Skip to content

The 22 Cloudflare Access security checks Black Cat runs

Black Cat SSPM evaluates 22 security policies against your Cloudflare Access configuration on every scan, classifies each finding by risk, and provides remediation steps. Below is the full list, grouped by category.

access control

criticalApplication Without Policies

Assign at least one access policy to every Cloudflare Access application

highBypass Decision Policy

Replace the bypass decision policy with an allow or block policy to enforce authentication

highPolicy Allows Everyone

Remove the Everyone include rule and restrict access to specific users or groups

lowNo Purpose Justification

Enable purpose justification on the Access policy to require users to state a reason for access

highGroup Includes Everyone

Remove the Everyone rule from the Access group and scope membership to specific identities

mediumGroup With Empty Include Rules

Add at least one include rule to the Access group to define its membership

mediumSingle Identity Provider

Configure a second identity provider in Cloudflare Access to eliminate a single point of failure

mediumApplication Allows All IdPs

Restrict the application to specific identity providers via allowed_idps to prevent weaker IdPs (e.g., OTP) from authenticating users

mediumApplication No Auto-Redirect to IdP

Enable auto-redirect to the identity provider so users cannot choose a weaker authentication method

mediumPolicy Without Require Rules

Add require rules to the Access policy to enforce additional authentication conditions such as MFA

mediumGroup Without Require Rules

Add require rules to the Access group to enforce additional authentication conditions for group members

mediumService Token Over One Year Old

Rotate or revoke the Cloudflare Access service token that is over one year old

authentication

highOne-Time PIN Only Authentication

Add a corporate SAML or OIDC identity provider alongside one-time PIN to enforce stronger authentication

highNo SAML or OIDC Provider

Configure a SAML or OIDC identity provider that supports MFA enforcement in Cloudflare Access

configuration

highCORS Allows All Origins

Restrict CORS allowed origins to specific trusted domains for the Access application

lowApplication Hidden from App Launcher

Make the Access application visible in the App Launcher for easier discovery and auditing

lowService Token Without Name

Give the Cloudflare Access service token a descriptive name for easier auditing and ownership tracking

key management

highService Token Without Expiry

Set an expiration date on the Cloudflare Access service token to limit credential exposure

mediumStale Service Token

Rotate or revoke the Cloudflare Access service token that has not been rotated in over 180 days

lowExpired Service Token Not Deleted

Delete or renew the expired Cloudflare Access service token to remove abandoned credentials

mfa

highNo MFA Requirement

Enable MFA requirement on the Access policy to enforce multi-factor authentication

session management

mediumLong Session Duration

Reduce the Access application session duration to 24 hours or less

See these checks run on your stack

Start a free 14-day trial — no credit card required.

Start Free Trial