Cloudflare Security Documentation

Edge security hardening for Cloudflare zones. Standard configurations, validation commands, and hardening patterns for WAF, DNS, TLS, and Zero Trust.

Hardening Order

Harden a zone in this sequence. Each step builds on the previous.

1
DNS + DNSSEC Zone migration, record cleanup, DNSSEC activation
2
SSL/TLS Full (Strict), origin certs, HSTS, min TLS 1.2
3
WAF Managed rules, OWASP CRS, custom rules
4
Access Identity-aware app protection, IdP integration

Guides

Standard hardening patterns for each Cloudflare capability. Start with the checklist, then go deep per topic.

Hardening Checklist

Zone-level security checklist. Validate your configuration against baseline expectations.

View guide →

WAF Configuration

Managed rulesets, OWASP CRS tuning, custom rules, and exception management.

View guide →

DNS and DNSSEC

Zone setup, record hygiene, DNSSEC activation, and subdomain audit.

View guide →

SSL/TLS and Origin Protection

Full (Strict) mode, origin certificates, HSTS, and Authenticated Origin Pulls.

View guide →

Cloudflare Access

Identity-aware application access, IdP integration, and policy configuration.

View guide →

Edge Security Flow

How Cloudflare processes a request through the security stack:

DNS
Resolution DNSSEC Validation
TLS
Edge Termination Certificate Check
WAF
Managed Rules Custom Rules Rate Limits
Origin
Authenticated Pulls Full (Strict)