Quick and easy Cloudflare security tips and tricks
Writing down some of the things I wish I had found when I got started with Cloudflare: easy security wins, a few tricks and a couple of usability things.
NOTE: all of these are available on the free plan.
Adding custom quick-win rules to the WAF
I have two custom rules: one that blocks risky countries, and one that serves a managed challenge to some questionable sources.
Here is the expression for the "hmm" countries (managed challenge). It uses the rules language's set syntax instead of a long chain of or's; the original chain listed "T1" and "IN" twice, which is harmless but untidy. "T1" is Cloudflare's pseudo-country code for Tor exit nodes and "XX" means the country could not be determined. (ip.geoip.country still works, but Cloudflare now documents the same field as ip.src.country.)
(ip.geoip.country in {"AF" "AX" "AL" "DZ" "BD" "BR" "CN" "EG" "IN" "IL" "TR" "T1" "ID" "SG" "HK" "CZ" "JP" "KP" "KR" "AM" "RU" "RS" "EC" "ZA" "CO" "VN" "AR" "LA" "PE" "JO" "IQ" "SY" "HU" "TW" "MY" "NP" "PH" "HR" "MG" "PK" "XX"})
Here is the expression for "Block risky countries":
(ip.geoip.country in {"RU" "IR" "CN" "KP"})
Note that RU, CN and KP appear in both lists. Custom rules are evaluated top to bottom and both block and managed challenge stop evaluation, so put the block rule above the challenge rule; otherwise those countries get a challenge instead of a block.
Optionally (it works for my audience) you can challenge, or block, everything outside Europe:
(not ip.geoip.continent in {"EU"})
Geo-based rules are a coarse filter: attackers route through clean countries and legitimate users travel, so prefer managed challenge over block wherever a false positive would cost you a real visitor.
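The two rules above can be managed as code instead of hand-edited in the dashboard. The following is an added example, not code from the original post: it normalises and de-duplicates the country lists, emits the set-form expressions (using ip.src.country, the current name of the field the post calls ip.geoip.country), and builds the request body for Cloudflare's custom-rules ruleset entrypoint with the block rule ordered before the challenge rule. The zone ID and API token are deliberately left out; the endpoint path is taken from Cloudflare's rulesets API documentation.

```python
"""Build Cloudflare custom WAF rules (block / managed challenge) from country lists.

Added example, not the post's own code. It only produces the JSON body; sending it
(PUT /zones/{zone_id}/rulesets/phases/http_request_firewall_custom/entrypoint with an
API token) is left to the reader.
"""
import json
import re
from typing import Iterable, List

# ISO 3166-1 alpha-2 codes plus Cloudflare's two pseudo-codes:
# T1 = Tor exit nodes, XX = country unknown. Anything else is rejected early.
_CODE_RE = re.compile(r"^(?:[A-Z]{2}|T1|XX)$")


def normalise_codes(codes: Iterable[str]) -> List[str]:
    """Upper-case, validate and de-duplicate country codes; returns a sorted list.

    The post's challenge expression lists "T1" and "IN" twice; a set absorbs that.
    """
    seen = set()
    for raw in codes:
        code = raw.strip().upper()
        if not _CODE_RE.match(code):
            raise ValueError(f"not a country code: {raw!r}")
        seen.add(code)
    return sorted(seen)


def country_expression(codes: Iterable[str]) -> str:
    """Rules-language expression matching any of the given countries, in set form."""
    values = normalise_codes(codes)
    if not values:
        raise ValueError("an empty set is not a valid expression")
    return "ip.src.country in {" + " ".join(f'"{c}"' for c in values) + "}"


def outside_continent_expression(continent: str = "EU") -> str:
    """Everything not in the given continent (the post's 'non-European' rule)."""
    return f'ip.src.continent ne "{continent}"'


def ruleset_payload(block: Iterable[str], challenge: Iterable[str]) -> dict:
    """Body for the http_request_firewall_custom entrypoint ruleset.

    Rules run top to bottom and both actions terminate evaluation, so the hard block
    comes first and any country on both lists is dropped from the challenge rule.
    """
    block_set = set(normalise_codes(block))
    challenge_only = [c for c in normalise_codes(challenge) if c not in block_set]
    rules = [{
        "action": "block",
        "description": "Block risky countries",
        "expression": country_expression(block_set),
        "enabled": True,
    }]
    if challenge_only:  # skip the rule entirely rather than emit an empty set
        rules.append({
            "action": "managed_challenge",
            "description": "Challenge questionable sources",
            "expression": country_expression(challenge_only),
            "enabled": True,
        })
    return {"rules": rules}


if __name__ == "__main__":
    # Constructed sample lists: the post's block list and a trimmed version of its
    # challenge list, duplicates included on purpose.
    RISKY = ["RU", "IR", "CN", "KP"]
    HMM = ["AF", "AX", "AL", "CN", "T1", "IN", "T1", "IN", "XX"]
    print(json.dumps(ruleset_payload(RISKY, HMM), indent=2))
```

Run it and diff the printed JSON against what the dashboard shows; a PUT to the entrypoint replaces the whole custom ruleset, so keep every rule you want in the payload.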
Adding Logflare to your site
On the free plan Cloudflare does not give you per-request access logs, so seeing what is going on between Cloudflare and your web server is at times difficult. A while ago I had some weird routing issues where some users were reporting 500 errors and others were fine; Logflare was a fantastic tool to help me troubleshoot and eliminate possible causes.
It can also be used to trace what type of bots and scripts are fiddling around 🤗
Keep in mind that you are shipping request metadata (client IPs, URLs, user agents) to a third party, so check that against whatever privacy obligations you have.
Enable DNSSEC
DNSSEC lets resolvers verify that the answers for your zone really came from you. Turning it on in Cloudflare only signs the zone; it does nothing until you also add the DS record Cloudflare gives you at your registrar.
Enable Always Use HTTPS
This redirects every http:// request to https:// at the edge, so nothing reaches your origin over plain HTTP.
Enable HTTP Strict Transport Security (HSTS)
The linked articles go into more detail on why HSTS is a good choice. One caveat: once a browser has seen the header it refuses plain HTTP for the whole max-age, so start with a short max-age, and only add includeSubDomains and preload when you are sure every subdomain will serve HTTPS forever.
Set the Minimum TLS version to TLS 1.2
You can set it to 1.3, but that locks out clients that only speak 1.2; a minimum of TLS 1.2 is the right floor for general visitors. TLS 1.0 and 1.1 are deprecated (RFC 8996) and should not be offered.
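The three settings above (Always Use HTTPS, HSTS and the TLS floor) are easy to verify from the outside. The following is an added example, not code from the original post: the HSTS parsing and assessment run offline on a header string, and the live probes use only the Python standard library against a hostname you supply. The one-year threshold is the hstspreload.org requirement; the SECLEVEL tweak is needed because modern OpenSSL refuses to even offer TLS 1.0/1.1 by default.

```python
"""Verify Always Use HTTPS, HSTS and the minimum TLS version for a host.

Added example, not the post's own code. parse_hsts/hsts_findings are pure and run
offline; the *_live helpers open real connections and are only called from main.
"""
import http.client
import socket
import ssl
from typing import List, Optional

ONE_YEAR = 31_536_000  # seconds; hstspreload.org requires max-age >= 1 year


def parse_hsts(header: Optional[str]) -> dict:
    """Parse a Strict-Transport-Security value into its directives."""
    result = {"present": header is not None, "max_age": None,
              "include_subdomains": False, "preload": False}
    if header is None:
        return result
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.lower()
        if name == "max-age":
            try:
                result["max_age"] = int(value.strip().strip('"'))
            except ValueError:
                pass  # leave None so the caller flags it
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def hsts_findings(header: Optional[str]) -> List[str]:
    """Human-readable problems with an HSTS header; an empty list means it looks fine."""
    h = parse_hsts(header)
    if not h["present"]:
        return ["no Strict-Transport-Security header"]
    findings = []
    if h["max_age"] is None:
        findings.append("max-age missing or not an integer")
    elif h["max_age"] == 0:
        findings.append("max-age=0 disables HSTS")
    elif h["max_age"] < ONE_YEAR:
        findings.append(f"max-age {h['max_age']} is under one year")
    if h["preload"] and not h["include_subdomains"]:
        findings.append("preload requires includeSubDomains")
    return findings


def https_redirect_live(host: str, timeout: float = 5.0) -> bool:
    """True if plain HTTP on port 80 answers with a redirect to https://<host>."""
    conn = http.client.HTTPConnection(host, 80, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        resp = conn.getresponse()
        location = (resp.getheader("Location") or "").lower()
        return 300 <= resp.status < 400 and location.startswith(f"https://{host.lower()}")
    finally:
        conn.close()


def hsts_header_live(host: str, timeout: float = 5.0) -> Optional[str]:
    """Fetch / over HTTPS and return the raw Strict-Transport-Security header, if any."""
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout)
    try:
        conn.request("GET", "/", headers={"Host": host})
        return conn.getresponse().getheader("Strict-Transport-Security")
    finally:
        conn.close()


def accepts_tls_version_live(host: str, version: ssl.TLSVersion, timeout: float = 5.0) -> bool:
    """Handshake with the client pinned to exactly `version`; True means the server accepted it."""
    ctx = ssl.create_default_context()
    try:
        ctx.minimum_version = ctx.maximum_version = version
        if version < ssl.TLSVersion.TLSv1_2:
            # Lower OpenSSL's security level so the probe really offers TLS 1.0/1.1.
            ctx.set_ciphers("DEFAULT:@SECLEVEL=0")
    except (ValueError, ssl.SSLError):
        return False  # the local OpenSSL cannot speak that version at all
    try:
        with socket.create_connection((host, 443), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (ssl.SSLError, OSError):
        return False


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"  # placeholder host
    print("HTTP -> HTTPS redirect:", https_redirect_live(host))
    print("HSTS:", hsts_findings(hsts_header_live(host)) or "ok")
    print("TLS 1.1 accepted (want False):", accepts_tls_version_live(host, ssl.TLSVersion.TLSv1_1))
    print("TLS 1.2 accepted (want True):", accepts_tls_version_live(host, ssl.TLSVersion.TLSv1_2))
```

Run it as `python check_tls.py yourdomain.example` after changing each setting; a minimum of TLS 1.2 should show 1.1 refused and 1.2 accepted, and a freshly enabled HSTS with a short trial max-age will be reported as under one year until you raise it.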