Cloudflare Hardening

Configure WAF and rate-limits for public reliability APIs.

Cloudflare Hardening Checklist

FakeMCP manages edge protections through infra automation.

Primary commands:

pnpm infra:bootstrap
pnpm infra:deploy
pnpm infra:check

Managed protections (idempotent upserts)

WAF managed ruleset execution for the production zone.
Zone rate-limit rules for:
- /mcp
- /scenario
- /v1/scenario
- /v1/suites
- /v1/runs
- /v1/replays
- /v1/conformance

Default thresholds in config:

/mcp*: 300 req / 60s
/scenario*: 120 req / 60s
Reliability routes: 90 req / 60s
Mitigation timeout: 60s

All rule ownership is tagged with fakemcp:auto metadata for safe repeat upserts.

Route ownership enforcement

infra:deploy and infra:check enforce:

API routes -> fakemcp-mcp
fakemcp.com/* fallback -> fakemcp-web

Notes

App-level token-bucket limits remain enabled in @fakemcp/mcp.
No staging profile is defined in this launch track.