Is my Cloudflare Setup safe?

Hey guys, I am completely new to all of this stuff.
I am hosting a Homeassistant server at home which I wanted to access from on the go. Therefore I bought myself a domain and setup cloudflare (Cloudflared in Home assistant) to be able to access it with a Cloudflare tunnel.

Since I´ve noticed that this website got quite a ton of traffic, I wanted to further secure it.

I firstly moved my Homeassist access to (imaginary) home.domain.com instead of domain.com. Since, in case i got it right, its harder to find subdomains than the real domain right?
Also, I´ve set SSL Client Certificates and setup WAF Custom Rules, in order to block all traffic outside my country + another rule to block all traffic which doesnt give a verified certificate.

Is this secure enough or am I missing something? I still got quite some Total Requests, however, I am not sure how to check, whether these requests are my own or not - is it somehow possible to see ALL traffic to my domain + subdomain and see, where its coming from (IPs)? If theres any improvements to be made, pls let me know!

grafik869×261 14.3 KB

By no means any expert in these areas, but I’m also using Cloudflare with my own domain. But what I’ve done apart from WAF and all that stuff is to use 2FA for the access of Home Assistant, actually a YubiKey as I prefer a physical device for that security layer. In addition to this I’ve also enabled the IP-ban to my configuration with login attempts threshold set to three.

This is totally fine. The traffic you are seeing is web crawlers, scanners etc. That is totally normal and nothing of concern. As long as you have a strong password for all your home assistant profiles (consider turning on 2FA) you are safe.
To get more insights into this traffic you are seeing you need a premium plan with cloudflare as far as I know.