{"id":1105,"date":"2022-11-25T21:46:16","date_gmt":"2022-11-25T19:46:16","guid":{"rendered":"https:\/\/cln.io\/blog\/?p=1105"},"modified":"2022-12-05T19:40:01","modified_gmt":"2022-12-05T17:40:01","slug":"quick-and-easy-cloudflare-security-tips-and-tricks","status":"publish","type":"post","link":"https:\/\/cln.io\/blog\/quick-and-easy-cloudflare-security-tips-and-tricks\/","title":{"rendered":"Quick and easy Cloudflare security tips and tricks"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">Writing down some of the things I wish I had found when I got started with Cloudflare (basically Cloudflare tips and tricks, or easy wins)<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Some of them are tricks, others are tips or usability things.<br>NOTE: all of these are available under the free package<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">On this page<\/p>\n\n\n\n<nav aria-label=\"Table of Contents\" class=\"wp-block-table-of-contents\"><ol><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/cln.io\/blog\/quick-and-easy-cloudflare-security-tips-and-tricks\/#adding-custom-quick-win-rules-to-the-waf\">Adding custom quick-win rules to the WAF<\/a><\/li><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/cln.io\/blog\/quick-and-easy-cloudflare-security-tips-and-tricks\/#adding-logflare-to-your-site\">Adding logflare to your site<\/a><\/li><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/cln.io\/blog\/quick-and-easy-cloudflare-security-tips-and-tricks\/#enable-dnssec\">Enable DNSSEC<\/a><\/li><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/cln.io\/blog\/quick-and-easy-cloudflare-security-tips-and-tricks\/#enable-always-use-https\">Enable Always Use HTTPS<\/a><\/li><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/cln.io\/blog\/quick-and-easy-cloudflare-security-tips-and-tricks\/#enable-http-strict-transport-security-hsts\">Enable HTTP Strict Transport Security (HSTS) 
<\/a><\/li><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/cln.io\/blog\/quick-and-easy-cloudflare-security-tips-and-tricks\/#set-the-minimum-tls-version-to-tls-1-2\">Set the Minimum TLS version to TLS 1.2<\/a><\/li><li><a class=\"wp-block-table-of-contents__entry\" href=\"https:\/\/cln.io\/blog\/quick-and-easy-cloudflare-security-tips-and-tricks\/#enable-bot-fight-mode\">Enable Bot Fight Mode<\/a><\/li><\/ol><\/nav>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"adding-custom-quick-win-rules-to-the-waf\">Adding custom quick-win rules to the WAF<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"265\" height=\"166\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-28.png\" alt=\"\" class=\"wp-image-1106\"\/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"644\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-29-1024x644.png\" alt=\"\" class=\"wp-image-1107\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-29-1024x644.png 1024w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-29-300x189.png 300w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-29-768x483.png 768w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-29.png 1048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<p class=\"wp-block-paragraph\">I have 2 custom rules: 1 to block risky countries, and 1 to apply a managed challenge to some questionable sources.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Here is the expression for the &#8220;hmm&#8221; countries:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" 
data-enlighter-group=\"\">(ip.geoip.country eq \"AF\") or (ip.geoip.country eq \"AX\") or (ip.geoip.country eq \"AL\") or (ip.geoip.country eq \"DZ\") or (ip.geoip.country eq \"BD\") or (ip.geoip.country eq \"BR\") or (ip.geoip.country eq \"CN\") or (ip.geoip.country eq \"EG\") or (ip.geoip.country eq \"IN\") or (ip.geoip.country eq \"IL\") or (ip.geoip.country eq \"TR\") or (ip.geoip.country eq \"T1\") or (ip.geoip.country eq \"ID\") or (ip.geoip.country eq \"SG\") or (ip.geoip.country eq \"HK\") or (ip.geoip.country eq \"CZ\") or (ip.geoip.country eq \"JP\") or (ip.geoip.country eq \"KP\") or (ip.geoip.country eq \"KR\") or (ip.geoip.country eq \"AM\") or (ip.geoip.country eq \"RU\") or (ip.geoip.country eq \"RS\") or (ip.geoip.country eq \"EC\") or (ip.geoip.country eq \"ZA\") or (ip.geoip.country eq \"CO\") or (ip.geoip.country eq \"VN\") or (ip.geoip.country eq \"AR\") or (ip.geoip.country eq \"LA\") or (ip.geoip.country eq \"PE\") or (ip.geoip.country eq \"JO\") or (ip.geoip.country eq \"IQ\") or (ip.geoip.country eq \"SY\") or (ip.geoip.country eq \"HU\") or (ip.geoip.country eq \"TW\") or (ip.geoip.country eq \"MY\") or (ip.geoip.country eq \"NP\") or (ip.geoip.country eq \"PH\") or (ip.geoip.country eq \"HR\") or (ip.geoip.country eq \"MG\") or (ip.geoip.country eq \"PK\") or (ip.geoip.country eq \"XX\")<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Here is the expression for &#8220;Block risky countries&#8221;:<\/p>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">(ip.geoip.country eq \"RU\") or (ip.geoip.country eq \"IR\") or (ip.geoip.country eq \"CN\") or (ip.geoip.country eq \"KP\")<\/pre>\n\n\n\n<p class=\"wp-block-paragraph\">Optionally (in my case), you can just throw the entire non-European 
continent in a challenge (or a block):<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"129\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-38-1024x129.png\" alt=\"\" class=\"wp-image-1124\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-38-1024x129.png 1024w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-38-300x38.png 300w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-38-768x97.png 768w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-38.png 1054w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">(not ip.geoip.continent in {\"EU\"})<\/pre>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"adding-logflare-to-your-site\">Adding logflare to your site<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Cloudflare does not provide &#8220;access&#8221; logs, so seeing what is going on between your web server &amp; Cloudflare is at times difficult. A while ago I had some weird routing issues: some users were reporting 500 errors and others were fine. 
Logflare was a fantastic tool to help me troubleshoot and eliminate possible issues.<br>This can also be used to trace what type of bots\/scripts are fiddling around &#x1f917;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"257\" height=\"224\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-30.png\" alt=\"\" class=\"wp-image-1109\"\/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"547\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-31-1024x547.png\" alt=\"\" class=\"wp-image-1110\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-31-1024x547.png 1024w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-31-300x160.png 300w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-31-768x410.png 768w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-31.png 1047w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"928\" height=\"879\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-32.png\" alt=\"\" class=\"wp-image-1111\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-32.png 928w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-32-300x284.png 300w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-32-768x727.png 768w\" sizes=\"auto, (max-width: 928px) 100vw, 928px\" \/><figcaption class=\"wp-element-caption\">hunting for broken links<\/figcaption><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"enable-dnssec\">Enable DNSSEC<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"287\" 
height=\"186\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-34.png\" alt=\"\" class=\"wp-image-1113\"\/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"266\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-33-1024x266.png\" alt=\"\" class=\"wp-image-1112\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-33-1024x266.png 1024w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-33-300x78.png 300w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-33-768x200.png 768w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-33.png 1046w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"enable-always-use-https\">Enable Always Use HTTPS<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"261\" height=\"253\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-35.png\" alt=\"\" class=\"wp-image-1117\"\/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"243\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-36-1024x243.png\" alt=\"\" class=\"wp-image-1119\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-36-1024x243.png 1024w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-36-300x71.png 300w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-36-768x182.png 768w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-36.png 1046w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"enable-http-strict-transport-security-hsts\">Enable HTTP Strict Transport Security (HSTS) 
<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Some more reading on why HSTS is a good choice <a href=\"https:\/\/stackoverflow.com\/questions\/23040408\/when-should-hsts-be-enabled\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a> and <a href=\"https:\/\/security.stackexchange.com\/questions\/17264\/hsts-extra-security-over-https\" target=\"_blank\" rel=\"noreferrer noopener\">here<\/a>.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"261\" height=\"253\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-35.png\" alt=\"\" class=\"wp-image-1117\"\/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"320\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-37-1024x320.png\" alt=\"\" class=\"wp-image-1120\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-37-1024x320.png 1024w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-37-300x94.png 300w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-37-768x240.png 768w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/11\/image-37.png 1046w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\" id=\"set-the-minimum-tls-version-to-tls-1-2\">Set the Minimum TLS version to TLS 1.2<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">You can go to 1.3, but keep TLS 1.2 as the minimum for your visitors.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"224\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/12\/Screenshot-2022-12-04-at-19.04.55-1024x224.png\" alt=\"\" class=\"wp-image-1225\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/12\/Screenshot-2022-12-04-at-19.04.55-1024x224.png 1024w, 
https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/12\/Screenshot-2022-12-04-at-19.04.55-300x66.png 300w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/12\/Screenshot-2022-12-04-at-19.04.55-768x168.png 768w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/12\/Screenshot-2022-12-04-at-19.04.55-1536x336.png 1536w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/12\/Screenshot-2022-12-04-at-19.04.55-2048x448.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"enable-bot-fight-mode\">Enable Bot Fight Mode<\/h2>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/12\/image-1.png\" alt=\"\" class=\"wp-image-1230\" width=\"177\" height=\"199\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/12\/image-1.png 520w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/12\/image-1-267x300.png 267w\" sizes=\"auto, (max-width: 177px) 100vw, 177px\" \/><\/figure>\n<\/div>\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"303\" src=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/12\/image-1024x303.png\" alt=\"\" class=\"wp-image-1228\" srcset=\"https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/12\/image-1024x303.png 1024w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/12\/image-300x89.png 300w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/12\/image-768x228.png 768w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/12\/image-1536x455.png 1536w, https:\/\/cln.io\/blog\/wp-content\/uploads\/2022\/12\/image-2048x607.png 2048w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/figure>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Writing down some of the things I wish I had found when I got started with Cloudflare (basically Cloudflare tips and 
tricks, or easy wins) Some of them are tricks, others are tips or usability [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1116,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[48,35,26,37],"tags":[],"class_list":["post-1105","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-security","category-dns","category-it","category-networking"],"_links":{"self":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts\/1105","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/comments?post=1105"}],"version-history":[{"count":10,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts\/1105\/revisions"}],"predecessor-version":[{"id":1232,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/posts\/1105\/revisions\/1232"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/media\/1116"}],"wp:attachment":[{"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/media?parent=1105"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/categories?post=1105"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cln.io\/blog\/wp-json\/wp\/v2\/tags?post=1105"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}