Optimizing the User Experience in Magento

Magento powers over $50 billion in gross transactions annually. Learn how Page Rules enables you to enhance user experience and increase conversions by customizing Cloudflare to optimize the performance, security and reliability of your Magento website.

To purchase Page Rules, visit the Cloudflare dashboard.


In the above video you will learn how to:

  • Increase security and performance by enforcing secure domain connections
  • Protect your SEO by defining a canonical version of your domain
  • Ensure operational excellence in critical admin areas
  • Reduce bandwidth utilization and server load with advanced caching capabilities
  • Harden security to protect your users and site administrators from attack
  • Extend caching capabilities to serve more content from the cloud
  • Optimize performance with HTTP/2 and aggressive caching strategies
  • Enhance the reliability of critical domain assets with Always Online functionality

Video Transcript

Magento powers over $50 billion in gross transactions annually. With Page Rules you can customize Cloudflare to optimize the performance, security and reliability of your Magento website, enhancing your visitors’ user experience and increasing conversions.

Increase Security & Performance

For online retailers, SSL is not only critical for protecting sensitive information and increasing customer confidence, but SSL is also required to take advantage of performance enhancing technologies like HTTP/2 and Server Push, and it can have a positive impact on your SEO ranking as well.

SSL is enabled by default in the Crypto section of Cloudflare. While this enables your online store to take advantage of SSL, Page Rules allows you to require all visitors to connect to your domain securely.

To accomplish this, once you’ve enabled any mode of SSL, create a Page Rule for HTTP that includes an asterisk before and after your domain, and select “Add a Setting” > Always Use HTTPS.

This URL pattern, which includes HTTP with an asterisk before and after your domain, ensures that any subdomains, directories or query strings referencing your domain will be forced over HTTPS.

Once you click Save and Deploy, new and returning visitors attempting to connect to your domain over HTTP will be redirected to HTTPS. Keep in mind that this option should generally be the first rule you set in Page Rules. Unless you have a special case, be sure to reorder this rule to appear at the top of your set.

Standardize URL & Protect Your SEO

To maintain consistency when linking internally as well as avoid duplicate content penalties that can dilute your search ranking, Page Rules allows you to define the canonical version of your domain with 301 Forwarding.

If you want to define www as the canonical version of your domain, create a Page Rule that includes the following:

Add your domain excluding the protocol scheme, which will cover both HTTP and HTTPS.

The Forwarding URL setting is selected with 301 - Permanent Redirect option. From an SEO standpoint, 301 redirects will pass the ranking power to the redirected page.

You’ll notice that my destination URL includes a secure protocol scheme and I’m using a $1 for the directory to match the asterisk in the URL pattern. $1 corresponds to the first asterisk in the URL string from left to right. If I had an asterisk before the domain and wanted to match it, I would use $2 instead of $1.

Once I hit Save and Deploy, my URL will be redirecting accordingly.
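The wildcard pattern and `$1` mapping described above can be checked offline before a rule is deployed. The following Python sketch is an added example, not code from Cloudflare or the video; the domain `example.com`, the destination `https://www.example.com/$1` and greedy left-to-right wildcard matching are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

def compile_pattern(pattern):
    """Turn a Page Rules style URL pattern into a regex.

    Each asterisk becomes one capture group, numbered left to right,
    so the first asterisk is $1, the second is $2, and so on.
    A pattern without a scheme covers both HTTP and HTTPS.
    """
    body = "(.*)".join(re.escape(part) for part in pattern.split("*"))
    if "://" not in pattern:
        body = r"https?://" + body
    return re.compile("^" + body + "$")

def matches(url, pattern):
    """True if the whole URL is covered by the pattern."""
    return compile_pattern(pattern).match(url) is not None

def forward(url, pattern, destination):
    """Return the redirect target for url, or None if the rule does not apply."""
    m = compile_pattern(pattern).match(url)
    if m is None:
        return None

    def substitute(ref):
        index = int(ref.group(1))
        if index < 1 or index > m.re.groups:
            raise ValueError(f"${index} has no matching asterisk in {pattern!r}")
        return m.group(index)

    return re.sub(r"\$(\d+)", substitute, destination)

def stays_on_host(target, canonical_host):
    """Sanity check: the redirect must land on the canonical host."""
    return urlsplit(target).hostname == canonical_host

if __name__ == "__main__":
    # Constructed sample URLs for the canonical-www rule.
    for url in ("http://example.com/catalog/shoes?color=red",
                "https://example.com/",
                "https://www.example.com/already-canonical"):
        print(url, "->", forward(url, "example.com/*", "https://www.example.com/$1"))
    # With a leading asterisk the path moves from $1 to $2.
    print(forward("http://shop.example.com/cart",
                  "*example.com/*", "https://www.example.com/$2"))
```

Because the canonical rule's pattern does not match `www.example.com`, already-canonical URLs return `None`, which confirms the rule cannot redirect to itself in a loop.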

User-Friendly URLs

With Page Rules, you can redirect URLs in a number of ways, both internally and externally. In these examples I’m using 301 - Permanent Redirect to create a user-friendly URL for specific search results.

Using a 302 - Temporary Redirect, in the following 3 examples I’m using my domain to redirect to various social media properties.

Ensure Proper Operations & Harden Security

Certain sections of Magento have very different security and performance requirements than your public facing pages. Page Rules allows you to target these areas with very specific settings.

To protect my admin area, I’m targeting the admin directory with an asterisk without the forward slash. This pattern not only targets the main directory, but it also includes any subdirectories and query strings as well. To increase security, I’ve set the Security Level to High. Security Level controls how high a client Threat Score must be for a client to encounter a challenge page. Threat Scores are derived from our IP Reputation database and assigned to clients that attempt to connect to a resource on your domain. I’ve set the Cache Level to Bypass so Cloudflare will not cache any of the content within this section. I’ve also disabled any Apps and Performance settings that may conflict with some of the unique functionality within this area.

My user area includes a number of different URLs as shown here. These URLs can be found by logging into Magento as a regular user and clicking around the various links in the user area. To increase security, I set the Security Level to High. To ensure smooth operations I’ve set the Cache Level to Bypass so Cloudflare will not cache any of the content within this section. I’ve also disabled any Performance settings that may conflict with some of the unique functionality of this area.

Finally, to ensure that my cron runs properly and is not an eligible target for attack, I’ve set the Security Level to High, Cache Level to Bypass and disabled any Performance features.

Increasing Performance While Decreasing Bandwidth Usage

By default, Cloudflare caches the most popular types of static assets. With Page Rules you can access advanced caching options that allow you to significantly reduce how much bandwidth your server uses. In this example I’m targeting all of the contents of my pub/media area.

Edge Cache TTL instructs Cloudflare on how often to request new content from your server. Since items in my pub/media folder will rarely change, I’ve set a very long Edge Cache TTL of a month. This means Cloudflare will only request a fresh copy of the assets from my server after an entire month has passed.

If a resource were to change in this area and I wanted to force a refresh before the set TTL time, the Purge Cache feature in the Caching section of the dashboard gives me the ability to force the refresh of a specific file or directory.

Browser Cache TTL instructs the user’s browser how often it should attempt to request new content from Cloudflare’s edge. Browser Cache TTL can be used in conjunction with aggressive cache settings to make sure your visitors are getting the content you intended on delivering. In general, 4 hours is a good default setting. In this example I’ve set the TTL for an entire day since I’m not worried about the contents changing frequently.

Enhancing the Reliability of Important Pages

There may be certain areas on your domain that rarely change and are critical to your organization. For these types of pages I want to make sure they’re always available, regardless of what is going on with my server. For these sorts of pages, I’ve applied the following rules:

By enabling Always Online, Cloudflare will serve pages from cache so visitors still see the content even if my origin server were to go down.

Browser Cache TTL has been set to 1 day. Since my pages are heavily reliant on static content, the Cache Level is set to Cache Everything to make sure that all of the content, including the HTML, is preserved in cache. Finally, I set an aggressive Edge Cache TTL to a week, which instructs Cloudflare to only request new versions of the content from my origin server after a month.

To prevent email harvesters and bots from adding my address to their spam lists, I’ve enabled Email Obfuscation on public facing pages that include an email address. Email Obfuscation will encrypt email addresses on your web page from bots while keeping them visible to humans, resulting in no visible changes to your website for visitors.

Once enabled, while I can see the email address as a human visitor, when I view the source code I can see that the email is obfuscated, protected from malicious crawlers.


The number of Page Rules available to your domain is limited by plan type. If you need more Page Rules, Cloudflare now offers you the ability to purchase more Page Rules a la carte. Be sure to visit our plans page for more information at: www.cloudflare.com/plans