Cloudflare API tokens and API keys are very powerful, and a malicious user who obtains one can do a great deal of damage. The lifetime of these tokens can be defined, and their use can be limited further by configuring a network range. Rotating these tokens more often of course improves the security posture, but it is often impractical and does not eliminate the risk of misuse.
The security perimeter now extends beyond a company's network to include user and device identity. Modern workplaces are no longer connected to a company's private network, so the company's proxy is no longer in play. As a result, use of the token can no longer be limited to the network range of the company's proxy.
One solution to the problem would be for Cloudflare to introduce conditional-access policies that could be configured on tokens used to administer critical sites.
Signals driving the decision for such policies could include the following:
- Location, origin or timestamp of an API request
- OS User
- Application hash of the client application
- Proof of possession of a certain client certificate
To prove these signals, some sort of pre-authentication flow must take place before the actual API call is executed. The pre-auth step could be based on, e.g., the Secure Remote Password protocol (SRP / PAKE) or similar.
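As an added illustration of how such a token policy could be evaluated against the signals listed above (this is not Cloudflare code or an existing Cloudflare feature), the policy model, field names and sample request data below are assumptions; proof of possession of the client certificate is reduced to a fingerprint match, and the SRP/PAKE pre-auth exchange itself is left out.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# Hypothetical policy model (assumption, not a Cloudflare API).
@dataclass
class TokenPolicy:
    allowed_cidrs: list        # networks an API request may originate from
    allowed_hours_utc: tuple   # (start, end) UTC hour window, end exclusive
    allowed_os_users: set      # OS users permitted to present the token
    client_app_sha256: str     # expected hash of the client application
    client_cert_sha256: str    # expected fingerprint of the client certificate

@dataclass
class RequestContext:
    source_ip: str
    timestamp: datetime
    os_user: str
    client_app_bytes: bytes    # bytes of the client binary presented at pre-auth
    client_cert_der: bytes     # DER certificate presented at pre-auth

def evaluate(policy, ctx):
    """Return the signals that failed; an empty list means the call may proceed."""
    failures = []
    ip = ipaddress.ip_address(ctx.source_ip)
    if not any(ip in ipaddress.ip_network(c) for c in policy.allowed_cidrs):
        failures.append("location")
    start, end = policy.allowed_hours_utc
    if not start <= ctx.timestamp.astimezone(timezone.utc).hour < end:
        failures.append("timestamp")
    if ctx.os_user not in policy.allowed_os_users:
        failures.append("os_user")
    if hashlib.sha256(ctx.client_app_bytes).hexdigest() != policy.client_app_sha256:
        failures.append("application_hash")
    if hashlib.sha256(ctx.client_cert_der).hexdigest() != policy.client_cert_sha256:
        failures.append("client_certificate")
    return failures

# Constructed sample data: a trusted client binary and certificate.
APP, CERT = b"constructed-client-binary", b"constructed-client-cert-der"
POLICY = TokenPolicy(["203.0.113.0/24"], (8, 18), {"deploy"},
                     hashlib.sha256(APP).hexdigest(), hashlib.sha256(CERT).hexdigest())
WHEN = datetime(2024, 5, 6, 10, 30, tzinfo=timezone.utc)
GOOD = RequestContext("203.0.113.25", WHEN, "deploy", APP, CERT)
# Same token presented from an unexpected network with a different certificate.
BAD = RequestContext("198.51.100.7", WHEN, "deploy", APP, b"some-other-cert")

if __name__ == "__main__":
    print(evaluate(POLICY, GOOD), evaluate(POLICY, BAD))  # [] ['location', 'client_certificate']
```

Returning the full list of failed signals rather than a single boolean is what makes a denied request useful to the operator for alerting and for telling a stolen token apart from a misconfigured client.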