Distributed Denial-of-Service (DDoS)

In a distributed denial-of-service (DDoS) attack, a network of computers work in tandem to overflow an access point and prevent legitimate users from accessing a service.

Cloudflare’s network capacity is 15x bigger than the largest DDoS attack ever recorded. With 30 Tbps of capacity, it can handle any modern distributed attack, including those targeting DNS infrastructure.

Cloudflare stands between you and DDoS no matter the attack size, type, or duration.

To learn more, read here.

SSL

SSL (Secure Socket Layer) is the standard security technology for establishing an encrypted link between a web server and a browser. This secure link ensures that all data transferred remains private. It’s also called TLS (Transport Layer Security). Millions of websites use SSL encryption everyday to secure connections and keep their customer’s data safe from monitoring and tampering.

Learn more about SSL settings:

1. Flexible
2. Full
3. Full (strict)

To learn more, read the knowledge article here.

How to:

Use Turn On button to navigate directly to SSL settings.

or

1. Log into dashboard
2. Go to Crypto tab
3. Locate SSL section
4. Select dropdown value

• Flexible
• Full
• Full (strict)

HTTPS

Hypertext transfer protocol secure (HTTPS) is the secure version of HTTP, which is the primary protocol used to send data between a web browser and a website. HTTPS is encrypted in order to increase security of data transfer. This is particularly important when users transmit sensitive data, such as by logging into a bank account, email service, or health insurance provider.

Any website, especially those that require login credentials, should use HTTPS. In modern web browsers such as Chrome, websites that do not use HTTPS are marked differently than those that are. Look for a green padlock in the URL bar to signify the webpage is secure. Web browsers take HTTPS seriously; Google Chrome and other browsers flag all non-HTTPS websites as not secure.

To learn more, read the knowledge article here.

How to:

Use Turn On button to navigate directly to HTTPS settings.

or

1. Log into dashboard
2. Go to Crypto tab
3. Locate Always Use HTTPS section
4. Select ON

Web Application Firewall (WAF)

A Web Application Firewall (WAF) examines web traffic to identify any suspicious activity. It can then automatically filter out illegitimate traffic based on rule sets that you specify.

Turning on the WAF will enable all packages including OWASP, Cloudflare Rules, and any custom rules you’ve set.

How to:

Use Turn On button to navigate directly to Firewall settings.

or

1. Log into dashboard
2. Go to Firewall tab
3. Locate Managed Rules section:
4. Toggle ON position to enable

Managed Ruleset

Managed Rulesets contains rulesets written and curated by Cloudflare engineers. Clicking on Rule Details will reveal the rulesets that this package consists of.

You will find 10 rulesets called Drupal, Flash, Joomla, Magento, Miscellaneous, PHP, Plone, Specials, WHMCS, and Wordpress.

To learn more, read the knowledge article here.

Understanding and Configuring DNSSEC in Cloudflare DNS

DNSSEC adds an authentication layer to an otherwise insecure DNS infrastructure. It guarantees that visitors are directed to your web server when they type your domain into a web browser, thus avoiding man-in-the-middle attacks and other types of DNS forgeries.

How to (obtain the Cloudflare DS record data):

Use Turn On button to navigate directly to HTTPS settings.

or

1. Log in to the Cloudflare dashboard.
2. Ensure the website for the DS record you need is selected.
3. Click the DNS app.
4. Scroll down to the DNSSEC panel.
5. Click Enable DNSSEC. You will see a dialog informing you that your configuration is pending until the DS record is added at your registrar.
6. Next, click to expand the DS Record dropdown in the DNSSEC panel.
7. Copy the DS record information displayed as you will need it for Step 2 below:
Step 1 - Enable DNSSEC in Cloudflare DNS
Step 2 - Add a DS record to your registrar

See detailed set-up steps here.

Argo Tunnel

Argo Tunnel exposes applications running on your local web server on any network with an internet connection without manually adding DNS records or configuring a firewall or router.

By enabling Argo in the Cloudflare dashboard, you’ll receive access to Smart Routing, Tiered Caching, and Tunnel.

How to:

Use Turn On button to navigate directly to Argo settings.

or

1. Log into dashboard
2. Go to Traffic tab
3. Locate Argo section and enable Argo, starting at $5 per month.

To learn more, click here.

Cloudflare Access: Identity and Access Management

Access protects internal resources by authenticating against identity providers you already use. With Access, you can control which users and groups can reach sensitive materials without a VPN or making code changes to your site.

• Secure, authenticate, and monitor user access to any domain, application, or path on Cloudflare.
• Quickly apply application-level user access permissions using existing single sign-on providers.
• Ensure compliance using real-time access logs available in the dashboard, API, or using a SIEM.

To learn more, click here.

How to:

Use Turn On button to navigate directly to Access settings.

or

1. Log into dashboard
2. Go to Access tab
3. Select Enable Access

What is the OWASP Top 10?

The Open Web Application Security Project, or OWASP, is an international non-profit organization dedicated to web application security. The OWASP Top 10 is a regularly-updated report outlining security concerns for web application security, focusing on the 10 most critical risks.

How to:

Use Turn On button to navigate directly to Firewall Rules (OWASP) settings.

or

1. Log into dashboard

2. Go to Firewall tab

3. Locate Package: OWASP ModSecurity Core Rule Set

4. Choose sensitivity level

• High
• Medium
• Low
• Off

5. Choose action

• Simulate
• Challenge
• Block

6. Enable Mode ON / OFF

Custom WAF Rules

Custom WAF Rules are rules that the Cloudflare WAF team writes specifically for a customer, based on that customer's unique requirements and/or their website's traffic patterns. This means that you can ask us to block virtually any combination of characteristics of a request.

To learn more, read the knowledge article here.

How to:

1. Contact Cloudflare Support by submitting a support ticket with the relevant WAF rule information.

2. Request a custom WAF rule via the Cloudflare dashboard: In the Firewall app under the Managed Rules tab, click on Request a rule in the Web Application Firewall section.

Custom SSL Certificate Upload

Custom SSL certificates provide several benefits:

• They are not shared by multiple customer domains.
• Customers can serve valid, existing origin SSL certificates from Cloudflare's network.

To learn more, read the knowledge article here.

Cloudflare and PCI Compliance

Custom SSL certificates provide several benefits:

The Payment Card Industry Data Security Standard (PCI DSS) is a global financial information security standard that keeps credit card holders safe. It ensures that any company processing credit card transactions adheres to the highest technical standards.

PCI certification has several levels. Level one (the highest level) is reserved for those companies that handle the greatest numbers of credit cards. Companies at level one PCI compliance are subject to the most stringent checks.

How to:

Use Turn On button to navigate directly to Crypto settings.

or

1. Log into dashboard
2. Click the appropriate Cloudflare account for the domain.
3. Ensure the proper domain is selected.
4. Click on the Cloudflare Crypto tab.
5. Scroll to the Minimum TLS Version section.
6. Select TLS 1.2

To learn more, read the knowledge article here.

Cloudflare Logs

Cloudflare Enterprise customers have access to detailed logs of HTTP requests for their domains. These logs are helpful for debugging, identifying configuration adjustments, and creating analytics, especially when combined with other data sources, such as application server logs.

To learn more, read the knowledge article here.

Cloudflare Spectrum

If you run TCP or UDP services on your origin, not just web-servers, but also gaming services, remote server access (SSH), or email (SMTP), they are exposed through open ports.

This means malicious attackers can send volumetric DDoS traffic or attempt to snoop sensitive, unencrypted data.

With Spectrum, you can extend the power of Cloudflare's DDoS, TLS, and IP Firewall to not just your web servers, but also your other TCP and UDP-based services, keeping them online and secure.

To learn more, read here.

Cloudflare Rate Limiting

Cloudflare Rate Limiting is a feature that allows customers to identify and mitigate high request rates automatically, either for specific URLs or for an entire domain.

The most common uses for Rate Limiting are:

• DDoS protection
• Brute-force attack protection
• Limited access to high-cost resources

To learn more, read the knowledge article here.

Cloudflare Bot Management

Identify, monitor, and mitigate automated requests with Bot Management, a Cloudflare mitigation solution based on machine learning. It complements our suite of firewall products including Web Application Firewall (WAF), Rate Limiting, and IP Reputation.

To learn more, read the knowledge article here.