I used Access to protect a back-office application, adding Google authentication. This application is using some REST API that right now is public. What do you suggest doing from a secure design point of view? I would like to allow this API only for Cloudflare and the development team. What are the best practices in this case, in order to avoid exposing APIs to the entire world?
First, set SSL/TLS security to Full or Full (strict); this protects data.
Second, proxy traffic through Cloudflare. If it is set to DNS only and you see a warning symbol to the left of it, that is exposing IPs and may be dangerous.
Third, create a certificate for the site. Some can be made for free, but others (like advanced certificates) have to be paid for.
Fourth, set the security level. There are 6 security levels (1 can only be used with an Enterprise plan).
Off (Enterprise only) - This should NEVER be used as it doesn't block low-rep IPs!
Essentially off - Challenges threat scores greater than 48, coming from the worst-rep IPs. This should not be used as it has little security.
Low - Challenges threat scores greater than 24, coming from the most threatening visitors.
Medium - Challenges threat scores greater than 14, coming from moderate threat visitors and the most threatening visitors.
High - Challenges all visitors with threatening behavior in the last 14 days.
Don't use I'm Under Attack Mode when your website is not under a DDoS attack. I'm Under Attack Mode affects the website and may block non-threatening connections; should a DDoS attack be threatened, set security to High, NOT I'm Under Attack Mode.
I'd recommend visiting https://support.cloudflare.com/hc/en-us/search/click?data=BAh7CzoHaWRsKwgrGhfTUwA6D2FjY291bnRfaWRpA3LSAjoJdHlwZUkiDGFydGljbGUGOgZFVDoIdXJsSSJmaHR0cHM6Ly9zdXBwb3J0LmNsb3VkZmxhcmUuY29tL2hjL2VuLXVzL2FydGljbGVzLzM2MDAyMzc5MjE3MS1HZXR0aW5nLVN0YXJ0ZWQtd2l0aC1DbG91ZGZsYXJlLVNTTAY7CFQ6DnNlYXJjaF9pZEkiKTJmOGQxNTY4LTc1OWUtNDExZS05ODUwLTZmZmU0NzRlYWVjYgY7CEY6CXJhbmtpCg%3D%3D--809e39846f5f48bf86af0e8a9c29f7eefc631a26 for more information on SSL.
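The question asks how to let only Cloudflare and the development team reach the REST API, and the answer's second point is that an origin reachable directly (DNS only, proxy off) exposes its IP. The proxy setting alone does not stop someone who already knows the origin address from connecting to it directly and bypassing Access; the origin itself has to refuse connections that did not come through a Cloudflare edge. The following is an added example, not code from the question, the answer or Cloudflare: an origin-side source allowlist that classifies the TCP peer address against a Cloudflare edge range list and a dev-team list. The CIDRs below are constructed placeholders (Cloudflare publishes its real edge ranges; substitute those and your own office/VPN ranges). It deliberately takes the socket peer address, not `X-Forwarded-For` or `CF-Connecting-IP`, because a client connecting straight to the origin can set those headers to anything.

```python
"""
Origin-side source allowlist for a REST API fronted by Cloudflare Access.

Accept a request only if the TCP peer is a Cloudflare edge (so Access and
the WAF were actually in the path) or a development-team address. Added
example code; the CIDR lists are constructed placeholders, not Cloudflare's
published ranges.
"""
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample ranges (placeholders for this example only).
CLOUDFLARE_EDGE_RANGES = ["198.51.100.0/24", "2001:db8:cf::/48"]
DEV_TEAM_RANGES = ["203.0.113.10/32", "203.0.113.64/26"]


def parse_ranges(ranges: Iterable[str]) -> List[Network]:
    """Parse CIDR strings once at startup; a typo here should fail loudly."""
    return [ipaddress.ip_network(r, strict=True) for r in ranges]


class SourceAllowlist:
    """Classifies a connection's peer address as cloudflare, dev, denied or invalid."""

    def __init__(self, cloudflare_ranges: Iterable[str], dev_ranges: Iterable[str]):
        self.cloudflare = parse_ranges(cloudflare_ranges)
        self.dev = parse_ranges(dev_ranges)

    def classify(self, peer_addr: str) -> str:
        # peer_addr must be the socket's remote address. Never derive it from
        # X-Forwarded-For or CF-Connecting-IP here: for a direct-to-origin
        # connection those headers are set by the client, not by Cloudflare.
        try:
            ip = ipaddress.ip_address(peer_addr)
        except ValueError:
            return "invalid"
        if any(ip in net for net in self.cloudflare):
            return "cloudflare"
        if any(ip in net for net in self.dev):
            return "dev"
        return "denied"

    def is_allowed(self, peer_addr: str) -> bool:
        return self.classify(peer_addr) in ("cloudflare", "dev")


ALLOWLIST = SourceAllowlist(CLOUDFLARE_EDGE_RANGES, DEV_TEAM_RANGES)


def gate_request(peer_addr: str, allowlist: SourceAllowlist = ALLOWLIST) -> int:
    """
    Return the HTTP status the origin should answer with before touching the
    API: 0 means 'pass through to the application', 403 means refuse.
    The decision is logged with the peer address and its class so that
    direct-to-origin attempts show up in the origin's logs.
    """
    verdict = allowlist.classify(peer_addr)
    print(f"source-gate peer={peer_addr} class={verdict}")
    return 0 if verdict in ("cloudflare", "dev") else 403


if __name__ == "__main__":
    # Constructed sample peers: an edge address, a dev box, a stranger, garbage.
    for peer in ("198.51.100.7", "2001:db8:cf::1", "203.0.113.10",
                 "192.0.2.44", "not-an-ip"):
        print(peer, "->", gate_request(peer))
```

Wire `gate_request` in as the first middleware in front of the API (or, better, enforce the same lists in the host firewall so the socket is never accepted), keep the edge-range list refreshed from Cloudflare's published source, and keep the Access check for the application itself; the allowlist only proves the request went through Cloudflare, not who the user is.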