Adopting a strong security posture for your Cloudflare account is an important step toward ensuring your website’s overall safety. Two-factor authentication (2FA) improves account security by requiring a second piece of information to validate your identity when logging in.
Follow these instructions to enable 2FA by enrolling through your preferred mobile authentication application. Save a copy of the recovery codes in a safe location to avoid locking yourself out of your account.
Manage your notifications to define what you want to be warned about and how. We recommend enabling:
When you use Cloudflare DNS, all DNS queries for your domain are answered by our global Anycast network. DNS records help communicate information about your domain to visitors and other web services.
With Cloudflare DNS, you can manage all of your records for your website in the DNS tab — watch a Cloudflare dashboard walkthrough of the available options.
An orange cloud symbol means traffic to that hostname is running through Cloudflare. This enables features such as hiding your origin IP, caching, SSL, and Web Application Firewall. We recommend enabling the orange cloud for A, AAAA, and CNAME records.
A grey cloud means that Cloudflare will announce those records in DNS, but all traffic will be routed to your origin instead of through Cloudflare. This is useful in a few contexts: for records other than A, AAAA, or CNAME; when you are trying to validate a service with a record; or for non-web traffic, including mail and FTP. If you run into issues with a record on Cloudflare, you can pause Cloudflare for the record by grey clouding it on the DNS tab.
If you experience issues with undeliverable emails after onboarding, grey cloud the DNS records used to receive mail on the DNS tab. The default configuration proxies only HTTP traffic, so proxying those records will break mail traffic.
Cloudflare offers many features to detect and block malicious traffic. However, if malicious users find the origin IP of your server, which is where your actual resources are hosted, they may be able to send traffic or attacks directly to the servers.
Consider taking steps to keep from leaking this information:
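One way to audit a zone for the proxy-status cases described above, as an added example that is not Cloudflare's own code. The record fields `type`, `name`, `content` and `proxied`, the `audit` function and the sample records are assumptions constructed for illustration.

```python
# Added example: audit DNS records for the proxy-status issues described above.
# RECORDS is constructed sample data using documentation-only IP ranges.
PROXYABLE = {"A", "AAAA", "CNAME"}

RECORDS = [
    {"type": "A", "name": "example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "A", "name": "www.example.com", "content": "203.0.113.10", "proxied": True},
    {"type": "A", "name": "mail.example.com", "content": "203.0.113.10", "proxied": False},
    {"type": "A", "name": "ftp.example.com", "content": "198.51.100.7", "proxied": False},
    {"type": "A", "name": "mx2.example.com", "content": "198.51.100.25", "proxied": True},
    {"type": "MX", "name": "example.com", "content": "mail.example.com", "proxied": False},
    {"type": "MX", "name": "example.com", "content": "mx2.example.com", "proxied": False},
]

def audit(records):
    """Return sorted (hostname, finding) tuples for records that need review."""
    # Hostnames that receive mail, taken from the MX targets.
    mail_hosts = {r["content"].rstrip(".").lower() for r in records if r["type"] == "MX"}
    # Addresses that at least one orange-cloud record is meant to hide.
    hidden = {r["content"] for r in records
              if r["type"] in ("A", "AAAA") and r["proxied"]}
    findings = set()
    for r in records:
        if r["type"] not in PROXYABLE:
            continue
        name = r["name"].rstrip(".").lower()
        if r["proxied"] and name in mail_hosts:
            findings.add((name, "mail host is proxied: mail delivery will break"))
        elif not r["proxied"] and r["content"] in hidden:
            findings.add((name, "grey-cloud record reveals an origin IP hidden elsewhere"))
        elif not r["proxied"] and name not in mail_hosts:
            findings.add((name, "unproxied record: confirm it carries non-web traffic"))
    return sorted(findings)

if __name__ == "__main__":
    for host, finding in audit(RECORDS):
        print(f"{host}: {finding}")
```

In the sample data, `mail.example.com` must stay grey clouded to receive mail, so the fix for its finding is to serve mail from an address that no proxied record uses.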
DNSSEC creates a secure domain name system by adding cryptographic signatures to existing DNS records. These digital signatures are stored in DNS name servers alongside common record types like A, AAAA, MX, and CNAME.
By checking its associated signature, you can verify that a requested DNS record comes from its authoritative name server and was not altered en route, as opposed to a fake record injected in an on-path attack.
We highly recommend enabling DNSSEC to add a layer of authentication on top of your DNS for domains on Cloudflare.
SSL certificates encrypt user information and keep users secure on the Internet. Manually configuring SSL requires several steps, however, and misconfigurations can prevent users from reaching your website.
With Cloudflare, become HTTPS-enabled with the click of a button. We offer edge certificates and origin server certificates.
By deploying a Web Application Firewall (WAF), you can decide whether to allow types of incoming and outgoing traffic via a set of rules (often called policies). WAFs protect against attacks such as SQL injection, cross-site scripting, and cross-site request forgery.
Our WAF provides automatic protection and the flexibility to create custom rules:
When using managed rulesets:
These important features help protect your site and ensure content is up to date.
For example, if you are updating an election results page with resources we automatically cache every 20 minutes, set the Edge Cache TTL to 20 minutes, with Browser Cache TTL around 1 minute so users have fresh data. Or, you can manually purge the cache by file URL or hostname every time you update the file.