Hi CF team,
Today I figured out the ‘HSTS not enforced’ warning in security center.
That’s because ‘Security Center’ is blocked/challenged by Firewall Rules. If you open the ‘Overview’ page of ‘Firewall’, you should see something like this:
you host here
Empty query string
AS132892 CLOUDFLARE Cloudflare, Inc.
This is the second time I insist that CF team should use a CF-like UA when you send a request to everyone’s website… How hard can it be to change ‘User-Agent’ string when coding?
I have suggested that the CF team use a proper UA before:
I finally did a lookup on that one. I believe the Speed Test was developed by an engineer before they joined Cloudflare. It’s the one location in South Carolina.
PS: about the RDP warning, I still can’t figure it out. Maybe it’s also a bug, I think.
Python, eh? That’s one of the worst user agents I have problems with probing my sites.
I’ll add Cloudflare’s ASN as an Allow and see how it goes.
Honestly, I think there’s a vulnerability if you add the CF ASN to your CF firewall whitelist. CF provides a serverless service (a.k.a. ‘Worker’). It’s very hard to block a CF IP if someone uses a ‘Worker’ to visit/scan your website illegally. I think we can add CF’s IP to iptables, but we should not add the CF ASN (without a proper UA) to the CF firewall whitelist.
Who doesn’t block python these days?
did fix the HSTS warning. Now I can get rid of that Allow statement and stop wondering.