Added in: 5.17.0

Prowler for Cloudflare allows you to scan your Cloudflare zones for security misconfigurations, including SSL/TLS settings, DNSSEC, HSTS, and more.

Prerequisites

Before running Prowler with the Cloudflare provider, ensure you have:
  1. A Cloudflare account with at least one zone
  2. One of the following authentication methods configured (see Authentication):
    • An API Token (recommended)
    • An API Key + Email (legacy)

Quick Start

Step 1: Set Up Authentication

The recommended method is using an API Token via environment variable:
export CLOUDFLARE_API_TOKEN="your-api-token-here"
Alternatively, use API Key + Email:
export CLOUDFLARE_API_KEY="your-api-key-here"
export CLOUDFLARE_API_EMAIL="your-email@example.com"

Step 2: Run Prowler

Run a scan across all your Cloudflare zones:
prowler cloudflare
That’s it! Prowler will automatically discover all zones in your account and run security checks against them.

Authentication

Prowler reads Cloudflare credentials from environment variables. Set your credentials before running Prowler.
API Token (Recommended):
export CLOUDFLARE_API_TOKEN="your-api-token-here"
prowler cloudflare
API Key + Email (Legacy):
export CLOUDFLARE_API_KEY="your-api-key-here"
export CLOUDFLARE_API_EMAIL="your-email@example.com"
prowler cloudflare

Filtering Zones

By default, Prowler scans all zones accessible with your credentials:
prowler cloudflare
To scan only specific zones, use the -f, --region, or --filter-region argument:
prowler cloudflare -f example.com
You can specify multiple zones:
prowler cloudflare -f example.com example.org
You can also use zone IDs instead of domain names:
prowler cloudflare -f 023e105f4ecef8ad9ca31a8372d0c353

Filtering Accounts

By default, Prowler scans all accounts accessible with your credentials. If your API Token or API Key has access to multiple Cloudflare accounts, you can restrict the scan to specific accounts using the --account-id argument:
prowler cloudflare --account-id 372e67954025e0ba6aaa6d586b9e0b59
You can specify multiple account IDs:
prowler cloudflare --account-id 372e67954025e0ba6aaa6d586b9e0b59 9a7806061c88ada191ed06f989cc3dac
If any of the provided account IDs are not found among the accounts accessible with your credentials, Prowler will raise an error and stop execution.
You can combine account and zone filtering to narrow the scan scope further:
prowler cloudflare --account-id 372e67954025e0ba6aaa6d586b9e0b59 -f example.com
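
For scheduled or CI scans, the credential and scope rules from the Authentication and filtering sections can be checked before Prowler starts. The following is an added example, not part of Prowler or its documentation: the function names, the policy of rejecting a token mixed with legacy variables, and the 32-hex-character ID format (taken from the IDs shown on this page) are assumptions of the example.

```shell
# Added example: pre-flight checks for a scheduled `prowler cloudflare` run.
# Function names and the reject-mixed-credentials policy are assumptions.

# Print the auth method the environment selects; fail if none or mixed.
cf_auth_method() {
  _tok=${CLOUDFLARE_API_TOKEN:-} _key=${CLOUDFLARE_API_KEY:-} _mail=${CLOUDFLARE_API_EMAIL:-}
  if [ -n "$_tok" ] && [ -n "$_key$_mail" ]; then
    echo "ambiguous"; return 1   # token plus leftover legacy variables
  elif [ -n "$_tok" ]; then
    echo "token"
  elif [ -n "$_key" ] && [ -n "$_mail" ]; then
    echo "key+email"
  else
    echo "missing"; return 1     # nothing set, or key without email
  fi
}

# True when $1 looks like an account or zone ID (assumed: 32 lowercase hex).
cf_is_id() { printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{32}$'; }

# Classify one -f value as a zone ID or a syntactically valid domain name.
cf_filter_kind() {
  if cf_is_id "$1"; then
    echo "zone-id"
  elif printf '%s\n' "$1" | grep -Eiq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z0-9-]{2,}$'; then
    echo "domain"
  else
    echo "invalid"; return 1
  fi
}

# Print the scan command for space-separated account IDs ($1) and zones ($2).
cf_build_cmd() (
  set -f   # no globbing while splitting the lists (subshell, does not leak)
  cmd="prowler cloudflare"
  [ -z "$1" ] || cmd="$cmd --account-id"
  for a in $1; do
    cf_is_id "$a" || { echo "bad account id: $a" >&2; exit 1; }
    cmd="$cmd $a"
  done
  [ -z "$2" ] || cmd="$cmd -f"
  for z in $2; do
    cf_filter_kind "$z" >/dev/null || { echo "bad zone filter: $z" >&2; exit 1; }
    cmd="$cmd $z"
  done
  echo "$cmd"
)
```

Call cf_auth_method first and stop the job if it fails, then run the command line that cf_build_cmd prints.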

Configuration

Prowler uses a configuration file to customize provider behavior. The Cloudflare configuration includes:
cloudflare:
  # Maximum number of retries for API requests (default is 2)
  max_retries: 2
To use a custom configuration:
prowler cloudflare --config-file /path/to/config.yaml
