Cloudflare Protection
Allow health checks via a secret X-Status-Token header while keeping full Cloudflare security for normal traffic.
Use a single secret header token instead of broad path-based bypasses. Only requests that include your private token header are treated as trusted health checks and have strict Cloudflare security features disabled; every other request still passes through full protection.
Why This Method
| Issue With Simple Path Bypass | Token Header Solution Benefit |
|---|---|
| Anyone can probe health endpoints once the path is known | Secret header is not guessable (high entropy) |
| Security must be weakened for every hit to the path | Security is disabled only for authenticated monitor requests |
| Risk of caching / manipulation | Header creates a distinct trust condition |
| Hard to rotate the path (impacts infra/tools) | Rotate the header value without changing the endpoint |
Overview
- Generate a cryptographically strong random token.
- Add the header X-Status-Token: <token> in the monitor's advanced settings.
- Create a Cloudflare rule that matches ONLY when that header EXACTLY equals the token.
- In that rule, disable / relax specific security features (Browser Integrity Check, Security Level, optional bot checks) so health probes never face a challenge.
Step 1 – Generate a Secret Token
Linux / macOS (OpenSSL):
openssl rand -hex 32
Windows (PowerShell; GetBytes fills a buffer rather than returning one):
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
[System.Convert]::ToBase64String($bytes)
Node.js:
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
Example (do NOT reuse): MySuperSecretKey
Step 2 – Add Header to Your Garmingo HTTP Monitor
Headers:
X-Status-Token: MySuperSecretKey
Tip: Dedicated health check endpoints should return fast JSON {"status":"ok"} with:
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: application/json
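The endpoint described in the tip above, as an added example (not Garmingo's or Cloudflare's code): a small WSGI app that answers GET /health with {"status":"ok"} and the recommended Cache-Control and Content-Type headers. The path /health, the port, and the use of wsgiref are assumptions.

```python
"""Minimal health-check endpoint of the kind Step 2 recommends.

Added example, not Garmingo or Cloudflare code. The /health path and the
wsgiref server are assumptions; mount the same handler in whatever framework
your origin already runs.
"""
import json
from wsgiref.simple_server import make_server

HEALTH_PATH = "/health"  # assumed path; use whatever your monitor targets

HEALTH_HEADERS = [
    ("Content-Type", "application/json"),
    # Stop Cloudflare and browsers from caching the probe result.
    ("Cache-Control", "no-cache, no-store, must-revalidate"),
]


def build_health_response(method: str, path: str):
    """Return (status_line, headers, body_bytes) for one request.

    Kept separate from the WSGI plumbing so it can be exercised without a server.
    """
    if path != HEALTH_PATH:
        return "404 Not Found", [("Content-Type", "text/plain")], b"not found"
    if method not in ("GET", "HEAD"):
        return "405 Method Not Allowed", [("Allow", "GET, HEAD")], b""
    # Compact JSON, exactly the {"status":"ok"} shape from the tip.
    body = json.dumps({"status": "ok"}, separators=(",", ":")).encode("utf-8")
    headers = HEALTH_HEADERS + [("Content-Length", str(len(body)))]
    return "200 OK", headers, (b"" if method == "HEAD" else body)


def health_app(environ, start_response):
    """WSGI entry point: no database calls, no templating, answers fast."""
    status, headers, body = build_health_response(
        environ.get("REQUEST_METHOD", "GET"), environ.get("PATH_INFO", "")
    )
    start_response(status, headers)
    return [body]


if __name__ == "__main__":
    # Constructed local run; in production this sits behind your origin server.
    with make_server("127.0.0.1", 8080, health_app) as httpd:
        print("health endpoint on http://127.0.0.1:8080/health")
        httpd.serve_forever()
```

Note that the token check itself is done by the Cloudflare rule in Step 3; the origin only needs to answer quickly and uncacheably.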
Step 3 – Cloudflare Rule Matching Expression
Expression:
any(http.request.headers["x-status-token"][*] == "MySuperSecretKey")
Step 4 – Actions (Disable Only For Matches)
| Feature | Action |
|---|---|
| Browser Integrity Check | Disable |
| Security Level | Essentially Off |
| (Optional) Bot Fight / Super Bot Fight | Skip |
| (Optional) Rate Limiting | Exclude or high threshold |
| (Optional) Managed Challenge / DDoS | Skip |
Optional: Token Rotation
Temporary dual-token expression:
( any(http.request.headers["x-status-token"][*] == "OldToken") or any(http.request.headers["x-status-token"][*] == "NewToken") )
Remove the old token after several successful checks.
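An offline model of the Step 3 expression and the rotation window above, as an added example (not Cloudflare's rule evaluator and not Garmingo code). It mirrors the semantics a reader should expect from any(http.request.headers["x-status-token"][*] == "<token>"): the header name is matched case-insensitively, every value of a repeated header is checked, and the value must match exactly. The sample tokens and the classify_request labels are constructed placeholders.

```python
"""Model of the Cloudflare matching expression and the dual-token rotation.

Added example, not Cloudflare or Garmingo code. Use it to reason about what
the rule will and will not match before deploying it; the real evaluation
happens at the Cloudflare edge.
"""
import hmac
import secrets


def generate_token(nbytes: int = 32) -> str:
    """Hex token with at least 32 bytes of entropy (see Security Notes)."""
    if nbytes < 32:
        raise ValueError("use >= 32 bytes of entropy")
    return secrets.token_hex(nbytes)


def header_values(headers, name):
    """All values of `name`; header names are case-insensitive per HTTP."""
    wanted = name.lower()
    return [v for (k, v) in headers if k.lower() == wanted]


def rule_matches(headers, accepted_tokens) -> bool:
    """True when ANY x-status-token value equals ANY accepted token.

    One accepted token is the Step 3 expression; two accepted tokens model
    the temporary OR'd rotation expression. Values are compared exactly
    (case-sensitive, no trimming), and compare_digest keeps an origin-side
    re-check from leaking where the first mismatching byte is.
    """
    values = header_values(headers, "x-status-token")
    return any(
        hmac.compare_digest(v.encode("utf-8"), t.encode("utf-8"))
        for v in values
        for t in accepted_tokens
    )


def classify_request(headers, accepted_tokens) -> str:
    """'trusted-monitor': Step 4 relaxations apply; otherwise full protection."""
    if rule_matches(headers, accepted_tokens):
        return "trusted-monitor"
    return "full-protection"


if __name__ == "__main__":
    old, new = generate_token(), generate_token()
    # Constructed probe as the monitor would send it after the header change.
    probe = [("User-Agent", "garmingo-monitor"), ("X-Status-Token", new)]
    print(classify_request(probe, [old]))       # full-protection: rule not yet updated
    print(classify_request(probe, [old, new]))  # trusted-monitor: rotation window
    print(classify_request(probe, [new]))       # trusted-monitor: old token removed
```

The three prints walk the rotation: update the monitor header first, widen the rule to accept both tokens, then drop the old token once the monitor has reported several successful checks.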
Validation
curl -i \
-H "X-Status-Token: MySuperSecretKey" \
https://yourdomain.tld/health
Expect HTTP 200 (OK) and no challenge. Repeat the request without the header: it should hit normal security (a challenge or different response headers are acceptable).
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| 403 with header | Rule priority or not deployed | Move rule higher / deploy |
| Flapping monitor | Header missing in monitor | Re-add exact header |
| Still challenged | Another product not skipped | Add skip actions |
| Token leaked | Exposure | Rotate immediately |
Security Notes
- Treat token like a credential; rotate quarterly or on staff changes.
- Use ≥ 32 bytes entropy.
- Never expose in public client code or status pages.
Video Walkthrough
https://www.youtube.com/watch?v=aZZ46kb3Pis
Quick Reference
| Task | Snippet |
|---|---|
| Generate token | openssl rand -hex 32 |
| Monitor header | X-Status-Token: <token> |
| CF rule match | any(http.request.headers["x-status-token"][*] == "<token>") |
| Disable features | BIC + Security Level (low) + optional bot/rate skips |
| Rotate | OR old/new tokens, then remove old |