Disclosure: When you purchase a service or a product through our links, we may earn a commission. Read more...

Last updated:

A QUICK GUIDE TO SETUP CLOUDFLARE

SIGNUP

Step 1 - Fill in your e-mail, strong password and "Create Account".

Cloudflare Signup Create Account

Step 2 - Fill in your website address and "Add Site".

Cloudflare Signup Add Site

Step 3 - You can tell Cloudflare to scan your website's existing DNS records. Click "Next".

Cloudflare Signup Next

Step 4 - Please choose your plan. Start with "Basic" and upgrade whenever you need. You can "Learn more" or click on "Confirm Plan".

Cloudflare Signup Select Plan

Step 5 - Now you need to double check that all required DNS records are listed for your domain. Don't worry you can modify DNS records afterwards when there's a urgent need for that. When you are confident enough, please "Continue", otherwise consult with professionals.

Cloudflare Signup DNS Confirm

Step 6 - Now you need to change the nameservers at your domain registrar by pointing your domain to Cloudflare. When you don't know where to start you can check "I Need Help Changing My Nameservers". You can find over 30 step-by-step guides for most popular registrars to change the nameservers. Meanwhile you can "Continue".

Cloudflare Signup Change Nameservers

Step 7 - Now you need to just wait. It may take up-to 24 hours after you have changed the nameserver's DNS records. You will receive an e-mail after your website has become active on Cloudflare. Simple!

Cloudflare Signup Complete Nameserver Setup

Step 8 - Make sure your domain status have changed to "Pending Nameserver Update" to "Active".

Cloudflare Signup Website Status

Step 9 - There is only one last thing to do. Please check your inbox and click on the confirmation e-mail link. Done? Congratiolations, you have successfully signed up! Please proceed with setting up Cloudflare.

Cloudflare Signup Verified

CRYPTO SETTINGS

SSL

Encrypt communication to and from your website using SSL. By default CloudFlare provides universal SSL certificates when SSL is turned on. I strongly suggest to order dedicated certificate(s).

NB! Make sure that when using „Full (strict)“ option you have a valid certificate installed on your origin server.

Cloudflare Crypto SSL Setting

Edge Certificates

Manage and purchase SSL certificates that will be served to your web visitors.

Plans:

  • Basic – includes Cloudflare Universal SSL certificate pack.
  • Business – enables feature to upload any SSL certificates.

You can order dedicated certificate with custom hostnames.

Cloudflare Crypto Edge Certificates Setting

Always Use HTTPS

Redirect all requests with scheme HTTP to HTTPS. This applies to all HTTP requests to the zone. Strongly suggesting to turn this feature on to force clients to use secure connection.

NB! Your origin server must support HTTPS connection first.

Cloudflare Always Use HTTPS Setting

Authenticated Origin Pulls

TLS client certificate presented for authentication on origin pull. This feature helps to verify whether incoming requests are originated from the Cloudflare network only.

NB! Setting this directive may require VPS or Dedicated hosting solution.

Cloudflare Crypto Authenticated Origin Pulls Setting
Apache
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /path/to/origin-pull-ca.pem
Nginx
ssl_client_certificate /path/to/origin-pull-ca.crt;
ssl_verify_client on;

Minimum TLS Version

Only allow HTTPS connections from visitors that support the selected TLS protocol version or newer. Suggesting to allow TLS protocol since TLS 1.1 and disallow TLS 1.2 after March 2020.

Cloudflare Crypto Minimum TLS Setting

Onion Routing

Onion Routing allows routing traffic from legitimate users on the Tor network through Cloudflare’s onion services rather than exit nodes, thereby improving privacy of the users and enabling more fine-grained protection. Doesn’t make any harm to turn this feature on.

Cloudflare Crypto Onion Routing Setting

TLS 1.3

Enable the latest version of the TLS protocol for improved security and performance. Strongly suggesting to enable this feature as roughly 30% of the traffic is using already TLS 1.3.

Cloudflare Crypto TLS 1.3 Version Setting

Automatic HTTPS Rewrites

Automatic HTTPS Rewrites helps fix mixed content by changing HTTP to HTTPS for all resources or links on your web site that can be served with HTTPS. Strongly suggesting to turn this feature on to avoid browser’s „mixed content“ errors when usage of HTTP and HTTPS is mixed within the website.

Cloudflare Crypto Automatic HTTPS Rewrites Setting

Disable Universal SSL

Disabling Universal SSL removes any currently active Universal SSL certificates for your zone from the edge and prevents any future Universal SSL certificates from being ordered. If there are no dedicated certificates or custom certificates uploaded for the domain, visitors will be unable to access the domain over HTTPS.

NB! Make sure that you install a new dedicated SSL certificate before disabling Universal SSL certificate.

Cloudflare Crypto Disable Universal Certificate Setting


FIREWALL SETTINGS

[Managed Rules] Web Application Firewall (WAF)

Provides enhanced security through a built-in ruleset to stop a wide range of application attacks. WAF blocks requests that contain malicious content and provides strong security without impacting performance. You will get protection for common attacks like cross-site scripting, SQL injections and many more.

NB! Strongly suggesting to turn this feature on to activate security packages like OWASP, Cloudflare Rules and any custom rules.

Pro Plan

Cloudflare Web Application Firewall Setting

[Managed Rules] Cloudflare Managed Ruleset

Cloudflare's Managed Ruleset has been created by Cloudflare security engineers, and is designed to provide fast and performant protection for your applications. Cloudflare's Managed Ruleset is updated and improved on a frequent basis to cover new vulnerabilities and to improve false positive rates.

NB! Strongly recommended to enable at least „Cloudflare specials“ and when using WordPress „Cloudflare Php“ and „Cloudflare WordPress“ should be also enabled.

Pro Plan

Cloudflare Firewall Managed Ruleset Setting

[Managed Rules] Package: OWASP ModSecurity Core Rule Set

Covers OWASP Top 10 vulnerabilities, and more. I strongly do recommend to turn on the most OWASP rules when your website e.g. online store collects and stores some valuable data desired by the hackers.

NB! When running WordPress website „OWASP Slr Et WordPress Attacks“ ruleset is a must to turn on.

Pro Plan

Cloudflare Firewall OWASP Ruleset Setting

[Settings] Security Level

Adjust your website’s Security Level to determine which visitors will receive a challenge page.

NB! When running website containing customer's data you should set this setting at least to "Medium".

Cloudflare Firewall Security Level Setting

[Settings] Challenge Passage

Specify how long a visitor with a bad IP reputation is allowed access to your website after completing a challenge. After the Challenge Passage TTL expires, the visitor in question will have to pass a new Challenge.

Cloudflare Firewall Challenge Passage Setting

[Settings] Browser Integrity Check

Evaluate HTTP headers from your visitors browser for threats. If a threat is found a block page will be delivered.

NB! This may block access to your API. You can selectively enable or disable this feature for any part of your domain using page rules.

Cloudflare Firewall Browser Integrity Check Setting

[Settings] Privacy Pass Support

Privacy Pass is a browser extension developed by the Privacy Pass Team to improve the browsing experience for your visitors. Enabling Privacy Pass will reduce the number of CAPTCHAs shown to your visitors.

NB! This works only for the websites using Cloudflare

Cloudflare Firewall Privacy Pass Support Setting


SPEED SETTINGS

Auto Minify

Reduce the file size of source code on your website.

NB! Purge cache to have your change take effect immediately.

Cloudflare Speed Auto Minify Setting

Polish

Improve image load time by optimizing images hosted on your domain. Optionally, the WebP image codec can be used with supported clients for additional performance benefits.

NB! Purge cache to have your change take effect immediately.

Pro Plan

Cloudflare Speed Polish Setting

Brotli

Speed up page load times for your visitor’s HTTPS traffic by applying Brotli compression.

Cloudflare Speed Brotli Setting

Rocket Loader™

Improve the paint time for pages that include Javascript. You can have Rocket Loader ignore individual scripts by adding the data-cfasync="false" attribute to the relevant script tag, for example:

<script data-cfasync="false" src="/path-to-your-javascript.js"></script>

Cloudflare Speed Rocket Loader Setting


CACHING SETTINGS

Purge Cache

Clear cached files to force Cloudflare to fetch a fresh version of those files from your web server. You can purge files selectively or all at once.

NB! Purging the cache may temporarily degrade performance for your website and increase load on your origin.

Cloudflare Caching Purge Cache Setting

Caching Level

Determine how much of your website’s static content you want to cache. Increased caching can speed up page load time. You can set cache static content according to these levels:

  • No Query String - only delivers files from cache when there is no query string.
  • Ignore Query String - delivers the same resource to everyone independent of the query string.
  • Standard - delivers a different resource each time the query string changes.
Cloudflare Caching Caching Level Setting

Browser Cache Expiration

Determine the length of time Cloudflare instructs a visitor’s browser to cache files. During this period, the browser loads the files from its local cache, speeding up page loads. It's up to you how long you set the cache period. Set it to longer period when your website's content doesn't change that often.

Cloudflare Caching Browser Cache Expiration Setting

Always Online™

If your server goes down, Cloudflare will serve your website’s static pages from their cache.

Cloudflare Caching Always Online Setting

Development Mode

Temporarily (lasts for three hours) bypass cache allowing you to see changes to your origin server in realtime.

NB! Enabling this feature can significantly increase origin server load. Development mode does not purge the cache so files will need to be purged after development mode expires.

Cloudflare Caching Development Mode Setting