Skip to content
BlurFirst

How to Blur the Cloudflare Dashboard During Screen Sharing (Hide Domains, IPs & Keys)

7 min read

Walking through Cloudflare on a call? Here's how to hide your account email and ID, the list of domains you run, origin server IPs in DNS records, API tokens, WAF rules and analytics before you share your screen.

To hide domains, IPs and keys in the Cloudflare dashboard during a screen share, blur the sensitive items in the page before you present — the account email and account ID, the list of domains you manage, the origin server IPs in your DNS records, and any API tokens. BlurFirst paints each blur into the page as real pixels, so it survives Zoom, Google Meet, Microsoft Teams, Loom, OBS and even a screenshot of the shared feed.

Cloudflare is a browser-based dashboard, and the single most sensitive screen is DNS: the A/AAAA records expose the real origin IP addresses that Cloudflare exists to hide, and putting them on a call undoes that protection. Lean on anchored region blurs for the account chrome and box- or element-blur the DNS content records. Start blurring with Ctrl/⌘ ⇧ Y and keep the panic hotkey Ctrl/⌘ ⇧ H ready.

What the Cloudflare dashboard puts on screen

  • Account email and account ID — your login email in the top-right menu and the Account ID on the overview and API pages, which identify the account.
  • Domains and zones — the site list on the dashboard home names every domain you run — a map of your whole footprint, including staging and client sites.
  • Origin server IPs — the A/AAAA records under DNS > Records expose the real origin IPs behind the proxy; showing them lets an attacker bypass Cloudflare and hit the origin directly. This is the highest-risk item on the page.
  • API tokens and Global API Key — under My Profile > API Tokens, the Global API Key and any token values; the Global API Key grants full account access.
  • WAF and firewall rules — the expressions under Security > WAF reveal how you filter traffic and can hint at what you're defending against.
  • Analytics figures — request volume, bandwidth, cache ratio and threat counts under Analytics that disclose your traffic and scale.
  • R2 and Workers secrets — bucket names and access keys for R2, and environment variables or secrets bound to Workers.

Blur the Cloudflare dashboard step by step

  1. 1

    Open the section you'll present

    Navigate to DNS, Security or the exact page before the call, so you never open My Profile > API Tokens live with the Global API Key on screen.

  2. 2

    Box-blur the account email and site list

    Drag a box over the top-right account menu (your email) and, on the home screen, over the list of domains so your footprint stays hidden. The anchored region blur keeps covering that chrome as the dashboard re-renders.

  3. 3

    Element-blur the DNS content column

    On DNS > Records, element-blur the Content column so origin IPs in A/AAAA records are hidden while record names and types stay readable, or box-blur the whole content column at once.

  4. 4

    Run Scan for emails and keys

    One click runs Scan (Pro), which detects email and API-key patterns locally and blurs them across the API Tokens and profile pages. IP addresses, zone names and the Account ID aren't detected as patterns, so cover those with a box or element blur yourself.

  5. 5

    Keep panic ready for tokens and rules

    If a token value or a firewall rule appears unexpectedly, press Ctrl/⌘ ⇧ H to blur the whole page instantly, then reveal only what's safe.

Sensitive itemWhere it appearsBest gesture
Account email + IDTop-right menu, overviewBox-blur the account chrome
Domain / zone listDashboard homeBox-blur the site list
Origin IPs (A/AAAA)DNS > RecordsElement/box-blur the Content column
API tokens + Global API KeyMy Profile > API TokensElement blur; don't reveal live
WAF rules + analyticsSecurity > WAF, AnalyticsBox-blur rules and charts
What to hide in the Cloudflare dashboard, and how.

Why proxying your origin doesn't help on a live share

Cloudflare's whole value on the network is hiding your origin IP behind its proxy so attackers can't reach your server directly. But the dashboard shows you that origin IP in plain text in the DNS record — and the moment it's on a screen share or in a recording, the protection is gone: anyone who saw it can point traffic straight at the origin and bypass Cloudflare entirely. Access controls and 2FA gate who can log in; they don't govern what a viewer reads on your screen. Blurring works at the presentation layer, so the origin IP, your domain list and your tokens stay hidden from the audience no matter what your account can see. If an origin IP was exposed, tighten origin firewall rules or consider changing it.

Save your Cloudflare blurs for next time

If you administer Cloudflare regularly, set the structural blurs once and let BlurFirst Pro's per-site auto-apply re-apply them whenever you open dash.cloudflare.com. Your boxes over the account menu and the site list come back automatically and survive the dashboard's re-rendering as you move between DNS, Security and Analytics. The profile stores only a CSS selector for each region, never the IPs, domains or tokens inside it.

Frequently asked questions

Why is showing an origin IP such a big deal?

Cloudflare protects your server by proxying traffic so attackers only ever see Cloudflare's IPs, not your origin. The A/AAAA records in your DNS page show the real origin IP. If that appears on a call or recording, someone can send traffic straight to the origin and bypass Cloudflare's WAF and DDoS protection, so blur the DNS Content column before you present.

Can I hide the domain list but still show the settings?

Yes. Box-blur the list of sites on the dashboard home, then navigate into the one domain you're demoing. The settings pages stay visible while the rest of your footprint stays hidden.

Does Scan find Cloudflare API tokens?

Scan detects API-key and email patterns locally and blurs many of them across the API Tokens and profile pages. IP addresses, zone names and the Account ID aren't recognised patterns, so cover those with a box or element blur, and never click a token's reveal control live.

If an origin IP or token was already shown, is blurring enough?

Blurring protects future calls and screenshots of the shared feed, but it can't recall what already leaked. If an origin IP was exposed, tighten origin firewall rules or change the IP; if a token or Global API Key was shown, roll it in My Profile immediately.

Does anything I blur leave my browser?

No. BlurFirst runs entirely in the browser and its only network request is a license check. Scan runs locally, so your IPs, domains and keys never leave the page.

Blur it before you share it.

Hide any field, region or message on a page before your next call. Nothing you blur leaves your browser.

Add to Chrome