6. Security Checks

FlareInspect runs 40+ security checks across 21 categories against your Cloudflare account and zones.

6.26. Categories

Category	Description
Account	MFA enforcement, admin access, audit logging
DNS	DNSSEC, proxy status, wildcard records, CAA, DoH
SSL/TLS	SSL mode, TLS versions, HSTS, certificate validity
WAF	Security level, custom rules, rate limiting, OWASP
Zero Trust	IdP, access policies, device enrollment, tunnels, Gateway
Workers & Pages	Route security, resource limits, deployment protection
API Gateway	API Shield, API Discovery
Bot Management	Bot Fight Mode, Turnstile widget security
Attack Surface	Security Center, exposed credentials, origin IP exposure
DLP	Data Loss Prevention policies
Page Shield	Client-side script monitoring
Tunnels & Gateway	Cloudflare Tunnels, Secure Web Gateway
Cache Deception	Cache Deception Armor protection
Snippets	Edge snippet security
Custom Hostnames	Custom hostname validation
AI Gateway	AI Gateway configuration security
Origin Certs	Origin certificate expiry monitoring
Logpush	Logpush destination and coverage
mTLS	Mutual TLS enforcement and certificate rotation

6.27. Quick Start

Run only specific check categories:

flareinspect assess --token $TOKEN --checks dns,ssl,waf

Or run all checks against all zones:

flareinspect assess --token $TOKEN