Cloudflare security audit checklist
Use this checklist to prepare a Cloudflare security audit across accounts, zones, WAF, bot controls, DDoS readiness, API Shield, rate limits, DNS, TLS, origin protection, Logpush, API tokens, Zero Trust policies, incident workflows, and remediation planning.
Step-by-step checklist
1. Establish scope: list every Cloudflare account, the zones under each, super administrator membership, and which teams own which applications, so the audit reflects the full estate rather than a single zone.
2. Review WAF posture per zone: which Managed Rulesets and OWASP rules are deployed, what action they take, how many rules sit in log versus block, and how skip rules and exceptions are scoped.
3. Assess DDoS and rate-limiting readiness: HTTP DDoS managed-rule sensitivity, L3/4 coverage for non-HTTP services, and whether Rate Limiting rules exist on login, checkout, token, and API endpoints.
4. Evaluate Bot Management and API Shield: bot score thresholds and challenge behavior on sensitive paths, plus API Shield discovery, schema validation, mTLS, and JWT validation coverage on documented APIs.
5. Check DNS, TLS, and origin protection: DNSSEC status, SSL/TLS mode (avoiding Flexible), minimum TLS version, certificate ownership, origin firewall allowlisting of Cloudflare IPs, and Authenticated Origin Pulls.
6. Audit access and token hygiene: account member roles and least privilege, two-factor enforcement, API token scope and expiry, legacy Global API Key usage, and any service tokens in active use.
7. Confirm visibility: Logpush datasets enabled, delivery to the SIEM, dashboards, and alerting on security events, so incidents are observable rather than discovered after the fact.
8. Produce a prioritised remediation plan grouping findings by severity, owner, effort, and rollback considerations, and define the cadence for re-auditing the estate.
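An added example, not the page's or Cloudflare's own code, that scores one zone against the baseline in steps 2 and 5 and tags each finding with the severity that step 8 asks for. The endpoint paths are Cloudflare API v4; the thresholds, severity levels and the "majority log-only" rule are assumptions of this example.

```python
import json
import urllib.error
import urllib.request

API = "https://api.cloudflare.com/client/v4"

def cf_get(path, token, missing=None):
    """GET a v4 endpoint with a scoped API token; return 'result', or `missing` on 404."""
    req = urllib.request.Request(API + path, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)["result"]
    except urllib.error.HTTPError as err:
        if err.code == 404 and missing is not None:  # e.g. no entrypoint ruleset exists yet
            return missing
        raise

def zone_findings(ssl_mode, min_tls, dnssec_status, aop_enabled, managed_rules, custom_rules):
    """(severity, message) findings for one zone; severities are this example's own baseline."""
    findings = []
    if ssl_mode != "strict":  # "flexible" leaves the edge-to-origin hop in plaintext
        findings.append(("high" if ssl_mode == "flexible" else "medium", f"SSL/TLS mode is {ssl_mode}; baseline is Full (strict)"))
    if min_tls in ("1.0", "1.1"):
        findings.append(("medium", f"Minimum TLS version {min_tls} allows deprecated protocols"))
    if dnssec_status != "active":
        findings.append(("medium", f"DNSSEC status is {dnssec_status}, not active"))
    if not aop_enabled:
        findings.append(("high", "Authenticated Origin Pulls disabled; origin cannot verify the edge"))
    if not any(r.get("action") == "execute" and r.get("enabled", True) for r in managed_rules):
        findings.append(("high", "No Managed Ruleset is executed in the WAF managed phase"))
    enabled = [r for r in custom_rules if r.get("enabled", True)]
    log_only = [r for r in enabled if r.get("action") == "log"]
    if enabled and 2 * len(log_only) > len(enabled):  # mostly monitoring, not enforcement
        findings.append(("medium", f"{len(log_only)} of {len(enabled)} custom WAF rules are log-only"))
    return findings

def audit_zone(zone_id, token):
    """Pull zone_findings' inputs from the live API; needs network and a read-scoped token."""
    z = f"/zones/{zone_id}"
    return zone_findings(
        cf_get(f"{z}/settings/ssl", token)["value"],
        cf_get(f"{z}/settings/min_tls_version", token)["value"],
        cf_get(f"{z}/dnssec", token)["status"],
        cf_get(f"{z}/origin_tls_client_auth/settings", token)["enabled"],
        cf_get(f"{z}/rulesets/phases/http_request_firewall_managed/entrypoint", token, {}).get("rules", []),
        cf_get(f"{z}/rulesets/phases/http_request_firewall_custom/entrypoint", token, {}).get("rules", []),
    )
```

Call `audit_zone(zone["id"], token)` for every zone returned by `cf_get("/zones", token)`, using a scoped read-only API token rather than the Global API Key, and feed the tuples into the remediation plan of step 8.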
Risks to control

| Risk | Control |
| --- | --- |
| The audit covers one zone while other zones and accounts run weaker or default configurations. | Enumerate every account and zone up front and audit posture per zone, flagging zones that inherit defaults or diverge from the agreed baseline. |
| WAF appears active but most rules sit in log mode, giving a false sense of protection. | Record the action (log, challenge, block) for each Managed Ruleset and custom rule, and separate genuine enforcement from monitoring-only coverage. |
| Long-lived API tokens or the Global API Key carry broad permissions and never expire. | Inventory every token and key, confirm scope and expiry, retire Global API Key usage in favour of scoped API tokens, and document an ownership and rotation plan. |
| Origins remain reachable directly, so the audited edge controls can be bypassed entirely. | Test origin reachability from outside Cloudflare, allowlist Cloudflare IP ranges at the origin firewall, and verify Authenticated Origin Pulls before signing off. |
| Security events are not reaching the SIEM, so findings cannot be validated against real traffic. | Confirm Logpush datasets are enabled and delivering, fields are parsed correctly, and alerts fire, before relying on the dashboard view alone. |
| Findings are listed without priority, so nothing gets remediated. | Rank each finding by severity, business impact, owner, and effort, and agree a remediation cadence rather than handing over a flat list. |
Useful deliverables
- Estate map of accounts, zones, super administrators, and application ownership in scope for the audit.
- WAF and DDoS posture report covering Managed Rulesets, OWASP rules, custom rules, rate limits, and enforcement mode per zone.
- Bot Management and API Shield coverage summary across sensitive paths and documented APIs.
- DNS, TLS, certificate, and origin-protection findings including DNSSEC, SSL/TLS mode, and origin allowlisting status.
- Access and token hygiene report covering member roles, two-factor enforcement, API token scope and expiry, and legacy key usage.
- Logging and alerting assessment confirming Logpush datasets, SIEM delivery, dashboards, and security-event alerts.
- Prioritised remediation plan with severity, owner, effort, rollback notes, and a re-audit cadence.
Frequently asked questions
Common questions teams ask when putting this resource into practice.
How is a security audit different from an environment audit?
A security audit reviews the strength of protective controls — WAF, DDoS, Bot Management, API Shield, rate limits, TLS, DNS, origin protection, Logpush, and token hygiene — across accounts and zones. An environment audit focuses on configuration drift, risky bypasses, duplicate rules, and access governance. They overlap but answer different questions.
Do you need admin access to run the audit?
Review can be done with a read-only or auditor role for most findings. Verifying origin protection and token scope may need additional context, and any remediation requires appropriately scoped access agreed in advance with the account owner.
How are findings prioritised?
Each finding is scored by severity and business impact — for example a directly reachable origin or an unexpiring broad-scope token ranks above a cosmetic rule-naming issue — then grouped by owner, effort, and rollback risk so remediation can be sequenced.
How often should the estate be re-audited?
Posture decays as rules, tokens, and zones are added. A recurring cadence — typically tied to release cycles plus an annual deep review — keeps WAF enforcement, token hygiene, and origin protection from drifting back toward defaults.
Nanosek can turn this resource into a practical delivery plan for your environment — with rollback planning, stakeholder alignment, and 24/7 managed operations support.