Fouad Matin

@fouadmatin

Few systems in a company's tech stack are more sensitive than where your traffic is routed. Cloudflare is a popular choice for managing DNS, DDoS protection, and more. (We use it here at Indent!)

Putting some security best practices in place can help you better manage the risk around your Cloudflare account and more easily become compliant with frameworks like SOC 2, PCI DSS, and HIPAA.

Here's the TLDR of what you should od:

1. Least privilege Cloudflare access
2. Monitor DNS record changes
3. Set up Infrastructure as Code (IaC)
4. Enforce security headers
5. Hardware 2FA keys

Users with permissions to add or edit your DNS records can redirect traffic to malicious sites, intercept sensitive data, or launch phishing attacks by altering DNS settings.

To prevent bad actors from making these malicious updates you should grant access on a least privilege basis.

By granting temporary access to Cloudflare roles to complete a specific task, and then revoking that access once the task has been completed, it eliminates unused privileged access, making it much harder to successfully breach your Cloudflare.

You can manage accounts manually or fully automate approvals and provisioning with Indent’s Cloudflare integration.

Indent is the request access button for work, getting your team access when they need it and automatically revoking it after they’re done. If you have any questions, feel free to book some time with our team and we’re happy to answer any questions.

The settings in your Cloudflare accounts can have a big impact on your attack surface. It's important to monitor for high risk activities, like creation or modification of DNS records, API keys, or security sensitive products like WAF, Bot management, or Zero Trust.

The easiest way to set up that monitoring is to use RunReveal which can collect your Cloudflare audit logs and detect anomalies and critical configuration changes.

“

Cloudflare configuration changes are critical to monitor. Cloudflare operates on their customer's traffic on so many layers that configuration changes can have a massive security impact.

— Evan Johnson, Cofounder/CEO at RunReveal, former Head of Security Engineering at Cloudflare

Infrastructure as Code increases your security while also saving you time. Here are a few of our recommendations:

• Deploy Cloudflare Workers with `wrangler`
  • Using wrangler simplifies Cloudflare Worker deployment by providing a command-line interface for streamlined setup, version control integration, local testing, and automated deployment.
  • This creates a more developer-friendly workflow while automatically helping you adhere to Cloudflare's best practices for security and performance.
• Configure your Cloudflare account with Terraform
  • Using Terraform facilitates automation and reproducibility of Cloudflare configurations across multiple environments.
  • It streamlines management, version control, and collaborative deployment while maintaining consistency in managing Cloudflare.
• Use least privilege roles to purge cache or call via API
  • Rather than granting someone full admin access, you can implement low-risk access to manage cache settings.
  • Least privilege roles allow for easier management, version control, and automation of Cloudflare resources, streamlining deployment processes and promoting scalability with efficient resource provisioning and updates.

Cloudflare Page Rules allow straightforward configuration by enabling users to set up specific rules for different URL patterns, effortlessly incorporating security headers like Content Security Policy (CSP), X-Frame-Options, or HTTP Strict Transport Security (HSTS).

Alternatively, Cloudflare Workers provide a more dynamic and programmable approach, allowing for advanced customization and fine-grained control over security headers based on specific conditions or application logic. Whether opting for the simplicity of Page Rules or the flexibility of Workers, both methods empower users to bolster their website security by enforcing essential security headers effectively within the Cloudflare ecosystem.

Here's an example of enforcing security headers using Workers:

const DEFAULT_SECURITY_HEADERS = {
  'X-Frame-Options': 'DENY',
  // more headers...
}
const BLOCKED_HEADERS = ['Public-Key-Pins', 'X-Powered-By', 'X-AspNet-Version']

Object.keys(DEFAULT_SECURITY_HEADERS).map((name) => {
  newHeaders.set(name, DEFAULT_SECURITY_HEADERS[name])
})

BLOCKED_HEADERS.forEach((name) => {
  newHeaders.delete(name)
})

const tlsVersion = request.cf.tlsVersion

if (tlsVersion !== "TLSv1.2" && tlsVersion !== "TLSv1.3") {
  return new Response("You need to use TLS version 1.2 or higher.", {
    status: 400,
  });
} else {
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: newHeaders,
  });
}

Explore on the Cloudflare Docs for more information on how to enforce security headers using Cloudflare Workers.

Using hardware-based two-factor authentication (2FA) keys in Cloudflare significantly enhances the overall security of privileged accounts. Encouraging employees to utilize hardware tokens, such as YubiKeys, over less secure alternatives like SMS-based 2FA, serves as a critical step in mitigating the risk of unauthorized access.

By providing employees with YubiKeys and actively discouraging SMS-based authentication, Cloudflare users can elevate their account security to a more robust level.

Limiting access for users without hardware keys to only the essential functions ensures that only those authenticated through a secure hardware token can take privileged action, adding an additional layer of protection to sensitive Cloudflare accounts.

This approach aligns with best practices in access control and authentication, fortifying the defense against potential security threats.

If you have any questions about implementing these best practices or have questions about Indent, feel free to book some time with our team.