Using a single Cloudflare account in WordPress with WP Super Cache with visible API key

We are starting to use Cloudflare on a few WordPress client accounts and noticed in the CDN settings that my email address and API key are visible to the client.

Is this a potential security issue, where others can see my Cloudflare email address and API key? Should I be using one Cloudflare account per client account?

Here is a screenshot (I have blurred the API key and deleted the email input box in the console), but both of these values are visible to the customer.

What is the worst thing they could do with these two pieces of data?

Gracie asked Nov 17 '19 13:11


1 Answer

You have to use tokens instead of the global API key. You restrict the token to a certain zone only.

This alone will NOT solve the problem; you have to manually modify the WP Fastest Cache plugin so that the request matches API token usage. The requests can be found in inc\cdn.php

The modified file: https://gist.github.com/ahmed-abdelazim/7c8170f7fc4e821c6b015d770fcbf14a

so

    // Original request arguments: authenticates with the account-wide
    // global API key via the X-Auth-Email and X-Auth-Key headers
    $header = array(
        "method"  => "DELETE",
        'headers' => array(
            "X-Auth-Email" => $email,
            "X-Auth-Key"   => $key,
            "Content-Type" => "application/json"
        ),
        "body" => '{"purge_everything":true}'
    );

is converted to

    // Modified request arguments: authenticates with a zone-scoped API token
    // sent as a Bearer token; the X-Auth-Email header is no longer needed
    $header = array(
        "method"  => "DELETE",
        'headers' => array(
            //"X-Auth-Email" => $email,
            "Authorization" => "Bearer " . $key,
            "Content-Type"  => "application/json"
        ),
        "body" => '{"purge_everything":true}'
    );

and this occurred five times in the plugin's cdn.php file

Ahmed Abdelazim answered Oct 04 '22 23:10
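As an added example (not the plugin's or the answer's own code), the following helper centralizes the token-based request construction described above so the five call sites in cdn.php share one place where authentication is set. It assumes it is loaded inside WordPress (wp_remote_request, wp_json_encode, WP_Error); the function names and the "looks like a global key" heuristic are this example's own assumptions, and it uses POST for the purge endpoint, which is the method Cloudflare's current API reference documents (the plugin snippet above used DELETE).

```php
<?php
// Added example, not from the plugin or the answer. Assumes a WordPress runtime.

/**
 * Refuse credentials shaped like a Global API Key (assumption: 37 hex chars) so the
 * account-wide secret is never sent from the plugin by mistake. This only catches
 * the global-key format; it does not prove the token is scoped to one zone.
 */
function cf_assert_scoped_token( $key ) {
    if ( preg_match( '/^[0-9a-f]{37}$/i', $key ) ) {
        return new WP_Error( 'cf_global_key', 'Global API key detected; use a zone-scoped API token.' );
    }
    return true;
}

/** Build wp_remote_request() args using Bearer auth instead of X-Auth-Email/X-Auth-Key. */
function cf_request_args( $token, $method, $body = null ) {
    $args = array(
        'method'  => $method,
        'headers' => array(
            'Authorization' => 'Bearer ' . $token,
            'Content-Type'  => 'application/json',
        ),
    );
    if ( null !== $body ) {
        $args['body'] = wp_json_encode( $body );
    }
    return $args;
}

/** Purge the whole zone; one function replaces the five hard-coded header arrays. */
function cf_purge_everything( $zone_id, $token ) {
    $ok = cf_assert_scoped_token( $token );
    if ( is_wp_error( $ok ) ) {
        return $ok;
    }
    $url = 'https://api.cloudflare.com/client/v4/zones/' . rawurlencode( $zone_id ) . '/purge_cache';
    return wp_remote_request( $url, cf_request_args( $token, 'POST', array( 'purge_everything' => true ) ) );
}

/** Check a token before saving it: GET /user/tokens/verify reports status "active" for a usable token. */
function cf_token_is_active( $token ) {
    $res = wp_remote_get( 'https://api.cloudflare.com/client/v4/user/tokens/verify', cf_request_args( $token, 'GET' ) );
    if ( is_wp_error( $res ) ) {
        return false;
    }
    $json = json_decode( wp_remote_retrieve_body( $res ), true );
    return ! empty( $json['success'] ) && isset( $json['result']['status'] ) && 'active' === $json['result']['status'];
}
```

With this in place, the token stored in the plugin settings only ever carries the permissions granted to it (for example, Cache Purge on a single zone), so a client who can read it cannot act on other zones in the account.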