Prowler for Cloudflare allows you to scan your Cloudflare zones for security misconfigurations, including SSL/TLS settings, DNSSEC, HSTS, and more.

Prerequisites

Before running Prowler with the Cloudflare provider, ensure you have:
  1. A Cloudflare account with at least one zone
  2. One of the following authentication methods configured (see Authentication):
    • An API Token (recommended)
    • An API Key + Email (legacy)

Quick Start

Step 1: Set Up Authentication

The recommended method is using an API Token via environment variable:
export CLOUDFLARE_API_TOKEN="your-api-token-here"
Alternatively, use API Key + Email:
export CLOUDFLARE_API_KEY="your-api-key-here"
export CLOUDFLARE_API_EMAIL="your-email@example.com"

Step 2: Run Prowler

Run a scan across all your Cloudflare zones:
prowler cloudflare
That’s it! Prowler will automatically discover all zones in your account and run security checks against them.

Authentication

Prowler reads Cloudflare credentials from environment variables. Set your credentials before running Prowler:

API Token (Recommended):
export CLOUDFLARE_API_TOKEN="your-api-token-here"
prowler cloudflare
API Key + Email (Legacy):
export CLOUDFLARE_API_KEY="your-api-key-here"
export CLOUDFLARE_API_EMAIL="your-email@example.com"
prowler cloudflare

Filtering Zones

By default, Prowler scans all zones accessible with your credentials:
prowler cloudflare
To scan only specific zones, use the -f, --region, or --filter-region argument:
prowler cloudflare -f example.com
You can specify multiple zones:
prowler cloudflare -f example.com example.org
You can also use zone IDs instead of domain names:
prowler cloudflare -f 023e105f4ecef8ad9ca31a8372d0c353

Configuration

Prowler uses a configuration file to customize provider behavior. The Cloudflare configuration includes:
cloudflare:
  # Maximum number of retries for API requests (default is 2)
  max_retries: 2
To use a custom configuration:
prowler cloudflare --config-file /path/to/config.yaml
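
For scheduled or CI scans, the authentication, zone filter and configuration options above can be combined behind a preflight check that fails before the scan starts if the credentials in the environment are missing, incomplete or ambiguous. This is an added example, not part of Prowler or its documentation. The function names, exit codes and the PROWLER_CONFIG variable are assumptions, and refusing to run when both methods are set is this example's own policy.

```shell
# Added example: preflight wrapper for `prowler cloudflare` (POSIX sh).
# Variable names and the -f / --config-file flags are from the page;
# cf_auth_method, cf_scan and PROWLER_CONFIG are hypothetical names.

# Print the auth method the environment provides: "token" or "legacy".
# Exit codes (this example's own): 1 = no credentials, 2 = both methods set
# (refuse rather than guess which one the scan would use), 3 = legacy pair
# incomplete.
cf_auth_method() {
  if [ -n "${CLOUDFLARE_API_TOKEN:-}" ]; then
    if [ -n "${CLOUDFLARE_API_KEY:-}" ] || [ -n "${CLOUDFLARE_API_EMAIL:-}" ]; then
      echo "error: API token and legacy key/email are both set" >&2
      return 2
    fi
    echo token
    return 0
  fi
  if [ -n "${CLOUDFLARE_API_KEY:-}" ] && [ -n "${CLOUDFLARE_API_EMAIL:-}" ]; then
    echo legacy
    return 0
  fi
  if [ -n "${CLOUDFLARE_API_KEY:-}" ] || [ -n "${CLOUDFLARE_API_EMAIL:-}" ]; then
    echo "error: legacy auth needs CLOUDFLARE_API_KEY and CLOUDFLARE_API_EMAIL" >&2
    return 3
  fi
  echo "error: no Cloudflare credentials in the environment" >&2
  return 1
}

# Run the scan. Arguments are zone names or zone IDs; none means all zones.
# Credentials stay in the environment and never appear on the command line.
cf_scan() {
  method=$(cf_auth_method) || return $?
  echo "auth method: $method" >&2
  if [ "$#" -gt 0 ]; then set -- -f "$@"; fi
  if [ -n "${PROWLER_CONFIG:-}" ]; then
    set -- "$@" --config-file "$PROWLER_CONFIG"
  fi
  prowler cloudflare "$@"
}

# Usage: cf_scan example.com example.org
```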
