Security Insights
Security Insights provides a list of insights covering different areas of your Cloudflare environment, such as Cloudflare account settings, DNS record configuration, SSL/TLS certificate configuration, Cloudflare Access configuration and Cloudflare WAF configuration.
Listed below are the specific insights currently available:
| Insight Name | Description |
|---|---|
| CASB integration status | We detect unhealthy CASB integrations. |
| Dangling A Records | A record is pointing to an IPv4 address that you might no longer control. You are at risk of a subdomain takeover. |
| Dangling AAAA Records | A record is pointing to an IPv6 address that you might no longer control. You are at risk of a subdomain takeover. |
| Dangling CNAME Records | A record is pointing to a resource that cannot be found. You are at risk of a subdomain takeover. |
| DMARC Record Errors | We detect an incorrect or missing DMARC record. |
| Domains missing TLS Encryption | We detect that there is no TLS encryption for this domain. |
| Domains supporting older TLS version | This domain supports older versions of the TLS protocol. |
| Domains without 'Always Use HTTPS' | HTTP requests to this domain may not redirect to its HTTPS equivalent. |
| Domains without HSTS | HTTP Strict Transport Security (HSTS) is a header which allows a website to specify and enforce a security policy in client web browsers. This policy enforcement protects secure websites from downgrade attacks, SSL stripping and cookie hijacking. |
| Exposed RDP Servers | We detect an RDP server that is exposed to the public Internet. |
| Get notified of malicious client-side scripts | We detect that client-side security alerts are not configured. You will not receive notifications when we detect potential malicious scripts executing in your client-side environment. |
| Increased body response size detected on API endpoints | Investigate changes, abuse, or successful attacks that may have led to this increase in response body size. |
| Increased errors detected on API endpoints | Investigate changes, abuse, or successful attacks that may have led to this increase in errors. |
| Increased latency detected on API endpoints | Investigate changes, abuse, or successful attacks that may have led to this increase in response latency. |
| Managed Rules not deployed | No managed rules are deployed on a WAF-protected domain. Refer to Known limitations. |
| Upgrade to new Managed Rules | Upgrade to new Managed Rules system required for optimal protection. |
| Mixed-authentication API endpoints detected | Not all of the successful requests against API endpoints carried session identifiers. |
| New API endpoints detected | API Discovery detects new API endpoints in your zone's traffic. |
| New CASB integrations found | New CASB integrations have been found. |
| Overprovisioned Access Policies | We detect an Access policy that allows everyone access to your application. |
| Client-side security not enabled | Client-side security (formerly known as Page Shield) helps meet PCI DSS v4.0 compliance regarding requirement 6.4.3. |
| SPF Record Errors | We detect an incorrect or missing SPF record. |
| Schema Validation missing from eligible API endpoints | Apply the learned schema to protect your API against fuzzing attacks. |
| Sensitive data in API response | Sensitive data in API responses detected. |
| Turn on JavaScript Detection | One or more of your Bot Management enabled zones does not have JavaScript Detection enabled, which is a critical part of our bot detection suite. |
| Unassigned Access seats | We detect a Zero Trust subscription that is not configured yet. |
| Unauthenticated API endpoints detected | None of the successful requests against API endpoints carried session identifiers. |
| Unprotected Cloudflare Tunnels | We detect an application that is served by a Cloudflare Tunnel but not protected by a corresponding Access policy. |
| Unproxied A Records | This DNS record is not proxied by Cloudflare. Cloudflare cannot protect this origin because it is exposed to the public Internet. |
| Unproxied AAAA Records | This DNS record is not proxied by Cloudflare. Cloudflare cannot protect this origin because it is exposed to the public Internet. |
| Unproxied CNAME Records | This DNS record is not proxied by Cloudflare. Cloudflare cannot protect this origin because it is exposed to the public Internet. |
| Users without MFA | We detect that a Cloudflare administrative user has not enabled multifactor authentication. |
| Zones without WAF Managed Rules | We detect that this domain does not have the WAF's Managed Rules enabled. You are at risk from zero-day and other common vulnerabilities. |
| No Turnstile enabled | We detect that there is no Turnstile widget configured on the account. |
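Several of the DNS and email insights in the table above (dangling CNAME records, unproxied A/AAAA/CNAME records, SPF and DMARC record errors) can be reproduced as a simple audit over a zone's record set. The script below is an added illustration of that logic and is not Cloudflare's code or the Security Insights implementation. It assumes a minimal `DnsRecord` model, a stubbed name-existence oracle in place of real DNS lookups so that it runs offline, and a constructed sample zone (`example.com`) whose records include one dangling CNAME, one unproxied origin A record, two competing SPF records and no DMARC record.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class DnsRecord:
    """A minimal DNS record model (assumption for this example)."""
    name: str
    rtype: str          # "A", "AAAA", "CNAME" or "TXT"
    content: str
    proxied: bool = False


# Name-existence oracle: True if the name resolves, False on NXDOMAIN.
# A real audit would wrap a DNS lookup; the stub below keeps the example offline.
NameExists = Callable[[str], bool]

Finding = Dict[str, str]


def find_dangling_cnames(records: List[DnsRecord], name_exists: NameExists) -> List[Finding]:
    """Flag CNAME records whose target no longer exists (subdomain-takeover risk)."""
    return [
        {"insight": "Dangling CNAME Records", "record": r.name,
         "detail": f"target {r.content} does not resolve"}
        for r in records
        if r.rtype == "CNAME" and not name_exists(r.content)
    ]


def find_unproxied(records: List[DnsRecord]) -> List[Finding]:
    """Flag A/AAAA/CNAME records that bypass the proxy, exposing the origin directly."""
    return [
        {"insight": f"Unproxied {r.rtype} Records", "record": r.name,
         "detail": f"{r.content} is reachable without passing through the proxy"}
        for r in records
        if r.rtype in ("A", "AAAA", "CNAME") and not r.proxied
    ]


def check_email_auth(records: List[DnsRecord], zone: str) -> List[Finding]:
    """Check the zone apex for exactly one SPF record and _dmarc.<zone> for a DMARC policy."""
    findings: List[Finding] = []

    spf = [r for r in records
           if r.rtype == "TXT" and r.name == zone and r.content.lower().startswith("v=spf1")]
    if not spf:
        findings.append({"insight": "SPF Record Errors", "record": zone,
                         "detail": "no SPF record published"})
    elif len(spf) > 1:
        # RFC 7208 treats multiple SPF records as a permanent error: an "incorrect" record.
        findings.append({"insight": "SPF Record Errors", "record": zone,
                         "detail": f"{len(spf)} SPF records published; exactly one is allowed"})

    dmarc_name = f"_dmarc.{zone}"
    dmarc = [r for r in records
             if r.rtype == "TXT" and r.name == dmarc_name and r.content.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append({"insight": "DMARC Record Errors", "record": dmarc_name,
                         "detail": "no DMARC record published"})
    else:
        # Parse "tag=value; tag=value" and require a valid p= policy tag.
        tags = {}
        for part in dmarc[0].content.split(";"):
            if "=" in part:
                key, value = part.split("=", 1)
                tags[key.strip().lower()] = value.strip()
        policy = tags.get("p", "").lower()
        if policy not in ("none", "quarantine", "reject"):
            findings.append({"insight": "DMARC Record Errors", "record": dmarc_name,
                             "detail": f"invalid or missing p= tag ({policy!r})"})
    return findings


def audit_zone(records: List[DnsRecord], zone: str, name_exists: NameExists) -> List[Finding]:
    """Run all checks and return the combined list of findings."""
    return (find_dangling_cnames(records, name_exists)
            + find_unproxied(records)
            + check_email_auth(records, zone))


# Constructed sample zone (not real data).
SAMPLE_ZONE = "example.com"
SAMPLE_RECORDS = [
    DnsRecord("www.example.com", "A", "203.0.113.10", proxied=True),
    DnsRecord("origin.example.com", "A", "203.0.113.11", proxied=False),       # unproxied origin
    DnsRecord("blog.example.com", "CNAME", "old-site.example.net", proxied=True),  # target gone
    DnsRecord("docs.example.com", "CNAME", "docs-host.example.net", proxied=True),
    DnsRecord("example.com", "TXT", "v=spf1 include:_spf.example.net -all"),
    DnsRecord("example.com", "TXT", "v=spf1 ip4:203.0.113.0/24 -all"),          # duplicate SPF
]

# Stub oracle: only this target "exists"; everything else is treated as NXDOMAIN.
KNOWN_NAMES = {"docs-host.example.net"}


def stub_name_exists(name: str) -> bool:
    return name in KNOWN_NAMES


if __name__ == "__main__":
    for f in audit_zone(SAMPLE_RECORDS, SAMPLE_ZONE, stub_name_exists):
        print(f"{f['insight']}: {f['record']} ({f['detail']})")
```

Running the script on the sample zone reports four findings: the dangling CNAME on `blog.example.com`, the unproxied A record on `origin.example.com`, the duplicate SPF records at the apex, and the missing DMARC record. Swapping `stub_name_exists` for a function that performs a real lookup turns this into a live check; the unproxied-record check intentionally mirrors the insight's behaviour and flags every unproxied record, so records that are meant to stay DNS-only still need a human decision.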
Security Insights scans run periodically and use heuristics to detect potential issues. In some cases, an insight may not accurately reflect your current configuration:
- Managed Rules not deployed on zones with account-level managed rules: If you deploy managed rules at the account level rather than the zone level, Security Center may not detect them and may report that managed rules are not deployed. If your account-level configuration is correct, you can archive the insight to dismiss it.
- Vulnerability insights for rules in log mode: If you configure a managed rule with a Log action (for example, to monitor traffic before enforcing), Security Center may still generate a vulnerability insight because the rule is not actively blocking traffic. This is expected behavior. You can archive the insight if you are intentionally using log mode.
To remove a resolved or inaccurate insight from your dashboard, archive the insight or wait for the next automatic scan.
For more information on available operations for Security Insights, refer to Review Security Insights.