Web Application Penetration Test


We are having a penetration test performed on our web application in a couple of weeks and one of the requirements from the engagement letter is as follows:

“Please add our IP address ranges to the CDN’s web application firewall (WAF) allowlist and provide us with the submitted CDN Ticket or confirmation number prior to testing.”

I have added IP Access Rules to the WAF for the vendor’s IP addresses. Do I need to open a ticket with Cloudflare to obtain further approval? Are there any other things I should do in order to meet the requirement?



Seems like an odd requirement from them. Personally, I would say the changes have been made. If the vendor insists, then you can try opening an account ticket to get confirmation. If you do, make sure to clarify you have already made the changes and are only doing so to fulfill vendor requirements.
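A way to double-check the allowlist before the test window, as an added example that is not part of the original posts: it compares the vendor's ranges against a rule listing and reports ranges that are missing or allowed by a rule wider than requested. The rule shape (`mode`, `configuration.target`, `configuration.value`) is assumed to follow Cloudflare's IP Access Rules API listing, and all addresses are constructed documentation ranges.

```python
import ipaddress

# Constructed sample data (documentation address ranges), not real vendor IPs.
VENDOR_RANGES = ["198.51.100.0/24", "203.0.113.17/32", "192.0.2.0/25", "2001:db8:10::/48"]

# Constructed rules; shape assumed to match an IP Access Rules API listing.
RULES = [
    {"mode": "whitelist", "configuration": {"target": "ip_range", "value": "198.51.100.0/24"}},
    {"mode": "whitelist", "configuration": {"target": "ip", "value": "203.0.113.17"}},
    {"mode": "whitelist", "configuration": {"target": "ip_range", "value": "192.0.2.0/24"}},
    {"mode": "block", "configuration": {"target": "ip_range", "value": "2001:db8:10::/48"}},
    {"mode": "whitelist", "configuration": {"target": "country", "value": "US"}},
]

IP_TARGETS = {"ip", "ip6", "ip_range"}  # country and ASN rules are ignored here

def allow_networks(rules):
    """Return the networks covered by allow-mode rules that target IPs."""
    nets = []
    for rule in rules:
        cfg = rule["configuration"]
        if rule["mode"] == "whitelist" and cfg["target"] in IP_TARGETS:
            nets.append(ipaddress.ip_network(cfg["value"], strict=False))
    return nets

def audit(vendor_ranges, rules):
    """Map each vendor range to 'exact', 'broader' or 'missing'.

    A range split across several smaller allow rules is reported as
    'missing', since no single rule covers it.
    """
    allowed = allow_networks(rules)
    report = {}
    for cidr in vendor_ranges:
        net = ipaddress.ip_network(cidr, strict=False)
        covering = [a for a in allowed if a.version == net.version and net.subnet_of(a)]
        if not covering:
            report[cidr] = "missing"      # vendor traffic would still hit the WAF
        elif any(a == net for a in covering):
            report[cidr] = "exact"        # rule matches the engagement letter
        else:
            report[cidr] = "broader"      # rule allows more than was requested
    return report

if __name__ == "__main__":
    for cidr, status in audit(VENDOR_RANGES, RULES).items():
        print(f"{cidr:20} {status}")
```

The printed report can be kept alongside the engagement record as evidence of what was allowed, and the same list identifies the rules to remove once testing ends.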