From NCSC Web Check to Cloudflare Security Insights
Cloudflare Security Insights automates and enhances web security checks, moving from periodic scanning to continuous monitoring with integrated remediation capabilities.
Key Advantage
The most significant upgrade from Web Check to Cloudflare is the transition from "detection" to "remediation". While Web Check merely flagged a missing HSTS header, Cloudflare allows you to enable HSTS with a single toggle. Where Web Check identified a vulnerable CMS, Cloudflare's WAF provides virtual patching through managed rules.
Web Security Feature Comparison
| Web Check Finding | Risk Category | Cloudflare Solution | Advantage |
|---|---|---|---|
| Certificate Validity | Cryptographic failure | SSL/TLS Edge Certificates | Automated renewal and monitoring prevents expiry |
| HTTP to HTTPS Redirects | Downgrade attacks | "Always Use HTTPS" Setting | Enforces redirection at the edge before hitting origin |
| Insecure Security Headers | XSS and clickjacking | HSTS & WAF Managed Rules | Detects missing HSTS and injects headers dynamically |
| Security.txt Absence | Disclosure friction | Managed Security.txt | Built-in generator and dynamic hosting at the edge |
| Dangling DNS Records | Subdomain takeover | Security Insights | Proactively flags records pointing to dead resources |
| Exposed Sensitive Ports | Unauthorized access | Open Port Scanning (Beta) | Detects RDP or other services exposed to the internet |
| Old TLS Version Support | Weak encryption | Minimum TLS Version Setting | Identifies and can block traffic below TLS 1.2 |
| Script Vulnerabilities | Client-side attacks | Page Shield | Continuous monitoring for malicious JS in the browser |
Security Insights Capabilities
- Automatic Discovery: Scans all hostnames (proxied and unproxied) every 3-7 days without manual enrollment
- Dangling DNS Detection: Identifies CNAMEs pointing to decommissioned resources that could enable subdomain takeover
- Exposed Origin Detection: Flags unproxied A/AAAA records that expose your origin servers
- Configuration Drift Alerts: Monitors for changes that weaken your security posture
One-Click Remediation
- HSTS: Enable HTTP Strict Transport Security with a single toggle
- Always HTTPS: Force all traffic to use encrypted connections
- Minimum TLS: Set TLS 1.2 or 1.3 as the minimum acceptable version
- WAF Rules: Virtual patching blocks CVE exploitation at the edge
WAF Managed Rulesets: Automatic Protection
Protection Against Known & Zero-Day Vulnerabilities
Web Check could only tell you about vulnerabilities. Cloudflare's WAF Managed Rulesets automatically block exploitation attempts at the edge—before they ever reach your servers.
Zero-Day Protection
Cloudflare's threat intelligence team deploys rules within hours of new CVEs being disclosed—often before patches are available.
Virtual Patching
Block Log4j, Spring4Shell, and other critical exploits instantly—even if your backend systems remain unpatched.
Automatic Updates
Managed rulesets update continuously—no manual intervention required to stay protected against emerging threats.
Pre-configured rules covering OWASP Top 10, CVEs, and application-specific vulnerabilities.
New rules deployed globally within an hour of critical vulnerability disclosure.
Every request inspected at the edge—no traffic bypasses protection.
Managed Security.txt
Web Check verified the presence of a security.txt file (RFC 9116), which encourages responsible disclosure by security researchers.
Cloudflare provides a built-in generator and dynamic hosting for security.txt at the edge. This means:
- No need to modify your origin server
- Consistent security contact information across all your domains
- Automatic HTTPS delivery with proper caching
- Compliant with RFC 9116 requirements
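To confirm that a security.txt body fetched from `/.well-known/security.txt` actually meets the RFC 9116 requirements listed above, a check along these lines can be run against it. This is an added example, not Cloudflare's or NCSC's code; the function name `check_security_txt` and the two sample files are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Field names defined by RFC 9116; names are matched case-insensitively.
KNOWN = {"acknowledgments", "canonical", "contact", "encryption",
         "expires", "hiring", "policy", "preferred-languages"}
URI_FIELDS = KNOWN - {"expires", "preferred-languages"}

def check_security_txt(body, now=None):
    """Return a list of RFC 9116 problems found in a security.txt body."""
    now = now or datetime.now(timezone.utc)
    fields, problems = {}, []
    for n, line in enumerate(body.splitlines(), 1):
        line = line.strip()
        if line.startswith("-----BEGIN PGP SIGNATURE"):
            break  # armored signature follows; no more fields
        if not line or line.startswith(("#", "-----")):
            continue  # blank lines, comments, PGP cleartext header
        name, sep, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if not sep or not value:
            problems.append(f"line {n}: not a 'Name: value' field")
        elif name in KNOWN:  # unknown extension fields are ignored
            fields.setdefault(name, []).append(value)
            if name in URI_FIELDS and value.lower().startswith("http://"):
                problems.append(f"line {n}: {name} must use https://")
    if "contact" not in fields:
        problems.append("missing required Contact field")
    if len(fields.get("preferred-languages", [])) > 1:
        problems.append("Preferred-Languages appears more than once")
    expires = fields.get("expires", [])
    if len(expires) != 1:
        problems.append("Expires must appear exactly once")
        return problems
    try:
        when = datetime.fromisoformat(expires[0].upper().replace("Z", "+00:00"))
        if when.tzinfo is None:
            raise ValueError("no UTC offset")
    except ValueError:
        problems.append("Expires is not an RFC 3339 date-time")
        return problems
    if when <= now:
        problems.append("Expires is in the past; the file is stale")
    elif when > now + timedelta(days=365):
        problems.append("Expires is over a year away (RFC 9116 recommends less)")
    return problems

# Constructed sample files, not taken from any real site.
GOOD = "Contact: mailto:security@example.org\nExpires: 2030-01-01T00:00:00Z\n"
BAD = "# no contact\nPolicy: http://example.org/policy\nExpires: 2020-01-01T00:00:00Z\n"
```

An empty result means the required fields are present and current; running the check on a schedule catches an `Expires` value that lapses after the file was first published.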
Page Shield: Client-Side Security
Beyond Web Check
Web Check did not assess client-side script security. Cloudflare Page Shield provides continuous monitoring for malicious JavaScript in the browser, protecting against:
Supply Chain Attacks
Detect when third-party scripts are compromised
Magecart-Style Skimmers
Identify unauthorized data exfiltration code
Script Changes
Alert when JavaScript resources are modified
Implementation Quick Start
Review Security Insights
Access the Security Center dashboard to see automatically discovered findings across all your zones.
Enable Security Headers
Turn on HSTS, Always HTTPS, and set minimum TLS version to 1.2 or higher for all domains.
Configure Security.txt
Use the built-in generator to create and host your security.txt file at the edge.
Address Findings
Remediate dangling DNS records and exposed origins identified by Security Insights.
Continue Your Assessment
Review the complete gap analysis to understand where complementary solutions may be needed.