# Web-Infrastructure Security Patterns (Cloudflare Operations)

## 1. Identity & Access Hardening

Patterns across:

- Login / 2FA pages
- Password reset flow
- API tokens page
- Profile preferences

**Emergent pattern:** Strong account-level security signals: MFA, controlled API tokens, isolated profiles. Cloudflare strongly encourages short-lived scoped tokens → aligns with VaultMesh's capability-based model.

**Takeaway:** **Centralize identity. Minimize trust radius. Scope everything.**

---

## 2. Boundary Defense via Cloudflare Edge

Patterns across:

- Domain dashboards
- DNS records for vaultmesh.org/cloud/etc
- Quick scans
- Site additions
- Status pages

**Emergent pattern:** Domains are consistently routed through CF proxying + WAF baseline → automatic L7 filtering, caching, and shielding of the origin from raw traffic.

**Takeaway:** **Make the CF edge the only public ingress. Anything bypassing the edge = misconfiguration.**

---

## 3. Zero-Trust Access (Cloudflare One)

Patterns across:

- Cloudflare One onboarding
- Connectors
- Tunnels (Argo / cloudflared)
- Email security
- Log explorer
- Access login callback pages

**Emergent pattern:** Shifting toward a private mesh: internal services accessible only via CF Tunnels + Access policies. Logs show early adoption of Zero-Trust application routing.

**Takeaway:** **No public ports. Everything behind identity-gated tunnels.**

---

## 4. DNS Integrity & Delegation Control

Patterns across:

- Multiple domains: vaultmesh.org/cloud, iotek.nexus, offsec.*
- DNS record edits
- Quick-scan recommendations

**Emergent pattern:** DNS is used as operational infrastructure, not static configuration. Many moving parts → errors here cascade.

**Takeaway:** **DNS is a security boundary. Capture it in change-control + proofs.**

---

## 5. Secrets & Machine Access

Patterns across:

- API tokens
- Tunnels (credential JSON)
- Connectors
- OffSec domain onboarding

**Emergent pattern:** Machine-to-machine Cloudflare auth is centralized in a few tokens/tunnels that link local services → Cloudflare Access → public.

**Takeaway:** **Secrets rotate. Machines authenticate explicitly. No long-lived credentials.**

---

## 6. Monitoring & Incident Surfaces

Patterns across:

- Log explorer
- Notifications docs
- 5xx troubleshooting
- Status page

**Emergent pattern:** CF logs and platform errors are reviewed separately. No single place currently unifies them into an attack-pattern feed.

**Takeaway:** **Observability must reduce noise and elevate anomalies.**

---

# Security Checklist (Cloudflare-centric)

## Account & Identity

- [ ] Enforce hardware-key MFA on all Cloudflare accounts
- [ ] Disable password-based login where possible
- [ ] Use short-lived, scoped API tokens only
- [ ] Audit who/what holds tokens every 30 days
- [ ] Disable unused user seats immediately

## DNS & Zone Security

- [ ] Lock DNS registrar with transfer lock + 2FA
- [ ] Use DNSSEC on all zones (vaultmesh, offsec.*, iotek, etc.)
- [ ] Ensure **every A/AAAA/CNAME record is proxied through Cloudflare** unless intentionally bypassing
- [ ] Remove stale records to reduce attack paths
- [ ] Maintain a version-controlled DNS manifest

## Edge + WAF

- [ ] Enable "Full (strict)" TLS mode
- [ ] Upload and rotate origin certificates
- [ ] Enable:
  - [ ] Bot Fight Mode
  - [ ] OWASP WAF ruleset (latest)
  - [ ] Custom firewall rules (only allow specific methods, country allowlists, etc.)
- [ ] Rate-limit critical paths (/api, tunnels, login pages)

## Cloudflare One / Zero-Trust

- [ ] All internal services served ONLY via Cloudflare Tunnels
- [ ] No public IP exposure on origin servers
- [ ] Access policies:
  - [ ] Require identity + device posture
  - [ ] Add session duration limits
  - [ ] Require hardware-key MFA for admin paths
- [ ] Use Gateway for outbound filtering from internal nodes

## Origin Server Hygiene

- [ ] Close all public ports except 443
- [ ] Run cloudflared under minimal privileges
- [ ] Ensure tunnel credentials are stored with root-only permissions
- [ ] Isolate services behind private networks (Tailnet/WireGuard or CF Warp-to-Tunnel)

## Email + Domain Security

- [ ] Enforce DMARC quarantine or reject
- [ ] Enable DKIM + SPF correctness checks
- [ ] Use Cloudflare Email Security to filter targeted phishing

## Monitoring & Incident Response

- [ ] Enable Logpush to R2 / SIEM
- [ ] Monitor:
  - [ ] DNS changes
  - [ ] New API tokens created
  - [ ] Tunnel connection drops
  - [ ] WAF spikes
- [ ] Create auto-alerts for deviations

## Change-Control + Proofs

- [ ] Every Cloudflare config change → produce a VaultMesh receipt
- [ ] Anchor the state (DNS + Access + WAF configs) weekly
- [ ] Tie Cloudflare logs into ProofChain for tamper-evident audit
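The "every A/AAAA/CNAME record is proxied" and "DMARC quarantine or reject" items above are the kind of rule a version-controlled DNS manifest lets you enforce automatically. The following audit script is an added example (not part of this document or of VaultMesh); it assumes a manifest in the shape of a Cloudflare DNS export (`type`/`name`/`content`/`proxied`) and uses a constructed sample zone with hypothetical names and addresses.

```python
"""Audit a Cloudflare-style DNS manifest against the checklist rules."""
from __future__ import annotations
import json

# Constructed sample manifest (hypothetical zone, documentation-range IPs).
# Mail hosts cannot sit behind the proxy, so they are the expected bypass case.
SAMPLE_MANIFEST = json.dumps([
    {"type": "A",     "name": "app.example-vault.test",    "content": "203.0.113.10",         "proxied": True},
    {"type": "A",     "name": "mail.example-vault.test",   "content": "203.0.113.25",         "proxied": False},
    {"type": "CNAME", "name": "old.example-vault.test",    "content": "legacy.example.test",  "proxied": False},
    {"type": "MX",    "name": "example-vault.test",        "content": "mail.example-vault.test", "proxied": False},
    {"type": "TXT",   "name": "_dmarc.example-vault.test", "content": "v=DMARC1; p=reject; rua=mailto:dmarc@example-vault.test", "proxied": False},
])

# Record types that Cloudflare can proxy; everything else is DNS-only by nature.
PROXIABLE = {"A", "AAAA", "CNAME"}


def audit_manifest(manifest_json: str, bypass_allowlist: set[str]) -> list[str]:
    """Return one finding per proxiable record that is not proxied and whose
    name is not on the intentional-bypass allowlist."""
    findings = []
    for rec in json.loads(manifest_json):
        if rec["type"] not in PROXIABLE:
            continue
        if not rec["proxied"] and rec["name"] not in bypass_allowlist:
            findings.append(f"UNPROXIED {rec['type']} {rec['name']} -> {rec['content']}")
    return findings


def dmarc_policy(manifest_json: str, zone: str) -> str | None:
    """Return the p= policy of the zone's _dmarc TXT record, or None if absent.
    A compliant zone returns 'quarantine' or 'reject'."""
    for rec in json.loads(manifest_json):
        if rec["type"] == "TXT" and rec["name"] == f"_dmarc.{zone}":
            for tag in rec["content"].split(";"):
                key, _, value = tag.strip().partition("=")
                if key == "p":
                    return value
    return None


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST, {"mail.example-vault.test"}):
        print(finding)
    print("DMARC policy:", dmarc_policy(SAMPLE_MANIFEST, "example-vault.test"))
```

Run it against the exported manifest in CI so a newly added unproxied record or a weakened DMARC policy fails the change before it lands.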