Prowler for Cloudflare scans zones for security misconfigurations, including SSL/TLS settings, DNSSEC, HSTS, WAF rules, DNS records, and more.

Prerequisites

Set up authentication for Cloudflare with the Cloudflare Authentication guide before starting either path:
  • Create a Cloudflare User API Token (recommended) or locate the Global API Key
  • Grant the required read-only permissions (Account Settings:Read, Zone:Read, Zone Settings:Read, DNS:Read)
  • Identify the Cloudflare Account ID to use as the provider identifier

Prowler Cloud

Added in: 5.19.0

Step 1: Locate the Account ID

  1. Log into the Cloudflare Dashboard.
  2. Select any zone in the target account.
  3. On the zone overview page, find the Account ID in the right sidebar under the “API” section.
The Account ID is a 32-character hexadecimal string (e.g., 372e67954025e0ba6aaa6d586b9e0b59). This value acts as the unique identifier for the Cloudflare account in Prowler Cloud.

Step 2: Open Prowler Cloud

  1. Go to Prowler Cloud or launch Prowler App.
  2. Navigate to “Configuration” > “Cloud Providers”.
  3. Click “Add Cloud Provider”.
  4. Select “Cloudflare”.
  5. Add the Account ID and an optional alias, then click “Next”.

Step 3: Choose and Provide Authentication

After the Account ID is in place, select the authentication method that matches the Cloudflare setup:
  1. Select API Token.
  2. Enter the User API Token created in the Cloudflare Dashboard.
Use this method for scoped, least-privilege access. Full setup steps are in the Authentication guide.

API Key and Email Authentication (Legacy)

  1. Select API Key + Email.
  2. Enter the Global API Key.
  3. Enter the email address associated with the Cloudflare account.
For the complete setup workflow, follow the Authentication guide.

Step 4: Launch the Scan

  1. Review the summary.
  2. Click Launch Scan to start auditing Cloudflare.

Prowler CLI

Added in: 5.17.0

Step 1: Set Up Authentication

Choose the matching method from the Cloudflare Authentication guide:
  • User API Token (recommended): Set CLOUDFLARE_API_TOKEN
  • API Key + Email (legacy): Set CLOUDFLARE_API_KEY and CLOUDFLARE_API_EMAIL

Step 2: Run the First Scan

Run a baseline scan after credentials are configured:
prowler cloudflare
Prowler automatically discovers all zones accessible with the provided credentials and runs security checks against them.

Step 3: Filter the Scan Scope (Optional)

Filter by Zone

To scan only specific zones, use the -f, --region, or --filter-region argument:
prowler cloudflare -f example.com
Multiple zones can be specified:
prowler cloudflare -f example.com example.org
Zone IDs are also supported:
prowler cloudflare -f 023e105f4ecef8ad9ca31a8372d0c353

Filter by Account

To restrict the scan to specific accounts, use the --account-id argument:
prowler cloudflare --account-id 372e67954025e0ba6aaa6d586b9e0b59
Multiple account IDs can be specified:
prowler cloudflare --account-id 372e67954025e0ba6aaa6d586b9e0b59 9a7806061c88ada191ed06f989cc3dac
If any of the provided account IDs are not accessible with the current credentials, Prowler raises an error and stops execution.
Account and zone filtering can be combined to narrow the scan scope further:
prowler cloudflare --account-id 372e67954025e0ba6aaa6d586b9e0b59 -f example.com
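
A pre-flight check for CLI Steps 1 to 3, as an added example that is not part of Prowler or its documentation: it reports which credential set the environment provides, checks that each --account-id value has the 32-character hexadecimal shape, and prints the resulting command for review. The function names and the refusal of mixed token and key credentials are choices of this example, not Prowler behavior.

```shell
#!/bin/sh
# Added example, not part of Prowler: pre-flight checks for `prowler cloudflare`.

# Print the credential set found in the environment; non-zero if unusable.
cf_auth_method() {
  if [ -n "${CLOUDFLARE_API_TOKEN:-}" ]; then
    if [ -n "${CLOUDFLARE_API_KEY:-}" ] || [ -n "${CLOUDFLARE_API_EMAIL:-}" ]; then
      echo "ambiguous"; return 2   # this example's policy: refuse mixed credentials
    fi
    echo "token"; return 0
  fi
  if [ -n "${CLOUDFLARE_API_KEY:-}" ] && [ -n "${CLOUDFLARE_API_EMAIL:-}" ]; then
    echo "legacy"; return 0
  fi
  echo "missing"; return 1
}

# Succeed only when $1 is a 32-character hexadecimal string (Account ID shape).
cf_is_hex_id() {
  case "$1" in
    ""|*[!0-9a-fA-F]*) return 1 ;;
  esac
  [ "${#1}" -eq 32 ]
}

# Usage: cf_preflight "<account ids>" "<zone filters>"  (space-separated, may be empty)
# Prints the command line for review; it does not run Prowler.
cf_preflight() {
  method=$(cf_auth_method) || { echo "error: credentials $method" >&2; return 1; }
  if [ "$method" = "legacy" ]; then
    echo "warning: Global API Key is unscoped; prefer CLOUDFLARE_API_TOKEN" >&2
  fi
  cmd="prowler cloudflare"
  if [ -n "$1" ]; then
    for id in $1; do
      cf_is_hex_id "$id" || { echo "error: malformed account id: $id" >&2; return 1; }
    done
    cmd="$cmd --account-id $1"
  fi
  if [ -n "$2" ]; then cmd="$cmd -f $2"; fi
  echo "$cmd"
}
```

Zone filters are passed through unchecked because -f accepts both zone names and zone IDs.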

Step 4: Use a Custom Configuration (Optional)

Prowler uses a configuration file to customize provider behavior. The Cloudflare configuration includes:
cloudflare:
  # Maximum number of retries for API requests (default is 2)
  max_retries: 2
To use a custom configuration:
prowler cloudflare --config-file /path/to/config.yaml