Cloudflare sits in front of all traffic to PensionsPortal.ie, providing DDoS mitigation, WAF rule enforcement, and Zero Trust access controls for administrative infrastructure.

Architecture

Internet → Cloudflare Edge (WAF, DDoS, Bot Management)
         → Vercel Edge Network
         → Next.js Application
All DNS for PensionsPortal.ie is managed through Cloudflare. Cloudflare acts as a reverse proxy — the true Vercel origin IP addresses are not publicly disclosed.

Web Application Firewall (WAF)

Managed Rulesets

Cloudflare’s managed WAF rulesets are enabled:
Ruleset                              | Coverage
Cloudflare Managed Rules             | OWASP Top 10, known CVEs, common web exploits
Cloudflare OWASP Core Ruleset        | SQL injection, XSS, path traversal, file inclusion
Cloudflare Exposed Credentials Check | Detects use of compromised credentials
Managed rulesets are updated automatically by Cloudflare as new threats emerge — no manual intervention required.

Custom WAF Rules

Custom rules are configured for the application’s specific risk profile:
Rule                                             | Action                    | Rationale
Rate limit /api/auth/signin                      | Block after 5 req/IP/min  | Brute force protection
Rate limit /api/auth/forgot-password             | Block after 3 req/IP/5min | Email enumeration prevention
Block requests without User-Agent                | Block                     | Basic bot fingerprinting
Challenge non-browser clients on sensitive paths | JS Challenge              | Reduces automated scanning
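The following is an added example, not Cloudflare's rule language or any code from the PensionsPortal.ie deployment: a small local model of the custom rules above (the two rate limits and the missing User-Agent block), replayed over constructed sample traffic so the documented thresholds can be checked and compared against WAF event logs. It assumes fixed-window counting per IP and path, and that "block after N" means the (N+1)th request in a window is blocked; the names EdgePolicy and replay are hypothetical.

```javascript
// Added example (not Cloudflare's code): local model of the custom WAF rules.
// Fixed-window counting is an assumption; Cloudflare's own algorithm is not reproduced.

const RATE_LIMITS = [
  { path: "/api/auth/signin", limit: 5, windowMs: 60 * 1000, rationale: "brute force protection" },
  { path: "/api/auth/forgot-password", limit: 3, windowMs: 5 * 60 * 1000, rationale: "email enumeration prevention" },
];

class EdgePolicy {
  constructor() {
    this.counters = new Map(); // key "ip|path" -> { bucket, count }
  }

  // req: { ip, path, userAgent, ts } where ts is epoch milliseconds
  evaluate(req) {
    // "Block requests without User-Agent" applies to every path.
    if (!req.userAgent) return { action: "block", rationale: "basic bot fingerprinting" };

    const rule = RATE_LIMITS.find((r) => r.path === req.path);
    if (!rule) return { action: "allow", rationale: "no custom rule matched" };

    // Count requests per IP per path inside the current fixed window.
    const key = `${req.ip}|${rule.path}`;
    const bucket = Math.floor(req.ts / rule.windowMs);
    const prev = this.counters.get(key);
    const count = prev && prev.bucket === bucket ? prev.count + 1 : 1;
    this.counters.set(key, { bucket, count });

    // "Block after N req" is read as: the (N+1)th request in the window is blocked.
    if (count > rule.limit) return { action: "block", rationale: rule.rationale };
    return { action: "allow", rationale: rule.rationale };
  }
}

// Replay a list of requests through a fresh policy and return the action taken for each.
function replay(requests) {
  const policy = new EdgePolicy();
  return requests.map((req) => policy.evaluate(req).action);
}

// Constructed sample traffic: one client hammering sign-in, one scanner sending no User-Agent.
const T0 = Date.UTC(2024, 0, 1, 12, 0, 0); // arbitrary, aligned to a whole minute
const SAMPLE_TRAFFIC = [
  ...Array.from({ length: 6 }, (_, i) => ({ ip: "203.0.113.10", path: "/api/auth/signin", userAgent: "Mozilla/5.0", ts: T0 + i * 1000 })),
  { ip: "203.0.113.11", path: "/api/auth/signin", userAgent: "Mozilla/5.0", ts: T0 + 7000 },
  { ip: "203.0.113.12", path: "/", userAgent: "", ts: T0 + 8000 },
];

console.log(replay(SAMPLE_TRAFFIC));
// prints [ 'allow', 'allow', 'allow', 'allow', 'allow', 'block', 'allow', 'block' ]
```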

Bot Management

Cloudflare Bot Management scores every request. Requests with a bot score below the configured threshold are either challenged (JS Challenge) or blocked. Verified bots (Googlebot, etc.) are allowed through.

DDoS Protection

Cloudflare’s DDoS protection is always-on at the network layer (L3/L4) and application layer (L7). Volumetric attacks are absorbed at Cloudflare’s edge before reaching Vercel. No additional configuration is required.

Cloudflare Zero Trust

Cloudflare Zero Trust (Access) is used to protect administrative access to infrastructure dashboards — these systems are not accessible from the public internet without Cloudflare Access authentication.

Protected Resources

Resource                      | Access Policy
Vercel dashboard              | Named users + IdP MFA
Neon PostgreSQL web console   | Named users + IdP MFA
Sentry dashboard              | Named users + IdP MFA
Internal tooling / admin UIs  | Named users + IdP MFA

Access Policy Structure

Policy: PensionsPortal.ie Admins
  Include: Email ends in @137th.ai
  Require: Multi-factor authentication
  Session duration: 8 hours
Access tokens are short-lived. Sessions expire after 8 hours of inactivity.

TLS Configuration

Cloudflare enforces:
  • Minimum TLS version: TLS 1.2
  • TLS mode: Full (Strict) — origin certificate validation is enforced
  • Automatic HTTPS Rewrites: enabled — HTTP requests are upgraded to HTTPS
  • HSTS: enabled via application headers (see Security Headers)

Cloudflare Tunnel (Optional)

For origin server protection, a Cloudflare Tunnel (cloudflared) can be used to connect Vercel to Cloudflare without exposing a public IP. In the current deployment, Vercel’s edge network serves as the origin and Cloudflare proxies via DNS.

Monitoring

Cloudflare Analytics provides:
  • Real-time WAF block events and rule match details
  • Bot score distribution
  • Origin error rates (5xx responses from Vercel)
  • Bandwidth and request volume trends

Alerts are configured in Cloudflare for:
  • Spike in WAF block rate (possible attack)
  • Origin error rate exceeding 5% (application health issue)
  • DDoS attack detection