Core Setup

When you first add a domain to Cloudflare during your initial account setup, Cloudflare automatically scans for common DNS records to add to the Cloudflare DNS app. However, some DNS records may require manual configuration.

For visitor traffic to successfully reach your domain, the domain must have at least one A or AAAA record that points to the origin web server IP address or a CNAME record that points to the hostname of a hosting service.

Add an A, AAAA, or CNAME record for your domain by selecting ‘+Add records’ under the DNS tab and specifying the type, name, and IPv4 (or IPv6 address) in the appropriate fields. When a DNS record has been successfully added, the ‘Proxy status’ will show an orange cloud.

Need help? Follow our detailed instructions >

After your critical DNS records have been configured, MX and TXT records need to be authorized in order to set up email delivery and authentication for your domain. Both MX and TXT records can be added using the same fields as A, AAAA, and CNAME records.

For MX records: Add an MX record for your domain by selecting ‘+Add records’ under the DNS tab and specifying the type, name, mail server, and priority in the appropriate fields.

For TXT records: Add a TXT record for your domain by selecting ‘+Add records’ under the DNS tab and specifying the type, name, TTL, and content in the appropriate fields.

Need help? Follow our detailed instructions >

You may transfer an existing domain to Cloudflare with Cloudflare Registrar. Domains on Cloudflare are set to auto-renew by default, but may be manually renewed at any point.

In your Dashboard, select the domain you want to transfer to Cloudflare and navigate to the Overview tab. Under ‘Domain Registration,’ select “Manage Domains” and click on “Transfer to Cloudflare.” You will need to take the following three steps to complete the transfer:

1. Disable DNSSEC by removing the DS record at your current DNS host. Turn off DNSSEC within the Cloudflare Dashboard.
2. Ensure that your current domain is not scheduled to expire within the next 15 days, as it may take up to 15 days to successfully complete a domain transfer. If your domain expires before the transfer to Cloudflare is completed, follow these instructions.
3. Complete your domain transfer by following the instructions for Namecheap, GoDaddy, Network Solutions, 1&1, Enom, or any other domain registrar.

If you plan to initiate multiple domain transfers, notify your financial institution to avoid flagging the charges as fraudulent.

Registrar, pricing, and expiration date may vary by domain.

Need help? Follow our detailed instructions >

Global CDN caching: Cloudflare’s global CDN (Content Delivery Network) is a geographically-distributed group of servers that accelerates the delivery of HTML pages, JavaScript files, images, and other types of Internet content. By caching static resources with the Cloudflare CDN, you can reduce server load and bandwidth, with no extra charge for bandwidth spikes. For a list of all file extensions that are automatically cached by the Cloudflare CDN, see Understanding Cloudflare’s CDN. If you want to cache additional files with Cloudflare, see Customizing Cloudlfare’s cache.

HTTP/2: HTTP/2 is an upgraded HTTP protocol that has been optimized for the modern website. It enables servers to deliver more content than originally requested by a user, which speeds up page loads without the use of complicated hacks. HTTP/2 is enabled by default for all Cloudflare domains. It can be managed under the Network tab of your Dashboard. To learn more, see Understanding Cloudflare HTTP/2 and HTTP/3 Support.

There are three primary actions that allow you to customize your caching settings in the Dashboard: Purge Cache, Caching Level, and Browser Cache TTL.

• Purge Cache allows you to clear files from Cloudflare’s cache, either selectively (Custom Purge) or collectively (Purge Everything). Purging all cached resources may temporarily degrade your web performance and increase bandwidth and CPU, as it forces Cloudflare to retrieve a new version of these files from your origin server. Cloudflare recommendation: Custom Purge.

• Caching Level tells Cloudflare how much of your website’s static content needs to be cached. Typically, the more content you cache, the faster your web pages load. Cloudflare recommendation: Standard Caching Level.

• Browser Cache TTL tells Cloudflare how long to cache files in a visitor’s browser. The expiration time can be set to respect existing headers, or set for an amount of time that ranges from 30 minutes to 1 year. Be aware that while longer expiration times ensure faster load times for repeat visitors, they can subsequently trigger slower update times when these files are modified. You may also use Page Rules to allow a different cache expiration time for a specific path or resource.

Rocket Loader accelerates page load times by prioritizing website content over JavaScript. Once your web content (text, images, etc.) has loaded, it dynamically inserts the JavaScripts back into the page so the browser can load them. This drastically reduces the amount of time your users have to wait to see a webpage.

__Under the ‘Optimization’ tab of your Speed settings, toggle Rocket Loader by switching the setting to “On.” __

Need help? Follow our detailed instructions >

With 0-RTT Connection Resumption, returning users benefit from faster web performance by making their first requests before the TLS or QUIC connection is fully established. This ensures faster connection times and page loads, but also introduces a slight security risk as application data may be intercepted by an attacker. This feature is not enabled by default.

To enable 0-RTT Connection Resumption, navigate to the Network tab of your Dashboard and toggle the “On” setting.

Learn more about the risks of 0-RTT Connection Resumption >

Cloudflare’s ‘Always Online’ feature allows users to access your site even when your origin web server gets knocked offline. Cloudflare does this by caching a limited number of webpages that are always available to visitors. With the ‘Always On’ feature enabled, visitors will also see a green notification button allowing them to refresh the page for a live version.

Under the Caching tab at the top of the screen, turn on ‘Always Online’ by switching the setting to “On.”

Need help? Follow our detailed instructions >

DDoS Protection: Cloudflare automatically shields your site from network- and application-level DDoS attacks. There are five primary types of attacks Cloudflare helps mitigate: HTTP flood attacks, UDP flood attacks, SYN flood attacks, ACK flood attacks, and QUIC flood attacks. To learn how these attacks work, visit our DDoS Learning Center. Under attack? Learn how to respond to a DDoS attack.

Opportunistic Encryption: Opportunistic Encryption adds a layer of security to websites that have not migrated to HTTPS. When this feature is enabled, users will be able to access sites over an encrypted connection, but will continue to see “http” in the address bar. Opportunistic Encryption is not a substitute for HTTPS, which should be used when strong encryption and authentication are required.

TLS 1.3: TLS 1.3 is the latest version of the TLS protocol, which uses HTTPS to encrypt communications between a client and web server. TLS 1.3 offers several significant security and performance advantages over previous versions of TLS, including security patches for known vulnerabilities and decreased latency and load times.

Automatic HTTPS Rewrites: When you connect to your site over HTTPS, but see an information or warning icon in the URL instead of a lock icon, your site may be experiencing an issue with mixed content. With Automatic HTTPS Rewrites, Cloudflare can help keep your site secure by rewriting insecure HTTP resources and links as HTTPS resources and links. To learn more about the limitations of this feature, see Understanding Automatic HTTPS Rewrites.

Email Address Obfuscation: Scrape Shield is a free app that protects your domain from email spam and bandwidth abuse, while automatically hiding specific content on your site from suspicious visitors. Email Address Obfuscation is automatically enabled for your site under the Scrape Shield tab of your Dashboard.

DNSSEC authenticates your DNS so that users are always directed to your web server when they type your domain into a web browser. Without DNSSEC, your site may be vulnerable to on-path attacks and other types of DNS forgeries. There are two required steps to configure DNS:

1. Enable DNSSEC in the DNS settings of your Dashboard.
2. Add a DS record to your registrar.

Need help? Follow our detailed instructions >

Cloudflare Firewall Rules allow you to examine all incoming site traffic and approve, challenge, or block it based on custom criteria. By proactively inspecting your site traffic, you can create specific responses that will automatically anticipate and respond to threats. The Free Plan allows users to create and apply five (5) Firewall Rules to a domain.

Configure your Firewall Rules in the ‘Firewall Rules’ tab of your Firewall settings.

Each firewall rule triggers a specific action that will be performed when an incoming HTTP request matches the expression in the rule.

Need help? Follow our detailed instructions >

Cloudflare Page Rules gives you granular control over the performance and security settings for your domain. Using Page Rules, you can define URL patterns that automatically trigger certain actions, i.e. changing the SSL mode for your subdomains, applying Auto Minify to a set of URLs, and so on.

The Free Plan includes three Page Rules, with additional Page Rules available starting at $5/month.

Add a Page Rule by clicking ‘Create Page Rule’ in the Page Rules tab, then adding any desired settings to that rule. Page Rules are prioritized in descending order in the Cloudflare Dashboard, and should be ordered from most specific to least specific.

Learn more about recommended Page Rules for your site.

Need help? Follow our detailed instructions >

When other websites use your images without permission, your bandwidth consumption and costs may increase. Hotlink Protection allows other sites to download and view images from your domain, but prevents them from linking directly to your image resources. This feature supports the following file extensions: .gif, .ico, .jpg, jpeg, and .png.

To apply Hotlink Protection to your domain, navigate to the Scrape Shield tab of your Dashboard and toggle the feature by clicking “On.”