Is io.github.itunified-io/cloudflare safe to use?

io.github.itunified-io/cloudflare has no known CVEs as of the latest MCPpedia security scan. It does not require authentication, so any local process can connect — keep this in mind in shared environments.

How do I install io.github.itunified-io/cloudflare?

io.github.itunified-io/cloudflare can be installed by cloning its GitHub repository and following the setup instructions in the README.

What AI clients work with io.github.itunified-io/cloudflare?

io.github.itunified-io/cloudflare is compatible with Claude Desktop, Cursor, Claude Code, and most MCP clients that support stdio transport. It uses stdio transport.

mcp-cloudflare

Slim Cloudflare MCP Server for managing DNS, zones, tunnels, WAF, Zero Trust, and security via Cloudflare API v4.

No SSH. No shell execution. API-only. 3 runtime dependencies.

Features
Quick Start
HashiCorp Vault Integration (Optional)
Claude Code Integration
Configuration
Multi-Zone Support
Tools
Skills
Development
License

Features

75 tools across 11 domains:

DNS — Record management (A, AAAA, CNAME, MX, TXT, SRV, CAA, NS), batch operations
Zones — Zone listing, settings, SSL/TLS configuration, cache management
Tunnels — Cloudflare Tunnel creation, configuration, and ingress management
WAF — Ruleset management, custom firewall rules, rate limiting
Zero Trust — Access application CRUD (create/delete), policies (create/delete), identity providers (create/delete), Gateway status
Security — Security event analytics, IP access rules, DDoS configuration, Security Center insights
Workers KV — Namespace management, key-value read/write/delete, key listing
Workers — Script deployment, route management
Worker Secrets — Secret management (names only, values never exposed)
Worker Analytics — Invocation metrics, CPU time, error rates via GraphQL
R2 Storage — Bucket management, object listing and metadata, custom domains, location hints

Quick Start

npm install
cp .env.example .env   # Edit with your Cloudflare API token
npm run build
node dist/index.js     # stdio transport for MCP

HashiCorp Vault Integration (Optional)

mcp-cloudflare supports loading Cloudflare credentials from a central HashiCorp Vault instance at startup via AppRole authentication. This is optional — the server works fine with plain environment variables alone.

How It Works

On startup, if NAS_VAULT_ADDR is set the server performs an AppRole login, fetches the KV v2 secret at <mount>/data/cloudflare/api, and injects the values into the process environment before the MCP transport starts. The loader is fully opportunistic:

If NAS_VAULT_ADDR is unset, the loader is a silent no-op. No Vault calls are made and the server behaves exactly as before.
On any Vault error (network failure, bad credentials, missing secret path), a single-line warning is written to stderr and the server falls back to whatever environment variables are already set.
Secret values are never logged. Only the KV path name and a populated-count appear in stderr diagnostics.
Uses the built-in fetch (Node 20+) — no additional runtime dependencies.

Credential Precedence

Explicit env vars (CLOUDFLARE_API_TOKEN etc.) > Vault > error (missing creds)

If you set CLOUDFLARE_API_TOKEN directly, the Vault loader will not overwrite it. Vault only fills in credentials that are not already present in the environment.

Vault Environment Variables

Variable	Required	Description
`NA

... View full README on GitHub

io.github.itunified-io/cloudflare

Quick Install

Should you use this server?

Test This Server

Score Breakdown

MCPpedia Score

Security

Help improve this page

Reviews

Frequently Asked Questions

Similar servers

Observability Mcp

Mcp Server Kubernetes

io.github.xkumakichi/xaip-mcp-server

MCPpedia

Discussion