Cloudflare Hardening Checklist


A zone-level security checklist for Cloudflare. Use this to validate your configuration against baseline expectations. Each item can be verified via the Cloudflare dashboard or API.

DNS

  • Zone is on Cloudflare authoritative DNS (not CNAME setup)
  • DNSSEC is enabled and DS record is published at registrar
  • No stale A/AAAA/CNAME records pointing to decommissioned hosts
  • No wildcard DNS records unless explicitly required
  • MX, SPF, DKIM, and DMARC records configured for email security
  • Proxy status (orange cloud) enabled for all web-serving records

SSL/TLS

  • SSL mode set to Full (Strict) - not Flexible, not Full
  • Cloudflare Origin Certificate installed on origin server
  • Minimum TLS version set to 1.2
  • TLS 1.3 enabled
  • HSTS enabled with max-age=31536000 and includeSubDomains
  • Automatic HTTPS Rewrites enabled
  • Always Use HTTPS enabled
  • Authenticated Origin Pulls enabled (if origin supports mTLS)

Common mistake: Flexible SSL mode does not encrypt traffic between Cloudflare and your origin. Your users see a padlock, but the backend connection is plaintext. Always use Full (Strict) with an origin certificate.

WAF

  • Cloudflare Managed Ruleset enabled
  • OWASP Core Rule Set enabled (sensitivity tuned to avoid false positives)
  • Custom rules deployed for application-specific logic
  • Rate limiting configured on authentication and API endpoints
  • Bot Fight Mode or Super Bot Fight Mode enabled
  • Challenge Passage set to a reasonable TTL (default: 30 min)

Security Headers

Use Transform Rules to set or remove headers at the edge:

  • Server header removed or overwritten (hides origin software)
  • X-Content-Type-Options: nosniff set
  • X-Frame-Options: DENY or SAMEORIGIN set
  • Referrer-Policy: strict-origin-when-cross-origin set
  • Permissions-Policy set with appropriate feature restrictions
  • X-Powered-By header removed

Access and Authentication

  • Admin paths (/admin, /wp-admin, /login) protected with WAF rules or Access policies
  • API endpoints rate-limited and schema-validated (if API Shield is available)
  • Cloudflare Access configured for internal applications (if applicable)
  • Service tokens used for machine-to-machine API access (not user credentials)

Verification Commands

Quick checks you can run from the command line:

Check SSL mode and certificate

curl -sI https://example.com | grep -iE "strict-transport|server|cf-ray"

This confirms HSTS and the Cloudflare proxy headers from the client side; the SSL mode itself (Flexible vs Full vs Full (Strict)) is not observable from outside and must be confirmed in the dashboard or API.

Check DNSSEC

dig +dnssec example.com | grep -iE "rrsig|flags:"   # expect RRSIG records and the "ad" flag in the header flags

Check security headers

curl -sI https://example.com | grep -iE "x-frame|x-content|referrer-policy|permissions-policy|server"

Check TLS version

openssl s_client -connect example.com:443 -servername example.com -tls1_2 < /dev/null 2>&1 | grep "Protocol"
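The header checks above can be scripted. The following is an added example, not part of this checklist, that audits a captured response-header block against the HSTS and Security Headers items; the GOOD and BAD header sets are constructed samples, and the Server check accepts Cloudflare's own edge value as "overwritten".

```shell
#!/bin/sh
# Added example: audit an HTTP response-header block against the HSTS,
# Server/X-Powered-By and browser-protection items in this checklist.
# Headers are read from stdin:  curl -sI https://example.com | audit_headers
# Prints one FAIL line per unmet expectation; returns the failure count.
audit_headers() {
    h=$(tr -d '\r' | tr 'A-Z' 'a-z')   # drop CR, compare case-insensitively
    n=0
    fail() { echo "FAIL: $1"; n=$((n + 1)); }
    has() { printf '%s\n' "$h" | grep -qE "$1"; }

    # HSTS present, max-age of at least one year, includeSubDomains
    if has '^strict-transport-security:'; then
        age=$(printf '%s\n' "$h" | sed -n 's/^strict-transport-security:.*max-age=\([0-9]*\).*/\1/p')
        [ "${age:-0}" -ge 31536000 ] || fail "HSTS max-age ${age:-0} is below 31536000"
        has '^strict-transport-security:.*includesubdomains' || fail "HSTS lacks includeSubDomains"
    else
        fail "Strict-Transport-Security missing"
    fi

    # Origin-disclosing headers removed, or Server overwritten by the edge
    has '^x-powered-by:' && fail "X-Powered-By still present"
    srv=$(printf '%s\n' "$h" | sed -n 's/^server: *//p')
    case "$srv" in ""|cloudflare) ;; *) fail "Server header reveals origin software: $srv" ;; esac

    # Browser-side protections and proof the response came through the proxy
    has '^x-content-type-options: *nosniff' || fail "X-Content-Type-Options: nosniff missing"
    has '^x-frame-options: *(deny|sameorigin)' || fail "X-Frame-Options missing or permissive"
    has '^referrer-policy: *strict-origin-when-cross-origin' || fail "Referrer-Policy is not strict-origin-when-cross-origin"
    has '^permissions-policy:' || fail "Permissions-Policy missing"
    has '^cf-ray:' || fail "no cf-ray header: response did not pass through Cloudflare"
    return "$n"
}
# Constructed sample captures (not real responses) for a stand-alone run.
GOOD='HTTP/2 200
server: cloudflare
cf-ray: 0123456789abcdef-LHR
strict-transport-security: max-age=31536000; includeSubDomains; preload
x-content-type-options: nosniff
x-frame-options: DENY
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()'
BAD='HTTP/1.1 200 OK
server: Apache/2.4.41 (Ubuntu)
x-powered-by: PHP/7.4
strict-transport-security: max-age=86400'

printf '%s\n' "$GOOD" | audit_headers && echo "GOOD sample: every check passed"
printf '%s\n' "$BAD" | audit_headers || echo "BAD sample: $? check(s) failed"
```

The BAD sample fails nine checks, which is the exit status the function returns; a zero exit means the zone meets every header expectation on this list.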

Need a deeper audit? These checks cover the basics. For comprehensive zone hardening with evidence packs and rollback capability, see our Cloudflare Everywhere Security engagement.