Cf
БесплатноНе проверенRead-only Cloudflare MCP server for SOC investigation, exposing Cloudflare services like WAF, bot management, analytics, and Zero Trust for querying and discove
Описание
Read-only Cloudflare MCP server for SOC investigation, exposing Cloudflare services like WAF, bot management, analytics, and Zero Trust for querying and discovery.
README
Read-only Cloudflare MCP server for SOC investigation agents (companion to
sumologic-mcp, flare-mcp, mcp-virustotal).
Exposes:
- Discovery — accounts, zones
- Rulesets & WAF — custom rules, rate-limit rules, managed rulesets
- Bot Management — config, Super Bot Fight Mode
- Analytics (GraphQL) — firewall events, HTTP requests, bot events, baseline traffic diff
- Cloudflare One / Zero Trust — Access apps & policies, Gateway rules, WARP devices, IdPs
- Logpush — job metadata
- Helpers — dashboard URL builder, wirefilter validator
v1 is strictly read-only. Every non-GET HTTP request is refused at the
client layer when CF_READ_ONLY=true (default).
Install
uv sync
Configure
Store your Cloudflare API token in the OS credential store (Windows Credential Manager / macOS Keychain / Linux Secret Service):
uv run cf-mcp-setup
Alternatively, set the CF_API_TOKEN environment variable in your MCP client
config — useful on headless Linux hosts where no keyring backend is available.
Required token scopes
Create an API token at https://dash.cloudflare.com/profile/api-tokens with at least these read permissions:
- Zone Read
- Zone WAF Read
- Account Rulesets Read
- Account Settings Read
- Bot Management Read
- Analytics Read (Account + Zone)
- Logs Read
- Access: Apps Read, Access: Policies Read
- Zero Trust: Gateway Read
Optional env vars
CF_ACCOUNT_ID— default account ID for account-scoped tools.CF_ZONE_ALLOWLIST— comma-separated zone names; zone-scoped tools refuse zones not in the list, even if the token has broader access.CF_READ_ONLY— defaults totrue; setfalseonly if a future v1.5 ships mutating tools and you've reviewed them.
MCP client config
Claude Desktop (claude_desktop_config.json)
{
"mcpServers": {
"cloudflare": {
"command": "uv",
"args": ["run", "--project", "/path/to/cf-mcp", "cf-mcp"],
"env": {
"CF_ACCOUNT_ID": "<your-account-id>",
"CF_ZONE_ALLOWLIST": "example.com,example.net"
}
}
}
}
Development
uv sync
uv run ruff check src tests
uv run mypy --strict src
uv run pytest tests/unit
CF_LIVE_TEST=true uv run pytest tests/integration
Architecture notes
- One async httpx client per process, shared across all tool calls.
- No retry on 429 — the agent decides;
retry_after_sis surfaced in the error envelope. Retry 502/503/504 with exponential backoff + jitter, max 3 attempts, ~10s total budget. - No internal rate-limit accountant — Cloudflare's edge and the agent are the only governors. REST quota is 1200/5min; GraphQL is a separate 300/5min.
- No cache in v1 — the
cache_metaenvelope field is reserved for v1.5. - Compact-mode by default — GraphQL tools return only dimensions + counts.
Detail drill-down via
verbose=trueoncf_query_firewall_events_rawandcf_query_http_requests_raw. - Hard ~20K-token response ceiling — exceeding tools return
response_too_largewith a hint, never silent truncation.
Response envelope
{
"data": {...},
"next_cursor": "v1.<base64>",
"cache_meta": {"hit": false, "age_s": 0, "ttl_s": 0},
"api_endpoint_called": "POST /graphql",
"correlation_id": "uuid",
"error": null
}
On error, data is null and error has:
{
"code": "rate_limited|auth|not_found|validation|upstream|response_too_large|read_only_violation|zone_not_allowed",
"http_status": 429,
"cf_errors": [{"code": 10000, "message": "..."}],
"retry_after_s": 30,
"hint": "narrow the time range or reduce limit"
}
Установка Cf
У этого сервера нет опубликованного пакета — он собирается из исходников. Открой репозиторий и следуй инструкции в README.
▸ github.com/wojtekkura/cf-mcpFAQ
Cf MCP бесплатный?
Да, Cf MCP бесплатный — установка в пару кликов через Unyly без оплаты.
Нужен ли API-ключ для Cf?
Нет, Cf работает без API-ключей и переменных окружения.
Cf — hosted или self-hosted?
Доступен hosted-вариант: Unyly запускает сервер в облаке, локальная установка не обязательна.
Как установить Cf в Claude Desktop, Claude Code или Cursor?
Открой Cf на unyly.org, выбери вкладку своего клиента (Claude Desktop, Claude Code, Cursor) и нажми Install — конфиг сгенерируется автоматически, без правки JSON.
Похожие MCP
GitHub
PRs, issues, code search, CI status
автор: GitHubFilesystem
Secure file operations with configurable access controls.
Memory
Knowledge graph-based persistent memory system.
Template MCP Server
A CLI tool to create a new Model Context Protocol server project with TypeScript support, dual transport options, and an extensible structure
автор: mcpdotdirectCompare Cf with
Не уверен что выбрать?
Найди свой стек за 60 секунд
Автор?
Embed-бейдж для README
Похожее
Все в категории development
