To Cloudflare customers: Are you using Argo/Cloudflare Tunnel to connect to your origin server? Have you set up authenticated origin pulls with a customer-generated certificate (not the Cloudflare cert, that doesn't help)? If you answered no to both questions, then all of your Cloudflare security measures can be bypassed.

This includes your WAF, page rules, firewall, DDoS protection... it's all irrelevant if you don't set up your zone carefully, and even the Cloudflare documentation itself doesn't (currently) make this point super clear. And, for security, these best practices should be excruciatingly clear.

read more