only A, AAAA and CNAME records can be proxied,
# and every such record for a public hostname must be proxied: true (one grey-clouded AAAA next to a proxied A still exposes the origin)
curl -s -X GET "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records?per_page=100" \
-H "Authorization: Bearer $CF_API_TOKEN" | jq '.result[] | select(.type == "A" or .type == "AAAA" or .type == "CNAME") | {name: .name, type: .type, proxied: .proxied}'
- Via HTTP headers (no token needed):
# A cf-ray header means this response came through Cloudflare's edge (it is present on Cloudflare error pages too).
# It is evidence that the hostname is proxied, not proof that the origin is unreachable by other paths; the API's proxied flag is the authoritative check
curl -sI https://example.com | grep -i "^cf-ray"
curl -sI https://staging.example.com | grep -i "^cf-ray"
curl -sI https://dev.example.com | grep -i "^cf-ray"
- Via DNS lookup:
# Check whether the hostname resolves to Cloudflare edge addresses. For a CNAME, dig +short prints the chain; the final A/AAAA answers are what matter
dig +short A example.com
dig +short AAAA example.com
# Compare the answers against Cloudflare's published ranges (https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6) rather than guessing prefixes
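The three checks above produce three kinds of evidence (the API's proxied flag, the cf-ray header, the resolved addresses) that have to be combined into one verdict per environment, with documented exceptions handled separately. The script below is an added example for this page, not part of the original checklist or of any Cloudflare tooling: it evaluates that evidence offline. The DNS-record JSON shape (result[].name, .type, .proxied) is the real Cloudflare API shape; the record list, response headers, resolved IPs and the cf-ray value are constructed sample data, and the address ranges are a small subset of Cloudflare's published lists, which a live run should load from the URLs noted in the code.

```python
"""Evaluate SEC-001 (all public environments proxied through Cloudflare).

Added example, not the checklist's own tooling. Inputs are the artifacts the
verification guide collects; all sample data at the bottom is constructed.
"""
import ipaddress

# Constructed SUBSET of Cloudflare's edge ranges, enough for the sample data.
# A real run should load https://www.cloudflare.com/ips-v4 and /ips-v6 instead.
CLOUDFLARE_RANGES = [ipaddress.ip_network(c) for c in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "2606:4700::/32")]

# Only these record types carry a meaningful 'proxied' flag in the API.
PROXIABLE_TYPES = {"A", "AAAA", "CNAME"}


def is_cloudflare_ip(ip, ranges=CLOUDFLARE_RANGES):
    """True if the address falls inside one of the known Cloudflare ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def proxied_status(dns_records, host):
    """True/False for the host's proxiable records; None if the host has no
    A/AAAA/CNAME record at all (i.e. it is not in this Cloudflare zone data)."""
    host = host.lower().rstrip(".")
    flags = [r.get("proxied") for r in dns_records
             if r.get("type") in PROXIABLE_TYPES
             and r.get("name", "").lower().rstrip(".") == host]
    if not flags:
        return None
    # One grey-clouded record beside a proxied one still exposes the origin.
    return all(bool(f) for f in flags)


def has_cf_ray(headers):
    """Header names are case-insensitive; curl -sI shows them as sent."""
    return any(name.lower() == "cf-ray" for name in headers)


def evaluate(hosts, dns_records, headers_by_host, ips_by_host, exceptions=None):
    """Return {host: (verdict, [reasons])}. dns_records=None means no API token
    was available, so the verdict rests on the header and DNS evidence only."""
    exceptions = exceptions or {}
    verdicts = {}
    for host in hosts:
        if host in exceptions:
            verdicts[host] = ("EXCEPTION", [f"documented exception: {exceptions[host]}"])
            continue
        reasons = []
        if dns_records is not None:
            status = proxied_status(dns_records, host)
            if status is None:
                reasons.append("no A/AAAA/CNAME record for host in any Cloudflare zone")
            elif status is False:
                reasons.append("record exists but proxied: false (DNS-only, origin exposed)")
        if not has_cf_ray(headers_by_host.get(host, {})):
            reasons.append("response carries no cf-ray header")
        non_cf = [ip for ip in ips_by_host.get(host, []) if not is_cloudflare_ip(ip)]
        if non_cf:
            reasons.append("resolves to non-Cloudflare address(es): " + ", ".join(non_cf))
        verdicts[host] = ("PASS" if not reasons else "FAIL", reasons)
    return verdicts


# ---- constructed sample evidence (not captured from any real account) ----
SAMPLE_DNS_RECORDS = [
    {"name": "example.com", "type": "A", "proxied": True},
    {"name": "example.com", "type": "AAAA", "proxied": True},
    {"name": "staging.example.com", "type": "A", "proxied": False},
    {"name": "example.com", "type": "MX", "proxied": False},  # MX is never proxiable; ignored
]
SAMPLE_HEADERS = {
    "example.com": {"Server": "cloudflare", "CF-RAY": "8a1b2c3d4e5f6789-FRA"},  # constructed value
    "staging.example.com": {"Server": "nginx/1.24.0"},
    "dev.example.com": {},
}
SAMPLE_IPS = {
    "example.com": ["104.16.132.229", "2606:4700::6810:84e5"],
    "staging.example.com": ["203.0.113.10"],
    "dev.example.com": ["198.51.100.7"],
}
SAMPLE_EXCEPTIONS = {"dev.example.com": "internal only, reachable via VPN"}
SAMPLE_HOSTS = ["example.com", "staging.example.com", "dev.example.com"]


def run_sample():
    return evaluate(SAMPLE_HOSTS, SAMPLE_DNS_RECORDS, SAMPLE_HEADERS,
                    SAMPLE_IPS, SAMPLE_EXCEPTIONS)


if __name__ == "__main__":
    for host, (verdict, reasons) in run_sample().items():
        print(f"{verdict:9} {host}")
        for reason in reasons:
            print(f"          - {reason}")
```

Feed it the real API output, the header dump from curl -sI and the dig answers, and the reasons list doubles as the "evidence to capture" section of the finding. Passing dns_records=None models the no-token case the guide allows, where the cf-ray header and DNS answers are the only evidence.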
Ask user:
- List all environment domains (prod, staging, dev)
- Cloudflare API token available? (read-only is sufficient)
- Any intentional exceptions? (e.g., internal dev behind VPN)
Pass criteria:
- All public-facing environments show proxied: true in the Cloudflare API, OR
- All public-facing environments return a cf-ray header in the HTTP response (when no API token is available)
Fail criteria:
- Any public environment has proxied: false or is missing from Cloudflare
- Environment domains not in any Cloudflare zone
Evidence to capture:
- List of all environment domains
- Cloudflare zone status for each
- cf-ray header presence per environment
- Any documented exceptions