Cloudflare Config Guide
DNS Record Types
| Record | Purpose | Example | Proxy? |
|---|---|---|---|
| A | IPv4 address | example.com → 1.2.3.4 | Yes (orange cloud) |
| AAAA | IPv6 address | example.com → 2001:db8::1 | Yes |
| CNAME | Alias to another hostname | www → example.com | Yes |
| MX | Mail exchange | 10 mail.example.com | No (DNS-only) |
| TXT | Verification, SPF, DKIM | v=spf1 include:... -all | No |
| NS | Nameservers (auto-set by CF) | ken.ns.cloudflare.com | No |
Cache Control
| Setting | Behavior | Recommended For |
|---|---|---|
| Cache Level: Standard | Caches based on file extension | Default setting |
| Cache Level: Cache Everything | Caches all content including HTML | Fully static sites |
| Edge Cache TTL: 1 day | How long CF keeps the cache | Static assets (override origin headers) |
| Browser Cache TTL: 4 hours | Cache-Control: max-age sent to browsers | Balance freshness vs performance |
| Bypass Cache (Cookie) | Don't cache if cookie present | WordPress, logged-in users |
Cloudflare Workers
```javascript
// Basic Worker → intercept and modify response
export default {
  async fetch(request, env, ctx) {
    const url = new URL(request.url);
    let response;
    // A/B test routing: the root path is served from one of two variant paths
    if (url.pathname === '/') {
      const group = Math.random() < 0.5 ? 'a' : 'b';
      url.pathname = `/variants/${group}`;
      response = await fetch(url.toString(), request);
    } else {
      response = await fetch(request);
    }
    // Add security headers to all responses (the A/B variants included)
    const newHeaders = new Headers(response.headers);
    newHeaders.set('X-Frame-Options', 'DENY');
    newHeaders.set('X-Content-Type-Options', 'nosniff');
    newHeaders.set('Referrer-Policy', 'strict-origin-when-cross-origin');
    return new Response(response.body, {
      status: response.status,
      headers: newHeaders
    });
  }
};

// KV storage: MY_KV is the binding declared in wrangler.toml below
async function kvExample(env) {
  const value = await env.MY_KV.get("key");
  await env.MY_KV.put("key", "value", { expirationTtl: 3600 }); // entry expires after one hour
  return value;
}
```

```toml
# wrangler.toml
name = "my-worker"
compatibility_date = "2024-01-01"

[[kv_namespaces]]
binding = "MY_KV"
id = "abc123"
```
SSL/TLS & Security Settings
| Setting | Recommendation | Notes |
|---|---|---|
| SSL Mode | Full (Strict) | Validates origin cert; requires valid cert on origin |
| HSTS | Enable with 6-month max-age | Forces HTTPS; enable includeSubDomains carefully |
| Min TLS Version | TLS 1.2 | Drop TLS 1.0/1.1 for PCI compliance |
| Always Use HTTPS | Enabled | 301 redirect HTTP → HTTPS |
| Bot Fight Mode | Enabled (free) | Blocks known bad bots |
| WAF Managed Rules | Enable OWASP core ruleset | Blocks SQLi, XSS, etc. (Pro+) |
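The same settings can be enforced per-request from a Worker. The block below is an added example, not code from the page or from Cloudflare: it implements Always Use HTTPS, Bypass Cache (Cookie) together with the Cache Everything / 1-day edge TTL rows of the cache table, and the HSTS row with a 6-month max-age. The session cookie prefixes and the 180-day figure are constructed assumptions.

```javascript
// Added example (not from the page): session cookie prefixes and the 180-day
// HSTS max-age are constructed values for illustration.
const SESSION_COOKIE_PREFIXES = ['wordpress_logged_in_', 'PHPSESSID'];
const HSTS_MAX_AGE = 180 * 24 * 60 * 60; // six months, in seconds
// Always Use HTTPS: 301 target for an http:// URL, or null if it is already https.
function httpsRedirectTarget(urlString) {
  const url = new URL(urlString);
  if (url.protocol !== 'http:') return null;
  url.protocol = 'https:';
  return url.toString();
}
// Bypass Cache (Cookie): true when any cookie name in the header has a session prefix.
function shouldBypassCache(cookieHeader) {
  if (!cookieHeader) return false;
  return cookieHeader.split(';').some((pair) => {
    const name = pair.trim().split('=')[0];
    return SESSION_COOKIE_PREFIXES.some((prefix) => name.startsWith(prefix));
  });
}

// Subrequest options: Cache Everything + Edge Cache TTL 1 day for anonymous visitors,
// Standard cache level (which does not cache HTML) once a session cookie is present.
function cacheOptionsFor(cookieHeader) {
  return shouldBypassCache(cookieHeader) ? {} : { cf: { cacheEverything: true, cacheTtl: 86400 } };
}

// HSTS plus the other headers; includeSubDomains is opt-in because it binds every subdomain.
function securityHeaders({ includeSubDomains = false } = {}) {
  return {
    'Strict-Transport-Security': `max-age=${HSTS_MAX_AGE}${includeSubDomains ? '; includeSubDomains' : ''}`,
    'X-Frame-Options': 'DENY',
    'X-Content-Type-Options': 'nosniff',
    'Referrer-Policy': 'strict-origin-when-cross-origin',
  };
}

// In a module Worker this object is the default export (`export default worker`).
const worker = {
  async fetch(request) {
    const target = httpsRedirectTarget(request.url);
    if (target) return Response.redirect(target, 301);
    const cookie = request.headers.get('Cookie');
    const response = await fetch(request, cacheOptionsFor(cookie));
    const headers = new Headers(response.headers);
    for (const [k, v] of Object.entries(securityHeaders())) headers.set(k, v);
    if (shouldBypassCache(cookie)) headers.set('Cache-Control', 'private, no-store');
    return new Response(response.body, { status: response.status, headers });
  },
};
```

Enable includeSubDomains only after every subdomain (including DNS-only ones such as mail hosts) serves valid HTTPS, since browsers remember the policy for the full max-age.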