Remote OpenClaw
Menu

cloudflare-mcp

pocc/cloudflare-mcp
5 starsMITCommunity

Install to Claude Code

This server doesn't publish a one-line install command. Follow the setup in the source repository.

Summary

A high-performance MCP server providing AI assistants with read-only access to the Cloudflare ecosystem. Query your entire Cloudflare infrastructure using natural language through Claude, Cursor, or any MCP-compatible client.

README.md

Cloudflare MCP API Server (Enterprise Edition)

![Security: FedRAMP High](./docs/SECURITY_REVIEW.md) ![Tools: 354](#api-coverage) ![NIST 800-53](./docs/SECURITY_FIXES.md) ![License: MIT](./LICENSE)

A high-performance Model Context Protocol (MCP) server providing AI assistants with read-only access to the Cloudflare ecosystem. Query your entire Cloudflare infrastructure using natural language through Claude, Cursor, or any MCP-compatible client. Inspired by mcp-server-cloudflare.

Security-First Design

This server implements NIST 800-53 Rev. 5 controls for FedRAMP High environments:

| Control | Implementation | File | |---------|----------------|------| | AU-12 (Audit Generation) | All API calls logged with sensitive data redaction | src/audit-logger.ts | | SC-5 (DoS Protection) | Token bucket rate limiting (100 burst, 10/sec) | src/rate-limiter.ts | | SI-10 (Input Validation) | Zod schemas + GraphQL mutation blocking | src/graphql-validator.ts | | SI-11 (Error Handling) | Safe error messages, no stack traces | src/api-client.ts | | IA-5(7) (Token Protection) | XOR obfuscation in memory | src/api-client.ts |

Why Use This?

  • Infrastructure discovery: "What DNS records exist across all my zones?"
  • Security audits: "Which zones don't have WAF enabled?" or "Show me all rate limiting rules"
  • Troubleshooting: "What are the SSL settings for example.com?"
  • Documentation: Generate configuration reports by asking questions
  • Learning: Explore your Cloudflare setup without memorizing API endpoints

Features

  • 354 read-only tools covering the entire Cloudflare API surface (as of 2026-02-05)
  • Zero write operations - cannot modify any configurations (safe to use)
  • Natural language queries - ask questions, get answers
  • Built-in security - rate limiting, audit logging, token protection

API Coverage

| Category | Examples | |----------|----------| | Core | Accounts, Zones, DNS, Settings | | Security | WAF, Firewall, Bot Management, Page Shield, DDoS | | SSL/TLS | Certificates, Universal SSL, Custom Certs, mTLS | | Performance | Argo, Cache, Load Balancing, Waiting Rooms | | Zero Trust | Access Apps, Gateway, Devices, Tunnels, DEX | | Developer Platform | Workers, Pages, D1, R2, KV, Queues, Durable Objects | | Analytics | Dashboard, GraphQL, Audit Logs | | Enterprise | Cloudforce One, Magic Transit, Spectrum, Custom Hostnames |

Quick Start

1. Install

git clone https://github.com/pocc/cloudflare-mcp.git
cd cloudflare-mcp
npm install
npm run build

2. Create API Token

  1. Go to Cloudflare Dashboard → API Tokens
  2. Click Create Token
  3. Use Custom Token with read-only permissions:
  • Account Settings: Read
  • Zone: Read
  • Zone Settings: Read
  • DNS: Read
  • SSL and Certificates: Read
  • Firewall Services: Read
  • Analytics: Read
  • Access: Apps and Policies: Read
  • Worker Scripts: Read
  • Load Balancers: Read
  • (add more as needed for your use case)

3. Configure Your MCP Client

Claude Desktop

Add to ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) or %APPDATA%\Claude\claude_desktop_config.json (Windows):

{
  "mcpServers": {
    "cloudflare": {
      "command": "node",
      "args": ["/path/to/cloudflare-mcp/dist/index.js"],
      "env": {
        "CLOUDFLARE_API_TOKEN": "your-api-token-here"
      }
    }
  }
}

Cursor / Other MCP Clients

CLOUDFLARE_API_TOKEN="your-token" node dist/index.js

Example Queries

Once connected, ask natural language questions:

Discovery

  • "List all my zones and their status"
  • "What Workers do I have deployed?"
  • "Show me all Access applications"

Security Audit

  • "Which zones have bot management enabled?"
  • "What WAF rules are configured on example.com?"
  • "List all rate limiting rules across my account"
  • "Show audit logs from the last 24 hours filtered by user@example.com"

Troubleshooting

  • "What are the SSL settings for example.com?"
  • "Is Argo Smart Routing enabled on my zones?"
  • "What DNS records exist for api.example.com?"
  • "Show me the load balancer configuration for production"

Zero Trust

  • "List all Cloudflare Tunnel connections"
  • "What Access policies protect my apps?"
  • "Show Gateway network policies"
  • "What devices are registered in my Zero Trust org?"

Security

| Feature | Description | |---------|-------------| | Read-Only | Cannot create, update, or delete any resources | | Rate Limited | Built-in token bucket (100 burst, 10/sec) | | Audit Logged | All API calls logged with sensitive data redacted | | Token Protected | API token XOR-obfuscated in memory | | Input Validated | Zod schemas + GraphQL query validation |

Best Practices:

  • Use the principle of least privilege when creating tokens
  • Never commit tokens to version control
  • Rotate tokens periodically

Documentation

| Document | Description | |----------|-------------| | Architecture | Technical design and data flow | | API Reference | Complete list of 354 tools | | Security Review | FedRAMP compliance details | | Security Fixes | NIST control implementations |

Contributing

See CONTRIBUTING.md for guidelines.

License

MIT

Related MCP servers

Browse all →

AWS MCP Servers

awslabs/mcp

9,330 starsOpen

Azure MCP

Azure/azure-mcp

1,219 starsOpen

Cloudflare MCP

cloudflare/mcp-server-cloudflare

3,890 starsOpen

Heroku MCP

heroku/heroku-mcp-server

78 starsOpen

Apify MCP

apify/actors-mcp-server

Browser & ScrapingOpen

Axiom MCP

axiomhq/mcp-server-axiom

61 starsOpen

Browse

MCP servers by category

Other2643AI & ML2284Search2091Developer Tools1127Vector & Memory1121Cloud & DevOps721Files & Docs719Databases704Finance & Payments701Browser & Scraping485Communication418Productivity355