← knowledge.oriz.in

Cloudflare API token leak + rotation (2026-07-06)

runbook securityincidentcloudflaresecretsrotation

CF API token leak + rotation — 2026-07-06

Incident

Token cfut_REDACTED_LEAKED_TOKEN hardcoded at scripts/cf_cleanup.py:13. Pushed to public workspace. Scrubbed to env var read (os.environ["CF_API_TOKEN"]).

Token ID: 5ccddd54b26ac5e5d8bcb0c5747d44a8.

Status at rotation time

Rotation steps (user action required)

  1. Open https://dash.cloudflare.com/profile/api-tokens
  2. Find token id 5ccddd54b26ac5e5d8bcb0c5747d44a8 (or by prefix — recover from prior git-history commit 259e164).
  3. Click Roll (rotate) or Delete.
  4. Create replacement token with same permissions (Pages + DNS edit for oriz.in).
  5. Update .env.enc with new token, re-encrypt, push.
  6. sops -d .env.enc > .env locally to refresh.

Prevention

Git history purge (if needed)

Public workspace commit still carries the token in history. Options: