Security - separate the credentials for the dashboard and the community sites

Hello,

Today the same login serves both the operational customer dashboard and this community forum system.
I see this as a security risk since these two systems are at very different risk levels; hence using the dashboard credential (high risk) for a community forum (low risk) expands the risk of a possible live session credential theft from the “low” system being used at the “high” one.

Thank you.

Cloudflare runs a bug bounty program with HackerOne. If you can demonstrate a session hijack from the community forum which grants access to the dashboard that would be the place to report it.


My approach is doing things correctly from the start, doing the basics right, and currently, in my view, this design is not secure and should be improved.
If a vulnerability is found, it is too late.

I guess I’d recommend using a separate Cloudflare account with no zones or data associated if you believe the design to be insecure. It’s unlikely Cloudflare would abandon SSO in favor of an alternative.

