Overview

Cloudflare sits in front of the origin and absorbs the traffic. Free plan covers DNS, a global CDN, TLS, basic WAF, and analytics. Paid features kick in for image transformations, Argo routing, and advanced bot management. For most sites, the free plan is enough; the value is in turning the right toggles on.

Proxy records you want cached or protected

Records show as orange-cloud (proxied) or grey-cloud (DNS only). Proxy by default, then grey-cloud the exceptions.

  • Orange-cloud apex and www. Cloudflare terminates TLS, caches static assets, and hides the origin IP.
  • Grey-cloud mail records (MX, mail subdomains). Cloudflare does not proxy SMTP; proxying these breaks delivery.
  • Grey-cloud verification records (TXT for Vercel, Google, ACME challenges). The verifier needs the raw value.

For DNS hosted elsewhere, see namecheap-dns and consider delegating nameservers to Cloudflare to enable proxying.
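An added example (not from the original note) that turns the orange/grey-cloud rules above into a check you can run against a zone's record list. The record objects use the fields the Cloudflare DNS records API returns (type, name, content, proxied); the zone name, the sample records and the mail-hostname heuristic are constructed assumptions. Besides the mail and verification cases it also flags a grey-clouded record that reveals the same IP a proxied record is hiding.

```javascript
// Added example: audit a zone's DNS records against the proxy rules.
// Record shape mirrors the Cloudflare DNS records API (type, name, content,
// proxied). Zone name and records below are constructed sample data.

const ZONE = "example.com";

// Constructed sample: a mix of correct and wrong proxy toggles.
const SAMPLE_RECORDS = [
  { type: "A",     name: "example.com",                content: "203.0.113.10",         proxied: true  },
  { type: "CNAME", name: "www.example.com",            content: "example.com",          proxied: false }, // should be orange
  { type: "MX",    name: "example.com",                content: "mail.example.com",     proxied: false },
  { type: "A",     name: "mail.example.com",           content: "203.0.113.20",         proxied: true  }, // breaks SMTP
  { type: "TXT",   name: "_acme-challenge.example.com", content: "constructed-token",   proxied: false },
  { type: "CNAME", name: "_vercel.example.com",        content: "cname.vercel-dns.com", proxied: true  }, // verifier needs raw value
  { type: "A",     name: "dev.example.com",            content: "203.0.113.10",         proxied: false }, // reveals the origin IP
];

// Only A, AAAA and CNAME records can be proxied; everything else is always DNS-only.
const PROXYABLE = new Set(["A", "AAAA", "CNAME"]);
// Heuristic (assumption): hostnames with these labels carry mail traffic.
const MAIL_LABEL = /^(mail|smtp|imap|pop3?)\./;

function auditProxying(records, zone) {
  const findings = [];
  const mxTargets = new Set(records.filter(r => r.type === "MX").map(r => r.content.toLowerCase()));
  // IPs the proxy is supposed to hide: the content of every proxied A/AAAA record.
  const hiddenIps = new Set(
    records.filter(r => (r.type === "A" || r.type === "AAAA") && r.proxied).map(r => r.content)
  );

  for (const r of records) {
    if (!PROXYABLE.has(r.type)) continue;
    const name = r.name.toLowerCase();
    const isWeb = name === zone || name === `www.${zone}`;
    const isMail = mxTargets.has(name) || MAIL_LABEL.test(name);
    const isVerification = name.startsWith("_");

    if (isMail && r.proxied) {
      findings.push({ name, level: "error", message: "mail host is proxied; Cloudflare does not proxy SMTP, so delivery breaks" });
    } else if (isVerification && r.proxied) {
      findings.push({ name, level: "error", message: "verification record is proxied; the verifier needs the raw value" });
    } else if (isWeb && !r.proxied) {
      findings.push({ name, level: "warn", message: "public web record is DNS-only: origin IP exposed, nothing cached, no edge TLS" });
    } else if (!r.proxied && hiddenIps.has(r.content)) {
      findings.push({ name, level: "warn", message: `DNS-only record reveals the IP of a proxied host (${r.content})` });
    }
  }
  return findings;
}

function summarize(findings) {
  return findings.map(f => `[${f.level}] ${f.name}: ${f.message}`).join("\n");
}

console.log(summarize(auditProxying(SAMPLE_RECORDS, ZONE)));
```

On the sample above the audit reports two errors (the proxied mail host and the proxied verification CNAME) and two warnings (grey-clouded www and the dev record that exposes the apex origin IP). Feed it the `result` array from the DNS records API to run it against a real zone.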

Set SSL/TLS mode to Full strict, never Flexible

Four modes exist; only the last one is right for production.

  • Off: no TLS. Never.
  • Flexible: visitor to Cloudflare encrypted, Cloudflare to origin in plaintext. Looks secure, is not. Login forms leak on the back leg. Never use this.
  • Full: TLS end to end, but Cloudflare accepts any cert at the origin, including self-signed. Acceptable for transitional setups.
  • Full (strict): TLS end to end, with origin cert validated. The only correct setting for production.

Issue a Cloudflare Origin CA certificate for the origin if Let’s Encrypt is awkward (port 80 closed, internal-only DNS). It is free and valid for 15 years, but it is trusted only by the Cloudflare edge, not by browsers, so it only works behind proxied records.

Drive cache and redirects through Rules

The Rules engine replaces the older Page Rules. Use it for cache overrides, redirects, security headers, and request modification.

  • Cache Rules: pin specific paths to “cache everything” or set a TTL. Override the default cache for /api/* to “bypass cache.”
  • Redirect Rules: send www to apex, send legacy paths to new ones, force HTTPS (also covered by the global “Always Use HTTPS” toggle).
  • Transform Rules: add response headers (Strict-Transport-Security, X-Content-Type-Options, Permissions-Policy) without touching the origin.

Source-control the rule definitions in Terraform if the site has more than a handful. Drift on a rule that disables cache for the whole origin is hard to spot.
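An added example (not the note's code) of the drift check the last paragraph asks for: the checked-in rule definitions for the cache-bypass, static-asset TTL and security-header rules above are compared against a live ruleset, and a cache-bypass rule whose expression has been widened to the whole origin is called out separately. The rule objects follow the Rulesets API shape (action, expression, action_parameters, description, enabled) as I understand it; the live ruleset is a constructed sample, and the header map layout inside action_parameters is an assumption.

```javascript
// Added example: detect drift between source-controlled rule definitions and
// the live ruleset. Shapes follow the Rulesets API; LIVE is constructed data.

// Desired rules, keyed by phase. This object is the source of truth.
const DESIRED = {
  http_request_cache_settings: [
    { description: "bypass cache for API", expression: 'starts_with(http.request.uri.path, "/api/")',
      action: "set_cache_settings", action_parameters: { cache: false } },
    { description: "cache static assets 1 day", expression: 'starts_with(http.request.uri.path, "/static/")',
      action: "set_cache_settings",
      action_parameters: { cache: true, edge_ttl: { mode: "override_origin", default: 86400 } } },
  ],
  http_response_headers_transform: [
    { description: "security headers", expression: "true", action: "rewrite",
      action_parameters: { headers: {
        "Strict-Transport-Security": { operation: "set", value: "max-age=31536000; includeSubDomains" },
        "X-Content-Type-Options":    { operation: "set", value: "nosniff" },
        "Permissions-Policy":        { operation: "set", value: "camera=(), microphone=(), geolocation=()" },
      } } },
  ],
};

// Constructed "live" ruleset: the API bypass was widened to the whole origin in
// the dashboard, a test rule was added by hand, and one header went missing.
const LIVE = {
  http_request_cache_settings: [
    { description: "bypass cache for API", expression: "true",
      action: "set_cache_settings", action_parameters: { cache: false }, enabled: true },
    { description: "cache static assets 1 day", expression: 'starts_with(http.request.uri.path, "/static/")',
      action: "set_cache_settings",
      action_parameters: { cache: true, edge_ttl: { mode: "override_origin", default: 86400 } }, enabled: true },
    { description: "quick test", expression: 'http.host eq "staging.example.com"',
      action: "set_cache_settings", action_parameters: { cache: false }, enabled: true },
  ],
  http_response_headers_transform: [
    { description: "security headers", expression: "true", action: "rewrite",
      action_parameters: { headers: {
        "Strict-Transport-Security": { operation: "set", value: "max-age=31536000; includeSubDomains" },
        "X-Content-Type-Options":    { operation: "set", value: "nosniff" },
      } }, enabled: true },
  ],
};

// Deterministic serialisation so objects compare regardless of key order.
function stableStringify(v) {
  if (Array.isArray(v)) return "[" + v.map(stableStringify).join(",") + "]";
  if (v && typeof v === "object") {
    return "{" + Object.keys(v).sort().map(k => JSON.stringify(k) + ":" + stableStringify(v[k])).join(",") + "}";
  }
  return JSON.stringify(v);
}

// Compare only the fields that change behaviour; treat a missing `enabled` as true.
function normalize(rule) {
  return {
    expression: rule.expression.replace(/\s+/g, " ").trim(),
    action: rule.action,
    action_parameters: rule.action_parameters || {},
    enabled: rule.enabled !== false,
  };
}

function detectDrift(desired, live) {
  const drift = [];
  for (const phase of new Set([...Object.keys(desired), ...Object.keys(live)])) {
    const want = new Map((desired[phase] || []).map(r => [r.description, r]));
    const have = new Map((live[phase] || []).map(r => [r.description, r]));
    for (const [desc, rule] of want) {
      if (!have.has(desc)) drift.push({ phase, rule: desc, kind: "missing" });
      else if (stableStringify(normalize(rule)) !== stableStringify(normalize(have.get(desc)))) {
        drift.push({ phase, rule: desc, kind: "changed" });
      }
    }
    for (const [desc, rule] of have) {
      if (!want.has(desc)) drift.push({ phase, rule: desc, kind: "unmanaged" });
      // The failure mode the note warns about: cache bypassed for every request.
      if (rule.action === "set_cache_settings" && rule.action_parameters?.cache === false &&
          normalize(rule).expression === "true") {
        drift.push({ phase, rule: desc, kind: "critical", note: "cache bypassed for the entire origin" });
      }
    }
  }
  return drift;
}

console.log(detectDrift(DESIRED, LIVE));
```

Rules are matched by description, so keep descriptions unique and stable in source control. Against the sample the check reports the widened bypass as both changed and critical, the hand-added test rule as unmanaged, and the header rule as changed; fetching each phase's entrypoint ruleset from the API and passing its `rules` array gives the same report for a real zone.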

Workers run code at the edge

Workers are V8 isolates that run on every Cloudflare PoP. Use them for:

  • Auth gates, A/B routing, geolocation-based redirects.
  • API responses small enough to fit a 10 ms CPU budget on the free plan.
  • Scheduled cron triggers (crons in wrangler.toml) for periodic jobs without running a server.

Workers KV is an eventually-consistent key-value store with single-digit-millisecond reads at the edge. Use it for feature flags, session caches, and rate-limit counters. Reach for D1 (SQLite) or R2 (object storage) when KV does not fit.
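An added example Worker (mine, not the note's) showing three of the uses listed above in one script: a bearer-token auth gate in front of /admin, a per-IP rate limiter on /api backed by a KV-style counter, and the security headers from the Rules section applied to every response. Assumptions: a KV binding named LIMITS and a secret ADMIN_TOKEN in env (both hypothetical names), a Node 18+ or Workers runtime for the Request/Response globals, and an in-memory stand-in for KV so the demo runs offline.

```javascript
// Added example Worker: auth gate, KV-backed rate limit, security headers.
// Binding names (LIMITS, ADMIN_TOKEN) are hypothetical; MemoryKV stands in
// for the real KV namespace so this runs offline.

const SECURITY_HEADERS = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "X-Content-Type-Options": "nosniff",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};
const RATE_LIMIT = 5;        // requests per window per IP
const WINDOW_SECONDS = 60;

function withSecurityHeaders(response) {
  const headers = new Headers(response.headers);
  for (const [k, v] of Object.entries(SECURITY_HEADERS)) headers.set(k, v);
  return new Response(response.body, { status: response.status, headers });
}

// Compare the full length every time so a wrong token is not rejected faster
// the earlier it differs.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Fixed-window counter in KV. KV is eventually consistent, so the count is
// approximate: good enough to blunt abuse, not for anything billable.
async function rateLimit(kv, ip, now) {
  const windowStart = Math.floor(now / 1000 / WINDOW_SECONDS) * WINDOW_SECONDS;
  const key = `rl:${ip}:${windowStart}`;
  const count = Number((await kv.get(key)) || 0);
  if (count >= RATE_LIMIT) return false;
  await kv.put(key, String(count + 1), { expirationTtl: WINDOW_SECONDS * 2 });
  return true;
}

async function handleRequest(request, env, now = Date.now()) {
  const url = new URL(request.url);
  let response;
  if (url.pathname.startsWith("/admin")) {
    const auth = request.headers.get("Authorization") || "";
    const token = auth.startsWith("Bearer ") ? auth.slice(7) : "";
    response = token && constantTimeEqual(token, env.ADMIN_TOKEN)
      ? new Response("admin ok", { status: 200 })
      : new Response("unauthorized", { status: 401 });
  } else if (url.pathname.startsWith("/api/")) {
    // CF-Connecting-IP is set by Cloudflare on proxied requests.
    const ip = request.headers.get("CF-Connecting-IP") || "0.0.0.0";
    response = (await rateLimit(env.LIMITS, ip, now))
      ? new Response(JSON.stringify({ ok: true }), { status: 200, headers: { "Content-Type": "application/json" } })
      : new Response("rate limited", { status: 429, headers: { "Retry-After": String(WINDOW_SECONDS) } });
  } else {
    response = new Response("hello", { status: 200 });
  }
  return withSecurityHeaders(response);
}

// Same shape as `export default { fetch }` in a deployed Worker.
const worker = { fetch: handleRequest };

// Offline stand-in for a KV namespace (expirationTtl is accepted and ignored).
class MemoryKV {
  constructor() { this.store = new Map(); }
  async get(key) { return this.store.has(key) ? this.store.get(key) : null; }
  async put(key, value) { this.store.set(key, value); }
}

// Constructed scenario: anonymous and authenticated admin hits, then one more
// API call than the limit allows from a single IP inside one window.
async function demo() {
  const env = { ADMIN_TOKEN: "constructed-demo-token", LIMITS: new MemoryKV() };
  const now = 1700000000000;
  const results = {};
  results.anonAdmin = (await worker.fetch(new Request("https://example.com/admin"), env, now)).status;
  results.authAdmin = (await worker.fetch(new Request("https://example.com/admin",
    { headers: { Authorization: "Bearer constructed-demo-token" } }), env, now)).status;
  results.apiStatuses = [];
  for (let i = 0; i < RATE_LIMIT + 1; i++) {
    const r = await worker.fetch(new Request("https://example.com/api/ping",
      { headers: { "CF-Connecting-IP": "198.51.100.7" } }), env, now);
    results.apiStatuses.push(r.status);
  }
  results.hsts = (await worker.fetch(new Request("https://example.com/"), env, now))
    .headers.get("Strict-Transport-Security");
  return results;
}

demo().then(r => console.log(JSON.stringify(r, null, 2)));
```

The rate limiter deliberately uses a read-modify-write on KV because that is what the note suggests KV for; two PoPs can both see count 4 and both allow a sixth request, which is acceptable for abuse limiting. Keep the admin token in a Worker secret, not in wrangler.toml.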

Pages hosts static sites without a build server

Cloudflare Pages competes with github-pages and vercel for static hosting. Strengths: unlimited bandwidth, generous build minutes, per-PR previews, native Workers integration.

Use Pages when the site is static and the team already lives in Cloudflare. Use GitHub Pages when the project is small and the repo is the source of truth. Use Vercel when the framework is Next.js and ISR is in play.

Turn on the free protections

The toggles that pay for themselves in five minutes.

  • Always Use HTTPS: redirects HTTP to HTTPS at the edge.
  • Automatic HTTPS Rewrites: rewrites mixed-content links.
  • Bot Fight Mode: blocks the noisiest scraping bots without affecting humans. Free.
  • Managed Challenges (Security level: Medium): hands a challenge to suspicious requests instead of blocking outright. Lower false-positive rate than the old CAPTCHA.
  • Analytics: free and privacy-respecting. Useful as a sanity check against application-level metrics.
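An added example (not from the note) that audits the settings from this section and from the SSL/TLS section above, since both are plain zone settings: SSL mode must be Full (strict), Always Use HTTPS and Automatic HTTPS Rewrites must be on, and the security level must be at least Medium. It reads the list shape that the zone settings API returns (an array of {id, value}) and emits the PATCH calls that would correct each finding; the sample settings are constructed and the zone id is a placeholder. Bot Fight Mode is configured through a separate bot-management endpoint and is not covered here.

```javascript
// Added example: audit zone settings (SSL mode plus the free toggles) and
// produce the remediation calls. Input shape follows GET /zones/{id}/settings
// (result: [{ id, value }, ...]); SAMPLE_SETTINGS is constructed data.

const EXPECTED = {
  ssl:                      { want: ["strict"], severity: { off: "critical", flexible: "critical", full: "warn" } },
  always_use_https:         { want: ["on"],     severity: { off: "warn" } },
  automatic_https_rewrites: { want: ["on"],     severity: { off: "info" } },
  security_level:           { want: ["medium", "high", "under_attack"],
                              severity: { off: "warn", essentially_off: "warn", low: "info" } },
};

// Constructed sample: a zone left on Flexible with the redirect toggle off.
const SAMPLE_SETTINGS = [
  { id: "ssl",                      value: "flexible" },
  { id: "always_use_https",         value: "off" },
  { id: "automatic_https_rewrites", value: "on" },
  { id: "security_level",           value: "low" },
  { id: "min_tls_version",          value: "1.2" },   // not audited here
];

function explain(id, value) {
  if (id === "ssl" && value === "flexible") return "Flexible sends traffic to the origin in plaintext; credentials leak on the back leg";
  if (id === "ssl" && value === "full") return "Full accepts any origin certificate, including self-signed; switch to strict once the origin cert validates";
  if (id === "ssl") return "TLS is off";
  if (id === "always_use_https") return "HTTP is not redirected to HTTPS at the edge";
  if (id === "automatic_https_rewrites") return "mixed-content links are not rewritten";
  return "security level below Medium: suspicious requests are not challenged";
}

function auditZoneSettings(settingsResult) {
  const byId = new Map(settingsResult.map(s => [s.id, s.value]));
  const findings = [];
  for (const [id, rule] of Object.entries(EXPECTED)) {
    if (!byId.has(id)) {
      findings.push({ setting: id, severity: "info", current: null, wanted: rule.want[0], message: "setting absent from API response" });
      continue;
    }
    const value = byId.get(id);
    if (rule.want.includes(value)) continue;
    findings.push({ setting: id, severity: rule.severity[value] || "warn", current: value, wanted: rule.want[0], message: explain(id, value) });
  }
  return findings;
}

// One PATCH per finding, in the shape the zone settings API takes.
function remediationPlan(findings, zoneId) {
  return findings.map(f => ({
    method: "PATCH",
    path: `/zones/${zoneId}/settings/${f.setting}`,
    body: { value: f.wanted },
  }));
}

const findings = auditZoneSettings(SAMPLE_SETTINGS);
for (const f of findings) console.log(`[${f.severity}] ${f.setting}=${f.current}: ${f.message}`);
console.log(remediationPlan(findings, "ZONE_ID_PLACEHOLDER"));
```

On the sample the SSL finding is critical, the missing redirect is a warning and the low security level is informational; the plan lists three PATCH calls. Run the audit before the plan: switching to Full (strict) while the origin still serves a certificate that does not validate takes the site down with a 526 rather than silently degrading.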