@heri16
Created February 5, 2025 11:19
Cloudflare Hardening Scripts to get great scores on https://www.ssllabs.com/ssltest/
#!/bin/sh
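# API token (value redacted here); keep the real token out of version control
CF_API_TOKEN="redacted"
# check that the API token is valid
curl -X GET "https://api.cloudflare.com/client/v4/accounts/8bb6305b489fc12377ff03ffbcbadbc6/tokens/verify" \
-H "Authorization: Bearer $CF_API_TOKEN" \
-H "Content-Type: application/json"
# reset the zone cipher list to Cloudflare defaults (includes weak ciphers); the next call replaces it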
curl --request PATCH \
"https://api.cloudflare.com/client/v4/zones/2dea2107afb949339781ab6da14cefc8/settings/ciphers" \
--header "Authorization: Bearer $CF_API_TOKEN" \
--header "Content-Type: application/json" \
--data '{"value": []}'
# set strong ciphers (removes weak ciphers)
# requires $10/month Advanced Certificate Manager subscription
curl --request PATCH \
"https://api.cloudflare.com/client/v4/zones/2dea2107afb949339781ab6da14cefc8/settings/ciphers" \
--header "Authorization: Bearer $CF_API_TOKEN" \
--header "Content-Type: application/json" \
--data '{"value": ["ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-ECDSA-AES256-GCM-SHA384", "ECDHE-RSA-CHACHA20-POLY1305", "ECDHE-RSA-AES256-GCM-SHA384"]}'
# set minimum TLS version to 1.3 for the hostname api.cork.tech
curl --request PUT \
"https://api.cloudflare.com/client/v4/zones/2dea2107afb949339781ab6da14cefc8/hostnames/settings/min_tls_version/api.cork.tech" \
--header "Authorization: Bearer $CF_API_TOKEN" \
--header "Content-Type: application/json" \
--data '{"value": "1.3"}'
# set minimum TLS version to 1.2 for the hostname app.cork.tech
curl --request PUT \
"https://api.cloudflare.com/client/v4/zones/2dea2107afb949339781ab6da14cefc8/hostnames/settings/min_tls_version/app.cork.tech" \
--header "Authorization: Bearer $CF_API_TOKEN" \
--header "Content-Type: application/json" \
--data '{"value": "1.2"}'
# override ciphers for app.cork.tech with the strongest TLS 1.2 ciphers (removes weak ciphers)
curl --request PUT \
"https://api.cloudflare.com/client/v4/zones/2dea2107afb949339781ab6da14cefc8/hostnames/settings/ciphers/app.cork.tech" \
--header "Authorization: Bearer $CF_API_TOKEN" \
--header "Content-Type: application/json" \
--data '{"value": ["ECDHE-ECDSA-CHACHA20-POLY1305", "ECDHE-ECDSA-AES256-GCM-SHA384"]}'
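To confirm the cipher settings took effect, the list returned by a GET on the same `settings/ciphers` endpoint can be audited. The following is an added example, not part of the original gist: it assumes the response wraps the list as `result.value`, and the function names and sample responses are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the cipher list from a Cloudflare "ciphers" setting response.
# Assumption: the body wraps the list as {"result": {"id": "ciphers", "value": [...]}}.

# Constructed sample responses (not captured from a real zone).
STRONG_SAMPLE='{"success":true,"result":{"id":"ciphers","value":["ECDHE-ECDSA-CHACHA20-POLY1305","ECDHE-ECDSA-AES256-GCM-SHA384"]}}'
MIXED_SAMPLE='{"success":true,"result":{"id":"ciphers","value":["ECDHE-RSA-AES128-GCM-SHA256", "ECDHE-RSA-AES128-SHA", "AES128-SHA"]}}'
DEFAULT_SAMPLE='{"success":true,"result":{"id":"ciphers","value":[]}}'

# Print the cipher names found in the "value" array, one per line.
extract_ciphers() {
    printf '%s' "$1" | tr -d '\r\n' |
        sed -n 's/.*"value"[[:space:]]*:[[:space:]]*\[\([^]]*\)\].*/\1/p' |
        tr ',' '\n' | sed -e 's/[[:space:]"]//g' -e '/^$/d'
}

# Strong here means ECDHE key exchange (forward secrecy) with an AEAD cipher.
is_strong() {
    case "$1" in
        ECDHE-*-GCM-*|ECDHE-*-CHACHA20-POLY1305) return 0 ;;
        *) return 1 ;;
    esac
}

# Exit status: 0 = all listed ciphers strong, 1 = at least one weak cipher,
# 2 = empty list (the reset-to-defaults value above), 3 = no "value" field.
audit_ciphers() {
    case "$1" in *'"value"'*) ;; *) echo "ERROR     no value field in response"; return 3 ;; esac
    ciphers=$(extract_ciphers "$1")
    if [ -z "$ciphers" ]; then
        echo "DEFAULTS  empty list: Cloudflare default cipher set applies"
        return 2
    fi
    result=0
    for c in $ciphers; do
        if is_strong "$c"; then
            echo "ok        $c"
        else
            echo "WEAK      $c"
            result=1
        fi
    done
    return "$result"
}

# Demo on the constructed samples; || true keeps the demo going on non-zero status.
audit_ciphers "$STRONG_SAMPLE" || true
audit_ciphers "$MIXED_SAMPLE" || true
audit_ciphers "$DEFAULT_SAMPLE" || true
```

Against a live zone, pass the body of the GET response as the single argument to `audit_ciphers` and treat any non-zero status as a failed check.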