---
title: Application security dashboard
description: The application security dashboard helps you understand the current security posture of your web applications and allows you to configure different security rules for those applications.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

> Documentation Index  
> Fetch the complete documentation index at: https://developers.cloudflare.com/security/llms.txt  
> Use this file to discover all available pages before exploring further.


# Application security dashboard

The application security dashboard is your starting point to better understand the security posture of your web applications, and to configure rules to protect them.

**New dashboard experience**

Cloudflare is gradually making the new **Security** dashboard available by default to users. Users who do not have the new dashboard by default can still manually opt in:

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com), and select your account and domain.
2. Open any page under **Security**.
3. In the top right-hand corner of the page, select **Try new dashboard**.

To opt out of the new security dashboard:

1. In the Cloudflare dashboard, go to the Security **Settings** page.  
[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. Turn off the setting **New application security dashboard**.

The opt-out option will be available for a limited time.

## Features

###  Security overview 

Get a high-level overview of your domain's security posture.

[ Explore Security overview ](https://developers.cloudflare.com/security/overview/) 

###  Security Analytics 

Shows information about all incoming HTTP requests or mitigated requests (rule matches). Tailor your security configurations based on sampled logs.

[ Explore Security Analytics ](https://developers.cloudflare.com/security/analytics/) 

###  Web assets 

Discover your web assets (including API endpoints) and instruct Cloudflare how to best protect them.

[ Use Web assets ](https://developers.cloudflare.com/security/web-assets/) 

###  Security rules 

Perform security actions on incoming requests that match specified filters.

[ Use Security rules ](https://developers.cloudflare.com/security/rules/) 

---

## More resources

[Plans](https://www.cloudflare.com/plans/#overview) 

Compare available Cloudflare plans


---

---
title: Security overview
description: Review your domain's security posture and action items.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Security overview

Security overview summarizes your domain's security posture and lets you quickly identify security action items that may need your attention.

To access Security overview in the new security dashboard, go to the **Overview** page.

[ Go to **Overview** ](https://dash.cloudflare.com/?to=/:account/:zone/security/overview) 

The Security overview page displays:

* Security action items
* Detection tools
* Traffic overview

## Security action items

**Security action items** shows you insights and recommendations related to misconfigurations, exposed infrastructure, and suspicious activity.

* **Action item types**:
   * Suspicious activity
   * Security insight
* **Criticality**: Action items are ranked by criticality, with critical items shown first, followed by moderate and then low.
* **Filters**: You can filter your action items by Criticality, Insight Type, and Security Category.
   * Criticality:
      * Low
      * Moderate
      * Critical
   * Insight Types:
      * Suspicious activity
      * Exposed infrastructure
      * Insecure configuration
      * Configuration suggestion
      * Compliance Violation
      * Email Security
      * Weak Authentication
   * Security Category:
      * Web application exploits
      * AI exploits
      * DDoS attacks
      * Bot traffic
      * API abuse
      * Client-side abuse
      * Fraud
* **Review**: Review your security action items for more detailed information and the recommended actions to resolve them.
* **Load more**: View the full list of security action items.

### Archive action items

You can archive security action items that you do not want to display in the main list. The following archive options are available:

* **False Positive**: Removes the action item from your active list and suppresses it indefinitely. Rationale text is optional.
* **Accept Risk**: Removes the action item from your active list and suppresses it indefinitely. Rationale text is required.
* **Other**: Removes the action item from your active list and suppresses it indefinitely. Rationale text is required.

You can move an action item from the archive back to the active list at any time.

**Archiving suspicious activity**

Archiving a detected suspicious activity will only archive that item from the security overview page. The suspicious activity will still appear in your security analytics dashboard.

### Audit log API endpoints

To see when an action item's status was changed and the rationale provided for that change, retrieve the audit logs from the following API endpoints:

| Method | Path                                                                    | Description                                      |
| ------ | ----------------------------------------------------------------------- | ------------------------------------------------ |
| GET    | /api/accounts/{accountID}/insights/audit-log                            | List all audit logs for an account               |
| GET    | /api/accounts/{accountID}/insights/{insightID}/audit-log                | List audit logs for a specific issue             |
| GET    | /api/accounts/{accountID}/issues/audit-log                              | List all audit logs for account issues           |
| GET    | /api/accounts/{accountID}/issues/{insightID}/audit-log                  | List all audit logs for a specific issue         |
| GET    | /api/accounts/{accountID}/zones/{zoneID}/insights/audit-log             | List all audit logs for a domain                 |
| GET    | /api/accounts/{accountID}/zones/{zoneID}/insights/{insightID}/audit-log | List audit logs for a specific issue in a domain |

Refer to our [Security Center API documentation](https://developers.cloudflare.com/api/resources/security%5Fcenter) to review the action item audit logs by account, domain, or a specific `issue_id`.

## Detection tools

Review the available detection tools and what services are currently running to protect your domain against threats.

## Traffic overview

View the patterns and highlights from your domain's traffic in the past 30 days.

The Cloudflare dashboard displays:

* **Monthly requests**: View the monthly requests and traffic that has been mitigated by Cloudflare.
* **How you compare to your peers**: For Enterprise plans, understand how your security posture compares to others in your industry protected by Cloudflare.


---

---
title: Security Insights
description: Scan your account for misconfigurations and potential security risks across all domains.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Security Insights

**User permission**

Ensure your user has one of the necessary roles to access Security Insights. Refer to [Roles and permissions](https://developers.cloudflare.com/security/security-insights/roles-and-permissions/) for more information.

Security Insights provides you with a list of insights covering different areas of your Cloudflare environment, such as Cloudflare account settings, DNS record configurations, SSL/TLS certificate configurations, Cloudflare Access configurations, and Cloudflare WAF configurations.

Listed below are the specific insights currently available:

| Insight Name                                                                                                                                                                          | Description                                                                                                                                                                                                                                          |
| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [CASB integration status](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/troubleshooting/)                                                              | We detect unhealthy CASB integrations.                                                                                                                                                                                                               |
| [Dangling A Records](https://developers.cloudflare.com/dns/manage-dns-records/reference/dns-record-types/#a-and-aaaa)                                                                 | An A record is pointing to an IPv4 address that you might no longer control. You are at risk of a subdomain takeover. |
| [Dangling AAAA Records](https://developers.cloudflare.com/dns/manage-dns-records/reference/dns-record-types/#a-and-aaaa)                                                              | An AAAA record is pointing to an IPv6 address that you might no longer control. You are at risk of a subdomain takeover. |
| [Dangling CNAME Records](https://developers.cloudflare.com/dns/manage-dns-records/reference/dns-record-types/#a-and-aaaa)                                                             | A CNAME record is pointing to a resource that cannot be found. You are at risk of a subdomain takeover. |
| [DMARC Record Errors](https://developers.cloudflare.com/dns/manage-dns-records/reference/dns-record-types/#dmarc)                                                                     | We detect an incorrect or missing DMARC record.                                                                                                                                                                                                      |
| [Domains missing TLS Encryption](https://developers.cloudflare.com/ssl/get-started/)                                                                                                  | We detect that there is no TLS encryption for this domain.                                                                                                                                                                                           |
| [Domains supporting older TLS version](https://developers.cloudflare.com/ssl/reference/protocols/)                                                                                    | This domain supports older versions of the TLS protocol.                                                                                                                                                                                             |
| [Domains without 'Always Use HTTPS'](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/always-use-https/)                                                    | HTTP requests to this domain may not redirect to its HTTPS equivalent.                                                                                                                                                                               |
| [Domains without HSTS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/http-strict-transport-security/)                                                    | HTTP Strict Transport Security (HSTS) is a header that allows a website to specify and enforce security policy in client web browsers. This policy enforcement protects secure websites from downgrade attacks, SSL stripping, and cookie hijacking. |
| [Exposed RDP Servers](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/use-cases/rdp/)                                                          | We detect an RDP server that is exposed to the public Internet.                                                                                                                                                                                      |
| [Get notified of malicious client-side scripts](https://developers.cloudflare.com/client-side-security/alerts/)                                                                       | We detect that client-side security alerts are not configured. You will not receive notifications when we detect potential malicious scripts executing in your client-side environment.                                                              |
| [Increased body response size detected on API endpoints](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-labels/)                                     | Investigate changes, abuse, or successful attacks that may have led to this increase in response body size.                                                                                                                                          |
| [Increased errors detected on API endpoints](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-labels/)                                                 | Investigate changes, abuse, or successful attacks that may have led to this increase in errors.                                                                                                                                                      |
| [Increased latency detected on API endpoints](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-labels/)                                                | Investigate changes, abuse, or successful attacks that may have led to this increase in response latency.                                                                                                                                            |
| [Managed Rules not deployed](https://developers.cloudflare.com/waf/managed-rules/)                                                                                                    | No managed rules deployed on a WAF protected domain. Refer to [Known limitations](#known-limitations).                                                                                                                                               |
| [Upgrade to new Managed Rules](https://developers.cloudflare.com/waf/reference/legacy/old-waf-managed-rules/upgrade/)                                                                 | Upgrade to new Managed Rules system required for optimal protection.                                                                                                                                                                                 |
| [Mixed-authentication API endpoints detected](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-labels/#managed-labels)                                 | Not all of the successful requests against API endpoints carried session identifiers.                                                                                                                                                                |
| [New API endpoints detected](https://developers.cloudflare.com/api-shield/security/api-discovery/)                                                                                    | API Discovery detects new API endpoints in your zone's traffic.                                                                                                                                                                                      |
| [New CASB integrations found](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/)                                                                          | New CASB integrations have been found.                                                                                                                                                                                                               |
| [Overprovisioned Access Policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)                                                                         | We detect an Access policy to allow everyone access to your application.                                                                                                                                                                             |
| [Client-side security not enabled](https://developers.cloudflare.com/client-side-security/get-started/)                                                                               | Client-side security (formerly known as Page Shield) helps meet PCI DSS v4.0 compliance regarding requirement 6.4.3.                                                                                                                                 |
| [SPF Record Errors](https://developers.cloudflare.com/dns/manage-dns-records/reference/dns-record-types/#spf)                                                                         | We detect an incorrect or missing SPF record.                                                                                                                                                                                                        |
| [Schema Validation missing from eligible API endpoints](https://developers.cloudflare.com/api-shield/security/schema-validation/)                                                     | Apply the learned schema to protect your API against fuzzing attacks.                                                                                                                                                                                |
| [Sensitive data in API response](https://developers.cloudflare.com/api-shield/management-and-monitoring/#sensitive-data-detection)                                                    | Sensitive data in API responses detected.                                                                                                                                                                                                            |
| [Turn on JavaScript Detection](https://developers.cloudflare.com/bots/additional-configurations/javascript-detections/)                                                               | One or more of your Bot Management enabled zones does not have JavaScript Detection enabled, which is a critical part of our bot detection suite.                                                                                                    |
| [Unassigned Access seats](https://developers.cloudflare.com/cloudflare-one/)                                                                                                          | We detect a Zero Trust subscription that is not configured yet.                                                                                                                                                                                      |
| [Unauthenticated API endpoints detected](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-labels/#managed-labels)                                      | None of the successful requests against API endpoints carried session identifiers.                                                                                                                                                                   |
| [Unprotected Cloudflare Tunnels](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/self-hosted-public-app/#4-connect-your-origin-to-cloudflare) | We detect an application that is served by a Cloudflare Tunnel but not protected by a corresponding Access policy.                                                                                                                                   |
| [Unproxied A Records](https://developers.cloudflare.com/dns/manage-dns-records/reference/dns-record-types/#a-and-aaaa)                                                                | This DNS record is not proxied by Cloudflare. Cloudflare cannot protect this origin because it is exposed to the public Internet. |
| [Unproxied AAAA Records](https://developers.cloudflare.com/dns/manage-dns-records/reference/dns-record-types/#a-and-aaaa)                                                             | This DNS record is not proxied by Cloudflare. Cloudflare cannot protect this origin because it is exposed to the public Internet. |
| [Unproxied CNAME Records](https://developers.cloudflare.com/dns/proxy-status/#dns-only-records)                                                                                       | This DNS record is not proxied by Cloudflare. Cloudflare cannot protect this origin because it is exposed to the public Internet. |
| [Users without MFA](https://developers.cloudflare.com/fundamentals/user-profiles/2fa/)                                                                                                | We detect that a Cloudflare administrative user has not enabled multifactor authentication.                                                                                                                                                          |
| [Zones without WAF Managed Rules](https://developers.cloudflare.com/waf/managed-rules/)                                                                                               | We detect that this domain does not have the WAF's Managed Rules enabled. You are at risk from zero-day and other common vulnerabilities.                                                                                                            |
| [No Turnstile enabled](https://developers.cloudflare.com/turnstile/)                                                                                                                  | We detect that there is no Turnstile widget configured on the account.                                                                                                                                                                               |

## Known limitations

Security Insights scans run periodically and use heuristics to detect potential issues. In some cases, an insight may not accurately reflect your current configuration:

* **_Managed Rules not deployed_ on zones with account-level managed rules**: If you deploy managed rules at the account level rather than the zone level, Security Center may not detect them and may report that managed rules are not deployed. If your account-level configuration is correct, you can [archive the insight](https://developers.cloudflare.com/security/security-insights/review-insights/#archive-insights) to dismiss it.
* **Vulnerability insights for rules in log mode**: If you configure a managed rule with a _Log_ action (for example, to monitor traffic before enforcing), Security Center may still generate a vulnerability insight because the rule is not actively blocking traffic. This is expected behavior. You can archive the insight if you are intentionally using log mode.

To remove a resolved or inaccurate insight from your dashboard, [archive the insight](https://developers.cloudflare.com/security/security-insights/review-insights/#archive-insights) or wait for the next automatic scan.

## More resources

For more information on available operations for Security Insights, refer to [Review Security Insights](https://developers.cloudflare.com/security/security-insights/review-insights/).


---

---
title: How it works
description: How Security Insights scans your account and produces security findings.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# How it works

Once you [enable Security Insights](https://developers.cloudflare.com/security-center/get-started/), Cloudflare runs regular security scans on your account. These scans check your Cloudflare account settings, DNS record configurations, and product configurations — such as SSL/TLS, WAF, and Access — across all domains in your account.

Each scan compares your current configuration against a set of ideal product configurations that indicate a strong security posture. When your configuration does not match an ideal configuration for one or more checks, the scan produces a **Security Insight** — a finding that represents a potential risk.

The [list of insights](https://developers.cloudflare.com/security/security-insights/) may include potential security threats, vulnerabilities, compliance risks, insecure configurations, or any other identified risks.

**Note**

Security Insights also checks [non-proxied (DNS-only) hostnames](https://developers.cloudflare.com/dns/proxy-status/#dns-only-records). Because these records are not routed through Cloudflare, they do not benefit from Cloudflare's application security features.

## Scan properties

Each insight has the following properties:

* **Severity**: The security risk of the insight. The severity values are: _Moderate_, _High_, and _Critical_. The higher the severity level, the higher the risk of threat to your environment.
* **Insight**: The insight description detailing the current configuration that is causing the risk or vulnerability.
* **Risk**: A description of the risk associated with not addressing the issue.
* **Type**: The insight category.

For a full list of insight types and their descriptions, refer to [Security Insights](https://developers.cloudflare.com/security/security-insights/).

## Scan frequency

Once you enable Security Insights, Cloudflare performs scans automatically. Paying customers (as defined in the table below) are re-scanned daily and can trigger a scan manually:

| Plan                                      | Scan Frequency | On-Demand |
| ----------------------------------------- | -------------- | --------- |
| Accounts on a Free, Pro, or Business plan | Every 7 days   | Yes       |
| Accounts on an Enterprise plan            | Every 3 days   | Yes       |

Eligible accounts (Business, Enterprise, or Teams plans) can also manually start a scan. Refer to [Get started](https://developers.cloudflare.com/security-center/get-started/) for instructions.


---

---
title: Review Security Insights
description: Review, filter, and resolve security insights detected across your domains.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Review Security Insights

After [enabling Security Insights](https://developers.cloudflare.com/security-center/get-started/) and letting the first scan run, check the **Security Insights** tab for a list of detected insights that you should address.

For each detected insight, you can resolve it or archive it, after understanding its risks.

1. In the Cloudflare dashboard, go to the **Security Insights** page.  
[ Go to **Security insights** ](https://dash.cloudflare.com/?to=/:account/security-center)
2. Next to the insight you wish to address, select **Details** to review it.

## Resolve an insight

Insights are not automatically removed from your dashboard when you address them. You must either manually [archive insights](#archive-insights), manually trigger another scan, or wait for the automatic scan to run as per [scan frequency](https://developers.cloudflare.com/security/security-insights/how-it-works/#scan-frequency).

In the Resolve insights page, if you choose to update a configuration based on the recommended actions, follow the instructions on the insight details page.

The following insights are resolved through a different, straightforward workflow:

* **Minimum Version of TLS 1.2 not enforced**: To resolve this insight:  
   * Go to **SSL/TLS** \> **Edge Certificates**.  
   * Select **TLS 1.2**.
* **Domains without "Always use HTTPS"**: To resolve this insight:  
   * Go to **SSL/TLS** \> **Edge Certificates**.  
   * Select **Always Use HTTPS**.
* **Turn on JavaScript Detections**: To resolve this insight:  
   * Go to **Security** \> **Bots** \> Select **Configure Bot Management**.  
   * Select **JavaScript Detections**.

## Export insights

You can export security insights to a CSV format directly from the dashboard.

To export security insights:

1. In the Cloudflare dashboard, go to the **Security Insights** page.  
[ Go to **Security insights** ](https://dash.cloudflare.com/?to=/:account/security-center)
2. Select **Export insights**.

Exporting security insights allows you to perform a deeper analysis of your insights.

The exported CSV file includes information such as the severity of your data, insight type, scan date, issue class, and additional optional fields, such as insight details, risk assessment, detection method, and recommended actions.

## Archive insights

You can archive one or more insights from the dashboard.

To archive insights:

1. In the Cloudflare dashboard, go to the **Security Insights** page.  
[ Go to **Security insights** ](https://dash.cloudflare.com/?to=/:account/security-center)
2. Select the insight(s) you want to archive, then select **Archive selected**.

Alternatively, to archive an insight:

1. Select the insight you want to archive and select **Details**. The dashboard will open a page where you will be able to review [insight properties](https://developers.cloudflare.com/security/security-insights/how-it-works/#scan-properties).
2. Select **Archive insight**.

## Enable alerts

You can enable alerts for critical insights.

To enable alerts:

1. In the Cloudflare dashboard, go to the **Security Insights** page.  
[ Go to **Security insights** ](https://dash.cloudflare.com/?to=/:account/security-center)
2. Select the security insight(s) you want to create an alert for, then select **Create alert for selected classes**.
3. Enter the notification name, and choose one or more insight classes to filter the notification.
4. Select **Add email recipient** and enter an email address to receive the alert.
5. Select **Save**.


---

---
title: Roles and permissions
description: Cloudflare roles required to access and manage Security Insights.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Roles and permissions

Cloudflare users with the following [roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/) have access to Security Insights in the Cloudflare dashboard:

* Administrator
* Administrator Read Only
* Super Administrator - All Privileges
* SSL/TLS, Caching, Performance, Page Rules, and Customization
* DNS
* Page Shield
* Page Shield Read
* Firewall


---

---
title: Security Analytics (new dashboard)
description: Security Analytics shows information about all incoming HTTP requests or mitigated requests (rule matches).
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Security Analytics (new dashboard)

Security Analytics shows information about all incoming HTTP requests or only about requests mitigated by Cloudflare.

Use Security Analytics as your starting point to understand and analyze traffic patterns, and to create security rules based on the filters you applied.

To access Security Analytics in the new security dashboard, go to the **Analytics** page.

[ Go to **Analytics** ](https://dash.cloudflare.com/?to=/:account/:zone/security/analytics) 

By default, Security Analytics queries filter on `requestSource = 'eyeball'`, which represents requests from end users. Note that requests from Cloudflare Workers (subrequests) are not visible in Security Analytics.

## Traffic

The **Traffic** tab displays information about all incoming HTTP requests for your domain, including requests not handled by Cloudflare security products.

In this tab you can perform several tasks:

* View the traffic distribution for your domain.
* Understand which traffic is being mitigated by Cloudflare security products, and where non-mitigated traffic is being served from (Cloudflare global network or [origin server ↗](https://www.cloudflare.com/learning/cdn/glossary/origin-server/)).
* Analyze suspicious traffic and create tailored custom [security rules](https://developers.cloudflare.com/security/rules/) based on applied filters.
* [Find an appropriate rate limit](https://developers.cloudflare.com/waf/rate-limiting-rules/find-rate-limit/) for incoming traffic.

For information on how to use the **Traffic** tab, refer to [Security Analytics](https://developers.cloudflare.com/waf/analytics/security-analytics/#adjusting-displayed-data).

If you need to modify existing security-related rules you already configured, consider also using the [Events](#events) tab. This tab displays information about requests affected by Cloudflare security products.

Note

The **Traffic** tab includes functionality available in the [Security Analytics](https://developers.cloudflare.com/waf/analytics/security-analytics/) page in the previous dashboard navigation structure.

## Events

Use the **Events** tab to review mitigated requests and to tailor your security configurations.

The **Events** tab displays information about requests actioned or flagged by Cloudflare security products. Each incoming HTTP request might generate one or more security events. The tab only shows these events, not the HTTP requests themselves. To obtain information on all incoming HTTP requests, use the [Traffic](#traffic) tab.

Users on a Free plan can view summarized events by date in sampled logs. Customers on paid plans have access to additional graphs and dashboards that summarize the most relevant information about the current behavior of Cloudflare's security features on your domain.

For more information on the **Events** tab, refer to [Security Events](https://developers.cloudflare.com/waf/analytics/security-events/).

Note

The **Events** tab corresponds to the [Security Events](https://developers.cloudflare.com/waf/analytics/security-events/) page in the previous dashboard navigation structure.


---

---
title: Web assets
description: Discover web assets such as your API endpoints and instruct Cloudflare how to best protect them.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Web assets

Discover web assets such as your API endpoints and instruct Cloudflare how to best protect them.

To access web assets in the new security dashboard, go to the **Web assets** page.

[ Go to **Web assets** ](https://dash.cloudflare.com/?to=/:account/:zone/security/web-assets) 

## Endpoints

Use the **Endpoints** tab to manage endpoints available on your domain and monitor their health.

You can save endpoints directly from [API Discovery](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/#add-endpoints-from-api-discovery), [manually](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/#add-endpoints-manually) by method, path, and host, or via [Schema Validation](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/#add-endpoints-from-schema-validation).

This will add the specified endpoints to your list of managed endpoints. You can view your list of managed endpoints in the **Endpoints** tab.

For saved endpoints:

* Cloudflare will start collecting [performance data](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/#endpoint-analysis) per endpoint.
* You can use the [labeling service](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-labels/) to organize your endpoints by use case.

For more information on how to manage your endpoints, refer to the following resources.

* [Endpoint Management](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/)
* [Schema learning](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/schema-learning/)
* [Endpoint Analysis](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/#endpoint-analysis)

## Discovery

**Discovery** continuously finds your active API endpoints via path normalization.

[Add endpoints](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/#add-endpoints-from-api-discovery) to produce recommendations and analytics of your APIs. Your [session identifiers](https://developers.cloudflare.com/api-shield/management-and-monitoring/session-identifiers/) must match your API traffic. Otherwise, API endpoints are also discoverable via [Machine Learning](https://developers.cloudflare.com/api-shield/security/api-discovery/#machine-learning-based-discovery).

Note

**Discovery** is only available for Enterprise customers. If you are an Enterprise customer and interested in this product, contact your account team.

## Sequences

Use **Sequences** to discover how users interact with your API, by tracking the order of API session requests over time. Sequences will group and highlight popular user journeys across your API.

Once you configure [session identifiers](https://developers.cloudflare.com/api-shield/management-and-monitoring/session-identifiers/), the **Sequences** tab will start grouping and highlighting important user journeys (sequences) across your API.

To configure session identifiers:

1. In the Cloudflare dashboard, go to the Security **Settings** page.  
[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. Next to **Session identifiers**, select **Configure session identifiers**.

For more information on how Cloudflare identifies API sequences and how you can configure API sequence rules, refer to the following resources:

* [Sequence analytics](https://developers.cloudflare.com/api-shield/security/sequence-analytics/)
* [Sequence mitigation](https://developers.cloudflare.com/api-shield/security/sequence-mitigation/)

Note

The **Sequences** tab includes functionality available in [API Shield](https://developers.cloudflare.com/api-shield/) in the previous dashboard navigation structure.
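
The grouping described in this section can be modelled in a few lines. The following is an added example, not Cloudflare's implementation or code from this documentation: the request log, the session identifier values, the `{var1}` path placeholder and the function names are all constructed. It shows why a session identifier is required: requests from different sessions arrive interleaved, and only the identifier lets them be ordered into per-session journeys.

```python
from collections import defaultdict

# Constructed request log:
# (timestamp, session identifier or None, HTTP method, normalized endpoint path)
REQUESTS = [
    (100, "s1", "POST", "/api/login"),
    (101, "s2", "POST", "/api/login"),
    (102, "s1", "GET", "/api/accounts"),
    (103, None, "GET", "/api/accounts"),   # no session identifier present
    (104, "s2", "GET", "/api/accounts"),
    (105, "s1", "POST", "/api/transfer"),
    (106, "s3", "GET", "/api/accounts"),
    (107, "s2", "GET", "/api/accounts/{var1}"),
    (108, "s3", "POST", "/api/transfer"),
]


def session_journeys(requests):
    """Group requests by session identifier and order each group by time."""
    by_session = defaultdict(list)
    for timestamp, session, method, endpoint in requests:
        if session is None:
            # Without a session identifier the request cannot be placed
            # in any journey, so it is left out of sequence analysis.
            continue
        by_session[session].append((timestamp, f"{method} {endpoint}"))
    return {
        session: [operation for _, operation in sorted(events)]
        for session, events in by_session.items()
    }


def popular_sequences(requests, length=2):
    """Return [(sequence, number_of_sessions)] sorted by popularity.

    A sequence is `length` consecutive operations inside one session.
    Each session is counted once per sequence, so a single noisy client
    cannot make a journey look popular on its own.
    """
    sessions_per_sequence = defaultdict(set)
    for session, operations in session_journeys(requests).items():
        for start in range(len(operations) - length + 1):
            sequence = tuple(operations[start:start + length])
            sessions_per_sequence[sequence].add(session)
    counted = [(seq, len(sessions)) for seq, sessions in sessions_per_sequence.items()]
    return sorted(counted, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for sequence, sessions in popular_sequences(REQUESTS):
        print(sessions, " -> ".join(sequence))
```
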

## Schema validation

Use **Schema validation** to check if your incoming traffic complies with a previously supplied API Schema.

API Schemas are defined by the validity of the API request's properties such as target endpoint, path or query variable format, and HTTP method. A rule is created for incoming traffic and defines which traffic is allowed and which traffic is logged or blocked based on the API schema that you provide or select from the list of learned schemas.

You can add schema validation by:

* [Uploading a schema](https://developers.cloudflare.com/api-shield/security/schema-validation/#add-validation-by-uploading-a-schema)
* [Applying a learned schema to a single endpoint](https://developers.cloudflare.com/api-shield/security/schema-validation/#add-validation-by-applying-a-learned-schema-to-a-single-endpoint)
* [Applying a learned schema to an entire hostname](https://developers.cloudflare.com/api-shield/security/schema-validation/#add-validation-by-applying-a-learned-schema-to-an-entire-hostname)
* [Adding a fallthrough rule](https://developers.cloudflare.com/api-shield/security/schema-validation/#add-validation-by-adding-a-fallthrough-rule)

Note

The **Schema validation** tab includes functionality available in [API Shield](https://developers.cloudflare.com/api-shield/) in the previous dashboard navigation structure.
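
The checks described in this section (target endpoint, path and query variable format, HTTP method, and an action for non-compliant or unmatched traffic) can be modelled as follows. This is an added example, not Cloudflare's implementation or code from this documentation: the schema, host name, format names, function names and the default actions are constructed, and undeclared query parameters are ignored as a simplification.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Formats a path or query variable can be declared with (small constructed set).
FORMATS = {
    "integer": re.compile(r"\d+"),
    "uuid": re.compile(
        r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I
    ),
}

# Constructed schema: each managed endpoint is a method, host and path template.
SCHEMA = [
    {"method": "GET", "host": "api.example.com", "path": "/users/{id}",
     "path_vars": {"id": "integer"}, "query": {"page": "integer"}},
    {"method": "GET", "host": "api.example.com", "path": "/orders/{order}",
     "path_vars": {"order": "uuid"}, "query": {}},
    {"method": "POST", "host": "api.example.com", "path": "/orders",
     "path_vars": {}, "query": {}},
]


def match_shape(template, path):
    """Return {variable: raw value} if path has the template's shape, else None."""
    template_segments = template.strip("/").split("/")
    path_segments = path.strip("/").split("/")
    if len(template_segments) != len(path_segments):
        return None
    values = {}
    for expected, actual in zip(template_segments, path_segments):
        if expected.startswith("{") and expected.endswith("}"):
            values[expected[1:-1]] = actual
        elif expected != actual:
            return None
    return values


def evaluate(method, url, schema=SCHEMA,
             violation_action="block", fallthrough_action="log"):
    """Return (action, reason) for one request.

    "allow" means the request matches a managed endpoint and every declared
    variable has the declared format. `violation_action` applies when the
    endpoint matches but a variable does not. `fallthrough_action` applies
    when no managed endpoint matches method, host and path at all.
    """
    parts = urlsplit(url)
    for endpoint in schema:
        if endpoint["method"] != method.upper() or endpoint["host"] != parts.hostname:
            continue
        values = match_shape(endpoint["path"], parts.path)
        if values is None:
            continue
        for name, value in values.items():
            fmt = endpoint["path_vars"][name]
            if not FORMATS[fmt].fullmatch(value):
                return violation_action, f"path variable {name!r} is not a valid {fmt}"
        query = parse_qs(parts.query, keep_blank_values=True)
        for name, fmt in endpoint["query"].items():
            for value in query.get(name, []):
                if not FORMATS[fmt].fullmatch(value):
                    return violation_action, f"query variable {name!r} is not a valid {fmt}"
        return "allow", "request complies with the schema"
    return fallthrough_action, "no managed endpoint matches method, host and path"


if __name__ == "__main__":
    for method, url in [
        ("GET", "https://api.example.com/users/42?page=2"),
        ("GET", "https://api.example.com/users/abc"),
        ("DELETE", "https://api.example.com/users/42"),
    ]:
        print(method, url, evaluate(method, url))
```

Running the rule with `violation_action="log"` first shows which legitimate clients would be affected before the action is switched to block.
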

## Client-side resources

Use **Client-side resources** to [monitor scripts, connections, and cookies](https://developers.cloudflare.com/client-side-security/detection/monitor-connections-scripts/) on your domain.

If you notice unexpected scripts or connections on the dashboard, check them for signs of malicious activity. You should also check for any new or unexpected cookies.

Customers with Client-Side Security Advanced will have their connections and scripts [classified as potentially malicious](https://developers.cloudflare.com/client-side-security/how-it-works/malicious-script-detection/) based on threat feeds.

Note

The **Client-side resources** tab includes functionality available in [client-side security](https://developers.cloudflare.com/client-side-security/) (formerly known as Page Shield) in the previous dashboard navigation structure.


---

---
title: Security rules
description: Security rules perform security actions on incoming requests that match specified filters.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Security rules

Security rules perform security-related actions on incoming requests that match specified filters. Rules are evaluated and executed in order, from first to last.

To access security rules in the new security dashboard, go to the **Security rules** page.

[ Go to **Security rules** ](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules) 

## Security rules

The **Security rules** tab includes a list of different types of rules configured in your domain/zone to protect your applications and resources.

To create a security rule:

1. In the Cloudflare dashboard, go to the **Security rules** page.  
[ Go to **Security rules** ](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. (Optional) Select **Templates**, and then select a template from the list. You can customize the default configuration of the template before deploying the new rule. Refer to the resources listed in the next step.
3. Select **Create rule** \> select the type of rule you want to create. Refer to the following resources about each rule type:  
   * [Custom rules](https://developers.cloudflare.com/waf/custom-rules/create-dashboard/#rule-form)  
   * [Rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/create-zone-dashboard/#rule-form)  
   * [API sequence rules](https://developers.cloudflare.com/api-shield/security/sequence-mitigation/#rule-form)  
   * [API JWT validation rules](https://developers.cloudflare.com/api-shield/security/jwt-validation/#rule-form) (requires a [token configuration](https://developers.cloudflare.com/security/settings/#all-settings))  
   * [Managed rules exceptions](https://developers.cloudflare.com/waf/managed-rules/waf-exceptions/define-dashboard/#2-define-basic-exception-parameters)  
   * [Content security rules](https://developers.cloudflare.com/client-side-security/rules/create-dashboard/#rule-form) (previously known as policies)

Notes

To deploy a managed ruleset, go to the Security **Settings** page. For more information, refer to [Deploy a managed ruleset](https://developers.cloudflare.com/waf/managed-rules/deploy-zone-dashboard/#deploy-a-managed-ruleset).

The **Security rules** tab includes functionality available in different products in the previous dashboard navigation structure, such as the [WAF](https://developers.cloudflare.com/waf/), [API Shield](https://developers.cloudflare.com/api-shield/), and [client-side security](https://developers.cloudflare.com/client-side-security/).

The tab may show additional rule types if you have configured at least one of the following:

* [IP access rules](https://developers.cloudflare.com/waf/tools/ip-access-rules/)
* [User agent blocking rules](https://developers.cloudflare.com/waf/tools/user-agent-blocking/)
* [Zone lockdown rules](https://developers.cloudflare.com/waf/tools/zone-lockdown/)

## DDoS protection

The **DDoS protection** tab shows the multiple DDoS mitigation services provided by Cloudflare. You can create rules to override these mitigation tools. DDoS attack protection overrides are only available to Enterprise customers with the Advanced DDoS Protection subscription.

To learn more about DDoS protection overrides, refer to the following resources:

* [HTTP DDoS attack protection overrides](https://developers.cloudflare.com/ddos-protection/managed-rulesets/http/http-overrides/)
* [Network-layer DDoS attack protection overrides](https://developers.cloudflare.com/ddos-protection/managed-rulesets/network/network-overrides/)

Note

You define [overrides for the Network-layer DDoS attack protection managed ruleset](https://developers.cloudflare.com/ddos-protection/managed-rulesets/network/network-overrides/configure-dashboard/) at the account level.

## Interaction between different app security features

If you are using several app security features like custom rules, Managed Rules, and Super Bot Fight Mode, it is important to understand how these features interact and the order in which they execute. Refer to [Security features interoperability](https://developers.cloudflare.com/waf/feature-interoperability/) for more information.


---

---
title: Security settings
description: Configure different Cloudflare security features that protect your web applications, APIs, and resources.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Security settings

This page describes the security settings available in the new security dashboard for a given domain.

To access security settings in the new security dashboard, go to the **Settings** page.

[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings) 

## Security setting categories

Security settings and detection tools are categorized by the type of threat that they detect and mitigate.

### Web application exploits

In the **Web application exploits** security category you can manage the following settings:

* Detection tools:  
   * [Leaked credentials detection](https://developers.cloudflare.com/waf/detections/leaked-credentials/)  
   * [Malicious uploads detection](https://developers.cloudflare.com/waf/detections/malicious-uploads/)  
   * [Sensitive data detection](https://developers.cloudflare.com/waf/managed-rules/reference/sensitive-data-detection/)  
   * [Cloudflare managed ruleset](https://developers.cloudflare.com/waf/managed-rules/reference/cloudflare-managed-ruleset/)  
   * [OWASP Core](https://developers.cloudflare.com/waf/managed-rules/reference/owasp-core-ruleset/) ruleset  
   * [AI Security for Apps](https://developers.cloudflare.com/waf/detections/ai-security-for-apps/)
* [Under Attack mode](https://developers.cloudflare.com/fundamentals/reference/under-attack-mode/) in Security Level
* Managed [security.txt](https://developers.cloudflare.com/security-center/infrastructure/security-file/)

Refer to each linked page for details.

Note

The web application exploits security category includes features and settings from the [Cloudflare WAF](https://developers.cloudflare.com/waf/) in the previous dashboard navigation structure.

### DDoS attacks

The **DDoS attacks** security category shows the multiple mitigation services against DDoS attacks provided by Cloudflare.

You can create rules to override DDoS attack protection tools. DDoS attack protection overrides are only available to Enterprise customers with the Advanced DDoS Protection subscription.

To learn more about DDoS protection overrides, refer to the following resources:

* [HTTP DDoS attack protection overrides](https://developers.cloudflare.com/ddos-protection/managed-rulesets/http/http-overrides/)
* [Network-layer DDoS attack protection overrides](https://developers.cloudflare.com/ddos-protection/managed-rulesets/network/network-overrides/)

Note

You define overrides for the Network-layer DDoS attack protection managed ruleset at the account level in Account Home > **L3/4 DDoS** \> **Network-layer DDoS Protection**.

Additionally, you can manage the following settings:

* [Block AI Bots](https://developers.cloudflare.com/bots/concepts/bot/#ai-bots)
* [Bot Management](https://developers.cloudflare.com/bots/get-started/bot-management/) (depending on your Enterprise subscriptions)
* [Browser Integrity Check](https://developers.cloudflare.com/waf/tools/browser-integrity-check/)
* [Challenge Passage](https://developers.cloudflare.com/cloudflare-challenges/challenge-types/challenge-pages/challenge-passage/)
* [Cloudflare managed ruleset](https://developers.cloudflare.com/waf/managed-rules/reference/cloudflare-managed-ruleset/)
* [AI Security for Apps](https://developers.cloudflare.com/waf/detections/ai-security-for-apps/)
* [Schema learning](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/schema-learning/)
* [Schema validation](https://developers.cloudflare.com/api-shield/security/schema-validation/) (requires you to upload a schema or apply a learned schema)
* [Under Attack mode](https://developers.cloudflare.com/fundamentals/reference/under-attack-mode/) (under Security Level)
* SSL/TLS DDoS attack protection

### Bot traffic

In the **Bot traffic** security category you can manage the following settings:

* [AI Labyrinth](https://developers.cloudflare.com/bots/additional-configurations/ai-labyrinth/)
* [Block AI Bots](https://developers.cloudflare.com/bots/concepts/bot/#ai-bots)
* [Bot fight mode](https://developers.cloudflare.com/bots/get-started/bot-fight-mode/) (depending on your Cloudflare plan)
* [Super Bot fight mode](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/) (depending on your Cloudflare plan)
* [Bot Management](https://developers.cloudflare.com/bots/get-started/bot-management/) (depending on your Enterprise subscriptions)
* AI bot traffic management with [robots.txt](https://developers.cloudflare.com/bots/additional-configurations/managed-robots-txt/)
* API [sequence detection](https://developers.cloudflare.com/api-shield/security/sequence-analytics/) (requires you to configure a session identifier)

Note

The bot traffic security category includes features and settings from [Bots](https://developers.cloudflare.com/bots/) in the previous dashboard navigation structure.

### API abuse

In the **API abuse** security category you can manage the following settings:

* [Developer portal](https://developers.cloudflare.com/api-shield/management-and-monitoring/developer-portal/) creation
* Web asset discovery (always enabled if included in your Enterprise subscriptions. For Enterprise subscriptions, [API endpoint discovery](https://developers.cloudflare.com/api-shield/security/api-discovery/) is also included, which requires you to configure a [session identifier](https://developers.cloudflare.com/api-shield/management-and-monitoring/session-identifiers/))
* [Endpoint labels](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-labels/)
* [JWT validation](https://developers.cloudflare.com/api-shield/security/jwt-validation/) (requires you to add a [JWT configuration](https://developers.cloudflare.com/api-shield/security/jwt-validation/api/#token-configurations))

Note

The API abuse security category includes features and settings from [API Shield](https://developers.cloudflare.com/api-shield/) in the previous dashboard navigation structure.

### Client-side abuse

In the **Client-side abuse** security category you can manage the following settings:

* [Continuous script monitoring](https://developers.cloudflare.com/client-side-security/how-it-works/):  
   * [Reporting endpoint](https://developers.cloudflare.com/client-side-security/reference/settings/#reporting-endpoint) to use your hostname instead of a Cloudflare-owned endpoint (only for Enterprise customers with a paid add-on)  
   * [Data logged in client-side abuse reports](https://developers.cloudflare.com/client-side-security/reference/settings/#connection-target-details) (only the hostname or the full URI)
* [Email Address Obfuscation](https://developers.cloudflare.com/waf/tools/scrape-shield/email-address-obfuscation/)
* [Hotlink Protection](https://developers.cloudflare.com/waf/tools/scrape-shield/hotlink-protection/)

Note

The client-side abuse security category includes features and settings from [client-side security](https://developers.cloudflare.com/client-side-security/) (formerly known as Page Shield) and [Scrape Shield](https://developers.cloudflare.com/waf/tools/scrape-shield/) in the previous dashboard navigation structure.

## All settings

The following table links to additional information about each available setting:

| Setting                                                                                                                                                | Location in previous dashboard navigation                                                                                                                              |
| ------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| [AI Labyrinth](https://developers.cloudflare.com/bots/additional-configurations/ai-labyrinth/)                                                         | **Security** \> **Bots** \> **Configure Bot Fight Mode**<br>**Security** \> **Bots** \> **Configure Super Bot Fight Mode**<br>**Security** \> **Bots** \> **Configure Bot Management** |
| [AI Security for Apps](https://developers.cloudflare.com/waf/detections/ai-security-for-apps/)                                                         | _N/A_                                                                                                                                                                  |
| [Block AI Bots](https://developers.cloudflare.com/bots/concepts/bot/#ai-bots)                                                                          | **Security** \> **Bots** \> **Configure Bot Fight Mode**<br>**Security** \> **Bots** \> **Configure Super Bot Fight Mode**<br>**Security** \> **Bots** \> **Configure Bot Management** |
| [Bot Management](https://developers.cloudflare.com/bots/get-started/bot-management/):                                                                  | **Security** \> **Bots**                                                                                                                                               |
| — [JS detections](https://developers.cloudflare.com/bots/additional-configurations/javascript-detections/)                                             | **Security** \> **Bots** \> **Configure Super Bot Fight Mode**<br>**Security** \> **Bots** \> **Configure Bot Management**                                                     |
| — [Auto-update machine learning](https://developers.cloudflare.com/bots/reference/machine-learning-models/)                                            | **Security** \> **Bots** \> **Configure Bot Management**                                                                                                               |
| [Browser integrity check](https://developers.cloudflare.com/waf/tools/browser-integrity-check/)                                                        | **Security** \> **Settings**                                                                                                                                           |
| Challenge Passage: [Timeout](https://developers.cloudflare.com/cloudflare-challenges/challenge-types/challenge-pages/challenge-passage/)               | **Security** \> **Settings**                                                                                                                                           |
| [Client certificates](https://developers.cloudflare.com/ssl/client-certificates/)                                                                      | **SSL** \> **Client Certificates**                                                                                                                                     |
| [Cloudflare managed ruleset](https://developers.cloudflare.com/waf/managed-rules/reference/cloudflare-managed-ruleset/)                                | **Security** \> **WAF** \> **Managed rules** tab                                                                                                                       |
| [Continuous script monitoring](https://developers.cloudflare.com/client-side-security/how-it-works/):                                                  | **Security** \> **Client-side security**                                                                                                                               |
| — [Reporting endpoint](https://developers.cloudflare.com/client-side-security/reference/settings/#reporting-endpoint)                                  | **Security** \> **Client-side security** \> **Settings**                                                                                                               |
| — [Data processing](https://developers.cloudflare.com/client-side-security/reference/settings/#connection-target-details)                              | **Security** \> **Client-side security** \> **Settings**                                                                                                               |
| — [Alerts](https://developers.cloudflare.com/client-side-security/alerts/configure/)                                                                   | **Security** \> **Client-side security** \> **Settings**<br>Account Home \> **Notifications**                                                                               |
| [Create a developer portal](https://developers.cloudflare.com/api-shield/management-and-monitoring/developer-portal/)                                  | **Security** \> **API Shield** \> **Settings**                                                                                                                         |
| [Custom fallthrough rules](https://developers.cloudflare.com/api-shield/security/schema-validation/#add-validation-by-adding-a-fallthrough-rule)       | **Security** \> **API Shield** \> **Settings**                                                                                                                         |
| [Email Address Obfuscation](https://developers.cloudflare.com/waf/tools/scrape-shield/email-address-obfuscation/)                                      | **Scrape Shield**                                                                                                                                                      |
| [API endpoint discovery](https://developers.cloudflare.com/api-shield/security/api-discovery/):                                                        | **API Shield** \> **Discovery**                                                                                                                                        |
| — [Session identifiers](https://developers.cloudflare.com/api-shield/management-and-monitoring/session-identifiers/)                                   | **Security** \> **API Shield** \> **Settings**                                                                                                                         |
| [Endpoint labels](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-labels/)                                             | **Security** \> **Settings** \> **Labels**                                                                                                                             |
| [Hotlink Protection](https://developers.cloudflare.com/waf/tools/scrape-shield/hotlink-protection/)                                                    | **Scrape Shield**                                                                                                                                                      |
| [HTTP DDoS attack protection](https://developers.cloudflare.com/ddos-protection/managed-rulesets/http/):                                               | **Security** \> **DDoS**                                                                                                                                               |
| — [Configure overrides](https://developers.cloudflare.com/ddos-protection/managed-rulesets/http/http-overrides/configure-dashboard/)                   | **Security** \> **DDoS**                                                                                                                                               |
| [Instruct AI bot traffic with robots.txt](https://developers.cloudflare.com/bots/additional-configurations/managed-robots-txt/)                        | **Security** \> **Bots** \> **Configure Bot Fight Mode**<br>**Security** \> **Bots** \> **Configure Super Bot Fight Mode**<br>**Security** \> **Bots** \> **Configure Bot Management** |
| [IP access rules](https://developers.cloudflare.com/waf/tools/ip-access-rules/)                                                                        | **Security** \> **WAF** \> **Tools** tab<br>**Security** \> **WAF** \> **Custom rules** tab                                                                            |
| [IP lists](https://developers.cloudflare.com/waf/tools/lists/custom-lists/#ip-lists)                                                                   | Account Home > **Manage Account** \> **Configurations**                                                                                                                |
| [JWT validation](https://developers.cloudflare.com/api-shield/security/jwt-validation/):                                                               | **Security** \> **API Shield** \> **Settings**                                                                                                                         |
| — [JWT validation rules](https://developers.cloudflare.com/api-shield/security/jwt-validation/#add-a-jwt-validation-rule)                              | **Security** \> **API Shield** \> **API Rules**                                                                                                                        |
| — [Token configurations](https://developers.cloudflare.com/api-shield/security/jwt-validation/#add-a-token-validation-configuration)                   | **Security** \> **API Shield** \> **Settings**                                                                                                                         |
| [Leaked credentials detection](https://developers.cloudflare.com/waf/detections/leaked-credentials/):                                                  | **Security** \> **Settings**                                                                                                                                           |
| — [Custom username and password location](https://developers.cloudflare.com/waf/detections/leaked-credentials/#custom-detection-locations)             | **Security** \> **Settings**                                                                                                                                           |
| [Malicious uploads detection](https://developers.cloudflare.com/waf/detections/malicious-uploads/):                                                    | **Security** \> **Settings**                                                                                                                                           |
| — [Custom content location](https://developers.cloudflare.com/waf/detections/malicious-uploads/#custom-scan-expressions)                               | **Security** \> **Settings**                                                                                                                                           |
| [mTLS rules](https://developers.cloudflare.com/api-shield/security/mtls/configure/)                                                                    | **SSL/TLS** \> **Client Certificates**                                                                                                                                 |
| [Network-layer DDoS attack protection](https://developers.cloudflare.com/ddos-protection/managed-rulesets/network/)                                    | Account Home > **L3/4 DDoS** \> **Network-layer DDoS Protection**                                                                                                      |
| [OWASP Core](https://developers.cloudflare.com/waf/managed-rules/reference/owasp-core-ruleset/) ruleset                                                | **Security** \> **WAF** \> **Managed rules** tab                                                                                                                       |
| Rate limit authentication requests                                                                                                                     | **Security** \> **WAF** \> **Rate limiting rules** tab                                                                                                                 |
| [Replace insecure JavaScript libraries](https://developers.cloudflare.com/waf/tools/replace-insecure-js-libraries/)                                    | **Security** \> **Settings**                                                                                                                                           |
| [Schema learning](https://developers.cloudflare.com/api-shield/security/schema-validation/):                                                           | **Security** \> **API Shield** \> **Schema Validation**                                                                                                                |
| — [Session identifiers](https://developers.cloudflare.com/api-shield/management-and-monitoring/session-identifiers/)                                   | **Security** \> **API Shield** \> **Settings**                                                                                                                         |
| [Schema validation](https://developers.cloudflare.com/api-shield/security/schema-validation/)                                                          | **Security** \> **API Shield** \> **Schema Validation**                                                                                                                |
| — [Endpoints](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/)                                             | **Security** \> **API Shield**                                                                                                                                         |
| — [Active schemas](https://developers.cloudflare.com/api-shield/security/schema-validation/#view-active-schemas)                                       | **Security** \> **API Shield** \> **Schema Validation**                                                                                                                |
| — [Default action](https://developers.cloudflare.com/api-shield/security/schema-validation/#change-the-global-default-action-of-schema-validation)     | **Security** \> **API Shield** \> **Schema Validation**                                                                                                                |
| [Security level: I'm under attack mode](https://developers.cloudflare.com/fundamentals/reference/under-attack-mode/)                                   | **Security** \> **Settings**                                                                                                                                           |
| [Security.txt](https://developers.cloudflare.com/security-center/infrastructure/security-file/)                                                        | **Security** \> **Settings**                                                                                                                                           |
| [Sensitive data detection](https://developers.cloudflare.com/waf/managed-rules/reference/sensitive-data-detection/#configure-in-the-dashboard) ruleset | **Security** \> **Sensitive Data**                                                                                                                                     |
| [Sequence detection](https://developers.cloudflare.com/api-shield/security/sequence-analytics/):                                                       | **Security** \> **API Shield** \> **API Rules**                                                                                                                        |
| — [Endpoints](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/)                                             | **Security** \> **API Shield**                                                                                                                                         |
| — [Session identifiers](https://developers.cloudflare.com/api-shield/management-and-monitoring/session-identifiers/)                                   | **Security** \> **API Shield** \> **Settings**                                                                                                                         |
| [Session identifiers](https://developers.cloudflare.com/api-shield/management-and-monitoring/session-identifiers/)                                     | **Security** \> **API Shield** \> **Settings**                                                                                                                         |
| [SSL/TLS DDoS attack protection](https://developers.cloudflare.com/ddos-protection/managed-rulesets/)                                                  | **Security** \> **DDoS**                                                                                                                                               |
| [Token configurations](https://developers.cloudflare.com/api-shield/security/jwt-validation/)                                                          | **Security** \> **API Shield** \> **Settings**                                                                                                                         |
| [User agent blocking](https://developers.cloudflare.com/waf/tools/user-agent-blocking/)                                                                | **Security** \> **WAF** \> **Tools** tab<br>**Security** \> **WAF** \> **Custom rules** tab                                                                            |
| [Zone lockdown](https://developers.cloudflare.com/waf/tools/zone-lockdown/)                                                                            | **Security** \> **WAF** \> **Tools** tab<br>**Security** \> **WAF** \> **Custom rules** tab                                                                            |

