Skip to main content

Cloudflare domain runbook — findmydata.io

Operating discipline and intended configuration for the findmydata.io domain (registered through Cloudflare). The first live changes were applied on 2026-07-15 to bring the canonical marketing site online via GitHub Pages — see the change log at the bottom. Any further change must be inspected first, applied reversibly, validated, and recorded there.

Guardrails (do not violate)

  • Inspect before changing. Read the current registrar, DNS, DNSSEC, SSL/TLS, email records (MX/SPF/DKIM/DMARC), redirects, Pages/Workers, Access policies, and WAF/security state before any edit.
  • Preserve registrar ownership, transfer lock, recovery contacts, nameservers, DNSSEC, and email delivery unless a specific, understood change is required.
  • Never transfer the domain, purchase paid services to complete a task, weaken account/security settings, expose secrets, publish an unrestricted dev environment, or commit browser sessions / API tokens / origin credentials / zone secrets to the repository.
  • Reversible + logged. Every DNS/application/access change gets a change-log row (below) with purpose, validation, and rollback. Prefer least-privileged, scoped API tokens if automation is later added.
  • Confirmation required. Live changes to a production domain are outward- facing; make them only with explicit per-change approval.

Intended host map (suggested; consolidate freely)

Reserve names and add them intentionally — not every host is needed on day one. Do not create app.findmydata.io (that would imply a shared SaaS data plane; the product is customer-hosted). See ADR-0015.

Live DNS records (as of 2026-07-15)

The site is hosted on GitHub Pages (repo clarkdickens/FindMyData, site/ published by .github/workflows/pages.yml), not Cloudflare Pages. To let GitHub issue and manage the Let’s Encrypt certificate for the apex, the records are DNS-only (grey cloud) — a deliberate deviation from the proxied posture in the intended host map below. GitHub Pages custom-domain verification requires the public A records to resolve to GitHub’s IPs, which Cloudflare proxying would mask.
  • docs. → Mintlify hosts the documentation site (repo clarkdickens/FindMyData, docs/ published via the Mintlify GitHub App on every push to main). The two TXT records prove ownership and let Mintlify’s Cloudflare-for-SaaS issue the TLS cert; the CNAME must stay DNS-only (proxying would mask the SaaS hostname).
  • account. → Fly.io hosts the live Account portal (app findmydata-account, image ghcr.io/clarkdickens/findmydata). Fly issues the TLS cert (Let’s Encrypt) once the hostname resolves, so the CNAME must stay DNS-only (Fly needs to see its own edge, not Cloudflare’s).
  • clerk. / accounts. / clkmail. / clk._domainkey / clk2._domainkey → Clerk are the 5 records for the Clerk production instance on findmydata.io (Frontend API, account portal, and email/DKIM). All DNS-only. They resolve correctly on public resolvers; Clerk’s own DNS verification is asynchronous and may lag — the portal keeps running on the Clerk development instance (via a Fly secrets override) until Clerk marks the domain verified. See deploy-fly.md.
  • Email: Google Workspace MX records (aspmx.l.google.com + alts) route mail for the domain (added by the owner for bob@findmydata.io). Leave untouched unless the mail setup is intentionally changed.
  • DNSSEC: not enabled at the zone (no DS record) — unchanged.
  • Optional future hardening: once GitHub’s cert is stable, the records may be switched to proxied (orange cloud) with SSL/TLS mode Full to gain Cloudflare’s WAF/CDN/DDoS edge. GitHub re-verifies the domain periodically, so test cert renewal after any such switch.

Intended edge security posture

  • SSL/TLS mode Full (strict); always-use-HTTPS; HSTS with a conservative max-age first, increased after validation; do not preload until confident.
  • Security headers via a Cloudflare rule/Worker: Content-Security-Policy (the marketing page is self-contained, so a strict default-src 'self' + img-src 'self' data: policy fits), X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, X-Frame-Options: DENY.
  • WAF managed rules on; rate limiting + Turnstile/bot protection on public registration, login, activation, support upload, and download endpoints when those exist.
  • dev.findmydata.io behind Cloudflare Access (identity-aware, MFA) — never relying on an obscure hostname.
  • Scope cookies to the smallest host/path; no wildcard .findmydata.io session cookie (design §10). Secure, HttpOnly, SameSite.

Validation checklist (run after any change)

  1. dig findmydata.io / dig www.findmydata.io resolve as intended.
  2. https://findmydata.io serves the marketing page over TLS; www 301-redirects.
  3. Security headers present (curl -I); HSTS as configured.
  4. dev. requires the Access identity; unauthenticated requests are challenged.
  5. Email deliverability unaffected (MX/SPF/DKIM/DMARC unchanged).
  6. Rollback verified: the previous record/rule values are recorded below.

Change log

Record every future change here.