Security Remediation TODO — Cloudflare
Created: 2026-04-24 01:50 UTC
Owner: Wadsworth 📋
Source: Cloudflare security scan (2026-04-18)
Reminder: Offer API token to agent for automated changes if desired
Critical: Email Authentication (DMARC)
| Item | Status | Action |
|---|---|---|
| DMARC record missing | 🔴 CRITICAL | Add TXT record _dmarc.hoffdesk.com |
Why it matters: Without a DMARC policy, receiving mail servers have no instruction for handling mail that fails SPF/DKIM alignment, so spoofed messages claiming to be from hoffdesk.com can be delivered, and legitimate mail from hoffdesk.com may be flagged as spam or rejected by recipients.
Dashboard path: DNS → Records → Add record
| Field | Value |
|---|---|
| Type | TXT |
| Name | _dmarc |
| Content | v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@hoffdesk.com |
| TTL | Auto |
Stricter option (after testing):
v=DMARC1; p=reject; rua=mailto:dmarc-reports@hoffdesk.com; pct=100
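Before publishing either record it is worth checking the tag syntax, since a malformed or mis-ordered record is silently ignored by receivers. The following validator is an added example, not Cloudflare's code and not part of the scan output; it parses the `tag=value;` format and checks the two records proposed above, embedded here as constructed strings rather than looked up from DNS.

```python
"""Sanity-check a DMARC TXT record (the tag=value; format used above) before publishing it.

Added example: not Cloudflare's code and not the scan's. The record strings below are the
two records proposed in this note; everything else is constructed for illustration.
"""
import re

VALID_POLICIES = {"none", "quarantine", "reject"}
MAILTO = re.compile(r"mailto:[^@\s,]+@[^@\s,]+")

# The two candidate records from this note (constructed copies, not looked up from DNS).
INITIAL_RECORD = "v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@hoffdesk.com"
STRICT_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@hoffdesk.com; pct=100"


def parse_dmarc(record: str) -> list[tuple[str, str]]:
    """Split 'tag=value; tag=value' into (tag, value) pairs, keeping the order on the wire."""
    pairs = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue  # tolerate a trailing semicolon
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        tag, value = part.split("=", 1)
        pairs.append((tag.strip().lower(), value.strip()))
    return pairs


def validate_dmarc(record: str) -> list[str]:
    """Return the problems found; an empty list means the record is safe to publish."""
    problems = []
    try:
        pairs = parse_dmarc(record)
    except ValueError as exc:
        return [str(exc)]
    tags = dict(pairs)

    # RFC 7489 requires v=DMARC1 to be the first tag; receivers ignore the record otherwise.
    if not pairs or pairs[0] != ("v", "DMARC1"):
        problems.append("record must begin with v=DMARC1")

    # p= is the only other mandatory tag and drives receiver handling of failing mail.
    policy = tags.get("p")
    if policy is None:
        problems.append("missing required p= tag")
    elif policy not in VALID_POLICIES:
        problems.append(f"unknown policy p={policy!r}")

    # sp= (subdomain policy) is optional but must use the same vocabulary.
    if "sp" in tags and tags["sp"] not in VALID_POLICIES:
        problems.append(f"unknown subdomain policy sp={tags['sp']!r}")

    # pct= defaults to 100; anything outside 0-100 is invalid.
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        problems.append(f"pct must be an integer 0-100, got {pct!r}")

    # Without rua= no aggregate reports arrive, so misconfigured senders stay invisible.
    rua = tags.get("rua")
    if rua is None:
        problems.append("no rua= address: aggregate reports will not be received")
    else:
        for uri in rua.split(","):
            if not MAILTO.fullmatch(uri.strip()):
                problems.append(f"rua must be a mailto: URI, got {uri.strip()!r}")
    return problems


if __name__ == "__main__":
    for name, rec in (("initial", INITIAL_RECORD), ("strict", STRICT_RECORD)):
        print(name, "->", validate_dmarc(rec) or "OK")
```

Run it with no arguments and both records from this note should report OK. The check on `rua=` is deliberate: the aggregate reports are what show whether cal.hoffdesk.com, hook.hoffdesk.com or any other sender is failing alignment, which is the evidence to collect before moving from `p=quarantine` to `p=reject`.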
Moderate: TLS/HTTPS Configuration
| Issue | Domain | Status | Action |
|---|---|---|---|
| Missing TLS Encryption | cal.hoffdesk.com | 🟡 MODERATE | Enable Full (strict) SSL |
| Missing TLS Encryption | hook.hoffdesk.com | 🟡 MODERATE | Enable Full (strict) SSL |
| Always Use HTTPS | hook.hoffdesk.com | 🟡 MODERATE | Enable redirect |
| HSTS missing | cal.hoffdesk.com | 🟡 MODERATE | Enable HSTS |
| HSTS missing | hook.hoffdesk.com | 🟡 MODERATE | Enable HSTS |
Dashboard path: SSL/TLS → Overview → Edge Certificates
Settings to enable:
1. [ ] SSL/TLS encryption mode: Full (strict)
2. [ ] Always Use HTTPS: On
3. [ ] HSTS: Enable (max-age: 31536000, include subdomains)
Optional: Security Hardening
| Item | Severity | Action |
|---|---|---|
| Block AI bots | Moderate | Security → Bots → Block AI bots: On |
| AI Labyrinth | Low | Security → Bots → AI Labyrinth: Enable |
| Bot Fight Mode | Moderate | Security → Bots → Bot Fight Mode: Toggle on |
| Security.txt | Low | SSL/TLS → Edge Certificates → Security.txt: Configure |
API Token Option
Reminder from Matt: Offer API token to agent for automated changes.
If you'd like me to make these changes programmatically:
- Create token: Cloudflare → My Profile → API Tokens → Create Token
- Permissions needed:
  - Zone:Read (for zone ID lookup)
  - DNS:Edit (for DMARC record)
  - SSL/TLS:Edit (for HTTPS/HSTS settings)
  - Zone Settings:Edit (for Security.txt, Bot Fight Mode)
- Zone resources: Include hoffdesk.com
- Client IP filtering: Optional — restrict to Tailscale IPs
Token delivery: DM me the token (it will be handled securely)
Alternative: I can continue providing step-by-step dashboard instructions.
Recommended Order
1. DMARC record — Critical for email reliability
2. TLS/HSTS — Security baseline
3. Email routing — After DNS propagates (~5 min)
4. Optional hardening — When convenient
Estimated time:
- Manual (dashboard): 10-15 minutes
- With API token: 2-3 minutes (I can script it)
What's your preference?