Secure your application
Learning path
Learn more about the tools Cloudflare offers to protect your website against malicious traffic and bad actors.
This learning path contains 8 modules and should take you around 6 hours and 45 minutes.
Step 1 - Concepts
~30 mins
Learn the fundamentals of website security.
Feel free to skip if you have a technical background.
Step 2 - Before you begin
~30 mins
Before you can secure your site, make sure you have already added that site to Cloudflare.
Step 3 - Account security
~15 mins
Make sure your Cloudflare account is protected from takeover or compromise.
Step 4 - General security — Minimal setup
~60 mins
Take a few simple steps to make sure your application is protected from a broad array of threats.
Contains 5 units
- Customize SSL/TLS protection
- Set up your Web Application Firewall (WAF): For customers on a Pro plan or above, Cloudflare offers several managed rulesets as part of the Web Application Firewall (WAF).
- Proxy your DNS records: As long as your traffic is proxied by Cloudflare, Cloudflare automatically protects your application from DDoS attacks.
- Enable DNSSEC
- Enable the Cloudflare Security Center: Our Security Center scans your application to identify potential security risks and provide recommended next steps.
Step 5 - Customize Web Application Firewall (WAF)
~120 mins
Use a variety of rules to customize the behavior of your application's firewall. This step may require detailed analysis of your application traffic.
Contains 6 units
- Exceptions: Skip the execution of WAF managed rulesets or some of their rules.
- Custom Rules: Block, challenge, or skip security features for specific requests based on several characteristics (user agent, cookies, referrer, and more).
- Rate Limiting Rules: Define rate limits for requests matching an expression and the action to perform when those rate limits are reached.
- IP Access Rules: Block, challenge, or allow requests based on IP address, IP range, country, or ASN.
- User Agent Blocking Rules: Block or challenge specific requests based on the associated user agent value.
- Zone Lockdown rules: For customers on a Pro plan or higher, specify a list of IP addresses, CIDR ranges, or networks that are allowed to access a particular domain, subdomain, or URL.
Step 6 - Customize other security settings
~120 mins
Update various settings to further refine how your application processes incoming traffic. This step may require detailed analysis of your application traffic.
Contains 9 units
- Enable bot protection: There are some nuances to how bot protection works, so you may want to review our plans pages before enabling.
- Customize DDoS protection
- Customize security level: Use the IP reputation of a visitor to determine whether to present a Managed Challenge page.
- Customize challenge passage: Specify the length of time that a visitor can access your website after completing a security challenge.
- Enable Privacy Pass: Reduce the number of challenges presented to visitors using the Privacy Pass browser extension.
- Browser Integrity Check: Browser Integrity Check evaluates incoming HTTP headers based on known threats, such as requests with a missing or non-standard user agent, and presents a challenge page if needed.
- Create Forwarding URLs: Prevent access to specific URLs, request schemes, file types, subdomains, or directories by redirecting users to a safe location.
- Token Authentication: Restrict access to documents, files, and media.
- I'm Under Attack Mode: I'm Under Attack Mode performs additional security checks to help mitigate Layer 7 DDoS attacks. This feature should be used as a last resort when your application is under attack.
Step 7 - Explore dedicated security products
~30 mins
Cloudflare offers several dedicated products to increase the security of your website and underlying infrastructure.
Contains 5 units
- Page Shield: Monitor third-party scripts on your application and receive notifications when they have been compromised or are exhibiting malicious behavior.
- API Shield: Protect your API from malicious traffic by enforcing schema validation, detecting abuse patterns, and more.
- Magic Firewall: Use Cloudflare’s firewall-as-a-service (FWaaS) to protect office networks and cloud infrastructure with advanced, scalable protection.
- Magic Transit: Delivers network functions at Cloudflare scale (DDoS protection, traffic acceleration, and much more from every Cloudflare data center) for on-premise, cloud-hosted, and hybrid networks.
- Magic WAN: Securely connect any traffic source (data centers, offices, devices, cloud properties) to Cloudflare’s network and configure routing policies to get the bits where they need to go, all within one SaaS solution.