diff --git a/docs/images/providers/cloudflare-account-id-form.png b/docs/images/providers/cloudflare-account-id-form.png new file mode 100644 index 0000000000..4175c44713 Binary files /dev/null and b/docs/images/providers/cloudflare-account-id-form.png differ diff --git a/docs/images/providers/cloudflare-account-id.png b/docs/images/providers/cloudflare-account-id.png new file mode 100644 index 0000000000..901d1e2659 Binary files /dev/null and b/docs/images/providers/cloudflare-account-id.png differ diff --git a/docs/images/providers/cloudflare-api-email-form.png b/docs/images/providers/cloudflare-api-email-form.png new file mode 100644 index 0000000000..7f9526e93c Binary files /dev/null and b/docs/images/providers/cloudflare-api-email-form.png differ diff --git a/docs/images/providers/cloudflare-auth-selection.png b/docs/images/providers/cloudflare-auth-selection.png new file mode 100644 index 0000000000..4a8610f050 Binary files /dev/null and b/docs/images/providers/cloudflare-auth-selection.png differ diff --git a/docs/images/providers/cloudflare-launch-scan.png b/docs/images/providers/cloudflare-launch-scan.png new file mode 100644 index 0000000000..65b4acd99d Binary files /dev/null and b/docs/images/providers/cloudflare-launch-scan.png differ diff --git a/docs/images/providers/cloudflare-token-form.png b/docs/images/providers/cloudflare-token-form.png new file mode 100644 index 0000000000..a147bcbfe2 Binary files /dev/null and b/docs/images/providers/cloudflare-token-form.png differ diff --git a/docs/images/providers/cloudflare-token-permissions.png b/docs/images/providers/cloudflare-token-permissions.png new file mode 100644 index 0000000000..49926f0415 Binary files /dev/null and b/docs/images/providers/cloudflare-token-permissions.png differ 
diff --git a/docs/images/providers/cloudflare-token-save.png b/docs/images/providers/cloudflare-token-save.png new file mode 100644 index 0000000000..641c46afb0 Binary files /dev/null and b/docs/images/providers/cloudflare-token-save.png differ diff --git a/docs/images/providers/select-cloudflare-prowler-cloud.png b/docs/images/providers/select-cloudflare-prowler-cloud.png new file mode 100644 index 0000000000..508f17d595 Binary files /dev/null and b/docs/images/providers/select-cloudflare-prowler-cloud.png differ diff --git a/docs/user-guide/providers/cloudflare/authentication.mdx b/docs/user-guide/providers/cloudflare/authentication.mdx index 8ee8b518cf..eedcd57a33 100644 --- a/docs/user-guide/providers/cloudflare/authentication.mdx +++ b/docs/user-guide/providers/cloudflare/authentication.mdx 
@@ -1,119 +1,130 @@ --- -title: 'Cloudflare Authentication in Prowler' +title: "Cloudflare Authentication in Prowler" --- -Prowler for Cloudflare supports the following authentication methods: +import { VersionBadge } from "/snippets/version-badge.mdx" -- [**API Token**](#api-token-recommended) (**Recommended**) -- [**API Key and Email (Legacy)**](#api-key-and-email-legacy) + + +Prowler for Cloudflare supports two authentication methods, both available in Prowler Cloud and Prowler CLI: + +- [**API Token**](#api-token-recommended) (**Recommended**) — Scoped, least-privilege access to specific permissions and zones. +- [**API Key and Email**](#api-key-and-email-legacy) (**Legacy**) — Global access to the entire account using the Global API Key. + + +**Use only one authentication method at a time.** If both API Token and API Key + Email are set, Prowler uses the API Token and logs an error about the conflict. + ## Required Permissions -Prowler requires read-only access to your Cloudflare zones and their settings. The following permissions are needed: +Prowler requires read-only access to Cloudflare zones and their settings. The following permissions must be configured when creating the API Token: -| Permission | Description | -|------------|-------------| -| `Zone:Read` | Read access to zone settings and configurations | -| `Zone Settings:Read` | Read access to zone security settings (SSL/TLS, HSTS, etc.) | -| `DNS:Read` | Read access to DNS records (for DNSSEC checks) | +| Resource | Permission | Access | Description | +|----------|------------|--------|-------------| +| `Account` | `Account Settings` | `Read` | Required to list accounts and verify user identity | +| `Zone` | `Zone` | `Read` | Required to list zones, rulesets, bot management, and SSL settings | +| `Zone` | `Zone Settings` | `Read` | Required to read zone security settings (TLS, HSTS, WAF, etc.) 
| +| `Zone` | `DNS` | `Read` | Required to read DNS records and DNSSEC status | -Ensure your API Token or API Key has access to all zones you want to scan. If permissions are missing, some checks may fail or return incomplete results. +Ensure the API Token has access to all zones targeted for scanning. Missing permissions may cause some checks to fail or return incomplete results. +--- + ## API Token (Recommended) -API Tokens are the recommended authentication method because they: +User API Tokens are the recommended authentication method because they: + - Can be scoped to specific permissions and zones - Are more secure than global API keys - Can be easily rotated without affecting other integrations -### Step 1: Create an API Token + +Create a **User API Token**, not an Account API Token. User API Tokens are created from the profile settings and offer finer permission control. + -1. **Log into Cloudflare Dashboard** - - Go to [https://dash.cloudflare.com](https://dash.cloudflare.com) and sign in +### Step 1: Create a User API Token -2. **Navigate to API Tokens** - - Click on your profile icon in the top right corner - - Select **My Profile** - - Click on the **API Tokens** tab - -3. **Create a Custom Token** - - Click **Create Token** - - Select **Create Custom Token** (at the bottom) - -4. **Configure Token Permissions** - - Give your token a descriptive name (e.g., "Prowler Security Scanner") and add the [required permissions](#required-permissions) listed above. - -5. **Set Zone Resources** - - Under **Zone Resources**, select either: - - **Include → All zones** (to scan all zones in your account) +1. Log into the [Cloudflare Dashboard](https://dash.cloudflare.com). +2. Click on the profile icon in the top right corner, then select "My Profile". +3. Click on the **API Tokens** tab. +4. Click **Create Token**, then select **Create Custom Token** at the bottom of the page. +5. 
Configure the token with the following settings: + - **Token name:** A descriptive name (e.g., "Prowler Security Scanner") + - **Permissions:** + - `Account` — `Account Settings` — `Read` + - `Zone` — `Zone` — `Read` + - `Zone` — `Zone Settings` — `Read` + - `Zone` — `DNS` — `Read` + - **Zone Resources:** Select either: + - **Include → All zones** (to scan all zones in the account) - **Include → Specific zone** (to limit access to specific zones) -6. **Create and Copy Token** - - Click **Continue to summary** - - Review the permissions and click **Create Token** - - **Copy the token immediately** - Cloudflare will only show it once + ![Token Permissions](/images/providers/cloudflare-token-permissions.png) -### Step 2: Store the Token Securely +6. Configure the **Account Resources** and **Zone Resources**, and optionally set a **TTL** for the token expiration. Click **Continue to summary**. -Store your API token as an environment variable: + ![Token Resources and TTL](/images/providers/cloudflare-token-save.png) -```bash -export CLOUDFLARE_API_TOKEN="your-api-token-here" -``` +7. Review the permissions and click **Create Token**. +8. Copy the token immediately. -Never commit API tokens to version control or share them in plain text. Use environment variables or a secrets manager. +Cloudflare only displays the token once. Copy it immediately and store it securely. If lost, a new token must be created. +### Step 2: Provide the Token to Prowler + +- **Prowler Cloud:** Paste the token in the credentials form when configuring the Cloudflare provider. +- **Prowler CLI:** Export the token as an environment variable: + +```console +export CLOUDFLARE_API_TOKEN="your-api-token-here" +prowler cloudflare +``` + +--- + ## API Key and Email (Legacy) -API Keys provide full access to your Cloudflare account. While supported, this method is less secure than API Tokens because it grants broader permissions. +API Keys provide full access to the Cloudflare account. 
While supported, this method is less secure than API Tokens because it grants broader permissions. -### Step 1: Get Your API Key +### Step 1: Get the Global API Key -1. **Log into Cloudflare Dashboard** - - Go to [https://dash.cloudflare.com](https://dash.cloudflare.com) and sign in +1. Log into the [Cloudflare Dashboard](https://dash.cloudflare.com). +2. Click on the profile icon in the top right corner, then select "My Profile". +3. Click on the **API Tokens** tab. +4. Scroll down to the **API Keys** section. +5. Click **View** next to **Global API Key**. +6. Enter the account password to reveal the key, then copy it. -2. **Navigate to API Tokens** - - Click on your profile icon in the top right corner - - Select **My Profile** - - Click on the **API Tokens** tab +### Step 2: Provide the Credentials to Prowler -3. **View Global API Key** - - Scroll down to the **API Keys** section - - Click **View** next to **Global API Key** - - Enter your password to reveal the key - - Copy the API key +- **Prowler Cloud:** Enter the Global API Key and email in the credentials form when configuring the Cloudflare provider. +- **Prowler CLI:** Export both values as environment variables: -### Step 2: Store Credentials Securely - -Store both your API key and email as environment variables: - -```bash +```console export CLOUDFLARE_API_KEY="your-api-key-here" export CLOUDFLARE_API_EMAIL="your-email@example.com" +prowler cloudflare ``` -The email must be the same email address used to log into your Cloudflare account. +The email must match the email address used to log into the Cloudflare account. +--- + ## Best Practices -### Security Recommendations +- **Use API Tokens instead of API Keys** — Tokens can be scoped to specific permissions and zones. +- **Use environment variables** — Never hardcode credentials in scripts or commands. +- **Rotate credentials regularly** — Create new tokens periodically and revoke old ones. 
+- **Use least privilege** — Only grant the minimum permissions needed for scanning. +- **Monitor token usage** — Review the Cloudflare audit log for suspicious activity. -- **Use API Tokens instead of API Keys** - Tokens can be scoped to specific permissions -- **Use environment variables** - Never hardcode credentials in scripts or commands -- **Rotate credentials regularly** - Create new tokens periodically and revoke old ones -- **Use least privilege** - Only grant the minimum permissions needed -- **Monitor token usage** - Review the Cloudflare audit log for suspicious activity - - -**Use only one authentication method at a time.** If both API Token and API Key + Email are set, Prowler will use the API Token and log an error message. - +--- ## Troubleshooting @@ -123,20 +134,15 @@ This error occurs when using API Key authentication without providing the email ### "Authentication error" or "Permission denied" -- Verify your API Token or API Key is correct and not expired -- Check that your token has the [required permissions](#required-permissions) -- Ensure your token has access to the zones you're trying to scan +- Verify the API Token or API Key is correct and not expired. +- Check that the token has the [required permissions](#required-permissions). +- Ensure the token has access to the zones targeted for scanning. ### "Both API Token and API Key and Email credentials are set" -This warning appears when all three environment variables are set: -- `CLOUDFLARE_API_TOKEN` -- `CLOUDFLARE_API_KEY` -- `CLOUDFLARE_API_EMAIL` +This warning appears when all three environment variables are set (`CLOUDFLARE_API_TOKEN`, `CLOUDFLARE_API_KEY`, `CLOUDFLARE_API_EMAIL`). To resolve, unset the credentials that are not needed: -To resolve, unset the credentials you don't want to use: - -```bash +```console # To use API Token only (recommended) unset CLOUDFLARE_API_KEY unset CLOUDFLARE_API_EMAIL 
@@ -144,3 +150,7 @@ unset CLOUDFLARE_API_EMAIL # Or to use API Key and Email only unset CLOUDFLARE_API_TOKEN ``` + +### "Account not found" Error + +This error occurs when a specified `--account-id` is not accessible with the current credentials. Verify the Account ID is correct and that the credentials have access to the target account. diff --git a/docs/user-guide/providers/cloudflare/getting-started-cloudflare.mdx b/docs/user-guide/providers/cloudflare/getting-started-cloudflare.mdx index d3c916750e..2bc18bcca8 100644 --- a/docs/user-guide/providers/cloudflare/getting-started-cloudflare.mdx +++ b/docs/user-guide/providers/cloudflare/getting-started-cloudflare.mdx 
@@ -1,117 +1,165 @@ --- -title: 'Getting Started with Cloudflare' +title: 'Getting Started With Cloudflare on Prowler' --- -import { VersionBadge } from "/snippets/version-badge.mdx"; +import { VersionBadge } from "/snippets/version-badge.mdx" - - -Prowler for Cloudflare allows you to scan your Cloudflare zones for security misconfigurations, including SSL/TLS settings, DNSSEC, HSTS, and more. +Prowler for Cloudflare scans zones for security misconfigurations, including SSL/TLS settings, DNSSEC, HSTS, WAF rules, DNS records, and more. ## Prerequisites -Before running Prowler with the Cloudflare provider, ensure you have: +Set up authentication for Cloudflare with the [Cloudflare Authentication](/user-guide/providers/cloudflare/authentication) guide before starting either path: -1. A Cloudflare account with at least one zone -2. One of the following authentication methods configured (see [Authentication](/user-guide/providers/cloudflare/authentication)): - - An **API Token** (recommended) - - An **API Key + Email** (legacy) +- Create a Cloudflare User API Token (recommended) or locate the Global API Key +- Grant the required read-only permissions (`Account Settings:Read`, `Zone:Read`, `Zone Settings:Read`, `DNS:Read`) +- Identify the Cloudflare Account ID to use as the provider identifier -## Quick Start + + + Onboard Cloudflare using Prowler Cloud + + + Onboard Cloudflare using Prowler CLI + + + +## Prowler Cloud + + + +### Step 1: Locate the Account ID + +1. Log into the [Cloudflare Dashboard](https://dash.cloudflare.com). +2. Select any zone in the target account. +3. On the zone overview page, find the **Account ID** in the right sidebar under the "API" section. + + ![Cloudflare Account ID](/images/providers/cloudflare-account-id.png) + + +The Account ID is a 32-character hexadecimal string (e.g., `372e67954025e0ba6aaa6d586b9e0b59`). This value acts as the unique identifier for the Cloudflare account in Prowler Cloud. + + +### Step 2: Open Prowler Cloud + +1. 
Go to [Prowler Cloud](https://cloud.prowler.com/) or launch [Prowler App](/user-guide/tutorials/prowler-app). +2. Navigate to "Configuration" > "Cloud Providers". + + ![Cloud Providers Page](/images/prowler-app/cloud-providers-page.png) + +3. Click "Add Cloud Provider". + + ![Add a Cloud Provider](/images/prowler-app/add-cloud-provider.png) + +4. Select "Cloudflare". + + ![Select Cloudflare](/images/providers/select-cloudflare-prowler-cloud.png) + +5. Add the **Account ID** and an optional alias, then click "Next". + + ![Add Cloudflare Account ID](/images/providers/cloudflare-account-id-form.png) + +### Step 3: Choose and Provide Authentication + +After the Account ID is in place, select the authentication method that matches the Cloudflare setup: + +![Select Authentication Method](/images/providers/cloudflare-auth-selection.png) + +#### User API Token Authentication (Recommended) + +1. Select **API Token**. +2. Enter the **User API Token** created in the Cloudflare Dashboard. + + ![API Token Form](/images/providers/cloudflare-token-form.png) + +Use this method for scoped, least-privilege access. Full setup steps are in the [Authentication guide](/user-guide/providers/cloudflare/authentication#api-token-recommended). + +#### API Key and Email Authentication (Legacy) + +1. Select **API Key + Email**. +2. Enter the **Global API Key**. +3. Enter the **email address** associated with the Cloudflare account. + + ![API Key and Email Form](/images/providers/cloudflare-api-email-form.png) + +For the complete setup workflow, follow the [Authentication guide](/user-guide/providers/cloudflare/authentication#api-key-and-email-legacy). + +### Step 4: Launch the Scan + +1. Review the summary. +2. Click **Launch Scan** to start auditing Cloudflare. 
+ + ![Launch Scan](/images/providers/cloudflare-launch-scan.png) + +--- + +## Prowler CLI + + ### Step 1: Set Up Authentication -The recommended method is using an API Token via environment variable: +Choose the matching method from the [Cloudflare Authentication](/user-guide/providers/cloudflare/authentication) guide: -```bash -export CLOUDFLARE_API_TOKEN="your-api-token-here" -``` +- **User API Token** (recommended): Set `CLOUDFLARE_API_TOKEN` +- **API Key + Email** (legacy): Set `CLOUDFLARE_API_KEY` and `CLOUDFLARE_API_EMAIL` -Alternatively, use API Key + Email: +### Step 2: Run the First Scan -```bash -export CLOUDFLARE_API_KEY="your-api-key-here" -export CLOUDFLARE_API_EMAIL="your-email@example.com" -``` +Run a baseline scan after credentials are configured: -### Step 2: Run Prowler - -Run a scan across all your Cloudflare zones: - -```bash +```console prowler cloudflare ``` -That's it! Prowler will automatically discover all zones in your account and run security checks against them. +Prowler automatically discovers all zones accessible with the provided credentials and runs security checks against them. -## Authentication +### Step 3: Filter the Scan Scope (Optional) -Prowler reads Cloudflare credentials from environment variables. 
Set your credentials before running Prowler: - -**API Token (Recommended):** -```bash -export CLOUDFLARE_API_TOKEN="your-api-token-here" -prowler cloudflare -``` - -**API Key + Email (Legacy):** -```bash -export CLOUDFLARE_API_KEY="your-api-key-here" -export CLOUDFLARE_API_EMAIL="your-email@example.com" -prowler cloudflare -``` - -## Filtering Zones - -By default, Prowler scans all zones accessible with your credentials: - -```bash -prowler cloudflare -``` +#### Filter by Zone To scan only specific zones, use the `-f`, `--region`, or `--filter-region` argument: -```bash +```console prowler cloudflare -f example.com ``` -You can specify multiple zones: +Multiple zones can be specified: -```bash +```console prowler cloudflare -f example.com example.org ``` -You can also use zone IDs instead of domain names: +Zone IDs are also supported: -```bash +```console prowler cloudflare -f 023e105f4ecef8ad9ca31a8372d0c353 ``` -## Filtering Accounts +#### Filter by Account -By default, Prowler scans all accounts accessible with your credentials. If your API Token or API Key has access to multiple Cloudflare accounts, you can restrict the scan to specific accounts using the `--account-id` argument: +To restrict the scan to specific accounts, use the `--account-id` argument: -```bash +```console prowler cloudflare --account-id 372e67954025e0ba6aaa6d586b9e0b59 ``` -You can specify multiple account IDs: +Multiple account IDs can be specified: -```bash +```console prowler cloudflare --account-id 372e67954025e0ba6aaa6d586b9e0b59 9a7806061c88ada191ed06f989cc3dac ``` -If any of the provided account IDs are not found among the accounts accessible with your credentials, Prowler will raise an error and stop execution. +If any of the provided account IDs are not accessible with the current credentials, Prowler raises an error and stops execution. 
-You can combine account and zone filtering to narrow the scan scope further: +Account and zone filtering can be combined to narrow the scan scope further: -```bash +```console prowler cloudflare --account-id 372e67954025e0ba6aaa6d586b9e0b59 -f example.com ``` -## Configuration +### Step 4: Use a Custom Configuration (Optional) Prowler uses a configuration file to customize provider behavior. The Cloudflare configuration includes: @@ -123,10 +171,8 @@ cloudflare: To use a custom configuration: -```bash +```console prowler cloudflare --config-file /path/to/config.yaml ``` -## Next Steps - -- [Authentication](/user-guide/providers/cloudflare/authentication) - Detailed guide on creating API tokens and keys +---
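Review bot: in the authentication.mdx hunk `@@ -1,119 +1,130 @@`, step 5 of "Create a User API Token" already has the reader pick **Zone Resources** (`Include → All zones` / `Include → Specific zone`), and step 6 then says `Configure the **Account Resources** and **Zone Resources**, and optionally set a **TTL**`, so Zone Resources is configured twice and Account Resources, which the new `Account Settings:Read` table row depends on, is never explained. Suggest dropping the Zone Resources bullet from step 5 and making step 6 the single place that sets both, with one line on which account to include. In the same hunk, the callout `Create a **User API Token**, not an Account API Token ... offer finer permission control` gives a reason the permissions table does not support; if the real constraint is the `verify user identity` call listed in the `Account Settings` row, say that, because it tells readers why an Account-owned token fails. Also, `import { VersionBadge } from "/snippets/version-badge.mdx"` is added but no use of `VersionBadge` is visible in this hunk; drop the import if the badge is not rendered on the page.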
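Review bot: the troubleshooting hunk `@@ -123,20 +134,15 @@` keeps `This warning appears when all three environment variables are set`, while the new callout at the top of the same file says Prowler `logs an error about the conflict`. Pick one severity and use it in both places so readers know what to look for in the log. The `unset` fix that follows only applies to Prowler CLI; since the page now documents both Prowler Cloud and Prowler CLI, label it as the CLI remedy.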
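Review bot: the new `"Account not found" Error` entry in hunk `@@ -144,3 +150,7 @@` only describes the CLI `--account-id` flag, but this page now covers Prowler Cloud, where the Account ID is entered in the provider form. Mention that the same check applies to a wrong or inaccessible Account ID entered there, and link to the `Locate the Account ID` step in the getting-started guide so the reader can verify the 32-character value.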
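Review bot: in the getting-started hunk `@@ -1,117 +1,165 @@`, the Prerequisites bullet `Identify the Cloudflare Account ID to use as the provider identifier` is presented as required `before starting either path`, but the CLI path never uses it except as the optional `--account-id` filter, so it reads as a hard requirement it is not; scope that bullet to Prowler Cloud. The same hunk drops the sentence `By default, Prowler scans all accounts accessible with your credentials`, so "Filter by Account" no longer states the default behaviour; restore it before the `--account-id` example. Minor: the title here keeps single quotes (`'Getting Started With Cloudflare on Prowler'`) while authentication.mdx is switched to double quotes in the same PR.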
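Review bot: the last hunk `@@ -123,10 +171,8 @@` replaces the `## Next Steps` section and its link to the authentication guide with a bare `+---`, and no content follows it in the hunk. If that is the end of the file, the horizontal rule dangles; either remove it or keep a short Next Steps link to `/user-guide/providers/cloudflare/authentication`, which the rest of the page already relies on.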