This check assesses each Cloudflare zone's Minimum TLS Version setting and passes only when it is set to TLS 1.2 or higher, so that connections to the zone use secure, modern cryptographic protocols.
Risk
Allowing legacy TLS versions (1.0, 1.1) exposes connections to known protocol vulnerabilities.
- Confidentiality: BEAST, POODLE, and weak cipher suites can be exploited for traffic decryption
- Compliance: TLS 1.0/1.1 are deprecated by PCI-DSS, NIST, and major browsers
- Integrity: downgrade attacks can force weaker encryption that is susceptible to tampering
Run this check with Prowler CLI
prowler cloudflare --checks zone_min_tls_version_secure
Recommendation
Set the minimum TLS version to 1.2 or higher.
- TLS 1.0 and 1.1 are deprecated by all major browsers and contain known vulnerabilities
- Consider setting TLS 1.3 for environments with modern client requirements
- Test client compatibility before raising the minimum version
Remediation
Terraform
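The following is an added Terraform example, not remediation code from the Prowler project or from Cloudflare, showing how to pin a zone's minimum TLS version to 1.2 (or 1.3) with the Cloudflare provider's `cloudflare_zone_settings_override` resource. It assumes the zone ID is passed in as a variable and that the API token is supplied through the `CLOUDFLARE_API_TOKEN` environment variable; the input validation rejects the deprecated 1.0 and 1.1 values so the weak setting cannot be reintroduced by a later change.

```hcl
terraform {
  required_providers {
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "~> 4.0"
    }
  }
}

# Credentials are assumed to come from the CLOUDFLARE_API_TOKEN environment variable.
provider "cloudflare" {}

variable "zone_id" {
  description = "Cloudflare zone ID (placeholder; replace with your own zone's ID)"
  type        = string
}

variable "min_tls_version" {
  description = "Minimum TLS version accepted at the Cloudflare edge"
  type        = string
  default     = "1.2"

  # Fail `terraform plan` if someone tries to set a deprecated version.
  validation {
    condition     = contains(["1.2", "1.3"], var.min_tls_version)
    error_message = "min_tls_version must be 1.2 or 1.3; TLS 1.0 and 1.1 are deprecated."
  }
}

# Applies the zone-level setting that the zone_min_tls_version_secure check inspects.
resource "cloudflare_zone_settings_override" "min_tls" {
  zone_id = var.zone_id

  settings {
    min_tls_version = var.min_tls_version
  }
}
```

After `terraform apply`, re-run the Prowler check to confirm the zone now passes; confirm client compatibility first if you choose "1.3".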
Other
- Log in to the Cloudflare dashboard and select your account and domain
- Go to SSL/TLS > Edge Certificates
- Scroll to Minimum TLS Version
- Select TLS 1.2 or TLS 1.3 from the dropdown
- Verify that your clients support the selected TLS version
Resource Type
Zone