Cloudflare Credentials

ID

cloudflare_token

Severity

critical

Vendor

Cloudflare

Family

API Token

Description

Cloudflare is a content delivery network and DDoS mitigation company, founded in 2010. It primarily acts as a reverse proxy between a website’s visitor and the Cloudflare customer’s hosting provider.

Security

Any hardcoded Cloudaflare API Token is a potential secret reported by this detector.

Accidentally checking-in the key to source control repositories could compromise your Cloudflare account.

Suspicious activity can be checked against the Audit Logs.

Examples

CLOUDFLARE_APIKEY=6gqfvaf6db293pt5kfhgor643e7omy136o2qj

Mitigation / Fix

  1. Follow your policy for handling leaked secrets, which typically require revoking the API token in CloudFlare. To revoke an API token both Cloudflare Dashboard at https://dash.cloudflare.com/profile/api-tokens (logged as the token owner), or the API can be used, see Delete Token. The Global API key and CA key can only be changed from Cloudflare Dashboard.

  2. Optionally, remove the leaked token from the source code or committed configuration file.

    If under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

Reference

https://api.cloudflare.com/