Cloudflare Security Posture

Overview

The site chrisnewcomb.name is proxied through Cloudflare CDN with security features enabled at the edge. This document records the current configuration and rationale.

Active Protections

WAF (Web Application Firewall)

The Cloudflare Managed Ruleset is enabled (always active). It covers web application exploits, DDoS attacks, bot traffic, and API abuse. This provides baseline protection even though the site is static — it blocks known exploit patterns at the edge and prevents the domain from being abused as an attack vector.

DDoS Protection

Cloudflare's built-in DDoS mitigation is active by default on all proxied domains. No additional configuration is required for a static site.

Bot Protection

Bot traffic protection is included in the Cloudflare Managed Ruleset (tagged under "Bot traffic"). It challenges automated traffic that does not appear to come from a legitimate browser, reducing scraping and general bot abuse.

Web Analytics

Cloudflare Web Analytics is enabled with automatic setup (CDN injection): the beacon is injected at the edge, so there are no cookies and no tracking scripts in the application code. See the Web Analytics dashboard for visitor data.
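Every protection listed above applies only to requests that actually traverse the Cloudflare edge; a response answered directly by the origin has seen none of them. The following Python check is an added example (not part of the site's own tooling): it reads a captured HTTP response and reports whether the edge handled it, whether the edge returned a challenge, and whether the Web Analytics beacon was injected. The two sample responses are constructed, and the indicators it looks for (the server: cloudflare and cf-ray headers, the cf-mitigated header on challenge responses, and the static.cloudflareinsights.com beacon host) are Cloudflare's documented ones.

```python
"""Offline check of a captured HTTP response for the Cloudflare edge features
this document records: proxying, an edge challenge, and CDN-injected Web
Analytics. Added example; both sample responses below are constructed."""

# Constructed sample: served through the Cloudflare proxy, beacon injected.
PROXIED_RESPONSE = """HTTP/2 200
server: cloudflare
cf-ray: 0123456789abcdef-XXX
content-type: text/html; charset=utf-8

<html><head><title>Home</title></head><body><p>Hello</p>
<script defer src="https://static.cloudflareinsights.com/beacon.min.js"></script>
</body></html>
"""

# Constructed sample: the origin answered directly, bypassing the edge, so
# none of the protections in this document applied to the request.
ORIGIN_RESPONSE = """HTTP/1.1 200 OK
server: nginx
content-type: text/html; charset=utf-8

<html><head><title>Home</title></head><body><p>Hello</p></body></html>
"""

BEACON_HOST = "static.cloudflareinsights.com"


def parse_response(raw):
    """Split a raw HTTP response into a lowercase header map and the body."""
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines()[1:]:  # first line is the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def edge_posture(raw):
    """proxied: server: cloudflare plus a cf-ray id, so the edge handled it.
    mitigated: cf-mitigated header, so the edge returned a challenge or block.
    analytics: the Web Analytics beacon script was injected into the body."""
    headers, body = parse_response(raw)
    return {
        "proxied": headers.get("server") == "cloudflare" and "cf-ray" in headers,
        "mitigated": "cf-mitigated" in headers,
        "analytics": BEACON_HOST in body,
    }


if __name__ == "__main__":
    for label, raw in (("proxied", PROXIED_RESPONSE), ("origin", ORIGIN_RESPONSE)):
        print(label, edge_posture(raw))
```

A request whose response reports proxied as False (as in the origin sample) is the case to investigate, since the WAF, DDoS and bot rules above never saw it.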

Zero Trust (Ready, Not Active)

Cloudflare Zero Trust is available on the account (free tier, up to 50 users). It is not currently configured because the site has no staging environment, admin panel, or authenticated endpoints.

When any of the following are added, Zero Trust should be configured to gate access:

  • Staging or preview environments with sensitive content
  • Admin panels or API endpoints
  • Internal documentation not intended for public access

Not Currently Configured

The following Cloudflare features are not enabled and should be evaluated as the site evolves:

  • Rate Limiting rules — not needed for a static site with no authentication endpoints. Revisit if API endpoints or forms are added.
  • Hotlink Protection — consider enabling if image bandwidth becomes a concern.
  • Page Shield — monitors for malicious scripts injected via third-party resources. Consider enabling when external scripts are added.

Security headers (CSP, HSTS, X-Frame-Options), DNS security (DNSSEC, CAA, DMARC), and TLS configuration are documented in Web Security Configuration.

Review Schedule

This document should be reviewed when:

  • New Cloudflare features are enabled or disabled
  • The site adds authentication, API endpoints, or staging environments
  • Cloudflare plan changes
  • Quarterly as part of general security review