Security Overview

Custom domains on Watchman Tower inherit enterprise-grade security from Cloudflare’s infrastructure. This document outlines the security features, best practices, and considerations you should be aware of.

Built-in Security Features

Your custom domain automatically includes:

TLS 1.2+ Encryption

Modern encryption standards enforced for all connections

Automatic SSL Renewal

Certificates renew before expiration without manual intervention

DDoS Protection

Enterprise-grade mitigation for Layer 3, 4, and 7 attacks

Web Application Firewall

Protection against common web exploits and vulnerabilities

Rate Limiting

Prevents abuse and ensures service availability

HSTS Support

HTTP Strict Transport Security for browsers

SSL/TLS Security

Certificate Details

All custom domains use SSL certificates with:
  • Issuer: Let’s Encrypt (via Cloudflare)
  • Type: Domain Validated (DV)
  • Encryption: RSA 2048-bit or ECC P-256
  • Validity: 90 days with auto-renewal
  • Protocols: TLS 1.2, TLS 1.3
  • Cipher Suites: Modern, secure ciphers only

TLS Version Enforcement

Enabled protocols:
  • ✅ TLS 1.3 (preferred)
  • ✅ TLS 1.2
Disabled protocols:
  • ❌ TLS 1.1 (deprecated)
  • ❌ TLS 1.0 (insecure)
  • ❌ SSL 3.0 (insecure)
  • ❌ SSL 2.0 (insecure)
This ensures all connections use modern, secure encryption that protects against known vulnerabilities.

Perfect Forward Secrecy

All cipher suites support Perfect Forward Secrecy (PFS), which means:
  • Each session uses unique encryption keys
  • Compromising one session doesn’t affect others
  • Past communications remain secure even if server keys are compromised

Certificate Transparency

All SSL certificates are logged in Certificate Transparency (CT) logs, which:
  • Provides public audit trail of certificate issuance
  • Helps detect unauthorized certificate issuance
  • Increases accountability of certificate authorities
You can monitor your domain’s certificates at crt.sh.

DDoS Protection

Automatic Mitigation

Cloudflare’s DDoS protection operates at multiple layers:
Layer 3/4 (Network Layer)
  • Volumetric attacks (floods)
  • Protocol attacks (SYN floods)
  • Reflection attacks (DNS, NTP amplification)
Layer 7 (Application Layer)
  • HTTP floods
  • Slowloris attacks
  • Application-specific exploits
Features:
  • Always-on protection (no manual activation)
  • Automatic detection and mitigation
  • No user configuration needed
  • Capacity to absorb terabit-scale attacks

Rate Limiting

Traffic to your status page is automatically rate limited to:
  • Prevent abuse from single IPs
  • Ensure fair access for all users
  • Protect against scraping and automated attacks
  • Maintain service availability during incidents
Default limits:
  • 10,000 requests per minute per IP
  • 100,000 requests per hour per IP
These limits are generous for legitimate users while blocking abusive traffic.

Web Application Firewall (WAF)

OWASP Protection

Your custom domain is protected against OWASP Top 10 vulnerabilities:
  1. Injection Attacks - SQL injection, XSS, command injection
  2. Broken Authentication - Session hijacking, credential stuffing
  3. Sensitive Data Exposure - Information leakage prevention
  4. XML External Entities - XXE attack prevention
  5. Broken Access Control - Unauthorized access attempts
  6. Security Misconfiguration - Common misconfig exploits
  7. Cross-Site Scripting - XSS filter and sanitization
  8. Insecure Deserialization - Object injection prevention
  9. Known Vulnerabilities - CVE-based attack blocking
  10. Insufficient Logging - Attack monitoring and alerting

Managed Rulesets

Cloudflare’s WAF includes:
  • Cloudflare Managed Ruleset - Core protections updated continuously
  • OWASP ModSecurity Core Rule Set - Industry-standard rules
  • Cloudflare Specials - Zero-day and emerging threat protection
Rules are updated automatically without any action needed from you.

DNS Security

DNSSEC Support

If your domain uses DNSSEC, custom domains are fully compatible:
  • Validates DNS responses are authentic
  • Prevents DNS spoofing and cache poisoning
  • Cryptographically signs DNS records
To enable DNSSEC: Enable it at your DNS provider. Cloudflare automatically handles DNSSEC validation for your custom hostname.

DNS Privacy

DNS queries for your custom domain are:
  • Encrypted in transit (when using DNS-over-HTTPS or DNS-over-TLS)
  • Not logged or sold by Cloudflare for advertising
  • Protected from ISP snooping (when using encrypted DNS)

Security Headers

Your status page automatically includes security-enhancing HTTP headers:

Enabled Headers

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
What these do:
Strict-Transport-Security: Forces browsers to always use HTTPS for your domain, preventing downgrade attacks and SSL stripping.
  • Enforced for 1 year (31536000 seconds)
  • Applies to all subdomains
  • Eligible for HSTS preload list
X-Content-Type-Options: Prevents browsers from MIME-sniffing responses, reducing the risk of drive-by downloads and XSS attacks.
X-Frame-Options: Controls whether your status page can be embedded in frames/iframes. Set to SAMEORIGIN to prevent clickjacking.
X-XSS-Protection: Enables the browser’s built-in XSS filter for additional protection against cross-site scripting attacks.
Referrer-Policy: Controls how much referrer information is included with requests, protecting user privacy while maintaining analytics capability.
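As an added example (not Watchman Tower’s own code), the following Python audits a response’s headers against the five values listed above. The header names and expected values come from this page; the two sample responses are constructed.

```python
from __future__ import annotations

ONE_YEAR = 31536000  # HSTS max-age this page lists
# Expected values, keyed by lower-cased header name (the page lists all four).
# X-XSS-Protection is a legacy header that modern browsers ignore; it is checked because the page sets it.
EXPECTED = {
    "x-content-type-options": "nosniff",
    "x-frame-options": "sameorigin",
    "x-xss-protection": "1; mode=block",
    "referrer-policy": "strict-origin-when-cross-origin",
}

def parse_hsts(value: str) -> dict[str, str]:
    """Split 'max-age=31536000; includeSubDomains; preload' into lower-cased directives."""
    out = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            out[name.strip().lower()] = val.strip().strip('"')
    return out

def audit_headers(headers: dict[str, str]) -> list[str]:
    """Return findings; an empty list means every header above is present with the expected value."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing strict-transport-security")
    else:
        d = parse_hsts(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < ONE_YEAR:
            findings.append(f"HSTS max-age {max_age} is below one year ({ONE_YEAR})")
        if "includesubdomains" not in d:
            findings.append("HSTS missing includeSubDomains")
        if "preload" not in d:
            findings.append("HSTS missing preload (not eligible for preload list)")
    for name, want in EXPECTED.items():
        got = h.get(name)
        if got is None:
            findings.append(f"missing {name}")
        elif got.lower() != want:
            findings.append(f"{name} is {got!r}, expected {want!r}")
    return findings

# Constructed samples: a response matching this page, and one with a weakened policy.
GOOD = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff", "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block", "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK = {**GOOD, "Strict-Transport-Security": "max-age=300", "X-Frame-Options": "ALLOWALL"}
```

To audit a live page, pass the headers of an HTTPS response to `audit_headers`; header-name case does not matter.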

Best Practices

Domain Management

1. Use Strong DNS Provider Security
Enable two-factor authentication (2FA) on your DNS provider account to prevent unauthorized DNS changes.
2. Monitor DNS Changes
Set up alerts in your DNS provider to notify you of any DNS record modifications.
3. Document Your Configuration
Keep a record of your CNAME configuration and setup date for reference.
4. Review Access Regularly
Audit who has access to modify your domain’s DNS settings and remove unnecessary permissions.

Monitoring

1. Enable Domain Status Notifications
Turn on email alerts in Watchman Tower Settings → Notifications for custom domain status changes.
2. Monitor Certificate Expiry
Though auto-renewed, check your dashboard monthly to ensure SSL renewal succeeded.
3. Watch for Unexpected Changes
If your status badge changes from Working to Configuration Error, investigate immediately.

Incident Response

If you suspect security issues:
If someone modifies your CNAME without authorization:
  1. Immediately log into your DNS provider
  2. Verify the CNAME still points to status.watchmantower.com
  3. If changed, restore it immediately
  4. Change your DNS provider password
  5. Enable 2FA if not already active
  6. Review DNS provider access logs
  7. Contact [email protected] if domain is compromised
If your domain appears hijacked:
  1. Check Watchman Tower dashboard status badge
  2. Verify CNAME with: dig CNAME status.mycompany.com
  3. Check domain registration status: whois mycompany.com
  4. Contact your domain registrar immediately
  5. Contact Watchman Tower support: [email protected]
  6. Consider temporarily deleting custom domain in Watchman Tower to prevent misuse
If SSL appears invalid or untrusted:
  1. Check certificate details in browser (click padlock icon)
  2. Verify domain matches: Should be issued to status.mycompany.com
  3. Verify issuer: Should be Cloudflare Inc
  4. Check expiration date: Should be valid
  5. If certificate is for wrong domain or expired, contact support immediately
  6. Do not ignore SSL warnings—investigate the cause
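The CNAME and certificate checks from the steps above, as an added Python example that is not Watchman Tower’s code: it takes `dig +short CNAME` output and a certificate in the shape `ssl.SSLSocket.getpeercert()` returns. The expected CNAME target is the one this page names; the sample dig output and certificate are constructed, and the 14-day renewal warning threshold is an assumption.

```python
from __future__ import annotations
import socket
import ssl

EXPECTED_CNAME = "status.watchmantower.com"  # target named on this page

def cname_target(dig_output: str) -> str | None:
    """First target in `dig +short CNAME <host>` output, without trailing dot, lower-cased."""
    for line in dig_output.splitlines():
        line = line.strip().rstrip(".").lower()
        if line:
            return line
    return None

def cname_ok(dig_output: str, expected: str = EXPECTED_CNAME) -> bool:
    return cname_target(dig_output) == expected.rstrip(".").lower()

def hostname_matches(cert: dict, hostname: str) -> bool:
    """True if a DNS SAN entry covers hostname (exact, or a single-label wildcard)."""
    host = hostname.lower()
    for kind, value in cert.get("subjectAltName", ()):
        v = value.lower()
        if kind != "DNS":
            continue
        if v == host or (v.startswith("*.") and host.count(".") == v.count(".") and host.endswith(v[1:])):
            return True
    return False

def cert_findings(cert: dict, hostname: str, now: float) -> list[str]:
    """Findings for a certificate dict in the shape getpeercert() returns; now is epoch seconds."""
    findings = []
    if not hostname_matches(cert, hostname):
        findings.append(f"certificate not issued for {hostname}")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])  # parses 'Jun 15 12:00:00 2030 GMT'
    if not_after <= now:
        findings.append("certificate expired")
    elif not_after - now < 14 * 86400:  # assumed threshold: renewal should have happened by now
        findings.append("certificate expires within 14 days; auto-renewal may have failed")
    return findings

def live_cert(hostname: str) -> dict:
    """Fetch the certificate presented for hostname on port 443 (needs network access)."""
    ctx = ssl.create_default_context()
    with ctx.wrap_socket(socket.create_connection((hostname, 443)), server_hostname=hostname) as s:
        return s.getpeercert()

# Constructed sample inputs (not real records): expected dig output and a matching certificate.
SAMPLE_DIG = "status.watchmantower.com.\n"
SAMPLE_CERT = {"subjectAltName": (("DNS", "status.mycompany.com"),), "notAfter": "Jun 15 12:00:00 2030 GMT"}
```

For a live check, feed the output of `dig +short CNAME status.mycompany.com` to `cname_ok` and `live_cert("status.mycompany.com")` with `time.time()` to `cert_findings`.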

Compliance & Privacy

Data Protection

What data is transmitted through your custom domain:
  • Status page content (public by design)
  • Monitor status information (intentionally shared)
  • Incident updates (public communications)
  • Uptime statistics (publicly displayed)
What data is NOT transmitted:
  • Authentication credentials (status pages are public)
  • Private monitoring data (only public data appears)
  • Customer PII (no user data on status pages)

GDPR Compliance

Custom domains are GDPR-compliant:
  • No personal data collection from status page visitors
  • No cookies requiring consent
  • No tracking scripts by default
  • Cloudflare processes traffic under GDPR-compliant terms

Regional Data Residency

Cloudflare operates globally. Your status page content is:
  • Cached at Cloudflare’s edge locations worldwide
  • Served from the nearest location to each visitor
  • Origin data hosted in Watchman Tower’s primary region
If you have specific data residency requirements, contact sales for enterprise options.

Third-Party Security

Cloudflare Trust

Watchman Tower relies on Cloudflare for SaaS infrastructure.
Cloudflare’s Security Certifications:
  • SOC 2 Type II
  • ISO 27001
  • ISO 27018
  • ISO 27701
  • PCI DSS (for applicable services)
Cloudflare Transparency:

Let’s Encrypt Trust

SSL certificates are issued by Let’s Encrypt.
Let’s Encrypt Security:
  • Trusted by all major browsers
  • Audited by independent security firms
  • Open-source certificate authority
  • Automated, transparent issuance process

Reporting Security Issues

Responsible Disclosure

If you discover a security vulnerability related to custom domains:

Report Security Issue

Email [email protected] with:
  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact assessment
  • Your contact information (if you want credit)
We commit to:
  • Acknowledge receipt within 24 hours
  • Provide status updates every 7 days
  • Fix critical issues within 30 days
  • Credit researchers (if desired) upon fix
Do not:
  • Publicly disclose vulnerabilities before we’ve had time to fix them
  • Exploit vulnerabilities beyond what’s needed to demonstrate the issue
  • Access other customers’ data

Security Checklist

Use this checklist to ensure your custom domain is secure:
  • Two-factor authentication enabled on DNS provider
  • Strong, unique password for DNS account
  • DNS change notifications configured
  • Limited access to DNS management (principle of least privilege)
  • CNAME points to correct target: status.watchmantower.com
  • Cloudflare proxy disabled (if using Cloudflare DNS)
  • No conflicting DNS records
  • TTL set to reasonable value (3600 or less)
  • Status shows “Working” (green) in dashboard
  • Browser shows padlock icon when visiting domain
  • Certificate is valid and not expired
  • Certificate issued to correct domain
  • HTTPS works without warnings
  • Email notifications enabled for domain status changes
  • Regular checks of dashboard status badge
  • Domain added to uptime monitoring (optional but recommended)
  • Security contacts have access to alerts
  • Setup date documented
  • Team members aware of custom domain configuration
  • DNS provider login information securely stored
  • Incident response plan includes custom domain scenarios
