Cloudflare Global API Key

cloudflare_auth_email

Severity

high

Vendor

Cloudflare

Family

API Token

Description

Cloudflare is a content delivery network and DDoS mitigation company, founded in 2010. It primarily acts as a reverse proxy between a website’s visitor and the Cloudflare customer’s hosting provider.

Security

Any hardcoded Cloudaflare Global API Key associated to an email address is a potential secret reported by this detector.

Accidentally checking-in the key to source control repositories could compromise your Cloudaflare account.

Suspicious activity can be checked against the Audit Logs.

Examples

CLOUDFLARE_API_TOKEN=7vyAC_eMLN-wQfDoBVGMm90-Jnw8UK__7m3456afc

Mitigation / Fix

Follow your policy for handling leaked secrets, which typically require revoking the Cloudflare Global API Key in the target system(s). The Global API Key and CA key can only be changed from the API Keys section in the Cloudflare dashboard.
Replace the hard-coded Global API Key with a more secure alternative, such as one of the options documented in How to Prevent Hard-Coded Secrets.
If under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

Reference

Cloudflare API.
API Keys section in Cloudflare dashboard.