Harden Security With Page Rules

Cloudflare provisions your domain with a number of security enhancements with absolutely no configuration required. Learn how Page Rules gives you granular control over Cloudflare’s security features so you can harden the security of your domain.

To purchase Page Rules, visit the Cloudflare dashboard.

Overview

In this video you will learn how to:

  • Increase security and performance by enforcing secure domain connections
  • Eliminate threats before they reach your domain with targeted firewall protection
  • Block spammers, bots, and malicious crawlers from accessing critical resources
  • Stop bots from harvesting email addresses with on-the-fly email obfuscation
  • Protect sensitive information from suspicious visitors with server side excludes

Video Transcript

Cloudflare provisions your domain with a number of security enhancements with absolutely no configuration required. In this video we’ll look at how Page Rules gives you granular control over Cloudflare’s security features so you can harden the security of your domain.

Always Use HTTPS

Enabling SSL within the Crypto section of Cloudflare on your domain should be the very first step in your security strategy. It’s important to note that enabling SSL simply makes SSL available to your domain; it does not require visitors to use it. Page Rules lets you force all visitors to connect to your domain securely.

To accomplish this, once you’ve enabled any mode of SSL, create a Page Rule for HTTP that includes an asterisk before and after your domain, and select “Add a Setting” > Always Use HTTPS.

This URL pattern, which includes HTTP and has an asterisk before and after your domain, ensures that any subdomains, directories or query strings referencing your domain are forced over HTTPS.

Once you click Save and Deploy, new and returning visitors attempting to connect to your domain over HTTP will be redirected to HTTPS. This option should generally be the first rule you set in Page Rules. Unless you have a special case, be sure to reorder this rule to appear at the top of your set.

Web Application Firewall

Cloudflare’s Web Application Firewall, or WAF for short, provides Layer 7 protection against common web threats and specialized attacks before they reach your servers. Page Rules allows you to turn the WAF on for only specific sections of your domain.

To configure your WAF, head over to the Firewall section and click into the Rules details. From here you can turn on various rule groups or drill down into each group to fine-tune your selections. Toggling the WAF in this area sets the global default for the firewall. I’m going to leave it off for the domain, and I’ll use Page Rules to override this setting to ON for specific URLs.

In the Page Rules section I’ve turned the WAF on for a number of pages. I’ve targeted any areas of my domain that include a form or have administrative features for heightened security.

You’ll notice that I’m using asterisks in my URL patterns. By doing so, these patterns will cover any subdomains of my domain and any query strings appended to the URL.
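The Always Use HTTPS rule and the per-URL WAF rules above both rely on the same wildcard URL pattern, so the following added example (not Cloudflare's code) models both. It assumes the placeholder zone `example.com`, the constructed paths `/admin` and `/contact` as the "form or administrative" areas, and a simplified local model of wildcard matching in which `*` matches any run of characters. The request bodies follow the shape of Cloudflare's v4 API page rule objects (`targets`/`actions`) and the documented action ids `always_use_https` and `waf`.

```python
"""Model the Page Rules URL patterns and settings from the transcript.

Added example, not Cloudflare's code. The wildcard matcher is a local
approximation of the matching the transcript describes; use it to check
which URLs a pattern covers before creating the rule.
"""
import json
import re


def pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    # Assumption: '*' matches any run of characters, including '/' and '?',
    # so 'http://*example.com/*' covers subdomains, paths and query strings.
    literal_parts = [re.escape(part) for part in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$")


def url_matches(pattern: str, url: str) -> bool:
    """True if the URL falls under the pattern."""
    if "://" not in pattern:
        # A pattern without a scheme applies to both http and https, so the
        # comparison is done against the URL with its scheme removed.
        url = url.split("://", 1)[-1]
    return pattern_to_regex(pattern).match(url) is not None


def coverage(pattern: str, urls) -> dict:
    """Map each URL to whether the pattern covers it (for review)."""
    return {url: url_matches(pattern, url) for url in urls}


def build_page_rule(pattern: str, actions: dict) -> dict:
    """Build one page rule body: a URL target plus a list of actions.

    Actions with value None (e.g. always_use_https) carry only an id.
    """
    action_list = []
    for action_id, value in actions.items():
        item = {"id": action_id}
        if value is not None:
            item["value"] = value
        action_list.append(item)
    return {
        "targets": [{"target": "url",
                     "constraint": {"operator": "matches", "value": pattern}}],
        "actions": action_list,
        "status": "active",
    }


def plan_rules(domain: str) -> list:
    """Rules in the order the transcript recommends: Always Use HTTPS first,
    then WAF on for the form and administrative areas (constructed paths)."""
    return [
        build_page_rule(f"http://*{domain}/*", {"always_use_https": None}),
        build_page_rule(f"*{domain}/admin*", {"waf": "on"}),
        build_page_rule(f"*{domain}/contact*", {"waf": "on"}),
    ]


# Constructed sample URLs to show what the wildcard pattern does and does not cover.
SAMPLE_URLS = [
    "http://example.com/",
    "http://www.example.com/admin?x=1",
    "https://example.com/",
    "http://notexample.com/",
]

if __name__ == "__main__":
    for url, hit in coverage("http://*example.com/*", SAMPLE_URLS).items():
        print(f"{'match   ' if hit else 'no match'}  {url}")
    for rule in plan_rules("example.com"):
        print(json.dumps(rule, indent=2))
```

Two things the matcher makes visible: the HTTP-only pattern does not match `https://example.com/`, which is exactly why the redirect rule is scoped to `http://`; and `*example.com` also matches a hostname such as `notexample.com`, which is harmless only because a Page Rule applies solely to the zone it is created in. To create the rules for real, each body is POSTed to `https://api.cloudflare.com/client/v4/zones/<zone_id>/pagerules` with an API token; the rule order still has to be set in the dashboard so that Always Use HTTPS sits at the top, as the transcript advises.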

Security Level

To further increase security, I’ve set the Security Level to High. Security Level controls how high a client Threat Score must be for a client to encounter a challenge page. Threat Scores are derived from our IP Reputation database and assigned to clients that attempt to connect to a resource on your domain.

Browser Integrity Check

By enabling Browser Integrity Check on a number of my pages, Cloudflare checks for HTTP headers commonly used by spammers, bots, and malicious crawlers and denies them access.

Email Obfuscation

To prevent email harvesters and bots from adding my address to their spam lists, I’ve enabled Email Obfuscation on any public-facing pages that include an email address. Email Obfuscation obfuscates email addresses on your web page so that bots cannot read them while they stay visible to humans, resulting in no visible changes to your website for visitors.

Once enabled, I can still see the email address as a human visitor, but when I view the source code I can see that the email is obfuscated and protected from malicious crawlers.

Server Side Excludes

On my Contact page I’ve also included information like a physical address and phone number that I’d like to hide from suspicious visitors. Server Side Excludes offers another layer of protection by automatically hiding any HTML content placed between Cloudflare-specific comment codes from suspicious visitors.

In my source code I placed some information in between the specific comment code. When I visit the page as a regular user, I see the content. But when I attempt to access it from a suspicious address, the content is no longer available.
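The following added example (not Cloudflare's code) is a local model of the Server Side Excludes behaviour just described, written so you can check a template before deploying it: it verifies that the markers are balanced, lists exactly which fragments would be hidden, and renders the page as a regular or a suspicious visitor would receive it. The markers `<!--sse-->` and `<!--/sse-->` are Cloudflare's documented SSE comment codes; the stripping logic and the sample contact page are constructed here and only approximate what Cloudflare's edge does (the real decision about which visitors are "suspicious" is made by Cloudflare from the Threat Score, not by this code).

```python
"""Local model of Server Side Excludes (SSE) for checking templates.

Added example, not Cloudflare's code. Cloudflare strips the SSE blocks at
its edge for suspicious visitors; this module reproduces that effect locally
so the hidden fragments can be reviewed before the page goes live.
"""
import re

SSE_OPEN = "<!--sse-->"
SSE_CLOSE = "<!--/sse-->"
_MARKER = re.compile(re.escape(SSE_OPEN) + "|" + re.escape(SSE_CLOSE))
_SSE_BLOCK = re.compile(re.escape(SSE_OPEN) + r".*?" + re.escape(SSE_CLOSE), re.DOTALL)


def check_sse_markers(html: str) -> list:
    """Return a list of marker problems; an empty list means well formed.

    Nested or unclosed markers are flagged because this model (and a review
    of the rendered output) cannot say what would be hidden in that case.
    """
    problems = []
    depth = 0
    for m in _MARKER.finditer(html):
        if m.group() == SSE_OPEN:
            depth += 1
            if depth > 1:
                problems.append(f"nested {SSE_OPEN} at offset {m.start()}")
        else:
            depth -= 1
            if depth < 0:
                problems.append(f"{SSE_CLOSE} without opener at offset {m.start()}")
                depth = 0
    if depth > 0:
        problems.append(f"{SSE_OPEN} never closed")
    return problems


def hidden_fragments(html: str) -> list:
    """The HTML a suspicious visitor would not receive, marker to marker."""
    return [m.group()[len(SSE_OPEN):-len(SSE_CLOSE)] for m in _SSE_BLOCK.finditer(html)]


def render_for_visitor(html: str, suspicious: bool) -> str:
    """Regular visitors get the page unchanged; suspicious ones lose SSE blocks."""
    if not suspicious:
        return html
    return _SSE_BLOCK.sub("", html)


# Constructed sample contact page (the address and phone number are made up).
CONTACT_PAGE = """<html><body>
<h1>Contact us</h1>
<p>Email: hello@example.com</p>
<!--sse-->
<p>1 Example St, Example City</p>
<p>Phone: +1 555 0100</p>
<!--/sse-->
<p>Office hours: 9 to 5</p>
</body></html>
"""

if __name__ == "__main__":
    print("marker problems:", check_sse_markers(CONTACT_PAGE) or "none")
    print("hidden from suspicious visitors:", hidden_fragments(CONTACT_PAGE))
    print(render_for_visitor(CONTACT_PAGE, suspicious=True))
```

The check matters because an unbalanced marker gives no clean answer about what is hidden, and the review of `hidden_fragments` is the moment to confirm that nothing outside the markers is sensitive: SSE hides content from visitors Cloudflare has already rated suspicious, while every other visitor still receives the full HTML, so it is a filter for low-reputation traffic rather than a substitute for authentication.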

Conclusion

By following the Page Rules outlined in this video, your domain can take better advantage of Cloudflare’s security features to harden the security of your domain.

The number of Page Rules available to your domain is limited by plan type. If you need more Page Rules, Cloudflare now offers you the ability to purchase more Page Rules à la carte. Be sure to visit our plans page for more information at: www.cloudflare.com/plans