Skip to content

Security Insights

Security Insights provides you with a list of insights, covering different areas of your Cloudflare environment, such as: Cloudflare account settings, DNS record configurations, SSL/TLS certificates configurations, Cloudflare Access configurations and Cloudflare WAF configurations.

Listed below are the specific insights currently available:

Insight NameDescription
CASB integration statusWe detect unhealthy CASB integrations.
Dangling A RecordsA record is pointing to an IPv4 address that you might no longer control. You are at risk of a subdomain takeover.
Dangling AAAA RecordsA record is pointing to an IPv6 address that you might no longer control. You are at risk of a subdomain takeover.
Dangling CNAME RecordsA record is pointing to a resource that cannot be found. You are at risk of a subdomain takeover.
DMARC Record ErrorsWe detect an incorrect or missing DMARC record.
Domains missing TLS EncryptionWe detect that there is no TLS encryption for this domain.
Domains supporting older TLS versionThis domain supports older versions of the TLS protocol.
Domains without 'Always Use HTTPS'HTTP requests to this domain may not redirect to its HTTPS equivalent.
Domains without HSTSHTTP Strict Transport Security (HSTS), is a header which allows a website to specify and enforce security policy in client web browsers. This policy enforcement protects secure websites from downgrade attacks SSL stripping and cookie hijacking.
Exposed RDP ServersWe detect an RDP server that is exposed to the public Internet.
Get notified of malicious client-side scriptsWe detect that Page Shield alerts are not configured. You will not receive notifications when we detect potential malicious scripts executing in your client-side environment.
Managed Rules not deployedNo managed rules deployed on a WAF protected domain.
Migrate to new Managed RulesMigration to new Managed Rules system required for optimal protection.
Mixed-authentication API endpoints detectedNot all of the successful requests against API endpoints carried session identifiers.
New API endpoints detectedAPI Discovery detects new API endpoints in your zone's traffic.
New CASB integrations foundNew CASB integrations have been found.
Overprovisioned Access PoliciesWe detect an Access policy to allow everyone access to your application.
Page Shield not enabledPage Shield helps meet PCI DSS v4.0 compliance regarding requirement 6.4.3.
SPF Record ErrorsWe detect an incorrect or missing SPF record.
Sensitive data in API responseSensitive data in API responses detected.
Turn on JavaScript DetectionOne or more of your Bot Management enabled zones does not have JavaScript Detection enabled, which is a critical part of our bot detection suite.
Unassigned Access seatsWe detect a Zero Trust subscription that is not configured yet.
Unauthenticated API endpoints detectedNone of the successful requests against API endpoints carried session identifiers.
Unprotected Cloudflare TunnelsWe detect an application that is served by a Cloudflare Tunnel but not protected by a corresponding Access policy.
Unproxied A RecordsThis DNS record is not proxied by Cloudflare. Cloudflare can not protect this origin because it is exposed to the public Internet.
Unproxied AAAA RecordsThis DNS record is not proxied by Cloudflare. Cloudflare can not protect this origin because it is exposed to the public Internet.
Unproxied CNAME RecordsThis DNS record is not proxied by Cloudflare. Cloudflare can not protect this origin because it is exposed to the public Internet.
Users without MFAWe detect that a Cloudflare administrative user has not enabled multifactor authentication.
Zones without WAF Managed RulesWe detect that this domain does not have the WAF's Managed Rules enabled. You are at risk from zero-day and other common vulnerabilities.
No Turnstile enabledWe detect that there is no Turnstile widget configured on the account.

For more information on available operations for Security Insights, refer to Review Security Insights.