I have been using this simple bash script for a while for my DDNS needs. It is simple enough for quick deployment, and gets the job done. That is until Caddy2’s Cloudflare DNS provider moves away from Global API Key to API Token for the API access. This prompted me to rethink the security implications of using that script.
The Global API Key basically allows for *ALL* access to your entire Cloudflare account, which includes making changes to other domains under your account as well as your account settings. And this key is stored as plain-text within the script, to be placed on a server which you don’t have physical access — sounds a lot like the perfect recipe for a security nightmare. An API Token, on the other hand, is created with specific permissions. You can, for instance, create a Token that only has the permission to make changes to a specific domain, without the ability to add or delete anything.