Cloudflare Security Configuration

Cloudflare is our first line of defense against many types of attacks. This document outlines the standard security configuration for our sites on Cloudflare.

SSL/TLS

  • Mode: Full (Strict)
    • Location: SSL/TLS > Overview
    • Why: This encrypts traffic on both legs: between the user and Cloudflare, AND between Cloudflare and our origin (the OpenNext/Pages functions). Full (non-strict) also encrypts the origin leg but accepts any certificate the origin presents, including self-signed and expired ones, so it does not authenticate the origin and a machine-in-the-middle between Cloudflare and the origin could present its own certificate. Full (Strict) requires a certificate that is valid for the hostname and issued either by a publicly trusted CA or by Cloudflare Origin CA (which only Cloudflare trusts, so it is suitable only for origins reached through Cloudflare).
  • Always Use HTTPS: On
    • Location: SSL/TLS > Edge Certificates
    • Why: This automatically redirects any http requests to https.
  • Minimum TLS Version: 1.2
    • Location: SSL/TLS > Edge Certificates
    • Why: TLS 1.0 and 1.1 are deprecated (RFC 8996) and have known weaknesses (no AEAD cipher suites, a SHA-1 based PRF, and attacks such as BEAST against their CBC modes). Current browsers no longer negotiate them, so a 1.2 floor excludes almost no real users. Raise the floor to 1.3 once zone analytics show no 1.2-only clients we need to keep.
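Because these zone settings are identical for every site we run, a check that reads them back and reports drift is worth having. The script below is an added example for this document, not Cloudflare's own tooling. It assumes the zone-settings API (GET and PATCH /zones/{zone_id}/settings/{setting_id}) with the setting ids ssl, always_use_https, min_tls_version and, going one step beyond this section, email_obfuscation from Scrape Shield; an API token in the environment variable CLOUDFLARE_API_TOKEN with the Zone Settings:Edit permission; and this document's values as the baseline. It only writes when run with --apply.

```python
"""Drift check for the zone-level baseline (SSL/TLS and Scrape Shield settings).

Added example for this document, not Cloudflare's own tooling. It assumes the
zone-settings endpoints GET and PATCH /zones/{zone_id}/settings/{setting_id}
with the setting ids listed in BASELINE, and an API token in the environment
variable CLOUDFLARE_API_TOKEN that has the Zone Settings:Edit permission.
"""
import json
import os
import sys
import urllib.request

API = "https://api.cloudflare.com/client/v4"

# Desired values from this document, keyed by Cloudflare setting id (assumed
# ids; confirm against the API reference before relying on them).
BASELINE = {
    "ssl": "strict",            # SSL/TLS mode: Full (Strict)
    "always_use_https": "on",   # redirect http:// to https://
    "min_tls_version": "1.2",   # refuse TLS 1.0 and 1.1 handshakes
    "email_obfuscation": "on",  # Scrape Shield: Email Address Obfuscation
}


def _call(method, path, token, body=None):
    """One authenticated JSON request to the Cloudflare API."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(API + path, data=data, method=method)
    req.add_header("Authorization", "Bearer " + token)
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=15) as resp:
        reply = json.load(resp)
    if not reply.get("success"):
        raise RuntimeError(f"{method} {path}: {reply.get('errors')}")
    return reply["result"]


def fetch_settings(zone_id, token, baseline=BASELINE):
    """Read the current value of every baseline setting from the zone."""
    return {s: _call("GET", f"/zones/{zone_id}/settings/{s}", token)["value"]
            for s in baseline}


def min_tls_is_acceptable(value):
    """The baseline floor is 1.2; 1.3 is stricter, so it is compliant too."""
    try:
        return float(value) >= 1.2
    except (TypeError, ValueError):
        return False


def drift(current, baseline=BASELINE):
    """Return {setting_id: (observed, desired)} for every non-compliant setting.

    An empty dict means the zone matches the baseline. A setting missing from
    `current` is reported as drift (observed None) rather than ignored, so a
    failed or partial read never passes as compliant.
    """
    deviations = {}
    for setting, desired in baseline.items():
        observed = current.get(setting)
        if setting == "min_tls_version":
            ok = min_tls_is_acceptable(observed)
        else:
            ok = observed == desired
        if not ok:
            deviations[setting] = (observed, desired)
    return deviations


def apply_baseline(zone_id, token, deviations):
    """PATCH only the settings that drifted; re-running on a clean zone is a no-op."""
    for setting, (_, desired) in deviations.items():
        _call("PATCH", f"/zones/{zone_id}/settings/{setting}", token,
              {"value": desired})


def main(argv):
    """Usage: python cf_baseline.py <zone_id> [--apply]  (exit status 1 on drift)."""
    zone_id = argv[1]
    token = os.environ["CLOUDFLARE_API_TOKEN"]
    deviations = drift(fetch_settings(zone_id, token))
    for setting, (observed, desired) in deviations.items():
        print(f"DRIFT {setting}: observed {observed!r}, baseline {desired!r}")
    if deviations and "--apply" in argv:
        apply_baseline(zone_id, token, deviations)
        print("applied baseline")
    return 1 if deviations else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it read-only first from CI or a cron job; a non-zero exit is the signal that someone changed a setting in the dashboard. The comparison treats a 1.3 minimum as compliant rather than as drift, and reports a setting that could not be read as drift, so a partial API failure never looks like a pass.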

Web Application Firewall (WAF)

The WAF is a powerful tool for blocking malicious traffic before it ever reaches our application.

  • Location: Security > WAF
  • Managed Rules:
    • Cloudflare Managed Ruleset: Enable this. It is Cloudflare's own signature set, tuned for a low false-positive rate, and covers common attack payloads as well as known CVEs.
    • OWASP Core Ruleset: Enable this as well. It is score-based rather than per-rule: each matching rule adds to a per-request anomaly score, and the action fires only when that score exceeds the configured threshold at the configured paranoia level. Start at paranoia level 1 with a low sensitivity threshold and raise it gradually; higher levels catch more but false-positive on form-heavy and JSON-heavy applications.
    • Action: For the Cloudflare Managed Ruleset keep the per-rule defaults (Block for high-confidence rules, Managed Challenge where Cloudflare sets it). For the OWASP ruleset, deploy with Log first, review Security > Events for legitimate requests that would have been blocked, then switch the action to Managed Challenge or Block.
  • Custom Rules (formerly Firewall Rules):
    • Location: Security > WAF > Custom rules
    • We create custom rules to block or challenge suspicious traffic patterns. Rules are evaluated in order, so narrow Skip rules for known integrations (payment callbacks, webhooks, uptime monitors) go above the broad block or challenge rules.
    • Example Rule 1: Block high-risk IP reputation
      • Rule: (cf.threat_score gt 14)
      • Action: Block
      • Why: cf.threat_score is Cloudflare's IP reputation score (0 to 100, higher is worse); "gt 14" is the same threshold the Medium Security Level uses. This blocks requests from IP addresses that Cloudflare has observed behaving maliciously. Because it keys on the source address, shared egress (corporate NAT, mobile carriers, VPN exits) can be caught as well; if that matters for a client, use Managed Challenge instead of Block.
    • Example Rule 2: Challenge requests from outside primary markets
      • Rule: (ip.geoip.country ne "US" and ip.geoip.country ne "CA")
      • Action: Managed Challenge
      • Why: If a client's business is primarily in North America, we can challenge requests from other regions to filter out bot traffic. This rule should be used with care: travelling users get challenged, and non-browser clients (API integrations, webhooks, third-party callbacks) cannot solve a challenge at all, so exempt those paths or sources in an earlier Skip rule.
    • Example Rule 3: Protect Login Endpoints
      • This one is a Rate Limiting rule rather than a custom rule (see the next section); the match expression uses the same syntax:
      • Rule: (http.request.uri.path eq "/api/auth/login" and http.request.method eq "POST")
      • Action: Block when the same IP exceeds 10 requests per minute, with a mitigation timeout long enough to make online password guessing impractical.
      • Why: Slows brute-force attacks against the login endpoint. Matching POST only keeps page loads of the login form from counting toward the limit.

Rate Limiting

  • Location: Security > WAF > Rate Limiting Rules
  • Rate limiting mitigates online brute-force and credential-stuffing attacks and application-layer denial-of-service (DoS) against expensive endpoints. It is not a substitute for account-level lockout, throttling and MFA at the origin: an attacker who spreads requests across many IPs stays under any per-IP threshold.
  • A rule consists of a match expression, a characteristic to count by (client IP by default), a threshold and period, an action, and a mitigation timeout during which the action keeps applying. Match on method as well as path so page loads are not counted, and start with Managed Challenge while tuning thresholds on real traffic.
  • We should have rate limiting rules on all sensitive or computationally expensive endpoints, such as:
    • Login (/api/auth/login)
    • Registration (/api/auth/register), which also limits bulk account creation
    • Password Reset (/api/auth/reset-password), which also limits reset-email flooding and slows user enumeration
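To see what the login rate limit from Example Rule 3 does and does not stop, the script below replays constructed access-log lines through a model of the rule. It is an added example for this document, not Cloudflare's implementation: the rule parameters are the ones in the text (match POST /api/auth/login, count per client IP, 10 requests per 60-second period), while the fixed-window counting model, the 10-minute mitigation timeout, the log line format and the traffic itself are assumptions made for the illustration.

```python
"""Simulate the login rate-limiting rule against constructed access-log lines.

Added example for this document, not Cloudflare's implementation. The rule
parameters are the ones in the text (match POST /api/auth/login, count per
client IP, 10 requests per 60-second period); the fixed-window counting model,
the 10-minute mitigation timeout and the log line format are assumptions made
for the illustration. The log lines are constructed, not real traffic.
"""
from collections import defaultdict

MATCH_PATH = "/api/auth/login"
MATCH_METHOD = "POST"
PERIOD = 60        # counting period in seconds
THRESHOLD = 10     # requests per period, per IP, before mitigation starts
MITIGATION = 600   # seconds a tripped IP stays blocked (assumed value)


def matches(method, path):
    """The rule's match expression: path eq "/api/auth/login" and method eq "POST"."""
    return path == MATCH_PATH and method == MATCH_METHOD


class FixedWindowLimiter:
    """Per-IP counter with a fixed period and a mitigation timeout."""

    def __init__(self, period=PERIOD, threshold=THRESHOLD, mitigation=MITIGATION):
        self.period, self.threshold, self.mitigation = period, threshold, mitigation
        self.counts = defaultdict(int)  # (ip, window index) -> requests seen
        self.blocked_until = {}         # ip -> timestamp at which mitigation ends

    def decide(self, ts, ip, method, path):
        """Return 'pass' (rule not applicable), 'allow' or 'block'."""
        if not matches(method, path):
            return "pass"
        if ts < self.blocked_until.get(ip, 0):
            return "block"  # still inside the mitigation timeout
        key = (ip, ts // self.period)
        self.counts[key] += 1
        if self.counts[key] > self.threshold:
            self.blocked_until[ip] = ts + self.mitigation
            return "block"
        return "allow"


def run(lines):
    """Replay log lines ('<unix_ts> <ip> <method> <path>') through a fresh limiter.

    Returns {ip: {decision: count}}.
    """
    limiter = FixedWindowLimiter()
    summary = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ts, ip, method, path = line.split()
        summary[ip][limiter.decide(int(ts), ip, method, path)] += 1
    return {ip: dict(c) for ip, c in summary.items()}


# Constructed scenarios (documentation-range addresses, synthetic timestamps).
def brute_force_log(ip="203.0.113.7", n=30, start=1000):
    """One attacker hammering the login endpoint, one request per second."""
    return [f"{start + i} {ip} POST {MATCH_PATH}" for i in range(n)]


def distributed_log(n_ips=20, per_ip=8, start=2000):
    """Credential stuffing spread over a botnet: every IP stays under the threshold."""
    lines = []
    for i in range(n_ips):
        ip = f"198.51.100.{i + 1}"
        lines += [f"{start + j} {ip} POST {MATCH_PATH}" for j in range(per_ip)]
    return lines


def office_nat_log(users=12, ip="192.0.2.10", start=3000):
    """Twelve legitimate users behind one corporate NAT address, all logging in at 9:00."""
    return [f"{start + i} {ip} POST {MATCH_PATH}" for i in range(users)]


if __name__ == "__main__":
    for name, log in [("single-IP brute force", brute_force_log()),
                      ("distributed stuffing", distributed_log()),
                      ("office behind NAT", office_nat_log()),
                      ("login page GET", ["1 203.0.113.7 GET /api/auth/login"])]:
        print(name, run(log))
```

The first scenario is the one the rule is built for: the single attacker gets 10 attempts and then nothing for the rest of the mitigation timeout. The second shows the limit's blind spot: 160 password guesses from 20 addresses pass untouched, which is why per-account lockout or throttling at the origin is still required. The third shows the false-positive side of counting by IP alone: the eleventh and twelfth employees behind one NAT address are blocked, so for clients with large offices count by IP plus a session cookie or header, or use Managed Challenge rather than Block.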

Other Security Settings

  • Bot Fight Mode: On
    • Location: Security > Bots
    • Why: This is a simple, one-click way to challenge requests that match known bot signatures; verified bots such as search engine crawlers are let through. It has no per-path or per-IP exceptions, so confirm after enabling it that API endpoints, webhooks and uptime monitors still work. If a client needs exceptions, Super Bot Fight Mode on paid plans provides them.
  • Email Address Obfuscation: On
    • Location: Scrape Shield
    • Why: This rewrites email addresses in our pages' HTML so scrapers harvesting mailto: links and plain-text addresses do not see them, while browsers with JavaScript enabled render them normally.

This configuration provides a strong baseline of security for all our projects. Review these settings per project against its actual traffic (API clients, webhook callers, geographic user base), and after every change check Security > Events for legitimate requests that were blocked or challenged before tightening further.