# Cloudflare Zone Security Policy Comparison Tool

A Python tool that fetches the security configuration of multiple Cloudflare zones and generates a single HTML report showing where the zones agree and where they differ.

## What It Compares

| Category | API Phase / Endpoint | Details |
|----------|---------------------|---------|
| **WAF Custom Rules** | `http_request_firewall_custom` | Custom firewall rules, expressions, actions |
| **WAF Managed Rules** | `http_request_firewall_managed` | Managed ruleset deployments, overrides |
| **Rate Limiting Rules** | `http_ratelimit` | Rate limiting configurations |
| **DDoS L7 Protection** | `ddos_l7` | L7 DDoS protection rules |
| **Super Bot Fight Mode** | `http_request_sbfm` | Bot management rules |
| **Zone Security Settings** | `/zones/{id}/settings` | security_level, SSL/TLS, min_tls_version, HTTPS rewrites, browser check, challenge TTL, etc. |
| **IP Access Rules** | `/zones/{id}/firewall/access_rules` | IP allowlists, blocklists, challenges |
| **Page Rules** | `/zones/{id}/pagerules` | Legacy page rules |

## Prerequisites

- Python 3.8+
- `requests` library (installed automatically on first run if missing; in a pinned or offline environment, install it yourself beforehand)
- A Cloudflare API token with the read-only zone permissions listed below

### Recommended API Token Permissions

| Permission | Level | Required For |
|-----------|-------|-------------|
| Zone WAF Read | Zone | WAF rules, custom rules, managed rules |
| Zone Settings Read | Zone | Security settings comparison |
| Firewall Services Read | Zone | IP access rules |
| Page Rules Read | Zone | Legacy page rules |
| Zone Read | Zone | Zone listing and details |

All of these are read permissions; the tool needs no Edit permission. Scope the token to the zones you intend to compare rather than to every zone in the account.

## Usage

### Option 1: Compare all zones in an account

```bash
python cf_zone_security_compare.py --token YOUR_API_TOKEN --account ACCOUNT_ID
```

Passing the token as a command-line argument exposes it in shell history and to process listings on shared hosts; prefer the environment variable (Option 3) or a config file with restricted permissions (Option 4).

### Option 2: Compare specific zones

```bash
python cf_zone_security_compare.py --token YOUR_API_TOKEN --zones ZONE_ID_1,ZONE_ID_2,ZONE_ID_3
```

### Option 3: Use environment variable

```bash
export CLOUDFLARE_API_TOKEN=your_token
python cf_zone_security_compare.py --account ACCOUNT_ID
```

### Option 4: Use a config file

```bash
python cf_zone_security_compare.py --config config.json
```

**config.json:**
```json
{
    "api_token": "your_token_here",
    "account_id": "optional_account_id",
    "zone_ids": ["zone_id_1", "zone_id_2", "zone_id_3"],
    "output": "cbre_security_comparison.html"
}
```

The config file holds the API token in plaintext: restrict it to your user (`chmod 600 config.json`) and keep it out of version control.

### Additional Options

| Flag | Description |
|------|-------------|
| `--output FILE` | Custom output filename (default: timestamped) |
| `--json-dump` | Also export raw JSON data alongside the HTML report |

## Report Contents

The generated HTML report includes:

### Executive Summary
- Number of zones compared
- Total common rules across all zones
- Total deltas (differences) found
- Consistency score (percentage of rules identical across all zones)
- Number of setting differences

### Zone Overview
Per-zone breakdown of rule counts by category.

### Per-Category Comparison
For each security policy category:
- **✅ Identical rules** — present in all zones with the same configuration
- **⚠️ Divergent rules** — same expression but different action/config across zones
- **🔀 Partial coverage** — rules present in some zones but not all
- **🔶 Zone-specific rules** — rules unique to a single zone

Visual delta bars show the proportion of identical vs. different rules at a glance.
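The four categories above are a grouping by rule expression across zones. The following is an added illustration of that grouping, written for this README and not the tool's own code; the zone names, rule expressions and field names (`expression`, `action`) are constructed sample data, and keying on the normalized expression is this example's choice of rule identity.

```python
"""Bucket WAF rules from several zones into identical / divergent / partial / zone-specific."""
from collections import defaultdict

# Constructed sample: WAF custom rules per zone, reduced to the two fields that matter here.
SAMPLE_RULES = {
    "example.com": [
        {"expression": '(ip.geoip.country eq "RU")', "action": "block"},
        {"expression": '(http.request.uri.path contains "/admin")', "action": "managed_challenge"},
        {"expression": '(http.user_agent contains "curl")', "action": "challenge"},
        {"expression": '(cf.threat_score gt 50)', "action": "block"},
    ],
    "shop.example.com": [
        {"expression": '(ip.geoip.country   eq "RU")', "action": "block"},  # extra spaces only
        {"expression": '(http.request.uri.path contains "/admin")', "action": "log"},
        {"expression": '(http.request.uri.path contains "/checkout")', "action": "skip"},
    ],
    "api.example.com": [
        {"expression": '(ip.geoip.country eq "RU")', "action": "block"},
        {"expression": '(http.request.uri.path contains "/admin")', "action": "managed_challenge"},
        {"expression": '(http.user_agent contains "curl")', "action": "challenge"},
    ],
}


def normalize_expression(expr):
    """Collapse whitespace so cosmetic edits to an expression do not register as deltas."""
    return " ".join(expr.split())


def classify_rules(rules_by_zone):
    """Group rules by expression and bucket them into the report categories.

    identical     - expression present in every zone with the same action everywhere
    divergent     - expression present in every zone, action differs somewhere
    partial       - expression present in more than one zone but not all
    zone_specific - expression present in exactly one zone
    """
    zone_count = len(rules_by_zone)
    by_expr = defaultdict(dict)  # normalized expression -> {zone: action}
    for zone, rules in rules_by_zone.items():
        for rule in rules:
            # If a zone repeats an expression, the last action wins for that zone.
            by_expr[normalize_expression(rule["expression"])][zone] = rule["action"]

    buckets = {"identical": [], "divergent": [], "partial": [], "zone_specific": []}
    for expr, actions in by_expr.items():
        entry = {"expression": expr, "actions": dict(actions)}
        if len(actions) == zone_count:
            key = "identical" if len(set(actions.values())) == 1 else "divergent"
        elif len(actions) == 1:
            key = "zone_specific"
        else:
            key = "partial"
        buckets[key].append(entry)
    return buckets


def consistency_score(buckets):
    """Percentage of distinct rules that are identical across all zones (100 when there are none)."""
    total = sum(len(v) for v in buckets.values())
    if total == 0:
        return 100.0
    return round(100.0 * len(buckets["identical"]) / total, 1)


if __name__ == "__main__":
    result = classify_rules(SAMPLE_RULES)
    for category, entries in result.items():
        print(f"{category}: {len(entries)}")
        for entry in entries:
            print(f"  {entry['expression']}  {entry['actions']}")
    print(f"consistency score: {consistency_score(result)}%")
```

On the sample data the `/admin` rule is the interesting one: every zone has it, but `shop.example.com` only logs where the others challenge, which is exactly the divergence the report is meant to surface.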

### Settings Diff Table
Side-by-side comparison of security settings across zones, highlighting differences.

### IP Access Rules
Cross-zone comparison of IP allowlists, blocklists, and challenge rules.

## Example Output

The report opens in any web browser and is fully self-contained (no external scripts, stylesheets or fonts are loaded). It is also print-friendly for PDF export. Because it embeds your WAF expressions, IP allowlists and blocklists, treat the generated file as confidential.

## Notes

- The tool uses read-only API calls — it never modifies any zone configuration
- Rate limiting is handled automatically (backs off on 429 responses)
- Phases that aren't configured on a zone are reported as empty (not errors)
- The report is a single self-contained HTML file with embedded CSS
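The two API behaviours in the notes, backing off on 429 and treating an unconfigured phase as empty, are shown below in an added example written for this README; it is not the tool's own code. The endpoint is Cloudflare's entrypoint-ruleset read (`GET /zones/{zone_id}/rulesets/phases/{phase}/entrypoint`); treating a 404 as "phase not configured" and reading `Retry-After` as a number of seconds are this example's assumptions, and the scripted client and its responses are constructed test doubles standing in for `requests`.

```python
"""Fetch a zone's entrypoint ruleset for one phase, with 429 backoff and 404-as-empty."""
import time

API_BASE = "https://api.cloudflare.com/client/v4"


def fetch_phase_rules(zone_id, phase, token, http_get, sleep=time.sleep, max_retries=5):
    """Return the rules deployed in `phase` for `zone_id` (a list, possibly empty).

    `http_get(url, headers=...)` must return an object with .status_code, .headers
    and .json(); requests.Session().get qualifies. `sleep` is injectable so tests
    do not wait. Only GET is ever issued, so the call is read-only.
    """
    url = f"{API_BASE}/zones/{zone_id}/rulesets/phases/{phase}/entrypoint"
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    delay = 1.0
    for attempt in range(max_retries + 1):
        resp = http_get(url, headers=headers)
        if resp.status_code == 429:
            if attempt == max_retries:
                raise RuntimeError(f"rate limited after {max_retries} retries: {url}")
            # Assumption: Retry-After, when present, is an integer number of seconds.
            sleep(float(resp.headers.get("Retry-After", delay)))
            delay = min(delay * 2, 30.0)
            continue
        if resp.status_code == 404:
            return []  # assumption: no entrypoint ruleset means the phase is not configured
        if resp.status_code != 200:
            raise RuntimeError(f"HTTP {resp.status_code} for {url}")
        body = resp.json()
        if not body.get("success", False):
            raise RuntimeError(f"API error for {url}: {body.get('errors')}")
        return body["result"].get("rules", [])
    raise AssertionError("unreachable")


class FakeResponse:
    """Constructed stand-in for a requests.Response."""

    def __init__(self, status_code, body=None, headers=None):
        self.status_code = status_code
        self.headers = headers or {}
        self._body = body if body is not None else {}

    def json(self):
        return self._body


class ScriptedClient:
    """Replays a fixed list of responses in order and records each request (test double)."""

    def __init__(self, responses):
        self._responses = list(responses)
        self.calls = []

    def get(self, url, headers=None):
        self.calls.append((url, headers))
        return self._responses.pop(0)


def demo():
    """Exercise both paths against constructed responses and return what happened."""
    waits = []
    # Path 1: a 429 with Retry-After, then a 200 carrying two rules.
    client = ScriptedClient([
        FakeResponse(429, headers={"Retry-After": "2"}),
        FakeResponse(200, {"success": True, "result": {"rules": [
            {"id": "r1", "action": "block"}, {"id": "r2", "action": "log"}]}}),
    ])
    rules = fetch_phase_rules("zone-a", "http_request_firewall_custom", "tok",
                              client.get, sleep=waits.append)
    # Path 2: phase never configured on the zone -> 404 -> empty list, no exception.
    client2 = ScriptedClient([FakeResponse(404, {"success": False, "errors": []})])
    empty = fetch_phase_rules("zone-a", "http_ratelimit", "tok", client2.get, sleep=waits.append)
    return {"rules": rules, "waits": waits, "empty": empty, "calls": len(client.calls)}


if __name__ == "__main__":
    print(demo())
```

To run against a real zone, pass `requests.Session().get` as `http_get` and the token from `CLOUDFLARE_API_TOKEN`; the injected `sleep` and the scripted client exist only so the backoff and empty-phase paths can be checked offline.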
