April 28, 2026|8 min read|Antoine Duno

Cloudflare Security Settings: The Complete Configuration Guide

Cloudflare security settings can dramatically reduce your attack surface — but only if configured correctly. This guide walks through every critical option, from SSL/TLS mode to WAF rules, so your site is protected end-to-end.

ZeriFlow Team


Cloudflare security settings are the first line of defense for millions of websites, yet most site owners leave critical protections disabled or misconfigured. This guide covers every essential setting — SSL/TLS Full Strict mode, Web Application Firewall rules, DNSSEC, Bot Fight Mode, and Always HTTPS redirects — with practical, step-by-step instructions you can follow right now.

Scan your site with ZeriFlow to see your current security posture before you start, so you can track every improvement you make.


SSL/TLS Mode: Why Full Strict Is the Only Acceptable Choice

Cloudflare offers four SSL/TLS modes: Off, Flexible, Full, and Full (Strict). Many tutorials recommend Full without explaining the difference — and that difference is critical.

  • Flexible: Traffic between Cloudflare and your origin server is unencrypted. An attacker with access to your hosting provider's network can read every request.
  • Full: Cloudflare encrypts traffic to your origin but does not validate the certificate. A self-signed or expired certificate is accepted — leaving you open to man-in-the-middle attacks at the origin level.
  • Full (Strict): Cloudflare encrypts traffic AND validates your origin certificate against a trusted CA or Cloudflare's own Origin CA. This is the only mode that provides genuine end-to-end security.

How to configure Full Strict:

  1. Log into the Cloudflare dashboard and select your domain.
  2. Navigate to SSL/TLS → Overview.
  3. Select Full (Strict).
  4. If your origin does not have a valid certificate, go to SSL/TLS → Origin Server and create a free Cloudflare Origin CA certificate — valid for up to 15 years.
  5. Install that certificate on your origin server (Nginx, Apache, or your hosting panel).

Common mistake to avoid: Switching to Full Strict before installing a valid origin certificate will break your site. Always install the origin certificate first, then change the mode.


Web Application Firewall (WAF): Enabling Managed Rules

The Cloudflare WAF inspects incoming HTTP requests and blocks known attack patterns — SQL injection, cross-site scripting (XSS), remote file inclusion, and more. On free plans, the WAF is limited but still valuable. On Pro and above, managed rulesets from Cloudflare and OWASP become available.

Free plan WAF setup:

  1. Go to Security → WAF.
  2. Enable the WAF toggle.
  3. Under Managed Rules, activate the Cloudflare Free Managed Ruleset.
  4. Set the action to Block for high-confidence rules and Challenge for medium-confidence ones.

Pro/Business plan additions:

  • Enable the OWASP Core Ruleset — this is the industry standard for blocking common web attacks.
  • Review the Paranoia Level: Level 1 catches the most obvious attacks with the fewest false positives; Level 3–4 is aggressive and may require tuning.
  • Create custom WAF rules to block traffic from specific countries, ASNs, or user agents if you see targeted attack patterns in your logs.

Rate limiting (available on all plans):

  1. Go to Security → WAF → Rate Limiting Rules.
  2. Create a rule: if requests from a single IP exceed X per minute on /login or /api/*, apply a Challenge or Block action.
  3. A threshold of 10–20 requests per minute on authentication endpoints is a reasonable starting point.
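Before committing to a threshold in the dashboard, it helps to replay real or representative traffic against the rule's logic. The following is an added example, not Cloudflare's code or the guide's: a local model of the rule above (per-IP sliding 60-second window over /login and /api/*, threshold 10 per minute, Challenge on excess) run over constructed request tuples.

```python
from collections import defaultdict, deque
from fnmatch import fnmatch

# Rule parameters mirroring the guide: protected paths and a 10-requests-per-minute
# per-IP threshold (a starting point, as the guide suggests; tune from your logs).
PROTECTED_PATHS = ("/login", "/api/*")
THRESHOLD = 10
WINDOW_SECONDS = 60

def matches_rule(path):
    """True when the request path is covered by the rate limiting rule."""
    return any(fnmatch(path, pattern) for pattern in PROTECTED_PATHS)

def evaluate(requests, action="challenge"):
    """Replay (timestamp_seconds, ip, path) tuples in time order and return
    (timestamp, ip, path, decision) for each: 'allow' when the rule does not
    apply or the client is within the threshold, otherwise the rule's action.
    Counting uses a sliding 60-second window per client IP."""
    history = defaultdict(deque)
    decisions = []
    for ts, ip, path in sorted(requests):
        if not matches_rule(path):
            decisions.append((ts, ip, path, "allow"))
            continue
        window = history[ip]
        while window and ts - window[0] >= WINDOW_SECONDS:
            window.popleft()          # drop hits older than the window
        window.append(ts)
        verdict = action if len(window) > THRESHOLD else "allow"
        decisions.append((ts, ip, path, verdict))
    return decisions

# Constructed traffic (documentation IP ranges, not real clients): one client
# hammering /login, one ordinary visitor, and an API client just under the limit.
SAMPLE = (
    [(t, "198.51.100.7", "/login") for t in range(15)]               # 15 logins in 15 s
    + [(5, "203.0.113.20", "/"), (6, "203.0.113.20", "/about")]      # not covered by the rule
    + [(t * 6, "203.0.113.44", "/api/v1/items") for t in range(10)]  # 10 calls in 54 s
)

if __name__ == "__main__":
    for ts, ip, path, verdict in evaluate(SAMPLE):
        print(f"t={ts:>3}s {ip:<14} {path:<14} -> {verdict}")
```

Only the eleventh and later /login attempts from the first client inside the window are challenged; the API client that stays at exactly ten per minute is never touched, which is the behaviour to confirm for your own monitoring or CI clients before raising the action to Block.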


DNSSEC: Protecting Your Domain From Cache Poisoning

DNS cache poisoning attacks redirect users to malicious servers by injecting fake DNS records into resolvers. DNSSEC (Domain Name System Security Extensions) prevents this by cryptographically signing your DNS records.

Enabling DNSSEC on Cloudflare:

  1. Go to DNS → Settings.
  2. Click Enable DNSSEC.
  3. Cloudflare generates a DS (Delegation Signer) record — copy the values shown.
  4. Log into your domain registrar and add the DS record to your domain's settings. The exact steps vary by registrar (GoDaddy, Namecheap, Google Domains, etc.), but the field labels — Key Tag, Algorithm, Digest Type, Digest — are universal.
  5. Propagation takes 24–48 hours. You can verify using dig DS yourdomain.com @8.8.8.8 or an online DNSSEC checker.

Why this matters: Without DNSSEC, any resolver between your user and Cloudflare could theoretically be poisoned to redirect traffic. With DNSSEC, a validating resolver rejects any unsigned or incorrectly signed response automatically.


Bot Fight Mode: Stopping Credential Stuffing and Scraping

Bot Fight Mode detects and challenges bots that use headless browsers or scripted HTTP clients. It is free and takes 30 seconds to enable.

  1. Go to Security → Bots.
  2. Toggle Bot Fight Mode to On.

For Pro plans and above, Super Bot Fight Mode adds:

  • Detection of definitely automated traffic (served a JavaScript challenge or blocked outright).
  • Detection of likely automated traffic (served a managed challenge).
  • An allow-list for verified good bots (Googlebot, Bingbot, etc.) so SEO is unaffected.

Considerations: Bot Fight Mode can occasionally affect legitimate API clients or monitoring tools. If you run uptime checks or CI/CD pipelines that make HTTP requests to your domain, add those IP addresses to a WAF bypass rule before enabling the feature.


Always HTTPS: Eliminating Plaintext Connections

Even with SSL configured, users who type your domain without https:// or follow an old HTTP link will initially connect unencrypted. Always HTTPS redirects every HTTP request to HTTPS automatically.

  1. Go to SSL/TLS → Edge Certificates.
  2. Toggle Always Use HTTPS to On.
  3. Also enable Automatic HTTPS Rewrites — this updates mixed-content references in your HTML (images, scripts loaded over HTTP) to use HTTPS, preventing browser security warnings even if your origin serves some resources over HTTP.

HSTS (HTTP Strict Transport Security): For even stronger protection, go to SSL/TLS → Edge Certificates → HTTP Strict Transport Security (HSTS) and configure:

  • Max Age: 6 months minimum (31536000 seconds for one year recommended).
  • Include subdomains: Yes, if all your subdomains are HTTPS-ready.
  • Preload: Only enable after testing — HSTS preloading is very difficult to reverse.


Verifying Your Configuration With ZeriFlow

After making these changes, it is essential to verify that they are actually working as expected. Misconfigured redirects, missing headers, or incorrect certificate chains can still leave gaps even after following these steps to the letter.

Run a free ZeriFlow scan on your domain to get an instant report covering:

  • SSL certificate validity and chain completeness
  • HSTS header presence and max-age value
  • Security headers (CSP, X-Frame-Options, X-Content-Type-Options)
  • HTTP to HTTPS redirect behavior
  • Mixed content detection
  • DNSSEC validation status
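Two of the checks above can also be done by hand from the values the guide already tells you to look at: the Strict-Transport-Security header (HSTS section) and the DS record returned by dig (DNSSEC section). The following is an added example, not ZeriFlow's or Cloudflare's code: it scores an HSTS header against the guide's recommended settings and parses dig DS output into the four registrar fields. The dig output and DS values are constructed, not a real record.

```python
import re

SIX_MONTHS = 15552000  # seconds; the minimum max-age recommended above
ONE_YEAR = 31536000    # seconds; the recommended value

def check_hsts(header):
    """Parse a Strict-Transport-Security header value and report gaps against
    the guide's advice: max-age >= 6 months, includeSubDomains, deliberate preload."""
    directives = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            directives[name.lower()] = value.strip().strip('"')
    raw = directives.get("max-age", "")
    max_age = int(raw) if raw.isdigit() else 0
    findings = []
    if max_age < SIX_MONTHS:
        findings.append(f"max-age {max_age} is below the six-month minimum ({SIX_MONTHS})")
    if "includesubdomains" not in directives:
        findings.append("includeSubDomains not set (acceptable only if some subdomains are HTTP-only)")
    if "preload" in directives:
        findings.append("preload is set: confirm this was deliberate, it is hard to reverse")
    return {"max_age": max_age, "preload": "preload" in directives, "findings": findings}

# Answer line of `dig DS <domain> @8.8.8.8`: name TTL IN DS key_tag algorithm digest_type digest
DS_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+DS\s+(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f\s]+)$")

def parse_ds_records(dig_output):
    """Extract the registrar fields (Key Tag, Algorithm, Digest Type, Digest) from
    dig output so they can be compared with the values shown in the dashboard."""
    records = []
    for line in dig_output.splitlines():
        m = DS_LINE.match(line.strip())
        if m:
            records.append({
                "name": m.group(1).rstrip("."),
                "key_tag": int(m.group(2)),
                "algorithm": int(m.group(3)),
                "digest_type": int(m.group(4)),
                "digest": re.sub(r"\s+", "", m.group(5)).upper(),  # dig may split the hex
            })
    return records

# Constructed dig output; the key tag and digest are made up, not a real DS record.
SAMPLE_DIG = """\
;; ANSWER SECTION:
example.com.\t3600\tIN\tDS\t2371 13 2 A1B2C3D4E5F60718 293A4B5C6D7E8F90 0A1B2C3D4E5F6A7B 8C9D0E1F2A3B4C5D
"""
```

A header such as max-age=86400 is flagged as below the six-month minimum, while the recommended max-age=31536000; includeSubDomains passes; the parsed DS fields should match the dashboard exactly before you treat the DNSSEC setup as complete.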

ZeriFlow runs 80+ automated security checks and gives you a prioritized list of remaining issues, so you know exactly what to fix next.


FAQ

### Q: What happens if I enable Full Strict without a valid origin certificate?

A: Your site will display a 526 error (Invalid SSL Certificate) to all visitors. Always install a valid certificate on your origin — use Cloudflare's free Origin CA — before switching to Full Strict mode.

### Q: Does enabling the WAF slow down my site?

A: The WAF inspection adds a few microseconds of latency at most. The performance impact is negligible compared to the protection provided. Cloudflare's WAF operates on its global edge network, not on your origin server.

### Q: Can DNSSEC break my site?

A: DNSSEC itself does not affect how your site loads. However, if you add incorrect DS records at your registrar, DNS resolution can fail. Always copy the DS record values exactly from the Cloudflare dashboard, and verify propagation before considering the setup complete.

### Q: Does Bot Fight Mode block Googlebot?

A: No. Super Bot Fight Mode automatically allows verified bots like Googlebot, Bingbot, and other legitimate crawlers. Regular Bot Fight Mode uses behavioral fingerprinting to distinguish malicious bots from legitimate crawlers without blocking SEO-critical traffic.

### Q: How often should I review my WAF rules?

A: Review your WAF logs at least monthly. Look for patterns — repeated blocks from specific IPs or countries, or high volumes of a specific attack type — and create custom rules to address them. Cloudflare also updates its managed rulesets automatically, so new CVEs are often covered within hours of disclosure.


Conclusion

Cloudflare security settings are powerful, free, and ready to configure right now. Start with SSL/TLS Full Strict and Always HTTPS — these two changes alone eliminate the most common attack vectors against web applications. Add DNSSEC and Bot Fight Mode for defense in depth, and tune your WAF rules based on actual traffic patterns.

The single biggest mistake is assuming the default settings are sufficient. They are not. Cloudflare ships with conservative defaults to avoid breaking sites — not to maximize security.

Scan your site on ZeriFlow after completing this guide. The free report will confirm what is working, surface anything you missed, and give you a security score you can track over time as your configuration matures.
