prowler
feat(cloudflare): Add TLS/SSL and email security checks for zones
Context
This PR adds additional security checks for Cloudflare zones, focusing on TLS/SSL configuration and email security. This is part 2 of 4 PRs for complete Cloudflare support.
Depends on: #9423
Description
Adds 9 security checks for Cloudflare zones:
TLS/SSL Checks (4):
| Check | Description |
|---|---|
| `zones_tls_1_3_enabled` | Validates TLS 1.3 is enabled |
| `zones_hsts_include_subdomains` | Ensures HSTS includes subdomains |
| `zones_automatic_https_rewrites_enabled` | Validates automatic HTTPS rewrites are enabled |
| `zones_universal_ssl_enabled` | Ensures Universal SSL is enabled |
Email Security Checks (4):
| Check | Description |
|---|---|
| `zones_dmarc_record_exists` | Validates DMARC record exists |
| `zones_spf_record_exists` | Validates SPF record exists |
| `zones_caa_record_exists` | Validates CAA record exists |
| `zones_email_obfuscation_enabled` | Ensures email obfuscation is enabled |
Security Configuration (1):
| Check | Description |
|---|---|
| `zones_security_level` | Validates security level is appropriately configured |
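As an added illustration (not code from this PR or from prowler), the logic the nine checks describe, evaluated offline against constructed zone data. The Cloudflare API response shapes used here (`settings` items with `id`/`value`, `ssl/universal/settings` with `enabled`, `dns_records` with `type`/`name`/`content`), the `zrt` value for TLS 1.3 and the "medium or stricter" threshold for `zones_security_level` are assumptions, not taken from the PR. It goes one step beyond the existence checks: `dmarc_policy` shows that a DMARC record with `p=none` satisfies `zones_dmarc_record_exists` yet enforces nothing, a caveat worth noting in that check's remediation guidance.

```python
"""Evaluate Cloudflare zone TLS/SSL, email-security and security-level checks.

Added example, not prowler's own code. All sample data below is constructed
and the API response shapes are assumed, so the module runs offline.
"""
from __future__ import annotations

from typing import Any

ZONE_NAME = "example.com"

# Constructed sample of GET /zones/{zone_id}/settings items (assumed id/value shape).
ZONE_SETTINGS: list[dict[str, Any]] = [
    {"id": "tls_1_3", "value": "on"},
    {"id": "automatic_https_rewrites", "value": "off"},
    {"id": "email_obfuscation", "value": "on"},
    {"id": "security_level", "value": "essentially_off"},
    {"id": "security_header", "value": {"strict_transport_security": {
        "enabled": True, "max_age": 31536000,
        "include_subdomains": False, "preload": False}}},
]

# Constructed sample of GET /zones/{zone_id}/ssl/universal/settings (assumed shape).
UNIVERSAL_SSL: dict[str, Any] = {"enabled": True}

# Constructed sample of GET /zones/{zone_id}/dns_records items (assumed shape).
DNS_RECORDS: list[dict[str, str]] = [
    {"type": "TXT", "name": "example.com",
     "content": "v=spf1 include:_spf.example.net -all"},
    {"type": "TXT", "name": "_dmarc.example.com",
     "content": "v=DMARC1; p=none; rua=mailto:dmarc@example.com"},
    {"type": "A", "name": "example.com", "content": "192.0.2.10"},
]

PASS, FAIL = "PASS", "FAIL"
# Assumed threshold: anything below "medium" is reported as misconfigured.
ACCEPTABLE_SECURITY_LEVELS = frozenset({"medium", "high", "under_attack"})


def _settings_by_id(settings: list[dict[str, Any]]) -> dict[str, Any]:
    return {s["id"]: s.get("value") for s in settings}


def _norm(name: str) -> str:
    """Normalise a DNS name: drop trailing dot, lower-case."""
    return name.rstrip(".").lower()


def _txt_records(records: list[dict[str, str]], name: str) -> list[str]:
    """TXT contents at `name`, with surrounding quotes stripped."""
    return [r["content"].strip('"') for r in records
            if r["type"] == "TXT" and _norm(r["name"]) == _norm(name)]


def find_spf(records: list[dict[str, str]], zone: str) -> list[str]:
    # SPF lives in a TXT record at the zone apex and starts with v=spf1.
    return [c for c in _txt_records(records, zone) if c.lower().startswith("v=spf1")]


def find_dmarc(records: list[dict[str, str]], zone: str) -> list[str]:
    # DMARC lives in a TXT record at _dmarc.<zone> and starts with v=DMARC1.
    return [c for c in _txt_records(records, f"_dmarc.{zone}")
            if c.lower().startswith("v=dmarc1")]


def dmarc_policy(records: list[dict[str, str]], zone: str) -> str | None:
    """Return the p= tag of the first DMARC record (none/quarantine/reject), or None."""
    for content in find_dmarc(records, zone):
        for tag in content.split(";"):
            key, _, value = tag.strip().partition("=")
            if key.strip().lower() == "p":
                return value.strip().lower()
    return None


def has_caa(records: list[dict[str, str]], zone: str) -> bool:
    return any(r["type"] == "CAA" and _norm(r["name"]) == _norm(zone) for r in records)


def evaluate_zone(zone: str, settings: list[dict[str, Any]], universal_ssl: dict[str, Any],
                  records: list[dict[str, str]],
                  acceptable_levels: frozenset[str] = ACCEPTABLE_SECURITY_LEVELS) -> dict[str, str]:
    """Map each check id to PASS/FAIL for one zone."""
    s = _settings_by_id(settings)
    hsts = (s.get("security_header") or {}).get("strict_transport_security", {})

    def verdict(ok: bool) -> str:
        return PASS if ok else FAIL

    return {
        # "zrt" is assumed to be the TLS 1.3 + 0-RTT variant, i.e. still enabled.
        "zones_tls_1_3_enabled": verdict(s.get("tls_1_3") in ("on", "zrt")),
        # includeSubDomains is meaningless unless HSTS itself is switched on.
        "zones_hsts_include_subdomains": verdict(bool(hsts.get("enabled")) and bool(hsts.get("include_subdomains"))),
        "zones_automatic_https_rewrites_enabled": verdict(s.get("automatic_https_rewrites") == "on"),
        "zones_universal_ssl_enabled": verdict(bool(universal_ssl.get("enabled"))),
        "zones_dmarc_record_exists": verdict(bool(find_dmarc(records, zone))),
        "zones_spf_record_exists": verdict(bool(find_spf(records, zone))),
        "zones_caa_record_exists": verdict(has_caa(records, zone)),
        "zones_email_obfuscation_enabled": verdict(s.get("email_obfuscation") == "on"),
        "zones_security_level": verdict(s.get("security_level") in acceptable_levels),
    }


if __name__ == "__main__":
    for check, status in evaluate_zone(ZONE_NAME, ZONE_SETTINGS, UNIVERSAL_SSL, DNS_RECORDS).items():
        print(f"{status}  {check}")
    print("dmarc p=", dmarc_policy(DNS_RECORDS, ZONE_NAME))
```

With the constructed data the zone passes TLS 1.3, Universal SSL, DMARC, SPF and email obfuscation, and fails HSTS subdomains, automatic HTTPS rewrites, CAA and security level; the DMARC record that passes carries `p=none`.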
Steps to review
- Review each check implementation in `prowler/providers/cloudflare/services/zones/`
- Verify metadata files have correct severity and remediation guidance
- Test locally:

```bash
prowler cloudflare --api-token <token> --check zones_tls_1_3_enabled
```
Checklist
- Are there new checks included in this PR? Yes (9 checks)
- If so, do we need to update permissions for the provider? No
- [x] Review if the code is being covered by tests.
- [x] Review if code is being documented following this specification https://github.com/google/styleguide/blob/gh-pages/pyguide.md#38-comments-and-docstrings
- [ ] Review if backport is needed.
- [ ] Review if is needed to change the Readme.md
- [ ] Ensure new entries are added to CHANGELOG.md, if applicable.
License
By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.