With 200+ POPs (Points of Presence) across the globe, Cloudflare is one of the most popular CDNs.
This tutorial will recommend some of the Best Cloudflare Settings to get maximum optimization and security advantage from Cloudflare.
I assume that you have already created an account with Cloudflare and connected your domain name.
If not, head over to Cloudflare and create an account to give your website a performance boost.
- Best Cloudflare Settings We Recommend
- Cloudflare Analytics
- Cloudflare DNS
- Cloudflare SSL/TLS
- SSL/TLS Recommender (Beta)
- Always Use HTTPS
- HTTP Strict Transport Security (HSTS)
- Minimum TLS Version
- Opportunistic Encryption
- TLS 1.3
- Automatic HTTPS Rewrites
- Certificate Transparency Monitoring (Beta)
- Cloudflare Firewall
- Cloudflare Speed
- Cloudflare Caching
- Cloudflare Network
- Cloudflare Scrape Shield
Best Cloudflare Settings We Recommend
So, let us get started to optimize your Cloudflare settings.
Once you log in to your Cloudflare account and click the domain name you added, you will see the Overview page.
The Overview tab summarizes your domain’s performance, such as Analytics.
Quick Actions such as Purge Cache and toggling Development Mode on and off are also presented here.
This is the Cloudflare menu structure.
Now we are going to tap the Analytics tab.
The Analytics tab contains read-only data such as the number of requests through Cloudflare, the unique visitors you had in a timeframe, and web traffic requests by country.
You don’t have any settings to update here.
The DNS Management page is one of the critical pages in your Cloudflare account.
All DNS-related settings are here.
You can add, modify and delete DNS records such as A, CNAME, MX, and TXT.
DNSSEC protects against forged DNS answers.
DNSSEC protected zones are cryptographically signed to ensure the DNS records received are identical to the DNS records published by the domain owner.
- Enable DNSSEC
Cloudflare redesigned their SSL/TLS page recently.
You can now easily understand the different SSL/TLS encryption modes Cloudflare offers.
This setting is under the Overview tab.
- Select Full (strict)
SSL/TLS Recommender (Beta)
To check if your website can use a more secure SSL/TLS mode, enable the SSL/TLS Recommender. You can then receive an email with Cloudflare’s recommendation.
- On SSL/TLS Recommender
Always Use HTTPS
This setting is now under the Edge Certificates tab. Redirect all requests with scheme HTTP to HTTPS. This applies to all HTTP requests to the zone.
- On Always Use HTTPS
HTTP Strict Transport Security (HSTS)
HSTS enforces a web security policy for your website: once a browser has seen the header, it will only connect to your domain over HTTPS.
At Rovity, we enable HSTS for all the domains served through our network.
You do not need to enable HSTS in your Cloudflare account if your domain is hosted with us.
- Enable HSTS
The Enable HSTS button will give you a Change HSTS Settings page.
These are the recommended settings.
- Enable HSTS (Strict-Transport-Security)
- Max Age Header (max-age): 12 months
- Apply HSTS policy to subdomains (includeSubDomains)
- No-Sniff Header
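To confirm that a site actually sends the settings recommended above, here is an added example (not Cloudflare's or Rovity's code) that parses a Strict-Transport-Security header and checks it against a 12-month max-age, includeSubDomains and the No-Sniff header. The header dictionaries are constructed samples; in practice you would feed it the response headers of your own domain.

```python
from typing import Dict, List, Mapping

# 12 months in seconds: the max-age recommended in this tutorial.
TWELVE_MONTHS = 365 * 24 * 3600  # 31536000


def parse_hsts(value: str) -> Dict[str, object]:
    """Split an HSTS header value into directives.
    Names are case-insensitive; 'max-age' carries a value, the rest are flags."""
    directives: Dict[str, object] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def check_headers(headers: Mapping[str, str]) -> List[str]:
    """Return findings for a response; an empty list means it matches the recommendation."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings: List[str] = []
    hsts = lowered.get("strict-transport-security")
    if hsts is None:
        findings.append("Strict-Transport-Security header missing")
    else:
        directives = parse_hsts(hsts)
        raw = directives.get("max-age")
        max_age = int(raw) if isinstance(raw, str) and raw.isdigit() else -1
        if max_age < TWELVE_MONTHS:
            findings.append(f"max-age {max_age} is below 12 months ({TWELVE_MONTHS})")
        if "includesubdomains" not in directives:
            findings.append("includeSubDomains directive missing")
    if lowered.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    return findings


# Constructed sample responses (not captured from a real site).
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Content-Type-Options": "nosniff",
}
WEAK_HEADERS = {"strict-transport-security": "max-age=300", "Content-Type": "text/html"}
```

Running check_headers(WEAK_HEADERS) reports three findings: a short max-age, no includeSubDomains and no nosniff header.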
Minimum TLS Version
Only allow HTTPS connections from visitors that support the selected TLS protocol version or newer. Major browsers such as IE 11, Opera Mini, and UC Browser for Android won’t support TLS 1.3.
Unless you are sure that your visitors will only use modern browsers like Firefox, Chrome, and Opera, I recommend switching to TLS 1.2.
- TLS 1.2
Opportunistic Encryption allows browsers to benefit from the improved performance of HTTP/2 by letting them know that your site is available over an encrypted connection. Browsers will continue to show HTTP in the address bar, not HTTPS.
- On Opportunistic Encryption
Enable the latest version of the TLS protocol for improved security and performance. TLS 1.3 is the newest, fastest, and most secure version of the TLS protocol.
SSL/TLS is the protocol that encrypts communication between users and your website.
By turning on the TLS 1.3 feature, traffic to and from your website will be served over the TLS 1.3 protocol when supported by clients.
So, you don’t need to worry about compatibility issues.
- On TLS 1.3
Automatic HTTPS Rewrites
Automatic HTTPS Rewrites helps fix mixed content by changing HTTP to HTTPS for all resources or links on your web site that can be served with HTTPS.
- On Automatic HTTPS Rewrites
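To illustrate what Automatic HTTPS Rewrites does to mixed content, here is an added example (not Cloudflare's implementation): it rewrites http:// URLs in src and href attributes to https://, but only for hosts known to be reachable over HTTPS, which is why some mixed content can remain and must be fixed at the origin. The allowlist and the HTML snippet are constructed assumptions.

```python
import re
from typing import Iterable

# Constructed stand-in for the "can be served with HTTPS" knowledge Cloudflare
# relies on; real deployments would use an HTTPS-capability source (assumption).
HTTPS_CAPABLE_HOSTS = {"cdn.example.com", "fonts.example.org"}

# Matches src="http://host... or href='http://host... and captures the host part.
_ATTR_URL = re.compile(
    r"""(?P<prefix>\b(?:src|href)\s*=\s*["'])http://(?P<host>[^/"'\s]+)""",
    re.IGNORECASE,
)


def rewrite_mixed_content(html: str, https_hosts: Iterable[str] = HTTPS_CAPABLE_HOSTS) -> str:
    """Upgrade http:// resource URLs to https:// when the host is on the allowlist."""
    hosts = {h.lower() for h in https_hosts}

    def _upgrade(match: "re.Match[str]") -> str:
        host = match.group("host")
        if host.lower() in hosts:
            return f"{match.group('prefix')}https://{host}"
        return match.group(0)  # unknown host: leave it, it needs a manual fix

    return _ATTR_URL.sub(_upgrade, html)


def count_mixed_content(html: str) -> int:
    """Number of src/href attributes still loading over plain http://."""
    return len(_ATTR_URL.findall(html))


# Constructed sample page: two allowlisted hosts, one legacy host, one already HTTPS.
SAMPLE_HTML = (
    '<img src="http://cdn.example.com/logo.png">'
    "<link href='http://fonts.example.org/site.css'>"
    '<a href="http://legacy.example.net/page">old link</a>'
    '<script src="https://cdn.example.com/app.js"></script>'
)
```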
Certificate Transparency Monitoring (Beta)
Receive an email when a Certificate Authority issues a certificate for your domain. Certificate Transparency Monitoring is a Beta feature currently.
- On Certificate Transparency Monitoring
Under the Firewall menu, there are many security-related settings you can change.
Click on the Settings menu on the right side. There you can adjust the settings.
Adjust your website’s Security Level to determine which visitors will receive a challenge page.
Cloudflare offers different Security Levels to stop threatening visitors.
The visitors will see this page for up to five seconds.
The Security Level you choose determines which visitors Cloudflare will present with a challenge page.
We recommend starting at Medium. If you are experiencing a DDoS attack or a similar flood of useless traffic, switch to I’m Under Attack!
Bot Fight Mode
This is now moved to Tools tab.
Challenge requests matching patterns of known bots before they can access your site. Requests matching Cloudflare-identified, non-legitimate automated traffic patterns will be challenged or blocked by Cloudflare.
- On Bot Fight Mode
Challenge Passage sets how long a visitor who passes a challenge stays unchallenged. Start with 30 minutes and adjust based on your needs.
- 30 minutes
Browser Integrity Check
Evaluate HTTP headers from your visitor’s browser for threats. If a threat is found, Cloudflare will deliver a block page.
- On Browser Integrity Check
Privacy Pass Support
Privacy Pass is a browser extension developed by the Privacy Pass Team to improve your visitors’ browsing experience. Enabling Privacy Pass will reduce the number of CAPTCHAs shown to your visitors.
- On Privacy Pass Support
Under the Speed menu, we have the Optimization and Browser Insights tabs.
Let us now head over to the Optimization tab.
Minification reduces the file size of the source code (JavaScript, CSS, and HTML) on your website. Enable all of them.
Speed up page load times for your visitor’s HTTPS traffic by applying Brotli compression. Rovity now supports Brotli across our servers, so you might not need to enable this.
- On Brotli
- On Rocket Loader
AMP Real URL
Display your site’s actual URL on your AMP pages instead of the traditional Google AMP cache URL.
- On AMP Real URL
You can find out how fast your web pages load by enabling Browser Insights. This setting is under the Browser Insights tab.
- On Browser Insights
The Caching page contains some of the most impactful settings.
You can manage caching settings for your website on this page’s Configuration tab.
You can Clear cached files to force Cloudflare to fetch the new version of those files from your web server.
These are not set-and-forget settings; you may use them often.
Custom Purge will clear files selectively. Purge Everything will clear all at once.
Caching Level determines how much of your website’s static content you want Cloudflare to cache. Increased caching can speed up page load time.
- Select Standard
Browser Cache TTL
Determine the length of time Cloudflare instructs a visitor’s browser to cache files. During this period, the browser loads the files from its local cache, speeding up page loads.
- Select 1 year
CSAM Scanning Tool (Beta)
The Child Sexual Abuse Material (CSAM) Scanning Tool allows website owners to proactively identify and take action on CSAM located on their website.
Enabling this service will alert you of any image files that match known CSAM and that have been uploaded to your website.
So you can take immediate action. CSAM Scanning Tool is beneficial when you allow visitors to upload content to your websites.
CSAM Scanning Tool is currently in Beta.
- On CSAM Scanning Tool
Keep your website online for visitors when your origin server is unavailable. Always Online serves limited copies of web pages to users instead of errors when your server is unreachable.
An updated version of Always Online uses the Internet Archive’s Wayback Machine to serve more comprehensive snapshots than previously available.
- On Always Online
You can temporarily bypass the Cloudflare cache, allowing you to see changes to your origin server in real time.
Toggling Development Mode is helpful when you are actively developing or debugging your website.
Here you can manage network settings for your website. This page is another crucial section that affects your performance, so please look carefully.
Cloudflare accelerates your website with HTTP/2. Rovity now offers HTTP/3 across our servers, so you might not need to enable this.
- On HTTP/2
HTTP/3 (with QUIC)
Accelerates HTTP requests by using QUIC, which provides encryption and performance improvements compared to TCP and TLS.
Rovity now offers HTTP/3 across our servers, so you might not need to enable this.
- On HTTP/3 (with QUIC)
0-RTT Connection Resumption
Improves performance for clients who have previously connected to your website.
- On 0-RTT Connection Resumption
Enable IPv6 support and gateway.
- On IPv6 Compatibility
Allow WebSockets connections to your origin server.
- On WebSockets
Include the country code of the visitor location with all requests to your website.
- On IP Geolocation
Cloudflare Scrape Shield
Cloudflare’s Scrape Shield protects content on your site.
Email Address Obfuscation
Display obfuscated email addresses on your website to prevent harvesting by bots and spammers, without any visible change for human visitors.
- On Email Address Obfuscation
Automatically hide specific content from disreputable visitors.
- On Server-side Excludes
That’s the end of this massive list of Cloudflare performance and security optimizations.
If you have any questions, feel free to add them in the comments box below.
If you enjoyed this tutorial, then you’ll love Rovity and our fast-growing premium shared hosting on the cloud. Check our subscription plans.