Website security
Dig into the details of how Cloudflare products protect your assets and choose which security settings are right for you.
Account security
Adopting a strong security posture for your Cloudflare account is an important step toward ensuring your website’s overall safety. Two-factor authentication (2FA) improves account security by requiring a second piece of information to validate your identity when logging in.
Follow these instructions to enable 2FA by enrolling through your preferred mobile authentication application. Save a copy of the recovery codes in a safe location to avoid locking yourself out of your account.
Notifications
Manage your notifications to define what you want to be warned about and how. We recommend enabling:
- Passive Origin Monitoring Alerts: Get notified when your origin web server is unreachable from our edge network for at least 5 minutes so you can quickly fix the issue.
- HTTPS DDoS Alerts: Sign up for a real-time email when Cloudflare automatically detects and mitigates a DDoS attack that targets your Internet property.
- Security Events Alert: Receive an alert within two hours of any spike of firewall-related events across all Cloudflare services that generate related log entries.
Manage DNS records
When you use Cloudflare DNS, all DNS queries for your domain are answered by our global Anycast network. DNS records help communicate information about your domain to visitors and other web services.
With Cloudflare DNS, you can manage all of your records for your website in the DNS tab — watch a Cloudflare dashboard walkthrough of the available options.
Orange cloud vs. grey cloud
An orange cloud symbol means traffic to that hostname is running through Cloudflare. This enables features such as hiding your origin IP, caching, SSL, and Web Application Firewall. We recommend enabling the orange cloud for A, AAAA, and CNAME records.
A grey cloud means that Cloudflare will announce those records in DNS, but all traffic will be routed to your origin instead of through Cloudflare. This is useful in a few contexts such as records other than A, AAAA, or CNAME, if you are trying to validate a service with a record or non-web traffic, including mail and FTP. If you run into issues with a record on Cloudflare, you can pause Cloudflare for the record by grey clouding it on the DNS tab.
If you experience issues with undeliverable emails after onboarding, grey cloud the DNS records used to receive mail on the DNS tab. The default configuration allows only proxying of HTTP traffic and will break mail traffic.
Hide your origin IP address
Cloudflare offers many features to detect and block malicious traffic. However, if malicious users find the origin IP of your server, which is where your actual resources are hosted, they may be able to send traffic or attacks directly to the servers.
Consider taking steps to keep from leaking this information:
- Review DNS records for your zone(s). If possible, keep all your subdomains on Cloudflare and check for SPF and TXT records for origin information.
- Do not host a mail service on the same server as the web resource you want to protect, since emails sent to non-existent addresses get bounced back to the attacker and reveal the mail server IP.
- Ensure your web server does not connect to arbitrary addresses provided by users.
- Once onboarded, rotate your origin IPs, as DNS records are in the public domain. Historical records are kept and would contain IP addresses prior to joining Cloudflare.
Enable DNSSEC
DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records. These digital signatures are stored in DNS name servers alongside common record types like A, AAAA, MX, and CNAME.
By checking its associated signature, you can verify that a requested DNS record comes from its authoritative name server and was not altered en route, as opposed to a fake record injected in an on-path attack.
We highly recommend enabling DNSSEC to add a layer of authentication on top of your DNS for domains on Cloudflare.
Enable SSL encryption
SSL certificates encrypt user information and keep users secure on the Internet. Manually configuring SSL requires several steps, however, and misconfigurations can prevent users from reaching your website.
With Cloudflare, become HTTPS-enabled with the click of a button. We offer edge certificates and origin server certificates.
- Edge Certificates: By default, we issue and renew free, unshared, publicly trusted SSL certificates to all Cloudflare domains. Your domain should automatically receive its Universal SSL certificate within 24 hours of domain activation. We recommend enabling either Full or Full (strict) as the settings to ensure data confidentiality on your site.
- Origin Certificate Authority (CA): Use these certificates to encrypt traffic between Cloudflare and your origin web server. Once deployed, these certificates are compatible with Strict SSL mode.
Get protected with a WAF
By deploying a Web Application Firewall (WAF), you can decide whether to allow types of incoming and outgoing traffic via a set of rules (often called policies). WAFs protect against attacks such as SQL injection attacks, cross-site scripting, and cross-site forgery.
Our WAF provides automatic protection and the flexibility to create custom rules:
- Rate limiting rules: Define rate limits for incoming requests matching an expression and the action to take when those limits are reached.
- WAF Managed Rulesets: Enable the pre-configured policies to get immediate protection, including from advanced zero-day vulnerabilities.
- Exposed Credential Checks: Monitor and block the use of stolen/exposed credentials for account takeover.
- Firewall Analytics: Investigate security threats, then tailor your security configurations based on the activity log.
WAF configuration tips
When using managed rulesets:
- Only enable rule groups that correspond to your technology stack. For example, if you use WordPress, enable the Cloudflare WordPress group. You also have the ability to craft custom rules.
- We recommend turning on the WAF and enabling Cloudflare Specials to automatically protect against the latest attack vectors.
Learn the basics of caching
Caching is the process of storing copies of files in a temporary storage location so they can be accessed quickly. Web browsers cache HTML files, JavaScript, and images for fast load times; DNS servers cache DNS records for faster lookups; and CDN servers cache content to reduce latency.
- Learn about our default cache behavior.
- For caching HTML, you can use Cloudflare Cache Rules to set rules on how to cache dynamic content.
Understanding Browser Cache TTL and Edge Cache TTL
These important features help protect your site and ensure content is up to date.
- Edge Cache TTL (Time to Live) specifies how long to cache a resource on our edge network. You can configure how long we keep the cached resource before asking the origin for it again.
- Browser Cache TTL sets the expiration for resources cached in a visitor’s browser.
For example, if you are updating an election results page with resources we automatically cache every 20 minutes, set the Edge Cache TTL to 20 minutes, with Browser Cache TTL around 1 minute so users have fresh data. Or, you can manually purge the cache by file URL or hostname every time you update the file.