vaultsovereign/vm-cloudflare
1
0
Fork 0
Code Issues Pull Requests Actions 3 Packages Projects Releases Wiki Activity
Files
f0b8d962de8f3d8a98b33d43419fa3bcb53eee58
vm-cloudflare/cloudflare_waf_baseline.md
Vault Sovereign 37a867c485 Initial commit: Cloudflare infrastructure with WAF Intelligence 
- Complete Cloudflare Terraform configuration (DNS, WAF, tunnels, access)
- WAF Intelligence MCP server with threat analysis and ML classification
- GitOps automation with PR workflows and drift detection
- Observatory monitoring stack with Prometheus/Grafana
- IDE operator rules for governed development
- Security playbooks and compliance frameworks
- Autonomous remediation and state reconciliation
2025-12-16 18:31:53 +00:00

80 lines
1.6 KiB
Markdown
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
# Cloudflare WAF Baseline
## Purpose
A hardened, reproducible baseline for Web Application Firewall (WAF) configuration across VaultMesh, OffSec, and associated domains.
---
## 1. Core WAF Mode
- OWASP Core Ruleset: **Enabled (Latest version)**
- Paranoia Level: **1 (default)** raise to 2 for internal/admin surfaces
- Bot Protection: **Enabled**
- Super Bot Fight Mode: **Enabled (if plan supports)**
- API Shield: **Enabled on `/api/*` paths**
---
## 2. Mandatory Managed Rules
- Cloudflare Managed WAF Rules: **Enabled**
- Directory Traversal: Block
- SQL Injection: Block
- XSS: Block
- File Inclusion: Block
- Broken Authentication: Block
- Common Vulnerabilities: Block
---
## 3. Custom Firewall Rules (Baseline)
### Block non-HTTPS
```
(if not ssl) then block
```
### Restrict admin panels
```
(http.request.uri.path contains "/admin" and ip.src not in {trusted_admin_ips}) -> block
```
### Rate-limit API endpoints
```
Path: /api/
Threshold: 30 req/10s per IP
Action: block for 1 minute
```
### Challenge suspicious countries
```
ip.src.country in {CN, RU, KP, IR} -> managed_challenge
```
---
## 4. TLS Settings
- TLS Mode: **Full (strict)**
- Minimum TLS Version: **1.2**
- HSTS: Enabled (1 yr + includeSubDomains)
- TLS Keyless Origin: Optional (if needed)
---
## 5. Logging & Metrics
- Logpush to R2/SIEM: Enabled
- Track:
- WAF rule matches
- Rate-limit triggers
- Bot detections
- Country spikes
- Alerts:
- 10× spike in WAF blocks
- Repeated blocks for same URI
---
## 6. Change-Control
All modifications:
1. Must be captured in VaultMesh receipt
2. Weekly WAF snapshot → anchored
3. Changes require dual approval for OffSec cluster
Reference in New Issue View Git Blame Copy Permalink