# Cloudflare

SureCloud connects to Cloudflare to retrieve zone configuration, Web Application Firewall (WAF) rule status, DNS records, SSL/TLS settings, and Cloudflare Access policy configuration. This allows SureCloud to verify that network security controls are in place — confirming that WAF rules are active, that HTTPS is enforced, that DDoS protection is enabled, and that Cloudflare Access policies are correctly restricting application access where required.

## Authentication and setup

Cloudflare authenticates API requests using an API token. SureCloud uses a scoped read-only API token with access to the relevant zones and account resources.

{% stepper %}
{% step %}
**Create a scoped API token in Cloudflare**

Log in to the Cloudflare dashboard at [dash.cloudflare.com](https://dash.cloudflare.com/). Navigate to **My Profile → API Tokens** and click **Create Token**. Select **Create Custom Token**. Name it `SureCloud CCM`.

Under **Permissions**, add the following:

* Zone → Zone → Read
* Zone → WAF → Read
* Zone → DNS → Read
* Zone → SSL and Certificates → Read
* Account → Cloudflare Access: Apps and Policies → Read
* Account → Account Settings → Read

Under **Zone Resources**, select **All Zones** (or restrict to specific zones if preferred). Click **Continue to Summary** and then **Create Token**. Copy the token.
{% endstep %}

{% step %}
**Enter the token in SureCloud**

Navigate to **SureCloud → Integrations → Cloudflare → Connect**. Paste the API token and enter your Cloudflare Account ID (visible in the Cloudflare dashboard URL or under **Account Home → Account ID**). Click **Save** and then **Test Connection**.
{% endstep %}
{% endstepper %}

{% hint style="warning" %}
Store the API token securely. SureCloud encrypts it at rest, but treat it as a sensitive credential. Rotate it every 90 days in **Cloudflare → My Profile → API Tokens** and update it in **SureCloud → Integrations → Cloudflare → Edit Connection**.
{% endhint %}

## Endpoints

| API Call                                               | Use Case                                                                                     |
| ------------------------------------------------------ | -------------------------------------------------------------------------------------------- |
| `GET /client/v4/zones`                                 | Enumerate all zones (domains) under the account                                              |
| `GET /client/v4/zones/{zone_id}/settings`              | Retrieve zone security settings including HTTPS enforcement, TLS version, and security level |
| `GET /client/v4/zones/{zone_id}/firewall/waf/packages` | Enumerate WAF packages enabled on the zone                                                   |
| `GET /client/v4/zones/{zone_id}/firewall/rules`        | Retrieve custom firewall rules configured for the zone                                       |
| `GET /client/v4/zones/{zone_id}/dns_records`           | Retrieve DNS records for zone configuration evidence                                         |
| `GET /client/v4/zones/{zone_id}/ssl/certificate_packs` | Retrieve SSL/TLS certificate status and expiry                                               |
| `GET /client/v4/accounts/{account_id}/access/apps`     | Enumerate Cloudflare Access applications and their access policies                           |
| `GET /client/v4/accounts/{account_id}/access/policies` | Retrieve Access policy definitions including allowed identity providers                      |
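The settings endpoint in the table above is what the HTTPS-enforcement and TLS-version checks are built on. The following is an added example, not SureCloud's own evaluation logic: it flattens a `GET /client/v4/zones/{zone_id}/settings` response into per-control pass/fail results. It assumes the documented `{"result": [{"id": ..., "value": ...}, ...]}` envelope and the setting ids `always_use_https`, `min_tls_version`, `ssl` and `security_level`; the thresholds (TLS 1.2 floor, `full`/`strict` as encrypted origin modes) are illustrative choices, and the sample responses are constructed. A setting absent from the response fails its check rather than passing silently.

```python
"""Evaluate a Cloudflare zone settings response against HTTPS/TLS controls.

Added example, not SureCloud's code. Assumes the settings endpoint returns the
documented envelope {"result": [{"id": "<setting_id>", "value": ...}, ...]} and
relies on the setting ids always_use_https, min_tls_version, ssl and
security_level. The pass/fail thresholds are illustrative, not SureCloud's
control definitions.
"""

MIN_TLS_VERSION = "1.2"                        # illustrative floor for min_tls_version
ORIGIN_ENCRYPTED_MODES = {"full", "strict"}    # ssl modes that encrypt edge-to-origin traffic
WEAK_SECURITY_LEVELS = {"off", "essentially_off"}


def settings_by_id(settings_response: dict) -> dict:
    """Flatten the settings list into {setting_id: value}."""
    return {item["id"]: item.get("value") for item in settings_response.get("result") or []}


def _version_tuple(version: str) -> tuple:
    """'1.2' -> (1, 2) so TLS versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def evaluate_zone(settings_response: dict) -> dict:
    """Return {check_name: (passed, observed_value)}; a missing setting fails its check."""
    s = settings_by_id(settings_response)
    https = s.get("always_use_https")
    min_tls = s.get("min_tls_version")
    ssl_mode = s.get("ssl")
    level = s.get("security_level")
    return {
        "https_enforced": (https == "on", https),
        "min_tls_version": (
            min_tls is not None and _version_tuple(min_tls) >= _version_tuple(MIN_TLS_VERSION),
            min_tls,
        ),
        "origin_encrypted": (ssl_mode in ORIGIN_ENCRYPTED_MODES, ssl_mode),
        "security_level_active": (level is not None and level not in WEAK_SECURITY_LEVELS, level),
    }


def failed_checks(settings_response: dict) -> list:
    """Names of the checks that did not pass, sorted for stable evidence output."""
    return sorted(name for name, (ok, _) in evaluate_zone(settings_response).items() if not ok)


def _response(**values):
    """Build a constructed settings envelope from {setting_id: value}."""
    return {
        "success": True,
        "errors": [],
        "result": [{"id": k, "value": v, "editable": True} for k, v in values.items()],
    }


# Constructed sample responses, not real zone data.
SAMPLE_HARDENED = _response(always_use_https="on", min_tls_version="1.2", ssl="strict", security_level="high")
SAMPLE_WEAK = _response(always_use_https="off", min_tls_version="1.0", ssl="flexible", security_level="medium")
SAMPLE_PARTIAL = _response(always_use_https="on", ssl="full")  # min_tls_version and security_level absent

if __name__ == "__main__":
    for name, sample in (("hardened", SAMPLE_HARDENED), ("weak", SAMPLE_WEAK), ("partial", SAMPLE_PARTIAL)):
        print(name, failed_checks(sample))
```

Keeping the observed value next to each verdict matters for evidence collection: a reviewer can see that `min_tls_version` was `1.0`, or was simply not returned, rather than only that the check failed.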

## Pagination

`GET /client/v4/zones` and `GET /client/v4/zones/{zone_id}/dns_records` use page-based pagination. SureCloud increments the `page` parameter until the `result_info.total_pages` count is reached.

```http
GET /client/v4/zones?page=2&per_page=50
```

`GET /client/v4/accounts/{account_id}/access/apps` uses the same pattern. `GET /client/v4/zones/{zone_id}/settings` returns a complete settings object in a single response.
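The page-walking logic described above, as an added example rather than SureCloud's own client code. It sends the API token as a Bearer header and increments `page` until `result_info.total_pages` is reached, stopping on the first unsuccessful envelope instead of looping. `http_get` is a real transport over `urllib`; `fake_transport` and the sample zone pages are constructed so the example runs offline, and the token value is a placeholder.

```python
"""Page-based pagination for Cloudflare v4 list endpoints.

Added example, not SureCloud's code. Assumes Cloudflare's documented response
envelope: {"success": bool, "errors": [...], "result": [...],
"result_info": {"page": n, "per_page": n, "total_pages": n, ...}}.
"""
import json
from urllib.parse import parse_qs, urlencode, urlparse
from urllib.request import Request, urlopen

API_BASE = "https://api.cloudflare.com/client/v4"


def http_get(url: str, token: str) -> dict:
    """Real transport: authenticated GET returning the parsed JSON envelope."""
    req = Request(url, headers={"Authorization": f"Bearer {token}",
                                "Content-Type": "application/json"})
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fetch_all(path: str, token: str, per_page: int = 50, transport=http_get) -> list:
    """Walk a page-based list endpoint, incrementing `page` until
    result_info.total_pages is reached. Raises on an unsuccessful envelope."""
    items = []
    page = 1
    while True:
        url = f"{API_BASE}{path}?{urlencode({'page': page, 'per_page': per_page})}"
        body = transport(url, token)
        if not body.get("success", False):
            raise RuntimeError(f"Cloudflare API error on {path} page {page}: {body.get('errors')}")
        items.extend(body.get("result") or [])
        info = body.get("result_info") or {}
        # A missing result_info (single-page endpoints) is treated as one page.
        total_pages = int(info.get("total_pages", 1))
        if page >= total_pages:
            return items
        page += 1


# --- constructed sample responses (not real Cloudflare data) ---
SAMPLE_ZONE_PAGES = {
    1: {"success": True, "errors": [],
        "result": [{"id": "zone-a", "name": "example.com"},
                   {"id": "zone-b", "name": "example.net"}],
        "result_info": {"page": 1, "per_page": 2, "total_pages": 2, "count": 2, "total_count": 3}},
    2: {"success": True, "errors": [],
        "result": [{"id": "zone-c", "name": "example.org"}],
        "result_info": {"page": 2, "per_page": 2, "total_pages": 2, "count": 1, "total_count": 3}},
}
REQUESTED = []  # URLs the fake transport was asked for, for inspection


def fake_transport(url: str, token: str) -> dict:
    """Offline stand-in for http_get that serves the constructed pages."""
    REQUESTED.append(url)
    page = int(parse_qs(urlparse(url).query)["page"][0])
    return SAMPLE_ZONE_PAGES[page]


def list_zone_names(transport=fake_transport) -> list:
    """Enumerate zone names across all pages (placeholder token, not a real credential)."""
    REQUESTED.clear()
    zones = fetch_all("/zones", "TOKEN-PLACEHOLDER", per_page=2, transport=transport)
    return [z["name"] for z in zones]


if __name__ == "__main__":
    print(list_zone_names())
```

To run it against a real account, pass `transport=http_get` and a scoped read-only token; the same `fetch_all` serves `/zones/{zone_id}/dns_records` and `/accounts/{account_id}/access/apps`, which use the same page/total_pages pattern.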

## Required permissions

SureCloud requires a Cloudflare API token with the following scoped permissions:

| Resource                                       | Permission |
| ---------------------------------------------- | ---------- |
| Zone → Zone                                    | Read       |
| Zone → WAF                                     | Read       |
| Zone → DNS                                     | Read       |
| Zone → SSL and Certificates                    | Read       |
| Account → Cloudflare Access: Apps and Policies | Read       |
| Account → Account Settings                     | Read       |

No write, purge, or configuration-change permissions are required.

## Polling frequency

| Data Type                                    | Interval       |
| -------------------------------------------- | -------------- |
| Zone security settings and WAF configuration | Every 24 hours |
| DNS records                                  | Every 24 hours |
| SSL/TLS certificate status                   | Every 24 hours |
| Cloudflare Access applications and policies  | Every 24 hours |

## Troubleshooting

<details>

<summary>Connection test returns "Invalid API Token" or 403 Forbidden</summary>

The API token is invalid, has been revoked, or is missing required permissions. Navigate to **Cloudflare → My Profile → API Tokens** and confirm that the token is active and has all the required permissions listed above. Regenerate the token if necessary and update it in **SureCloud → Integrations → Cloudflare → Edit Connection**.

</details>

<details>

<summary>Some zones are missing from SureCloud's data collection</summary>

If the API token was created with zone restrictions (specific zones rather than All Zones), only those zones will be returned. Update the token's zone resource scope in **Cloudflare → My Profile → API Tokens → [Token Name] → Edit** to include all required zones.

</details>

<details>

<summary>Cloudflare Access data is empty</summary>

Access application and policy data requires the **Account → Cloudflare Access: Apps and Policies → Read** permission on the token. If this permission was not included when the token was created, Access data will not be collected. Create a new token with the correct permissions — Cloudflare does not allow permissions to be added to an existing token.

</details>

<details>

<summary>WAF rules endpoint returns empty results</summary>

WAF availability depends on your Cloudflare plan. The WAF packages and rules endpoints require a Pro, Business, or Enterprise plan. If your zones are on a Free plan, WAF data will not be available via the API. Check your Cloudflare plan level in the dashboard.

</details>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://surecloud.gitbook.io/surecloud-docs/integrations/ccm-and-evidence-collection-integrations/cloudflare.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.
