What are my options for protecting my site?

Avatar
Garret B.
Follow

Cloudflare offers a number of tools for controlling your traffic, thereby protecting your domains, URLs, and directories against specified volumes of traffic, certain groups of requesters, and specific requesting IPs. Below are a few of those features with details on how to set them up as well as how find out more information about them:

 

IP Firewall

Available for all plans. The IP Firewall allows you to control access for specific IP addresses, IP ranges, specific countries, specific ASNs, and certain CIDR blocks. This is best used when you want to control traffic for these specific elements. Available actions to affect incoming requests are Whitelist, Block, Challenge (Captcha), or JavaScript Challenge (IUAM challenge).

Example usage would be if you are already restoring visitor IPs using the mod_cloudflare plugin and you notice that a particular IP is causing malicious requests; you can block that user via IP address.

 

URL Redirect

Available for all plans. URL Forwarding allows you to prevent access to (1) URLs, (2) a certain request scheme (http or https), (3) file type, (4) sub-domain, (5) or directory, by redirecting users away from these this content to some "safe" location.

Example uses for each of these would be:

  1. Prevent access to the specific URL example.com/puppies.jpg: Redirect example.com/puppies.jpg to https://example.com/safe/location
  2. Prevent access to the http version example.com/puppies.jpg: Redirect http://example.com/puppies.jpg to https://example.com/puppies.jpg
  3. Prevent access to the .jpg file type: Redirect example.com/*.jpg to https://example.com/safe/location
  4. Prevent access to your www sub-domain, like www.example.com/*: Redirect www.example.com/puppies.jpg to https://example.com/puppies.jpg . Alternatively, to prevent access to any sub-domain you can use a wildcard as follows: Redirect *.example.com/puppies.jpg to https://example.com/puppies.jpg .
  5. Prevent access to the directory path /foo/bar/: Redirect example.com/foo/bar/* to https://example.com/safe/location

 

Security Level

Available for all plans. The Security Level setting allows you to control your site’s tolerance to potentially malicious IPs by responding to requesting IPs having certain IP-reputation levels with Captcha challenges. Cloudflare bases its IP reputation checks against Project Honeypot (https://www.projecthoneypot.org/). Then you select a Challenge Passage which controls how long a user that has passed the Captcha challenge may continue freely browsing your site before being challenged again.

Example usage of these settings would be if I am a new website owner who is quite concerned about preventing well-known bot IPs from attacking my site. I might set a Medium or High Security Level and lower Challenge Passage like 5 to 30 minutes to ensure that Cloudflare is constantly protecting my site from bots.

Another example usage would be if I am an experienced website admin and proxy implementer and am confident in my security settings. I might set an Essentially Off or Low Security Level and higher Challenge Passage like a week, month, or even year, to provide a less obtrusive experience for my users.

 

Cloudflare Access

Available for all plans. Cloudflare Access adds an authentication page in front of an application you don’t want to be publicly accessible. It is a perimeter-less access control solution for cloud and on-premise applications.

Read more about Getting Started with Cloudflare Access.

 

Zone (URL) Lockdown

Available for Pro plan and above. Zone (URL) Lockdown allows you to whitelist specific IP addresses and IP ranges whereby all other IPs are effectively blacklisted. Zone Lockdown supports:

  • Specific sub-domains, allowing you to, for example, allow IP 1.2.3.4 to access domain foo.example.com and allow IP 5.6.7.8 to access domain bar.example.com, but not necessarily allow the vice versa.
  • Specific URLs, allowing you to, for example, allow IP 1.2.3.4 to access directory example.com/foo/* and allow IP 5.6.7.8 to access directory example.com/bar/*, but not necessarily allow the vice versa.

This is useful when you need more granularity in your access rules since with the IP Firewall, you can only either apply the block to all sub-domains of the current domain or all domains on your account, and you can not specify URIs.

 

User-Agent Blocking Rules

Available for all plans. User-Agent Blocking allows you to action on any User-Agent string you want. This works similarly to Zone Lockdown as described above except the block examines the incoming User-Agent string rather than the IP and also you can choose how to handle a matching request with the same list of actions as you have in the IP Firewall, those being Block, JS Challenge, Captcha Challenge, Whitelist. Note that User-Agent blocking applies to your entire zone. That is, you cannot specify sub-domains as you can with Zone Lockdowns.

This tool is useful for blocking any User-Agent strings that you deem suspicious and works great in conjunction with the Browser Integrity Check feature.

 

Rate Limiting

Available for all plans. Rate Limiting allows you to control volumes of traffic for your entire site, specific URL, and any directory, for a given interval of time.

Example usage is implementing Protect My Login, which sets up rate limiting for POST requests on your login page. This is useful because login pages tend to not be cacheable and so vulnerable as DDOS attack vectors.

Another example would be if you know you have many uncacheable resources in your /foo/bar/ directory and want to ensure that no one can exceed traffic rates of 1000 requests per minute to that directory and that any violating IP gets blocked for 1 minute.

Note: Rate Limiting applies its limitations per IP and not to your traffic as a whole. Taking the previous example, this means that your traffic could still exceed 1000 requests per minute when aggregated, just not from any one user.

 

Custom WAF Rule

Available for Business and Enterprise plans. You can request a Custom WAF rule to be created for any traffic logic that you are unable to implement at the edge using the tools in your Cloudflare account by default, such as all of the above.

This is recommended in order to base traffic logic on:

  • Virtually any HTTP header in the request.
  • IP ranges.
  • Hostname
  • Regex
  • Validation of byte ranges to prevent binary data from being transferred through the URI for, example.
  • Checking for empty strings anywhere in request.
  • Integer comparisons (greater than, less than, greater than/equal to, less than/equal to, and equal to).

 

 

Token Authentication

Available for Business and Enterprise plans. Token Authentication allows you to restrict access to documents, files and media to selected users without requiring registration. This can be used to protect paid/restricted content from leeching and non authorized sharing. Token Authentication can be easily implemented using the Cloudflare Web Application Firewall (WAF) and requires a Business level subscription or higher.

Read more about How to setup Token Authentication.

 

Was this article helpful?
1 out of 2 found this helpful
Not finding what you need?

95% of questions can be answered using the search tool. This is the quickest way to get a response.

Submit a request

Popular questions: Why is my site slow, 522 errors, I'm expecting a spike in traffic

Powered by Zendesk