Cloudflare Protection
Allow health checks via a secret X-Status-Token header while keeping full Cloudflare security for normal traffic.
Use a single secret header token instead of broad path-based bypasses. Only requests that include your private token header are treated as trusted health checks and have strict Cloudflare security features disabled; every other request still passes through full protection.
Why This Method
| Issue With Simple Path Bypass | Token Header Solution Benefit |
|---|---|
| Anyone can probe health endpoints once path known | Secret header not guessable (high entropy) |
| Must weaken security for every hit to the path | Security disabled only for authenticated monitor requests |
| Any cached or replayed request to the path inherits the weakened settings | Trust is tied to a per-request secret, not to the URL |
| Hard to rotate path (impacting infra/tools) | Rotate header value without changing endpoint |
Overview
- Generate a cryptographically strong random token.
- Add the header `X-Status-Token: <token>` in the monitor's advanced settings.
- Create a Cloudflare rule that matches ONLY when that header EXACTLY equals the token.
- In that rule, disable / relax specific security features (Browser Integrity Check, Security Level, optional bot checks) so health probes never face a challenge.
Step 1 – Generate a Secret Token
Linux / macOS (OpenSSL):
```sh
openssl rand -hex 32
```
Windows PowerShell (RNGCryptoServiceProvider is obsolete and its GetBytes fills a buffer rather than returning one, so allocate the buffer first):
```powershell
$bytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
[System.Convert]::ToBase64String($bytes)
```
Node.js:
```sh
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"
```
Example (do NOT reuse): MySuperSecretKey. This short placeholder is only used so the later snippets stay readable; a real token from the commands above is 64 hex characters or 44 Base64 characters.
Step 2 – Add Header to Your Garmingo HTTP Monitor
Headers:
```
X-Status-Token: MySuperSecretKey
```
Tip: a dedicated health check endpoint should return a small JSON body such as `{"status":"ok"}` quickly, with these response headers so a probe result is never served from a cache:
```
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: application/json
```
Step 3 – Cloudflare Rule Matching Expression
Expression:
```
any(http.request.headers["x-status-token"][*] == "MySuperSecretKey")
```
Header names in `http.request.headers` are lowercase, and `any(... [*] == ...)` is true if any copy of the header carries exactly that value. Keep it a full, case-sensitive equality (not `contains` or a regex) so a partial or prefix value can never satisfy the rule. If the monitor only ever hits one path, tighten the rule further with `and http.request.uri.path eq "/health"`, so a leaked token cannot be used to skip protection for the rest of the site.
Step 4 – Actions (Disable Only For Matches)
Implement these as a WAF custom rule with the Skip action (which lists the products to skip) or, for the first two rows, as a Configuration Rule that changes the setting only while the expression matches:
| Feature | Action |
|---|---|
| Browser Integrity Check | Disable |
| Security Level | Essentially Off |
| (Optional) Super Bot Fight Mode | Skip (the Free plan's Bot Fight Mode cannot be skipped by a rule) |
| (Optional) Rate Limiting | Exclude or high threshold |
| (Optional) Managed Challenge / DDoS | Skip |
Optional: Token Rotation
Temporary dual-token expression (old and new are accepted at the same time, so the monitor can be switched without a gap):
```
(
  any(http.request.headers["x-status-token"][*] == "OldToken") or
  any(http.request.headers["x-status-token"][*] == "NewToken")
)
```
Update the monitor to NewToken, then remove the OldToken clause after several successful checks.
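The origin side of the Step 2 tip and of the rotation window, as an added example that is not Garmingo's or Cloudflare's code: a minimal WSGI health endpoint that returns `{"status": "ok"}` with the uncacheable headers, checks the same `X-Status-Token` header a second time at the origin (so a direct hit on the origin that never passed the Cloudflare rule learns nothing), and accepts a list of tokens so an old and a new token can overlap during rotation. The path `/health`, the `HEALTH_TOKENS` environment variable and the `make_health_app` / `call` helpers are my assumptions, not something the page specifies.

```python
import hmac
import json
import os
from wsgiref.simple_server import make_server

HEALTH_PATH = "/health"  # assumed path; not taken from the original page

# Comma-separated so "OldToken,NewToken" can both be accepted during rotation
# (assumed variable name, not from the page).
ACCEPTED_TOKENS = tuple(
    t for t in os.environ.get("HEALTH_TOKENS", "").split(",") if t
)


def token_is_valid(presented, accepted):
    """Compare the presented header value against every accepted token with
    hmac.compare_digest and without returning early, so response timing reveals
    neither which slot matched nor how many leading characters matched."""
    if presented is None:
        return False
    matched = False
    for candidate in accepted:
        matched |= hmac.compare_digest(presented.encode(), candidate.encode())
    return matched


def make_health_app(accepted_tokens):
    """Build a WSGI app that answers trusted probes on HEALTH_PATH with
    {"status": "ok"} and uncacheable headers, and everything else with 404."""

    def app(environ, start_response):
        path = environ.get("PATH_INFO", "")
        token = environ.get("HTTP_X_STATUS_TOKEN")  # WSGI name of X-Status-Token
        if path == HEALTH_PATH and token_is_valid(token, accepted_tokens):
            body = json.dumps({"status": "ok"}).encode()
            start_response("200 OK", [
                ("Content-Type", "application/json"),
                ("Cache-Control", "no-cache, no-store, must-revalidate"),
                ("Content-Length", str(len(body))),
            ])
            return [body]
        # Same answer for a wrong token, a missing token and an unknown path:
        # whoever reaches the origin without the token learns nothing.
        body = b"not found"
        start_response("404 Not Found", [
            ("Content-Type", "text/plain"),
            ("Content-Length", str(len(body))),
        ])
        return [body]

    return app


def call(app, path, headers=None):
    """Invoke a WSGI app in-process and return (status, headers, body), so the
    behaviour can be checked without binding a socket."""
    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    for name, value in (headers or {}).items():
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    captured = {}

    def start_response(status, response_headers):
        captured["status"] = status
        captured["headers"] = dict(response_headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    if not ACCEPTED_TOKENS:
        raise SystemExit("set HEALTH_TOKENS to one or more comma-separated tokens")
    with make_server("127.0.0.1", 8080, make_health_app(ACCEPTED_TOKENS)) as srv:
        srv.serve_forever()
```

Run it with `HEALTH_TOKENS=OldToken,NewToken python health.py` during a rotation and drop the old value from the variable once the Cloudflare rule no longer accepts it; Cloudflare forwards the request header to the origin, so the monitor needs no extra configuration for the origin-side check.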
Validation
```sh
curl -i \
  -H "X-Status-Token: MySuperSecretKey" \
  https://yourdomain.tld/health
```
Expect HTTP 200 (OK) with the JSON body and no challenge. Repeat without the header: the request should now meet normal security (a challenge, a different status, or different response headers are all acceptable). A response that Cloudflare challenged carries a `cf-mitigated: challenge` header, which is the easiest thing to look for in the `curl -i` output.
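The two probes of this Validation step as an added example (mine, not part of the original page): it sends the request with and without the header, classifies each response, and combines them into one verdict. The classification assumes what the text above describes: a bypassed probe is a plain 200, a Cloudflare challenge carries `cf-mitigated: challenge`, and anything else is a block. The script name, the `verdict` labels and the `health-probe` user agent are my own choices.

```python
import sys
import urllib.error
import urllib.request


def classify_response(status, headers):
    """Classify one response: 'challenged' if Cloudflare tagged it with
    cf-mitigated: challenge, 'bypassed' if it is a plain 200, else 'blocked'.
    Header names are compared case-insensitively."""
    lowered = {name.lower(): value for name, value in headers.items()}
    if lowered.get("cf-mitigated", "").strip().lower() == "challenge":
        return "challenged"
    if status == 200:
        return "bypassed"
    return "blocked"


def verdict(with_token, without_token):
    """Combine the two classifications into one result."""
    if with_token != "bypassed":
        # Rule not deployed, ordered after a blocking rule, or token mismatch.
        return "token-not-bypassing"
    if without_token == "bypassed":
        # Either Cloudflare saw no reason to challenge this client, or the rule
        # matches too broadly; the two probes did not differ, so check the rule.
        return "not-distinguished"
    return "ok"


def fetch(url, token=None, timeout=10):
    """GET url (adding X-Status-Token when a token is given); returns
    (status, headers). Non-2xx answers are returned rather than raised so
    they can be classified like any other response."""
    request = urllib.request.Request(url, headers={"User-Agent": "health-probe/1.0"})
    if token is not None:
        request.add_header("X-Status-Token", token)
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return response.status, dict(response.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def check(url, token):
    """Run both probes from the Validation step and return the classifications."""
    with_token = classify_response(*fetch(url, token))
    without_token = classify_response(*fetch(url))
    return {
        "with_token": with_token,
        "without_token": without_token,
        "verdict": verdict(with_token, without_token),
    }


if __name__ == "__main__":
    if len(sys.argv) != 3:
        raise SystemExit("usage: probe.py https://yourdomain.tld/health <token>")
    print(check(sys.argv[1], sys.argv[2]))
```

`not-distinguished` is not automatically a failure: at the default Security Level a plain request from a clean IP is often let through, so the second probe only proves something when it is challenged or blocked. `token-not-bypassing` is the case to act on, using the Troubleshooting table below.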
Troubleshooting
| Symptom | Cause | Fix |
|---|---|---|
| 403 with header | Rule not deployed, ordered after a blocking rule, or the header value differs from the rule (the comparison is exact and case-sensitive) | Deploy the rule, move it above blocking rules, re-paste the token into both places |
| Flapping monitor | Header missing or mistyped in the monitor | Re-add the exact header name and value |
| Still challenged | A product the rule does not skip (bot management, rate limiting, managed challenge) is still acting | Add the missing skip action for that product |
| Token leaked | Token exposed in logs, tickets, screenshots or client code | Rotate immediately with the dual-token expression, then remove the old token |
Security Notes
- Treat the token like a credential; rotate it quarterly or on staff changes.
- Use ≥ 32 bytes of entropy (each generator in Step 1 produces that).
- Never expose it in public client code, status pages or screenshots. The value sits in clear text in the rule expression, so anyone who can read the zone's rules can read the token; scope dashboard access accordingly.
- Restrict the rule to the health check path where possible, so a leaked token cannot be used to skip protection anywhere else on the site.
Video Walkthrough
https://www.youtube.com/watch?v=aZZ46kb3Pis
Quick Reference
| Task | Snippet |
|---|---|
| Generate token | openssl rand -hex 32 |
| Monitor header | X-Status-Token: <token> |
| CF rule match | any(http.request.headers["x-status-token"][*] == "<token>") |
| Disable features | BIC + Security Level (Essentially Off) + optional bot/rate skips |
| Rotate | OR old/new tokens then remove old |