New Cloudflare Security Center – Beta, use with caution

Every once in a while I log in to Cloudflare and browse around the dashboard, looking for any new features on the free plan – to their credit, CF adds helpful new features frequently. Today I noticed the new Security Center, and I was eager to try it out.

Doing a bit of research, I found it was launched just a couple of months ago, in December 2021. I either missed or disregarded the small “Beta” label. I shoulda known from my experience with the beta version of Rocket Loader – in CF speak, “beta” means “buggy – use with caution”.

I clicked on the tempting “Scan Now” button, and waited. And waited. And waited. I had plenty of time to make lunch and eat it while I waited. Over an hour later the scan was finally finished. The Security Center proudly let me know it had found 72 security “Insights” for me to inspect and resolve:

  • 36 dangling AAAA DNS records (moderate severity)
  • 22 instances of HSTS not enforced (moderate severity)
  • 11 zones without WAF Managed Rules (low severity)
  • 3 domains without “Always Use HTTPS” (moderate severity)

I went to the last item first. I thought I had set all my zones to always use HTTPS. Nope, I had missed one. It was helpful of CF to catch that for me and I immediately fixed it.

The CF free tier does not offer WAF managed firewall rules. When I clicked on that item CF helpfully suggested I pay for the Pro plan. I declined.

I’ve implemented HSTS on only my more important zones – I worry about the implications on doing so for sites that I don’t spend much time maintaining. So, no surprise and no worries regarding the HSTS insight.

The dangling DNS records bothered me. I could think of no reason my IPv6 records should be broken. I checked, and my host verified the records as being correct. I used a free online checker and – yep, they looked correct. But the scanner ran for a *long* time, so it must have checked thoroughly. The error message assured me that those IPv6 addresses did not correspond to my domain names. It urged me to either delete or correct the records. I could not correct them – by all the information I could find, they were already correct. But they aren’t required. The IPv4 ‘A’ records will do the job on their own – just not always as efficiently. I deleted the presumably faulty AAAA records.

Then, I decided to do a bit more research. I found this helpful note from an expert in the Cloudflare Community forum:

I have a lot of those [dangling AAAA DNS errors], and they’re false positives. Just ignore those for now as they work out the kinks. That’s why Security Center is labeled as a Beta product.

Oh. Crap. Guess I’ll go put ’em back now. That’ll only take me an hour or so.
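Before acting on a beta scanner’s verdict, a cross-check of the flagged AAAA records against what the host actually confirms is cheap insurance. The script below is an added example, not code from the post or from Cloudflare; the zone records, the host’s confirmed addresses and the provider prefix are all constructed placeholders (2001:db8::/32 documentation space), and it runs offline.

```python
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed sample zone export (hypothetical names/addresses, documentation prefix).
ZONE_RECORDS: List[dict] = [
    {"name": "www.example.com",  "type": "AAAA", "content": "2001:db8:1::10"},
    # Same host address, written in expanded form: a naive string compare would flag it.
    {"name": "blog.example.com", "type": "AAAA", "content": "2001:0db8:0001:0000:0000:0000:0000:0011"},
    {"name": "old.example.com",  "type": "AAAA", "content": "2001:db8:99::5"},
    {"name": "bad.example.com",  "type": "AAAA", "content": "2001:db8:1::zz"},
    {"name": "www.example.com",  "type": "A",    "content": "192.0.2.10"},
]

# Addresses the hosting provider confirmed for this account (constructed).
HOST_CONFIRMED = {"2001:db8:1::10", "2001:db8:1::11"}
# Address block the provider says it owns (constructed).
HOST_PREFIXES = [ipaddress.ip_network("2001:db8:1::/48")]

Key = Tuple[str, str]  # (record name, record content as written in the zone)


def classify_aaaa(records: Iterable[dict], confirmed: Iterable[str],
                  prefixes: List[ipaddress.IPv6Network]) -> Dict[Key, str]:
    """Label each AAAA record: ok / unconfirmed / outside_provider / invalid.

    Comparison is done on parsed addresses, so expanded and compressed
    spellings of the same IPv6 address are treated as equal.
    """
    confirmed_addrs = {ipaddress.IPv6Address(a) for a in confirmed}
    verdicts: Dict[Key, str] = {}
    for rec in records:
        if rec["type"] != "AAAA":
            continue
        key = (rec["name"], rec["content"])
        try:
            addr = ipaddress.IPv6Address(rec["content"])
        except ValueError:
            verdicts[key] = "invalid"          # not even a well-formed address
            continue
        if addr in confirmed_addrs:
            verdicts[key] = "ok"               # host vouches for it: keep, scanner is wrong
        elif any(addr in p for p in prefixes):
            verdicts[key] = "unconfirmed"      # provider space, but not on the host's list: ask first
        else:
            verdicts[key] = "outside_provider" # genuinely stale: candidate for deletion
    return verdicts


def deletion_candidates(verdicts: Dict[Key, str]) -> List[Key]:
    """Only records that are invalid or point outside the provider are safe to drop."""
    return sorted(k for k, v in verdicts.items() if v in ("invalid", "outside_provider"))
```

Records labelled "ok" are the false positives worth keeping; "unconfirmed" ones deserve a question to the host rather than a delete.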

WPPOV supports freedom from Net Neutrality and the GDPR. The Internet of the people, by the people, for the people, shall not perish from the Earth.