Find out exactly what your Cloudflare setup is — and isn't — protecting
A clear, expert review of your Cloudflare configuration: security gaps, exposed origin IPs, weak bot rules, cache and performance wins. You get a prioritized report you can act on — not a sales pitch.
A Cloudflare audit is a structured review of how your Cloudflare account is configured — DNS, SSL/TLS, WAF, caching, bot protection, origin exposure, rate limiting, Zero Trust, logs and performance — measured against security and speed best practice. Edgecraft delivers a written report with prioritized, plain-English fixes. The Express Audit starts from $600 for a fast risk snapshot; the Full Audit covers your whole configuration with an implementation roadmap. Pricing is indicative and depends on traffic, number of domains, your Cloudflare plan and complexity. An audit finds and reduces risk, but it does not replace secure development, patching, payment-fraud tools, server hardening, backups or full incident response.
What is a Cloudflare audit, and why do most sites need one?
Cloudflare is powerful, but it ships with safe-but-generic defaults. Over months and years, teams add DNS records, page rules, redirects and WAF tweaks — and nobody is sure what's actually live. An audit replaces guesswork with a clear picture.
The problem with "we already use Cloudflare"
Having Cloudflare in front of your site is not the same as having Cloudflare configured for it. We routinely see stores and SaaS apps where the proxy is on, but the origin IP is still discoverable, the WAF is in log-only mode, bot rules were never tuned, and SSL is set to a mode that quietly allows insecure connections. The dashboard looks green; the protection isn't there.
An audit tells you precisely where you stand so you can fix the high-impact gaps first and stop paying for features you're not using.
- Independent, vendor-neutral review — we don't resell your Cloudflare plan
- Findings ranked by business risk and effort, not by buzzword
- Works for any plan tier: Free, Pro, Business or Enterprise
- A clear path to managed Cloudflare support if you want us to implement it
You walk away with
A written report scoring your current configuration, a prioritized list of fixes (critical → nice-to-have), and a short call to talk it through. If you'd rather we just do the work, the audit doubles as a precise scope for implementation.
What does a Cloudflare audit actually cover?
We work through your account methodically, layer by layer — from DNS at the edge down to how traffic reaches your origin server.
DNS & proxy status
Every record reviewed: which are proxied (orange-cloud) vs. DNS-only, dangling records, leftover staging hosts, and records that quietly bypass Cloudflare entirely.
SSL/TLS configuration
Encryption mode (Flexible vs. Full vs. Full Strict), minimum TLS version, HSTS, certificate validity, and mixed-content or redirect-loop risks.
WAF rules & managed rulesets
Are managed rulesets active and in block mode? Custom rules, OWASP sensitivity, false-positive risk, and gaps around login, checkout and admin paths. See our WAF setup.
Bot protection
Bot Fight Mode / Super Bot Fight Mode status, verified-bot handling, scraping and credential-stuffing exposure, and whether good bots (Google, payment webhooks) are being blocked. More on bot protection.
Origin IP exposure
The big one: we check whether your real server IP is discoverable, leaking through mail records, old DNS history or direct-to-origin access — which lets attackers bypass Cloudflare completely.
Rate limiting & DDoS posture
Rate-limiting rules on sensitive endpoints, L7 DDoS protection settings, and your readiness for traffic spikes. Pairs with DDoS hardening.
Cache & performance settings
Cache rules, Tiered Cache, compression, Argo, image optimization and Cache Hit Ratio — where speed and origin-load wins are being left on the table.
Zero Trust & access
How admin panels, staging and internal tools are exposed, plus any Cloudflare Access / Tunnel configuration. See Zero Trust.
Logs, events & visibility
Security Events, Logpush, analytics and alerting — so you can actually see attacks and measure what your rules are doing, instead of flying blind.
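The areas above are checks an auditor runs against a zone's records and settings, so here is what a few of them look like as code. This is an added example, not Edgecraft's tooling or the audit's own method: it lints a constructed snapshot of a zone for DNS-only A/AAAA records and SPF entries that publish the origin IP (the "origin IP exposure" and mail-record leak described above, and the origin-exposure verdict the report gives), an SSL/TLS mode below Full (Strict) and a minimum TLS version below 1.2, a managed WAF left in log-only mode, and sensitive paths with no rate-limiting rule. The snapshot's shape, the origin IP, the hostnames, the `waf_managed_action` and `rate_limited_paths` keys and the sensitive-path list are all assumptions for the demo; a real audit would pull records and settings from the Cloudflare API rather than a dict.

```python
"""Offline linter for a constructed Cloudflare zone snapshot (added example, not Edgecraft tooling)."""
from dataclasses import dataclass
import ipaddress

SEVERITY_ORDER = {"Critical": 0, "High": 1, "Medium": 2, "Low": 3}
SENSITIVE_PATHS = ("/login", "/wp-login.php", "/checkout")  # assumed application paths
SSL_MODE_RISK = {  # encryption modes below "strict", worst first
    "off": ("Critical", "SSL is off: visitors reach the edge over plain HTTP"),
    "flexible": ("High", "Flexible SSL: browser-to-edge is HTTPS but edge-to-origin is plain HTTP"),
    "full": ("Medium", "Full (not Strict): the origin certificate is never validated"),
}

# Constructed snapshot. The shape loosely follows the Cloudflare API (dns_records with
# type/name/content/proxied, settings keyed by id) but is an assumption, not fetched data.
SAMPLE_ZONE = {
    "origin_ips": ["203.0.113.10"],            # the real server, known to the auditor
    "dns_records": [
        {"type": "A", "name": "example.com", "content": "203.0.113.10", "proxied": True},
        {"type": "A", "name": "www.example.com", "content": "203.0.113.10", "proxied": True},
        {"type": "A", "name": "mail.example.com", "content": "203.0.113.10", "proxied": False},
        {"type": "MX", "name": "example.com", "content": "mail.example.com", "proxied": False},
        {"type": "A", "name": "staging.example.com", "content": "203.0.113.10", "proxied": False},
        {"type": "A", "name": "vpn.example.com", "content": "198.51.100.7", "proxied": False},
        {"type": "CNAME", "name": "shop.example.com", "content": "shops.example.net", "proxied": True},
        {"type": "TXT", "name": "example.com", "content": "v=spf1 ip4:203.0.113.10 -all", "proxied": False},
    ],
    "settings": {"ssl": "flexible", "min_tls_version": "1.0", "always_use_https": "off"},
    "waf_managed_action": "log",               # managed ruleset only observes, blocks nothing
    "rate_limited_paths": ["/checkout"],
}

@dataclass(frozen=True)
class Finding:
    severity: str
    area: str
    message: str

def _covers_origin(value, origin_ips):
    """True if value is an IP or CIDR that contains one of the known origin IPs."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return False
    return any(ip in net for ip in origin_ips)

def check_dns(records, origin_ips):
    """Origin exposure and proxy-bypass checks over the zone's DNS records."""
    out = []
    for r in records:
        kind, name, content = r["type"], r["name"], r["content"]
        if kind in ("A", "AAAA") and not r.get("proxied", False):
            if _covers_origin(content, origin_ips):
                out.append(Finding("Critical", "origin", f"{name}: DNS-only {kind} record publishes "
                                   f"origin IP {content}; the server is reachable without passing Cloudflare"))
            else:
                out.append(Finding("Low", "dns", f"{name}: DNS-only {kind} record bypasses the proxy"))
        elif kind == "TXT" and content.lower().startswith("v=spf1"):  # mail records are a classic leak
            for token in content.split():
                if token[:4] in ("ip4:", "ip6:") and _covers_origin(token[4:], origin_ips):
                    out.append(Finding("Critical", "origin", f"{name}: SPF record publishes origin IP {token[4:]}"))
    return out

def check_settings(settings):
    """TLS posture checks against zone-level settings."""
    out = []
    if settings.get("ssl") in SSL_MODE_RISK:
        sev, msg = SSL_MODE_RISK[settings["ssl"]]
        out.append(Finding(sev, "ssl", msg))
    min_tls = settings.get("min_tls_version", "1.0")
    if float(min_tls) < 1.2:
        out.append(Finding("Medium", "ssl", f"Minimum TLS version is {min_tls}; raise it to 1.2"))
    if settings.get("always_use_https") != "on":
        out.append(Finding("Low", "ssl", "Always Use HTTPS is off; plain-HTTP requests are not redirected"))
    return out

def check_edge_rules(zone):
    """WAF mode and rate-limit coverage of sensitive paths."""
    out = []
    if zone.get("waf_managed_action") == "log":
        out.append(Finding("High", "waf", "Managed WAF ruleset is in log-only mode; nothing is blocked"))
    missing = [p for p in SENSITIVE_PATHS if p not in zone.get("rate_limited_paths", [])]
    if missing:
        out.append(Finding("High", "rate-limit", "No rate-limiting rule covers: " + ", ".join(missing)))
    return out

def audit_zone(zone):
    """Run every check and return findings ordered Critical -> Low."""
    origin_ips = [ipaddress.ip_address(ip) for ip in zone["origin_ips"]]
    findings = check_dns(zone["dns_records"], origin_ips) + check_settings(zone["settings"]) + check_edge_rules(zone)
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.area, f.message))

def summarize(findings):
    """Findings per severity, always listing all four levels."""
    return {s: sum(f.severity == s for f in findings) for s in SEVERITY_ORDER}

def origin_verdict(findings):
    """The report's one-line origin-exposure verdict."""
    return "REACHABLE" if any(f.area == "origin" for f in findings) else "HIDDEN"
```

Calling `audit_zone(SAMPLE_ZONE)` on the constructed zone returns nine findings: three Critical (the DNS-only `mail` and `staging` records and the SPF entry, all publishing the origin), three High (Flexible SSL, a log-only WAF, and login paths without a rate limit), one Medium (TLS 1.0 allowed) and two Low. Proxying or removing the leaking records, moving SSL to Full (Strict) with TLS 1.2, switching the managed ruleset to block and covering every sensitive path brings the list to empty and the verdict to HIDDEN, which is the shape of the fix plan the page describes.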
What's included in the report — and what isn't
Every audit ends with a concrete, written deliverable you own. No vague "you should improve security" advice.
What you receive
- A written audit report (PDF) scoring each area: DNS, SSL/TLS, WAF, bots, origin, rate limiting, Zero Trust, cache, logs
- A prioritized fix list: Critical → High → Medium → Low, each with the business reason
- Clear remediation steps for each finding — what to change and why
- An origin-exposure verdict: is your real server IP hidden or reachable?
- Quick performance wins (cache and speed) alongside the security findings
- A 30–45 minute review call to walk through results and answer questions
- A scoped implementation estimate if you'd like us to do the work
What an audit does not include
- Implementing the changes (that's a separate engagement or Managed Care)
- A full application penetration test or source-code review
- PCI DSS certification (we can scope PCI 4.0.1 client-side work separately)
- Server, OS or database hardening on your origin infrastructure
- Payment-fraud screening or chargeback tooling
- 24/7 monitoring or incident response (see emergency support)
When Cloudflare is not enough: A Cloudflare audit finds and reduces edge-layer risk and improves performance — it blocks a lot of malicious traffic and closes common misconfigurations. It does not replace secure application development, regular patching, payment-fraud prevention, server and database hardening, a tested backup strategy, legal/compliance review, or a full incident-response team. Think of the edge as one strong, important layer — not your entire security program.
What does the audit report look like?
Here's the structure of a typical Edgecraft Cloudflare audit report, start to finish.
1. Executive summary
One page for decision-makers: overall risk rating, the three things to fix this week, and the business impact in plain English — no jargon required.
2. Scope & environment
Domains, Cloudflare plan tier, platform (Shopify, WooCommerce, Magento, custom SaaS, API) and the assumptions the audit was based on.
3. Findings by area
A section per layer — DNS, SSL/TLS, WAF, bots, origin exposure, rate limiting, Zero Trust, cache, logs — each with current state, the risk, and the recommended change.
4. Prioritized action plan
Every finding ranked Critical → Low, with estimated effort, so your team knows the order to tackle things and what to safely defer.
5. Performance opportunities
Cache hit ratio, compression, image and speed wins that reduce origin load and improve Core Web Vitals — quantified where we can.
6. Next steps & estimate
Your options: fix it yourself with our notes, hand it to us as a project, or move to ongoing managed care — with an indicative cost for each.
Express Audit vs. Full Audit: which do you need?
Most teams start with an Express Audit for a fast risk read, then upgrade to a Full Audit before a peak season, migration or funding round.
Express Audit: smaller sites and "is anything obviously wrong?" checks
- High-impact review of DNS, SSL/TLS, origin exposure, WAF & bots
- Top-priority findings & quick wins
- Concise written summary
- Short results call
- Turnaround in days, not weeks
Full Audit: e-commerce, SaaS, APIs and high-traffic or multi-domain sites
- Complete review of all layers, including rate limiting, Zero Trust, cache & logs
- Full prioritized action plan (Critical → Low)
- Performance & cache optimization opportunities
- Detailed PDF report + 30–45 min review call
- Implementation estimate & roadmap
Audit + Fix: teams who want it found and fixed in one engagement
- Everything in the Full Audit
- We implement the prioritized fixes
- Pairs with WAF, bot & DDoS setup
- Optional move to Managed Care
- Audit fee credited toward implementation
All prices are indicative and shown "from". Final pricing depends on your traffic volume, number of domains, Cloudflare plan tier, configuration complexity and the level of support you need. The Express Audit's $600 starting price is roughly £475 / €560. Need crawler-specific scope? See the AI crawler control service.
Who should book a Cloudflare audit?
If your revenue, traffic or reputation rides on your site staying fast and online, an audit is one of the highest-leverage things you can do.
Example scenario (hypothetical): A WooCommerce store on Cloudflare Pro sees mysterious load spikes and slow checkout. A Full Audit could reveal the origin IP is still resolvable via an old mail record, the WAF is in log-only mode, and there's no rate limit on the login endpoint — explaining brute-force traffic hitting the origin directly. The fix plan: hide and firewall the origin, switch managed rules to block, and add login rate limiting. Results vary by environment; this is illustrative, not a guarantee.
How do I get started?
Booking an audit is simple — we keep the intake light and do the heavy lifting.
1. Tell us about your site
Send a quick note via the contact form: your platform, rough traffic, number of domains, and what's prompting the audit (peak season, an incident, a migration, due diligence).
2. Pick Express or Full
We confirm scope, timeline and a fixed, indicative price before any work starts — no open-ended billing.
3. Grant read access
You add us as a read-only or scoped user to your Cloudflare account (or screen-share). We never need your origin server passwords to assess the edge.
4. Get your report
We deliver the written report and a review call, with clear next steps — DIY, project, or managed support. Found something urgent mid-audit? We can fast-track emergency help.
Know exactly where your Cloudflare setup stands
An expert review, a prioritized action plan, and zero jargon. Find the gaps before attackers — or your next traffic spike — do. From $600, indicative.
Frequently asked questions
What is a Cloudflare audit?
A Cloudflare audit is a structured, independent review of how your Cloudflare account is configured — DNS, SSL/TLS, WAF rules, caching, bot protection, origin IP exposure, rate limiting, Zero Trust access, logs and performance settings — measured against security and speed best practice. Edgecraft delivers a written report with prioritized, plain-English fixes you can act on or hand to us to implement.
How much does a Cloudflare audit cost?
An Express Audit starts from $600 (≈ £475 / €560) and gives you a fast risk snapshot of the highest-impact areas. A Full Audit covers every layer with a complete action plan and is quoted to your setup. All prices are indicative and shown 'from' — final pricing depends on traffic volume, number of domains, your Cloudflare plan tier, configuration complexity and support needs.
What's the difference between an Express Audit and a Full Audit?
The Express Audit is a fast, high-impact check of the areas most likely to hurt you — DNS, SSL/TLS, origin exposure, WAF and bots — with a concise summary and a short call. The Full Audit is a complete review of every layer (adding rate limiting, Zero Trust, cache and logs), with a detailed PDF report, a fully prioritized action plan, performance opportunities and an implementation estimate. Many teams start Express, then go Full before a peak season or migration.
Will an audit disrupt my live site?
No. An audit is read-only by design — we review your configuration and run safe, non-intrusive checks. We don't change settings, push traffic or run anything that risks downtime. You grant us read-only or scoped access (or screen-share), and we never need your origin server passwords to assess the edge layer.
Do you implement the fixes, or just report them?
Either. The audit deliverable is designed so your own team can act on it, with clear remediation steps. If you'd rather we do the work, the audit doubles as a precise scope — we offer an Audit + Fix bundle (with the audit fee credited toward implementation) and ongoing Managed Cloudflare Care from $1,000/mo.
Why does origin IP exposure matter so much?
If your real server IP is discoverable — through old DNS history, mail records or direct-to-origin access — attackers can bypass Cloudflare entirely and hit your server directly, defeating your WAF, DDoS and bot protections. Checking and closing origin exposure is one of the most common high-impact findings in our audits, which is why every Edgecraft audit includes a clear origin-exposure verdict.
Is a Cloudflare audit enough to secure my store or SaaS on its own?
No, and we're honest about that. An audit finds and reduces edge-layer risk and improves performance, but it does not replace secure application development, regular patching, payment-fraud tooling, server and database hardening, a tested backup strategy, legal/compliance review, or a full incident-response team. Cloudflare is one strong, important layer of defense — not your entire security program. We're an independent consultancy with deep hands-on Cloudflare experience, not an official Cloudflare partner.
How long does a Cloudflare audit take?
An Express Audit is typically delivered within a few business days. A Full Audit usually takes a week or two depending on the number of domains and configuration complexity. If you're dealing with a live incident, we can fast-track via emergency Cloudflare support instead of waiting for a full audit cycle.