Skill

cloudflare

Cloudflare ekosistem disipline (CDN'in ötesinde) — account/RBAC + API token scoped, DNS (proxied vs gray, CNAME flattening, DNSSEC, CAA), SSL/TLS (Full strict zorunlu, HSTS, Authenticated Origin Pulls mTLS), WAF (Managed Ruleset + Rate Limit + Bot Management), Workers (CPU < 50ms, wrangler.toml, gradual deployment, Service Bindings, Logpush), R2 (S3-compat egress FREE), Pages (JAMstack + Functions + preview Access), Zero Trust (Access + Tunnel + Service Token + Device Posture), D1/Queues/KV/Durable Objects, Turnstile (server siteverify), Logpush + Analytics, cost model (Free/Pro/Business/Enterprise + Workers Paid + R2 storage).

npx claudepluginhub resultakak/argos --plugin argos

Tool Access

This skill uses the workspace's default tool permissions.

Preview

`agents/shared/severity-rubric.md` ve `agents/shared/escalation-matrix.md`

SKILL.md

Similar Skills

using-superpowers

185.1k

Mandates invoking relevant skills via tools before any response in coding sessions. Covers access, priorities, and adaptations for Claude Code, Copilot CLI, Gemini CLI.

3 files

superpowers

Stats

Stars0

Forks0

Last CommitMay 11, 2026

Actions

View Source View Plugin View on GitHub View README

Help us improve

Share bugs, ideas, or general feedback.

Cloudflare

Ortak Doktrin

agents/shared/severity-rubric.md ve agents/shared/escalation-matrix.md default-load sayılır (agents/coordination.md §11). Bu skill'in çıktısı Critical / High / Medium / Low + kanıt formatında olmak zorunda — spekülatif Critical yasak. Sahiplik dışı bulgu ilgili agent'a delege; karar yetkisi eşiği aşılırsa kullanıcı onayı zorunlu.

Felsefe

Full (strict) SSL zorunlu — Flexible MITM riski.
Tunnel + origin lock — origin IP private.
API Token scoped — Global Key YASAK.
WAF Managed Ruleset always-on.
Workers CPU < 50ms + Service Bindings.
R2 egress FREE → S3'ten avantaj.
Pages preview Access ile koru.
Rulesets Engine > Page Rules (modern).
KV eventual + Durable Objects strong ayrımı.

Ne Zaman Kullanılır

Cloudflare yeni zone onboarding (DNS + SSL + WAF + cache bootstrap)
Mevcut Cloudflare audit (SSL mode, WAF, Workers, R2, Pages)
AWS CloudFront/Fastly → Cloudflare migration
Workers edge compute design (auth, A/B, geo, image transform)
R2 onboarding (S3 alternative, egress save)
Pages JAMstack site + Functions + Access preview
Zero Trust Access kurulum (SSO + Tunnel origin lock)
DDoS incident response + WAF custom rule
Rate limiting auth endpoint
Logpush SIEM forward
Turnstile CAPTCHA rollout
Cost optimization (egress R2, Workers req, plan tier)
Cloudflare Pages preview deployment + Access

Workflow

1) Discovery

# API token gerekli
curl -s -H "Authorization: Bearer $CF_TOKEN" https://api.cloudflare.com/client/v4/zones | jq '.result[] | {name, status, plan: .plan.name}'
curl -s -H "Authorization: Bearer $CF_TOKEN" https://api.cloudflare.com/client/v4/zones/$ZONE_ID/settings/ssl
curl -s -H "Authorization: Bearer $CF_TOKEN" https://api.cloudflare.com/client/v4/zones/$ZONE_ID/settings/always_use_https
wrangler whoami
wrangler r2 bucket list

2) Account / DNS posture

API Token scope minimal? Global Key kullanılıyor mu?
2FA + SSO zorunlu mu?
DNS records: proxied vs gray ayrımı doğru mu (MX/email gray)?
DNSSEC prod aktif mi?
CAA: Cloudflare + Let's Encrypt issuance var mı?
TTL sane (proxied auto, non-proxied 300s)?

3) SSL / TLS

Encryption mode: Full (strict) mi? Flexible/Full(non-strict) YASAK.
Min TLS version: 1.2+ (1.3 aç).
HSTS: aktif + include-subdomains + preload (post-test).
Always Use HTTPS: aç.
Authenticated Origin Pulls mTLS: prod kritik?
Origin Cert: Cloudflare-issued veya Let's Encrypt; rotation 90g.

4) WAF / Firewall

Managed Ruleset OWASP + Cloudflare Managed aç mı?
Rate Limiting: login/signup/password-reset rule var mı?
Bot Management (Pro+): bot fight mode?
Custom WAF rules: açıklayıcı isim + comment + audit?
IP Access Rules: admin path geo + IP allowlist?

5) DDoS posture

Under Attack Mode: kullanılıyor mu? son çare.
Argo Smart Routing: latency improve (paid).
L3/L4 otomatik aktif.

6) Cache (CDN delegasyon)

rules/cdn.md + cdn-engineering skill'e delege. Cloudflare-spesifik:

Cache Rules (modern) vs Page Rules (legacy)?
Custom Cache Key cookie/query whitelist?
Tiered Cache Smart Topology (origin shield)?
Cache Reserve (Enterprise) long-tail?

7) Workers

wrangler.toml Git-tracked + compatibility_date pin?
Routes explicit (api.acme.com/*); wildcard zone YASAK.
Secret: wrangler secret put (plain [vars] non-sensitive)?
CPU profile: p99 < 50ms (Paid) — wrangler tail ile inspect.
Service Bindings: Workers arası RPC mı yoksa fetch() mu?
Gradual deployment: 1%→10%→100% rollout var mı?
Logpush: R2/S3'e log forward prod?
console.log PII: PII leak yok mu?

# wrangler.toml minimum
name = "api-edge"
main = "src/index.ts"
compatibility_date = "2026-05-01"
workers_dev = false

[env.prod]
routes = [{ pattern = "api.acme.com/*", custom_domain = true }]

[[env.prod.observability]]
enabled = true

8) R2

S3-compat endpoint: <account>.r2.cloudflarestorage.com.
Bucket purpose-based ayrım.
Default private; public read sadece CDN behind static.
Pre-signed URL 15dk expire + Content-Length condition.
Lifecycle MPU abort 7g zorunlu.
Egress $0 → CDN behind asset için R2 + Cloudflare CDN combo.
Replication: built-in yok; cross-bucket rclone cron.

9) Pages

Branch deploy prod main + preview feature.
Build env lock (Node version pin).
_headers Cache-Control immutable + security header (CSP, X-Frame-Options).
_redirects explicit.
Functions functions/ Workers-backed.
Preview Access: SSO-protected mi (public preview tehlikeli)?

10) Zero Trust

Access: IdP bağlı (Google/Okta/Azure)? Application policy explicit?
Tunnel cloudflared + origin IP private (firewall inbound kapalı)?
Service Token machine-to-machine?
Device Posture WARP + check (Enterprise)?
CASB / DLP: SaaS data leakage policy?

11) D1 / Queues / KV / Durable Objects

KV: hot config OK (eventual ~60s); transactional state YASAK.
D1: small read-heavy; large DB için Postgres.
Queues: at-least-once + DLQ; idempotent consumer.
Durable Objects: counter, coordination, single-instance state.

12) Logging / Analytics

Logpush SIEM target (Splunk/Datadog/R2/S3)?
Web Analytics cookie-less aktif mi?
Workers Analytics Engine custom metric?
Logs Explorer 30g retention yeterli mi?

13) Cost

Plan tier: Free / Pro / Business / Enterprise — feature gerek/maliyet doğru mu?
Workers Paid $5 + req over.
R2 storage + Class A request.
Egress $0 → S3'ten geçişte ROI hesabı.

14) Findings + Action items

Critical / High / Medium / Low + kanıt + sahip + tarih + projected impact.

Antipatterns

Flexible / Full (non-strict) SSL prod (MITM).
Global API Key automation (scoped token kullan).
DNSSEC kapalı prod.
HSTS yok prod.
WAF Managed Ruleset kapalı.
Rate Limit yok auth endpoint.
wrangler.toml secret commit.
Workers wildcard * zone route.
console.log PII Workers (Logpush PII leak).
R2 public bucket user data + CDN behind değil.
Pages preview public (Access yok).
Tunnel olmadan origin public prod.
Page Rules new project (Rulesets Engine kullan).
KV strongly consistent bekle.
D1 büyük DB.
Turnstile server siteverify yok.
Workers gradual deploy yok (100% direkt).
2FA kapalı admin.
Logpush yok prod (incident forensic eksik).

Delege

cdn-engineering skill — CDN cache + TTL + purge detay.
security-reviewer — SSL mode, WAF, Access policy, secret.
platform-engineer — Tunnel + DNS + zone topology.
frontend-implementer — Pages build + _headers + Functions.
backend-reviewer — Workers + R2 SDK pattern.
observability-engineer — Logpush + Workers Analytics.
finops-review skill — plan tier + R2 + Workers cost.
iac-engineer — Cloudflare Terraform provider.

Çıktı şablonu

# Cloudflare Review: acme.com

## Current state
- Plan: Pro / 1 zone
- SSL: Flexible (KRİTİK — edge↔origin plaintext)
- Workers: 3 service (api-edge, geo-redirect, image-resize)
- R2: 2 bucket (avatars, backups)
- Pages: 1 site (admin), preview public

## Findings
- **Critical**: SSL Flexible — MITM riski
- **Critical**: Pages preview public (admin code expose)
- **Critical**: Tunnel yok, origin IP public
- **High**: API Token Global Key (scope minimal değil)
- **High**: HSTS kapalı
- **High**: WAF Managed Ruleset off
- **Medium**: Workers gradual deploy yok (100% direkt)
- **Medium**: Rate Limit yok login endpoint
- **Medium**: Logpush yok (incident forensic 30g UI only)
- **Low**: R2 avatar bucket public (CDN behind değil)

## Action items
| P0 | SSL Full (strict) + origin cert | @platform | 2026-05-18 |
| P0 | Pages preview Access policy | @security | 2026-05-18 |
| P0 | Tunnel cloudflared kurulum + origin firewall inbound deny | @platform | 2026-05-20 |
| P1 | API Token scope: Zone:Read/Workers:Edit; Global Key revoke | @security | 2026-05-23 |
| P1 | HSTS preload (max-age 6mo → 1y after test) | @security | 2026-05-23 |
| P1 | WAF Managed Ruleset OWASP + CF Managed enable | @security | 2026-05-23 |
| P2 | Workers gradual deploy 1→10→100% | @platform | 2026-06-06 |
| P2 | Rate Limit /login 10 req/min/IP | @security | 2026-06-06 |
| P2 | Logpush → R2 retention 90g | @observability | 2026-06-13 |
| P3 | R2 avatar bucket private + CDN behind | @platform | 2026-06-20 |