Hey. I'm still very new to CloudFlare and I have a question.

Let's say that I have 4 sub domains: a.test.com, b.test.com, c.test.com, d.test.com. They're all under the same domain (test.com).

I have a page rule setup specifically for a.test.com, where "Disable security" is set to On. I did this as a temporary solution so that I can figure out the problems that a.test.com has when the security is enabled (had users complaints regarding not being able to send requests with CF security On), so that it is still accessible while I try to fix it..

By turning disabling security for a.test.com, do I put others (b, c, d) at risk? I had someone telling me that it is possible for attackers to make use of a.test.con (unprotected by CF) in order to attack the other sub-domains. "a.test.com has no protection so attackers can use it to send requests to other secured subdomains, cross-site attack" or something along that line.

I don't get this. I thought page rule is supposed to be active only for the domain where it's being set up and the rest will still be secured, and that if attacker manages to attack the other subdomain its due to the others not having secure applications inside of it.

Dunno if that person was telling the truth or tried to mess around with me with their joke!


  • 4
    Ask in the right forum instead of this place

    Here, we hate cloudflare - the Giant Man In The Middle - fuck em

    You better of not using cloudflare, and instead use something ethical.
  • 6
    @Linux devrant is pivoting to compete with stackoverflow lmao /s
  • 2
    @Linux okay just thought itd be fun to talk here instead of forums, forums are boring as fuck
  • 1
    @DwightSchrute if they all point to the same server then it could be possible to try to send requests to b.test.com and c.test.com via a.test.com ... if they get through or not is up to the server config. So, yes - theoretically it does put them at risk, however, if all the subdomains reside each on it's own individual server nor get proxied or served via the main domain name 'test.com' (not a "shared host" - each subdomain has it's own IP and runs on a different server essentially) then, even with a fairly default config such a situation is less likely.
  • 0
    @theKarlisK Thanks, yeah they all have their own vms aka not the same ip nor os. so I guess it should be fine then
  • 0
    Cloudflare likely only protects servers from external requests (As in external from trusted sources) and allow all request between services to prevent blocking API calls and the like cross domain.

    If you unsecure a domain, and it's compromised, there would be no protection against an SSRF vulnerability in the compromised domain from bypassing the security measures cloudflare protects against.
Add Comment