diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
index f11224200aaa7f..0a9205b3217cc4 100644
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@@ -4,17 +4,17 @@ # More dev-specific files -/.github/ @kodster28 @pedrosousa @haleycode @kristianfreeman @GregBrimble @KianNH @maxvp @marciocloudflare +/.github/ @kodster28 @pedrosousa @haleycode @kristianfreeman @GregBrimble @KianNH @maxvp @marciocloudflare @WalshyDev /.github/CODEOWNERS @cloudflare/pcx-technical-writing /.github/actions/assign-issue/index.js @cloudflare/pcx-technical-writing /.github/actions/assign-pr/index.js @cloudflare/pcx-technical-writing /.github/styles/cloudflare/spelling-exceptions.txt @cloudflare/pcx-technical-writing -/src/components/ @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @marciocloudflare @haleycode @maxvp @GregBrimble @KianNH -/functions/ @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @haleycode @marciocloudflare @maxvp @GregBrimble @KianNH -*.js @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @haleycode @maxvp @marciocloudflare @GregBrimble @KianNH -*.ts @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @haleycode @maxvp @marciocloudflare @GregBrimble @KianNH +/src/components/ @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @marciocloudflare @haleycode @maxvp @GregBrimble @KianNH @WalshyDev +/functions/ @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @haleycode @marciocloudflare @maxvp @GregBrimble @KianNH @WalshyDev +*.js @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @haleycode @maxvp @marciocloudflare @GregBrimble @KianNH @WalshyDev +*.ts @cloudflare/developer-advocacy @kristianfreeman @kodster28 @pedrosousa @haleycode @maxvp @marciocloudflare @GregBrimble @KianNH @WalshyDev /src/content/workers-ai-models/ @kodster28 @craigsdennis @pedrosousa @cloudflare/pcx-technical-writing -/public/_redirects @GregBrimble @KianNH @kodster28 @pedrosousa @cloudflare/pcx-technical-writing +/public/_redirects @GregBrimble @KianNH @kodster28 @pedrosousa @WalshyDev 
@cloudflare/pcx-technical-writing # AI diff --git a/astro.config.mjs b/astro.config.mjs index 3369fe654bc1d1..e42e3b55e64186 100644 --- a/astro.config.mjs +++ b/astro.config.mjs @@ -146,6 +146,7 @@ export default defineConfig({ }, sidebar: await autogenSections(), customCss: [ + "./src/asides.css", "./src/headings.css", "./src/input.css", "./src/kbd.css", diff --git a/public/_redirects b/public/_redirects index 70589baf477297..2ca453ce37cd6a 100644 --- a/public/_redirects +++ b/public/_redirects @@ -1180,8 +1180,14 @@ /turnstile/concepts/widget-types/ /turnstile/concepts/widget/ 301 # waf -/waf/about/file-scanning/ /waf/about/content-scanning/ 301 -/waf/about/waf-ml/ /waf/about/waf-attack-score/ 301 +/waf/about/ /waf/concepts/ 301 +/waf/about/content-scanning/ /waf/detections/malicious-uploads/ 301 +/waf/about/content-scanning/get-started/ /waf/detections/malicious-uploads/get-started/ 301 +/waf/about/content-scanning/example-rules/ /waf/detections/malicious-uploads/example-rules/ 301 +/waf/about/content-scanning/api-calls/ /waf/detections/malicious-uploads/api-calls/ 301 +/waf/about/file-scanning/ /waf/detections/malicious-uploads/ 301 +/waf/about/waf-attack-score/ /waf/detections/attack-score/ 301 +/waf/about/waf-ml/ /waf/detections/attack-score/ 301 /waf/alerts/ /waf/reference/alerts/ 301 /waf/custom-rules/custom-firewall/ /waf/custom-rules/ 301 /waf/custom-rules/custom-firewall/create-api/ /waf/custom-rules/create-api/ 301 
@@ -1523,6 +1529,7 @@
 /cloudflare-one/analytics/access/ /cloudflare-one/insights/analytics/access/ 301
 /cloudflare-one/analytics/gateway/ /cloudflare-one/insights/analytics/gateway/ 301
 /cloudflare-one/analytics/users/ /cloudflare-one/insights/logs/users/ 301
+/cloudflare-one/api-terraform/access-api-examples/azure-group/ /cloudflare-one/api-terraform/access-api-examples/entra-group/ 301
 /cloudflare-one/applications/non-http/arbitrary-tcp/ /cloudflare-one/applications/non-http/cloudflared-authentication/arbitrary-tcp/ 301
 /cloudflare-one/connections/connect-apps/configuration/ /cloudflare-one/connections/connect-networks/configure-tunnels/ 301
 /cloudflare-one/connections/connect-apps/install-and-setup/setup/ /cloudflare-one/connections/connect-networks/get-started/ 301
@@ -1601,6 +1608,7 @@
 /cloudflare-one/identity/devices/require-gateway/ /cloudflare-one/identity/devices/warp-client-checks/require-gateway/ 301
 /cloudflare-one/identity/devices/require-warp/ /cloudflare-one/identity/devices/warp-client-checks/require-warp/ 301
 /cloudflare-one/identity/devices/sentinel-one/ /cloudflare-one/identity/devices/warp-client-checks/sentinel-one/ 301
+/cloudflare-one/identity/idp-integration/azuread/ /cloudflare-one/identity/entra-id/ 301
 /cloudflare-one/identity/idp-integration/one-time-pin/ /cloudflare-one/identity/one-time-pin/ 301
 /cloudflare-one/identity/idp-integration/saml-centrify/ /cloudflare-one/identity/idp-integration/centrify-saml/ 301
 /cloudflare-one/identity/idp-integration/ping-saml/ /cloudflare-one/identity/idp-integration/pingfederate-saml/ 301
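Review bot: The rule added in the second hunk sends `/cloudflare-one/identity/idp-integration/azuread/` to `/cloudflare-one/identity/entra-id/`, but the other pages touched in this same change (warp-sessions and the AD FS caution) link the Entra ID guide at `/cloudflare-one/identity/idp-integration/entra-id/`, so the target appears to drop the `idp-integration/` segment. Unless the Entra ID page really was moved up one level, the line should read `/cloudflare-one/identity/idp-integration/azuread/ /cloudflare-one/identity/idp-integration/entra-id/ 301`. The renamed page itself is not part of this diff, so its actual location should be confirmed before merging.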
@@ -1630,6 +1638,8 @@
 /support/traffic/argo-tunnel/ /cloudflare-one/connections/connect-networks/ 301
 /support/traffic/argo-tunnel/exposing-applications-running-on-microsoft-azure-with-cloudflare-argo-tunnel/ /cloudflare-one/connections/connect-apps/deployment-guides/azure/ 301
 /cloudflare-docs/content/cloudflare-one/tutorials/area-1/ /cloudflare-one/applications/configure-apps/saas-apps/area-1/ 301
+/cloudflare-docs/content/cloudflare-one/tutorials/azuread-conditional-access/ /cloudflare-docs/content/cloudflare-one/tutorials/entra-id-conditional-access/ 301
+/cloudflare-docs/content/cloudflare-one/tutorials/azuread-risky-users/ /cloudflare-docs/content/cloudflare-one/tutorials/entra-id-risky-users/ 301
 /cloudflare-one/tutorials/zendesk-sso-saas/ /cloudflare-one/applications/configure-apps/saas-apps/zendesk-sso-saas/ 301
 /cloudflare-one/tutorials/docusign-access/ /cloudflare-one/applications/configure-apps/saas-apps/docusign-access/ 301
 /cloudflare-one/tutorials/hubspot-saas/ /cloudflare-one/applications/configure-apps/saas-apps/hubspot-saas/ 301
diff --git a/src/asides.css b/src/asides.css
new file mode 100644
index 00000000000000..71751b68cc447f
--- /dev/null
+++ b/src/asides.css
@@ -0,0 +1,36 @@
+.starlight-aside {
+ border: unset;
+ border-radius: 4px;
+
+ &.starlight-aside--note {
+ background-color: rgb(236, 244, 255);
+ }
+
+ &.starlight-aside--caution {
+ background-color: rgb(255, 248, 228);
+
+ }
+
+ .starlight-aside__title {
+ margin-left: 30px;
+
+ svg {
+ margin-left: -30px;
+ }
+ }
+
+ .starlight-aside__content {
+ margin-top: unset;
+ margin-left: 30px;
+ }
+}
+
+:root[data-theme="dark"] {
+ .starlight-aside--note {
+ background-color: rgb(0, 28, 67);
+ }
+
+ .starlight-aside--caution {
+ background-color: rgb(98, 73, 10);
+ }
+}
\ No newline at end of file
diff --git a/src/components/overrides/Sidebar.astro b/src/components/overrides/Sidebar.astro
index 48e454c9cc34b6..a614b80a2c8ec9 100644
--- a/src/components/overrides/Sidebar.astro
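Review bot: The two added rules keep the `/cloudflare-docs/content/` prefix on the destination as well as the source, so a match would redirect to `/cloudflare-docs/content/cloudflare-one/tutorials/entra-id-conditional-access/`, which is a repository path rather than a site URL; the neighbouring `area-1` rule strips that prefix from its destination, and the access-integrations table updated in this same change links `/cloudflare-one/tutorials/entra-id-conditional-access/`. The destinations should be `/cloudflare-one/tutorials/entra-id-conditional-access/` and `/cloudflare-one/tutorials/entra-id-risky-users/`. The old table linked the plain `/cloudflare-one/tutorials/azuread-conditional-access/` path, which has no rule here, so visitors arriving on that URL would likely get a 404; a rule from that source (and the matching `azuread-risky-users` one) appears to be missing as well.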
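Review bot: In the new `src/asides.css`, the `&.starlight-aside--caution` block has a stray blank line before its closing brace, and the diff reports `\ No newline at end of file`; both are formatting nits a formatter pass would catch. Removing the blank line and ending the file with a newline keeps the stylesheet tidy and avoids a spurious trailing-line change in the next edit.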
+++ b/src/components/overrides/Sidebar.astro @@ -86,6 +86,7 @@ async function handleGroup(group: Group): Promise { group.label = frontmatter.sidebar.group?.label ?? frontmatter.title; group.order = frontmatter.sidebar.order ?? Number.MAX_VALUE; + group.badge = frontmatter.sidebar.group?.badge; if (frontmatter.hideChildren) { return { @@ -205,20 +206,46 @@ const lookupProductTitle = async (slug: string) => { diff --git a/src/content/changelogs/security-center.yaml b/src/content/changelogs/security-center.yaml index b4d2f471d08f63..28c72f8e378124 100644 --- a/src/content/changelogs/security-center.yaml +++ b/src/content/changelogs/security-center.yaml @@ -12,3 +12,7 @@ entries: - publish_date: "2024-09-19" description: |- - Customers can now create a `security.txt` file file to provide the security research team with a standardized way to report vulnerabilities. + + - publish_date: "2024-09-23" + description: |- + - Customers can now export all matches from a saved query. Select your **Query name** > select the three dots > **Export matches**. \ No newline at end of file diff --git a/src/content/changelogs/waf-general.yaml b/src/content/changelogs/waf-general.yaml index f5d23b15b84818..d4bc9afba385e9 100644 --- a/src/content/changelogs/waf-general.yaml +++ b/src/content/changelogs/waf-general.yaml 
@@ -10,8 +10,8 @@ entries: - publish_date: "2024-08-29" title: Fixed occasional attack score mismatches description: |- - Fixed an issue causing score mismatches between the global [WAF attack score](/waf/about/waf-attack-score/) and subscores. In certain cases, subscores were higher (not an attack) than expected while the global attack score was lower than expected (attack), leading to false positives. + Fixed an issue causing score mismatches between the global [WAF attack score](/waf/detections/attack-score/) and subscores. In certain cases, subscores were higher (not an attack) than expected while the global attack score was lower than expected (attack), leading to false positives. - publish_date: "2024-05-23" title: Improved detection capabilities description: |- - [WAF attack score](/waf/about/waf-attack-score/) now automatically detects and decodes Base64 and JavaScript (Unicode escape sequences) in HTTP requests. This update is available for all customers with access to WAF attack score (Business customers with access to a single field and Enterprise customers). + [WAF attack score](/waf/detections/attack-score/) now automatically detects and decodes Base64 and JavaScript (Unicode escape sequences) in HTTP requests. This update is available for all customers with access to WAF attack score (Business customers with access to a single field and Enterprise customers). diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/azure-group.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/azure-group.mdx deleted file mode 100644 index 8c7d5cd90e3af3..00000000000000 --- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/azure-group.mdx +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -type: example -summary: Allow members of an Azure Group. The ID is the group UUID (`id`) in Azure. -tags: - - Azure® Group -title: Azure® Group -pcx_content_type: example -sidebar: - order: 4 -description: Allow members of an Azure Group. The ID is the group UUID (`id`) in Azure. - ---- - -Allow members of an Azure Group. The ID is the group UUID (*`id`*) in Azure: - -```json -{ - "azureAD": { - "id": "86773093-5feb-48dd-814b-7ccd3676ff50", - "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761" - } -} -``` diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/entra-group.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/entra-group.mdx new file mode 100644 index 00000000000000..0bfd23afa61a5f --- /dev/null +++ b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/entra-group.mdx @@ -0,0 +1,22 @@ +--- +type: example +summary: Allow members of a Microsoft Entra group. The ID is the group UUID (`id`) in Microsoft Entra ID. +tags: + - Microsoft Entra Group +title: Microsoft Entra Group +pcx_content_type: example +sidebar: + order: 4 +description: Allow members of a Microsoft Entra group. The ID is the group UUID (`id`) in Microsoft Entra ID. +--- + +Allow members of a Microsoft Entra group. The ID is the group UUID (`id`) in Microsoft Entra ID: + +```json +{ + "azureAD": { + "id": "86773093-5feb-48dd-814b-7ccd3676ff50", + "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761" + } +} +``` diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/github-org.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/github-org.mdx index 8fd28e126f0605..ee43dba8acc0e2 100644 --- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/github-org.mdx +++ b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/github-org.mdx 
@@ -2,20 +2,19 @@ type: example summary: Allow members of a specific GitHub organization. tags: - - GitHub™ Organization + - GitHub Organization title: GitHub™ Organization pcx_content_type: example sidebar: order: 4 description: Allow members of a specific GitHub organization. - --- ```json { - "github-organization": { - "name": "cloudflare", - "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761" - } + "github-organization": { + "name": "cloudflare", + "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761" + } } ``` diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/gsuite-group.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/gsuite-group.mdx index 2f8a06b1324605..6879330cf99b38 100644 --- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/gsuite-group.mdx +++ b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/gsuite-group.mdx @@ -2,20 +2,19 @@ type: example summary: Allow members of a specific G Suite group. tags: - - G Suite® Group -title: G Suite® Group + - G Suite Group +title: G Suite Group pcx_content_type: example sidebar: order: 4 description: Allow members of a specific G Suite group. - --- ```json { - "gsuite": { - "email": "admins@mycompanygsuite.com", - "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761" - } + "gsuite": { + "email": "admins@mycompanygsuite.com", + "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761" + } } ``` diff --git a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/okta-group.mdx b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/okta-group.mdx index b5a52d27cff686..d51cd6ca3cea3a 100644 --- a/src/content/docs/cloudflare-one/api-terraform/access-api-examples/okta-group.mdx +++ b/src/content/docs/cloudflare-one/api-terraform/access-api-examples/okta-group.mdx 
@@ -2,20 +2,19 @@ type: example summary: Allow members of an Okta Group. tags: - - Okta® Group -title: Okta® Group + - Okta Group +title: Okta Group pcx_content_type: example sidebar: order: 4 description: Allow members of an Okta Group. - --- ```json { - "okta": { - "name": "admins", - "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761" - } + "okta": { + "name": "admins", + "identity_provider_id": "ca298b82-93b5-41bf-bc2d-10493f09b761" + } } ``` diff --git a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx index 71bd68b59da52b..446dfec843ade6 100644 --- a/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx +++ b/src/content/docs/cloudflare-one/applications/configure-apps/saas-apps/generic-saml-saas.mdx @@ -45,7 +45,7 @@ Obtain the following URLs from your SaaS application account: :::note[IdP groups] -If you are using Okta, AzureAD, Google Workspace, or GitHub as your IdP, Access will automatically send a SAML attribute titled `groups` with all of the user's associated groups as attribute values. +If you are using Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, or GitHub as your IdP, Access will automatically send a SAML attribute titled `groups` with all of the user's associated groups as attribute values. ::: 11. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application. diff --git a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx index ef911298340293..2e025556381d13 100644 --- a/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx +++ b/src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx 
@@ -8,7 +8,7 @@ sidebar: text: New --- -import { Badge, Details, Tabs, TabItem, Render } from "~/components" +import { Badge, Details, Tabs, TabItem, Render } from "~/components"; Access for Infrastructure allows you to have granular control over how users access individual servers, clusters, or databases in your private network. By adding an infrastructure application to Cloudflare Access, you can configure how users authenticate to the resource as well as control and authorize the ports, protocols, and usernames that they can connect with. Access and command logs ensure regulatory compliance and allow for auditing of user activity in case of a security breach. @@ -37,13 +37,14 @@ Access for Infrastructure is available in early access and currently only suppor ### Selectors The following [Access policy selectors](/cloudflare-one/policies/access/#selectors) are available for securing infrastructure applications: + - Email - Emails ending in - SAML group - Country - Authentication method - Device posture -- Azure group, GitHub organization, Google Workspace group, Okta group +- Entra group, GitHub organization, Google Workspace group, Okta group ## 4. Configure the server @@ -63,8 +64,6 @@ To connect to targets that are in different VNETS, users will need to [switch th If a user is connected to a target in VNET-A and needs to connect to a target in VNET-B, switching their VNET will not break any existing connections to targets within VNET-A. At present, connections are maintained between VNETs. ::: - ## Revoke a user's session To revoke a user's access to all infrastructure targets, you can either [revoke the user from Zero Trust](/cloudflare-one/identity/users/session-management/#per-user) or revoke their device. Cloudflare does not currently support revoking a user's session for a specific target. - 
diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions.mdx index 72079539bbcd2f..c8d2f2b1559d59 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions.mdx @@ -3,10 +3,9 @@ pcx_content_type: how-to title: WARP sessions sidebar: order: 12 - --- -import { Render, Badge } from "~/components" +import { Render, Badge } from "~/components"; Cloudflare Zero Trust enforces WARP client reauthentication on a per-application basis, unlike legacy VPNs which treat it as a global setting. You can configure WARP session timeouts for your [Access applications](#configure-warp-sessions-in-access) or as part of your [Gateway policies](#configure-warp-sessions-in-gateway). 
@@ -52,10 +51,10 @@ If the user has an active browser session with the IdP, WARP will use the existi ### Supported IdPs -* [Azure AD](/cloudflare-one/identity/idp-integration/azuread/#force-user-interaction-during-warp-reauthentication) +- [Microsoft Entra ID](/cloudflare-one/identity/idp-integration/entra-id/#force-user-interaction-during-warp-reauthentication) ## Limitations -* **Only one user per device** — If a device is already registered with User A, User B will not be able to log in on that device through the re-authentication flow. To switch the device registration to a different user, User A must first log out from Zero Trust (if [Allow device to leave organization](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#allow-device-to-leave-organization) is enabled), or an admin can revoke the registration from **My Team** > **Devices**. User B can then properly [enroll](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/). -* **Active connections are not terminated** — Active sessions such as SSH and RDP will remain connected beyond the timeout limit. -* **Binding Cookie is not supported** - WARP authentication will not work for Access applications that have the [Binding Cookie](/cloudflare-one/identity/authorization-cookie/#binding-cookie) enabled. +- **Only one user per device** — If a device is already registered with User A, User B will not be able to log in on that device through the re-authentication flow. To switch the device registration to a different user, User A must first log out from Zero Trust (if [Allow device to leave organization](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/#allow-device-to-leave-organization) is enabled), or an admin can revoke the registration from **My Team** > **Devices**. User B can then properly [enroll](/cloudflare-one/connections/connect-devices/warp/deployment/manual-deployment/). 
+- **Active connections are not terminated** — Active sessions such as SSH and RDP will remain connected beyond the timeout limit. +- **Binding Cookie is not supported** - WARP authentication will not work for Access applications that have the [Binding Cookie](/cloudflare-one/identity/authorization-cookie/#binding-cookie) enabled. diff --git a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-prelogin.mdx b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-prelogin.mdx index fa334e791f3dcb..150e80d2d61625 100644 --- a/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-prelogin.mdx +++ b/src/content/docs/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-prelogin.mdx @@ -3,11 +3,9 @@ pcx_content_type: how-to title: Connect WARP before Windows login sidebar: order: 3 - --- - -import { Details, Render } from "~/components" +import { Details, Render } from "~/components";
@@ -17,13 +15,12 @@ import { Details, Render } from "~/components" | System | Availability | Minimum WARP version | | -------- | ------------ | -------------------- | -| Windows | ✅ | 2024.6.415.0 | -| macOS | ❌ | | -| Linux | ❌ | | -| iOS | ❌ | | -| Android | ❌ | | -| ChromeOS | ❌ | | - +| Windows | ✅ | 2024.6.415.0 | +| macOS | ❌ | | +| Linux | ❌ | | +| iOS | ❌ | | +| Android | ❌ | | +| ChromeOS | ❌ | |
@@ -31,7 +28,7 @@ With Cloudflare Zero Trust, you can use an on-premise Active Directory (or simil ## Prerequisites -* Active Directory resources are [connected to Cloudflare](/cloudflare-one/connections/connect-networks/private-net/). +- Active Directory resources are [connected to Cloudflare](/cloudflare-one/connections/connect-networks/private-net/). ## 1. Create a service token @@ -49,7 +46,6 @@ In your [device enrollment permissions](/cloudflare-one/connections/connect-devi Devices enrolled via a service token are identified by the email address `non_identity@.cloudflareaccess.com`. Using this email address, you can apply specific [device profile settings](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) and [Gateway network policies](/cloudflare-one/policies/gateway/network-policies/) during the pre-login state. For example, you could provide access to only those resources necessary to complete the Windows login and/or device management activities. -
| Selector | Operator | Value | Logic | @@ -57,10 +53,8 @@ Devices enrolled via a service token are identified by the email address `non_id | User email | in | `non_identity@.cloudflareaccess.com` | And | | Operating system | is | Windows | | -
-
| Selector | Operator | Value | Logic | @@ -73,7 +67,6 @@ Devices enrolled via a service token are identified by the email address `non_id | ------ | | Allow | -
## 3. Configure the MDM file diff --git a/src/content/docs/cloudflare-one/faq/teams-general-faq.mdx b/src/content/docs/cloudflare-one/faq/teams-general-faq.mdx index 1ba7f4018e2765..24ca17331b2511 100644 --- a/src/content/docs/cloudflare-one/faq/teams-general-faq.mdx +++ b/src/content/docs/cloudflare-one/faq/teams-general-faq.mdx @@ -5,7 +5,6 @@ sidebar: order: 3 head: [] description: Review frequently asked questions about Cloudflare Zero Trust. - --- [❮ Back to FAQ](/cloudflare-one/faq/) @@ -26,11 +25,11 @@ Access does not have an independent or out-of-band MFA feature. These browsers are supported: -* Internet Explorer® 11 -* Edge® (current release, last release) -* Firefox® (current release, last release) -* Chrome® (current release, last release) -* Safari® (current release, last release) +- Internet Explorer 11 +- Edge (current release, last release) +- Firefox (current release, last release) +- Chrome (current release, last release) +- Safari (current release, last release) ## What data localization services are supported? diff --git a/src/content/docs/cloudflare-one/identity/authorization-cookie/application-token.mdx b/src/content/docs/cloudflare-one/identity/authorization-cookie/application-token.mdx index efbf699117fce7..8d0f8af84942ee 100644 --- a/src/content/docs/cloudflare-one/identity/authorization-cookie/application-token.mdx +++ b/src/content/docs/cloudflare-one/identity/authorization-cookie/application-token.mdx 
@@ -71,7 +71,7 @@ Access allows you to add custom SAML attributes and OIDC claims to your JWT for #### User identity -User identity is useful for checking application permissions. For example, your application can validate that a given user is a member of an Okta or AzureAD group such as `Finance-Team`. +User identity is useful for checking application permissions. For example, your application can validate that a given user is a member of an Okta or Microsoft Entra ID group such as `Finance-Team`. Due to cookie size limits and bandwidth considerations, the application token only contains a subset of the user's identity. To get the user's full identity, send the `CF_Authorization` cookie to `https://.cloudflareaccess.com/cdn-cgi/access/get-identity`. Your request should be structured as follows: diff --git a/src/content/docs/cloudflare-one/identity/devices/access-integrations/index.mdx b/src/content/docs/cloudflare-one/identity/devices/access-integrations/index.mdx index af92057a7fecf7..d8fa38b6ad4fe9 100644 --- a/src/content/docs/cloudflare-one/identity/devices/access-integrations/index.mdx +++ b/src/content/docs/cloudflare-one/identity/devices/access-integrations/index.mdx 
@@ -3,13 +3,12 @@ pcx_content_type: navigation title: Access integrations sidebar: order: 4 - --- These device posture checks can only be enforced for Cloudflare Access applications. They cannot be used in Gateway network policies. -| Device posture check | macOS | Windows | Linux | iOS | Android/ChromeOS | [WARP mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | -| --------------------------------------------------------------------------------------------- | ----- | ------- | ----- | --- | ---------------- | ---------------------------------------------------------------------------------------- | -| [Azure AD Conditional Access](/cloudflare-one/tutorials/azuread-conditional-access/) | ✅ | ✅ | ❌ | ❌ | ❌ | WARP not required | -| [Mutual TLS](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/) | ✅ | ✅ | ✅ | ✅ | ✅ | WARP not required | -| [Tanium](/cloudflare-one/identity/devices/access-integrations/tanium/) | ✅ | ✅ | ✅ | ❌ | ❌ | Gateway with WARP, Secure Web Gateway without DNS filtering, or Device Information Only | +| Device posture check | macOS | Windows | Linux | iOS | Android/ChromeOS | [WARP mode](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | +| ----------------------------------------------------------------------------------------------- | ----- | ------- | ----- | --- | ---------------- | ---------------------------------------------------------------------------------------- | +| [Microsoft Entra ID Conditional Access](/cloudflare-one/tutorials/entra-id-conditional-access/) | ✅ | ✅ | ❌ | ❌ | ❌ | WARP not required | +| [Mutual TLS](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/) | ✅ | ✅ | ✅ | ✅ | ✅ | WARP not required | +| [Tanium](/cloudflare-one/identity/devices/access-integrations/tanium/) | ✅ | ✅ | ✅ | ❌ | ❌ | Gateway with WARP, Secure Web Gateway without DNS filtering, or Device Information Only | 
diff --git a/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/domain-joined.mdx b/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/domain-joined.mdx index 0406db71a9a1e6..37660af5c32eba 100644 --- a/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/domain-joined.mdx +++ b/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/domain-joined.mdx @@ -6,16 +6,21 @@ sidebar: head: - tag: title content: Domain joined - --- -import { Render } from "~/components" +import { Render } from "~/components"; The Domain Joined device posture attribute ensures that a user is a member of a specific Windows Active Directory domain. ## Prerequisites -* +- ## Enable the Domain Joined check diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/adfs.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/adfs.mdx index 7cdeb74c4c7b1a..2c6ad37646b41f 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/adfs.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/adfs.mdx @@ -1,12 +1,16 @@ --- pcx_content_type: how-to -title: Active Directory® (SAML) -sidebar: - order: 3 +title: Active Directory (SAML) --- import { GlossaryTooltip } from "~/components"; +:::caution +Microsoft recommends migrating your Active Directory Federation Service (AD FS) SSO to Microsoft Entra ID. For more information, refer to [Microsoft Learn](https://learn.microsoft.com/windows-server/identity/ad-fs/ad-fs-overview). + +To set up the Microsoft Entra ID IdP integration with Zero Trust, refer to [Microsoft Entra ID](/cloudflare-one/identity/idp-integration/entra-id/). +::: + Active Directory is a directory service developed by Microsoft for Windows domain networks. It is included in most Windows Server operating systems as a set of processes and services. Active Directory integrates with Cloudflare Access using Security Assertion Markup Language (SAML). ## Before you start 
@@ -15,12 +19,12 @@ To get started, you need: - An Active Directory Domain Controller where all users have an email attribute - Generic SAML enabled for your Access Identity Provider (IdP) -- A Microsoft server running with Active Directory Federation Services (ADFS) installed. All screenshots in these instructions are for Server 2012R2. Similar steps will work for newer versions. -- A browser safe certificate for Active Directory Federation Services (ADFS) +- A Microsoft server running with Active Directory Federation Services (AD FS) installed. All screenshots in these instructions are for Server 2012R2. Similar steps will work for newer versions. +- A browser safe certificate for Active Directory Federation Services (AD FS) -Once you fulfill the requirements above, you are ready to begin. Installation and basic configuration of Active Directory Federation Services (ADFS) is outside the scope of this guide. A detailed guide can be found in a [Microsoft KB](). +Once you fulfill the requirements above, you are ready to begin. Installation and basic configuration of Active Directory Federation Services (AD FS) is outside the scope of this guide. A detailed guide can be found in a [Microsoft KB](). -Then to begin the connection between Cloudflare Access and ADFS create a Relying Party Trust in ADFS. +Then to begin the connection between Cloudflare Access and AD FS create a Relying Party Trust in AD FS. ## Create a Relying Party Trust 
@@ -78,13 +82,13 @@ To create a Relying Party Trust: 21. Review your settings. -22. Select **Next**. Cloudflare now relies on ADFS for user-identity authorization. +22. Select **Next**. Cloudflare now relies on AD FS for user-identity authorization. The **Edit Claim Rules for CF Login** screen automatically displays. ## Create claim rules -Now create 2 Claim Rules so that ADFS can take information from Cloudflare and return it to create [Access policies](/cloudflare-one/policies/access/). +Now create 2 Claim Rules so that AD FS can take information from Cloudflare and return it to create [Access policies](/cloudflare-one/policies/access/). If you closed the Add Relying Trust wizard, use Explorer to find the **Relying Party Trusts** folder, select the newly created RPT file, and select **Edit Claim Rules** in the **Action** sidebar. @@ -124,11 +128,11 @@ Both Claim Rules are now available to export to your Cloudflare Access account. ## Export the certificate -Now you'll configure Cloudflare to recognize ADFS by extracting the _token-signing certificate_ from ADFS. +Now you'll configure Cloudflare to recognize AD FS by extracting the _token-signing certificate_ from AD FS. To export the certificate: -1. Within the ADFS management console, select the **Service** under AD FS and choose the **Certificates** folder which contains the certificate to export. +1. Within the AD FS management console, select the **Service** under AD FS and choose the **Certificates** folder which contains the certificate to export. 2. In the **Certificates** card, right-click on the entry under **Token-signing**, and select **View certificate**. The **Certificates** window displays. 
@@ -152,9 +156,9 @@ To export the certificate:
Note the file path for later.
-## Configure ADFS to sign SAML responses
+## Configure AD FS to sign SAML responses
-To ensure that ADFS signs the full response when communicating with Cloudflare, open your local **PowerShell** and enter the following command:
+To ensure that AD FS signs the full response when communicating with Cloudflare, open your local **PowerShell** and enter the following command:
```bash
Set-ADFSRelyingPartyTrust -TargetName "Name of RPT Display Name" -SamlResponseSignature "MessageAndAssertion"
@@ -162,7 +166,7 @@ Set-ADFSRelyingPartyTrust -TargetName "Name of RPT Display Name" -SamlResponseSi
## Configure Cloudflare Zero Trust
-To enable Cloudflare Zero Trust to accept the claims and assertions sent from ADFS, follow these steps:
+To enable Cloudflare Zero Trust to accept the claims and assertions sent from AD FS, follow these steps:
1. In Zero Trust, go to **Settings** > **Authentication**.
@@ -178,7 +182,7 @@ To enable Cloudflare Zero Trust to accept the claims and assertions sent from AD
https://hostnameOfADFS/adfs/ls/
```
- This is the default location. You can find your federation service identifier in ADFS.
+ This is the default location. You can find your federation service identifier in AD FS.
6. In the **IdP Entity ID or Issuer URL** field, enter your Zero Trust team domain and include this callback at the end of the path: `/cdn-cgi/access/callback`. For example:
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/aws-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/aws-saml.mdx
index 8ca9cd84894da4..d067d7c5705ee7 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/aws-saml.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/aws-saml.mdx
@@ -1,16 +1,13 @@
---
pcx_content_type: how-to
title: AWS IAM (SAML)
-sidebar:
- order: 5
-
---
AWS IAM Identity Center provides SSO identity management for users who interact with AWS resources (such as EC2 instances or S3 buckets). You can integrate AWS IAM with Cloudflare Zero Trust as a SAML identity provider, which allows users to authenticate to Zero Trust using their AWS credentials.
## Prerequisites
-* Admin access to an IAM Identity Center [organization instance](https://docs.aws.amazon.com/singlesignon/latest/userguide/identity-center-instances.html)
+- Admin access to an IAM Identity Center [organization instance](https://docs.aws.amazon.com/singlesignon/latest/userguide/identity-center-instances.html)
## Set up AWS IAM as a SAML provider
@@ -44,7 +41,7 @@ You can find your team name in Zero Trust under **Settings** > **Custom Pages**.
11. Select **Submit**.
-12. Next, select the **Actions** dropdown menu and select *Edit attribute mappings*.
+12. Next, select the **Actions** dropdown menu and select _Edit attribute mappings_.
13. For the `Subject` user attribute, enter `${user:email}`.
@@ -82,19 +79,17 @@ To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) tha
```json
{
- "config": {
- "issuer_url": "https://portal.sso.eu-central-1.amazonaws.com/saml/assertion/b2yJrC4kjy3ZAS0a2SeDJj74ebEAxozPfiURId0aQsal3",
- "sso_target_url": "https://portal.sso.eu-central-1.amazonaws.com/saml/assertion/b2yJrC4kjy3ZAS0a2SeDJj74ebEAxozPfiURId0aQsal3",
- "attributes": [
- "email"
- ],
- "email_attribute_name": "email",
- "sign_request": true,
- "idp_public_certs": [
- "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o"
- ]
- },
- "type": "saml",
- "name": "AWS IAM SAML example"
+ "config": {
+ "issuer_url": "https://portal.sso.eu-central-1.amazonaws.com/saml/assertion/b2yJrC4kjy3ZAS0a2SeDJj74ebEAxozPfiURId0aQsal3",
+ "sso_target_url": "https://portal.sso.eu-central-1.amazonaws.com/saml/assertion/b2yJrC4kjy3ZAS0a2SeDJj74ebEAxozPfiURId0aQsal3",
+ "attributes": ["email"],
+ "email_attribute_name": "email",
+ "sign_request": true,
+ "idp_public_certs": [
+ "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o"
+ ]
+ },
+ "type": "saml",
+ "name": "AWS IAM SAML example"
}
```
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/awscognito-oidc.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/awscognito-oidc.mdx
index 13e7e9701d75d0..fea281e2d38a0a 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/awscognito-oidc.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/awscognito-oidc.mdx
@@ -1,16 +1,13 @@
---
pcx_content_type: how-to
title: Amazon Cognito
-sidebar:
- order: 4
-
---
Amazon Cognito provides SSO identity management for end users of web and mobile apps. You can integrate Amazon Cognito as an OIDC identity provider for Cloudflare Zero Trust.
## Prerequisites
-* An Amazon Cognito [user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/tutorial-create-user-pool.html)
+- An Amazon Cognito [user pool](https://docs.aws.amazon.com/cognito/latest/developerguide/tutorial-create-user-pool.html)
## Set up Amazon Cognito (OIDC)
@@ -18,11 +15,11 @@ Amazon Cognito provides SSO identity management for end users of web and mobile
The following Amazon Cognito values are required to set up the integration:
-* App (client) ID
-* Client secret
-* Auth URL
-* Token URL
-* Certificate (key) URL
+- App (client) ID
+- Client secret
+- Auth URL
+- Token URL
+- Certificate (key) URL
To retrieve those values:
@@ -36,9 +33,9 @@ To retrieve those values:
5. Make note of the following [Amazon Cognito OIDC endpoints](https://docs.aws.amazon.com/cognito/latest/developerguide/federation-endpoints.html):
- * **Auth URL**: `https:///oauth2/authorize`
- * **Token URL**: `https:///oauth2/token`
- * **Certificate (key) URL**: `https://cognito-idp..amazonaws.com//.well-known/jwks.json` (This is the **Token signing key URL** shown in **User pool overview**.)
+ - **Auth URL**: `https:///oauth2/authorize`
+ - **Token URL**: `https:///oauth2/token`
+ - **Certificate (key) URL**: `https://cognito-idp..amazonaws.com//.well-known/jwks.json` (This is the **Token signing key URL** shown in **User pool overview**.)
6. Under **App client list**, select **Create app client**.
@@ -92,16 +89,16 @@ To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) tha
```json
{
- "config": {
- "client_id": "",
- "client_secret": "",
- "auth_url": "https:///oauth2/authorize",
- "token_url": "https:///oauth2/token",
- "certs_url": "https://cognito-idp..amazonaws.com//.well-known/jwks.json",
- "scopes": ["openid", "email", "profile"],
- "claims": ["sub", "cognito:username", "name", "cognito:groups"]
- },
- "type": "oidc",
- "name": "Amazon Cognito example"
+ "config": {
+ "client_id": "",
+ "client_secret": "",
+ "auth_url": "https:///oauth2/authorize",
+ "token_url": "https:///oauth2/token",
+ "certs_url": "https://cognito-idp..amazonaws.com//.well-known/jwks.json",
+ "scopes": ["openid", "email", "profile"],
+ "claims": ["sub", "cognito:username", "name", "cognito:groups"]
+ },
+ "type": "oidc",
+ "name": "Amazon Cognito example"
}
```
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/centrify-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/centrify-saml.mdx
index b7cbf2ff1e299b..1250f499a95a00 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/centrify-saml.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/centrify-saml.mdx
@@ -1,9 +1,6 @@
---
pcx_content_type: how-to
title: Centrify (SAML)
-sidebar:
- order: 8
-
---
Centrify secures access to infrastructure, DevOps, cloud, and other modern enterprise so you can prevent the #1 cause of breaches – privileged access abuse.
@@ -94,15 +91,15 @@ To get your Cloudflare metadata file:
```json
{
- "config": {
- "issuer_url": "https://abc123.my.centrify.com/baaa2117-0ec0-4d76-84cc-abccb551a123",
- "sso_target_url": "https://abc123.my.centrify.com/applogin/appKey/baaa2117-0ec0-4d76-84cc-abccb551a123/customerId/abc123",
- "attributes": ["email"],
- "email_attribute_name": "",
- "sign_request": false,
- "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o"
- },
- "type": "saml",
- "name": "centrify saml example"
+ "config": {
+ "issuer_url": "https://abc123.my.centrify.com/baaa2117-0ec0-4d76-84cc-abccb551a123",
+ "sso_target_url": "https://abc123.my.centrify.com/applogin/appKey/baaa2117-0ec0-4d76-84cc-abccb551a123/customerId/abc123",
+ "attributes": ["email"],
+ "email_attribute_name": "",
+ "sign_request": false,
+ "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o"
+ },
+ "type": "saml",
+ "name": "centrify saml example"
}
```
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx
index 58a92d54d6ce67..dcd6b705decc82 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/centrify.mdx
@@ -1,8 +1,6 @@
---
pcx_content_type: how-to
title: Centrify
-sidebar:
- order: 7
---
Centrify secures access to infrastructure, DevOps, cloud, and other modern enterprise so you can prevent the number one cause of breaches: privileged access abuse.
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/citrixadc-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/citrixadc-saml.mdx
index 8aca79ecd82205..c6aaa613f55952 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/citrixadc-saml.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/citrixadc-saml.mdx
@@ -1,9 +1,6 @@
---
pcx_content_type: how-to
title: Citrix ADC (SAML)
-sidebar:
- order: 9
-
---
Cloudflare Zero Trust can integrate with Citrix ADC (formerly Citrix NetScaler ADC) as a SAML IdP. Documentation from Citrix shows you [how to configure Citrix ADC as a SAML IdP](https://docs.citrix.com/en-us/citrix-adc/12-1/aaa-tm/saml-authentication/citrix-adc-saml-idp.html). These steps are specific to Cloudflare Zero Trust.
@@ -14,8 +11,8 @@ To set up Citrix ADC (SAML) as your identity provider:
1. First, you'll need to configure 2 SAML certificates:
- * A certificate to **terminate TLS at the vServer**. Ensure that the certificate is issued by a publicly trusted CA.
- * A certificate for **signing SAML assertions**.
+ - A certificate to **terminate TLS at the vServer**. Ensure that the certificate is issued by a publicly trusted CA.
+ - A certificate for **signing SAML assertions**.
If you do not already have a certificate for signing SAML assertions, you can use a self-signed certificate generated on Citrix ADC by following these steps:
@@ -46,7 +43,7 @@ To set up Citrix ADC (SAML) as your identity provider:
| **Name ID Format** | EmailAddress |
| **Attribute 1** | `email = AAA.USER.ATTRIBUTE("email")` |
- Cloudflare Access currently sends the IdP address in place of the *Service Provider ID* for the AuthN request.
+ Cloudflare Access currently sends the IdP address in place of the _Service Provider ID_ for the AuthN request.
2. Create an Authentication Policy that refers to the Profile just created, and bind it to the authentication vServer mentioned above.
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/azuread.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx
similarity index 55%
rename from src/content/docs/cloudflare-one/identity/idp-integration/azuread.mdx
rename to src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx
index 7de7e6aee7d602..373ccdfea8d331 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/azuread.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/entra-id.mdx
@@ -1,40 +1,37 @@
---
pcx_content_type: how-to
-title: Azure AD®
-sidebar:
- order: 6
-
+title: Microsoft Entra ID
---
-import { Render } from "~/components"
+import { Render } from "~/components";
-You can integrate Microsoft Azure AD® (Active Directory) with Cloudflare Zero Trust and build policies based on user identity and group membership. Users will authenticate to Zero Trust using their Azure AD credentials.
+You can integrate Microsoft Entra ID (formerly Azure Active Directory) with Cloudflare Zero Trust and build policies based on user identity and group membership. Users will authenticate to Zero Trust using their Entra ID credentials.
-## Set up Azure AD as an identity provider
+## Set up Entra ID as an identity provider
-### 1. Obtain Azure AD settings
+### 1. Obtain Entra ID settings
-The following Azure AD values are required to set up the integration:
+The following Entra ID values are required to set up the integration:
-* Application (client) ID
-* Directory (tenant) ID
-* Client secret
+- Application (client) ID
+- Directory (tenant) ID
+- Client secret
To retrieve those values:
1. Log in to the [Azure dashboard](https://portal.azure.com/).
-2. Go to **All services** > **Azure Active Directory**.
+2. Go to **All services** > **Microsoft Entra ID**.
-3. In the Azure Active Directory menu, go to **Enterprise applications**.
+3. In the sidebar, go to **Manage** > **Enterprise applications**.
-4. Select **New application** > **Create your own application**.
+4. Select **New application**, then select **Create your own application**.
5. Name your application.
-6. Select **Register an application to integrate with Azure AD (App you're developing)** and then select **Create**.
+6. Select **Register an application to integrate with Microsoft Entra ID (App you're developing)** and then select **Create**.
-7. Under **Redirect URI**, select the *Web* platform and enter the following URL:
+7. Under **Redirect URI**, select the _Web_ platform and enter the following URL:
```txt
https://.cloudflareaccess.com/cdn-cgi/access/callback
@@ -46,13 +43,13 @@ To retrieve those values:
8. Select **Register**.
-9. Next, return to the Azure Active Directory menu and go to **App registrations**.
+9. Next, return to Microsoft Entra ID and go to go to **Manage** > **App registrations**.
10. Select the app you just created. Copy the **Application (client) ID** and **Directory (tenant) ID**.
![Viewing the Application ID and Directory ID in Azure](~/assets/images/cloudflare-one/identity/azure/azure-values.png)
-11. Go to **Certificates & secrets** and select **New client secret**.
+11. Under **Client credentials**, go to **Add a certificate or secret**. Select **New client secret**.
12. Name the client secret and choose an expiration period.
@@ -60,7 +57,7 @@ To retrieve those values:
![Location of client secret in Azure](~/assets/images/cloudflare-one/identity/azure/client-cert-value.png)
-### 2. Configure API permissions in Azure
+### 2. Configure API permissions in Entra ID
1. From the **App registrations** page for your application, go to **API permissions**.
@@ -68,19 +65,18 @@ To retrieve those values:
3. Select **Microsoft Graph**.
-4. Select **Delegated permissions** and enable the following [permissions](https://learn.microsoft.com/en-us/graph/permissions-reference):
+4. Select **Delegated permissions** and enable the following [permissions](https://learn.microsoft.com/graph/permissions-reference):
- * `email`
- * `offline_access`
- * `openid`
- * `profile`
- * `User.Read`
- * `Directory.Read.All`
- * `GroupMember.Read.All`
+ - `email`
+ - `offline_access`
+ - `openid`
+ - `profile`
+ - `User.Read`
+ - `Directory.Read.All`
+ - `GroupMember.Read.All`
:::note
-
-More narrow permissions may be used, however this is the set of permissions that are tested and supported by Cloudflare.
+More narrow permissions may be used, however this is the set of permissions that are tested and supported by Cloudflare.
:::
5. Once all seven permissions are enabled, select **Add permissions**.
@@ -89,7 +85,7 @@ More narrow permissions may be used, however this is the set of permissions that
![Configured permissions list in Azure](~/assets/images/cloudflare-one/identity/azure/configured-perms.png)
-### 3. Add Azure AD as an identity provider
+### 3. Add Entra ID as an identity provider
1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.
@@ -97,16 +93,16 @@ More narrow permissions may be used, however this is the set of permissions that
3. Select **Azure AD**.
-4. Enter the **Application (client) ID**, **Client secret**, and **Directory (tenant) ID** obtained from the Azure dashboard.
+4. Enter the **Application (client) ID**, **Client secret**, and **Directory (tenant) ID** obtained from Microsoft Entra ID.
5. (Optional) Configure the following settings:
- * **Proof Key for Code Exchange**: Perform [PKCE](https://www.oauth.com/oauth2-servers/pkce/) on all login attempts.
- * **Support Groups**: Allow Cloudflare to read a user's Azure AD group membership.
- * **Azure AD Policy Sync**: Refer to our [Azure AD Conditional Access tutorial](/cloudflare-one/tutorials/azuread-conditional-access/).
- * **Enable SCIM**: Refer to [Synchronize users and groups](#synchronize-users-and-groups).
- * **Email claim**: Enter the Azure AD claim that you wish to use for user identification (for example, `preferred_username`).
- * **OIDC Claims**: Enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).
+ - **Proof Key for Code Exchange**: Perform [PKCE](https://www.oauth.com/oauth2-servers/pkce/) on all login attempts.
+ - **Support Groups**: Allow Cloudflare to read a user's Entra ID group membership.
+ - **Entra ID Policy Sync**: Refer to our [Entra ID Conditional Access tutorial](/cloudflare-one/tutorials/entra-id-conditional-access/).
+ - **Enable SCIM**: Refer to [Synchronize users and groups](#synchronize-users-and-groups).
+ - **Email claim**: Enter the Entra ID claim that you wish to use for user identification (for example, `preferred_username`).
+ - **OIDC Claims**: Enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your users' identity. This information will be available in the [user identity endpoint](/cloudflare-one/identity/authorization-cookie/application-token/#user-identity).
6. Select **Save**.
@@ -114,24 +110,26 @@ To [test](/cloudflare-one/identity/idp-integration/#test-idps-in-zero-trust) tha
## Synchronize users and groups
-The Azure AD integration allows you to synchronize IdP groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/).
+The Microsoft Entra ID integration allows you to synchronize IdP groups and automatically deprovision users using [SCIM](/cloudflare-one/identity/users/scim/).
### Prerequisites
-* Microsoft Entra ID P1 or P2 license
+- Microsoft Entra ID P1 or P2 license
### 1. Enable SCIM in Zero Trust
-
+
-### 2. Configure SCIM in Azure
+### 2. Configure SCIM in Entra ID
:::note
-
-SCIM requires a separate enterprise application from the one created during [initial setup](#set-up-azure-ad-as-an-identity-provider).
+SCIM requires a separate enterprise application from the one created during [initial setup](#set-up-entra-id-as-an-identity-provider).
:::
-1. In the Azure Active Directory menu, go to **Enterprise applications**.
+1. In the Microsoft Entra ID menu, go to **Enterprise applications**.
2. Select **New application** > **Create your own application**.
@@ -139,11 +137,11 @@ SCIM requires a separate enterprise application from the one created during [ini
4. Select **Integrate any other application you don't find in the gallery (Non-gallery)**.
-5. Once the SCIM application is created, [assign users and groups to the application](https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal?pivots=portal).
+5. Once the SCIM application is created, [assign users and groups to the application](https://learn.microsoft.com/entra/identity/enterprise-apps/assign-user-or-group-access-portal).
6. Go to **Provisioning** and select **Get started**.
-7. For **Provisioning Mode**, choose *Automatic*.
+7. For **Provisioning Mode**, choose _Automatic_.
8. In the **Tenant URL** field, enter the **SCIM Endpoint** obtained from Zero Trust.
@@ -153,68 +151,68 @@ SCIM requires a separate enterprise application from the one created during [ini
11. Select **Save**.
-12. On the **Provisioning** page, select **Start provisioning**. You will see the synchronization status in Azure.
+12. On the **Provisioning** page, select **Start provisioning**. You will see the synchronization status in Entra ID.
To check which users and groups were synchronized, select **View provisioning logs**.
### Provisioning attributes
-Provisioning attributes define the user properties that Azure AD will synchronize with Cloudflare Access. To modify your provisioning attributes, go to the **Provisioning** page in Azure AD and select **Edit attribute mappings**.
+Provisioning attributes define the user properties that Entra ID will synchronize with Cloudflare Access. To modify your provisioning attributes, go to the **Provisioning** page in Entra ID and select **Edit attribute mappings**.
We recommend enabling the following user attribute mappings:
-| customappsso Attribute | Azure AD Attribute | Recommendation |
+| customappsso Attribute | Entra ID Attribute | Recommendation |
| ------------------------------ | ------------------ | -------------- |
| `emails[type eq "work"].value` | `mail` | Required |
| `name.givenName` | `givenName` | Recommended |
| `name.familyName` | `surname` | Recommended |
-## Azure groups in Zero Trust policies
+## Entra groups in Zero Trust policies
### Automatic entry
-When [SCIM synchronization is enabled](#synchronize-users-and-groups), your Azure group names will automatically appear in the Access and Gateway policy builders.
+When [SCIM synchronization is enabled](#synchronize-users-and-groups), your Entra group names will automatically appear in the Access and Gateway policy builders.
-If building an Access policy, choose the *Azure Groups* selector.
+If building an Access policy, choose the _Azure Groups_ selector.
![Azure group names displayed in the Access policy builder](~/assets/images/cloudflare-one/identity/azure/azure-scim-groups.png)
-If building a Gateway policy, choose the [*User Group Names*](/cloudflare-one/policies/gateway/identity-selectors/#user-group-names) selector.
+If building a Gateway policy, choose the [_User Group Names_](/cloudflare-one/policies/gateway/identity-selectors/#user-group-names) selector.
### Manual entry
-You can create Access and Gateway policies for groups that are not synchronized with SCIM. Azure AD exposes directory groups in a format that consists of random strings, the `Object Id`, that is distinct from the `Name`.
+You can create Access and Gateway policies for groups that are not synchronized with SCIM. Entra ID exposes directory groups in a format that consists of random strings, the `Object Id`, that is distinct from the `Name`.
-1. Make sure you enable **Support groups** as you set up Azure AD in Zero Trust.
+1. Make sure you enable **Support groups** as you set up Microsoft Entra ID in Zero Trust.
-2. On your Azure dashboard, note the `Object Id` for the Azure group. In the example below, the group named Admins has an ID of `61503835-b6fe-4630-af88-de551dd59a2`.
+2. On your Azure dashboard, note the `Object Id` for the Entra group. In the example below, the group named Admins has an ID of `61503835-b6fe-4630-af88-de551dd59a2`.
![Viewing the Azure group ID on the Azure dashboard](~/assets/images/cloudflare-one/identity/azure/object-id.png)
-3. If building an Access policy, choose the *Azure Groups* selector. If building a Gateway policy, choose the *User Group IDs* selector.
+3. If building an Access policy, choose the _Azure Groups_ selector. If building a Gateway policy, choose the _User Group IDs_ selector.
-4. In the **Value** field, enter the `Object Id` for the Azure group.
+4. In the **Value** field, enter the `Object Id` for the Entra group.
![Entering an Azure group ID in Zero Trust](~/assets/images/cloudflare-one/identity/azure/configure-group-n.png)
### Nested groups
-Access and Gateway policies for an Azure group will also apply to all [nested groups](https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/how-to-manage-groups#add-or-remove-a-group-from-another-group). For example, if a user belongs to the group `US devs`, and `US devs` is part of the broader group `Devs`, the user would be allowed or blocked by all policies created for `Devs`.
+Access and Gateway policies for an Entra group will also apply to all [nested groups](https://learn.microsoft.com/entra/fundamentals/how-to-manage-groups#add-a-group-to-another-group). For example, if a user belongs to the group `US devs`, and `US devs` is part of the broader group `Devs`, the user would be allowed or blocked by all policies created for `Devs`.
## Force user interaction during WARP reauthentication
-You can require users to re-enter their credentials into Azure AD whenever they [re-authenticate their WARP session](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). To configure this setting, make a [`PUT` request](/api/operations/access-identity-providers-update-an-access-identity-provider) and set the `prompt` parameter to either `login` or `select_account`.
+You can require users to re-enter their credentials into Entra ID whenever they [re-authenticate their WARP session](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). To configure this setting, make a [`PUT` request](/api/operations/access-identity-providers-update-an-access-identity-provider) and set the `prompt` parameter to either `login` or `select_account`.
## Example API Configuration
```json
{
- "config": {
- "client_id": "",
- "client_secret": "",
- "directory_id": "",
- "support_groups": true
- },
- "type": "azureAD",
- "name": "my example idp"
+ "config": {
+ "client_id": "",
+ "client_secret": "",
+ "directory_id": "",
+ "support_groups": true
+ },
+ "type": "azureAD",
+ "name": "my example idp"
}
```
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/facebook-login.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/facebook-login.mdx
index a8411d94d8b165..97c8350d0e965c 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/facebook-login.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/facebook-login.mdx
@@ -1,9 +1,6 @@
---
pcx_content_type: how-to
title: Facebook
-sidebar:
- order: 10
-
---
Use these steps to set up Facebook as your identity provider.
@@ -66,11 +63,11 @@ To test that your connection is working, follow the steps on [SSO Integration](/
```json
{
- "config": {
- "client_id": "",
- "client_secret": ""
- },
- "type": "facebook",
- "name": "my example idp"
+ "config": {
+ "client_id": "",
+ "client_secret": ""
+ },
+ "type": "facebook",
+ "name": "my example idp"
}
```
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/github.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/github.mdx
index 39abd43d8bb6ff..a6eb40f302d3bb 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/github.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/github.mdx
@@ -1,12 +1,6 @@
---
pcx_content_type: how-to
title: GitHub
-sidebar:
- order: 11
-head:
- - tag: title
- content: GitHub - IdP Integration
-
---
Cloudflare Zero Trust allows your team to connect to your applications using their GitHub login. Administrators can build rules for specific individuals or using GitHub organizations. You do not need to have a GitHub organization to use the integration.
@@ -32,6 +26,7 @@ To configure GitHub access in both GitHub and Cloudflare Zero Trust:
You can find your team name in Zero Trust under **Settings** > **Custom Pages**.
5. In the GitHub **Authorization callback URL** field, enter the following URL:
+
```txt
https://.cloudflareaccess.com/cdn-cgi/access/callback
```
@@ -59,11 +54,11 @@ If you have GitHub two-factor authentication enabled, you will need to first log
```json
{
- "config": {
- "client_id": "",
- "client_secret": ""
- },
- "type": "github",
- "name": "my example idp"
+ "config": {
+ "client_id": "",
+ "client_secret": ""
+ },
+ "type": "github",
+ "name": "my example idp"
}
```
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/google.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/google.mdx
index 2ccc8db9712115..07df2251151b12 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/google.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/google.mdx
@@ -1,9 +1,6 @@
---
pcx_content_type: how-to
title: Google
-sidebar:
- order: 12
-
---
You can integrate Google authentication with Cloudflare Access without a Google Workspace account. The integration allows any user with a Google account to log in (if the [Access policy](/cloudflare-one/policies/access/) allows them to reach the resource). Unlike the instructions for [Google Workspace](/cloudflare-one/identity/idp-integration/gsuite/), the steps below will not allow you to pull group membership information from a Google Workspace account.
@@ -22,7 +19,7 @@ You do not need to be a Google Cloud Platform user to integrate Google Suite as
4. Choose `External` as the User Type. Since this application is not being created in a Google Workspace account, any user with a Gmail address can login.
-5. Name the application, add a support email, and input contact fields. Google Cloud Platform requires an email in your account.
+5. Name the application, add a support email, and input contact fields. Google Cloud Platform requires an email in your account.
:::note
In the **Scopes** section, we recommend adding the `userinfo.email` scope. This is not required for the integration, but shows authenticating users what information is being gathered. You do not need to add test users.
:::
@@ -40,6 +37,7 @@ You do not need to be a Google Cloud Platform user to integrate Google Suite as
You can find your team name in Zero Trust under **Settings** > **Custom Pages**.
8. Under **Authorized redirect URIs**, in the **URIs** field, enter the following URL:
+
```txt
https://.cloudflareaccess.com/cdn-cgi/access/callback
```
@@ -64,11 +62,11 @@ To test that your connection is working, go to **Authentication** > **Login meth
```json
{
- "config": {
- "client_id": "",
- "client_secret": ""
- },
- "type": "google",
- "name": "my example idp"
+ "config": {
+ "client_id": "",
+ "client_secret": ""
+ },
+ "type": "google",
+ "name": "my example idp"
}
```
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx
index 55def605b97969..ddfcb56bb22f87 100644
--- a/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx
+++ b/src/content/docs/cloudflare-one/identity/idp-integration/gsuite.mdx
@@ -1,17 +1,11 @@ --- pcx_content_type: how-to title: Google Workspace -sidebar: - order: 13 -head: - - tag: title - content: Google Workspace - IdP - --- :::note -The Google Workspace IdP integration is not supported if your Google Workspace account is protected by Access. +The Google Workspace IdP integration is not supported if your Google Workspace account is protected by Access. ::: You can integrate a Google Workspace (formerly Google Suite) account with Cloudflare Access. Unlike the instructions for [generic Google authentication](/cloudflare-one/identity/idp-integration/google/), the steps below will allow you to pull group membership information from your Google Workspace account. @@ -28,7 +22,7 @@ You do not need to be a Google Cloud Platform user to integrate Google Workspace 3. Go to **APIs & Services** and select **+ Enable APIs and Services**. The API Library will load. -4. In the API Library, search for `admin` and select *Admin SDK API*. +4. In the API Library, search for `admin` and select _Admin SDK API_. 5. **Enable** the Admin SDK API. @@ -49,7 +43,7 @@ You do not need to be a Google Cloud Platform user to integrate Google Workspace ![Location of OAuth client ID settings on Google Cloud Platform credentials page.](~/assets/images/cloudflare-one/identity/google/create-oauth.png) -10. Choose *Web application* as the Application type. +10. Choose _Web application_ as the Application type. 11. Under **Authorized JavaScript origins**, in the **URIs** field, enter your team domain: @@ -94,12 +88,12 @@ To test that your connection is working, go to **Authentication** > **Login meth ```json { - "config": { - "client_id": "", - "client_secret": "", - "apps_domain": "mycompany.com" - }, - "type": "google-apps", - "name": "my example idp" + "config": { + "client_id": "", + "client_secret": "", + "apps_domain": "mycompany.com" + }, + "type": "google-apps", + "name": "my example idp" } ``` 
diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/index.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/index.mdx index 35835e5253b8d0..265f4aef181f7b 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/index.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/index.mdx @@ -1,12 +1,9 @@ --- pcx_content_type: how-to title: SSO integration -sidebar: - order: 3 - --- -import { Render } from "~/components" +import { Render } from "~/components"; Cloudflare Zero Trust allows you to integrate your organization's identity providers (IdPs) with Cloudflare Access. Your team can simultaneously use multiple providers, reducing friction when working with partners or contractors. @@ -14,10 +11,8 @@ Adding an identity provider as a login method requires configuration both in [Ze :::undefined - Cloudflare Zero Trust supports social identity providers that do not require administrator accounts, open source providers, and corporate providers. Cloudflare also supports using signed AuthN requests with SAML providers. - ::: ## Set up IdPs in Zero Trust diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx index 69aa542057a296..593e9d8f5d058f 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/jumpcloud-saml.mdx 
@@ -1,11 +1,9 @@ --- pcx_content_type: how-to title: Jumpcloud (SAML) -sidebar: - order: 14 --- -JumpCloud provides [Directory-as-a-Service®](https://jumpcloud.com/daas-product/) to securely connect user identities to systems, apps, files, and networks. Cloudflare Access integrates with JumpCloud using the SAML protocol. [This documentation from JumpCloud](https://support.jumpcloud.com/s/article/getting-started-applications-saml-sso2) can help you configure applications within your JumpCloud deployment. +JumpCloud provides [Directory-as-a-Service](https://jumpcloud.com/daas-product/) to securely connect user identities to systems, apps, files, and networks. Cloudflare Access integrates with JumpCloud using the SAML protocol. [This documentation from JumpCloud](https://support.jumpcloud.com/s/article/getting-started-applications-saml-sso2) can help you configure applications within your JumpCloud deployment. These steps focus on requirements specific to Cloudflare Zero Trust. diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/keycloak.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/keycloak.mdx index 11294188531c07..1f08efefbdb58c 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/keycloak.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/keycloak.mdx @@ -1,9 +1,6 @@ --- pcx_content_type: how-to title: Keycloak (SAML) -sidebar: - order: 15 - --- Keycloak is an open source identity and access management solution built by JBoss. If you need a Keycloak lab environment for testing, refer to [this example](https://github.com/mw866/tunnel-keycloak). diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/linkedin.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/linkedin.mdx index aa4b9179eb5dc0..0562a49e6d1f31 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/linkedin.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/linkedin.mdx 
@@ -1,9 +1,6 @@ --- pcx_content_type: how-to title: LinkedIn -sidebar: - order: 16 - --- Cloudflare Access allows your users to use LinkedIn as their identity provider (IdP). @@ -72,11 +69,11 @@ To test that your connection is working, in Zero Trust, go to **Authentication** ```json { - "config": { - "client_id": "", - "client_secret": "" - }, - "type": "linkedin", - "name": "my example idp" + "config": { + "client_id": "", + "client_secret": "" + }, + "type": "linkedin", + "name": "my example idp" } ``` diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/okta-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/okta-saml.mdx index 88143ea206fc7c..a14b86cf11dde5 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/okta-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/okta-saml.mdx @@ -1,8 +1,6 @@ --- pcx_content_type: how-to title: Okta (SAML) -sidebar: - order: 18 --- Cloudflare Zero Trust can integrate SAML with Okta as an identity provider. diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx index 7f016032d1ebf1..468a7d6dc56b55 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/okta.mdx @@ -1,8 +1,6 @@ --- pcx_content_type: how-to title: Okta -sidebar: - order: 17 --- import { Render } from "~/components"; 
@@ -42,8 +40,7 @@ Additionally, you can configure Okta to use risk information from Zero Trust [us 9. Set the **Groups claim filter** to _Matches regex_ and its value to `.*`. :::note - - Groups managed outside of Okta (for example, Entra ID/Azure AD or Google groups) may require different regex values. For more information, refer to the [Okta documentation](https://support.okta.com/help/s/article/Why-isnt-my-Groups-claim-returning-Active-Directory-groups). + Groups managed outside of Okta (for example, Microsoft Entra ID or Google groups) may require different regex values. For more information, refer to the [Okta documentation](https://support.okta.com/help/s/article/Why-isnt-my-Groups-claim-returning-Active-Directory-groups). ::: 10. In the **General** tab, copy the **Client ID** and **Client secret**. diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-oidc.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-oidc.mdx index 54073a1ff3f5dd..aea84e3a662ce1 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-oidc.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-oidc.mdx @@ -1,9 +1,6 @@ --- pcx_content_type: how-to title: OneLogin -sidebar: - order: 19 - --- OneLogin provides SSO identity management. Cloudflare Access supports OneLogin as an OIDC identity provider. 
@@ -41,10 +38,11 @@ OneLogin provides SSO identity management. Cloudflare Access supports OneLogin a 12. Select **OneLogin**. 13. Fill in the following information: - * **Name**: Name your identity provider. - * **App ID**: Enter your OneLogin client ID. - * **Client secret**: Enter your OneLogin client secret. - * **OneLogin account URL**: Enter your OneLogin domain, for example `https://.onelogin.com`. + + - **Name**: Name your identity provider. + - **App ID**: Enter your OneLogin client ID. + - **Client secret**: Enter your OneLogin client secret. + - **OneLogin account URL**: Enter your OneLogin domain, for example `https://.onelogin.com`. 14. (Optional) Under **Optional configurations**, enter [custom OIDC claims](/cloudflare-one/identity/idp-integration/generic-oidc/#oidc-claims) that you wish to add to your Access [application token](/cloudflare-one/identity/authorization-cookie/application-token/). @@ -56,12 +54,12 @@ To test that your connection is working, go to **Authentication** > **Login meth ```json { - "config": { - "client_id": "", - "client_secret": "", - "onelogin_account": "https://mycompany.onelogin.com" - }, - "type": "onelogin", - "name": "my example idp" + "config": { + "client_id": "", + "client_secret": "", + "onelogin_account": "https://mycompany.onelogin.com" + }, + "type": "onelogin", + "name": "my example idp" } ``` diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-saml.mdx index 82aec021b834f9..f49e025cdc3ab2 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/onelogin-saml.mdx @@ -1,9 +1,6 @@ --- pcx_content_type: how-to title: OneLogin (SAML) -sidebar: - order: 20 - --- OneLogin provides SSO identity management. Cloudflare Access supports OneLogin as an SAML identity provider. 
@@ -84,15 +81,15 @@ To add a metadata file to your OneLogin SAML configuration: ```json { - "config": { - "issuer_url": "https://app.onelogin.com/saml/metadata/1b84ee45-d4fa-4373-8853-abz438942123", - "sso_target_url": "https://sandbox.onelogin.com/trust/saml2/http-post/sso/123456", - "attributes": ["email"], - "email_attribute_name": "", - "sign_request": false, - "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o" - }, - "type": "saml", - "name": "onelogin saml example" + "config": { + "issuer_url": "https://app.onelogin.com/saml/metadata/1b84ee45-d4fa-4373-8853-abz438942123", + "sso_target_url": "https://sandbox.onelogin.com/trust/saml2/http-post/sso/123456", + "attributes": ["email"], + "email_attribute_name": "", + "sign_request": false, + "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o" + }, + "type": "saml", + "name": "onelogin saml example" } ``` diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx index 32b1290ada6293..805ea6cba88023 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/pingfederate-saml.mdx @@ -1,12 +1,9 @@ --- pcx_content_type: how-to -title: PingFederate® -sidebar: - order: 21 - +title: PingFederate --- -The PingFederate® offering from PingIdentity provides SSO identity management. Cloudflare Access supports PingFederate as a SAML identity provider. +The PingFederate offering from PingIdentity provides SSO identity management. Cloudflare Access supports PingFederate as a SAML identity provider. ## Set up PingFederate as an identity provider 
@@ -18,25 +15,25 @@ The PingFederate® offering from PingIdentity provides SSO identity management. 4. Complete the fields for name, description, and category. - These can be any value. A prompt displays to select a signing certificate to use. +These can be any value. A prompt displays to select a signing certificate to use. 5. In the **SAML attribute configuration** dialog select **Email attribute** > **urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress**. - :::note - There is an additional setting for PingFederate prior to 9.0. - ::: +:::note +There is an additional setting for PingFederate prior to 9.0. +::: 6. In the **Signature Policy** tab, disable the option to **Always Sign Assertion**. 7. Leave the option enabled for **Sign Response As Required**. - This ensures that SAML destination headers are sent during the integration. +This ensures that SAML destination headers are sent during the integration. - In versions 9.0 above, you can leave both of these options enabled. +In versions 9.0 above, you can leave both of these options enabled. 8. A prompt displays to download the SAML metadata from Ping. - This file shares several fields with Cloudflare Access so you do not have to input this data. +This file shares several fields with Cloudflare Access so you do not have to input this data. 9. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**. @@ -46,11 +43,11 @@ The PingFederate® offering from PingIdentity provides SSO identity management. 12. In the **IdP Entity ID** field, enter the following URL: - ```txt - https://.cloudflareaccess.com/cdn-cgi/access/callback - ``` +```txt +https://.cloudflareaccess.com/cdn-cgi/access/callback +``` - You can find your team name in Zero Trust under **Settings** > **Custom Pages**. +You can find your team name in Zero Trust under **Settings** > **Custom Pages**. 13. Fill the other fields with values from your Ping dashboard. 
@@ -62,15 +59,15 @@ To test that your connection is working, go to **Authentication** > **Login meth ```json { - "config": { - "issuer_url": "https://example.cloudflareaccess.com/cdn-cgi/access/callback", - "sso_target_url": "https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=aebe6668-32fe-4a87-8c2b-avcd3599a123", - "attributes": ["PingOne.AuthenticatingAuthority", "PingOne.idpid"], - "email_attribute_name": "", - "sign_request": false, - "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o" - }, - "type": "saml", - "name": "ping saml example" + "config": { + "issuer_url": "https://example.cloudflareaccess.com/cdn-cgi/access/callback", + "sso_target_url": "https://sso.connect.pingidentity.com/sso/idp/SSO.saml2?idpid=aebe6668-32fe-4a87-8c2b-avcd3599a123", + "attributes": ["PingOne.AuthenticatingAuthority", "PingOne.idpid"], + "email_attribute_name": "", + "sign_request": false, + "idp_public_cert": "MIIDpDCCAoygAwIBAgIGAV2ka+55MA0GCSqGSIb3DQEBCwUAMIGSMQswCQYDVQQGEwJVUzETMBEG\nA1UEC.....GF/Q2/MHadws97cZg\nuTnQyuOqPuHbnN83d/2l1NSYKCbHt24o" + }, + "type": "saml", + "name": "ping saml example" } ``` diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/pingone-oidc.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/pingone-oidc.mdx index 4d4cb75bdd8b3e..e05afcf45079d4 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/pingone-oidc.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/pingone-oidc.mdx 
@@ -1,12 +1,9 @@ --- pcx_content_type: how-to -title: PingOne® -sidebar: - order: 22 - +title: PingOne --- -The PingOne® cloud platform from PingIdentity provides SSO identity management. Cloudflare Access supports PingOne as an OIDC identity provider. +The PingOne cloud platform from PingIdentity provides SSO identity management. Cloudflare Access supports PingOne as an OIDC identity provider. ## Set up PingOne as an OIDC provider @@ -25,6 +22,7 @@ The PingOne® cloud platform from PingIdentity provides SSO identity management. ``` You can find your team name in Zero Trust under **Settings** > **Custom Pages**. + 10. Select **Save**. 11. In [Zero Trust](https://one.dash.cloudflare.com/), go to **Settings** > **Authentication**. 12. Under **Login methods**, select **Add new**. @@ -40,12 +38,12 @@ You can now [test your connection](/cloudflare-one/identity/idp-integration/#tes ```json { - "config": { - "client_id": "", - "client_secret": "", - "ping_env_id": "" - }, - "type": "ping", - "name": "my example idp" + "config": { + "client_id": "", + "client_secret": "", + "ping_env_id": "" + }, + "type": "ping", + "name": "my example idp" } ``` diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/pingone-saml.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/pingone-saml.mdx index 0881fca7ed334c..bbd495bb02bb0c 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/pingone-saml.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/pingone-saml.mdx 
@@ -1,14 +1,11 @@ --- pcx_content_type: how-to -title: PingOne® (SAML) -sidebar: - order: 23 - +title: PingOne (SAML) --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip } from "~/components"; -The PingOne® cloud platform from PingIdentity provides SSO identity management. Cloudflare Access supports PingOne as a SAML identity provider. +The PingOne cloud platform from PingIdentity provides SSO identity management. Cloudflare Access supports PingOne as a SAML identity provider. ## Set up PingOne as a SAML provider diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/signed_authn.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/signed_authn.mdx index 24fe603931739a..c0df9177e3ee25 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/signed_authn.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/signed_authn.mdx @@ -1,12 +1,9 @@ --- pcx_content_type: how-to title: Signed AuthN requests (SAML) -sidebar: - order: 24 - --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip } from "~/components"; In a SAML request flow, Cloudflare Access functions as the service provider (SP) to the identity provider (IdP). Cloudflare Access sends a SAML request to your IdP. The signing certificate that you upload from your SAML provider verifies the response. 
@@ -36,14 +33,14 @@ To set up Signed AuthN requests: Cloudflare Access uses a certificate that includes the following 2 distinguished name fields: - * **Issuer Distinguished Name** – `CN=cloudflareaccess.com, C=US, ST=Texas, L=Austin, O=Cloudflare` - * **Subject Distinguished Name** – `CN=*.cloudflareaccess.com, C=US, ST=Texas, L=Austin, O=Cloudflare` + - **Issuer Distinguished Name** – `CN=cloudflareaccess.com, C=US, ST=Texas, L=Austin, O=Cloudflare` + - **Subject Distinguished Name** – `CN=*.cloudflareaccess.com, C=US, ST=Texas, L=Austin, O=Cloudflare` Most IdP configurations require 3 components to enforce AuthN signature verification: - * **Certificate issuer [distinguished name (DN)](https://knowledge.digicert.com/generalinformation/INFO1745.html)** - * **Certificate subject distinguished name** - * **Public certificate** + - **Certificate issuer [distinguished name (DN)](https://knowledge.digicert.com/generalinformation/INFO1745.html)** + - **Certificate subject distinguished name** + - **Public certificate** 6. In your IdP account, replace your authorization domain with the team domain generated by Cloudflare Access. diff --git a/src/content/docs/cloudflare-one/identity/idp-integration/yandex.mdx b/src/content/docs/cloudflare-one/identity/idp-integration/yandex.mdx index 94f6e432840110..baa29536195e91 100644 --- a/src/content/docs/cloudflare-one/identity/idp-integration/yandex.mdx +++ b/src/content/docs/cloudflare-one/identity/idp-integration/yandex.mdx @@ -1,9 +1,6 @@ --- pcx_content_type: how-to title: Yandex -sidebar: - order: 25 - --- Yandex is a web search engine that also offers identity provider (IdP) services. @@ -58,11 +55,11 @@ To set up Yandex for Cloudflare Access: ```json { - "config": { - "client_id": "", - "client_secret": "" - }, - "type": "yandex", - "name": "my example idp" + "config": { + "client_id": "", + "client_secret": "" + }, + "type": "yandex", + "name": "my example idp" } ``` 
diff --git a/src/content/docs/cloudflare-one/identity/one-time-pin.mdx b/src/content/docs/cloudflare-one/identity/one-time-pin.mdx index 8e9082cbc38911..25185d3caa4df8 100644 --- a/src/content/docs/cloudflare-one/identity/one-time-pin.mdx +++ b/src/content/docs/cloudflare-one/identity/one-time-pin.mdx @@ -3,14 +3,13 @@ pcx_content_type: how-to title: One-time PIN login sidebar: order: 2 - --- -import { Render } from "~/components" +import { Render } from "~/components"; Cloudflare Access can send a one-time PIN (OTP) to approved email addresses as an alternative to integrating an identity provider. You can simultaneously configure OTP login and the identity provider of your choice to allow users to select their own authentication method. -For example, if your team uses Okta® but you are collaborating with someone outside your organization, you can use OTP to grant access to guests. +For example, if your team uses Okta but you are collaborating with someone outside your organization, you can use OTP to grant access to guests. ## Set up OTP 
@@ -29,26 +28,26 @@ To log in to Access using the one-time PIN: :::note -By design, blocked users will not receive an email. The login page will always say **A code has been emailed to you**, regardless of whether or not an email was sent. +By design, blocked users will not receive an email. The login page will always say **A code has been emailed to you**, regardless of whether or not an email was sent. ::: 4. Paste the PIN into the Access login page and select **Sign in**. ![Enter PIN to sign in.](~/assets/images/cloudflare-one/identity/otp/otp2.png) - * If the code was valid, you will be redirected to the application. - * If the code was invalid, you will see **That account does not have access.** + - If the code was valid, you will be redirected to the application. + - If the code was invalid, you will see **That account does not have access.** :::note -Access only logs an authentication attempt after the user enters a code. If the user enters their email but never submits a code, the event will not appear in your [audit logs](/cloudflare-one/insights/logs/audit-logs/#authentication-audit-logs). +Access only logs an authentication attempt after the user enters a code. If the user enters their email but never submits a code, the event will not appear in your [audit logs](/cloudflare-one/insights/logs/audit-logs/#authentication-audit-logs). ::: ## Example API Config ```json { - "config": {}, - "type": "onetimepin", - "name": "my example idp" + "config": {}, + "type": "onetimepin", + "name": "my example idp" } ``` diff --git a/src/content/docs/cloudflare-one/policies/access/index.mdx b/src/content/docs/cloudflare-one/policies/access/index.mdx index 1bafdd39cb0022..3324e101b7adb3 100644 --- a/src/content/docs/cloudflare-one/policies/access/index.mdx +++ b/src/content/docs/cloudflare-one/policies/access/index.mdx 
@@ -6,16 +6,15 @@ sidebar: head: - tag: title content: Access policies - --- Cloudflare Access determines who can reach your application by applying the Access policies you configure. An Access policy consists of an **Action** as well as rules which determine the scope of the action. To build a rule, you need to choose a **Rule type**, **Selector**, and a **Value** for the selector. -* [Actions](#actions) -* [Rule types](#rule-types) -* [Selectors](#selectors) +- [Actions](#actions) +- [Rule types](#rule-types) +- [Selectors](#selectors) ## Actions @@ -56,10 +55,8 @@ For example, this configuration blocks every request to the application, except :::caution[Warning] - Bypass does not enforce any Access security controls and requests are not logged. This should be tested before deploying to production. Consider using Service Auth if you would like to enforce policies and maintain logging without requiring user authentication. - ::: The Bypass action disables any Access enforcement for traffic that meets the defined rule criteria. Bypass is typically used to enable applications that require specific endpoints to be public. For example, some applications have an endpoint under the `/admin` route that must be publicly routable. In this situation, you could create an Access application for the domain `test.example.com/admin/` and add the following Bypass policy: @@ -72,10 +69,8 @@ As part of implementing a Zero Trust security model, we do not recommend using B :::note - When applying a Bypass action, security settings revert to the defaults configured for the zone and any configured Page Rules. If **Always use HTTPS** is enabled for the site, then traffic to the bypassed destination continues in HTTPS. If **Always use HTTPS** is disabled, traffic is HTTP. - ::: ### Service Auth 
@@ -134,26 +129,29 @@ Identity-based attributes are only checked when a user authenticates to Access, | Selector | Description | Checked at login | Checked continuously1 | | ------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------- | -------------------------------- | -| Emails | `you@company.com` | ✅ | ❌ | -| Emails ending in | `@company.com` | ✅ | ❌ | -| External Evaluation | Allows or denies access based on [custom logic](/cloudflare-one/policies/access/external-evaluation/) in an external API. | ✅ | ❌ | -| IP ranges | `192.168.100.1/24` (supports IPv4/IPv6 addresses and CIDR ranges) | ✅ | ✅ | -| Country | Uses the IP address to determine country. | ✅ | ✅ | -| Everyone | Allows, denies, or bypasses access to everyone. | ✅ | ❌ | -| Common Name | The request will need to present a valid certificate with an expected common name. | ✅ | ✅ | -| Valid Certificate | The request will need to present any valid client certificate. | ✅ | ✅ | -| Service Token | The request will need to present the correct service token headers configured for the specific application. | ✅ | ✅ | -| Any Access Service Token | The request will need to present the headers for any [service token](/cloudflare-one/identity/service-tokens/) created for this account. | ✅ | ✅ | -| Login Methods | Checks the identity provider used at the time of login. | ✅ | ❌ | -| Authentication Method | Checks the [multifactor authentication](/cloudflare-one/policies/access/mfa-requirements/) method used by the user, if supported by the identity provider. | ✅ | ❌ | -| Identity provider group | Checks the user groups you configured with your identity provider (IdP). This selector only displays if you use AzureAD, GitHub, Google, or Okta as your IdP. | ✅ | ❌ | -| SAML Group | Checks a SAML attribute name / value pair. 
This selector only displays if you use a [generic SAML](/cloudflare-one/identity/idp-integration/generic-saml/) identity provider. | ✅ | ❌ | -| OIDC Claim | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](/cloudflare-one/identity/idp-integration/generic-oidc/) identity provider. | ✅ | ❌ | -| Device posture | Checks [device posture signals](/cloudflare-one/identity/devices/) from the WARP client or a third-party service provider. | ✅ | ✅ | -| Warp | Checks that the device is connected to WARP, including the consumer version. | ✅ | ✅ | -| Gateway | Checks that the device is connected to your Zero Trust instance through the [WARP client](/cloudflare-one/connections/connect-devices/warp/). | ✅ | ✅ | - -1 For SaaS applications, Access can only enforce policies at the time of initial sign on and when reissuing the SaaS session. Once the user has authenticated to the SaaS app, session management falls solely within the purview of the SaaS app. +| Emails | `you@company.com` | ✅ | ❌ | +| Emails ending in | `@company.com` | ✅ | ❌ | +| External Evaluation | Allows or denies access based on [custom logic](/cloudflare-one/policies/access/external-evaluation/) in an external API. | ✅ | ❌ | +| IP ranges | `192.168.100.1/24` (supports IPv4/IPv6 addresses and CIDR ranges) | ✅ | ✅ | +| Country | Uses the IP address to determine country. | ✅ | ✅ | +| Everyone | Allows, denies, or bypasses access to everyone. | ✅ | ❌ | +| Common Name | The request will need to present a valid certificate with an expected common name. | ✅ | ✅ | +| Valid Certificate | The request will need to present any valid client certificate. | ✅ | ✅ | +| Service Token | The request will need to present the correct service token headers configured for the specific application. | ✅ | ✅ | +| Any Access Service Token | The request will need to present the headers for any [service token](/cloudflare-one/identity/service-tokens/) created for this account. 
| ✅ | ✅ | +| Login Methods | Checks the identity provider used at the time of login. | ✅ | ❌ | +| Authentication Method | Checks the [multifactor authentication](/cloudflare-one/policies/access/mfa-requirements/) method used by the user, if supported by the identity provider. | ✅ | ❌ | +| Identity provider group | Checks the user groups you configured with your identity provider (IdP). This selector only displays if you use Microsoft Entra ID, GitHub, Google, or Okta as your IdP. | ✅ | ❌ | +| SAML Group | Checks a SAML attribute name / value pair. This selector only displays if you use a [generic SAML](/cloudflare-one/identity/idp-integration/generic-saml/) identity provider. | ✅ | ❌ | +| OIDC Claim | Checks an OIDC claim name / value pair. This selector only displays if you use a [generic OIDC](/cloudflare-one/identity/idp-integration/generic-oidc/) identity provider. | ✅ | ❌ | +| Device posture | Checks [device posture signals](/cloudflare-one/identity/devices/) from the WARP client or a third-party service provider. | ✅ | ✅ | +| Warp | Checks that the device is connected to WARP, including the consumer version. | ✅ | ✅ | +| Gateway | Checks that the device is connected to your Zero Trust instance through the [WARP client](/cloudflare-one/connections/connect-devices/warp/). | ✅ | ✅ | + +1 For SaaS applications, Access can only enforce policies at the time +of initial sign on and when reissuing the SaaS session. Once the user has +authenticated to the SaaS app, session management falls solely within the +purview of the SaaS app. ## Order of execution 
@@ -161,11 +159,11 @@ Policies are evaluated based on their action type and ordering. Bypass and Servi For example, if you have a list of policies arranged as follows: -* Allow A -* Block B -* Service Auth C -* Bypass D -* Allow E +- Allow A +- Block B +- Service Auth C +- Bypass D +- Allow E The policies will execute in this order: Service Auth C > Bypass D > Allow A > Block B > Allow E. Once a user matches an Allow or Block policy, evaluation stops and no subsequent policies can override the decision. diff --git a/src/content/docs/cloudflare-one/policies/access/mfa-requirements.mdx b/src/content/docs/cloudflare-one/policies/access/mfa-requirements.mdx index baa901a90c44e8..a35b76f395f224 100644 --- a/src/content/docs/cloudflare-one/policies/access/mfa-requirements.mdx +++ b/src/content/docs/cloudflare-one/policies/access/mfa-requirements.mdx @@ -3,19 +3,18 @@ pcx_content_type: how-to title: Enforce MFA sidebar: order: 6 - --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip } from "~/components"; With Zero Trust policies, you can require that users log in to certain applications with specific types of multifactor authentication (MFA) methods. For example, you can create rules that only allow users to reach a given application if they authenticate with a physical hard key. This feature is only available if you are using the following identity providers: -* Okta -* Azure AD -* OpenID Connect (OIDC) -* SAML +- Okta +- Microsoft Entra ID (formerly Azure AD) +- OpenID Connect (OIDC) +- SAML To enforce an MFA requirement to an application: 
@@ -29,20 +28,18 @@ To enforce an MFA requirement to an application:
 The rule must contain an Include rule which defines an identity. For example, the Include rule should allow for users who are part of a user [group](/cloudflare-one/identity/users/groups/), email domain, or identity provider group.
-5. Add a *Require* action to the rule.
+5. Add a _Require_ action to the rule.
-6. Select *Authentication Method* and choose `mfa - multiple-factor authentication`.
+6. Select _Authentication Method_ and choose `mfa - multiple-factor authentication`.
 7. Save the rule.
 :::caution[Important]
-
 **What happens if the user fails to present the required MFA method?** Cloudflare Access will reject the user, even if they successfully login to the identity provider with an alternative method.
-
 :::
 ## Adding authentication methods into the JWT
diff --git a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles.mdx b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles.mdx
index 1473f9b65a4ff5..4b6a0d54f3e85d 100644
--- a/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles.mdx
+++ b/src/content/docs/cloudflare-one/policies/data-loss-prevention/dlp-profiles/predefined-profiles.mdx
@@ -3,7 +3,6 @@ pcx_content_type: reference
 title: Predefined profiles
 sidebar:
 order: 2
-
 ---
 Cloudflare Zero Trust provides predefined DLP profiles for common types of sensitive data. Some profiles include built-in validation checks to increase detection granularity. Additionally, you can configure [advanced settings](/cloudflare-one/policies/data-loss-prevention/dlp-profiles/advanced-settings/) for predefined profiles.
@@ -12,17 +11,15 @@ Cloudflare Zero Trust provides predefined DLP profiles for common types of sensi
 The following secrets are validated with regex.
-* Google Cloud Platform keys
-* AWS keys
-* Azure API keys
-* SSH keys
+- Google Cloud Platform keys
+- AWS keys
+- Azure API keys
+- SSH keys
 ## Financial information
 Credit card numbers begin with a six or eight-digit Issuer Identification Number (IIN) and are followed by up to 23 additional digits. CVVs are not validated.
-
-
 | Detection entry | Notes |
 | -------------------------------- | --------------------------------------------------------------------------------- |
 | American Express Card Number | Validated using [Luhn's algorithm](https://en.wikipedia.org/wiki/Luhn_algorithm). |
@@ -38,22 +35,18 @@ Credit card numbers begin with a six or eight-digit Issuer Identification Number
 | United States ABA Routing Number | Validated algorithmically with checksum. |
 | IBAN | Validated with checksum. |
-
-
 ## Health information
 The following diagnosis and medication names are checked for surrounding ASCII characters to prevent false positives.
-* FDA active ingredients
-* FDA drug names
-* ICD-10 FY2023 short descriptions
+- FDA active ingredients
+- FDA drug names
+- ICD-10 FY2023 short descriptions
 ## National identifiers
 Detections are validated algorithmically when possible.
-
-
 | Detection entry | Notes |
 | ---------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
 | United States SSN Numeric Detection | Commonly used separators are required to match the detection entry. For example, `000-00-0000` matches but `000000000` does not. Social security numbers do not adhere to algorithmic validation. |
@@ -71,21 +64,19 @@ Detections are validated algorithmically when possible.
 | United Kingdom NHS Number | Validated with checksum. |
 | United Kingdom National Insurance Number | Validated with regex. |
-
-
 ## Source code
 The following programming languages are validated with natural language processing (NLP).
-* C
-* C++
-* C#
-* Go
-* Haskell
-* Java
-* JavaScript
-* Lua
-* Python
-* R
-* Rust
-* Swift
+- C
+- C++
+- C#
+- Go
+- Haskell
+- Java
+- JavaScript
+- Lua
+- Python
+- R
+- Rust
+- Swift
diff --git a/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx b/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx
index b508b7f000ef66..9e501287b988eb 100644
--- a/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx
+++ b/src/content/docs/cloudflare-one/policies/gateway/identity-selectors.mdx
@@ -96,15 +96,15 @@ Cloudflare Gateway can integrate with your organization's identity providers (Id
 Because IdPs expose user groups in different formats, reference the list below to choose the appropriate identity-based selector.
-### Azure AD
+### Microsoft Entra ID
 | Selector | Value |
 | -------------- | ------------------------------------- |
 | User Group IDs | `61503835-b6fe-4630-af88-de551dd59a2` |
-**Value** is the [Object Id](/cloudflare-one/identity/idp-integration/azuread/#azure-groups-in-zero-trust-policies) for an Azure group.
+**Value** is the [Object Id](/cloudflare-one/identity/idp-integration/entra-id/#entra-groups-in-zero-trust-policies) for an Entra group.
-If you enabled user and group synchronization with [SCIM](/cloudflare-one/identity/idp-integration/azuread/#synchronize-users-and-groups), the synchronized groups will appear under _User Group Names_:
+If you enabled user and group synchronization with [SCIM](/cloudflare-one/identity/idp-integration/entra-id/#synchronize-users-and-groups), the synchronized groups will appear under _User Group Names_:
 | Selector | Value |
 | ---------------- | ------------ |
diff --git a/src/content/docs/cloudflare-one/tutorials/azuread-conditional-access.mdx b/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx
similarity index 65%
rename from src/content/docs/cloudflare-one/tutorials/azuread-conditional-access.mdx
rename to src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx
index e14c6a0af12d17..313c628889baa7 100644
--- a/src/content/docs/cloudflare-one/tutorials/azuread-conditional-access.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/entra-id-conditional-access.mdx
@@ -2,31 +2,27 @@
 updated: 2024-01-12
 category: 🔐 Access
 pcx_content_type: tutorial
-title: Use Azure AD Conditional Access policies in Cloudflare Access
-
+title: Use Microsoft Entra ID Conditional Access policies in Cloudflare Access
 ---
-With Azure Active Directory (AD)'s [Conditional Access](https://learn.microsoft.com/en-us/azure/active-directory/conditional-access/overview), administrators can enforce policies on applications and users directly in Azure AD. Conditional Access has a set of checks that are specialized to Windows and are often preferred by organizations with Windows power users.
-
+With [Conditional Access](https://learn.microsoft.com/entra/identity/conditional-access/overview) in Microsoft Entra ID (formerly Azure Active Directory), administrators can enforce policies on applications and users directly in Entra ID. Conditional Access has a set of checks that are specialized to Windows and are often preferred by organizations with Windows power users.
 ## Before you begin
-
 Make sure you have:
-* Global admin rights to an Azure AD account
-* Configured users in the Azure AD account
+- Global admin rights to Microsoft Entra ID account
+- Configured users in the Microsoft Entra ID account
 ## Set up an identity provider for your application
-Refer to [our IdP setup instructions](/cloudflare-one/identity/idp-integration/azuread/#set-up-azure-ad-as-an-identity-provider) for Azure AD.
-
+Refer to [our IdP setup instructions](/cloudflare-one/identity/idp-integration/entra-id/#set-up-entra-id-as-an-identity-provider) for Entra ID.
-## Add API permission in Azure AD
+## Add API permission in Entra ID
-Once the base IdP integration is tested and working, grant permission for Cloudflare to read Conditional Access policies from Azure AD.
+Once the base IdP integration is tested and working, grant permission for Cloudflare to read Conditional Access policies from Entra ID.
-1. In Azure Active Directory, go to **App registrations**.
+1. 
In Microsoft Entra ID, go to **App registrations**.
 2. Select the application you created for the IdP integration.
@@ -38,16 +34,16 @@ Once the base IdP integration is tested and working, grant permission for Cloudf
 6. Select **Grant admin consent**.
-## Configure Conditional Access in Azure AD
+## Configure Conditional Access in Entra ID
-1. In Azure Active Directory, go to **Enterprise applications** > **Conditional Access**.
+1. In Microsoft Entra ID, go to **Enterprise applications** > **Conditional Access**.
 2. Go to **Authentication Contexts**.
 3. [Create an authentication context](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-cloud-apps#authentication-context) to reference in your Cloudflare Access policies. Give the authentication context a descriptive name (for example, `Require compliant devices`).
 4. Next, go to **Policies**.
 5. [Create a new Conditional Access policy](https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-conditional-access-policies) or select an existing policy.
 6. Assign the conditional access policy to an authentication context:
 1. In the policy builder, select **Target resources**.
- 2. In the **Select what this policy applies to** dropdown, select *Authentication context*.
+ 2. In the **Select what this policy applies to** dropdown, select _Authentication context_.
 3. Select the authentication context that will use this policy.
 4. Save the policy.
@@ -56,7 +52,7 @@ Once the base IdP integration is tested and working, grant permission for Cloudf
 To import your Conditional Access policies into Cloudflare Access:
 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**.
-2. Find your Azure AD integration and select **Edit**.
+2. Find your Microsoft Entra ID integration and select **Edit**.
 3. Enable **Azure AD Policy Sync**.
 4. Select **Save**.
@@ -70,16 +66,13 @@ To enforce your Conditional Access policies on a Cloudflare Access application:
 3. In **Application domain**, enter the target URL of the protected application.
-4. For **Identity providers**, select your Azure AD integration.
+4. For **Identity providers**, select your Microsoft Entra ID integration.
-5. Finally, create an [Access policy](/cloudflare-one/policies/access/) using the *Azure AD - Auth context* selector. For example:
+5. Finally, create an [Access policy](/cloudflare-one/policies/access/) using the _Azure AD - Auth context_ selector. For example:
 | Action | Rule type | Selector | Value |
 | ------ | --------- | ----------------------- | --------------------------- |
 | Allow | Include | Emails ending in | `@example.com` |
 | | Require | Azure AD - Auth context | `Require compliant devices` |
-Users will only be allowed access if they pass the Azure AD Conditional Access policies associated with this authentication context.
-
-
-
+Users will only be allowed access if they pass the Microsoft Entra ID Conditional Access policies associated with this authentication context.
diff --git a/src/content/docs/cloudflare-one/tutorials/azuread-risky-users.mdx b/src/content/docs/cloudflare-one/tutorials/entra-id-risky-users.mdx
similarity index 70%
rename from src/content/docs/cloudflare-one/tutorials/azuread-risky-users.mdx
rename to src/content/docs/cloudflare-one/tutorials/entra-id-risky-users.mdx
index a67051243acce9..5b75fa8b83b759 100644
--- a/src/content/docs/cloudflare-one/tutorials/azuread-risky-users.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/entra-id-risky-users.mdx
@@ -3,12 +3,12 @@ updated: 2023-01-06
 category: 🔐 Zero Trust
 difficulty: Advanced
 pcx_content_type: tutorial
-title: Isolate Azure AD risky users
+title: Isolate risky Entra ID users
 ---
-Azure Active Directory (AD) calculates a user's [risk level](https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk) based on the probability that their account has been compromised. With Cloudflare Zero Trust, you can synchronize the Azure AD risky users list with Cloudflare Access and apply more stringent Zero Trust policies to users at higher risk.
+Microsoft Entra ID (formerly Azure Active Directory) calculates a user's [risk level](https://learn.microsoft.com/entra/id-protection/howto-identity-protection-investigate-risk) based on the probability that their account has been compromised. With Cloudflare Zero Trust, you can synchronize the Entra ID risky users list with Cloudflare Access and apply more stringent Zero Trust policies to users at higher risk.
-This tutorial demonstrates how to automatically redirect users to a remote browser when they are deemed risky by Azure.
+This tutorial demonstrates how to automatically redirect users to a remote browser when they are deemed risky by Entra ID.
 **Time to complete:**
@@ -16,15 +16,15 @@ This tutorial demonstrates how to automatically redirect users to a remote brows
 ## Prerequisites
-- Azure AD Premium P2 license
+- Microsoft Entra ID Premium P2 license
 - [Cloudflare Browser Isolation](/cloudflare-one/policies/browser-isolation/) add-on
 - [Gateway HTTP filtering](/cloudflare-one/policies/gateway/initial-setup/http/) enabled on your devices
 - [npm](https://docs.npmjs.com/getting-started) installation
 - [Node.js](https://nodejs.org/en/) installation
-## 1. Set up Azure AD as an identity provider
+## 1. Set up Entra ID as an identity provider
-Refer to [our IdP setup instructions](/cloudflare-one/identity/idp-integration/azuread/#set-up-azure-ad-as-an-identity-provider) for Azure AD.
+Refer to [our IdP setup instructions](/cloudflare-one/identity/idp-integration/entra-id/#set-up-entra-id-as-an-identity-provider) for Entra ID.
 :::note
@@ -32,11 +32,11 @@ Refer to [our IdP setup instructions](/cloudflare-one/identity/idp-integration/a
 - Save the **Application (client) ID**, **Directory (tenant) ID**, and **Client secret** as you will need them again in a later step.
 :::
-## 2. Add Azure AD API permissions
+## 2. Add Entra ID API permissions
-Once the base IdP integration is tested and working, enable additional permissions that will allow a script to create and update risky user groups in Azure AD:
+Once the base IdP integration is tested and working, enable additional permissions that will allow a script to create and update risky user groups in Entra ID:
-1. In Azure Active Directory, go to **App registrations**.
+1. In Microsoft Entra ID, go to **App registrations**.
 2. Select the application you created for the IdP integration.
@@ -57,13 +57,13 @@ Once the base IdP integration is tested and working, enable additional permissio
 You will see the list of enabled permissions.
-![API permissions in Azure AD](~/assets/images/cloudflare-one/identity/azure/risky-users-permissions.png)
+![API permissions in Entra ID](~/assets/images/cloudflare-one/identity/azure/risky-users-permissions.png)
-## 3. Add risky users to Azure AD group
+## 3. Add risky users to Entra ID group
-Next, configure an automated script that will populate an Azure AD security group with risky users.
+Next, configure an automated script that will populate an Entra ID security group with risky users.
-To get started quickly, deploy our example Cloudflare Workers script by following the step-by-step instructions below. Alternatively, you can implement the script using [Azure Functions](https://learn.microsoft.com/en-us/azure/azure-functions/functions-overview) or any other tool.
+To get started quickly, deploy our example Cloudflare Workers script by following the step-by-step instructions below. Alternatively, you can implement the script using [Azure Functions](https://learn.microsoft.com/azure/azure-functions/functions-overview) or any other tool.
 1. Open a terminal and clone our example project.
@@ -80,8 +80,8 @@ To get started quickly, deploy our example Cloudflare Workers script by followin
 3. Modify `wrangler.toml` to include the following values:
 - ``: your Cloudflare [account ID](/fundamentals/setup/find-account-and-zone-ids/).
- - ``: your Azure AD **Directory (tenant) ID**, obtained when [setting up Azure AD as an identity provider](#1-set-up-azure-ad-as-an-identity-provider).
- - ``: your Azure AD **Application (client) ID**, obtained when [setting up Azure AD as an identity provider](#1-set-up-azure-ad-as-an-identity-provider).
+ - ``: your Entra ID **Directory (tenant) ID**, obtained when [setting up Entra ID as an identity provider](#1-set-up-entra-id-as-an-identity-provider).
+ - ``: your Entra ID **Application (client) ID**, obtained when [setting up Entra ID as an identity provider](#1-set-up-entra-id-as-an-identity-provider).
 ```toml
 name = "risky-users"
@@ -116,7 +116,7 @@ The [Cron Trigger](/workers/configuration/cron-triggers/) in this example schedu
 wrangler secret put AZURE_AD_CLIENT_SECRET
 ```
- You will be prompted to input the secret's value. Enter the **Client secret** obtained when [setting up AzureAD as an identity provider](#1-set-up-azure-ad-as-an-identity-provider).
+ You will be prompted to input the secret's value. Enter the **Client secret** obtained when [setting up Microsoft Entra ID as an identity provider](#1-set-up-azure-ad-as-an-identity-provider).
 The Worker script will begin executing once per minute. To view realtime logs, run the following command and wait for the script to execute:
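Review bot: The new line in the second hunk still links to `#1-set-up-azure-ad-as-an-identity-provider`, while the heading that anchor resolved to is renamed to `## 1. Set up Entra ID as an identity provider` elsewhere in this commit and the two list items in the first hunk already point at `#1-set-up-entra-id-as-an-identity-provider`. As written, the link in the client-secret step is dead. Change the target to `(#1-set-up-entra-id-as-an-identity-provider)` so it matches the renamed heading.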
@@ -124,22 +124,22 @@ The Worker script will begin executing once per minute. To view realtime logs, r
 wrangler tail --format pretty
 ```
-After the initial run, the auto-generated groups will appear in the Azure AD dashboard.
+After the initial run, the auto-generated groups will appear in the Entra ID dashboard.
-![Risky user groups in the Azure AD dashboard](~/assets/images/cloudflare-one/identity/azure/risky-users-groups.png)
+![Risky user groups in the Entra ID dashboard](~/assets/images/cloudflare-one/identity/azure/risky-users-groups.png)
 ## 4. Synchronize risky user groups
-Next, synchronize Azure AD risky user groups with Cloudflare Access:
+Next, synchronize Entra ID risky user groups with Cloudflare Access:
-1. [Enable SCIM synchronization](/cloudflare-one/identity/idp-integration/azuread/#synchronize-users-and-groups).
+1. [Enable SCIM synchronization](/cloudflare-one/identity/idp-integration/entra-id/#synchronize-users-and-groups).
-2. In Azure AD, assign the following groups to your SCIM enterprise application:
+2. In Entra ID, assign the following groups to your SCIM enterprise application:
 - `IdentityProtection-RiskyUser-RiskLevel-high`
 - `IdentityProtection-RiskyUser-RiskLevel-medium`
 - `IdentityProtection-RiskyUser-RiskLevel-low`
-Cloudflare Access will now synchronize changes in group membership with Azure AD. You can verify the synchronization status on the SCIM application's **Provisioning** page.
+Cloudflare Access will now synchronize changes in group membership with Entra ID. You can verify the synchronization status on the SCIM application's **Provisioning** page.
 ## 5. Create a browser isolation policy
@@ -156,4 +156,4 @@ Finally, create a [Gateway HTTP policy](/cloudflare-one/policies/gateway/http-po
 | Domain | in | `app1.example.com`, `app2.example.com` | And | Isolate |
 | User Group Names | in | `IdentityProtection-RiskyUser-RiskLevel-high` | | |
-To test the policy, refer to the Microsoft documentation for [simulating risky detections](https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-simulate-risk).
+To test the policy, refer to the Microsoft documentation for [simulating risky detections](https://learn.microsoft.com/entra/id-protection/howto-identity-protection-simulate-risk).
diff --git a/src/content/docs/cloudflare-one/tutorials/gitlab.mdx b/src/content/docs/cloudflare-one/tutorials/gitlab.mdx
index 2aa0d911143060..b1fb35b936e7d5 100644
--- a/src/content/docs/cloudflare-one/tutorials/gitlab.mdx
+++ b/src/content/docs/cloudflare-one/tutorials/gitlab.mdx
@@ -134,7 +134,7 @@ When a user makes a request to a site protected by Access, that request hits Clo
 ![GitLab Services](~/assets/images/cloudflare-one/zero-trust-security/gitlab/teams-diagram.png)
-To determine who can reach the application, Cloudflare Access relies on integration with identity providers like Okta or AzureAD or Google to issue the identity cards that get checked at the door. While a VPN allows users free range on a private network unless someone builds an active rule to stop them, Access enforces that identity check on every request (and at any granularity configured).
+To determine who can reach the application, Cloudflare Access relies on integration with identity providers like Okta, Microsoft Entra ID, or Google to issue the identity cards that get checked at the door. While a VPN allows users free range on a private network unless someone builds an active rule to stop them, Access enforces that identity check on every request (and at any granularity configured).
 For GitLab, start by building two policies. Users will connect to GitLab in a couple of methods: in the web app and over SSH. Create policies to secure a subdomain for each. First, the web app.
diff --git a/src/content/docs/images/index.mdx b/src/content/docs/images/index.mdx
index 042ab0613ccc72..0507445c738d29 100644
--- a/src/content/docs/images/index.mdx
+++ b/src/content/docs/images/index.mdx
@@ -5,7 +5,7 @@ sidebar:
 order: 1
 head:
 - tag: title
- content: Cloudflare Image Optimization
+ content: Cloudflare Images
 ---
diff --git a/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx b/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx
index 8b5fe6019d1299..974fd93e0c692f 100644
--- a/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx
+++ b/src/content/docs/reference-architecture/architectures/cloudflare-sase-with-microsoft.mdx
@@ -10,6 +10,7 @@ sidebar:
 order: 1
 label: Cloudflare SASE with Microsoft
 updated: 2024-13-06
+
 ---
 import { Render } from "~/components";
@@ -111,4 +112,4 @@ By leveraging Cloudflare and its integrations with Microsoft, organizations can
 ## Related resources
 - [Overview of Microsoft and Cloudflare partnership](https://www.cloudflare.com/partners/technology-partners/microsoft/)
-- [Set up Entra ID (formerly Azure AD) as an identity provider](/cloudflare-one/identity/idp-integration/azuread/#set-up-azure-ad-as-an-identity-provider)
+- [Set up Microsoft Entra ID (formerly Azure Active Directory) as an identity provider](/cloudflare-one/identity/idp-integration/entra-id/#set-up-entra-id-as-an-identity-provider)
diff --git a/src/content/docs/reference-architecture/architectures/sase.mdx b/src/content/docs/reference-architecture/architectures/sase.mdx
index 10cb3e459993fd..8c5d63eb9232ce 100644
--- a/src/content/docs/reference-architecture/architectures/sase.mdx
+++ b/src/content/docs/reference-architecture/architectures/sase.mdx
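Review bot: The `updated: 2024-13-06` value on the context line directly above the added blank line is not a valid calendar date (there is no month 13), and this commit is already editing that frontmatter block. It looks like a transposed `2024-06-13`, but the intended date should be confirmed with the author rather than guessed. Whichever it is, correcting it in this hunk avoids an invalid date propagating into the page metadata.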
@@ -468,7 +468,7 @@ But, before organizations define policies to manage that access, they need to kn
 The first step in any access decision is to determine who is making the request – i.e., to authenticate the user.
-Cloudflare integrates with identity providers that manage secure access to resources for organizations' employees, contractors, partners, and other users. This includes support for integrations with any [SAML](/cloudflare-one/identity/idp-integration/generic-saml/) - or OpenID Connect ([OIDC](/cloudflare-one/identity/idp-integration/generic-oidc/)) - compliant service; Cloudflare One also includes pre-built integrations with [Okta](/cloudflare-one/identity/idp-integration/okta/), [Microsoft Azure AD](/cloudflare-one/identity/idp-integration/azuread/), [Google Workspace](/cloudflare-one/identity/idp-integration/gsuite/), as well as consumer IdPs such as [Facebook](/cloudflare-one/identity/idp-integration/facebook-login/), [GitHub](/cloudflare-one/identity/idp-integration/github/) and [LinkedIn](/cloudflare-one/identity/idp-integration/linkedin/).
+Cloudflare integrates with identity providers that manage secure access to resources for organizations' employees, contractors, partners, and other users. This includes support for integrations with any [SAML](/cloudflare-one/identity/idp-integration/generic-saml/) - or OpenID Connect ([OIDC](/cloudflare-one/identity/idp-integration/generic-oidc/)) - compliant service; Cloudflare One also includes pre-built integrations with [Okta](/cloudflare-one/identity/idp-integration/okta/), [Microsoft Entra ID (formerly Azure Active Directory)](/cloudflare-one/identity/idp-integration/entra-id/), [Google Workspace](/cloudflare-one/identity/idp-integration/gsuite/), as well as consumer IdPs such as [Facebook](/cloudflare-one/identity/idp-integration/facebook-login/), [GitHub](/cloudflare-one/identity/idp-integration/github/) and [LinkedIn](/cloudflare-one/identity/idp-integration/linkedin/).
Multiple IdPs can be integrated, allowing organizations to apply policies to a wide range of both internal and external users. When a user attempts to access a Cloudflare secured application or service, they are redirected to authenticate via one of the integrated IdPs. When using the device agent, users must also authenticate to one of their organization's configured IdPs.
diff --git a/src/content/docs/reference-architecture/architectures/security.mdx b/src/content/docs/reference-architecture/architectures/security.mdx
index 0afb2bb23040c9..6234054bef59f8 100644
--- a/src/content/docs/reference-architecture/architectures/security.mdx
+++ b/src/content/docs/reference-architecture/architectures/security.mdx
@@ -246,7 +246,7 @@ Web Application Firewall (WAF) [Managed Rules](/waf/managed-rules/) allow you to
 WAF checks incoming web requests and filters undesired traffic based on sets of rules (rulesets) deployed at the edge. These managed rulesets are maintained and regularly updated by Cloudflare. From the extensive threat intelligence obtained from across our global network, Cloudflare is able to quickly detect and classify threats. As new attacks/threats are identified, Cloudflare will automatically push WAF rules to customers to ensure they are protected against the latest zero-day attacks.
-Additionally, Cloudflare provides for [WAF Attack Score](/waf/about/waf-attack-score/), which complements Cloudflare managed rules by detecting attack variations. These variations are typically achieved by malicious actors via fuzzing techniques that are trying to identify ways to bypass existing security policies. WAF classifies each request using a machine learning algorithm, assigning an attack score from 1 to 99 based on the likelihood that the request is malicious. Rules can then be written which use these scores to determine what traffic is permitted to the application.
+Additionally, Cloudflare provides for [WAF Attack Score](/waf/detections/attack-score/), which complements Cloudflare managed rules by detecting attack variations. These variations are typically achieved by malicious actors via fuzzing techniques that are trying to identify ways to bypass existing security policies. WAF classifies each request using a machine learning algorithm, assigning an attack score from 1 to 99 based on the likelihood that the request is malicious. Rules can then be written which use these scores to determine what traffic is permitted to the application.
 ![Machine learning maintains lists of managed rules to determine if the request should be let through the WAF or not.](~/assets/images/reference-architecture/security/security-ref-arch-6.svg)
@@ -349,7 +349,7 @@ Malware can refer to viruses, worms, trojans, ransomware, spyware, adware, and o
 When Uploaded Content Scanning is enabled, content scanning attempts to detect items such as uploaded files, and scans them for malicious signatures like malware. The scan results, along with additional metadata, are exposed as fields available in WAF custom rules, allowing customers to implement fine-grained mitigation rules.
-Products: [WAF - Uploaded Content Scanning](/waf/about/content-scanning/)
+Products: [WAF - Uploaded Content Scanning](/waf/detections/malicious-uploads/)
 #### Cloudflare application security products
diff --git a/src/content/docs/rules/transform/managed-transforms/configure.mdx b/src/content/docs/rules/transform/managed-transforms/configure.mdx
index c74d19cdf45dd6..56aae3beeae4b3 100644
--- a/src/content/docs/rules/transform/managed-transforms/configure.mdx
+++ b/src/content/docs/rules/transform/managed-transforms/configure.mdx
@@ -68,6 +68,11 @@ curl https://api.cloudflare.com/client/v4/zones/{zone_id}/managed_headers \
 "enabled": false,
 "has_conflict": false,
 "conflicts_with": ["add_true_client_ip_headers"]
+ },
+ {
+ "id": "add_waf_credential_check_status_header",
+ "enabled": false,
+ "has_conflict": false
 }
 ],
 "managed_response_headers": [
diff --git a/src/content/docs/rules/transform/managed-transforms/index.mdx b/src/content/docs/rules/transform/managed-transforms/index.mdx
index b9586fc384877a..dc8b30777c5172 100644
--- a/src/content/docs/rules/transform/managed-transforms/index.mdx
+++ b/src/content/docs/rules/transform/managed-transforms/index.mdx
@@ -3,15 +3,15 @@ title: Managed Transforms
 pcx_content_type: concept
 sidebar:
 order: 4
-
 ---
 Managed Transforms allow you to perform common adjustments to HTTP request and response headers with the click of a button. The available adjustments include:
-* Add bot protection request headers.
-* Remove or add headers related to the visitor's IP address.
-* Add security-related response headers.
-* Remove "X-Powered-By" response headers.
+- Add bot protection request headers.
+- Remove or add headers related to the visitor's IP address.
+- Add request header when the WAF detects leaked credentials.
+- Add security-related response headers.
+- Remove "X-Powered-By" response headers.
 For a complete list, refer to [Available Managed Transforms](/rules/transform/managed-transforms/reference/).
@@ -20,8 +20,7 @@ When you enable a Managed Transform, Cloudflare internally deploys one or more T
 Enabled Managed Transforms will apply to all inbound requests for the zone.
 :::note
-
-The generated internal Transform Rules will not appear in the Transform Rules list in the Cloudflare dashboard.
+The generated internal Transform Rules will not appear in the Transform Rules list in the Cloudflare dashboard.
 :::
 ## Next steps
diff --git a/src/content/docs/rules/transform/managed-transforms/reference.mdx b/src/content/docs/rules/transform/managed-transforms/reference.mdx
index a7e2fb7c4508db..4d09d1503920cd 100644
--- a/src/content/docs/rules/transform/managed-transforms/reference.mdx
+++ b/src/content/docs/rules/transform/managed-transforms/reference.mdx
@@ -106,6 +106,25 @@ For example, consider an incoming request proxied by two CDNs (`CDN_1` and `CDN_
 With **Remove visitor IP headers** enabled, the `x-forwarded-for` header sent to the origin server will be:
`x-forwarded-for: `
+### Add Leaked Credentials Checks Header
+
+Adds an `Exposed-Credential-Check` request header whenever the WAF detects leaked credentials in the incoming request.
+
+The header can have these values:
+
+| Header + Value | Description | Availability |
+| ----------------------------- | ----------------------------------------------------------------------- | ------------------ |
+| `Exposed-Credential-Check: 1` | Previously leaked username and password detected | Pro plan and above |
+| `Exposed-Credential-Check: 2` | Previously leaked username detected | Enterprise plan |
+| `Exposed-Credential-Check: 3` | Similar combination of previously leaked username and password detected | Enterprise plan |
+| `Exposed-Credential-Check: 4` | Previously leaked password detected | All plans |
+
+You will only receive this managed header at your origin server if:
+
+- The [leaked credentials detection](/waf/detections/leaked-credentials/) in the WAF is turned on.
+- The **Add Leaked Credentials Checks Header** managed transform is turned on.
+- Your Cloudflare plan supports the type of credentials detection. For example, Free plans can only know if a password was previously leaked. In this situation, Cloudflare will add an `Exposed-Credential-Check: 4` header to the request.
+
 ## HTTP response headers
 ### Remove "X-Powered-By" headers
diff --git a/src/content/docs/rules/transform/url-rewrite/index.mdx b/src/content/docs/rules/transform/url-rewrite/index.mdx
index b70649a9d5a4a1..4bba00ec4d74a7 100644
--- a/src/content/docs/rules/transform/url-rewrite/index.mdx
+++ b/src/content/docs/rules/transform/url-rewrite/index.mdx
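Review bot: The new Add Leaked Credentials Checks Header section explains the `Exposed-Credential-Check` values but not the trust boundary around them: the header is added by Cloudflare on the way to the origin, so it is only a reliable signal for origin-side logic when requests cannot reach the origin except through Cloudflare. The section also does not say how a header of the same name that is already present on the incoming request is treated when the transform is enabled (overwritten, stripped, or passed through); I cannot tell from this hunk, so that should be confirmed before it is documented. A sentence after the bullet list such as `Only act on this header for requests that reach your origin through Cloudflare (for example, with Authenticated Origin Pulls or by allowing only Cloudflare IP addresses); a request that reaches your origin directly can carry any value in this header.` covers the first point, and a one-line statement of the client-supplied-header behaviour would cover the second.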
@@ -37,6 +37,6 @@ Create rewrite URL rules [in the dashboard](/rules/transform/url-rewrite/create- ## Serve images from custom paths -When using Cloudflare Image Optimization, you can use URL rewrites to serve images from a custom path. For more information, refer to [Serve images from custom domains](/images/manage-images/serve-images/serve-from-custom-domains/). +When using Cloudflare Images, you can use URL rewrites to serve images from a custom path. For more information, refer to [Serve images from custom domains](/images/manage-images/serve-images/serve-from-custom-domains/). diff --git a/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx b/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx index 2d3fc454c7ba96..f6de4da0e8bb85 100644 --- a/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx +++ b/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx @@ -16,7 +16,9 @@ Dynamic fields represent computed or derived values, typically related to threat - Access to `cf.bot_management.*` fields requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled. -- Access to `cf.waf.content_scan.*` fields requires a Cloudflare Enterprise plan with [WAF content scanning](/waf/about/content-scanning/) enabled. +- Access to `cf.waf.content_scan.*` fields requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled. + +- Access to fields `cf.waf.auth_detected` and `cf.waf.credential_check.*` depends on your Cloudflare plan and add-ons. For more information, refer to [Leaked credentials detection](/waf/detections/leaked-credentials/). - The `cf.tls_client_auth.*` string fields are only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/). 
@@ -372,7 +374,7 @@ Example: When `true`, the request contains at least one [content object](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/). -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.content_scan.has_malicious_obj` @@ -380,7 +382,7 @@ For more details, refer to [Uploaded content scanning](/waf/about/content-scanni When `true`, the request contains at least one malicious content object. -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.content_scan.num_malicious_obj` @@ -388,7 +390,7 @@ For more details, refer to [Uploaded content scanning](/waf/about/content-scanni The number of malicious content objects detected in the request (zero or greater). -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.content_scan.has_failed` @@ -396,7 +398,7 @@ For more details, refer to [Uploaded content scanning](/waf/about/content-scanni When `true`, the file scanner was unable to scan all the content objects detected in the request. -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.content_scan.num_obj` @@ -404,7 +406,7 @@ For more details, refer to [Uploaded content scanning](/waf/about/content-scanni The number of content objects detected in the request (zero or greater). -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.content_scan.obj_sizes` 
@@ -412,7 +414,7 @@ For more details, refer to [Uploaded content scanning](/waf/about/content-scanni An array of file sizes in bytes, in the order the content objects were detected in the request. -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.content_scan.obj_types` @@ -420,7 +422,7 @@ For more details, refer to [Uploaded content scanning](/waf/about/content-scanni An array of file types in the order the content objects were detected in the request. If Cloudflare cannot determine the file type of a content object, the corresponding value in the `obj_types` array will be `application/octet-stream`. -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.content_scan.obj_results` @@ -428,13 +430,13 @@ For more details, refer to [Uploaded content scanning](/waf/about/content-scanni An array of scan results in the order the content objects were detected in the request. The possible values are: `clean`, `suspicious`, `infected`, and `not scanned`. -For more details, refer to [Uploaded content scanning](/waf/about/content-scanning/). +For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.score` `cf.waf.score` `Number` -A global score from 1 to 99 that combines the score of each WAF attack vector into a single score. This is the standard [WAF attack score](/waf/about/waf-attack-score/) to detect variants of attack patterns. +A global score from 1 to 99 that combines the score of each WAF attack vector into a single score. This is the standard [WAF attack score](/waf/detections/attack-score/) to detect variants of attack patterns. ## `cf.waf.score.sqli` 
@@ -460,6 +462,46 @@ An attack score from 1 to 99 classifying the command injection or Remote Code Ex The attack score class of the current request, based on the WAF attack score. Can have one of the following values: `attack`, `likely_attack`, `likely_clean`, `clean`. +## `cf.waf.auth_detected` + +`cf.waf.auth_detected` `Boolean` + +When `true`, the Cloudflare WAF detected authentication credentials in the request. + +Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled. + +## `cf.waf.credential_check.password_leaked` + +`cf.waf.credential_check.password_leaked` `Boolean` + +When `true`, the password detected in the request was previously leaked. + +Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled. + +## `cf.waf.credential_check.username_leaked` + +`cf.waf.credential_check.username_leaked` `Boolean` + +When `true`, the username detected in the request was previously leaked. + +Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled. + +## `cf.waf.credential_check.username_and_password_leaked` + +`cf.waf.credential_check.username_and_password_leaked` `Boolean` + +When `true`, the authentication credentials detected in the request (username and password pair) were previously leaked. + +Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled. + +## `cf.waf.credential_check.username_password_similar` + +`cf.waf.credential_check.username_password_similar` `Boolean` + +When `true`, a similar version of the username and password credentials detected in the request were previously leaked. + +Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled. + ## `cf.worker.upstream_zone` `cf.worker.upstream_zone` `String` 
diff --git a/src/content/docs/style-guide/documentation-content-strategy/content-types/3rd-party-integration-guide.mdx b/src/content/docs/style-guide/documentation-content-strategy/content-types/3rd-party-integration-guide.mdx index 4c2134221130f3..dcc19cd924adb2 100644 --- a/src/content/docs/style-guide/documentation-content-strategy/content-types/3rd-party-integration-guide.mdx +++ b/src/content/docs/style-guide/documentation-content-strategy/content-types/3rd-party-integration-guide.mdx @@ -1,7 +1,6 @@ --- pcx_content_type: concept title: 3rd-party integration guide - --- ## Purpose @@ -12,7 +11,7 @@ The purpose of a 3rd-party integration guide is to explain how to use a 3rd-part instructional, straightforward -## content\_type +## content_type `integration-guide` @@ -44,10 +43,9 @@ Link out for basic concepts (Regex, JavaScript, web server maintenance). :::caution - Step-by-step instructions of 3rd-party environments are discouraged generally, but acceptable in certain situations. General preference is to link back to an article that someone else maintains. -They easily become out-of-date, especially if we can not access the 3rd-party product +They easily become out-of-date, especially if we can not access the 3rd-party product ::: [**Links**](/style-guide/documentation-content-strategy/component-attributes/links/): May be a bulleted list that references the 3rd-party product or in-text links to the 3rd-party process documentation. @@ -68,10 +66,9 @@ Link to reputable sources within reason. :::note - Screenshots of the 3rd-party product are highly discouraged. It has all the problems of video or screenshot maintenance, but with a much greater risk that something changes and we are not aware of it. -It may become a bigger problem if we can not access the 3rd-party product. +It may become a bigger problem if we can not access the 3rd-party product. ::: ## Templates 
@@ -138,17 +135,17 @@ Prerequisites **3rd-party integration in the Cloudflare dashboard**: -* [Enable Logpush to Sumo Logic](/logs/get-started/enable-destinations/sumo-logic/) -* [Device Posture - Carbon Black](/cloudflare-one/identity/devices/warp-client-checks/carbon-black/) +- [Enable Logpush to Sumo Logic](/logs/get-started/enable-destinations/sumo-logic/) +- [Device Posture - Carbon Black](/cloudflare-one/identity/devices/warp-client-checks/carbon-black/) **Linking to external documentation**: -* [GitHub SMS notifications using Twilio](/workers/tutorials/github-sms-notifications-using-twilio/#sending-a-text-with-twilio) +- [GitHub SMS notifications using Twilio](/workers/tutorials/github-sms-notifications-using-twilio/#sending-a-text-with-twilio) (Discouraged but acceptable scenario) **How to with instructions in 3rd-party environment and within Cloudflare dashboard**: -* [IDP integration - Microsoft Azure AD](/cloudflare-one/identity/idp-integration/azuread/) -* [Managed deployment - Partners - Jamf](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/partners/jamf/) +- [IDP integration - Microsoft Entra ID (formerly Azure Active Directory)](/cloudflare-one/identity/idp-integration/entra-id/) +- [Managed deployment - Partners - Jamf](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/partners/jamf/) ### Additional information @@ -160,6 +157,6 @@ We publish with the expectation of maintenance. If you want to publish something ### Products where we frequently see 3rd-party information -* [Workers](/workers/tutorials/) -* [Zero Trust](/cloudflare-one/identity/idp-integration/) -* [Analytics](/analytics/analytics-integrations/) +- [Workers](/workers/tutorials/) +- [Zero Trust](/cloudflare-one/identity/idp-integration/) +- [Analytics](/analytics/analytics-integrations/) 
diff --git a/src/content/docs/style-guide/documentation-content-strategy/content-types/concept.mdx b/src/content/docs/style-guide/documentation-content-strategy/content-types/concept.mdx index aac422db96b8b3..b9fb73cc9d6f54 100644 --- a/src/content/docs/style-guide/documentation-content-strategy/content-types/concept.mdx +++ b/src/content/docs/style-guide/documentation-content-strategy/content-types/concept.mdx @@ -1,7 +1,6 @@ --- pcx_content_type: concept title: Concept - --- ## Purpose @@ -12,7 +11,7 @@ The purpose of a concept is to provide conceptual or descriptive information so instructional, descriptive, approachable, supportive -## content\_type +## content_type `concept` @@ -51,6 +50,6 @@ Do not recreate information that's already available online. Instead, consider w [Load Balancing](/load-balancing/) -[WAF](/waf/about/) +[WAF](/waf/) [Magic Transit](/magic-transit/about/) diff --git a/src/content/docs/style-guide/frontmatter/index.mdx b/src/content/docs/style-guide/frontmatter/index.mdx index 0d0676ce78ae7b..5841b7a844333e 100644 --- a/src/content/docs/style-guide/frontmatter/index.mdx +++ b/src/content/docs/style-guide/frontmatter/index.mdx @@ -4,9 +4,6 @@ description: | You can customize individual Markdown and MDX pages in Starlight by setting values in their frontmatter. For example, a regular page might set title and description fields. sidebar: - badge: - variant: tip - text: New! order: 3 banner: content: | @@ -25,10 +22,7 @@ description: | You can customize individual Markdown and MDX pages in Starlight by setting values in their frontmatter. For example, a regular page might set title and description fields. sidebar: - label: Overview - badge: - variant: tip - text: New! + order: 3 banner: content: |

Hello, world!

diff --git a/src/content/docs/style-guide/frontmatter/sidebar.mdx b/src/content/docs/style-guide/frontmatter/sidebar.mdx index 029f62c5fb6e7f..2624754b08b001 100644 --- a/src/content/docs/style-guide/frontmatter/sidebar.mdx +++ b/src/content/docs/style-guide/frontmatter/sidebar.mdx @@ -157,3 +157,40 @@ Since these pages are still accessible via other links and directly navigating t ### Hiding child pages of a group To make a group render as if it was a single page, which links to the index page, use the top-level `hideChildren` property. + +## Badges + +### Links + +To specify a badge next to the link, use the `sidebar.badge` property. + +```mdx title="/src/content/docs/examples/example.mdx" +--- +title: Example +sidebar: + badge: New! +--- +``` + + +- Examples + - Example [New!] + + +### Groups + +To specify a badge next to the group label, use the `sidebar.group.badge` inside the group's `index.mdx` frontmatter. + +```mdx title="/src/content/docs/examples/index.mdx" +--- +title: Examples +sidebar: + group: + badge: New! +--- +``` + + +- Examples [New!] + - Example + \ No newline at end of file diff --git a/src/content/docs/waf/analytics/security-analytics.mdx b/src/content/docs/waf/analytics/security-analytics.mdx index 18b2ef76e97cf5..6a139a202d902c 100644 --- a/src/content/docs/waf/analytics/security-analytics.mdx +++ b/src/content/docs/waf/analytics/security-analytics.mdx 
@@ -5,33 +5,35 @@ sidebar: order: 1 --- -import { GlossaryTooltip, Badge } from "~/components"; +import { FeatureTable, GlossaryTooltip, Badge } from "~/components"; Security Analytics displays information about all incoming HTTP requests for your domain, including requests not handled by Cloudflare security products. -:::note -Available to customers on Business and Enterprise plans. -::: - Use the Security Analytics dashboard to: - View the traffic distribution for your domain. - Understand which traffic is being mitigated by Cloudflare security products, and where non-mitigated traffic is being served from (Cloudflare global network or origin server). - Analyze suspicious traffic and create tailored WAF custom rules based on applied filters. -- Learn more about Cloudflare’s security scores (attack score, [bot score](/bots/concepts/bot-score/), [uploaded content scanning](/waf/about/content-scanning/) results) with real data. +- Learn more about Cloudflare's security scores (attack score, [bot score](/bots/concepts/bot-score/), [malicious uploads](/waf/detections/malicious-uploads/), and [leaked credentials](/waf/detections/leaked-credentials/) results) with real data. - [Find an appropriate rate limit](/waf/rate-limiting-rules/find-rate-limit/) for incoming traffic. If you need to modify existing security-related rules you already configured, consider also using the [Security Events](/waf/analytics/security-events/) dashboard. This dashboard displays information about requests affected by Cloudflare security products. +## Availability + +Zone/domain-level analytics are included with all plans, though the retention period, query window, displayed statistics, and filter options vary by plan. Account-level analytics are only available to customers on Business and Enterprise domain plans. + + + ## Access To use Security Analytics: 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account. -2. 
Go to the account or zone dashboard: +2. Go to the account or zone/domain dashboard: - - For the zone dashboard, select your domain and go to **Security** > **Analytics**. + - For the zone/domain dashboard, select your domain and go to **Security** > **Analytics**. - For the account dashboard, go to **Security Center** > **Security Analytics**. ## Adjusting displayed data 
@@ -90,9 +92,9 @@ To apply the filters for an insight to the data displayed in the Security Analyt ### Score-based analyses -The **Attack likelihood**, **Bot likelihood**, and **Malicious uploads** sections display statistics related to WAF attack scores, bot scores, and WAF content scanning scores of incoming requests for the selected time frame. +The **Attack likelihood**, **Bot likelihood**, **Malicious uploads**, and **Account abuse likelihood** sections display statistics related to WAF attack scores, bot scores, WAF content scanning scores, and leaked credentials scanning of incoming requests for the selected time frame. All plans include access to the **Leaked Credentials Check** under **Account Abuse Likelihood**. This feature detects login attempts using credentials that have been exposed online. For more information on what to do if you have credentials that have been leaked, refer to the [mitigation examples page](/waf/detections/leaked-credentials/examples/). -You can examine different traffic segments according to the current metric (attack, bot, or content scanning). To apply score filters for different segments, select the buttons below the traffic chart. For example, select **Likely attack** under **Attack likelihood** to filter requests that are likely an attack (requests with WAF attack score values between 21 and 50). +You can examine different traffic segments according to the current metric (attack score, bot score, or content scanning). To apply score filters for different segments, select the buttons below the traffic chart. For example, select **Likely attack** under **Attack likelihood** to filter requests that are likely an attack (requests with WAF attack score values between 21 and 50). Additionally, you can use the slider tool below the chart to filter incoming requests according to the current metric. This allows you to filter traffic groups outside the predefined segments. 
@@ -106,7 +108,7 @@ The main chart displays the following data for the selected time frame, accordin - **Served by Cloudflare**: Requests served by the Cloudflare global network such as cached content and redirects. - **Served by origin**: Requests served by your origin server. -- **Attack likelihood**: [WAF attack score](/waf/about/waf-attack-score/) analysis of incoming requests, classifying them as _Clean_, _Likely clean_, _Likely attack_, or _Attack_. +- **Attack likelihood**: [WAF attack score](/waf/detections/attack-score/) analysis of incoming requests, classifying them as _Clean_, _Likely clean_, _Likely attack_, or _Attack_. - **Bot likelihood**: [Bot score](/bots/concepts/bot-score/) analysis of incoming requests, classifying them as _Automated_, _Likely automated_, or _Likely human_. @@ -159,6 +161,6 @@ You can switch to [Log Explorer](/logs/log-explorer/) to dive deeper on your ana Currently, changing the time frame or the applied filters while showing raw logs may cause the Cloudflare dashboard to switch automatically to sampled logs. This happens if the total number of request logs for the selected time frame is high. ::: -## Final remarks +## Sampling The Security Analytics dashboard uses [sampled data](/analytics/graphql-api/sampling/), except when showing raw logs. Most information in the dashboard is obtained from `httpRequestsAdaptiveGroups` and `httpRequestsAdaptive` GraphQL nodes. For more information on working directly with GraphQL datasets, refer to [Datasets (tables)](/analytics/graphql-api/features/data-sets/). diff --git a/src/content/docs/waf/about/index.mdx b/src/content/docs/waf/concepts.mdx similarity index 53% rename from src/content/docs/waf/about/index.mdx rename to src/content/docs/waf/concepts.mdx index 4064e7005f7369..efec5d9281931e 100644 --- a/src/content/docs/waf/about/index.mdx +++ b/src/content/docs/waf/concepts.mdx 
@@ -25,18 +25,19 @@ A [ruleset](/ruleset-engine/about/rulesets/) is an ordered set of rules that you The Cloudflare WAF includes: - [Managed Rules](/waf/managed-rules/) (for example, the [Cloudflare Managed Ruleset](/waf/managed-rules/reference/cloudflare-managed-ruleset/)), which are signature-based rules created by Cloudflare that provide immediate protection against known attacks. -- [Traffic detections](#available-traffic-detections) (for example, bot score and attack score) that enrich requests with metadata. +- [Traffic detections](/waf/detections/) (for example, bot score and attack score) that enrich requests with metadata. - User-defined rules for your specific needs, including [custom rules](/waf/custom-rules/) and rate limiting rules. ## Detection versus mitigation The two main roles of the Cloudflare WAF are the following: -- **Detection**: Run incoming requests through one or more [traffic detections](#available-traffic-detections) to find malicious or potentially malicious activity. The scores from enabled detections are available in the [Security Analytics](/waf/analytics/security-analytics/) dashboard, where you can analyze your security posture and determine the most appropriate mitigation rules. +- **Detection**: Run incoming requests through one or more [traffic detections](/waf/detections/) to find malicious or potentially malicious activity. The scores from enabled detections are available in the [Security Analytics](/waf/analytics/security-analytics/) dashboard, where you can analyze your security posture and determine the most appropriate mitigation rules. -- **Mitigation**: Blocks, challenges, or throttles requests through different [mitigation features](#waf-mitigation-features) such as custom rules, WAF Managed Rules, and rate limiting rules. Rules that mitigate traffic can include scores from traffic scans in their expressions to better address possibly malicious requests. 
+- **Mitigation**: Blocks, challenges, or throttles requests through different mitigation features such as [custom rules](/waf/custom-rules/), [Managed Rules](/waf/managed-rules/), and [rate limiting rules](/waf/rate-limiting-rules/). Rules that mitigate traffic can include scores from traffic scans in their expressions to better address possibly malicious requests. + +:::caution[Warning] -:::caution Enabling traffic detections will not apply any mitigation measures to incoming traffic; detections only provide signals that you can use to define your attack mitigation strategy. ::: 
@@ -44,26 +45,16 @@ Enabling traffic detections will not apply any mitigation measures to incoming t The WAF currently provides the following detections for finding security threats in incoming requests: -- [**Bots**](/bots/reference/bot-management-variables/#ruleset-engine-fields): Scores traffic on a scale from 1 (likely to be a bot) to 99 (likely to be human). -- [**Attacks**](/waf/about/waf-attack-score/): Checks for known attack variations and malicious payloads. Scores traffic on a scale from 1 (likely to be malicious) to 99 (unlikely to be malicious). -- [**Malicious uploads**](/waf/about/content-scanning/): Scans content objects, such as uploaded files, for malicious signatures like malware. +- [**Bot score**](/bots/concepts/bot-score/): Scores traffic on a scale from 1 (likely to be a bot) to 99 (likely to be human). +- [**Attack score**](/waf/detections/attack-score/): Checks for known attack variations and malicious payloads. Scores traffic on a scale from 1 (likely to be malicious) to 99 (unlikely to be malicious). +- [**Malicious uploads**](/waf/detections/malicious-uploads/): Scans content objects, such as uploaded files, for malicious signatures like malware. To enable traffic detections in the Cloudflare dashboard, go to your domain > **Security** > **Settings**. :::note -Currently, you cannot manage the [Bots](/bots/reference/bot-management-variables/#ruleset-engine-fields) and [Attacks](/waf/about/waf-attack-score/) detections from the **Security** > **Settings** page. Refer to the documentation of each feature for availability details. +Currently, you cannot manage the [bot score](/bots/concepts/bot-score/) and [attack score](/waf/detections/attack-score/) detections from the **Security** > **Settings** page. Refer to the documentation of each feature for availability details. 
::: -### WAF mitigation features - -The WAF provides the following mitigation features for traffic posing as a security threat: - -- [**Custom rules**](/waf/custom-rules/): Allow you to control incoming traffic by filtering requests to a zone. You can perform actions like Block or Managed Challenge on incoming requests according to rules you define. -- [**Rate limiting rules**](/waf/rate-limiting-rules/): Allow you to define rate limits for requests matching an expression, and the action to perform when those rate limits are reached. -- [**Managed rules**](/waf/managed-rules/): Allow you to deploy pre-configured managed rulesets that provide immediate protection against common attacks. - -To configure these mitigation features in the Cloudflare dashboard, go to your domain > **Security** > **WAF**. - --- ## Rule execution order diff --git a/src/content/docs/waf/custom-rules/index.mdx b/src/content/docs/waf/custom-rules/index.mdx index ffd2b83081a050..d446a1cbda7300 100644 --- a/src/content/docs/waf/custom-rules/index.mdx +++ b/src/content/docs/waf/custom-rules/index.mdx 
@@ -2,27 +2,26 @@ pcx_content_type: concept title: Custom rules sidebar: - order: 4 - + order: 5 --- -Custom rules allow you to control incoming traffic by filtering requests to a zone. You can perform actions like *Block* or *Managed Challenge* on incoming requests according to rules you define. +Custom rules allow you to control incoming traffic by filtering requests to a zone. You can perform actions like _Block_ or _Managed Challenge_ on incoming requests according to rules you define. Like other rules evaluated by Cloudflare's [Ruleset Engine](/ruleset-engine/), custom rules have the following basic parameters: -* An [expression](/ruleset-engine/rules-language/expressions/) that specifies the criteria you are matching traffic on using the [Rules language](/ruleset-engine/rules-language/). -* An [action](/ruleset-engine/rules-language/actions/) that specifies what to perform when there is a match for the rule. +- An [expression](/ruleset-engine/rules-language/expressions/) that specifies the criteria you are matching traffic on using the [Rules language](/ruleset-engine/rules-language/). +- An [action](/ruleset-engine/rules-language/actions/) that specifies what to perform when there is a match for the rule. -Custom rules are evaluated in order, and some actions like *Block* will stop the evaluation of other rules. For more details on actions and their behavior, refer to the [actions reference](/ruleset-engine/rules-language/actions/). +Custom rules are evaluated in order, and some actions like _Block_ will stop the evaluation of other rules. For more details on actions and their behavior, refer to the [actions reference](/ruleset-engine/rules-language/actions/). :::note[Did you migrate from Cloudflare Firewall Rules?] -Refer to the [migration guide](/waf/reference/migration-guides/firewall-rules-to-custom-rules/#main-differences) to learn more about the differences between firewall rules and custom rules. 
+Refer to the [migration guide](/waf/reference/migration-guides/firewall-rules-to-custom-rules/#main-differences) to learn more about the differences between firewall rules and custom rules. ::: To define sets of custom rules that apply to more than one zone, use [custom rulesets](/waf/custom-rules/custom-rulesets/), which require an Enterprise plan with a paid add-on. -*** +--- ## Next steps diff --git a/src/content/docs/waf/about/waf-attack-score.mdx b/src/content/docs/waf/detections/attack-score.mdx similarity index 83% rename from src/content/docs/waf/about/waf-attack-score.mdx rename to src/content/docs/waf/detections/attack-score.mdx index b52d2df2f66e2f..08fc433ec13c70 100644 --- a/src/content/docs/waf/about/waf-attack-score.mdx +++ b/src/content/docs/waf/detections/attack-score.mdx 
@@ -3,20 +3,20 @@ title: WAF attack score pcx_content_type: concept sidebar: order: 2 + label: Attack score --- import { GlossaryTooltip } from "~/components"; -WAF attack score is a feature that complements [WAF Managed Rules](/waf/managed-rules/). +The attack score [traffic detection](/waf/concepts/#detection-versus-mitigation) helps identify variations of known attacks and their malicious payloads. This detection complements [WAF Managed Rules](/waf/managed-rules/). WAF's managed rulesets contain rules that are continuously updated to better detect malicious payloads. They target specific patterns of established attack vectors and have a very low rate of false positives. However, managed rulesets are not optimized for attacks based on variations of the original signature introduced, for example, by fuzzing techniques. -WAF attack score allows you to identify these attack variations and their malicious payloads. It classifies each request using a machine learning algorithm, assigning an attack score from 1 to 99 based on the likelihood that the request is malicious. Just like [Bot Management](/bots/plans/bm-subscription/), you can use this score to identify potentially malicious traffic that is not an exact match to any of the rules in WAF Managed Rules. +Attack score allows you to identify these attack variations and their malicious payloads. It classifies each request using a machine learning algorithm, assigning an attack score from 1 to 99 based on the likelihood that the request is malicious. Just like [Bot Management](/bots/plans/bm-subscription/), you can use this score to identify potentially malicious traffic that is not an exact match to any of the rules in WAF Managed Rules. -To maximize protection, Cloudflare recommends that you use both Managed Rules and WAF attack score. +To maximize protection, Cloudflare recommends that you use both Managed Rules and attack score. :::note - This feature is available to Enterprise customers. 
Business plans have access to a single field (WAF Attack Score Class). ::: @@ -32,7 +32,7 @@ The Cloudflare WAF provides the following attack scores: | WAF RCE Attack Score | Enterprise | Remote Code Execution (RCE) | [`cf.waf.score.rce`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscorerce) | | WAF Attack Score Class | Business | N/A (global classification) | [`cf.waf.score.class`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscoreclass) | -You can use the fields for these scores in expressions of [custom rules](/waf/custom-rules/) and [rate limiting rules](/waf/rate-limiting-rules/) where: +You can use these fields in expressions of [custom rules](/waf/custom-rules/) and [rate limiting rules](/waf/rate-limiting-rules/) where: - A score of `1` indicates that the request is almost certainly malicious. - A score of `99` indicates that the request is likely clean. @@ -55,7 +55,7 @@ Attack score automatically detects and decodes Base64, JavaScript (Unicode escap --- -## Start using the WAF attack score +## Start using WAF attack score ### 1. Create a custom rule diff --git a/src/content/docs/waf/detections/index.mdx b/src/content/docs/waf/detections/index.mdx new file mode 100644 index 00000000000000..f311d6ee355800 --- /dev/null +++ b/src/content/docs/waf/detections/index.mdx 
@@ -0,0 +1,41 @@
+---
+pcx_content_type: concept
+title: Traffic detections
+sidebar:
+ order: 4
+head:
+ - tag: title
+ content: Traffic detections
+---
+
+import { DirectoryListing, FeatureTable } from "~/components";
+
+WAF traffic detections check incoming requests for malicious or potentially malicious activity. Each enabled detection provides one or more scores — available in the [Security Analytics](/waf/analytics/security-analytics/) dashboard — that you can use in WAF rule expressions.
+
+The WAF currently provides the following detections for finding security threats in incoming requests:
+
+
+
+## Availability
+
+
+
+For more information on bot score, refer to the [Bots documentation](/bots/concepts/bot-score/).
+
+## Turn on a detection
+
+To turn on a traffic detection:
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
+2. Go to **Security** > **Settings**.
+3. Under **Incoming traffic detections**, turn on the desired detections.
+
+Enabled detections will run for all incoming traffic.
+
+:::note
+Currently, you cannot manage the [bot score](/bots/concepts/bot-score/) and [attack score](/waf/detections/attack-score/) detections from the **Security** > **Settings** page. Refer to the documentation of each feature for availability details.
+:::
+
+## More resources
+
+For more information on detection versus mitigation, refer to [Concepts](/waf/concepts/#detection-versus-mitigation).
diff --git a/src/content/docs/waf/detections/leaked-credentials/api-calls.mdx b/src/content/docs/waf/detections/leaked-credentials/api-calls.mdx
new file mode 100644
index 00000000000000..3f20577c6a5f37
--- /dev/null
+++ b/src/content/docs/waf/detections/leaked-credentials/api-calls.mdx
@@ -0,0 +1,123 @@
+---
+title: Common API calls
+pcx_content_type: configuration
+sidebar:
+ order: 3
+head:
+ - tag: title
+ content: Common API calls | Leaked credentials detection
+---
+
+## Required API token permissions
+
+The API token used in API requests to manage the leaked credentials detection and custom detection locations must have one of the following [permissions](/fundamentals/api/reference/permissions/):
+
+- Zone WAF Edit
+- Account WAF Edit
+
+---
+
+## General operations
+
+The following API examples cover basic operations such as enabling and disabling the leaked credentials detection.
+
+### Turn on leaked credentials detection
+
+To turn on leaked credentials detection, use a `POST` request similar to the following:
+
+```bash
+curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks" \
+--header "X-Auth-Email: " \
+--header "X-Auth-Key: " \
+--header "Content-Type: application/json" \
+--data '{ "enabled": true }'
+```
+
+### Turn off leaked credentials detection
+
+To turn off leaked credentials detection, use a `POST` request similar to the following:
+
+```bash
+curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks" \
+--header "X-Auth-Email: " \
+--header "X-Auth-Key: " \
+--header "Content-Type: application/json" \
+--data '{ "enabled": false }'
+```
+
+### Get status of leaked credentials detection
+
+To obtain the current status of the leaked credentials detection, use a `GET` request similar to the following:
+
+```bash
+curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks" \
+--header "X-Auth-Email: " \
+--header "X-Auth-Key: "
+```
+
+```json output
+{
+ "result": {
+ "enabled": true
+ },
+ "success": true,
+ "errors": [],
+ "messages": []
+}
+```
+
+## Custom detection location operations
+
+The following API examples cover operations on custom detection locations for leaked credentials detection.
+
+### Get existing custom detection locations
+
+To get a list of existing custom detection locations, use a `GET` request similar to the following:
+
+```bash
+curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks/detections" \
+--header "X-Auth-Email: " \
+--header "X-Auth-Key: "
+```
+
+```json output
+{
+ "result": [
+ {
+ "id": "",
+ "username": "lookup_json_string(http.request.body.raw, \"user\")",
+ "password": "lookup_json_string(http.request.body.raw, \"secret\")"
+ }
+ // (...)
+ ],
+ "success": true,
+ "errors": [],
+ "messages": []
+}
+```
+
+### Add a custom detection location
+
+Use a `POST` request similar to the following:
+
+```bash
+curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks/detections" \
+--header "X-Auth-Email: " \
+--header "X-Auth-Key: " \
+--header "Content-Type: application/json" \
+--data '{
+ "username": "lookup_json_string(http.request.body.raw, \"user\")",
+ "password": "lookup_json_string(http.request.body.raw, \"secret\")"
+}'
+```
+
+### Delete a custom detection location
+
+Use a `DELETE` request similar to the following:
+
+```bash
+curl --request DELETE \
+"https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks/detections/{item_id}" \
+--header "X-Auth-Email: " \
+--header "X-Auth-Key: "
+```
diff --git a/src/content/docs/waf/detections/leaked-credentials/examples.mdx b/src/content/docs/waf/detections/leaked-credentials/examples.mdx
new file mode 100644
index 00000000000000..e10ac2950f77a6
--- /dev/null
+++ b/src/content/docs/waf/detections/leaked-credentials/examples.mdx
@@ -0,0 +1,59 @@
+---
+title: Mitigation examples
+pcx_content_type: configuration
+sidebar:
+ order: 4
+ label: Mitigation examples
+head:
+ - tag: title
+ content: Leaked credentials mitigation examples
+description: Examples of rules for mitigating requests containing leaked credentials.
+---
+
+import { Example } from "~/components";
+
+## Rate limit suspicious logins with leaked credentials
+
+:::note
+Access to the `cf.waf.credential_check.username_and_password_leaked` field requires a Pro plan or above.
+:::
+
+Create a [rate limiting rule](/waf/rate-limiting-rules/) using [account takeover (ATO) detection](/bots/concepts/detection-ids/#account-takeover-detections) and leaked credentials fields to limit volumetric attacks from particular IP addresses, JA4 Fingerprints, or countries.
+
+The following example rule applies rate limiting to requests with a specific [ATO detection ID](/bots/concepts/detection-ids/#account-takeover-detections) (corresponding to `Observes all login traffic to the zone`) that contain a previously leaked username and password:
+
+
+
+**When incoming requests match**:
+`(any(cf.bot_management.detection_ids[*] eq 201326593 and cf.waf.credential_check.username_and_password_leaked))`
+
+**With the same characteristics**: _IP_
+
+When rate exceeds:
+
+- **Requests**: `5`
+- **Period**: _1 minute_
+
+
+
+## Challenge requests containing leaked credentials
+
+:::note
+Access to the _User and Password Leaked_ (`cf.waf.credential_check.username_and_password_leaked`) field requires a Pro plan or above.
+:::
+
+Create a [custom rule](/waf/custom-rules/) that challenges requests containing a previously leaked set of credentials (username and password).
+
+- **Expression**: If you use the Expression Builder, configure the following expression:
+
+ | Field | Operator | Value |
+ | ------------------------ | -------- | ----- |
+ | User and Password Leaked | equals | True |
+
+ If you use the Expression Editor, enter the following expression:
+
+ ```txt
+ (cf.waf.credential_check.username_and_password_leaked)
+ ```
+
+- **Action**: _Managed Challenge_
diff --git a/src/content/docs/waf/detections/leaked-credentials/get-started.mdx b/src/content/docs/waf/detections/leaked-credentials/get-started.mdx
new file mode 100644
index 00000000000000..2eeda618ab7ef7
--- /dev/null
+++ b/src/content/docs/waf/detections/leaked-credentials/get-started.mdx
@@ -0,0 +1,171 @@
+---
+title: Get started
+pcx_content_type: get-started
+sidebar:
+ order: 2
+head:
+ - tag: title
+ content: Get started with leaked credentials detection
+---
+
+import { TabItem, Tabs, Details } from "~/components";
+
+## 1. Turn on leaked credentials detection
+
+On Free plans, the leaked credentials detection is enabled by default, and no action is required. On paid plans, you can turn on the detection in the Cloudflare dashboard or via API.
+
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
+2. Go to **Security** > **Settings**.
+3. Under **Incoming traffic detections**, turn on **Leaked credentials**.
+
+
+
+Enable the feature using a `POST` request similar to the following:
+
+```bash
+curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks" \
+--header "X-Auth-Email: " \
+--header "X-Auth-Key: " \
+--header "Content-Type: application/json" \
+--data '{ "enabled": true }'
+```
+
+
+
+:::note
+To achieve optimal latency performance, Cloudflare recommends that you turn off [Exposed Credentials Checks](/waf/managed-rules/reference/exposed-credentials-check/) (a previous implementation) after turning on leaked credentials detection and setting up your mitigation strategy as described in the next steps.
+:::
+
+## 2. Validate the leaked credentials detection behavior
+
+Use [Security Analytics](/waf/analytics/security-analytics/) and HTTP logs to validate that the WAF is correctly detecting leaked credentials in incoming requests.
+
+Refer to [Test your configuration](#test-your-configuration) for more information on the test credentials you can use to validate your configuration.
+
+Alternatively, create a WAF custom rule like the one described in the next step using a _Log_ action (only available to Enterprise customers). This rule will generate firewall events (available in **Security** > **Events**) that will allow you to validate your configuration.
+
+## 3. Mitigate requests with leaked credentials
+
+If you are on a Free plan, deploy the suggested [rate limiting rule](/waf/rate-limiting-rules/) template available in **WAF** > **Rate limiting rules**. When you deploy a rule using this template, you get instant protection against IPs attempting to access your application with a leaked password more than five times per 10 seconds. This rule can delay attacks by blocking them for a period of time. Alternatively, you can create a custom rule.
+
+Paid plans have access to more granular controls when creating a WAF rule. If you are on a paid plan, create a [custom rule](/waf/custom-rules/) that challenges requests containing leaked credentials:
+
+| Field | Operator | Value |
+| ------------------------ | -------- | ----- |
+| User and Password Leaked | equals | True |
+
+If you use the Expression Editor, enter the following expression:
+
+```txt
+(cf.waf.credential_check.username_and_password_leaked)
+```
+
+Rule action: _Managed Challenge_
+
+This rule will match requests where the WAF detects a previously leaked set of credentials (username and password). For a list of fields provided by leaked credentials detection, refer to [Leaked credentials fields](/waf/detections/leaked-credentials/#leaked-credentials-fields).
+
+
+
+You can combine the previous expression with other [fields](/ruleset-engine/rules-language/fields/) and [functions](/ruleset-engine/rules-language/functions/) of the Rules language. This allows you to customize the rule scope or combine leaked credential checking with other security features. For example:
+
+- The following expression will match requests containing leaked credentials addressed at an authentication endpoint:
+
+ | Field | Operator | Value | Logic |
+ | ------------------------ | -------- | ------------------ | ----- |
+ | User and Password Leaked | equals | True | And |
+ | URI Path | contains | `/admin/login.php` | |
+
+ Expression when using the editor:
+ `(cf.waf.credential_check.username_and_password_leaked and http.request.uri.path contains "/admin/login.php")`
+
+- The following expression will match requests coming from bots that include authentication credentials:
+
+ | Field | Operator | Value | Logic |
+ | ----------------------- | --------- | ----- | ----- |
+ | Authentication detected | equals | True | And |
+ | Bot Score | less than | `10` | |
+
+ Expression when using the editor:
+ `(cf.waf.auth_detected and cf.bot_management.score lt 10)`
+
+
+
+For additional examples, refer to [Mitigation examples](/waf/detections/leaked-credentials/examples/).
+
+### Handle detected leaked credentials at the origin server
+
+Additionally, you may want to handle leaked credentials detected by Cloudflare at your origin server.
+
+1. Turn on the [**Add Leaked Credentials Checks Header** managed transform](/rules/transform/managed-transforms/reference/#add-leaked-credentials-checks-header).
+
+2. For requests received at your origin server containing the `Exposed-Credential-Check` header, you could redirect your end users to your reset password page when detecting previously leaked credentials.
+
+## 4. (Optional) Configure a custom detection location
+
+To check for leaked credentials in a way that is not covered by the default configuration, add a custom detection location.
+
+
+
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and domain.
+2. Go to **Security** > **Settings**.
+3. Under **Incoming traffic detections**, select **Leaked credentials** and then select the three dots to add a custom detection.
+4. In **Username location**, enter an expression for obtaining the username in the HTTP request. For example:
+
+ ```txt
+ lookup_json_string(http.request.body.raw, "user")
+ ```
+
+5. In **Password location**, enter an expression for obtaining the password in the HTTP request. For example:
+
+ ```txt
+ lookup_json_string(http.request.body.raw, "secret")
+ ```
+
+6. Select **Save**.
+
+
+
+Use a `POST` request similar to the following:
+
+```bash
+curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/leaked-credential-checks/detections" \
+--header "X-Auth-Email: " \
+--header "X-Auth-Key: " \
+--header "Content-Type: application/json" \
+--data '{
+ "username": "lookup_json_string(http.request.body.raw, \"user\")",
+ "password": "lookup_json_string(http.request.body.raw, \"secret\")"
+}'
+```
+
+This pair of lookup expressions (for username and password) will scan incoming HTTP requests containing a JSON body with a structure similar to the following:
+
+```js
+{"user": "", "secret": ""}
+```
+
+
+
+You only need to provide an expression for the username in custom detection locations.
+
+---
+
+## Test your configuration
+
+Cloudflare provides a special set of case-sensitive credentials for testing the configuration of the leaked credentials detection.
+
+After enabling and configuring the detection, you can use the credentials mentioned in this section in your test HTTP requests.
+
+Test credentials for users on a Free plan (will also work in paid plans):
+
+- Username: `CF_LEAKED_USERNAME_FREE`
+- Password: `CF_LEAKED_PASSWORD`
+
+Test credentials for users on paid plans (will not work on Free plans):
+
+- Username: `CF_EXPOSED_USERNAME` or `CF_EXPOSED_USERNAME@example.com`
+- Password: `CF_EXPOSED_PASSWORD`
+
+The Cloudflare WAF considers these specific credentials as having been previously leaked. Use them in your tests to check the behavior of your current configuration.
diff --git a/src/content/docs/waf/detections/leaked-credentials/index.mdx b/src/content/docs/waf/detections/leaked-credentials/index.mdx
new file mode 100644
index 00000000000000..f8330909f10d4c
--- /dev/null
+++ b/src/content/docs/waf/detections/leaked-credentials/index.mdx
@@ -0,0 +1,97 @@
+---
+title: Leaked credentials detection
+pcx_content_type: concept
+sidebar:
+ order: 3
+ group:
+ label: Leaked credentials
+---
+
+The leaked credentials [traffic detection](/waf/detections/) scans incoming requests for previously leaked credentials (usernames and passwords) previously leaked from data breaches.
+
+## How it works
+
+Once enabled, leaked credentials detection will scan incoming HTTP requests for known authentication patterns from common web apps and any custom detection locations you configure.
+
+If Cloudflare detects authentication credentials in the request, those credentials are checked against a list of known leaked credentials. This list of credentials consists of Cloudflare-collected credentials, in addition to the [Have I been Pwned (HIBP)](https://haveibeenpwned.com) matched passwords dataset.
+
+Cloudflare will populate the existing [leaked credentials fields](#leaked-credentials-fields) based on the scan results. You can check these results in the Security Analytics dashboard, and use these fields in rule expressions ([custom rules](/waf/custom-rules/) or [rate limiting rules](/waf/rate-limiting-rules/)) to protect your application against the usage of compromised credentials by your end users, and also against leaked credential attacks.
+
+In addition, leaked credentials detection provides a [managed transform](/rules/transform/managed-transforms/reference/#add-leaked-credentials-checks-header) that adds an `Exposed-Credential-Check` request header with a value indicating which field was leaked. For example, if both username and password were previously leaked, the header value will be `1`; if only the password was leaked, the value will be `4`.
+
+One common approach used in web applications when detecting the use of stolen credentials is to warn end users about the situation and ask them to update their password. You can do this based on the managed header received at your origin server.
+
+:::note
+Cloudflare may detect leaked credentials either because an attacker is performing a credential stuffing attack or because a legitimate end user is reusing a previously leaked password.
+:::
+
+## Availability
+
+For details on available features per plan, refer to [Availability](/waf/detections/#availability) in the traffic detections page.
+
+## Default scan locations
+
+Leaked credentials detection includes rules for identifying credentials in HTTP requests for the following well-known web applications:
+
+- Drupal
+- Joomla
+- Ghost
+- Magento
+- Plone
+- WordPress
+- Microsoft Exchange OWA
+
+Additionally, the scan includes generic rules for other common web authentication patterns.
+
+You can also configure custom detection locations to address the specific authentication mechanism used in your web applications. A custom detection location tells the Cloudflare WAF where to find usernames and passwords in HTTP requests of your web application.
+
+## Custom detection locations
+
+:::note
+Only available for Enterprise customers.
+:::
+
+Sometimes, you may wish to specify where to find credentials in HTTP requests for the specific case of your web applications.
+
+For example, if the JSON body of an HTTP authenticating a user looked like the following in your web application:
+
+```json
+{ "user": "", "secret": "" }
+```
+
+You could configure a custom detection location with the following settings:
+
+- Custom location for username:
+ `lookup_json_string(http.request.body.raw, "user")`
+- Custom location for password:
+ `lookup_json_string(http.request.body.raw, "secret")`
+
+When specifying a custom detection location, only the location of the username field is required.
+
+Expressions used to specify custom detection locations can include the following fields and functions:
+
+- Fields:
+ - [`http.request.body.raw`](/ruleset-engine/rules-language/fields/http-request-body/#httprequestbodyraw)
+ - [`http.request.headers`](/ruleset-engine/rules-language/fields/http-request-header/#httprequestheaders)
+ - [`http.request.uri.query`](/ruleset-engine/rules-language/fields/standard-fields/#httprequesturiquery)
+- Functions:
+ - [`lookup_json_string()`](/ruleset-engine/rules-language/functions/#lookup_json_string)
+ - [`lower()`](/ruleset-engine/rules-language/functions/#lower)
+
+For instructions on configuring a custom detection location, refer to [Get started](/waf/detections/leaked-credentials/get-started/#4-optional-configure-a-custom-detection-location).
+
+## Leaked credentials fields
+
+| Field name in the dashboard | Field | Availability |
+| --------------------------- | ----------------------------------------------------------- | ------------------ |
+| Password Leaked | [`cf.waf.credential_check.password_leaked`][1] | All plans |
+| User and Password Leaked | [`cf.waf.credential_check.username_and_password_leaked`][2] | Pro plan and above |
+| Username Leaked | [`cf.waf.credential_check.username_leaked`][3] | Enterprise plan |
+| Similar Password Leaked | [`cf.waf.credential_check.username_password_similar`][4] | Enterprise plan |
+| Authentication detected | [`cf.waf.auth_detected`][5] | Enterprise plan |
+
+[1]: /ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcredential_checkpassword_leaked
+[2]: /ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcredential_checkusername_and_password_leaked
+[3]: /ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcredential_checkusername_leaked
+[4]: 
/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcredential_checkusername_password_similar
+[5]: /ruleset-engine/rules-language/fields/dynamic-fields/#cfwafauth_detected
diff --git a/src/content/docs/waf/detections/link-bots.mdx b/src/content/docs/waf/detections/link-bots.mdx
new file mode 100644
index 00000000000000..1d032b0984ace5
--- /dev/null
+++ b/src/content/docs/waf/detections/link-bots.mdx
@@ -0,0 +1,7 @@
+---
+pcx_content_type: navigation
+title: Bot score
+external_link: /bots/concepts/bot-score/
+sidebar:
+ order: 4
+---
diff --git a/src/content/docs/waf/about/content-scanning/api-calls.mdx b/src/content/docs/waf/detections/malicious-uploads/api-calls.mdx
similarity index 100%
rename from src/content/docs/waf/about/content-scanning/api-calls.mdx
rename to src/content/docs/waf/detections/malicious-uploads/api-calls.mdx
diff --git a/src/content/docs/waf/about/content-scanning/example-rules.mdx b/src/content/docs/waf/detections/malicious-uploads/example-rules.mdx
similarity index 77%
rename from src/content/docs/waf/about/content-scanning/example-rules.mdx
rename to src/content/docs/waf/detections/malicious-uploads/example-rules.mdx
index 4602f4c25b57a6..d889c17654f877 100644
--- a/src/content/docs/waf/about/content-scanning/example-rules.mdx
+++ b/src/content/docs/waf/detections/malicious-uploads/example-rules.mdx
@@ -5,43 +5,42 @@ sidebar: order: 3 head: - tag: title - content: Example rules for content scanning - + content: Example rules checking uploaded content objects --- ## Log requests with an uploaded content object This [custom rule](/waf/custom-rules/) example logs all requests with at least one uploaded content object: -* Expression: `cf.waf.content_scan.has_obj` -* Action: *Log* +- Expression: `cf.waf.content_scan.has_obj` +- Action: _Log_ ## Block requests to URI path with a malicious content object This custom rule example blocks requests addressed at `/upload.php` that contain at least one uploaded content object considered malicious: -* Expression: `cf.waf.content_scan.has_malicious_obj and http.request.uri.path eq "/upload.php"` -* Action: *Block* +- Expression: `cf.waf.content_scan.has_malicious_obj and http.request.uri.path eq "/upload.php"` +- Action: _Block_ ## Block requests with non-PDF file uploads This custom rule example blocks requests addressed at `/upload` with uploaded content objects that are not PDF files: -* Expression: `any(cf.waf.content_scan.obj_types[*] != "application/pdf") and http.request.uri.path eq "/upload"` -* Action: *Block* +- Expression: `any(cf.waf.content_scan.obj_types[*] != "application/pdf") and http.request.uri.path eq "/upload"` +- Action: _Block_ ## Block requests with uploaded files over 500 KB This custom rule example blocks requests addressed at `/upload` with uploaded content objects over 500 KB in size: -* Expression: `any(cf.waf.content_scan.obj_sizes[*] > 500000) and http.request.uri.path eq "/upload"` -* Action: *Block* +- Expression: `any(cf.waf.content_scan.obj_sizes[*] > 500000) and http.request.uri.path eq "/upload"` +- Action: _Block_ ## Block requests with uploaded files over the content scanning limit (15 MB) This custom rule example blocks requests with uploaded content objects over 15 MB in size (the current content scanning limit): -* Expression: `any(cf.waf.content_scan.obj_sizes[*] >= 15000000)` -* 
Action: *Block* +- Expression: `any(cf.waf.content_scan.obj_sizes[*] >= 15000000)` +- Action: _Block_ In this example, you must also test for equality because currently any file over 15 MB will be handled internally as if it had a size of 15 MB. This means that using the `>` (greater than) [comparison operator](/ruleset-engine/rules-language/operators/#comparison-operators) would not work for this particular rule — you should use `>=` (greater than or equal) instead. diff --git a/src/content/docs/waf/about/content-scanning/get-started.mdx b/src/content/docs/waf/detections/malicious-uploads/get-started.mdx similarity index 93% rename from src/content/docs/waf/about/content-scanning/get-started.mdx rename to src/content/docs/waf/detections/malicious-uploads/get-started.mdx index 873f55e61275fc..2a3f8e881b2c59 100644 --- a/src/content/docs/waf/about/content-scanning/get-started.mdx +++ b/src/content/docs/waf/detections/malicious-uploads/get-started.mdx @@ -60,7 +60,7 @@ If you use the Expression Editor, enter the following expression: (cf.waf.content_scan.has_malicious_obj) ``` -This rule will match requests where the WAF detects a suspicious or malicious content object. For a list of fields provided by WAF content scanning, refer to [Content scanning fields](/waf/about/content-scanning/#content-scanning-fields). +This rule will match requests where the WAF detects a suspicious or malicious content object. For a list of fields provided by WAF content scanning, refer to [Content scanning fields](/waf/detections/malicious-uploads/#content-scanning-fields).
@@ -94,11 +94,11 @@ You can combine the previous expression with other [fields](/ruleset-engine/rule
-For additional examples, refer to [Example rules](/waf/about/content-scanning/example-rules/). +For additional examples, refer to [Example rules](/waf/detections/malicious-uploads/example-rules/). ## 4. (Optional) Configure a custom scan expression -To check uploaded content in a way that is not covered by the default configuration, add a [custom scan expression](/waf/about/content-scanning/#custom-scan-expressions). +To check uploaded content in a way that is not covered by the default configuration, add a [custom scan expression](/waf/detections/malicious-uploads/#custom-scan-expressions). diff --git a/src/content/docs/waf/about/content-scanning/index.mdx b/src/content/docs/waf/detections/malicious-uploads/index.mdx similarity index 92% rename from src/content/docs/waf/about/content-scanning/index.mdx rename to src/content/docs/waf/detections/malicious-uploads/index.mdx index aecb464614b7bf..8058c6fda9434c 100644 --- a/src/content/docs/waf/about/content-scanning/index.mdx +++ b/src/content/docs/waf/detections/malicious-uploads/index.mdx 
@@ -1,18 +1,19 @@ --- -title: Uploaded content scanning +title: Malicious uploads detection pcx_content_type: concept sidebar: order: 3 + group: + label: Malicious uploads --- import { GlossaryTooltip } from "~/components"; -WAF content scanning is a WAF [traffic detection](/waf/about/#detection-versus-mitigation) that scans content being uploaded to your application. +The malicious uploads detection, also called uploaded content scanning, is a WAF [traffic detection](/waf/concepts/#detection-versus-mitigation) that scans content being uploaded to your application. When enabled, content scanning attempts to detect content objects, such as uploaded files, and scans them for malicious signatures like malware. The scan results, along with additional metadata, are exposed as fields available in WAF [custom rules](/waf/custom-rules/), allowing you to implement fine-grained mitigation rules. :::note - This feature is available to customers on an Enterprise plan with a paid add-on. ::: @@ -28,7 +29,7 @@ Cloudflare uses the same [anti-virus (AV) scanner used in Cloudflare Zero Trust] Content scanning will not apply any mitigation actions to requests with content objects considered malicious. It only provides a signal that you can use to define your attack mitigation strategy. You must create rules — [custom rules](/waf/custom-rules/) or [rate limiting rules](/waf/rate-limiting-rules/) — to perform actions based on detected signals. -For more information on detection versus mitigation, refer to [Concepts](/waf/about/#detection-versus-mitigation). +For more information on detection versus mitigation, refer to [Concepts](/waf/concepts/#detection-versus-mitigation). ::: 
@@ -68,9 +69,9 @@ Sometimes, you may wish to specify where to find the content objects, such as wh { "file": "" } ``` -In these situations, configure a custom scan expression to tell the content scanner where to find the content objects. For more information, refer to [Configure a custom scan expression](/waf/about/content-scanning/get-started/#4-optional-configure-a-custom-scan-expression). +In these situations, configure a custom scan expression to tell the content scanner where to find the content objects. For more information, refer to [Configure a custom scan expression](/waf/detections/malicious-uploads/get-started/#4-optional-configure-a-custom-scan-expression). -## ​​Content scanning fields +## Content scanning fields When content scanning is enabled, you can use the following fields in WAF rules: @@ -85,4 +86,4 @@ When content scanning is enabled, you can use the following fields in WAF rules: | Content object type | [`cf.waf.content_scan.obj_types`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanobj_types) | | Content object result
Values: `clean`, `suspicious`,
`infected`, and `not scanned` | [`cf.waf.content_scan.obj_results`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanobj_results) | -For examples of rule expressions using these fields, refer to [Example rules](/waf/about/content-scanning/example-rules/). +For examples of rule expressions using these fields, refer to [Example rules](/waf/detections/malicious-uploads/example-rules/). diff --git a/src/content/docs/waf/get-started.mdx b/src/content/docs/waf/get-started.mdx index 2453033d25e4d2..55c4e2fb5937fb 100644 --- a/src/content/docs/waf/get-started.mdx +++ b/src/content/docs/waf/get-started.mdx @@ -11,7 +11,7 @@ The Cloudflare Web Application Firewall (Cloudflare WAF) checks incoming web and This page will guide you through the recommended initial steps for configuring the WAF to get immediate protection against the most common attacks. -Refer to [Concepts](/waf/about/) for more information on WAF concepts, main components, and roles. +Refer to [Concepts](/waf/concepts/) for more information on WAF concepts, main components, and roles. :::note This guide focuses on configuring WAF for individual domains, known as zones. The WAF configuration is also available at the account level for Enterprise customers with a paid add-on. 
@@ -52,7 +52,7 @@ For more information on configuring the Cloudflare Managed Ruleset in the dashbo WAF attack score is only available to Business customers (limited access to a single field) and Enterprise customers (full access). ::: -[WAF attack score](/waf/about/waf-attack-score/) is a machine-learning layer that complements Cloudflare's managed rulesets, providing additional protection against SQL injection (SQLi), Cross-site scripting (XSS), and many remote code execution (RCE) attacks. It helps identify rule bypasses and potentially new, undiscovered attacks. +[WAF attack score](/waf/detections/attack-score/) is a machine-learning layer that complements Cloudflare's managed rulesets, providing additional protection against SQL injection (SQLi), Cross-site scripting (XSS), and many remote code execution (RCE) attacks. It helps identify rule bypasses and potentially new, undiscovered attacks. If you are an Enterprise customer, do the following: @@ -71,7 +71,7 @@ If you are an Enterprise customer, do the following: - **Choose action**: Block -If you are on a Business plan, create a custom rule as mentioned above but use the [WAF Attack Score Class](/waf/about/waf-attack-score/#available-scores) field instead. For example, you could use the following rule expression: `WAF Attack Score Class equals Attack`. +If you are on a Business plan, create a custom rule as mentioned above but use the [WAF Attack Score Class](/waf/detections/attack-score/#available-scores) field instead. For example, you could use the following rule expression: `WAF Attack Score Class equals Attack`. ## 3. Create custom rule based on bot score 
@@ -133,7 +133,7 @@ Users on the Free plan only have access to Security Events. After setting up your WAF configuration, review how incoming traffic is being affected by your current settings using the following dashboards: -- Use [Security Analytics](/waf/analytics/security-analytics/) to explore all traffic, including traffic not affected by WAF mitigation measures. All data provided by [traffic detections](/waf/about/#available-traffic-detections) is available in this dashboard. +- Use [Security Analytics](/waf/analytics/security-analytics/) to explore all traffic, including traffic not affected by WAF mitigation measures. All data provided by [traffic detections](/waf/concepts/#available-traffic-detections) is available in this dashboard. - Use [Security Events](/waf/analytics/security-events/) to get more information about requests that are being mitigated by Cloudflare security products. Enterprise customers can also obtain data about HTTP requests and security events using [Cloudflare Logs](/logs/). @@ -166,7 +166,7 @@ Use [leaked credential checks](/waf/managed-rules/check-for-exposed-credentials/ Available to Enterprise customers with a paid add-on. ::: -[Use WAF content scanning](/waf/about/content-scanning/get-started/) to scan content being uploaded to your application, searching for malicious content. +[Use WAF content scanning](/waf/detections/malicious-uploads/get-started/) to scan content being uploaded to your application, searching for malicious content. ### Get additional security for your APIs diff --git a/src/content/docs/waf/index.mdx b/src/content/docs/waf/index.mdx index 9568506056b0cb..89eddcc7a21c9b 100644 --- a/src/content/docs/waf/index.mdx +++ b/src/content/docs/waf/index.mdx 
@@ -37,8 +37,8 @@ Learn how to [get started](/waf/get-started/). Create your own custom rules to protect your website and your APIs from malicious incoming traffic. Use advanced features like [WAF attack - score](/waf/about/waf-attack-score/) and [uploaded content - scanning](/waf/about/content-scanning/) in your custom rules. + score](/waf/detections/attack-score/) and [malicious uploads + detection](/waf/detections/malicious-uploads/) in your custom rules. diff --git a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/configure-api.mdx b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/configure-api.mdx index 5e0d9c24669cd4..bc94af87c7a72f 100644 --- a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/configure-api.mdx +++ b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/configure-api.mdx @@ -8,15 +8,18 @@ head: content: Configure exposed credentials checks via API --- +import { Render } from "~/components"; + Configure exposed credentials checks using the [Rulesets API](/ruleset-engine/rulesets-api/). You can do the following: - [Deploy the Cloudflare Exposed Credentials Check Managed Ruleset](/waf/managed-rules/reference/exposed-credentials-check/#configure-via-api). - Create custom rules that check for exposed credentials. + + ## Create a custom rule checking for exposed credentials :::note - This feature requires account-level WAF, which is available to Enterprise customers with a paid add-on. ::: diff --git a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/how-checks-work.mdx b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/how-checks-work.mdx index 9f86497bf49b7d..e549742c162237 100644 --- a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/how-checks-work.mdx +++ b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/how-checks-work.mdx 
@@ -6,15 +6,18 @@ sidebar: head: - tag: title content: How exposed credentials checks work - --- -import { Example } from "~/components" +import { Render, Example } from "~/components"; WAF rules can include a check for exposed credentials. When enabled in a given rule, exposed credentials checking happens when there is a match for the rule expression (that is, the rule expression evaluates to `true`). At this point, the WAF looks up the username/password pair in the request against a database of publicly available stolen credentials. When both the rule expression and the exposed credentials check are true, there is a rule match, and Cloudflare performs the action configured in the rule. + + +## Example + For example, the following rule matches `POST` requests to the `/login.php` URI when Cloudflare identifies the submitted credentials as previously exposed: @@ -26,10 +29,10 @@ Rule expression:
Exposed credentials check with the following configuration: -* Username expression: `http.request.body.form["user_id"]` -* Password expression: `http.request.body.form["password"]` +- Username expression: `http.request.body.form["user_id"]` +- Password expression: `http.request.body.form["password"]` -Action: *Interactive Challenge* +Action: _Interactive Challenge_
diff --git a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/index.mdx b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/index.mdx
index 117115ed494bc5..4ce562356b69d5 100644
--- a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/index.mdx
+++ b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/index.mdx
@@ -3,53 +3,50 @@ pcx_content_type: concept title: Check for exposed credentials sidebar: order: 12 - --- -import { GlossaryTooltip } from "~/components" +import { GlossaryTooltip, Render } from "~/components"; -Many web applications have suffered credential stuffing attacks in the recent past. In these attacks there is a massive number of login attempts using username/password pairs from databases of exposed credentials. +Many web applications have suffered credential stuffing attacks in the recent past. In these attacks there is a massive number of login attempts using username/password pairs from databases of exposed credentials. Cloudflare offers you automated checks for exposed credentials using Cloudflare Web Application Firewall (WAF). -:::note - - -This feature is available to all paid plans. - - -::: + The WAF provides two mechanisms for this check: -* The [Exposed Credentials Check Managed Ruleset](/waf/managed-rules/reference/exposed-credentials-check/), which contains predefined rules for popular CMS applications. By enabling this ruleset for a given zone, you immediately enable checks for exposed credentials for these well-known applications. +- The [Exposed Credentials Check Managed Ruleset](/waf/managed-rules/reference/exposed-credentials-check/), which contains predefined rules for popular CMS applications. By enabling this ruleset for a given zone, you immediately enable checks for exposed credentials for these well-known applications. The managed ruleset is available to all paid plans. -* The ability to [write custom rules](#exposed-credentials-checks-in-custom-rules) at the account level that check for exposed credentials according to your criteria. +- The ability to [write custom rules](#exposed-credentials-checks-in-custom-rules) at the account level that check for exposed credentials according to your criteria. This configuration option is available to Enterprise customers with a paid add-on. 
Cloudflare updates the databases of exposed credentials supporting the exposed credentials check feature on a regular basis. -The username and password credentials in clear text never leave the Cloudflare network. The WAF only uses an anonymized version of the username and password when determining if there are previously exposed credentials. Cloudflare follows the approach based on the *k*-Anonymity mathematical property described in the following blog post: [Validating Leaked Passwords with k-Anonymity](https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/). +The username and password credentials in clear text never leave the Cloudflare network. The WAF only uses an anonymized version of the username and password when determining if there are previously exposed credentials. Cloudflare follows the approach based on the _k_-Anonymity mathematical property described in the following blog post: [Validating Leaked Passwords with k-Anonymity](https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/). ## Available actions The WAF can perform one of the following actions when it detects exposed credentials: -* **Exposed-Credential-Check Header**: Adds a new HTTP header to HTTP requests with exposed credentials. Your application at the origin can then force a password reset, start a two-factor authentication process, or perform any other action. The name of the added HTTP header is `Exposed-Credential-Check` and its value is `1`. -* **Managed Challenge**: Helps reduce the lifetimes of human time spent solving CAPTCHAs across the Internet. Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge based on specific criteria. -* **Block**: Blocks HTTP requests containing exposed credentials. -* **JS Challenge**: Presents a non-interactive challenge to the clients making HTTP requests with exposed credentials. -* **Log**: Only available on Enterprise plans. 
Logs requests with exposed credentials in the Cloudflare logs. Recommended for validating a rule before committing to a more severe action. -* **Interactive Challenge**: Presents an interactive challenge to the clients making HTTP requests with exposed credentials. +- **Exposed-Credential-Check Header**: Adds a new HTTP header to HTTP requests with exposed credentials. Your application at the origin can then force a password reset, start a two-factor authentication process, or perform any other action. The name of the added HTTP header is `Exposed-Credential-Check` and its value is `1`. + + :::caution + While the header name is the same as when using the [**Add Leaked Credentials Checks Header** managed transform](/rules/transform/managed-transforms/reference/#add-leaked-credentials-checks-header), the header can have different values when using the managed transform (from `1` to `4`), depending on your Cloudflare plan. + ::: -The default action for the rules in the Exposed Credentials Check Managed Ruleset is *Exposed-Credential-Check Header* (named `rewrite` in the API). +- **Managed Challenge**: Helps reduce the lifetimes of human time spent solving CAPTCHAs across the Internet. Depending on the characteristics of a request, Cloudflare will dynamically choose the appropriate type of challenge based on specific criteria. +- **Block**: Blocks HTTP requests containing exposed credentials. +- **JS Challenge**: Presents a non-interactive challenge to the clients making HTTP requests with exposed credentials. +- **Log**: Only available on Enterprise plans. Logs requests with exposed credentials in the Cloudflare logs. Recommended for validating a rule before committing to a more severe action. +- **Interactive Challenge**: Presents an interactive challenge to the clients making HTTP requests with exposed credentials. -Cloudflare recommends that you only use the following actions: *Exposed-Credential-Check Header* (named `rewrite` in the API) and *Log* (`log`). 
+The default action for the rules in the Exposed Credentials Check Managed Ruleset is _Exposed-Credential-Check Header_ (named `rewrite` in the API). + +Cloudflare recommends that you only use the following actions: _Exposed-Credential-Check Header_ (named `rewrite` in the API) and _Log_ (`log`). ## Exposed credentials checks in custom rules :::note - -Exposed credentials checks in custom rules are only available via API and require account-level WAF, which is available to Enterprise customers with a paid add-on. +Exposed credentials checks in custom rules are only available via API and require account-level WAF, which is available to Enterprise customers with a paid add-on. ::: Besides enabling the [Exposed Credentials Check Managed Ruleset](/waf/managed-rules/reference/exposed-credentials-check/), you can also check for exposed credentials in [custom rules](/waf/custom-rules/). One common use case is to create custom rules on the end user authentication endpoints of your application to check for exposed credentials. Rules that check for exposed credentials run before rate limiting rules. diff --git a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/monitor-events.mdx b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/monitor-events.mdx index da899973534576..f8b69196be6e4d 100644 --- a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/monitor-events.mdx +++ b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/monitor-events.mdx 
@@ -5,14 +5,16 @@ sidebar: order: 6 --- +import { Render } from "~/components"; + The **Activity log** in Security Events shows entries for requests with exposed credentials identified by rules with the _Log_ action. Check for exposed credentials events in the Security Events dashboard (**Security** > **Events** tab), filtering by a specific Rule ID. For more information on filtering security events, refer to [Adjusting displayed data](/waf/analytics/security-events/paid-plans/#adjusting-displayed-data). -:::caution + -- Exposed credentials events are only logged after you activate the Exposed Credentials Check Managed Ruleset or create a custom rule checking for exposed credentials. +## Important notes -- The log entries will not contain the values of the exposed credentials (username, email, or password). However, if [matched payload logging](/waf/managed-rules/payload-logging/) is enabled, the log entries will contain the values of the fields in the rule expression that triggered the rule. These values might be the values of credential fields, depending on your rule configuration. +Exposed credentials events are only logged after you activate the Exposed Credentials Check Managed Ruleset or create a custom rule checking for exposed credentials. -::: +The log entries will not contain the values of the exposed credentials (username, email, or password). However, if [matched payload logging](/waf/managed-rules/payload-logging/) is enabled, the log entries will contain the values of the fields in the rule expression that triggered the rule. These values might be the values of credential fields, depending on your rule configuration. diff --git a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/test-configuration.mdx b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/test-configuration.mdx index 03bea1308b05d6..2cfc7fb72110ac 100644 --- a/src/content/docs/waf/managed-rules/check-for-exposed-credentials/test-configuration.mdx 
+++ b/src/content/docs/waf/managed-rules/check-for-exposed-credentials/test-configuration.mdx @@ -6,13 +6,14 @@ sidebar: head: - tag: title content: Test your exposed credentials checks configuration - --- -import { Render } from "~/components" +import { Render } from "~/components"; After enabling and configuring exposed credentials checks, you may want to test if the checks are working properly. + + Cloudflare provides a special set of case-sensitive credentials for this purpose: diff --git a/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx b/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx index a10ea4c291dd87..904f7edd0431f9 100644 --- a/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx +++ b/src/content/docs/waf/managed-rules/reference/exposed-credentials-check.mdx @@ -5,11 +5,11 @@ sidebar: order: 4 --- +import { Render } from "~/components"; + The Cloudflare Exposed Credentials Check Managed Ruleset is a set of pre-configured rules for well-known CMS applications that perform a lookup against a public database of stolen credentials. -:::note -The Cloudflare Exposed Credentials Check Managed Ruleset is only available in the Cloudflare WAF announced on March 2021. -::: + The managed ruleset includes rules for the following CMS applications: 
@@ -28,9 +28,7 @@ Additionally, this managed ruleset also includes generic rules for other common The default action for the rules in managed ruleset is _Exposed-Credential-Check Header_ (named `rewrite` in the API). -:::note[Note] -The managed ruleset contains an additional rule that blocks HTTP requests already containing the `Exposed-Credential-Check` HTTP header used by the _Exposed-Credential-Check Header_ action. These requests could be used to trick the origin into believing that a request contained (or did not contain) exposed credentials. -::: +The managed ruleset also contains a rule that blocks HTTP requests already containing the `Exposed-Credential-Check` HTTP header used by the _Exposed-Credential-Check Header_ action. These requests could be used to trick the origin into believing that a request contained (or did not contain) exposed credentials. For more information on exposed credential checks, refer to [Check for exposed credentials](/waf/managed-rules/check-for-exposed-credentials/). diff --git a/src/content/glossary/waf.yaml b/src/content/glossary/waf.yaml index fd470e78de8b9f..a1bb4f6832d775 100644 --- a/src/content/glossary/waf.yaml +++ b/src/content/glossary/waf.yaml 
@@ -23,9 +23,9 @@ entries: general_definition: |- credential stuffing is the automated injection of stolen username and password pairs (known as "credentials") into website login forms, trying to gain access to user accounts. - - term: exposed credentials + - term: leaked credentials general_definition: |- - exposed credentials refers to sensitive authentication information disclosed in some way (for example, due to misconfigurations, data breaches, or simple human error), allowing other parties to gain access to digital resources. + leaked credentials refers to sensitive authentication information disclosed in some way (for example, due to misconfigurations, data breaches, or simple human error), allowing other parties to gain access to digital resources. Credentials may include usernames, passwords, API keys, authentication tokens, or private keys. diff --git a/src/content/partials/cloudflare-one/access/idp-integration.mdx b/src/content/partials/cloudflare-one/access/idp-integration.mdx index 1b186cebea3879..83797bc7d10c9a 100644 --- a/src/content/partials/cloudflare-one/access/idp-integration.mdx +++ b/src/content/partials/cloudflare-one/access/idp-integration.mdx @@ -1,6 +1,5 @@ --- {} - --- 1. In [Zero Trust](https://one.dash.cloudflare.com), go to **Settings** > **Authentication**. diff --git a/src/content/partials/cloudflare-one/access/scim-supported-idps.mdx b/src/content/partials/cloudflare-one/access/scim-supported-idps.mdx index e274346e69f203..b01254af5649c3 100644 --- a/src/content/partials/cloudflare-one/access/scim-supported-idps.mdx +++ b/src/content/partials/cloudflare-one/access/scim-supported-idps.mdx 
@@ -1,7 +1,6 @@ --- {} - --- -* [Microsoft Entra ID](/cloudflare-one/identity/idp-integration/azuread/) (formerly known as Azure AD) -* [Okta](/cloudflare-one/identity/idp-integration/okta/) +- [Microsoft Entra ID](/cloudflare-one/identity/idp-integration/entra-id/) (formerly known as Azure AD) +- [Okta](/cloudflare-one/identity/idp-integration/okta/) diff --git a/src/content/partials/fundamentals/cloudflare-security.mdx b/src/content/partials/fundamentals/cloudflare-security.mdx index 7892588ac12f9e..4953a86fc31c1f 100644 --- a/src/content/partials/fundamentals/cloudflare-security.mdx +++ b/src/content/partials/fundamentals/cloudflare-security.mdx @@ -1,10 +1,9 @@ --- {} - --- Beyond hiding your origin's IP address from potential attackers, Cloudflare also stops malicious traffic before it reaches your origin web server. -Cloudflare automatically mitigates security risks using our [WAF](/waf/about/) and [DDoS protection](/ddos-protection/). +Cloudflare automatically mitigates security risks using our [WAF](/waf/) and [DDoS protection](/ddos-protection/). For additional details on security, refer to our guide on how to [Secure your website](/learning-paths/application-security/). diff --git a/src/content/partials/version-management/product-limitations.mdx b/src/content/partials/version-management/product-limitations.mdx index b3f03ac931d16e..2c91147ea04f6d 100644 --- a/src/content/partials/version-management/product-limitations.mdx +++ b/src/content/partials/version-management/product-limitations.mdx @@ -1,118 +1,117 @@ --- {} - --- -import { Details } from "~/components" +import { Details } from "~/components"; Version Management does not currently support or have limited support for the following products or features: -
-* Some [API Shield](/api-shield/) configurations are not cloned when a new zone version is created. -* Customers are allowed to opt-in to remove the UI block that prevents enabling Version Management. -
+- Some [API Shield](/api-shield/) configurations are not cloned when a new zone version is created. +- Customers are allowed to opt-in to remove the UI block that prevents enabling Version Management. +
-* [Authenticated Origin Pull](/ssl/origin-configuration/authenticated-origin-pull/) does not work with Zone Versioning. -* Accessing your domain from an allowlisted IP returns a Cloudflare 520 error. -
+- [Authenticated Origin Pull](/ssl/origin-configuration/authenticated-origin-pull/) does not work with Zone Versioning. +- Accessing your domain from an allowlisted IP returns a Cloudflare 520 error. +
-* [Cache](/workers/runtime-apis/cache/) configurations are versioned, but cache keys are not. -* Caching a new URL on staging would cache it for production as well. -* Purging cache on staging would purge it on production too. -* Promoting a new version to production would wipe all exiting cache. -
+- [Cache](/workers/runtime-apis/cache/) configurations are versioned, but cache keys are not. +- Caching a new URL on staging would cache it for production as well. +- Purging cache on staging would purge it on production too. +- Promoting a new version to production would wipe all exiting cache. +
-* [Image Resizing](/images/) does not work with the `additional_cacheable_ports` [Cache Rule](/cache/how-to/cache-rules/) setting and Zone Versioning. -* If you use `additional_cacheable_ports` with Image Resizing, the image will be resized every time it is requested and will result in low performance. -
+- [Image Resizing](/images/) does not work with the `additional_cacheable_ports` [Cache Rule](/cache/how-to/cache-rules/) setting and Zone Versioning. +- If you use `additional_cacheable_ports` with Image Resizing, the image will be resized every time it is requested and will result in low performance. +
-* [Workers Cache API](/workers/runtime-apis/cache/) does not work with Version Management. -* If you use the Workers Cache API with Zone Versioning, you might encounter unexpected caching behaviours. -
+- [Workers Cache API](/workers/runtime-apis/cache/) does not work with Version Management. +- If you use the Workers Cache API with Zone Versioning, you might encounter unexpected caching behaviours. +
-* Regardless of the version deployed to production, traffic in China will always target the root zone. -* Other incompatibility issues with Access and ICP licenses. -
+- Regardless of the version deployed to production, traffic in China will always target the root zone. +- Other incompatibility issues with Access and ICP licenses. +
-* Zone Version Management does not currently expose a public [API](/api/). -* Customers can only use Version Management through the [Cloudflare dashboard](https://dash.cloudflare.com/). -
+- Zone Version Management does not currently expose a public [API](/api/). +- Customers can only use Version Management through the [Cloudflare dashboard](https://dash.cloudflare.com/). +
-* [Domain-scoped Roles](/fundamentals/setup/manage-members/roles/#domain-scoped-roles) apply only to your root zone. -* Once a new version is created, these roles do not copy over and they lose access to versions. -
+- [Domain-scoped Roles](/fundamentals/setup/manage-members/roles/#domain-scoped-roles) apply only to your root zone. +- Once a new version is created, these roles do not copy over and they lose access to versions. +
-* Changes made to [Image Transformations](/images/transform-images/#transform-images) are not cloned when a new zone version is created. -
+- Changes made to [Image Transformations](/images/transform-images/#transform-images) are not cloned when a new zone version is created. +
-* [Network Error Logging](/network-error-logging/) configurations are not cloned when a new version is created. -
+- [Network Error Logging](/network-error-logging/) configurations are not cloned when a new version is created. +
-* [Page Shield](/page-shield/) is not available for versioning and is only configurable under your Global Configuration. -
+- [Page Shield](/page-shield/) is not available for versioning and is only configurable under your Global Configuration. +
-* [Security Insights](/security-center/security-insights/) are not shown when Zone Versioning is enabled and the first version is deployed to production. -
+- [Security Insights](/security-center/security-insights/) are not shown when Zone Versioning is enabled and the first version is deployed to production. +
-* Zone Version Management does not currently support [Terraform](/terraform/). -* Customers should either use Terraform or Version Management. -
+- Zone Version Management does not currently support [Terraform](/terraform/). +- Customers should either use Terraform or Version Management. +
-* [WAF Attack Score](/waf/about/waf-attack-score/) configurations are not cloned when a new zone version is created. -
+- [WAF Attack Score](/waf/detections/attack-score/) configurations are not cloned when a new zone version is created. +
-* [Waiting Room](/waiting-room/) users active on the site may be placed back in the queue. -* Waiting Room users in the queue may lose their place in line. -* Traffic may exceed limits. -
+- [Waiting Room](/waiting-room/) users active on the site may be placed back in the queue. +- Waiting Room users in the queue may lose their place in line. +- Traffic may exceed limits. +
-* If a version has a Worker route, it might disappear when a Worker is deployed via [Wrangler](/workers/wrangler/). -* If two versions have the same custom domains, the Worker might randomly choose between them. +- If a version has a Worker route, it might disappear when a Worker is deployed via [Wrangler](/workers/wrangler/). +- If two versions have the same custom domains, the Worker might randomly choose between them. +
diff --git a/src/content/partials/waf/leaked-credentials-recommend-detection.mdx b/src/content/partials/waf/leaked-credentials-recommend-detection.mdx new file mode 100644 index 00000000000000..5c70ec5bb26e88 --- /dev/null +++ b/src/content/partials/waf/leaked-credentials-recommend-detection.mdx @@ -0,0 +1,7 @@ +--- +{} +--- + +:::note[Recommendation: Use leaked credentials detection instead] +Cloudflare recommends that you use [leaked credentials detection](/waf/detections/leaked-credentials/) instead of Cloudflare Exposed Credentials Check, which refers to a previous implementation. +::: diff --git a/src/content/partials/waf/waf-managed-rules-intro.mdx b/src/content/partials/waf/waf-managed-rules-intro.mdx index 72d85027a855e7..35bcde0c0eb321 100644 --- a/src/content/partials/waf/waf-managed-rules-intro.mdx +++ b/src/content/partials/waf/waf-managed-rules-intro.mdx @@ -1,14 +1,13 @@ --- {} - --- WAF Managed Rules allow you to deploy pre-configured managed rulesets that provide immediate protection against: -* Zero-day vulnerabilities -* Top-10 attack techniques -* Use of stolen/exposed credentials -* Extraction of sensitive data +- Zero-day vulnerabilities +- Top-10 attack techniques +- Use of stolen/leaked credentials +- Extraction of sensitive data These managed rulesets are regularly updated. Each rule has a default action that varies according to the severity of the rule. You can adjust the behavior of specific rules, choosing from several possible actions. diff --git a/src/content/plans/index.json b/src/content/plans/index.json index b267bff7e5b62c..6b0dfcd32a3e8b 100644 --- a/src/content/plans/index.json +++ b/src/content/plans/index.json 
@@ -1490,11 +1490,25 @@ "properties": { "availability": { "title": "Availability", - "summary": "Business and above", - "free": "No", - "pro": "No", + "summary": "Available on all plans", + "free": "Yes", + "pro": "Yes", "biz": "Yes", "ent": "Yes" + }, + "retention": { + "title": "Retention", + "free": "7", + "pro": "31", + "biz": "31", + "ent": "90" + }, + "query_window": { + "title": "Query window", + "free": "1", + "pro": "7", + "biz": "31", + "ent": "31" } } }, @@ -1622,7 +1636,63 @@ } } }, - "waf_b_custom_rules": { + "waf_b_detections": { + "title": "WAF detections", + "link": "/waf/detections/", + "properties": { + "availability": { + "title": "Availability", + "summary": "Available on all plans", + "free": "Yes", + "pro": "Yes", + "biz": "Yes", + "ent": "Yes" + }, + "b_malicious_uploads": { + "title": "Malicious uploads detection", + "summary": "Enterprise with add-on", + "link": "/waf/detections/malicious-uploads/", + "free": "No", + "pro": "No", + "biz": "No", + "ent": "Paid add-on" + }, + "c_leaked_creds": { + "title": "Leaked credentials detection", + "link": "/waf/detections/leaked-credentials/", + "free": "Yes", + "pro": "Yes", + "biz": "Yes", + "ent": "Yes" + }, + "d_leaked_creds_fields": { + "title": "Leaked credentials fields", + "link": "/waf/detections/leaked-credentials/", + "free": "Password Leaked", + "pro": "Password Leaked, User and Password Leaked", + "biz": "Password Leaked, User and Password Leaked", + "ent": "All leaked credentials fields" + }, + "e_leaked_creds_locations": { + "title": "Number of custom detection locations", + "summary": "Enterprise-only", + "free": "0", + "pro": "0", + "biz": "0", + "ent": "10" + }, + "f_attack_score": { + "title": "Attack score", + "summary": "Business and Enterprise plans", + "link": "/waf/detections/attack-score/", + "free": "No", + "pro": "No", + "biz": "One field only", + "ent": "Yes" + } + } + }, + "waf_c_custom_rules": { "title": "WAF custom rules", "link": "/waf/custom-rules/", "properties": { 
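Review bot: The new `retention` and `query_window` properties in the first hunk carry bare numbers ("7", "31", "90", "1", "7") with no unit anywhere in the entry, so the rendered plan table would show a column labelled "Retention" with the value 7 and nothing saying what 7 is. Presumably these are days, but nothing on the page states it; the `title` strings are the natural place, e.g. `"title": "Retention (days)"` and `"title": "Query window (days)"`, or a `summary` string like the neighbouring `availability` property has. Confirm the unit before changing the labels.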
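Review bot: The second hunk renames the existing key `waf_b_custom_rules` to `waf_c_custom_rules` in order to slot `waf_b_detections` in ahead of it; if anything outside this file resolves plan entries by that key (a component, a generated anchor, or a page that embeds a single row), the rename is a breaking change, and nothing in this diff updates such a reference. Worth a search for the old key before merge, or keeping the key stable and letting the ordering prefix live elsewhere.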
diff --git a/src/content/products/exposed-credentials.yaml b/src/content/products/exposed-credentials.yaml deleted file mode 100644 index 5348d068e1b41b..00000000000000 --- a/src/content/products/exposed-credentials.yaml +++ /dev/null @@ -1,8 +0,0 @@ -name: Exposed credential checks - -product: - title: Exposed credential checks - group: Application security - url: /waf/managed-rules/check-for-exposed-credentials/ - wrap: true - grid_placeholder: true diff --git a/src/content/products/images.yaml b/src/content/products/images.yaml index 1e998f019bde80..35ef23265409ee 100644 --- a/src/content/products/images.yaml +++ b/src/content/products/images.yaml @@ -1,7 +1,7 @@ -name: Cloudflare Image Optimization +name: Cloudflare Images product: - title: Cloudflare Image Optimization + title: Cloudflare Images url: /images/ group: Developer platform additional_groups: [Media] @@ -9,10 +9,9 @@ product: preview_tryout: true meta: - title: Cloudflare Image Optimization docs + title: Cloudflare Images docs description: - Choose between Cloudflare Images and Cloudflare Image Resizing, two - products tailored to your different needs. + Store, transform, optimize, and deliver images at scale. author: "@cloudflare" resources: diff --git a/src/content/products/leaked-credentials.yaml b/src/content/products/leaked-credentials.yaml new file mode 100644 index 00000000000000..f5772c55877bfb --- /dev/null +++ b/src/content/products/leaked-credentials.yaml @@ -0,0 +1,8 @@ +name: Leaked credentials checks + +product: + title: Leaked credentials checks + group: Application security + url: /waf/detections/leaked-credentials/ + wrap: true + grid_placeholder: true diff --git a/src/schemas/base.ts b/src/schemas/base.ts index 5a1a476a028d2c..8cb4f5558566e2 100644 --- a/src/schemas/base.ts +++ b/src/schemas/base.ts @@ -1,4 +1,5 @@ import { z } from "astro:schema"; +import { BadgeConfigSchema } from "./types/badge"; const spotlightAuthorDetails = z .object({ 
@@ -89,6 +90,7 @@ export const baseSchema = z.object({
 .describe(
 "Hides the index page from the sidebar. Refer to https://developers.cloudflare.com/style-guide/frontmatter/sidebar/.",
 ),
+ badge: BadgeConfigSchema(),
 })
 .optional(),
 })
diff --git a/src/schemas/types/badge.ts b/src/schemas/types/badge.ts
new file mode 100644
index 00000000000000..31967cf0805ddd
--- /dev/null
+++ b/src/schemas/types/badge.ts
@@ -0,0 +1,40 @@
+// Vendored from https://github.com/withastro/starlight/blob/a171a996b842f1fdb37a0bdbb2c9d86e1073e1a4/packages/starlight/schemas/badge.ts#
+import { z } from 'astro:schema';
+
+const badgeBaseSchema = z.object({
+ variant: z.enum(['note', 'danger', 'success', 'caution', 'tip', 'default']).default('default'),
+ class: z.string().optional(),
+});
+
+const badgeSchema = badgeBaseSchema.extend({
+ text: z.string(),
+});
+
+const i18nBadgeSchema = badgeBaseSchema.extend({
+ text: z.union([z.string(), z.record(z.string())]),
+});
+
+export const BadgeComponentSchema = badgeSchema
+ .extend({
+ size: z.enum(['small', 'medium', 'large']).default('small'),
+ })
+ .passthrough();
+
+export type BadgeComponentProps = z.input;
+
+export const BadgeConfigSchema = () =>
+ z
+ .union([z.string(), badgeSchema])
+ .transform((badge) => {
+ if (typeof badge === 'string') {
+ return { variant: 'default' as const, text: badge };
+ }
+ return badge;
+ })
+ .optional();
+
+export const I18nBadgeConfigSchema = () => z.union([z.string(), i18nBadgeSchema]).optional();
+
+export type Badge = z.output;
+export type I18nBadge = z.output;
+export type I18nBadgeConfig = z.output>;
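Review bot: The added `badge: BadgeConfigSchema(),` is the only field visible in this object without a `.describe()`, while its neighbour `hidden` documents itself and links to the style guide; schema descriptions are what surface in editor tooltips and generated frontmatter docs. Suggest `badge: BadgeConfigSchema().describe("Badge for this page: a string, or { text, variant, class }."),` — that object shape is what `badgeSchema` in src/schemas/types/badge.ts accepts, and `.describe()` chains because `BadgeConfigSchema()` returns a Zod schema. Given the `hidden` sibling this presumably is the `sidebar` object, so the description could say so once confirmed. The enclosing `z.object({…})` starts and ends outside the hunk.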