Cloudflare API token leak + rotation (2026-07-06)
CF API token leak + rotation — 2026-07-06
Incident
Token cfut_REDACTED_LEAKED_TOKEN hardcoded at scripts/cf_cleanup.py:13. Pushed to public workspace. Scrubbed to env var read (os.environ["CF_API_TOKEN"]).
Token ID: 5ccddd54b26ac5e5d8bcb0c5747d44a8.
Status at rotation time
- File cleaned: yes (
scripts/cf_cleanup.py:14reads env). - No other files in workspace contain the token (
grep -rconfirmed). - Token still active on Cloudflare as of 2026-07-06 (verify endpoint returned
active).
Rotation steps (user action required)
- Open https://dash.cloudflare.com/profile/api-tokens
- Find token id
5ccddd54b26ac5e5d8bcb0c5747d44a8(or by prefix — recover from prior git-history commit259e164). - Click Roll (rotate) or Delete.
- Create replacement token with same permissions (Pages + DNS edit for
oriz.in). - Update
.env.encwith new token, re-encrypt, push. sops -d .env.enc > .envlocally to refresh.
Prevention
- Pre-commit hook:
gitleaksortrufflehogscanning forcfut_*pattern. - Rule
rules/security/no-hardcoded-secrets— all secrets via sops+age. - Never
os.environ.get("TOKEN", "<default>")with a real fallback.
Git history purge (if needed)
Public workspace commit still carries the token in history. Options:
git filter-repo --replace-textto redact.bfg --replace-textalternative.- Assume compromised regardless — rotate is the only real fix.