Questions tagged [cloudflare]

Cloudflare is a Content Delivery Network (CDN).

47 questions
22 votes, 3 answers

How does a company like CloudFlare block bot crawling and email harvesters?

I saw this on CloudFlare's homepage: CloudFlare protects against a range of threats: cross site scripting, SQL injection, comment spam, excessive bot crawling, email harvesters, and more. How could a company like CloudFlare block crawler bots and…
Anders
16 votes, 2 answers

Is cloudflare injecting tracking code for PDF requests in browsers via the browser PDF plugin?

Opening a PDF link in the browser (e.g. google chrome with the ootb PDF viewer plugin) apparently indicates that when the PDF is hosted on a cloudflare-facing domain there is additional data present in the embed code. Inspecting the page source of a…
ccpizza
13 votes, 3 answers

Webserver DDOS protection without giving away private keys (https, tls, ssl)

What are the possible ways to protect an organization's web servers from a DDoS attack without giving away your web server's https private keys? Many of the common solutions for DDoS protection of a web server (eg CloudFlare) require you to give a…
9 votes, 3 answers

How can CloudFlare provide a valid SSL certificate for domains not under its control?

CloudFlare provides a reverse proxy, and it offers SSL support ("flexible", "full", "strict full", and "keyless"). How does CloudFlare manage to get a valid certificate for domains it does not own? Don't the certificate authorities normally require…
Flimm
8 votes, 1 answer

What does using Cloudflare's WARP app offer that HTTPS (websites) alongside DNS over HTTPS / TLS doesn't?

Introduction to Cloudflare WARP: I’ve been looking at Cloudflare's WARP app for mobile. It claims to be a VPN but without some of the IP hiding anonymity features normal VPNs have: “Under the covers, WARP acts as a VPN. But now in the 1.1.1.1 App, if…
SneakyShrike
7 votes, 2 answers

Does cloudflare protect against BREACH attacks?

I know that enabling http compression would make a server vulnerable to the BREACH attacks. So we have disabled compression from the server side, tested and it was all good. Then we implemented CloudFlare for the instance. We performed the SSL…
Anonymous Platypus
6 votes, 1 answer

How SSL/TLS handshake happens when we use Cloudflare Service?

I was reading about the offerings of Cloudflare and then I read about the working of Cloudflare. Based on my understanding, the domain name of my website (alice.com) is resolved to the IP address of Cloudflare Data Center which communicates with…
Shiv Sahni
5 votes, 2 answers

Does Cloudflare masking my IP make my server more secure?

I've heard in a conversation and read in some forum posts that Cloudflare will proxy your IP, hiding it from the public, and this mitigates the risk of an attacker finding your server in the first place, making it more secure. Is there any truth to…
TCooper
5 votes, 2 answers

How can cloudflare read encrypted request without private key?

We have Cloudflare in our production server and the encryption level is full, not flexible. This webpage said Cloudflare can decrypt the request. But we didn't give our server's private key to Cloudflare. How is this even possible? Does this mean…
3 votes, 0 answers

How does Cloudflare negotiate its server certificate?

When I access https://example.com on my company's laptop that has an X509 client certificate installed, using my home internet connection, without using a VPN, the requested page is signed using the company's Root CA (which was distributed to my…
Lemon Sky
3 votes, 2 answers

How do I prevent traffic on my site from a source other than Cloudflare?

I use Google Cloud Platform to serve the site I manage. I have one load balancer there, which controls the movement to several virtual machines. When I came across the problem of DDOS attacks on this site, I started using Google Armor to block the…
simhumileco
3 votes, 1 answer

Why is TLS1.2 wrapped in TLS1.3?

I was just curious about TLS1.3 which Cloudflare is one of the companies leading the implementation. I then visited blog.cloudflare.com and turned on my Wireshark. I am not 100% clear about all technical details of TLS1.3, but one of the new…
匿名柴棍
2 votes, 1 answer

Rate Limit DNS Subdomain Requests

I work at a company that provides a SaaS program for other organizations, and each subscribed organization receives their own subdomain of their choosing - generally they choose the organization name. We recently discovered that there are tools that…
Daryl1976
2 votes, 3 answers

Security implications of Cloudflare's SSL Full mode (not Strict)

Cloudflare enables several options regarding the communication between its servers and our own. "SSL Full" means Cloudflare encrypts the traffic but doesn't check the validity of our servers' certificate. "SSL Full (Strict)" means Cloudflare…
2 votes, 1 answer

Seems my CNAMEs got "curled". Somebody please explain this to me

According to my CloudFlare firewall logs, somebody went through each of my subdomains. My website is not advertised, it doesn't even show on Google unless typing the exact domain name into it. I think I know where they found it listed,…