Security Insights
Security Insights provides you with a list of insights covering different areas of your Cloudflare environment, such as Cloudflare account settings, DNS record configurations, SSL/TLS certificate configurations, Cloudflare Access configurations, and Cloudflare WAF configurations.
Listed below are the specific insights currently available:
| Insight Name | Description | 
|---|---|
| CASB integration status | We detect unhealthy CASB integrations. | 
| Dangling A Records | A record is pointing to an IPv4 address that you might no longer control. You are at risk of a subdomain takeover. | 
| Dangling AAAA Records | A record is pointing to an IPv6 address that you might no longer control. You are at risk of a subdomain takeover. | 
| Dangling CNAME Records | A record is pointing to a resource that cannot be found. You are at risk of a subdomain takeover. | 
| DMARC Record Errors | We detect an incorrect or missing DMARC record. | 
| Domains missing TLS Encryption | We detect that there is no TLS encryption for this domain. | 
| Domains supporting older TLS version | This domain supports older versions of the TLS protocol. | 
| Domains without 'Always Use HTTPS' | HTTP requests to this domain may not redirect to its HTTPS equivalent. | 
| Domains without HSTS | HTTP Strict Transport Security (HSTS) is a header which allows a website to specify and enforce security policy in client web browsers. This policy enforcement protects secure websites from downgrade attacks, SSL stripping, and cookie hijacking. | 
| Exposed RDP Servers | We detect an RDP server that is exposed to the public Internet. | 
| Get notified of malicious client-side scripts | We detect that Page Shield alerts are not configured. You will not receive notifications when we detect potential malicious scripts executing in your client-side environment. | 
| Increased body response size detected on API endpoints | Investigate changes, abuse, or successful attacks that may have led to this increase in response body size. | 
| Increased errors detected on API endpoints | Investigate changes, abuse, or successful attacks that may have led to this increase in errors. | 
| Increased latency detected on API endpoints | Investigate changes, abuse, or successful attacks that may have led to this increase in response latency. | 
| Managed Rules not deployed | No managed rules deployed on a WAF protected domain. | 
| Migrate to new Managed Rules | Migration to new Managed Rules system required for optimal protection. | 
| Mixed-authentication API endpoints detected | Not all of the successful requests against API endpoints carried session identifiers. | 
| New API endpoints detected | API Discovery detects new API endpoints in your zone's traffic. | 
| New CASB integrations found | New CASB integrations have been found. | 
| Overprovisioned Access Policies | We detect an Access policy that allows everyone access to your application. | 
| Page Shield not enabled | Page Shield helps meet PCI DSS v4.0 compliance regarding requirement 6.4.3. | 
| SPF Record Errors | We detect an incorrect or missing SPF record. | 
| Schema Validation missing from eligible API endpoints | Apply the learned schema to protect your API against fuzzing attacks. | 
| Sensitive data in API response | Sensitive data in API responses detected. | 
| Turn on JavaScript Detection | One or more of your Bot Management enabled zones does not have JavaScript Detection enabled, which is a critical part of our bot detection suite. | 
| Unassigned Access seats | We detect a Zero Trust subscription that is not configured yet. | 
| Unauthenticated API endpoints detected | None of the successful requests against API endpoints carried session identifiers. | 
| Unprotected Cloudflare Tunnels | We detect an application that is served by a Cloudflare Tunnel but not protected by a corresponding Access policy. | 
| Unproxied A Records | This DNS record is not proxied by Cloudflare. Cloudflare cannot protect this origin because it is exposed to the public Internet. | 
| Unproxied AAAA Records | This DNS record is not proxied by Cloudflare. Cloudflare cannot protect this origin because it is exposed to the public Internet. | 
| Unproxied CNAME Records | This DNS record is not proxied by Cloudflare. Cloudflare cannot protect this origin because it is exposed to the public Internet. | 
| Users without MFA | We detect that a Cloudflare administrative user has not enabled multifactor authentication. | 
| Zones without WAF Managed Rules | We detect that this domain does not have the WAF's Managed Rules enabled. You are at risk from zero-day and other common vulnerabilities. | 
| No Turnstile enabled | We detect that there is no Turnstile widget configured on the account. | 
For more information on available operations for Security Insights, refer to Review Security Insights.