Cloudflare Protection

Allow health checks via a secret X-Status-Token header while keeping full Cloudflare security for normal traffic.

Use a single secret header token instead of broad path-based bypasses. Only requests that include your private token header are treated as trusted health checks and have strict Cloudflare security features disabled; every other request still passes through full protection.

Why This Method

Issue With Simple Path Bypass                        | Token Header Solution Benefit
-----------------------------------------------------|---------------------------------------------------------
Anyone can probe health endpoints once path is known | Secret header not guessable (high entropy)
Must weaken security for every hit to the path       | Security disabled only for authenticated monitor requests
Risk of caching / manipulation                       | Header creates a distinct trust condition
Hard to rotate path (impacts infra/tools)            | Rotate header value without changing the endpoint

Overview

  1. Generate a cryptographically strong random token.
  2. Add header X-Status-Token: <token> in the monitor's advanced settings.
  3. Create a Cloudflare rule that matches ONLY when that header EXACTLY equals the token.
  4. In that rule, disable / relax specific security features (Browser Integrity Check, Security Level, optional bot checks) so health probes never face a challenge.

Step 1 – Generate a Secret Token

# Linux / macOS (OpenSSL) – 32 random bytes as hex
openssl rand -hex 32

# Windows PowerShell – RandomNumberGenerator fills a byte array; GetBytes returns nothing, so the array must be created first
$b = New-Object byte[] 32; [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($b); [System.Convert]::ToBase64String($b)

# Node.js – 32 random bytes as hex
node -e "console.log(require('crypto').randomBytes(32).toString('hex'))"

Example placeholder used throughout this guide (do NOT reuse): MySuperSecretKey

Step 2 – Add Header to Your Garmingo HTTP Monitor

Headers:

X-Status-Token: MySuperSecretKey

Tip: Dedicated health check endpoints should respond quickly with a small JSON body such as {"status":"ok"} and these headers:

Cache-Control: no-cache, no-store, must-revalidate
Content-Type: application/json

Step 3 – Cloudflare Rule Matching Expression

Expression (header names in http.request.headers are lowercase, so the key is written as x-status-token regardless of how the monitor sends it):

any(http.request.headers["x-status-token"][*] == "MySuperSecretKey")

Step 4 – Actions (Disable Only For Matches)

Feature                                  | Action
-----------------------------------------|---------------------------
Browser Integrity Check                  | Disable
Security Level                           | Essentially Off
(Optional) Bot Fight / Super Bot Fight   | Skip
(Optional) Rate Limiting                 | Exclude or high threshold
(Optional) Managed Challenge / DDoS      | Skip

Optional: Token Rotation

Temporary dual-token expression:

( any(http.request.headers["x-status-token"][*] == "OldToken") or any(http.request.headers["x-status-token"][*] == "NewToken") )

Remove the old token after several successful checks.

Validation

curl -i \
  -H "X-Status-Token: MySuperSecretKey" \
  https://yourdomain.tld/health

Expect HTTP 200 (OK) and no challenge. Repeat the request without the header: it should hit normal security (a challenge, or at least different response headers, is the expected outcome).
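The same two probes as a small script, added here as an example rather than Garmingo's or Cloudflare's own code. The HTTP transport is injected so the check can run offline against a constructed stand-in for the edge rule; the cf-mitigated: challenge header used to recognise a challenge page is an assumption about Cloudflare's responses, and yourdomain.tld is a placeholder.

```python
import secrets
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

Response = Tuple[int, Dict[str, str]]          # (status, lowercase header map)
Fetch = Callable[[str, Dict[str, str]], Response]
HEADER = "X-Status-Token"

def generate_token(nbytes: int = 32) -> str:
    """Hex token from a CSPRNG; same entropy as `openssl rand -hex 32`."""
    return secrets.token_hex(nbytes)

def urllib_fetch(url: str, headers: Dict[str, str]) -> Response:
    """Real transport: GET the URL and return status + headers even on 4xx/5xx."""
    req = urllib.request.Request(url, headers=headers, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except urllib.error.HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}

def is_challenged(status: int, headers: Dict[str, str]) -> bool:
    """Assumption: Cloudflare marks challenge pages with 'cf-mitigated: challenge';
    a 403/503 is also counted as the request having hit a security action."""
    return headers.get("cf-mitigated", "").lower() == "challenge" or status in (403, 503)

def validate_bypass(fetch: Fetch, url: str, token: str) -> Dict[str, bool]:
    """The two probes from the Validation step: with the token, then without."""
    with_status, with_headers = fetch(url, {HEADER: token})
    bare_status, bare_headers = fetch(url, {})
    return {
        "monitor_passes": with_status == 200 and not is_challenged(with_status, with_headers),
        "bare_request_challenged": is_challenged(bare_status, bare_headers),
        "responses_differ": (with_status, with_headers) != (bare_status, bare_headers),
    }

def make_fake_cloudflare(expected_token: str) -> Fetch:
    """Constructed stand-in for the edge rule (offline use): an exact header match
    skips the challenge, any other request gets a managed challenge response."""
    def fetch(url: str, headers: Dict[str, str]) -> Response:
        sent = {k.lower(): v for k, v in headers.items()}  # rule matches lowercase names
        if secrets.compare_digest(sent.get("x-status-token", ""), expected_token):
            return 200, {"content-type": "application/json", "cache-control": "no-store"}
        return 403, {"cf-mitigated": "challenge", "content-type": "text/html"}
    return fetch
```

For a real run call validate_bypass(urllib_fetch, "https://yourdomain.tld/health", token); the fake transport exists only so the logic can be exercised without touching a zone.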

Troubleshooting

Symptom            | Cause                          | Fix
-------------------|--------------------------------|---------------------------
403 with header    | Rule priority or not deployed  | Move rule higher / deploy
Flapping monitor   | Header missing in monitor      | Re-add exact header
Still challenged   | Another product not skipped    | Add skip actions
Token leaked       | Exposure                       | Rotate immediately

Security Notes

  • Treat the token like a credential; rotate it quarterly or on staff changes.
  • Use at least 32 bytes of entropy.
  • Never expose it in public client code or on status pages.

Video Walkthrough

https://www.youtube.com/watch?v=aZZ46kb3Pis

Quick Reference

Task              | Snippet
------------------|------------------------------------------------------------
Generate token    | openssl rand -hex 32
Monitor header    | X-Status-Token: <token>
CF rule match     | any(http.request.headers["x-status-token"][*] == "<token>")
Disable features  | BIC + Security Level (low) + optional bot/rate skips
Rotate            | OR old/new tokens, then remove the old one