Secure your application
Learning path
Learn more about the tools Cloudflare offers to protect your website against malicious traffic and bad actors.
Concepts
~30 mins
Learn the fundamentals of website security.
Feel free to skip if you have a technical background.
Before you begin
~30 mins
Before you can secure your site, make sure you have already added that site to Cloudflare.
Contains 1 unit
Account security
~15 mins
Make sure your Cloudflare account is protected from takeover or compromise.
General security — Minimal setup
~1 hour
Take a few simple steps to make sure your application is protected from a broad array of threats.
Contains 5 units
- Customize SSL/TLS protection
- Set up your Web Application Firewall (WAF)
For customers on a Pro plan or above, Cloudflare offers several Managed Rulesets as part of the Web Application Firewall (WAF).
- Proxy your DNS records
As long as your traffic is proxied by Cloudflare, Cloudflare automatically protects your application from DDoS attacks.
- Set up DNSSEC
- Enable the Cloudflare Security Center
Our Security Center scans your application to identify potential security risks and provide recommended next steps.
Customize Web Application Firewall (WAF)
~2 hours
Use a variety of rules to customize the behavior of your application’s firewall. This step may require detailed analysis of your application traffic.
Contains 6 units
- WAF Exceptions
Skip the execution of WAF Managed Rulesets or some of their rules.
- Firewall Rules
Block, challenge, or allow requests based on several characteristics (user agents, cookies, referrer, and more).
- Rate Limiting Rules
Define rate limits for requests matching an expression and the action to perform when those rate limits are reached.
- IP Access Rules
Block, challenge, or allow requests based on IP address, IP range, country, or ASN.
- User Agent Blocking Rules
Block or challenge specific requests based on the associated user agent value.
- Zone Lockdown rules
For customers on a Pro plan or higher, specify a list of IP addresses, CIDR ranges, or networks that are allowed to access a particular domain, subdomain, or URL.
Customize other security settings
~2 hours
Update various settings to further refine how your application processes incoming traffic. This step may require detailed analysis of your application traffic.
Contains 9 units
- Enable bot protection
There are some nuances to how bot protection works, so you may want to review our plans pages before enabling.
- Customize DDoS protection
- Customize security level
Use the IP reputation of a visitor to determine whether to present a Managed Challenge page.
- Customize challenge passage
Specify the length of time that a visitor can access your website after completing a security challenge.
- Enable Privacy Pass
Reduce the number of challenges presented to visitors using the Privacy Pass browser extension.
- Learn about Browser Integrity Check
Browser Integrity Check evaluates incoming HTTP headers based on known threats (such as requests with a missing or non-standard user agent) and presents a challenge page if needed.
- Create Forwarding URLs
Prevent access to specific URLs, request schemes, file types, subdomains, or directories by redirecting users to a safe location.
- Token Authentication
Restrict access to documents, files, and media.
- Learn about I'm Under Attack Mode
I’m Under Attack Mode performs additional security checks to help mitigate Layer 7 DDoS attacks. This feature should be used as a last resort when your application is under attack.
Explore dedicated security products
~30 mins
Cloudflare offers several dedicated products to increase the security of your website and underlying infrastructure.
Contains 5 units
- Page Shield
Monitor third-party scripts on your application and receive notifications when they have been compromised or are exhibiting malicious behavior.
- API Shield
Protect your API from malicious traffic by enforcing schema validation, detecting abuse patterns, and more.
- Magic Firewall
Use Cloudflare’s firewall-as-a-service (FWaaS) to protect office networks and cloud infrastructure with advanced, scalable protection.
- Magic Transit
Delivers network functions at Cloudflare scale — DDoS protection, traffic acceleration, and much more from every Cloudflare data center — for on-premise, cloud-hosted, and hybrid networks.
- Magic WAN
Securely connect any traffic source - data centers, offices, devices, cloud properties - to Cloudflare’s network and configure routing policies to get the bits where they need to go, all within one SaaS solution.
Next steps
~30 mins