SEC-003 (Recommended): Cloudflare Protection

Cloudflare respects cache-control headers

Cloudflare should respect the origin server's cache-control headers rather than overriding them, unless explicitly configured otherwise. Over-caching is the security failure: a personalized or authenticated response stored at the edge can be served to the next visitor who requests the same URL. Under-caching only costs origin load, so the two fail criteria below are not equally severe.

Question to ask

"Is Cloudflare caching responses it shouldn't be?"

Pass criteria

  • Browser Cache TTL = 0 or explicitly documented
  • Page rules documented if overriding
  • Cache behavior matches app's cache-control headers

Fail criteria

  • CF overrides cache headers without documentation
  • Static assets not cached when they should be
  • API responses cached when they shouldn't be

Verification guide

Severity: Recommended

Check automatically:

  1. Check Cloudflare cache settings via API:

     # Check Browser Cache TTL setting
     curl -s -X GET "https://api.cloudflare.com/client/v4/zones/ZONE_ID/settings/browser_cache_ttl" \
       -H "Authorization: Bearer $CF_API_TOKEN" | jq '.result'
     # value: 0 means "Respect Existing Headers"; any other value is forced onto every response

     # Check Edge Cache TTL setting
     curl -s -X GET "https://api.cloudflare.com/client/v4/zones/ZONE_ID/settings/edge_cache_ttl" \
       -H "Authorization: Bearer $CF_API_TOKEN" | jq '.result'

  2. Check page rules for cache overrides:

     # List page rules
     curl -s -X GET "https://api.cloudflare.com/client/v4/zones/ZONE_ID/pagerules" \
       -H "Authorization: Bearer $CF_API_TOKEN" | jq '.result[] | {targets: .targets, actions: .actions}'
     # Look for "cache_level" (especially "cache_everything"), "edge_cache_ttl" or
     # "browser_cache_ttl" actions; a "cache_everything" rule on an API path is the classic leak

  3. Check app cache-control settings (in codebase):

     # Look for cache-control header settings
     grep -riE "cache-control|max-age|s-maxage|stale-while" . --include="*.js" --include="*.ts" \
       --include="*.py" --include="*.rb" --include="*.go" 2>/dev/null | head -20

  4. Verify via Cloudflare response:

     # Check headers through Cloudflare. Send a GET rather than HEAD (-I): the edge may answer
     # HEAD from a different cache state than the GET a browser actually sends.
     curl -s -o /dev/null -D - https://example.com/static/app.js | grep -iE "cache-control|cf-cache-status"
     # Repeat for an authenticated API endpoint; it must never come back as HIT
     curl -s -o /dev/null -D - -H "Authorization: Bearer $APP_TOKEN" https://example.com/api/me \
       | grep -iE "cache-control|cf-cache-status"
     # cf-cache-status: HIT/MISS/EXPIRED/REVALIDATED mean the object is stored at the edge;
     # DYNAMIC means not eligible for caching by default; BYPASS means origin headers
     # (no-store, private, or a Set-Cookie) told Cloudflare not to cache it
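The four steps above, combined into one script. This is an added example, not part of the SEC-003 checklist or Cloudflare's tooling. It assumes the token and zone id are supplied as the environment variables CF_API_TOKEN and CF_ZONE_ID, that the page-rule JSON has the shape the v4 API returns (targets with a url constraint, actions as {id, value}), and that the two probe URLs under example.com are placeholders to replace with the app's own static and API paths. The decision logic is in pure functions so it can be exercised against constructed headers without touching the network.

```python
"""SEC-003 audit: does Cloudflare's cache behaviour match the origin's cache-control intent?"""
import json
import os
import urllib.error
import urllib.request

API = "https://api.cloudflare.com/client/v4"

# Page Rule action ids that change caching behaviour.
CACHE_OVERRIDE_ACTIONS = {"cache_level", "edge_cache_ttl", "browser_cache_ttl"}

# cf-cache-status values meaning Cloudflare stored (or will store) the object at the edge.
STORED = {"HIT", "MISS", "EXPIRED", "STALE", "UPDATING", "REVALIDATED"}


def parse_cache_control(value):
    """Return {directive: value-or-None} for a Cache-Control header, lower-cased."""
    out = {}
    for part in value.split(","):
        part = part.strip().lower()
        if part:
            name, _, val = part.partition("=")
            out[name.strip()] = val.strip().strip('"') or None
    return out


def origin_allows_caching(cache_control):
    """True/False when the origin header settles it, None when it leaves it to CF defaults."""
    d = parse_cache_control(cache_control or "")
    if {"no-store", "private", "no-cache"} & d.keys():
        return False
    for key in ("s-maxage", "max-age"):  # shared-cache lifetime wins over max-age
        if d.get(key) is not None and d[key].isdigit():
            return int(d[key]) > 0
    return None


def audit_browser_cache_ttl(setting):
    """Pass only when Browser Cache TTL is 0, i.e. 'Respect Existing Headers'."""
    value = setting.get("value")
    if value == 0:
        return ("pass", "Browser Cache TTL = 0 (Respect Existing Headers)")
    return ("review", f"Browser Cache TTL forces {value}s onto every response; needs a documented reason")


def page_rule_cache_overrides(page_rules):
    """Return [(url_pattern, {action_id: value})] for page rules that override caching."""
    findings = []
    for rule in page_rules:
        overrides = {a["id"]: a.get("value") for a in rule.get("actions", [])
                     if a["id"] in CACHE_OVERRIDE_ACTIONS}
        if overrides:
            targets = [t["constraint"]["value"] for t in rule.get("targets", [])
                       if t.get("target") == "url"]
            findings.append((", ".join(targets), overrides))
    return findings


def check_response(kind, headers):
    """Compare cf-cache-status with the origin's intent.

    kind: 'static' (should be cached) or 'api' (must not be cached).
    headers: response headers as a dict with lower-cased names.
    """
    status = headers.get("cf-cache-status", "").upper()
    cc = headers.get("cache-control", "")
    if not status:
        return ("warn", "no cf-cache-status header; is this host proxied through Cloudflare?")
    stored = status in STORED
    allowed = origin_allows_caching(cc)
    if stored and allowed is False:
        return ("fail", f"CF stored a response the origin marked non-cacheable ({status}, cache-control: {cc!r})")
    if kind == "api" and stored:
        return ("fail", f"API response cached at the edge ({status}); one user's data can be served to another")
    if kind == "static" and not stored and allowed is not False:
        return ("fail", f"static asset not cached ({status}, cache-control: {cc!r})")
    return ("pass", f"{status} matches intent (cache-control: {cc!r})")


def cf_api(path, token):
    req = urllib.request.Request(f"{API}{path}", headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=20) as resp:
        return json.load(resp)["result"]


def probe(url, extra_headers=None):
    """GET (not HEAD): the edge may answer HEAD from a different cache state than the GET a browser sends."""
    req = urllib.request.Request(url, headers=extra_headers or {}, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=20) as resp:
            return {k.lower(): v for k, v in resp.getheaders()}
    except urllib.error.HTTPError as e:  # 4xx/5xx still carry cf-cache-status
        return {k.lower(): v for k, v in e.headers.items()}


if __name__ == "__main__":
    token, zone = os.environ["CF_API_TOKEN"], os.environ["CF_ZONE_ID"]
    print(*audit_browser_cache_ttl(cf_api(f"/zones/{zone}/settings/browser_cache_ttl", token)))
    for targets, overrides in page_rule_cache_overrides(cf_api(f"/zones/{zone}/pagerules", token)):
        print("review", f"page rule {targets} overrides {overrides}; confirm it is documented")
    # Placeholder URLs (assumed): replace with the app's own static and API paths.
    for kind, url in (("static", "https://example.com/static/app.js"), ("api", "https://example.com/api/me")):
        print(kind, url, *check_response(kind, probe(url)))
```

Run the static probe twice: the first request is normally MISS and the second HIT, and it is the second result that proves the asset is cached. For the API probe, send the same authenticated request from two different sessions; a HIT on the second is the finding to escalate, not merely a checklist fail.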

Ask user:

  • Is "Browser Cache TTL" set to "Respect Existing Headers"?
  • What cache-control headers does your app set for static assets vs API responses?
  • Any known issues where CF caches things it shouldn't (or vice versa)?

Cross-reference with:

  • Section 22 (Caching Strategy) - cache headers should be intentional

Pass criteria:

  • Browser Cache TTL = 0 (Respect Existing Headers), OR explicitly configured with documented reason
  • Page rules documented if overriding defaults
  • cf-cache-status behavior matches expectations

Fail criteria:

  • CF overrides cache headers without documented reason
  • Static assets not cached when they should be
  • API responses cached when they shouldn't be

Evidence to capture:

  • Browser Cache TTL setting
  • Edge Cache TTL setting
  • Page rules affecting caching
  • Sample cf-cache-status responses

Section: 13. Infrastructure Security