The 22 Cloudflare Access security checks Black Cat runs
Black Cat SSPM evaluates 22 security policies against your Cloudflare Access configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.
access control
Assign at least one access policy to every Cloudflare Access application
Replace the bypass decision policy with an allow or block policy to enforce authentication
Remove the Everyone include rule and restrict access to specific users or groups
Enable purpose justification on the Access policy to require users to state a reason for access
Remove the Everyone rule from the Access group and scope membership to specific identities
Add at least one include rule to the Access group to define its membership
Configure a second identity provider in Cloudflare Access to eliminate a single point of failure
Restrict the application to specific identity providers via allowed_idps to prevent weaker IdPs (e.g., OTP) from authenticating users
Enable auto-redirect to the identity provider so users cannot choose a weaker authentication method
Add require rules to the Access policy to enforce additional authentication conditions such as MFA
Add require rules to the Access group to enforce additional authentication conditions for group members
Rotate or revoke the Cloudflare Access service token that is over one year old
authentication
Add a corporate SAML or OIDC identity provider alongside one-time PIN to enforce stronger authentication
Configure a SAML or OIDC identity provider that supports MFA enforcement in Cloudflare Access
configuration
Restrict CORS allowed origins to specific trusted domains for the Access application
Make the Access application visible in the App Launcher for easier discovery and auditing
Give the Cloudflare Access service token a descriptive name for easier auditing and ownership tracking
key management
Set an expiration date on the Cloudflare Access service token to limit credential exposure
Rotate or revoke the Cloudflare Access service token that has not been rotated in over 180 days
Delete or renew the expired Cloudflare Access service token to remove abandoned credentials
mfa
Enable MFA requirement on the Access policy to enforce multi-factor authentication
session management
Reduce the Access application session duration to 24 hours or less