I’ve ended up on this thread for the exact same reason. I was disappointed to see that the API Token would apply to the whole DNS zone. It becomes unusable for us because of security concerns.
+1 would be great to get fine-grained security controls and allow restricting the API token at the subdomain level.
With the recent announcements about Foundation DNS being rolled out to Enterprise plans, one of the mentioned features is per-record scoped API tokens and user permissions. No idea on the release schedule.
+1 After the closing of Google Domains, looking for a new registrar.
It is only available for enterprise customers and not for domain only users.
Definitely a major vulnerability. It is terrifying to have 1 API key that has the power to destroy your entire business.
Looks like Cloudflare does not want to add this easy-to-implement functionality to free accounts.
Very major vulnerability that needs to be fixed.
It sounds like you’ve got this figured out. Cloudflare is hiring. Maybe you can join and help them solve these easy problems.
If joining Cloudflare is not on your career roadmap, you can at least submit a POC and claim a bug bounty for the vulnerability you found.