Cloudflare Credentials

ID

cloudflare_ca_key

Severity

critical

Vendor

Cloudaflare

Family

Other

Description

Cloudflare is a content delivery network and DDoS mitigation company, founded in 2010. It primarily acts as a reverse proxy between a website’s visitor and the Cloudflare customer’s hosting provider.

Security

Any hardcoded Cloudaflare CA Key is a potential secret reported by this detector.

Accidentally checking-in the key to source control repositories could compromise your Cloudaflare account.

Suspicious activity can be checked against the Audit Logs.

Examples

CLOUDFLARE_CA_KEY=v1.0-jrgq925hgsqxavh4rum4he5wk4g2szv6jrb4jtw2c658ne2sc4q8st6bjkzbfj4u-jrgq925hgsqxavh4rum4he5wk4g2szv6jrb4jtw2c658ne2sc4q8st6bjkzbfj4ujrgq925hgsqxavh4rum4he5wk4g2szv6jrb4jtw2c658ne2sc4q8st6bjkzbfj4ujrgq925hgsqxavh4rum4he5wk4g2szv6jrb4jtw2c658ne2sc4q8st6bjkzbfj4uj

Mitigation / Fix

  1. Remove the Keys from the source code or committed configuration file.

  2. Follow your policy for handling leaked secrets, which typically require revoking the secret in the target system(s). To revoke an API token both Cloudflare Dashboard or the API can be used, see Delete Tokens. The Global API key and CA key can only be changed from Cloudflare’s dashboard.

  3. If under a git repository, you may remove unwanted files from the repository history using tools like git filter-repo or BFG Repo-Cleaner. You may follow the procedure listed here for GitHub.

You should consider any sensitive data in commits with secrets as compromised.

Remember that secrets may be removed from history in your projects, but not in other users' cloned or forked repositories.

Reference

https://api.cloudflare.com/