
Nanosek provides Cloudflare Security Audit services for organizations that need to assess and improve security posture across Cloudflare WAF, DDoS protection, Bot Management, API Shield, Rate Limiting, DNS, TLS, certificates, origin protection, Zero Trust, Logpush, account governance, and incident readiness. The audit delivers evidence-based findings, severity ratings, affected zones or services, practical recommendations, quick wins, and a prioritized remediation roadmap.


Who this is for

Security, infrastructure, platform, application, IT operations, compliance, and enterprise teams responsible for Cloudflare security posture.
Organizations that need evidence-based findings, severity ratings, affected zones or services, remediation priorities, and executive-ready reporting.
Teams preparing for an audit, renewal, incident review, managed services handover, or Cloudflare security improvement program.

Why audit Cloudflare security

Find exposed origins

Identify origin IPs, direct DNS records, bypass paths, firewall gaps, and origin access patterns that allow traffic to avoid Cloudflare controls.

Validate WAF enforcement

Review Managed Rules, Custom Rules, actions, exceptions, skip rules, rule ordering, and paths that are still only logging.

Reduce false-positive risk

Find broad rules, unscoped skips, sensitive flows, and enforcement patterns that could block legitimate users or integrations.

Protect APIs and login flows

Assess API Shield, mTLS, schema validation, WAF rules, rate limits, authentication-sensitive endpoints, and abuse-prone paths.

Review bot protection posture

Evaluate bot score usage, verified bot handling, challenge behavior, allowlists, false positives, and bot-event visibility.

Confirm DDoS readiness

Review HTTP DDoS posture, rate controls, origin resilience, cache behavior, escalation paths, and response workflows.

Improve DNS and TLS hygiene

Check proxy status, CAA, DNSSEC, risky records, SSL/TLS mode, minimum TLS version, certificate coverage, HSTS, and mTLS readiness.

Strengthen account governance

Review users, roles, API tokens, account structure, audit logs, naming standards, Terraform or API workflows, and change control.

Improve logging and investigation readiness

Assess Logpush, Security Events, WAF and bot events, audit logs, dashboards, SIEM integration, alerting, retention, and investigation workflows.

Build a prioritized remediation roadmap

Convert findings into critical fixes, quick wins, planned improvements, and longer-term maturity work with clear implementation notes.

Common security findings

Cloudflare security controls are powerful, but they only reduce risk when they are configured, tuned, monitored, and governed correctly. Many environments grow over time: new zones are added, WAF exceptions accumulate, origins remain reachable, APIs launch without rate limits, bot policies stay in monitor mode, TLS settings drift, and logs are not reviewed.

  • Origin IPs are still reachable outside Cloudflare
  • SSL mode is Flexible or not Full Strict
  • Minimum TLS version is too low
  • WAF Managed Rules are disabled or only logging
  • Custom WAF rules are too broad or duplicated
  • Skip rules bypass too much security
  • No rate limiting on login or expensive API endpoints
  • Bot controls are enabled but not tuned
  • Verified bots are not handled separately
  • APIs are protected like regular web pages
  • CAA records block certificate issuance
  • DNS-only records expose sensitive origins
  • No Logpush or SIEM visibility for security events
  • API tokens have excessive permissions
  • Zero Trust policies are too broad
  • Tunnels and private routes lack ownership documentation
  • No incident response runbook exists for WAF, bot, or DDoS events

Our Cloudflare security audit methodology

Phase 1

Scope and access review

  • Define accounts, zones, applications, APIs, Zero Trust components, products, and environments in scope.
  • Confirm read-only access, stakeholders, documentation sources, and reporting expectations.

Phase 2

Security inventory

  • Collect Cloudflare account settings, zone settings, DNS records, WAF rules, managed rules, custom rules, rate limits, bot settings, certificates, origin configuration, Logpush jobs, API tokens, and Zero Trust policies.

Phase 3

Risk analysis

  • Review each area for security exposure, availability risk, false-positive risk, operational gaps, logging gaps, and governance issues.

Phase 4

Evidence-based findings

  • Document each finding with affected zones or services, severity, evidence, business impact, recommended action, and implementation notes.

Phase 5

Remediation roadmap

  • Prioritize recommendations into critical fixes, quick wins, planned improvements, and longer-term maturity work.

Phase 6

Review workshop

  • Walk stakeholders through findings, validate assumptions, explain tradeoffs, and agree on remediation sequence.

Phase 7

Optional remediation and managed operations

  • Nanosek can help implement fixes, tune WAF and bot controls, harden origins, configure logging, create runbooks, and provide ongoing Cloudflare security operations.

Severity model

Critical: Misconfiguration that can expose origins, bypass security controls, cause major downtime, or create immediate high-impact security risk.
High: Important security gap that should be remediated soon, such as weak TLS, missing controls on critical paths, overbroad WAF skips, exposed APIs, or excessive access permissions.
Medium: Configuration gap that increases operational risk, reduces visibility, or weakens protection but may require context before prioritization.
Low: Hygiene, consistency, cleanup, naming, documentation, or minor hardening improvement.
Informational: Observations, optimization opportunities, future-state recommendations, or maturity improvements.
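One way to turn a few of the common findings above into a repeatable check that applies this page's severity model. This is an added example, not Nanosek's audit tooling: the zone export shape mirrors the Cloudflare v4 API fields for DNS records (type, name, content, proxied) and the ssl and min_tls_version zone settings, and the sample zone below is constructed.

```python
"""Score a Cloudflare zone export against the DNS-only origin exposure,
SSL mode and minimum TLS findings listed above (added example, not
Nanosek's code). SAMPLE_ZONE is constructed; the field names follow the
Cloudflare v4 API objects for DNS records and zone settings."""

# Constructed sample: the proxied apex and an unproxied "origin" record
# share an IP, a VPN host is unproxied on a different IP, and the zone
# settings are weak on purpose so every check below fires.
SAMPLE_ZONE = {
    "name": "example.com",
    "dns_records": [
        {"type": "A", "name": "example.com", "content": "203.0.113.10", "proxied": True},
        {"type": "A", "name": "origin.example.com", "content": "203.0.113.10", "proxied": False},
        {"type": "A", "name": "vpn.example.com", "content": "198.51.100.7", "proxied": False},
        {"type": "CNAME", "name": "www.example.com", "content": "example.com", "proxied": True},
        {"type": "MX", "name": "example.com", "content": "mail.example.com", "proxied": False},
    ],
    "settings": {"ssl": "flexible", "min_tls_version": "1.0"},
}

# Ordering used to sort findings the way the severity model ranks them.
SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3, "Informational": 4}


def audit_zone(zone):
    """Return (severity, finding, affected record or zone) tuples, highest first."""
    findings = []
    # IPs that sit behind a proxied A/AAAA record are origins of protected hostnames.
    proxied_ips = {r["content"] for r in zone["dns_records"]
                   if r.get("proxied") and r["type"] in ("A", "AAAA")}
    for r in zone["dns_records"]:
        if r["type"] in ("A", "AAAA") and not r.get("proxied"):
            # A DNS-only A/AAAA record is reachable without passing Cloudflare.
            # When it reveals the origin of a proxied hostname the controls are
            # bypassable, which the severity model rates Critical; otherwise the
            # host needs context before prioritization, so Medium.
            sev = "Critical" if r["content"] in proxied_ips else "Medium"
            findings.append((sev, "DNS-only record exposes origin", r["name"]))
    # Zone setting "ssl" is one of off / flexible / full / strict; only
    # "strict" (Full Strict) validates the origin certificate.
    ssl = zone["settings"].get("ssl")
    if ssl != "strict":
        findings.append(("High", f"SSL mode is {ssl}, not Full Strict", zone["name"]))
    # TLS 1.0 and 1.1 minimums are the "minimum TLS version too low" finding.
    if zone["settings"].get("min_tls_version", "1.0") in ("1.0", "1.1"):
        findings.append(("High", "Minimum TLS version is too low", zone["name"]))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for sev, what, where in audit_zone(SAMPLE_ZONE):
        print(f"{sev:<8} {where:<22} {what}")
```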

Security audit coverage matrix

WAF
  • What we review: Managed Rules, Custom Rules, skips, exceptions, actions
  • Example output: WAF tuning and enforcement roadmap.

DDoS
  • What we review: HTTP DDoS posture, origin resilience, rate controls
  • Example output: DDoS readiness recommendations.

Bot
  • What we review: Bot score, verified bots, challenge behavior
  • Example output: Bot policy and false-positive tuning plan.

API security
  • What we review: API Shield, mTLS, schemas, rate limits
  • Example output: API protection roadmap.

Rate limiting
  • What we review: Login, forms, search, checkout, APIs
  • Example output: Scoped rate limiting recommendations.

Origin protection
  • What we review: Origin exposure, Authenticated Origin Pulls (AOP), firewall allowlists
  • Example output: Origin hardening plan.

DNS security
  • What we review: Proxy status, CAA, DNSSEC, risky records
  • Example output: DNS security cleanup plan.

TLS/certificates
  • What we review: SSL mode, TLS minimums, certificate coverage
  • Example output: TLS hardening recommendations.

Zero Trust
  • What we review: Access, Gateway, WARP, tunnels, device posture
  • Example output: Zero Trust security findings.

Logging
  • What we review: Logpush, SIEM, alerts, retention
  • Example output: Security observability improvement plan.

Governance
  • What we review: Users, roles, API tokens, audit logs
  • Example output: Access and change-control recommendations.

Deployment steps

  1. Define scope, accounts, zones, applications, APIs, Zero Trust components, documentation sources, and read-only access.
  2. Inventory account settings, DNS, WAF, bot, DDoS, API Shield, rate limits, certificates, origins, Logpush, API tokens, and Zero Trust policies.
  3. Assess security exposure, availability risk, false-positive risk, logging gaps, governance issues, and incident readiness.
  4. Document evidence-based findings with severity, affected zones or services, business impact, recommendations, and implementation notes.
  5. Prioritize remediation into critical fixes, quick wins, planned improvements, and maturity work.
  6. Run a findings workshop with stakeholders to validate assumptions and agree on action order.
  7. Optionally support remediation, runbook creation, tuning, hardening, logging, and managed Cloudflare security operations.

Risks and mitigations

  • Risk: Origin exposure. Mitigation: Restrict origin access to Cloudflare, use Authenticated Origin Pulls, remove direct records, and review leaked origin paths.
  • Risk: Weak TLS posture. Mitigation: Use Full Strict, valid origin certificates, modern TLS minimums, and careful HSTS planning.
  • Risk: Overbroad WAF skip rules. Mitigation: Replace broad skips with scoped exceptions by hostname, path, method, IP, header, or integration.
  • Risk: WAF stuck in log mode. Mitigation: Review events, tune exceptions, then promote controls gradually to challenge or block.
  • Risk: Missing rate limits. Mitigation: Add scoped limits for login, forms, search, expensive APIs, and abuse-prone endpoints.
  • Risk: Bot false positives. Mitigation: Use bot score review, verified bot handling, path-specific policies, and monitor-to-challenge rollout.
  • Risk: Unprotected APIs. Mitigation: Add API-specific WAF rules, rate limits, API Shield, mTLS, and schema validation where appropriate.
  • Risk: Missing visibility. Mitigation: Configure Logpush, dashboards, alerting, and security event review workflows.
  • Risk: Excessive API token permissions. Mitigation: Replace broad tokens with scoped tokens and documented ownership.
  • Risk: Zero Trust policy drift. Mitigation: Review Access, Gateway, WARP, tunnels, identity groups, and device posture policies.

Cloudflare security audit checklist

  • Cloudflare accounts and zones inventoried
  • Users and roles reviewed
  • API tokens reviewed
  • Audit logs reviewed
  • DNS records and proxy status reviewed
  • DNSSEC and CAA reviewed
  • SSL/TLS mode reviewed
  • Minimum TLS version reviewed
  • Certificate coverage reviewed
  • Origin exposure reviewed
  • Authenticated Origin Pulls reviewed
  • WAF Managed Rules reviewed
  • WAF Custom Rules reviewed
  • WAF skip rules reviewed
  • WAF exceptions reviewed
  • Rate limits reviewed
  • Bot Management posture reviewed
  • Verified bot handling reviewed
  • API Shield posture reviewed
  • Login, checkout, form, and API paths reviewed
  • DDoS readiness reviewed
  • Logpush and SIEM visibility reviewed
  • Alerting and incident workflows reviewed
  • Zero Trust Access policies reviewed
  • Gateway and WARP policies reviewed
  • Tunnels and private routes reviewed
  • Change control and rollback reviewed

Deliverables

  • Cloudflare security audit report
  • Executive summary
  • Technical findings with severity ratings
  • Evidence and affected zones/services
  • WAF posture review
  • Bot and rate limiting review
  • DDoS readiness assessment
  • API security review
  • Origin exposure assessment
  • DNS and TLS security review
  • Zero Trust security review, if in scope
  • Logging and SIEM visibility review
  • Account governance review
  • Quick-win remediation list
  • Prioritized security roadmap
  • Review workshop
  • Optional remediation backlog

Plan-aware recommendations

Cloudflare security capabilities vary by plan and add-on. Nanosek audits the environment against the controls available in your current Cloudflare plan, then separates recommendations into immediate configuration improvements, plan-dependent enhancements, and optional future-state controls.

Business plan controls may require different rule design than Enterprise.
Some Bot Management, Advanced Rate Limiting, API Shield, Logpush, or account-level controls may depend on plan or purchased features.
Recommendations distinguish available-now actions from upgrade-dependent actions.
The report avoids treating unavailable controls as mandatory for the current plan.

When Nanosek should help

You already use Cloudflare but are not sure if security is configured correctly.
You need to identify exposed origins, weak TLS, or risky DNS records.
You want to improve WAF, bot, DDoS, API, and rate limiting posture.
You are preparing for an audit, renewal, incident review, or managed services handover.
You need plan-aware recommendations based on your Cloudflare subscription.
You need a remediation roadmap instead of generic best practices.
You want Nanosek to help implement and operate improvements after the audit.

Frequently asked questions

What is a Cloudflare security audit?
A Cloudflare security audit is a structured review of Cloudflare security configuration across WAF, DDoS protection, Bot Management, API Shield, Rate Limiting, DNS, TLS, certificates, origin protection, Zero Trust, logging, account access, and operational workflows.

Is this different from a Cloudflare environment audit?
Yes. A security audit focuses primarily on security posture, exposure, control effectiveness, false-positive risk, logging, and incident readiness. An environment audit is broader and also covers performance, operations, standardization, and maturity.

What access does Nanosek need?
Most audit work can start with read-only access to the relevant Cloudflare accounts, zones, and Zero Trust configuration. The exact access model depends on scope and customer policy.

Will Nanosek make changes during the audit?
By default, the audit is a review and recommendation engagement. Remediation can be handled as a separate approved phase after findings are reviewed.

What are common Cloudflare security issues?
Common issues include exposed origins, weak TLS settings, overbroad WAF skip rules, missing rate limits, untuned bot controls, unprotected APIs, missing Logpush visibility, excessive API token permissions, and inconsistent Zero Trust policies.

Can this audit include Cloudflare Zero Trust?
Yes. If included in scope, Nanosek can review Access applications, Gateway policies, WARP profiles, tunnels, private routes, identity provider integration, device posture, and policy structure.

Do you account for Cloudflare plan limitations?
Yes. Nanosek can separate recommendations into controls available in the current plan, configuration improvements, and optional plan-dependent enhancements.

How are findings prioritized?
Findings are prioritized by severity, business impact, affected zones or services, exploitability, operational risk, and implementation effort. The output includes quick wins and a practical remediation roadmap.

Can Nanosek help implement the recommendations?
Yes. Nanosek can help tune WAF and bot controls, harden origins, add rate limits, improve TLS posture, configure Logpush, tighten account governance, create runbooks, and provide managed Cloudflare operations.

Turn Cloudflare security findings into action

Nanosek helps you identify real risks, prioritize remediation, and improve Cloudflare security controls with evidence-based recommendations and practical implementation support.
