Cloudflare environment audit checklist

Use this checklist to review a Cloudflare environment for configuration drift, risky bypasses, missing logging, duplicated rules, origin exposure, weak access controls, certificate issues, and operational gaps.

Step-by-step checklist

  1. Snapshot the current configuration across DNS, WAF, Rulesets, custom rules, Page Rules, Transform and Cache Rules, bot policy, TLS settings, and access, so the review starts from what is actually deployed rather than what is assumed. Pull it through the API with a read-only token rather than by hand from the dashboard, so the snapshot is complete and repeatable.
  2. Compare the deployed configuration against the intended baseline per zone to surface configuration drift: settings changed manually in the dashboard that never made it back into documentation or infrastructure-as-code.
  3. Hunt for risky bypasses: WAF skip rules, allow rules, IP allowlists, and Page Rules or custom rules that disable security features (a Page Rule set to Disable Security, for example), and check each for scope, justification, and an owner.
  4. Identify duplicate and conflicting rules (overlapping custom rules, redundant Cache Rules, and legacy Page Rules that shadow newer Rulesets) and flag rules that never match traffic. Rules in a ruleset are evaluated in order, so an identical rule placed after one with a terminating action such as block never fires.
  5. Check for direct-to-origin exposure: grey-clouded (DNS-only) records, leaked origin IPs in DNS history, missing origin firewall allowlisting, and absent Authenticated Origin Pulls. Treat any origin IP that was ever published in DNS as known to attackers; re-proxying the record does not erase passive-DNS history, so plan to rotate the IP. Authenticated Origin Pulls only helps if the origin is actually configured to verify the client certificate.
  6. Review access governance: account member roles and least privilege, two-factor enforcement, API token scope and expiry, audit-log coverage, and any shared or orphaned credentials.
  7. Assess logging and operational readiness: Logpush datasets, alerting, certificate ownership and expiry tracking, and whether change history is captured for the zones in scope.
  8. Compile findings into a drift-and-risk register with severity, owner, recommended fix, and a path to bring configuration back under change control.
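The steps above, and the FAQ answer on detecting drift further down, describe one pass: snapshot, diff against the baseline, hunt bypasses, duplicates, origin exposure and token risks, then fold everything into a register. The script below runs that pass offline over a saved snapshot. It is an added example, not Nanosek's tooling and not a Cloudflare product. It assumes the snapshot was pulled beforehand from the Cloudflare API (DNS records, the custom-rules ruleset, and the user's API tokens) and saved as JSON; every record in it is a constructed stand-in whose field names follow those API responses, with invented values, and the baseline is a hand-written stand-in for what infrastructure-as-code says should be deployed.

```python
# Added example (not Nanosek's tooling, not a Cloudflare product). One audit pass over a
# configuration snapshot saved earlier from the Cloudflare API (assumed sources: the zone's
# dns_records listing, the custom-rules ruleset, and the user's API token listing). All
# records below are constructed stand-ins using those field names; the values are invented.
from datetime import datetime, timedelta, timezone

SNAPSHOT = {  # constructed: what is actually deployed
    "dns_records": [
        {"name": "www.example.com", "type": "A", "content": "203.0.113.10", "proxied": True},
        {"name": "legacy.example.com", "type": "A", "content": "203.0.113.10", "proxied": False},
        {"name": "mail.example.com", "type": "MX", "content": "mx.example.com", "proxied": False},
    ],
    "custom_rules": [  # evaluated in order; a later copy of a terminating rule never fires
        {"id": "r1", "description": "Block SQLi probes", "action": "block", "enabled": True,
         "expression": 'http.request.uri.path contains "union select"'},
        {"id": "r2", "description": "Skip WAF for vendor scanner", "action": "skip", "enabled": True,
         "expression": "ip.src in {198.51.100.0/24}", "action_parameters": {"phases": ["http_request_firewall_managed"]}},
        {"id": "r3", "description": "Block SQLi probes (copy)", "action": "block", "enabled": True,
         "expression": 'http.request.uri.path contains "union select"'},
    ],
    "api_tokens": [
        {"name": "terraform", "status": "active", "expires_on": "2027-01-01T00:00:00Z"},
        {"name": "old-ci", "status": "active", "expires_on": None},
    ],
}
BASELINE = {  # constructed: what IaC/documentation says should be deployed
    "dns_records": {("www.example.com", "A"): ("203.0.113.10", True), ("mail.example.com", "MX"): ("mx.example.com", False)},
    "custom_rules": {"r1": ('http.request.uri.path contains "union select"', "block")},
}
NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)  # fixed clock so the run is reproducible
PROXYABLE = {"A", "AAAA", "CNAME"}  # record types that can sit behind the proxy
BYPASS_ACTIONS = {"skip", "allow"}  # actions that switch controls off for a slice of traffic

def _f(severity, check, detail): return {"severity": severity, "check": check, "detail": detail, "owner": "UNASSIGNED"}

def find_drift(snapshot, baseline):
    """Step 2: keys present on one side only, or whose values differ, are drift."""
    live = {"DNS record": {(r["name"], r["type"]): (r["content"], r["proxied"]) for r in snapshot["dns_records"]},
            "custom rule": {r["id"]: (r["expression"], r["action"]) for r in snapshot["custom_rules"]}}
    want = {"DNS record": baseline["dns_records"], "custom rule": baseline["custom_rules"]}
    out = []
    for kind in live:
        for key in live[kind].keys() | want[kind].keys():
            if key not in want[kind]:
                out.append(_f("medium", "drift", f"{kind} {key} is live but not in the baseline"))
            elif key not in live[kind]:
                out.append(_f("high", "drift", f"{kind} {key} is in the baseline but not live"))
            elif live[kind][key] != want[kind][key]:
                out.append(_f("high", "drift", f"{kind} {key} differs from baseline: {live[kind][key]}"))
    return out

def find_bypasses(rules):
    """Step 3: every enabled skip/allow rule is an exception that needs scope, reason and owner."""
    out = []
    for r in (r for r in rules if r.get("enabled", True) and r["action"] in BYPASS_ACTIONS):
        scope = ", ".join(r.get("action_parameters", {}).get("phases", [])) or "unspecified scope"
        out.append(_f("high", "bypass", f"rule {r['id']} ({r.get('description', '')}) {r['action']}s {scope} for {r['expression']}"))
    return out

def find_duplicates(rules):
    """Step 4: same expression and action as an earlier rule; the later copy is redundant or shadowed."""
    out, seen = [], {}
    for r in rules:
        key = (r["expression"], r["action"])
        if key in seen:
            out.append(_f("low", "duplicate", f"rule {r['id']} duplicates earlier rule {seen[key]}"))
        seen.setdefault(key, r["id"])
    return out

def find_origin_exposure(dns_records):
    """Step 5: DNS-only records bypass the edge; worse when they publish a proxied host's origin."""
    origins = {r["content"]: r["name"] for r in dns_records if r["proxied"] and r["type"] in PROXYABLE}
    out = []
    for r in (r for r in dns_records if r["type"] in PROXYABLE and not r["proxied"]):
        detail = f"{r['type']} {r['name']} is DNS-only and reachable without Cloudflare"
        if r["content"] in origins:
            detail += f"; it also reveals the origin of proxied host {origins[r['content']]}"
        out.append(_f("high" if r["content"] in origins else "medium", "origin-exposure", detail))
    return out

def find_token_risks(tokens, now):
    """Step 6: active tokens that never expire, or expire within 30 days without a rotation plan."""
    out = []
    for t in (t for t in tokens if t["status"] == "active"):
        if not t.get("expires_on"):
            out.append(_f("medium", "access", f"API token {t['name']} never expires"))
        elif datetime.fromisoformat(t["expires_on"].replace("Z", "+00:00")) - now < timedelta(days=30):
            out.append(_f("low", "access", f"API token {t['name']} expires within 30 days"))
    return out

def build_register(snapshot, baseline, now):
    """Step 8: one register sorted by severity; every row still needs an owner and a fix assigned."""
    findings = (find_drift(snapshot, baseline) + find_bypasses(snapshot["custom_rules"])
                + find_duplicates(snapshot["custom_rules"]) + find_origin_exposure(snapshot["dns_records"])
                + find_token_risks(snapshot["api_tokens"], now))
    return sorted(findings, key=lambda f: ("high", "medium", "low").index(f["severity"]))

if __name__ == "__main__":  # stand-alone run prints the register
    for f in build_register(SNAPSHOT, BASELINE, NOW): print(f"[{f['severity']}] {f['check']}: {f['detail']} (owner: {f['owner']})")
```

On the constructed data the register comes out with seven rows: the unmanaged legacy record and the two custom rules absent from the baseline (drift), the vendor-scanner skip rule (bypass), the copied block rule (duplicate), the DNS-only legacy record that also reveals the origin IP behind www (origin exposure, rated high for exactly that reason), and the never-expiring CI token (access). Each row is born with owner UNASSIGNED; the audit is not finished until that field is filled in.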

Risk register

Risk: Manual dashboard changes have drifted away from documentation or infrastructure-as-code, so nobody knows the true current state.

Control: Snapshot live configuration and diff it against the intended baseline, then capture every confirmed setting back into the source of truth.

Risk: Skip rules and allow rules quietly disable security controls for traffic that no longer needs the exception.

Control: List every bypass with its scope, reason, owner, and creation date; tighten or retire any that lack a current justification.

Risk: Duplicate and conflicting rules produce unpredictable behaviour and make changes risky.

Control: Map rule precedence across Page Rules, Rulesets, and custom rules, flag shadowed or never-matching rules, and consolidate overlapping logic.

Risk: A DNS-only record or a stale origin IP in DNS history leaves the origin reachable around the edge.

Control: Review every record's proxy status and DNS history, allowlist only Cloudflare's published IP ranges at the origin, enable Authenticated Origin Pulls on proxied hostnames and confirm the origin actually verifies the client certificate, and rotate any origin IP that has ever been published.

Risk: Over-broad account roles and unexpiring tokens mean more people and integrations can change config than necessary.

Control: Map members to least-privilege roles, enforce two-factor, and confirm each API token's scope, expiry, and owner against actual need.

Risk: Findings are noted but configuration keeps drifting after the audit.

Control: Hand over a drift register tied to change control and a re-review cadence so corrected settings stay corrected.

Useful deliverables

  • Configuration snapshot across DNS, WAF, Rulesets, custom rules, Page Rules, Transform and Cache Rules, TLS, and access per zone.
  • Drift report comparing deployed settings against the intended baseline, with each divergence attributed to an owner.
  • Bypass and exception register listing skip rules, allow rules, and security-disabling rules with scope and justification.
  • Duplicate and conflict findings covering overlapping, shadowed, and never-matching rules with consolidation recommendations.
  • Origin-exposure findings covering DNS-only records, leaked IPs, firewall allowlisting, and Authenticated Origin Pulls status.
  • Access governance report on member roles, two-factor, token scope and expiry, and audit-log coverage.
  • Drift-and-risk register with severity, owner, recommended fix, and a route back into change control.

Frequently asked questions

Common questions teams ask when putting this resource into practice.

What does an environment audit look for that a security audit does not?

It focuses on hygiene and governance: configuration drift from the intended baseline, risky bypasses, duplicate or conflicting rules, accidental origin exposure, and who can change what. A security audit instead measures how strong the protective controls themselves are.

How do you detect configuration drift?

By snapshotting the live configuration of each zone and diffing it against the documented or infrastructure-as-code baseline. Anything present in production but absent from the source of truth — or vice versa — is flagged with an owner.

Why are skip and allow rules treated as risks?

Each one disables a control for some slice of traffic. Over time the original reason is forgotten but the exception remains, widening the attack surface. The audit records scope, justification, owner, and age so stale bypasses can be retired.

Can the audit run without disrupting production?

Yes. The review reads configuration and DNS history rather than changing enforcement; run it with a read-only API token so the audit itself cannot change anything. Any recommended fix is staged and agreed with the owner, with rollback notes, rather than applied during the audit itself.

Nanosek

Audit your Cloudflare environment

Nanosek can turn this resource into a practical delivery plan for your environment — with rollback planning, stakeholder alignment, and 24/7 managed operations support.
