LeakedCredentialCheck
Source:
src/Cloudflare/LeakedCredentialCheck/LeakedCredentialCheck.ts
The Leaked Credential Checks setting of a Cloudflare zone
(/zones/{zone_id}/leaked-credential-checks).
Leaked credential detection scans incoming requests for authentication
credentials previously seen in known breach compilations, populating the
cf.waf.credential_check.* ruleset fields that WAF rules can act on
(e.g. force a password reset on a leaked-credential login). The check is
a zone singleton — it always exists (default enabled: false), so
this resource never creates or deletes anything physical. Reconcile sets
the flag when the observed value differs from the desired one; destroy
restores the value the setting had before Alchemy first managed it
(captured as initialEnabled).
Leaked-credential detection is available on all plans. Custom detection locations (see LeakedCredentialDetection) are plan-gated separately.
Only one LeakedCredentialCheck resource per zone makes sense — two
instances managing the same zone would fight over the singleton.
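
The reconcile and destroy behaviour described above, and the conflict between two instances on one zone, modelled in memory as an added example (not Alchemy's code). `Zone`, `State`, `write`, `reconcile`, `destroy`, `lifecycle` and `fight` are hypothetical names, and treating an omitted `enabled` as on is an assumption drawn from the usage examples on this page.

```typescript
// Added illustration: in-memory model of the reconcile/destroy behaviour described above.
// Zone, State, reconcile and destroy are hypothetical names, not Alchemy's API.
interface Zone { enabled: boolean; writes: number } // the singleton; writes counts API updates
interface State { initialEnabled: boolean }          // value seen before first management

function write(zone: Zone, value: boolean): void {
  zone.enabled = value;
  zone.writes += 1;
}

// Assumption: omitting `enabled` means "on", as the page's first usage example suggests.
function reconcile(zone: Zone, props: { enabled?: boolean }, prior?: State): State {
  const state = prior ?? { initialEnabled: zone.enabled }; // captured once, never refreshed
  const desired = props.enabled ?? true;
  if (zone.enabled !== desired) write(zone, desired);      // no write when already in sync
  return state;
}

function destroy(zone: Zone, state: State): void {
  if (zone.enabled !== state.initialEnabled) write(zone, state.initialEnabled);
}

// One resource: create, idempotent re-run, update to off, then destroy.
function lifecycle(startEnabled: boolean) {
  const zone: Zone = { enabled: startEnabled, writes: 0 };
  let state = reconcile(zone, {});
  state = reconcile(zone, {}, state);
  const writesAfterRerun = zone.writes;
  state = reconcile(zone, { enabled: false }, state);
  const whileManagedOff = zone.enabled;
  destroy(zone, state);
  return { writesAfterRerun, whileManagedOff, afterDestroy: zone.enabled };
}

// Two resources on one zone with opposite desired values: every pass rewrites the flag.
function fight(passes: number) {
  const zone: Zone = { enabled: false, writes: 0 };
  let a: State | undefined;
  let b: State | undefined;
  for (let i = 0; i < passes; i++) {
    a = reconcile(zone, { enabled: true }, a);
    b = reconcile(zone, { enabled: false }, b);
  }
  return { writes: zone.writes, bInitial: b?.initialEnabled, final: zone.enabled };
}

console.log(lifecycle(true), lifecycle(false), fight(3));
```

In this model a zone that already had the check on gets it back on destroy, and the second of two competing instances records the first instance's value as its baseline rather than the zone's original one.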
Managing the check
Enable Leaked Credential Checks on a zone

const zone = yield* Cloudflare.Zone("Site", { name: "example.com" });
yield* Cloudflare.LeakedCredentialCheck("Lcc", {
  zoneId: zone.zoneId,
});

Explicitly pin the check off

yield* Cloudflare.LeakedCredentialCheck("Lcc", {
  zoneId: zone.zoneId,
  enabled: false,
});