# Security Remediation TODO — Cloudflare

**Created:** 2026-04-24 01:50 UTC
**Owner:** Wadsworth 📋
**Source:** Cloudflare security scan (2026-04-18)
**Reminder:** Offer API token to agent for automated changes if desired

---

## Critical: Email Authentication (DMARC)

| Item | Status | Action |
|------|--------|--------|
| DMARC record missing | 🔴 CRITICAL | Add TXT record `_dmarc.hoffdesk.com` |

**Why it matters:** Without DMARC, emails sent from hoffdesk.com may be flagged as spam or rejected by recipients.

**Dashboard path:** DNS → Records → Add record

| Field | Value |
|-------|-------|
| Type | TXT |
| Name | `_dmarc` |
| Content | `v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@hoffdesk.com` |
| TTL | Auto |

**Stricter option (after testing):**

```
v=DMARC1; p=reject; rua=mailto:dmarc-reports@hoffdesk.com; pct=100
```

---

## Moderate: TLS/HTTPS Configuration

| Issue | Domain | Status | Action |
|-------|--------|--------|--------|
| Missing TLS Encryption | cal.hoffdesk.com | 🟡 MODERATE | Enable Full (strict) SSL |
| Missing TLS Encryption | hook.hoffdesk.com | 🟡 MODERATE | Enable Full (strict) SSL |
| Always Use HTTPS | hook.hoffdesk.com | 🟡 MODERATE | Enable redirect |
| HSTS missing | cal.hoffdesk.com | 🟡 MODERATE | Enable HSTS |
| HSTS missing | hook.hoffdesk.com | 🟡 MODERATE | Enable HSTS |

**Dashboard path:** SSL/TLS → Overview → Edge Certificates

**Settings to enable:**

1. [ ] SSL/TLS encryption mode: **Full (strict)**
2. [ ] Always Use HTTPS: **On**
3. [ ] HSTS: **Enable** (max-age: 31536000, include subdomains)

---

## Optional: Security Hardening

| Item | Severity | Action |
|------|----------|--------|
| Block AI bots | Moderate | Security → Bots → Block AI bots: **On** |
| AI Labyrinth | Low | Security → Bots → AI Labyrinth: **Enable** |
| Bot Fight Mode | Moderate | Security → Bots → Bot Fight Mode: **Toggle on** |
| Security.txt | Low | SSL/TLS → Edge Certificates → Security.txt: **Configure** |

---

## API Token Option

**Reminder from Matt:** Offer API token to agent for automated changes.

If you'd like me to make these changes programmatically:

1. **Create token:** Cloudflare → My Profile → API Tokens → Create Token
2. **Permissions needed:**
   - Zone:Read (for zone ID lookup)
   - DNS:Edit (for DMARC record)
   - SSL/TLS:Edit (for HTTPS/HSTS settings)
   - Zone Settings:Edit (for Security.txt, Bot Fight Mode)
3. **Zone resources:** Include hoffdesk.com
4. **Client IP filtering:** Optional — restrict to Tailscale IPs

**Token delivery:** DM me the token (it will be handled securely)

**Alternative:** I can continue providing step-by-step dashboard instructions.

---

## Recommended Order

1. **DMARC record** — Critical for email reliability
2. **TLS/HSTS** — Security baseline
3. **Email routing** — After DNS propagates (~5 min)
4. **Optional hardening** — When convenient

---

**Estimated time:**

- Manual (dashboard): 10-15 minutes
- With API token: 2-3 minutes (I can script it)

What's your preference?
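Before either DMARC value from the Critical section above is published, it is worth linting the TXT content so that a typo does not silently leave hoffdesk.com in monitor-only mode. The checker below is an added example, not part of this TODO or of any Cloudflare tooling; it parses the `tag=value;` syntax and flags the mistakes that most often defeat a DMARC rollout (missing `p=`, `p=none`, no `rua=` address, out-of-range `pct=`).

```python
"""Lint a DMARC TXT record value before adding it to DNS (added example)."""
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
MAILTO_URI = re.compile(r"mailto:[^@\s,]+@[^@\s,]+")


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def check_dmarc(record: str) -> list:
    """Return a list of findings; an empty list means the record is safe to publish."""
    findings = []
    tags = parse_dmarc(record)
    # RFC 7489 requires the version tag first and spelled exactly DMARC1.
    if not record.strip().lower().startswith("v=dmarc1"):
        findings.append("record must start with v=DMARC1")
    policy = tags.get("p")
    if policy is None:
        findings.append("missing required p= tag")
    elif policy not in VALID_POLICIES:
        findings.append(f"unknown policy {policy!r}")
    elif policy == "none":
        findings.append("p=none only monitors; mail failing DMARC is still delivered")
    rua = tags.get("rua")
    if rua is None:
        findings.append("no rua= address: aggregate reports will not be received")
    elif not all(MAILTO_URI.fullmatch(u.strip()) for u in rua.split(",")):
        findings.append(f"rua must be comma-separated mailto: URIs, got {rua!r}")
    pct = tags.get("pct")
    if pct is not None and not (pct.isdigit() and 0 <= int(pct) <= 100):
        findings.append(f"pct must be an integer 0-100, got {pct!r}")
    return findings


if __name__ == "__main__":
    for rec in ("v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@hoffdesk.com",
                "v=DMARC1; p=none"):
        print(rec, "->", check_dmarc(rec) or "OK")
```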