
Cloudflare integration guide

Last updated on Jan 14, 2026

Overview

Humadroid's Cloudflare integration automatically collects compliance evidence from your Cloudflare account. Once connected, it continuously monitors your zones' security configurations, SSL/TLS settings, WAF rules, and DDoS protection, gathering evidence that satisfies controls for SOC 2 and ISO 27001 compliance frameworks.

Key Benefits

  • Automated evidence collection - No more manual screenshots or exports

  • Compliance-focused collection - Evidence collected on schedule (daily or weekly)

  • Auto-verification - All evidence sources are automatically checked against compliance rules

  • Multi-framework support - Single integration satisfies controls across SOC 2 and ISO 27001

Security Model

  • Read-only access - The integration only reads configuration and cannot modify your Cloudflare settings, provided the token is created with only the Read permissions listed under Cloudflare Permissions Required

  • API token authentication - A scoped API token rather than the Global API Key, which would grant full access to the whole account

  • Zone-level permissions - Access is limited to the zones you include in the token's Zone Resources, and within those to the zones you select in Humadroid

  • Audit trail - Token creation and changes appear in Cloudflare's audit log (Business+ plans); note that the audit log records configuration changes, not read requests, so routine evidence collection does not generate audit entries


Evidence Sources

The Cloudflare integration collects 11 distinct evidence types across four categories:

SSL/TLS & Encryption

SSL/TLS Mode

  • Description: Verifies SSL/TLS encryption mode for all zones (off, flexible, full, strict)

  • Frequency: Daily

  • Auto-Verify: Yes

Minimum TLS Version

  • Description: Verifies minimum TLS version setting for all zones

  • Frequency: Daily

  • Auto-Verify: Yes

HSTS Configuration

  • Description: Collects HTTP Strict Transport Security settings including max-age, includeSubDomains, and preload

  • Frequency: Daily

  • Auto-Verify: Yes

Certificate Status

  • Description: Monitors SSL certificate validity and expiration status

  • Frequency: Daily

  • Auto-Verify: Yes

Web Application Firewall

WAF Configuration

  • Description: Collects WAF configuration including managed rules, custom rules, and security settings

  • Frequency: Daily

  • Auto-Verify: Yes

Access Rules

  • Description: Collects IP access rules and firewall access control configurations

  • Frequency: Daily

  • Auto-Verify: Yes

DDoS & Bot Protection

DDoS Protection Status

  • Description: Verifies DDoS protection is enabled (always on for Cloudflare-proxied traffic)

  • Frequency: Daily

  • Auto-Verify: Yes

Rate Limiting Rules

  • Description: Collects rate limiting rule configurations

  • Frequency: Daily

  • Auto-Verify: Yes

Bot Protection Status

  • Description: Collects bot protection settings including bot fight mode and managed bot protection

  • Frequency: Daily

  • Auto-Verify: Yes

DNS Security

DNSSEC Status

  • Description: Verifies DNSSEC is enabled for DNS security

  • Frequency: Daily

  • Auto-Verify: Yes

Security Headers

  • Description: Collects security header configurations (HSTS, X-Content-Type-Options, X-Frame-Options)

  • Frequency: Daily

  • Auto-Verify: Yes


SOC 2 Control Coverage

The Cloudflare integration provides evidence for the following SOC 2 (2017) Trust Services Criteria:

CC6 - Logical and Physical Access Controls

CC6.1 - Logical Access Security

The entity implements logical access security software, infrastructure, and architectures to protect information assets

  • SSL/TLS Mode - Encryption between visitor and edge, and in full or strict mode also between edge and origin, protects data in transit

  • TLS Version - A minimum TLS version stops clients from negotiating deprecated protocol versions (TLS 1.0 and 1.1)

  • Certificate Status - Valid, unexpired certificates let clients authenticate the edge before sending data

CC6.6 - Logical Access Security Measures

The entity implements controls to prevent or detect and act upon unauthorized logical access

  • WAF Configuration - Web Application Firewall blocks requests matching managed and custom rules

  • Access Rules - IP, country and ASN-based rules restrict unauthorized access

  • Rate Limiting - Throttles brute force and credential stuffing attempts

  • Bot Protection - Detects and blocks malicious automated traffic

  • Security Headers - X-Frame-Options mitigates clickjacking; X-Content-Type-Options stops MIME-type sniffing

CC6.7 - Data Transmission Controls

The entity restricts transmission and movement of data

  • SSL/TLS Mode - Encryption protects data during transmission

  • TLS Version - Strong protocols ensure secure data transfer

  • HSTS Configuration - Forces HTTPS so a network attacker cannot downgrade returning visitors to plaintext HTTP (SSL stripping)

  • Certificate Status - Valid certificates authenticate the endpoint; together with TLS record protection this prevents tampering in transit

CC7 - System Operations

CC7.1 - Security Monitoring

The entity monitors system components for anomalies and security events

  • WAF Configuration - Monitors and logs security threats

  • Bot Protection - Monitors for malicious bot activity

  • DDoS Protection - Monitors for DDoS attacks

A1 - Availability

A1.2 - Recovery Procedures

The entity's recovery procedures support system recovery in accordance with recovery objectives

  • DDoS Protection - Mitigates volumetric and application-layer availability attacks

  • DNSSEC Status - Signs DNS responses so resolvers can detect forged records (cache poisoning) and keep directing users to the legitimate endpoint


ISO 27001:2022 Control Coverage

The Cloudflare integration provides evidence for the following ISO 27001:2022 Annex A controls:

A.5 - Organizational Controls

A.5.15 - Access Control

Rules to control physical and logical access to information and other associated assets shall be established and implemented

  • WAF Configuration - Access control via web application firewall

  • Access Rules - IP-based access restrictions

A.8 - Technological Controls

A.8.3 - Information Access Restriction

Access to information and other associated assets shall be restricted

  • WAF Configuration - Restricts access to web applications

  • Access Rules - IP, country, and ASN-based access controls

A.8.20 - Networks Security

Networks and network devices shall be secured, managed and controlled

  • WAF Configuration - Web application layer security

  • DDoS Protection - Network-level attack protection

  • Rate Limiting - Network traffic controls

  • Bot Protection - Automated traffic filtering

  • DNSSEC Status - DNS security extensions

  • Security Headers - HTTP security headers

A.8.24 - Use of Cryptography

Rules for the effective use of cryptography, including cryptographic key management, shall be defined and implemented

  • SSL/TLS Mode - Encryption mode configuration

  • TLS Version - Cryptographic protocol version

  • HSTS Configuration - Enforced HTTPS communication

  • Certificate Status - Certificate management and validity


Verification Rules

Auto-verified evidence sources are checked against the following compliance thresholds:

SSL/TLS Mode

  • Minimum SSL mode: Full (configurable)

  • Options: off, flexible, full, strict

  • Recommended: Strict (shown as Full (strict) in the dashboard). Flexible sends traffic to the origin in plaintext, and Full encrypts it but does not validate the origin certificate, so only Strict protects the edge-to-origin leg against an impostor origin

TLS Version

  • Minimum TLS version: 1.2 (configurable)

  • Options: 1.0, 1.1, 1.2, 1.3

  • Recommended: 1.2 or higher

HSTS Configuration

  • HSTS enabled: Required

  • Include subdomains: Required

  • Minimum max-age: 31536000 seconds (1 year)

  • Preload: Recommended (not required by default). Setting the flag alone does not preload the domain; it must also be submitted to the browser preload list, which requires a max-age of at least one year and includeSubDomains

Certificate Status

  • Valid certificate: Required

  • Minimum days until expiry: 30 days (configurable)

  • Universal SSL: Recommended

WAF Configuration

  • WAF enabled: Required

  • Managed rules configured: Required

DDoS Protection

  • DDoS protection active: Required (automatic for proxied zones)

Rate Limiting

  • Rate limiting configured: Recommended (not required by default)

Bot Protection

  • Bot protection enabled: Required (bot management or browser check)

  • Advanced Bot Management: Not required by default

DNSSEC Status

  • DNSSEC enabled: Required

Access Rules

  • Block rules configured: Recommended (not required by default)

Security Headers

  • HSTS header: Required

  • X-Content-Type-Options: Required

  • X-Frame-Options: Recommended (not required by default)
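The thresholds above can be applied to the raw zone settings directly. The following is an added example written for this guide, not Humadroid's own verifier. It reads the ssl, min_tls_version and security_header zone settings through Cloudflare's GET /zones/{zone_id}/settings/{setting_id} endpoint (Zone Settings: Read) and applies the defaults listed above; the threshold parameters are configurable as the page says. The sample evidence is constructed, not taken from a real zone, and the DNSSEC status and certificate expiry fields are assumed to have been fetched from the corresponding DNSSEC and certificate endpoints.

```python
"""Apply the page's verification thresholds to Cloudflare zone evidence."""
from __future__ import annotations

import json
import urllib.request
from datetime import datetime, timezone

API = "https://api.cloudflare.com/client/v4"

# Cloudflare encryption modes, weakest to strongest. "full" encrypts to the
# origin without validating its certificate; only "strict" validates it.
SSL_MODES = ["off", "flexible", "full", "strict"]
TLS_VERSIONS = ["1.0", "1.1", "1.2", "1.3"]


def fetch_setting(zone_id: str, setting_id: str, token: str) -> dict:
    """Read one zone setting with a scoped token (GET only). Not used offline."""
    req = urllib.request.Request(f"{API}/zones/{zone_id}/settings/{setting_id}",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        body = json.load(resp)
    if not body.get("success"):
        raise RuntimeError(body.get("errors"))
    return body["result"]          # {"id": setting_id, "value": ...}


def check_ssl_mode(value: str, minimum: str = "full") -> tuple[bool, str]:
    if value not in SSL_MODES:
        return False, f"unknown ssl mode {value!r}"
    ok = SSL_MODES.index(value) >= SSL_MODES.index(minimum)
    return ok, f"ssl={value} (minimum {minimum})"


def check_min_tls(value: str, minimum: str = "1.2") -> tuple[bool, str]:
    if value not in TLS_VERSIONS:
        return False, f"unknown tls version {value!r}"
    ok = TLS_VERSIONS.index(value) >= TLS_VERSIONS.index(minimum)
    return ok, f"min_tls_version={value} (minimum {minimum})"


def check_hsts(sec: dict, min_max_age: int = 31536000, require_subdomains: bool = True,
               require_preload: bool = False) -> tuple[bool, str]:
    """`sec` is the value of the `security_header` zone setting."""
    hsts = sec.get("strict_transport_security", {})
    problems = []
    if not hsts.get("enabled"):
        problems.append("HSTS disabled")
    if hsts.get("max_age", 0) < min_max_age:
        problems.append(f"max-age {hsts.get('max_age', 0)} < {min_max_age}")
    if require_subdomains and not hsts.get("include_subdomains"):
        problems.append("includeSubDomains off")
    if require_preload and not hsts.get("preload"):
        problems.append("preload off")
    if not hsts.get("nosniff"):                  # X-Content-Type-Options: nosniff
        problems.append("X-Content-Type-Options (nosniff) off")
    return not problems, "; ".join(problems) or "HSTS ok"


def check_cert_expiry(expires_on: str, now: datetime, min_days: int = 30) -> tuple[bool, str]:
    """`expires_on` is an RFC 3339 timestamp such as 2026-02-20T00:00:00Z."""
    exp = datetime.fromisoformat(expires_on.replace("Z", "+00:00"))
    days = (exp - now).days
    return days >= min_days, f"certificate expires in {days} days (minimum {min_days})"


def check_dnssec(status: str) -> tuple[bool, str]:
    return status == "active", f"dnssec status={status}"


def verify_zone(ev: dict, now: datetime) -> dict[str, tuple[bool, str]]:
    """Run every check with the page's default thresholds; returns name -> (pass, detail)."""
    return {
        "ssl_mode": check_ssl_mode(ev["ssl"]),
        "tls_version": check_min_tls(ev["min_tls_version"]),
        "hsts": check_hsts(ev["security_header"]),
        "certificate": check_cert_expiry(ev["cert_expires_on"], now),
        "dnssec": check_dnssec(ev["dnssec_status"]),
    }


# Constructed sample evidence shaped like the API responses (not a real zone):
# flexible mode and a one-day HSTS max-age should both fail.
SAMPLE_ZONE = {
    "ssl": "flexible",
    "min_tls_version": "1.2",
    "security_header": {"strict_transport_security": {
        "enabled": True, "max_age": 86400, "include_subdomains": True,
        "preload": False, "nosniff": True}},
    "cert_expires_on": "2026-02-20T00:00:00Z",
    "dnssec_status": "active",
}
NOW = datetime(2026, 1, 14, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, (ok, detail) in verify_zone(SAMPLE_ZONE, NOW).items():
        print(f"{'PASS' if ok else 'FAIL'} {name}: {detail}")
```

Running the block against the sample prints a FAIL for ssl_mode (flexible is below the Full minimum) and for hsts (max-age 86400 is below one year), and PASS for the rest; pass `minimum="strict"` to `check_ssl_mode` to enforce the recommended setting rather than the default.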


Summary: Control Coverage Matrix

SOC 2 Controls by Evidence Source

SSL/TLS Mode

  • CC6.1: Yes

  • CC6.7: Yes

TLS Version

  • CC6.1: Yes

  • CC6.7: Yes

HSTS Configuration

  • CC6.7: Yes

Certificate Status

  • CC6.1: Yes

  • CC6.7: Yes

WAF Configuration

  • CC6.6: Yes

  • CC7.1: Yes

Access Rules

  • CC6.6: Yes

DDoS Protection

  • CC6.6: Yes

  • CC7.1: Yes

  • A1.2: Yes

Rate Limiting

  • CC6.6: Yes

Bot Protection

  • CC6.6: Yes

  • CC7.1: Yes

DNSSEC Status

  • A1.2: Yes

Security Headers

  • CC6.6: Yes

ISO 27001 Controls by Evidence Source

SSL/TLS Mode

  • A.8.24: Yes

TLS Version

  • A.8.24: Yes

HSTS Configuration

  • A.8.24: Yes

Certificate Status

  • A.8.24: Yes

WAF Configuration

  • A.5.15: Yes

  • A.8.3: Yes

  • A.8.20: Yes

Access Rules

  • A.5.15: Yes

  • A.8.3: Yes

DDoS Protection

  • A.8.20: Yes

Rate Limiting

  • A.8.20: Yes

Bot Protection

  • A.8.20: Yes

DNSSEC Status

  • A.8.20: Yes

Security Headers

  • A.8.20: Yes

Getting Started

To set up the Cloudflare integration:

  1. Navigate to Settings > Integrations > Cloudflare

  2. Click Connect Cloudflare Account

  3. Create an API token in your Cloudflare dashboard (see permissions below)

  4. Paste the API token and validate the connection

  5. Select the zones you want to monitor

  6. Enable evidence sources for your compliance controls


Cloudflare Permissions Required

Create a custom API token with the following permissions:

Zone Permissions (Read-only)

Zone → Zone → Read

  • Basic zone information for zone listing and status

Zone → Zone Settings → Read

  • Zone configuration for SSL mode, TLS version, HSTS

Zone → SSL and Certificates → Read

  • Certificate information for status and expiry monitoring

Zone → Firewall Services → Read

  • Firewall rules for access rules and rate limiting

Zone → WAF → Read

  • WAF configuration for status and managed rules

Zone → DNS → Read

  • DNS settings for DNSSEC status

Account Permissions (Read-only)

Account → Account Settings → Read

  • Account information for verification

Setup Instructions

  1. Log into your Cloudflare Dashboard

  2. Go to Profile → API Tokens → Create Token

  3. Click Create Custom Token

  4. Name the token "Humadroid Compliance Read-Only"

  5. Add the permissions listed above

  6. Set Zone Resources: Include → Specific zone for each zone you intend to monitor (Include all zones is simpler but grants read access to every zone in the account)

  7. Optionally set a TTL and Client IP Address Filtering on the token, then create it and copy it to Humadroid; the token value is shown only once


Cloudflare Plan Feature Matrix

Free Plan

Available features:

  • SSL/TLS Mode

  • Minimum TLS Version

  • HSTS Configuration

  • Certificate Status

  • DDoS Protection (Always On)

  • DNSSEC

  • Basic WAF

  • Bot Fight Mode

  • Access Rules

  • Security Headers

Not available:

  • Rate Limiting (requires Pro+)

Pro Plan

Includes all Free features, plus:

  • Rate Limiting (5 rules)

  • Enhanced WAF

  • Polish/Mirage

Business Plan

Includes all Pro features, plus:

  • Rate Limiting (Unlimited)

  • Page Shield

  • Audit Logs

  • Advanced WAF

Enterprise Plan

Includes all Business features, plus:

  • Advanced Bot Management

  • Logpush

  • Advanced DDoS Protection

  • Custom SSL


Troubleshooting

Common Issues

"Permission denied - API token needs 'Zone:WAF:Read' permission"

  • Your API token is missing the WAF read permission

  • Edit your token in Cloudflare to add: Zone → WAF → Read

"No accounts accessible with this token"

  • Your token doesn't have account-level read access

  • Add: Account → Account Settings → Read

"Authentication failed"

  • Check that your API token is correct and hasn't expired

  • Verify the token has the required permissions

Evidence showing 0 for all metrics

  • Ensure the selected zones have the features enabled

  • Some features require specific Cloudflare plans
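When a token fails with one of the errors above, the fastest way to tell a bad credential from a missing scope is to probe each read endpoint with GET requests only. The following is an added example for this guide, not Humadroid's code. The endpoint paths are Cloudflare's public API; the pairing of each path with a permission from the Cloudflare Permissions Required section is an assumption for illustration. Rather than parsing error text, the probe first validates the token with GET /user/tokens/verify and then attributes any 401/403 on a zone endpoint to the token's permissions or Zone Resources. The sample responses in the test are constructed.

```python
"""Probe a Cloudflare API token for the read-only scopes this guide requires (GET only)."""
from __future__ import annotations

import json
import urllib.error
import urllib.request

API = "https://api.cloudflare.com/client/v4"

# One read endpoint per required permission (assumed mapping, see lead-in).
PROBES = {
    "Zone:Zone:Read": "/zones/{zone}",
    "Zone:Zone Settings:Read": "/zones/{zone}/settings/ssl",
    "Zone:SSL and Certificates:Read": "/zones/{zone}/ssl/certificate_packs",
    "Zone:Firewall Services:Read": "/zones/{zone}/firewall/access_rules/rules",
    "Zone:WAF:Read": "/zones/{zone}/rulesets",
    "Zone:DNS:Read": "/zones/{zone}/dnssec",
    "Account:Account Settings:Read": "/accounts",
}


def get(token: str, path: str) -> tuple[int, dict]:
    """GET one endpoint; never raises on HTTP errors, returns (status, parsed body)."""
    req = urllib.request.Request(API + path, method="GET",
                                 headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        try:
            return err.code, json.load(err)
        except ValueError:                       # non-JSON error page
            return err.code, {"success": False, "errors": [{"message": err.reason}]}


def token_is_active(status: int, body: dict) -> bool:
    """Interpret GET /user/tokens/verify: success with result.status == 'active'."""
    return (status == 200 and bool(body.get("success"))
            and body.get("result", {}).get("status") == "active")


def classify(token_active: bool, status: int, body: dict) -> str:
    """Map a probe response to the troubleshooting categories used above."""
    if status == 200 and body.get("success"):
        return "ok"
    if not token_active:
        return "auth"            # "Authentication failed": wrong, expired or revoked token
    if status in (401, 403):
        return "permission"      # valid token that lacks this permission on this zone
    if status == 404:
        return "not_found"       # zone id wrong, or zone outside the token's Zone Resources
    return "other"


def probe(token: str, zone_id: str) -> dict[str, str]:
    """Return {permission: category} for every required scope. Network access required."""
    active = token_is_active(*get(token, "/user/tokens/verify"))
    return {perm: classify(active, *get(token, path.format(zone=zone_id)))
            for perm, path in PROBES.items()}


def missing(results: dict[str, str]) -> list[str]:
    """Permissions that still have to be added to the token."""
    return [perm for perm, cat in results.items() if cat == "permission"]


if __name__ == "__main__":
    import os
    import sys
    # usage: CF_API_TOKEN=... python probe.py <zone_id>
    results = probe(os.environ["CF_API_TOKEN"], sys.argv[1])
    for perm, cat in results.items():
        print(f"{cat:>10}  {perm}")
    if missing(results):
        print("add to token:", ", ".join(missing(results)))
```

Because every request is a GET, the probe is safe to run even with an over-privileged token; if it reports "auth" for every endpoint the token itself is the problem, whereas a single "permission" entry names the scope to add in the token editor.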


Support

If you need help with your Cloudflare integration:

