
We are starting to use Cloudflare on a few WordPress client accounts and notice in the CDN settings that my email address and API key are visible to the client.

Is this a potential security issue where others can see my Cloudflare email address and API key? Should I be using one Cloudflare account per client account?

Here is a screenshot (I have blurred the API key and deleted the email input box in the console), but both these values are visible to the customer.

What is the worst thing they could do with these 2 pieces of data?

2 Answers


  1. You have to use tokens instead of the global API key. You restrict the token to a certain zone only.

    This alone will NOT solve the problem; you have to manually modify the WP Fastest Cache plugin so that its requests match API token usage.
    The requests can be found in inccdn.php.

    The modified file:
    https://gist.github.com/ahmed-abdelazim/7c8170f7fc4e821c6b015d770fcbf14a

    so

        // Global API key auth: the account email and the global key travel on every request
        $header = array("method" => "DELETE",
            'headers' => array(
                "X-Auth-Email" => $email,
                "X-Auth-Key" => $key,
                "Content-Type" => "application/json"
            ),
            "body" => '{"purge_everything":true}'
        );
    

    is converted to

        // API token auth: only the zone-scoped bearer token is sent, no email
        $header = array("method" => "DELETE",
            'headers' => array(
                //"X-Auth-Email" => $email,
                "Authorization" => "Bearer ".$key,
                "Content-Type" => "application/json"
            ),
            "body" => '{"purge_everything":true}'
        );
    

    and this occurred five times in the plugin, in the cdn.php file.

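As an added example (not the plugin's code and not from the answer above), the same header change written as a reusable helper, together with a small check that flags request arguments still carrying the global key. The function names, and the idea that the token is read from the plugin's settings, are assumptions; the request shape mirrors the snippet above.

```php
<?php
// Added example: build Cloudflare "purge everything" request args using a
// zone-scoped API token rather than the account email + global API key.
// Function names are hypothetical; $token is assumed to come from settings.

function cf_purge_request_args(string $token): array {
    return array(
        // Same method and body as the plugin's original request
        'method'  => 'DELETE',
        'headers' => array(
            // Bearer token: no X-Auth-Email / X-Auth-Key in the request
            'Authorization' => 'Bearer ' . $token,
            'Content-Type'  => 'application/json',
        ),
        'body'    => json_encode(array('purge_everything' => true)),
    );
}

// Audit helper: true when request args still use the global-key headers.
// Useful for checking each of the occurrences mentioned in the answer.
function cf_uses_global_key(array $args): bool {
    $headers = $args['headers'] ?? array();
    return isset($headers['X-Auth-Key']) || isset($headers['X-Auth-Email']);
}

// Constructed sample values (not real credentials)
$legacy = array(
    'method'  => 'DELETE',
    'headers' => array(
        'X-Auth-Email' => 'admin@example.invalid',
        'X-Auth-Key'   => 'PLACEHOLDER_GLOBAL_KEY',
        'Content-Type' => 'application/json',
    ),
    'body'    => '{"purge_everything":true}',
);
$modern = cf_purge_request_args('PLACEHOLDER_ZONE_SCOPED_TOKEN');

var_dump(cf_uses_global_key($legacy)); // bool(true)  -> still needs fixing
var_dump(cf_uses_global_key($modern)); // bool(false) -> token-based auth

// Inside WordPress the args would be passed as-is to wp_remote_request():
// $resp = wp_remote_request($purge_url, cf_purge_request_args($token));
```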
  2. Simply creating an API token worked for me. There are some pre-made templates; there was one for WordPress as well. I just selected and created it, added it to WP Fastest Cache, and that worked.