6.12. Attack Surface Security Checks
Checks that evaluate attack surface reduction including Security Center, exposed credentials, and origin IP exposure.
6.12.1. Check Summary

| Check ID | Title | Severity | Compliance |
|---|---|---|---|
| CFL-SEC-001 | Security Center Insights | high | SOC2 CC3.1, NIST ID.RA-1 |
| CFL-SEC-002 | Exposed Credentials | critical | SOC2 CC6.1, PCI 6.5, NIST PR.DS-5 |
| CFL-INSIGHT-001 | Infra Proxy Status | high | SOC2 CC6.1, NIST PR.DS-5 |
| CFL-INSIGHT-002 | Email Security | high | SOC2 CC6.1, PCI 3.4, NIST PR.DS-5 |
| CFL-INSIGHT-003 | Security Center Recs | medium | SOC2 CC3.1, NIST ID.RA-1 |
| CFL-INSIGHT-004 | DDoS Protection | high | SOC2 CC6.1, PCI 6.5, NIST PR.DS-5 |
| CFL-INSIGHT-005 | Unproxied DNS Records | medium | SOC2 CC6.1, NIST PR.DS-5 |
6.12.1.1. CFL-SEC-001: Security Center Insights
Severity: high | Category: attack-surface
Security Center provides visibility into infrastructure risks and recommendations.
Remediation: Review Security Center recommendations in the Cloudflare Dashboard.
6.12.1.2. CFL-SEC-002: Exposed Credentials
Severity: critical | Category: attack-surface
Exposed credentials in code repositories or public data leaks create an immediate compromise risk.
Remediation: Rotate exposed credentials immediately. Implement secret scanning in CI/CD pipelines.
6.12.1.3. CFL-INSIGHT-001: Infra Proxy Status
Severity: high | Category: attack-surface
Infrastructure not proxied through Cloudflare lacks DDoS protection and WAF coverage.
Remediation: Proxy all infrastructure through Cloudflare to enable protection.
6.12.1.4. CFL-INSIGHT-002: Email Security
Severity: high | Category: attack-surface
Email security features (routing, SPF/DKIM/DMARC) prevent phishing and email-based attacks.
Remediation: Enable email security routing and configure SPF/DKIM/DMARC records.
6.12.1.5. CFL-INSIGHT-003: Security Center Recommendations
Severity: medium | Category: attack-surface
Unresolved Security Center recommendations indicate known but unaddressed risks.
Remediation: Address Security Center recommendations systematically.
6.12.1.6. CFL-INSIGHT-004: DDoS Protection
Severity: high | Category: attack-surface
DDoS protection should be enabled on all zones to absorb volumetric attacks.
Remediation: Enable DDoS protection — it is included by default on all Cloudflare plans.
6.12.1.7. CFL-INSIGHT-005: Unproxied DNS Records
Severity: medium | Category: attack-surface
DNS records that are not proxied expose origin IPs and bypass Cloudflare protection.
Remediation: Enable proxy (orange cloud) on DNS records unless they require direct resolution (e.g., MX, TXT for verification).
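The detection logic behind CFL-INSIGHT-005, as an added illustration rather than the tool's own code: it flags unproxied A/AAAA/CNAME records, skips types that must resolve directly (MX, TXT and similar), and notes when an unproxied record points at the same target as a proxied hostname, since that is the case where the origin of a protected service is revealed. The record shape is assumed to mirror the Cloudflare DNS API (type, name, content, proxied, proxiable); the sample zone and the `Finding` type are constructed for this example.

```python
from dataclasses import dataclass

# Only these record types can sit behind the Cloudflare proxy (orange cloud).
# MX, TXT, NS, SRV and the like must resolve directly and are never findings.
PROXIABLE_TYPES = {"A", "AAAA", "CNAME"}


@dataclass(frozen=True)
class Finding:  # constructed for this example, not the tool's own type
    check_id: str
    severity: str
    name: str
    record_type: str
    reason: str


def check_unproxied_records(records):
    """CFL-INSIGHT-005: one Finding per unproxied A/AAAA/CNAME record.

    `records` are dicts shaped like Cloudflare DNS API records (assumption).
    A record the API marks non-proxiable is skipped: the orange cloud cannot
    be enabled on it, so the remediation does not apply.
    """
    # Targets already served through the proxy; an unproxied record pointing
    # at the same target exposes the origin those protected hostnames rely on.
    protected_targets = {r["content"] for r in records if r.get("proxied")}
    findings = []
    for rec in records:
        rtype = rec["type"].upper()
        if rtype not in PROXIABLE_TYPES or rec.get("proxied") or rec.get("proxiable") is False:
            continue
        reason = f"{rtype} record resolves directly to {rec['content']}"
        if rec["content"] in protected_targets:
            reason += ", which is also the origin behind proxied hostnames"
        findings.append(Finding("CFL-INSIGHT-005", "medium", rec["name"], rtype, reason))
    return findings


# Constructed sample zone (not real data): two findings, three clean records.
SAMPLE_RECORDS = [
    {"type": "A", "name": "www.example.com", "content": "203.0.113.10", "proxied": True, "proxiable": True},
    {"type": "A", "name": "origin.example.com", "content": "203.0.113.10", "proxied": False, "proxiable": True},
    {"type": "AAAA", "name": "api.example.com", "content": "2001:db8::1", "proxied": False, "proxiable": True},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "proxied": False, "proxiable": False},
    {"type": "TXT", "name": "_dmarc.example.com", "content": "v=DMARC1; p=reject", "proxied": False, "proxiable": False},
]

if __name__ == "__main__":
    for f in check_unproxied_records(SAMPLE_RECORDS):
        print(f"{f.check_id} [{f.severity}] {f.name} ({f.record_type}): {f.reason}")
```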