← Back to Blog
Cloudflare Security Configuration Guide 2026
Cloudflare provides enterprise-grade protection against DDoS attacks, malicious bots, web application attacks, and SSL/TLS threats. Proper configuration significantly improves website security, performance, and availability.
Recommended Architecture
Internet
↓
Cloudflare DNS + WAF + DDoS Protection
↓
Nginx Proxy Manager / Web Server
↓
Application Server
↓
Database
1. Enable Cloudflare Proxy
- Enable Orange Cloud Proxy for public websites.
- Hide origin server IP address.
- Use Cloudflare as the public entry point.
- Reduce direct attacks on the origin server.
2. Configure SSL/TLS
- Use Full (Strict) SSL mode.
- Install valid certificates on the origin server.
- Enable Automatic HTTPS Rewrites.
- Enable Always Use HTTPS.
Recommended:
SSL/TLS Mode = Full (Strict)
Minimum TLS Version = TLS 1.2
3. Enable HSTS
- Enable HTTP Strict Transport Security.
- Force encrypted connections.
- Protect against SSL stripping attacks.
Max Age = 6 Months or Higher
Include Subdomains = Enabled
Preload = Enabled
4. Configure Web Application Firewall (WAF)
- Enable Cloudflare Managed Rules.
- Enable OWASP Rulesets.
- Enable SQL Injection Protection.
- Enable Cross-Site Scripting (XSS) Protection.
5. Enable Bot Protection
- Enable Bot Fight Mode.
- Enable Super Bot Fight Mode (if available).
- Block malicious automated traffic.
- Reduce scraping activity.
6. Configure Security Headers
Recommended HTTP Response Headers:
Strict-Transport-Security
X-Frame-Options
X-Content-Type-Options
Referrer-Policy
Permissions-Policy
Content-Security-Policy
7. Protect Origin Server
- Allow only Cloudflare IP ranges.
- Block direct access to origin.
- Restrict management interfaces.
- Use firewall ACLs.
8. Enable Rate Limiting
- Protect login pages.
- Prevent brute-force attacks.
- Reduce bot abuse.
- Limit API abuse.
Example:
URI: /login
Requests:
10 requests / minute
Action:
Block
9. DNS Security Best Practices
- Enable DNSSEC.
- Remove unused DNS records.
- Use proxied records where possible.
- Monitor DNS changes.
10. Cache Configuration
- Enable Browser Cache.
- Cache static content.
- Use Smart Tiered Cache.
- Optimize image delivery.
11. Monitor Security Events
- Review WAF events daily.
- Monitor blocked requests.
- Track bot activity.
- Investigate unusual traffic patterns.
12. Recommended Security Settings
| Setting |
Recommendation |
| SSL Mode |
Full (Strict) |
| TLS Version |
1.2 or Higher |
| WAF |
Enabled |
| Bot Fight Mode |
Enabled |
| DNSSEC |
Enabled |
| HSTS |
Enabled |
| Always HTTPS |
Enabled |
Cloudflare + Nginx Proxy Manager
- Proxy DNS through Cloudflare.
- Use Let's Encrypt certificates.
- Configure CSP headers.
- Enable HSTS.
- Monitor access logs.
- Protect the NPM admin interface.
Conclusion
A properly configured Cloudflare deployment provides multiple layers of protection including DDoS mitigation, WAF protection, bot management, SSL enforcement, and performance optimization. Combined with a hardened origin server, Cloudflare forms a powerful security perimeter for modern web applications.
Author: Nageshwar Rao
Network Security Engineer | Cyber Security Consultant