Summary
This gives Claude direct control over your Cloudflare infrastructure through the official API. You get 18 tools covering DNS records (create, update, delete A/AAAA/CNAME/MX/TXT), transform rules for header manipulation and URL rewrites, page rules for redirects and cache settings, and cache purging by URL, tag, or prefix. Security is front and center: your API token stays local via stdio transport, never touches third parties, and the codebase includes threat modeling docs and automated CVE scanning. Ships as a PyPI package or container built on minimal Hummingbird images. Reach for this when you need to let Claude manage your DNS, modify HTTP headers, or handle cache invalidation without leaving the terminal.
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →
MCP Cloudflare CrunchTools
A secure MCP (Model Context Protocol) server for Cloudflare DNS, Transform Rules, Page Rules, and cache management.
Overview
This MCP server is designed to be:
- Secure by default - Comprehensive threat modeling, input validation, and token protection
- No third-party services - Runs locally via stdio, your API token never leaves your machine
- Cross-platform - Works on Linux, macOS, and Windows
- Automatically updated - GitHub Actions monitor for CVEs and update dependencies
- Containerized - Available at
quay.io/crunchtools/mcp-cloudflarebuilt on Hummingbird Python base image
Naming Convention
| Component | Name |
|---|---|
| GitHub repo | crunchtools/mcp-cloudflare |
| Container | quay.io/crunchtools/mcp-cloudflare |
| Python package (PyPI) | mcp-cloudflare-crunchtools |
| CLI command | mcp-cloudflare-crunchtools |
| Module import | mcp_cloudflare_crunchtools |
Why Hummingbird?
The container image is built on the Hummingbird Python base image from Project Hummingbird, which provides:
- Minimal CVE exposure - Hummingbird images are built with a minimal package set, dramatically reducing the attack surface compared to general-purpose images
- Regular updates - Security patches are applied promptly, keeping CVE counts low
- Optimized for Python - Pre-configured Python environment with uv package manager for fast, reproducible builds
- Production-ready - Designed for production workloads with proper signal handling and non-root user defaults
This means your MCP server runs in a hardened environment with fewer vulnerabilities than typical Python container images
Features
Zone Management (2 tools)
list_zones- List all zones accessible by your API tokenget_zone- Get zone details by ID or domain name
DNS Records (5 tools)
list_dns_records- List DNS records with filteringget_dns_record- Get a single DNS recordcreate_dns_record- Create A, AAAA, CNAME, MX, TXT, NS, SRV, CAA recordsupdate_dns_record- Update existing recordsdelete_dns_record- Delete records
Transform Rules (6 tools)
list_request_header_rules/set_request_header_rules- Modify request headerslist_response_header_rules/set_response_header_rules- Modify response headerslist_url_rewrite_rules/set_url_rewrite_rules- URL path/query rewrites
Page Rules (4 tools)
list_page_rules- List all page rulescreate_page_rule- Create redirects, cache settings, SSL modesupdate_page_rule- Modify existing rulesdelete_page_rule- Remove rules
Cache Management (1 tool)
purge_cache- Purge by URL, tag, host, prefix, or everything
Installation
With uvx (Recommended)
uvx mcp-cloudflare-crunchtools
With pip
pip install mcp-cloudflare-crunchtools
With Container
podman run -e CLOUDFLARE_API_TOKEN=your_token \
quay.io/crunchtools/mcp-cloudflare
Configuration
Creating a Cloudflare API Token
-
Navigate to API Tokens
- Go to https://dash.cloudflare.com/profile/api-tokens
- Click "Create Token"
- Click "Get started" next to "Create Custom Token"
-
Configure Token Name
- Enter:
mcp-cloudflare-crunchtools
- Enter:
-
Configure Permissions
The Permissions section has three dropdowns per row:
- First dropdown: Resource type (
AccountorZone) - Second dropdown: Specific permission category
- Third dropdown: Access level (
ReadorEdit)
Click "+ Add more" to add each permission row. For full management, add:
Resource Permission Access Zone Zone Read Zone DNS Edit Zone Page Rules Edit Zone Transform Rules Edit Zone Cache Purge Purge - First dropdown: Resource type (
-
Configure Zone Resources
- First dropdown: Select "Include"
- Second dropdown: Select "All zones" or "Specific zone"
-
Configure Client IP Address Filtering (Optional)
- Click "Use my IP" button to restrict token to your current IP
-
Create and Copy Token
- Click "Continue to summary" → "Create Token"
- IMPORTANT: Copy the token immediately - it's only shown once!
Add to Claude Code
claude mcp add mcp-cloudflare-crunchtools \
--env CLOUDFLARE_API_TOKEN=your_token_here \
-- uvx mcp-cloudflare-crunchtools
Or for the container version:
claude mcp add mcp-cloudflare-crunchtools \
--env CLOUDFLARE_API_TOKEN=your_token_here \
-- podman run -i --rm -e CLOUDFLARE_API_TOKEN quay.io/crunchtools/mcp-cloudflare
Permission Sets by Use Case
Read-Only (viewing only)
| Resource | Permission | Access |
|---|---|---|
| Zone | Zone | Read |
| Zone | DNS | Read |
DNS Management Only
| Resource | Permission | Access |
|---|---|---|
| Zone | Zone | Read |
| Zone | DNS | Edit |
Full Management (all features)
| Resource | Permission | Access |
|---|---|---|
| Zone | Zone | Read |
| Zone | DNS | Edit |
| Zone | Page Rules | Edit |
| Zone | Transform Rules | Edit |
| Zone | Cache Purge | Purge |
Usage Examples
List Your Zones
User: List my Cloudflare zones
Assistant: [calls list_zones]
Create a DNS Record
User: Create an A record for www.example.com pointing to 192.168.1.1
Assistant: [calls create_dns_record with type=A, name=www, content=192.168.1.1]
Add Security Headers
User: Add X-Content-Type-Options: nosniff to all responses for zone abc123...
Assistant: [calls set_response_header_rules with appropriate rule]
Purge Cache
User: Purge the cache for https://example.com/styles.css
Assistant: [calls purge_cache with files=["https://example.com/styles.css"]]
Security
This server was designed with security as a primary concern. See SECURITY.md for:
- Threat model and attack vectors
- Defense in depth architecture
- Token handling best practices
- Input validation rules
- Audit logging
Key Security Features
-
Token Protection
- Stored as SecretStr (never accidentally logged)
- Environment variable only (never in files or args)
- Sanitized from all error messages
-
Input Validation
- Pydantic models for all inputs
- Allowlist for record types, actions
- Strict format validation for IDs
-
API Hardening
- Hardcoded API base URL (prevents SSRF)
- TLS certificate validation
- Request timeouts
- Response size limits
-
Automated CVE Scanning
- GitHub Actions scan dependencies weekly
- Automatic PRs for security updates
- Dependabot alerts enabled
Development
Setup
git clone https://github.com/crunchtools/mcp-cloudflare.git
cd mcp-cloudflare
uv sync
Run Tests
uv run pytest
Lint and Type Check
uv run ruff check src tests
uv run mypy src
Build Container
podman build -t mcp-cloudflare .
License
AGPL-3.0-or-later
Contributing
Contributions welcome! Please read SECURITY.md before submitting security-related changes.
Links
Featured
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →Categories
Registryactive
Packagemcp-cloudflare-crunchtools
TransportSTDIO
UpdatedMar 2, 2026
