General website security guidelines

The following website security guidelines are appropriate for all CloudFlare customers.

  • Do not rate-limit or throttle requests from CloudFlare IP addresses.
  • Make sure you are seeing original visitor IP addresses in your logs.
  • Remove all DNS records you are not using.
  • Run email on separate server/service.
  • After moving site to CloudFlare, change server IP address(es).
  • Review Threat Control settings.
  • Check WAF settings.

Do not rate-limit or throttle requests from CloudFlare IP addresses

CloudFlare acts as a reverse proxy, so every connection to your origin arrives from one of our IP addresses, and a single proxy address carries traffic for many different visitors. Make sure that your server, and any firewall, rate limiter or intrusion-blocking tool in front of it, accepts connections from CloudFlare at all times: a per-IP rate limit or ban applied to a CloudFlare address throttles or blocks all of the visitors behind it at once. CloudFlare IP ranges are listed at https://www.cloudflare.com/ips and that page includes links to simple text files (one CIDR range per line) intended for machine parsing.

CloudFlare will add any new ranges to the public list at least one month before the new range is used, and will use many methods to publicize any new ranges.

Make sure you are seeing original visitor IP addresses in your logs

CloudFlare operates as a reverse proxy, so requests to your server(s) are made from our global network. The requests will therefore come from CloudFlare IP addresses (see above), but CloudFlare always includes the original visitor IP address in the request, as an HTTP header (CF-Connecting-IP).

CloudFlare offers several tools, such as mod_cloudflare for Apache web servers, for restoring the original visitor IP address from that header so that your logs, rate limits and access rules see the visitor rather than the proxy. Whichever method you use, only trust the header on connections that actually come from a CloudFlare address: anyone who connects to your origin directly can set the header to whatever they like.
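The two guidelines above can be implemented together. The following added Python example is not CloudFlare's code and not mod_cloudflare: it parses the one-CIDR-per-line format of the published IP list files, decides whether a connection's peer address belongs to the proxy, and only then trusts the CF-Connecting-IP header for logging and rate limiting. The CIDRs embedded below are constructed documentation prefixes standing in for the real list, which you should download from the URL above; the function names and the nginx allow-list rendering are assumptions for illustration.

```python
import ipaddress

# Constructed sample in the same one-CIDR-per-line format as the files linked
# from https://www.cloudflare.com/ips. These are RFC 5737 / RFC 3849
# documentation prefixes standing in for the real list; fetch the real
# files in production and refresh them on a schedule.
SAMPLE_IPV4_LIST = """\
203.0.113.0/24
198.51.100.0/26
"""
SAMPLE_IPV6_LIST = """\
2001:db8:cf::/48
"""

# Header in which the proxy passes the original visitor address.
CLIENT_IP_HEADER = "CF-Connecting-IP"


def parse_ip_list(text):
    """Parse the one-CIDR-per-line text format into network objects.

    Blank lines and '#' comments are skipped. A malformed line raises,
    so a truncated or garbled download cannot silently become an empty
    allow list that then locks the proxy out.
    """
    nets = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        nets.append(ipaddress.ip_network(line, strict=True))
    return nets


PROXY_NETS = parse_ip_list(SAMPLE_IPV4_LIST) + parse_ip_list(SAMPLE_IPV6_LIST)


def is_proxy_address(addr, nets=None):
    """True if addr (an IPv4 or IPv6 string) is inside one of the proxy CIDRs."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in (nets if nets is not None else PROXY_NETS))


def real_client_ip(peer_addr, headers, nets=None):
    """Return the address to log and rate-limit on.

    CF-Connecting-IP is honoured only when the TCP peer is a proxy address.
    A visitor who reaches the origin directly could otherwise set the header
    to impersonate another client or to dodge per-address rate limits.
    Header names are matched case-insensitively, as HTTP requires.
    """
    if is_proxy_address(peer_addr, nets):
        wanted = CLIENT_IP_HEADER.lower()
        for name, value in headers.items():
            if name.lower() == wanted and value.strip():
                # Normalise so that malformed values fail loudly here
                # rather than polluting logs.
                return str(ipaddress.ip_address(value.strip()))
    return peer_addr


def should_rate_limit(peer_addr, nets=None):
    """Never throttle the proxy itself; apply per-address limits to anyone else.

    Rate limiting of proxied visitors belongs on the address returned by
    real_client_ip(), not on the peer address.
    """
    return not is_proxy_address(peer_addr, nets)


def nginx_allow_block(nets):
    """Render allow/deny directives so an origin only accepts the proxy.

    Intended for the server or location block of an origin that should not
    be reachable directly; the final 'deny all;' closes everything else.
    """
    lines = ["allow %s;" % n.with_prefixlen for n in nets]
    lines.append("deny all;")
    return "\n".join(lines)
```

Regenerate the allow block whenever the published list changes; CloudFlare announces new ranges well in advance, so a scheduled refresh of the two text files is enough to stay current.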

Remove all DNS records you are not using

CloudFlare provides authoritative DNS service to its direct customers.

If you’ve enabled CloudFlare via a hosting partner or CNAME, then your DNS is controlled elsewhere, and this only applies for those records delegated to CloudFlare.

Within the CloudFlare DNS Settings, you have a choice of enabling CloudFlare security and acceleration and other services on a per-record basis. Security is ON when the cloud is orange. Some services will add default records whether you use them or not, such as webmail, FTP or wildcards.

Review your DNS records and:

(1) remove any records that are not in use, and

(2) enable CloudFlare security (orange cloud) on the web records you use.


Note: Records for protocols like mail, FTP, SSH and cPanel have gray clouds by default. If you enable CloudFlare (orange cloud) for these subdomains, those protocols will no longer work, because CloudFlare only proxies HTTP(S) traffic. However, while they have gray clouds, an attacker who knows or guesses these subdomains can look them up and learn your origin server IP. If you are concerned about security, you can enable orange clouds for the subdomains and connect to those services by direct IP instead of by hostname. For example, instead of ftp.yourdomain.com you would connect to ftp://yourserverip.

If a record shows no cloud at all, it is of a type that cannot be proxied (such as MX or TXT). Such a record does not point at your web server itself, so it is not a concern here, unless the host it names resolves to your origin IP, which is the email case covered below.

Run email on separate server/service

If you are running your mail on the same server as your website, then an attacker can always find your origin server IP: MX records cannot be proxied, and the mail host they name must be reachable directly, so its address is public by design. To close this gap, use an email service on a separate server from your website, whether through your hosting provider or an outside service (e.g., Google Apps).

For Mac (and Linux) users:

You can run this command in Terminal to see what IP is being reported with your MX records:

dig +short $(dig +short mx WEBSITE | awk '{print $2}')

For example, if I was concerned about example.com, I would enter:

dig +short $(dig +short mx example.com | awk '{print $2}')

The output will be one IP address per mail exchanger (the awk step drops the priority number that precedes each hostname in `dig +short mx` output; without it, dig would try to look up the number as a name). These are addresses that an attacker can always find. Make sure none of them is the IP address of your web server. Otherwise, no matter how many times you change your web server's address, if your email is on the same server, the attacker can always find the new IP.

For PC users:

You can run this command in command prompt to see what IP is being reported with your MX records:

nslookup -q=mx WEBSITE

For example, if I was concerned about example.com, I would enter:

nslookup -q=mx example.com

The output lists your mail exchanger hostnames (lines of the form `mail exchanger = mail.example.com`); run `nslookup` on each of those hostnames to get its IP address. That is the IP address an attacker can always find. Make sure it is different from the IP address of your web server. Otherwise, no matter how many times you change your web server's address, if your email is on the same server, the attacker can always find the new IP.
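The DNS record review above and the MX check can be automated. The following added Python example is not part of the original article and not a CloudFlare tool: it audits a constructed zone listing, flagging gray-cloud A/AAAA records that expose the origin address and MX targets whose published address is the origin, and it parses `dig +short mx` output correctly by separating the priority from the hostname. The zone data, origin address and function names are assumptions for illustration; in practice you would feed it the records shown in your DNS Settings.

```python
import ipaddress

# Constructed sample zone, as a DNS Settings page might show it after a
# hosting panel added its default records. "proxied" True is an orange
# cloud. All names and addresses are reserved documentation values.
ORIGIN_IP = "203.0.113.10"  # assumed address of the web server behind the proxy
EXAMPLE_ZONE = [
    {"name": "example.com",         "type": "A",     "content": "203.0.113.10",     "proxied": True},
    {"name": "www.example.com",     "type": "A",     "content": "203.0.113.10",     "proxied": True},
    {"name": "ftp.example.com",     "type": "A",     "content": "203.0.113.10",     "proxied": False},
    {"name": "webmail.example.com", "type": "A",     "content": "203.0.113.10",     "proxied": False},
    {"name": "mail.example.com",    "type": "A",     "content": "203.0.113.10",     "proxied": False},
    {"name": "example.com",         "type": "MX",    "content": "mail.example.com", "priority": 10},
    {"name": "blog.example.com",    "type": "CNAME", "content": "pages.example.net"},
]


def parse_dig_mx_short(output):
    """Parse `dig +short mx <zone>` output ("10 mail.example.com.") into hostnames.

    Each line is "<priority> <host>."; the priority is discarded and the
    trailing dot removed so the names can be looked up or compared directly.
    """
    hosts = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) == 2:
            hosts.append(parts[1].rstrip(".").lower())
    return hosts


def addresses_for(zone, name):
    """A/AAAA addresses the zone publishes for name (no recursion outside the zone)."""
    name = name.rstrip(".").lower()
    return {r["content"] for r in zone
            if r["name"].lower() == name and r["type"] in ("A", "AAAA")}


def unproxied_origin_records(zone, origin_ip):
    """Gray-cloud A/AAAA records pointing straight at the origin.

    Each one lets an attacker who guesses the hostname bypass the proxy,
    so it should be removed or, for web records, switched to orange cloud.
    """
    origin = ipaddress.ip_address(origin_ip)
    return sorted(r["name"] for r in zone
                  if r["type"] in ("A", "AAAA") and not r.get("proxied", False)
                  and ipaddress.ip_address(r["content"]) == origin)


def mx_hosts_on_origin(zone, origin_ip):
    """MX targets whose published address is the web origin.

    MX records cannot be proxied, so the only fix is to move mail to a
    different address (a separate server or an outside mail service).
    """
    origin = ipaddress.ip_address(origin_ip)
    leaking = set()
    for r in zone:
        if r["type"] != "MX":
            continue
        host = r["content"].rstrip(".").lower()
        if any(ipaddress.ip_address(a) == origin for a in addresses_for(zone, host)):
            leaking.add(host)
    return sorted(leaking)


def audit_zone(zone, origin_ip):
    """Summarise what public DNS reveals about origin_ip."""
    exposed = unproxied_origin_records(zone, origin_ip)
    mx_leak = mx_hosts_on_origin(zone, origin_ip)
    return {
        "unproxied_origin_records": exposed,
        "mx_on_origin": mx_leak,
        "origin_hidden": not exposed and not mx_leak,
    }


if __name__ == "__main__":
    for key, value in audit_zone(EXAMPLE_ZONE, ORIGIN_IP).items():
        print(key, value)
```

For the sample zone the audit reports ftp, webmail and mail as gray-cloud records exposing the origin, and mail.example.com as an MX target on the origin; removing the unused records and moving mail to another address is what makes `origin_hidden` true.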

Customize the challenge page

All paid customers can fully modify the entire HTML page, using the Custom Errors feature within their CloudFlare Settings.

While the security works whether the page is customized or not, it’s useful to make that page reflect your brand and site language.

After moving site to CloudFlare, change server IP address(es)

Once you’ve enabled CloudFlare for all web records, CloudFlare helps mask the server IP address(es)—especially if you’ve followed the steps above about removing unused records and keeping email on a separate server.

As an extra security measure, you may contact your hosting provider and ask them to change your web server IP address to something new. Note: this task is rarely automatic, and may incur a charge, so discuss with your hosting provider, based on the risk of attack on your site.

Review Threat Control settings

CloudFlare’s Threat Control lets you block IP addresses and set entire countries to be challenged. The beauty of the Internet is that your site is available to all, but you may choose to increase the friction from visitors in certain countries, based on your audience characteristics.

Threat Control is an easy place to act pre-emptively, as well as during an attack, so it’s smart to take a look before a crisis.

Check WAF settings

CloudFlare’s Web Application Firewall (WAF) is available to Pro, Business and Enterprise customers. If you are on one of those plans, review which WAF rule sets are enabled before an incident, just as with Threat Control.
