Cloudflare WAF Baseline
Purpose
A hardened, reproducible baseline for Web Application Firewall (WAF) configuration across VaultMesh, OffSec, and associated domains.
1. Core WAF Mode
- OWASP Core Ruleset: Enabled (Latest version)
- Paranoia Level: 1 (default) – raise to 2 for internal/admin surfaces
- Bot Protection: Enabled
- Super Bot Fight Mode: Enabled (if plan supports)
- API Shield: Enabled on /api/* paths
2. Mandatory Managed Rules
- Cloudflare Managed WAF Rules: Enabled
- Directory Traversal: Block
- SQL Injection: Block
- XSS: Block
- File Inclusion: Block
- Broken Authentication: Block
- Common Vulnerabilities: Block
3. Custom Firewall Rules (Baseline)
Block non-HTTPS
Expression: not ssl
Action: block
Restrict admin panels
Expression: http.request.uri.path contains "/admin" and not ip.src in $trusted_admin_ips
Action: block (trusted_admin_ips is a named IP list maintained at the account level)
Rate-limit API endpoints
Path: /api/
Threshold: 30 req/10s per IP
Action: block for 1 minute
Challenge suspicious countries
Expression: ip.src.country in {"CN" "RU" "KP" "IR"}
Action: managed_challenge
4. TLS Settings
- TLS Mode: Full (strict)
- Minimum TLS Version: 1.2
- HSTS: Enabled (max-age 1 year, includeSubDomains)
- TLS Keyless Origin: Optional (if needed)
5. Logging & Metrics
- Logpush to R2/SIEM: Enabled
- Track:
  - WAF rule matches
  - Rate-limit triggers
  - Bot detections
  - Country spikes
- Alerts:
  - 10× spike in WAF blocks
  - Repeated blocks for the same URI
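The two alert conditions above, evaluated over constructed firewall-event records, as an added example that is not part of the baseline or of any VaultMesh tooling. The field names Datetime, Action, ClientRequestPath and ClientIP are assumed to follow Logpush's firewall_events dataset; the 5-minute window and the 5-hit threshold for "same URI" are assumptions, while the 10× factor is the page's own value.

```python
"""Section-5 alert checks over constructed Cloudflare firewall-event records."""
from collections import Counter
from datetime import datetime, timedelta, timezone

SPIKE_FACTOR = 10      # "10x spike in WAF blocks" (from the baseline)
REPEAT_URI_MIN = 5     # assumed threshold for "repeated blocks for the same URI"
WINDOW_SECONDS = 300   # assumed alert window (5 minutes)

def parse_ts(s):  # Logpush-style RFC 3339 timestamp, e.g. 2024-01-01T00:05:00Z
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def blocks_per_window(events, window_seconds=WINDOW_SECONDS):
    """Count Action == 'block' per fixed window, oldest first; quiet windows count 0."""
    buckets = Counter()
    for ev in events:
        if ev["Action"] == "block":
            buckets[int(parse_ts(ev["Datetime"]).timestamp() // window_seconds)] += 1
    if not buckets:
        return []
    return [buckets[i] for i in range(min(buckets), max(buckets) + 1)]

def block_spike(events, factor=SPIKE_FACTOR):
    """Return (latest_count, baseline_mean, alert); alert when the newest window holds
    >= factor x the mean of earlier windows (floor 1, so a quiet baseline is not a spike)."""
    counts = blocks_per_window(events)
    if len(counts) < 2:
        return (counts[-1] if counts else 0, 0.0, False)
    baseline = sum(counts[:-1]) / len(counts[:-1])
    return counts[-1], baseline, counts[-1] >= factor * max(baseline, 1.0)

def repeated_uri_blocks(events, minimum=REPEAT_URI_MIN):
    """Return {path: blocks} for paths blocked at least `minimum` times."""
    per_uri = Counter(ev["ClientRequestPath"] for ev in events if ev["Action"] == "block")
    return {p: n for p, n in per_uri.items() if n >= minimum}

def constructed_events():
    """Constructed sample: one block per 5-minute window for 30 minutes, then a burst."""
    base = datetime(2024, 1, 1, tzinfo=timezone.utc)
    def ev(offset, path, action="block"):
        return {"Datetime": (base + timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%SZ"),
                "Action": action, "ClientRequestPath": path, "ClientIP": "203.0.113.7"}
    events = [ev(i * 300, f"/page/{i}") for i in range(6)]            # quiet baseline
    events += [ev(1800 + i * 10, "/admin/login") for i in range(12)]  # burst in window 7
    events.append(ev(1805, "/api/v1/users", "managed_challenge"))     # challenged, not blocked
    return events

if __name__ == "__main__":
    print("spike:", block_spike(constructed_events()))               # (12, 1.0, True)
    print("repeated URIs:", repeated_uri_blocks(constructed_events()))  # {'/admin/login': 12}
```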
6. Change-Control
All modifications:
- Must be captured in a VaultMesh receipt
- Are covered by a weekly WAF snapshot, which is anchored
- Require dual approval for the OffSec cluster