Initial commit: Cloudflare infrastructure with WAF Intelligence
- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation
79
cloudflare_waf_baseline.md
Normal file
@@ -0,0 +1,79 @@
# Cloudflare WAF Baseline

## Purpose
A hardened, reproducible baseline for Web Application Firewall (WAF) configuration across VaultMesh, OffSec, and associated domains.

---

## 1. Core WAF Mode
- OWASP Core Ruleset: **Enabled (Latest version)**
- Paranoia Level: **1 (default)** – raise to 2 for internal/admin surfaces
- Bot Protection: **Enabled**
- Super Bot Fight Mode: **Enabled (if plan supports)**
- API Shield: **Enabled on `/api/*` paths**

---

## 2. Mandatory Managed Rules
- Cloudflare Managed WAF Rules: **Enabled**
- Directory Traversal: Block
- SQL Injection: Block
- XSS: Block
- File Inclusion: Block
- Broken Authentication: Block
- Common Vulnerabilities: Block

---

## 3. Custom Firewall Rules (Baseline)
### Block non-HTTPS
```
(if not ssl) then block
```

### Restrict admin panels
```
(http.request.uri.path contains "/admin" and ip.src not in {trusted_admin_ips}) -> block
```

### Rate-limit API endpoints
```
Path: /api/
Threshold: 30 req/10s per IP
Action: block for 1 minute
```

### Challenge suspicious countries
```
ip.src.country in {CN, RU, KP, IR} -> managed_challenge
```

---

## 4. TLS Settings
- TLS Mode: **Full (strict)**
- Minimum TLS Version: **1.2**
- HSTS: Enabled (1 yr + includeSubDomains)
- TLS Keyless Origin: Optional (if needed)

---

## 5. Logging & Metrics
- Logpush to R2/SIEM: Enabled
- Track:
- WAF rule matches
- Rate-limit triggers
- Bot detections
- Country spikes
- Alerts:
- 10× spike in WAF blocks
- Repeated blocks for same URI

---

## 6. Change-Control
All modifications:
1. Must be captured in VaultMesh receipt
2. Weekly WAF snapshot → anchored
3. Changes require dual approval for OffSec cluster
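Review bot: the custom rules in section 3 are written as pseudocode rather than as Cloudflare Rules-language expressions, which works against the "reproducible" goal stated under Purpose: `(if not ssl) then block`, `ip.src not in {trusted_admin_ips}` and `ip.src.country in {CN, RU, KP, IR}` would all be rejected by the expression editor. Spell each one out as a deployable expression with its action beside it: `ssl` is a boolean field, so the first becomes `not ssl`; IP lists are referenced as `$trusted_admin_ips`, not inside braces; set literals are quoted and space-separated, `{"CN" "RU" "KP" "IR"}`. For the non-HTTPS rule, also decide whether a block is really intended, since a plain-HTTP visitor then gets a block page instead of the redirect that the Always Use HTTPS setting performs. In section 4, "TLS Keyless Origin" does not name a Cloudflare feature; if the intent is Keyless SSL (the customer keeps the edge private key) say so, and if the intent is origin hardening, Authenticated Origin Pulls is the setting that pairs with Full (strict) and belongs in the baseline.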