---
title: Use cases
description: Find which Cloudflare solutions solve your use case, from building new web apps to protecting and accelerating your existing apps and systems.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

> Documentation Index  
> Fetch the complete documentation index at: https://developers.cloudflare.com/use-cases/llms.txt  
> Use this file to discover all available pages before exploring further.


# Use cases

Select a category below to find the Cloudflare solutions, features, and architecture patterns that apply to your use case.

## Build something new

Deploy applications, APIs, and platforms on Cloudflare from the ground up.

[Web sites or web apps](https://developers.cloudflare.com/use-cases/web-apps/) 

Build, deploy and secure full-stack applications globally with serverless compute and storage.

[AI applications](https://developers.cloudflare.com/use-cases/ai/) 

Build and deploy AI-powered applications with inference, vector databases, and model gateways.

[SaaS platforms](https://developers.cloudflare.com/use-cases/saas/) 

Build multi-tenant platforms with custom domains, isolated compute, and per-customer configuration.

[APIs and microservices](https://developers.cloudflare.com/use-cases/apis/) 

Build, secure, and manage APIs with rate limiting, authentication, and observability.

## Secure and accelerate your applications

Add Cloudflare to an existing application or infrastructure.

[Protect your application](https://developers.cloudflare.com/use-cases/application-security/) 

Block attacks with application security, DDoS protection, and SSL/TLS encryption.

[Accelerate content delivery](https://developers.cloudflare.com/use-cases/performance/) 

Speed up your applications with global caching, image optimization, and smart routing.

[Implement company-wide security](https://developers.cloudflare.com/use-cases/company-security/) 

Protect employees, devices, and data with Zero Trust access, secure web gateway, and email security.

[Deliver images or stream videos](https://developers.cloudflare.com/use-cases/media-streaming/) 

Deliver video, images, and rich media at scale with encoding, optimization, and global distribution.

[Improve e-commerce security and performance](https://developers.cloudflare.com/use-cases/e-commerce/) 

Secure and accelerate online storefronts with caching, bot protection, and global delivery.

---

## More resources

[Reference architectures](https://developers.cloudflare.com/reference-architecture/) 

Detailed diagrams and design patterns for enterprise deployments.

[Learning paths](https://developers.cloudflare.com/learning-paths/) 

Structured, module-based guidance for specific workflows.

[Tutorials](https://developers.cloudflare.com/tutorials/) 

Step-by-step guides to help you build with Cloudflare solutions.


---

---
title: Solution guides
description: Cross-product guides that walk you through configuring Cloudflare products together to achieve a specific goal.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Solution guides

Each guide starts from your goal, identifies which Cloudflare products you need, and walks through setting them up. For more information about solution guides, refer to [Solution guide](https://developers.cloudflare.com/style-guide/documentation-content-strategy/content-types/solution-guide/).

* [ Discover and secure your API endpoints (Free, Pro, and Business) ](https://developers.cloudflare.com/use-cases/solutions/discover-secure-api-endpoints/)
* [ Enforce HTTPS and encrypt all traffic (Free, Pro, and Business) ](https://developers.cloudflare.com/use-cases/solutions/encrypt-all-keep-site-secure/)
* [ Protect your forms from spam and abuse (Free, Pro, and Business) ](https://developers.cloudflare.com/use-cases/solutions/protect-sensitive-forms-fraud-abuse/)
* [ Stop account takeover attacks (Free, Pro, and Business) ](https://developers.cloudflare.com/use-cases/solutions/stop-account-takeover-attacks/)
* [ Stop malicious bots while allowing legitimate traffic (Free, Pro, and Business) ](https://developers.cloudflare.com/use-cases/solutions/stop-malicious-bots/)


---

---
title: Discover and secure your API endpoints (Free, Pro, and Business)
description: Block API abuse, restrict unauthorized access, and monitor endpoint traffic using layered Cloudflare security features.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Discover and secure your API endpoints (Free, Pro, and Business)

Once your API is in production and receiving traffic, you need to decide which endpoints to protect first, what restrictions to apply, and how to monitor for abuse without blocking legitimate clients. This guide walks through that process in five stages: inventory your endpoints, enforce encrypted connections, restrict access to expected traffic patterns, block automated abuse, and monitor the results.

The core workflow uses [Cloudflare Application Security](https://developers.cloudflare.com/waf/) (also known as Web Application Firewall or WAF) features, [SSL/TLS](https://developers.cloudflare.com/ssl/) settings, and [bot detection](https://developers.cloudflare.com/bots/), all available on Free, Pro, and Business plans. Enterprise callouts cover [API Shield](https://developers.cloudflare.com/api-shield/) capabilities for teams that need schema validation, JSON Web Token (JWT) validation, and sequence analysis.

Note

Most procedures in this guide are configured per domain or [zone](https://developers.cloudflare.com/fundamentals/concepts/accounts-and-zones/#zones). Select your domain in the Cloudflare dashboard before starting. 

## Know what you are exposing

Before configuring any security rules, build an inventory of your API endpoints. Without a complete list, you cannot target protections at the right paths or detect when an unknown endpoint starts receiving traffic.

### Audit your API surface manually

1. Review your application's routing configuration and list every endpoint with its HTTP method and expected parameters.  
AI-assisted endpoint discovery  
Consider using an AI agent to analyze the API routes exposed in your codebase and then generate an OpenAPI schema from the findings.
2. Categorize each endpoint by access level (public, authenticated, internal). Prioritize endpoints that accept file uploads, process payments, or return sensitive data.  
| Access level      | Description                       | Example endpoints          |  
| ----------------- | --------------------------------- | -------------------------- |  
| **Public**        | No authentication required        | /api/status, /api/products |  
| **Authenticated** | Require a token or session        | /api/account, /api/orders  |  
| **Internal**      | Should not be publicly accessible | /api/admin, /api/debug     |
3. Record the inventory in a spreadsheet or OpenAPI schema file for reference when writing rule expressions in later sections. If you already have an OpenAPI specification, you can use it directly with API Shield's schema validation (covered in the Enterprise callout below).

API Shield Endpoint Discovery (Enterprise)

API Shield can automatically discover API endpoints by analyzing your traffic patterns, surfacing endpoints you may not know are being called. This includes abandoned or undocumented endpoints (also known as shadow APIs) that may be unpatched and unmonitored. For more information, refer to [API Discovery](https://developers.cloudflare.com/api-shield/security/api-discovery/).

## Enforce HTTPS for all API traffic

API requests carry credentials, tokens, and response data that attackers can intercept over unencrypted connections. Some API clients silently downgrade to HTTP if the server accepts it, sending sensitive data in plaintext. Enforcing HTTPS at the edge prevents this.

### Set your SSL/TLS encryption mode

Set your encryption mode to **Full (Strict)** to encrypt traffic between visitors and Cloudflare and between Cloudflare and your origin server. This mode requires a valid certificate on your origin.

1. In the Cloudflare dashboard, go to the SSL/TLS **Overview** page.  
[ Go to **Overview** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls)
2. For **SSL/TLS encryption**, select **Full (Strict)**.

For more information on encryption modes and their requirements, refer to [SSL/TLS encryption modes](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/).

### Turn on Always Use HTTPS

[Always Use HTTPS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/always-use-https/) redirects all HTTP requests to HTTPS for every subdomain and host in your application. This prevents clients from accidentally sending API requests over unencrypted connections.

Note

If only some parts of your application support HTTPS, do not turn on Always Use HTTPS. Use a [single redirect](https://developers.cloudflare.com/rules/url-forwarding/single-redirects/) to redirect specific API paths instead. Refer to [Redirect admin area requests to HTTPS](https://developers.cloudflare.com/rules/url-forwarding/examples/redirect-admin-https/) for an example.

1. In the Cloudflare dashboard, go to the SSL/TLS **Overview** page.  
[ Go to **Overview** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls)
2. Verify that your [SSL/TLS encryption mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/off/) is not set to **Off**. The Always Use HTTPS option is not visible when encryption is off.
3. Go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
4. Turn on **Always Use HTTPS**.

### Set minimum TLS version to 1.2

APIs carry sensitive information such as credentials and tokens, so choose the minimum TLS version with that in mind.

TLS 1.0 and 1.1 have known vulnerabilities. Setting the minimum to TLS 1.2 rejects connections from clients using older protocols.

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. For **Minimum TLS Version**, select **TLS 1.2**.

For more information, refer to [Minimum TLS Version](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/minimum-tls/).

### Disable Automatic HTTPS Rewrites for API-only domains

[Automatic HTTPS Rewrites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/automatic-https-rewrites/) changes HTTP links to HTTPS within HTML responses. For API endpoints that return JSON or other non-HTML content, this rewriting is unnecessary and can cause unexpected behavior if API clients follow rewritten URLs. If your domain serves only API traffic, turn off this setting.

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. Turn off **Automatic HTTPS Rewrites**.

Note

If your domain serves both a website and an API, keep Automatic HTTPS Rewrites on for the website. The rewriting only applies to HTML responses, so JSON API responses are not affected.

## Restrict access to your API endpoints

Legitimate API clients send predictable request patterns: specific HTTP methods, expected headers like `Content-Type: application/json`, and requests to documented paths. Application Security [custom rules](https://developers.cloudflare.com/waf/custom-rules/) let you block traffic that deviates from these patterns. [Rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/) cap request volume per client to prevent abuse.

### Block requests missing expected headers

API clients typically include a `Content-Type` header and may include an `Authorization` header or a custom API key header. Requests to your API paths that lack these headers are not from your expected clients.

The following custom security rule blocks requests to `/api/` paths that are missing a `Content-Type` header. Adjust the path and header checks to match your API.

New dashboard:

1. In the Cloudflare dashboard, go to **Security** \> **Security rules**.  
[ Go to **Security rules** ](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. Select **Create rule** \> **Custom rules**.
3. Define the rule name. For example, `Block API requests missing Content-Type`.
4. In the expression editor, enter:  
```  
(starts_with(http.request.uri.path, "/api/") and not len(http.request.headers["content-type"][0]) > 0)  
```
5. For **Choose action**, select **Block**.
6. Select **Deploy**.

Old dashboard:

1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
2. Go to **Security** \> **WAF** \> **Custom rules**.
3. Select **Create rule**.
4. Define the rule name. For example, `Block API requests missing Content-Type`.
5. In the expression editor, enter:  
```  
(starts_with(http.request.uri.path, "/api/") and not len(http.request.headers["content-type"][0]) > 0)  
```
6. For **Choose action**, select **Block**.
7. Select **Deploy**.
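
A dry run of the rule above against sample traffic, as an added example that is not part of Cloudflare's documentation: the Python function models the expression (it is not the Rules language engine), and the requests, client names, and the `methods` scoping option are constructed for illustration. It surfaces a common false positive: body-less `GET` requests often carry no `Content-Type` header.

```python
# Added example: model of the "missing Content-Type" rule, replayed over
# constructed sample requests. Clients and paths are hypothetical.
SAMPLE_REQUESTS = [
    {"client": "web app", "method": "POST", "path": "/api/orders",
     "headers": {"Content-Type": "application/json"}},
    {"client": "web app", "method": "GET", "path": "/api/products",
     "headers": {"Accept": "application/json"}},
    {"client": "uptime check", "method": "GET", "path": "/api/status",
     "headers": {}},
    {"client": "unknown client", "method": "POST", "path": "/api/account",
     "headers": {"Content-Type": ""}},
    {"client": "browser", "method": "GET", "path": "/index.html",
     "headers": {}},
]

# Methods that normally carry a request body (assumption used for scoping).
BODY_METHODS = {"POST", "PUT", "PATCH"}


def content_type_rule_blocks(request, prefix="/api/", methods=None):
    """Model of:
        starts_with(http.request.uri.path, "/api/")
        and not len(http.request.headers["content-type"][0]) > 0
    When `methods` is given, the rule is additionally scoped to those methods
    (an assumed variant that adds a condition on http.request.method).
    """
    if methods is not None and request["method"] not in methods:
        return False
    # Header names are compared in lowercase, as in the expression.
    headers = {name.lower(): value for name, value in request["headers"].items()}
    value = headers.get("content-type")  # None models a missing header
    has_value = value is not None and len(value) > 0
    return request["path"].startswith(prefix) and not has_value


def dry_run(requests, **rule_options):
    """Return (client, method, path) for every request the rule would block."""
    return [
        (r["client"], r["method"], r["path"])
        for r in requests
        if content_type_rule_blocks(r, **rule_options)
    ]


def likely_false_positives(requests, **rule_options):
    """Blocked requests whose method normally has no body to describe."""
    return [hit for hit in dry_run(requests, **rule_options)
            if hit[1] not in BODY_METHODS]


if __name__ == "__main__":
    print("Rule as written blocks:")
    for hit in dry_run(SAMPLE_REQUESTS):
        print("  ", hit)
    print("Likely false positives (body-less methods):")
    for hit in likely_false_positives(SAMPLE_REQUESTS):
        print("  ", hit)
    print("Scoped to POST/PUT/PATCH blocks:")
    for hit in dry_run(SAMPLE_REQUESTS, methods=BODY_METHODS):
        print("  ", hit)
```
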

### Restrict HTTP methods per endpoint

If your `/api/users` endpoint only accepts `GET` and `POST` requests, block all other HTTP methods on that path. This prevents attackers from probing with `PUT`, `DELETE`, or `PATCH` requests against endpoints that do not support them.

New dashboard:

1. In the Cloudflare dashboard, go to **Security** \> **Security rules**.  
[ Go to **Security rules** ](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. Select **Create rule** \> **Custom rules**.
3. Define the rule name. For example, `Block unexpected methods on /api/users`.
4. In the expression editor, enter:  
```  
(http.request.uri.path eq "/api/users" and http.request.method ne "GET" and http.request.method ne "POST")  
```  
Adjust the path and allowed methods to match your endpoint.
5. For **Choose action**, select **Block**.
6. Select **Deploy**.

Old dashboard:

1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
2. Go to **Security** \> **WAF** \> **Custom rules**.
3. Select **Create rule**.
4. Define the rule name. For example, `Block unexpected methods on /api/users`.
5. In the expression editor, enter:  
```  
(http.request.uri.path eq "/api/users" and http.request.method ne "GET" and http.request.method ne "POST")  
```  
Adjust the path and allowed methods to match your endpoint.
6. For **Choose action**, select **Block**.
7. Select **Deploy**.

Repeat this pattern for each endpoint with restricted methods. You can combine multiple paths into a single rule using [or operators](https://developers.cloudflare.com/ruleset-engine/rules-language/operators/#logical-operators) if they share the same allowed methods.
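
One way to generate these expressions from an endpoint inventory, as an added example (not Cloudflare's own tooling): the inventory paths are hypothetical, and paths that share the same allowed methods are merged with `or` into one rule. The output uses only the fields and operators shown in the expression above.

```python
from collections import defaultdict

# Added example. Constructed inventory (hypothetical endpoints):
# path -> set of HTTP methods the endpoint is supposed to accept.
INVENTORY = {
    "/api/users": {"GET", "POST"},
    "/api/orders": {"GET", "POST"},
    "/api/status": {"GET"},
    "/api/products": {"GET"},
    "/api/account": {"GET", "PUT", "DELETE"},
}

KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"}


def quote(value):
    """Return value as a double-quoted literal.

    Values containing quotes, backslashes or control characters are refused
    rather than escaped, so a malformed inventory entry cannot change the
    structure of the generated expression.
    """
    if '"' in value or "\\" in value or any(ord(ch) < 0x20 for ch in value):
        raise ValueError(f"unsafe character in {value!r}")
    return f'"{value}"'


def build_method_rules(inventory):
    """Build one block rule per distinct set of allowed methods."""
    groups = defaultdict(list)
    for path, methods in inventory.items():
        methods = frozenset(m.upper() for m in methods)
        if not path.startswith("/"):
            raise ValueError(f"path must start with '/': {path!r}")
        if not methods or methods - KNOWN_METHODS:
            raise ValueError(f"unexpected method set for {path}: {sorted(methods)}")
        groups[methods].append(path)

    rules = []
    # Sort by path list so the output order is stable between runs.
    for methods, paths in sorted(groups.items(), key=lambda item: sorted(item[1])):
        paths = sorted(paths)
        path_expr = " or ".join(
            f"http.request.uri.path eq {quote(p)}" for p in paths
        )
        if len(paths) > 1:
            # "and" binds tighter than "or", so the path group needs parentheses.
            path_expr = f"({path_expr})"
        method_expr = " and ".join(
            f"http.request.method ne {quote(m)}" for m in sorted(methods)
        )
        rules.append({
            "name": f"Block unexpected methods on {', '.join(paths)}",
            "expression": f"({path_expr} and {method_expr})",
            "action": "block",
        })
    return rules


if __name__ == "__main__":
    for rule in build_method_rules(INVENTORY):
        print(rule["name"])
        print("   ", rule["expression"])
```

Paste each generated expression into the expression editor and select **Block** as the action, as in the procedure above.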

Tip

Instead of manually creating rules for each endpoint, consider creating a single [fallthrough custom rule](https://developers.cloudflare.com/api-shield/security/schema-validation/#add-validation-by-adding-a-fallthrough-rule). You need to:

1. Add your API endpoints to Endpoint Management [from a schema](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/#add-endpoints-from-schema-validation) or [manually](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/#add-endpoints-manually).
2. Create a fallthrough rule that blocks requests that do not match a saved endpoint in [Endpoint Management](https://developers.cloudflare.com/api-shield/management-and-monitoring/endpoint-management/).

### Rate limit API endpoints

API endpoints receive more targeted abuse than web pages because attackers can call them at machine speed without rendering a browser. Rate limiting caps the number of requests a single client can send within a time window.

Create separate rate limiting rules for authenticated and unauthenticated endpoints. Unauthenticated endpoints (login, registration, password reset) need tighter limits because they are primary targets for [credential stuffing](https://developers.cloudflare.com/waf/detections/leaked-credentials/) and brute force attacks.

The following example limits requests to `/api/auth/login` to 10 per minute per IP address. Adjust the path, request threshold, and period for your endpoints.

New dashboard:

1. In the Cloudflare dashboard, go to the **Security rules** page.  
[ Go to **Security rules** ](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. Select **Create rule** \> **Rate limiting rules**.
3. Enter a descriptive name. For example, `Rate limit login endpoint`.
4. In the **Field** drop-down, select **URI Path**. Set **Operator** to **equals** and **Value** to `/api/auth/login`.
5. Under **With the same characteristics**, add **IP**.
6. Under **When rate exceeds**, set **Requests** to `10` and **Period** to **1 minute**.
7. Under **Then take action**, select **Block**.
8. Set the **Duration** (mitigation timeout) to **1 minute**.
9. Select **Deploy**.

Old dashboard:

1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/), and select your account and zone.
2. Go to **Security** \> **WAF** \> **Rate limiting rules**.
3. Select **Create rule**.
4. Enter a descriptive name. For example, `Rate limit login endpoint`.
5. In the **Field** drop-down, select **URI Path**. Set **Operator** to **equals** and **Value** to `/api/auth/login`.
6. Under **With the same characteristics**, add **IP**.
7. Under **When rate exceeds**, set **Requests** to `10` and **Period** to **1 minute**.
8. Under **Then take action**, select **Block**.
9. Set the **Duration** (mitigation timeout) to **1 minute**.
10. Select **Deploy**.

For more information on rate limiting parameters and counting characteristics, refer to [Rate limiting parameters](https://developers.cloudflare.com/waf/rate-limiting-rules/parameters/).

Note

Rate limiting rules may allow a small number of excess requests before enforcement starts, due to counter propagation delays across data centers. For more information, refer to [Request rate calculation](https://developers.cloudflare.com/waf/rate-limiting-rules/request-rate/).

For an API-specific example using an API key as a counting characteristic, refer to [Rate limiting rule examples](https://developers.cloudflare.com/waf/rate-limiting-rules/use-cases/#example-2).

Schema Validation and JWT Validation (Enterprise)

API Shield can validate incoming requests against your OpenAPI schema, blocking requests with unexpected parameters, methods, or content types before they reach your origin. Upload your schema or let Cloudflare learn it from your traffic. For more information, refer to [Schema validation](https://developers.cloudflare.com/api-shield/security/schema-validation/).

API Shield can also validate JSON Web Tokens (JWTs) at the edge, rejecting expired, tampered, or invalid tokens before requests reach your origin. This requires adding your JWT issuer's public keys and creating a validation rule. For more information, refer to [JSON Web Tokens validation](https://developers.cloudflare.com/api-shield/security/jwt-validation/).

## Protect against automated API abuse

Bots call API endpoints at machine speed without browser overhead. Common automated attacks against APIs include credential stuffing against authentication endpoints, data scraping through listing endpoints, and inventory manipulation through cart or checkout endpoints.

### Turn on Bot Fight Mode (Free)

Note

If you are on a Cloudflare Pro or Business plan, go to the [next section](#create-exception-rules-for-legitimate-bot-clients-pro-business). You will configure Super Bot Fight Mode later.

Bot Fight Mode challenges requests that match known bot patterns. It applies to your entire domain and is available on all plans at no additional cost.

New dashboard:

1. In the Cloudflare dashboard, go to the **Security Settings** page.  
[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. Filter by **Bot traffic**.
3. Go to **Bot fight mode**.
4. Turn **Bot fight mode** on.

Old dashboard:

1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain.
2. Go to **Security** \> **Bots**.
3. For **Bot Fight Mode**, select **On**.

Bot Fight Mode may interfere with legitimate automated traffic to your API, such as monitoring tools, CI/CD pipelines, or partner integrations. If you have legitimate bot clients, create an exception rule before turning on Bot Fight Mode (see the next section).

For more information on Bot Fight Mode behavior and limitations, refer to [Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/bot-fight-mode/).

### Create exception rules for legitimate bot clients (Pro, Business)

If your API receives traffic from known automated clients (monitoring services, partner APIs, CI/CD systems), create a [custom security rule with the _Skip_ action](https://developers.cloudflare.com/waf/custom-rules/skip/) to exclude them from bot protections. Create the exception rule before turning on Super Bot Fight Mode in the next section.

New dashboard:

1. In the Cloudflare dashboard, go to **Security** \> **Security rules**.  
[ Go to **Security rules** ](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. Select **Create rule** \> **Custom rules**.
3. Define the rule name. For example, `Skip bot protections for monitoring service`.
4. Build an expression that matches your known bot traffic. For example, to skip protections for requests from a specific IP range with a known User-Agent:  
```  
(ip.src in {203.0.113.0/24} and http.user_agent contains "MonitoringBot")  
```  
Replace the IP range and User-Agent with values that match your legitimate bot clients.
5. For **Choose action**, select _Skip_ and then select **All Super Bot Fight Mode rules**.
6. Select **Deploy**.

Old dashboard:

1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com), and select your account and domain.
2. Go to **Security** \> **WAF** \> **Custom rules**.
3. Select **Create rule**.
4. Define the rule name. For example, `Skip bot protections for monitoring service`.
5. Build an expression that matches your known bot traffic. For example, to skip protections for requests from a specific IP range with a known User-Agent:  
```  
(ip.src in {203.0.113.0/24} and http.user_agent contains "MonitoringBot")  
```  
Replace the IP range and User-Agent with values that match your legitimate bot clients.
6. For **Choose action**, select _Skip_ and then select **All Super Bot Fight Mode rules**.
7. Select **Deploy**.

Note

Place exception rules above (before) enforcement rules in your rule list. Cloudflare evaluates custom rules in order, and the first matching rule with a terminating action stops evaluation. For more information, refer to [Rule execution order](https://developers.cloudflare.com/waf/concepts/#rule-execution-order).

### Configure Super Bot Fight Mode (Pro, Business)

[Super Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/) provides granular controls that apply across your domain, allowing you to apply different actions to different bot types.

Note

If you are upgrading from Bot Fight Mode to Super Bot Fight Mode, you must disable Bot Fight Mode in your Bot settings.

* Old dashboard: **Security** \> **Bots**, and select **Configure Bot Fight Mode**.
* New dashboard: **Security** \> **Settings**. Filter by **Bot traffic** and turn **Bot fight mode** off.

To configure Super Bot Fight Mode:

New dashboard:

1. In the Cloudflare dashboard, go to the **Security Settings** page.  
[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. Filter by **Bot traffic**.
3. Go to **Super Bot fight mode**.
4. Turn **Super Bot fight mode** on.
5. Choose how your domain should respond to various types of traffic by selecting the associated edit icon:  
   * For more details on verified bots, refer to [Verified Bots](https://developers.cloudflare.com/bots/concepts/bot/verified-bots/).  
   * For more details on supported file types, refer to [Static resource protection](https://developers.cloudflare.com/bots/additional-configurations/static-resources/).  
   * For more details on invisible code injection, refer to [JavaScript detections](https://developers.cloudflare.com/bots/additional-configurations/javascript-detections/).  
   * For more details on WordPress optimization, refer to [Super Bot Fight Mode for WordPress](https://developers.cloudflare.com/bots/troubleshooting/wordpress-loopback-issue/).

Old dashboard:

1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login), and select your account and domain.
2. Go to **Security** \> **Bots**.
3. Select **Configure Super Bot Fight Mode**.
4. Choose how your domain should respond to various types of traffic:  
   * For more details on verified bots, refer to [Verified Bots](https://developers.cloudflare.com/bots/concepts/bot/verified-bots/).  
   * For more details on supported file types, refer to [Static resource protection](https://developers.cloudflare.com/bots/additional-configurations/static-resources/).  
   * For more details on invisible code injection, refer to [JavaScript detections](https://developers.cloudflare.com/bots/additional-configurations/javascript-detections/).  
   * For more details on WordPress optimization, refer to [Super Bot Fight Mode for WordPress](https://developers.cloudflare.com/bots/troubleshooting/wordpress-loopback-issue/).

With Super Bot Fight Mode, you can configure different actions for different bot types:

* Block or allow verified bots
* Configure a separate action (allow, block, or challenge) for **Definitely automated traffic** ([bot score](https://developers.cloudflare.com/bots/concepts/bot-score/) of 1)
* On Business plans and above: Configure a separate action for **Likely automated traffic** (bot score of 2-29)

Super Bot Fight Mode applies domain-wide and does not support path-specific rules. If you need to apply different bot thresholds to different API paths, you need a [Bot Management](https://developers.cloudflare.com/bots/get-started/bot-management/) subscription (Enterprise).

Bot score in custom rules (Enterprise)

With a Bot Management subscription, you can write custom rules using `cf.bot_management.score` to set path-specific thresholds. For example, block requests with a bot score below 30 on `/api/auth` paths while allowing all scores on other API paths. For more information, refer to [Bot Management](https://developers.cloudflare.com/bots/get-started/bot-management/).

### Detect leaked credentials on login endpoints

Application Security [leaked credentials detection](https://developers.cloudflare.com/waf/detections/leaked-credentials/) checks incoming requests for username and password combinations that appeared in known data breaches. Use this detection to rate limit or challenge requests containing compromised credentials on your authentication endpoints.

Note

Access to the `cf.waf.credential_check.username_and_password_leaked` field (User and Password Leaked) requires a Pro plan or above. If you are on a Free plan, use the `cf.waf.credential_check.password_leaked` field (Password Leaked) instead, which indicates whether the password detected in the request was previously leaked.

The following rate limiting rule limits requests that contain a previously leaked username and password combination to 5 per minute per IP:

| Setting                  | Value                                                    |
| ------------------------ | -------------------------------------------------------- |
| Expression               | cf.waf.credential\_check.username\_and\_password\_leaked |
| Counting characteristics | IP                                                       |
| Requests per period      | 5 requests / 1 minute                                    |
| Action                   | Block                                                    |

For the full expression including account takeover (ATO) detection IDs, refer to [Example mitigation rules](https://developers.cloudflare.com/waf/detections/leaked-credentials/examples/).

Sequence Analytics and sequence mitigation custom rules (Enterprise)

API Shield tracks the order of API endpoint requests over time, grouping important user journeys (sequences) across your API. Sequences with high precedence scores indicate requests that are likely to occur together in order. Anomalous sequences may indicate automated abuse, such as a bot that calls `/auth`, then `/account`, then `/transfer` in rapid succession. For more information, refer to [Sequence Analytics](https://developers.cloudflare.com/api-shield/security/sequence-analytics/).

Enterprise users with a Fraud Detection subscription can also create [sequence mitigation custom rules](https://developers.cloudflare.com/api-shield/security/sequence-mitigation/custom-rules/) to mitigate invalid sequences of API calls.

## Monitor your API traffic

After deploying your security rules, review the results to identify false positives and tune your thresholds. False positives (legitimate clients being blocked) and false negatives (abuse getting through) both require adjustments.

### Review Security Events for API paths

[Security Events](https://developers.cloudflare.com/waf/analytics/security-events/) shows every request that your rules matched, including the action taken and the rule that triggered it. Filter by your API path prefix to see what Cloudflare is blocking and why.

New dashboard:

1. In the Cloudflare dashboard, go to the **Analytics** page.  
[ Go to **Analytics** ](https://dash.cloudflare.com/?to=/:account/:zone/security/analytics)
2. Select the **Events** tab.
3. Add a filter for **URI Path** starts with `/api/`.
4. Review the events. Look for legitimate clients that are being blocked (false positives). Common indicators of false positives:  
   * Requests from known partner IP addresses  
   * Requests with valid API keys or authorization headers  
   * Requests from monitoring services with known User-Agent strings

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account and zone.
2. Go to **Security** \> **Events**.
3. Add a filter for **URI Path** starts with `/api/`.
4. Review the events. Look for legitimate clients that are being blocked (false positives). Common indicators of false positives:  
   * Requests from known partner IP addresses  
   * Requests with valid API keys or authorization headers  
   * Requests from monitoring services with known User-Agent strings

If you find false positives, update your custom rules to exclude the affected traffic. Refer to the [exception rule procedure](#create-exception-rules-for-legitimate-bot-clients-pro-business) in an earlier section.
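The review in step 4 can also be run over exported events. The following is an added example, not Cloudflare's code: it checks blocked `/api/` events against two of the indicators listed above (partner IP ranges and monitoring User-Agent strings) and groups the suspected false positives by rule. The event field names, rule IDs, CIDR ranges and User-Agent strings are constructed for illustration and are not a Cloudflare export schema; only IPv4 ranges are handled.

```javascript
// Constructed sample of exported events (hypothetical field names).
const SAMPLE_EVENTS = [
  { clientIP: "198.51.100.23", userAgent: "partner-sync/2.1", path: "/api/orders", action: "block", ruleId: "rate-limit-api" },
  { clientIP: "203.0.113.77", userAgent: "python-requests/2.31", path: "/api/login", action: "block", ruleId: "rate-limit-api" },
  { clientIP: "203.0.113.9", userAgent: "UptimeProbe/1.4", path: "/api/health", action: "block", ruleId: "block-bots" },
  { clientIP: "198.51.100.23", userAgent: "partner-sync/2.1", path: "/blog/post", action: "block", ruleId: "block-bots" },
  { clientIP: "203.0.113.77", userAgent: "python-requests/2.31", path: "/api/login", action: "managed_challenge", ruleId: "rate-limit-api" },
];

// Convert a dotted-quad IPv4 address to an integer, or null if malformed.
function ipv4ToInt(ip) {
  const parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

// True when the IPv4 address falls inside the CIDR range.
function inCidr(ip, cidr) {
  const [net, bitsStr] = String(cidr).split("/");
  const bits = Number(bitsStr);
  const ipInt = ipv4ToInt(ip);
  const netInt = ipv4ToInt(net);
  if (ipInt === null || netInt === null) return false;
  if (!Number.isInteger(bits) || bits < 0 || bits > 32) return false;
  const size = 2 ** (32 - bits);
  return Math.floor(ipInt / size) === Math.floor(netInt / size);
}

// Group blocked events under pathPrefix by rule and list the ones that
// match a false-positive indicator, with the reason for each match.
function triageBlockedEvents(events, { partnerCidrs, monitorAgents, pathPrefix = "/api/" }) {
  const byRule = new Map();
  for (const ev of events) {
    if (ev.action !== "block" || !ev.path.startsWith(pathPrefix)) continue;
    const reasons = [];
    if (partnerCidrs.some((c) => inCidr(ev.clientIP, c))) reasons.push("partner-ip");
    if (monitorAgents.some((a) => ev.userAgent.includes(a))) reasons.push("monitoring-user-agent");
    if (!byRule.has(ev.ruleId)) byRule.set(ev.ruleId, { blocked: 0, suspected: [] });
    const entry = byRule.get(ev.ruleId);
    entry.blocked += 1;
    if (reasons.length > 0) {
      entry.suspected.push({ clientIP: ev.clientIP, path: ev.path, reasons });
    }
  }
  return byRule;
}
```

A User-Agent string can be set by any client, so treat a User-Agent match as a prompt to investigate and scope the resulting exception by IP address where possible.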

### Tune rate limiting thresholds

Rate limiting thresholds that are too tight block legitimate clients. Thresholds that are too loose allow abuse. Review rate limiting events in [Security Events](https://developers.cloudflare.com/waf/analytics/security-events/) to find the right balance.

**New dashboard**

1. In the Cloudflare dashboard, go to the **Analytics** page.  
[ Go to **Analytics** ](https://dash.cloudflare.com/?to=/:account/:zone/security/analytics)
2. Select the **Events** tab.
3. Filter by **Action** equals **Block** and **Service** equals **Rate limiting**.
4. Check whether blocked requests come from legitimate clients or abusive traffic.
5. If legitimate clients are being rate limited, edit the relevant rate limiting rule to increase the request threshold or widen the time period for the affected rule.
6. If abusive traffic is getting through, lower the rule threshold or narrow the time period.

**Old dashboard**

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account and zone.
2. Go to **Security** \> **Events**.
3. Filter by **Action** equals **Block** and **Service** equals **Rate limiting**.
4. Check whether blocked requests come from legitimate clients or abusive traffic.
5. If legitimate clients are being rate limited, edit the relevant rate limiting rule to increase the request threshold or widen the time period for the affected rule.
6. If abusive traffic is getting through, lower the rule threshold or narrow the time period.

Security Analytics rate analysis requires an Enterprise plan

Enterprise customers can use the **Request rate analysis** tab in [Security Analytics](https://developers.cloudflare.com/waf/analytics/security-analytics/) to visualize request rate distributions and the **Log** action to observe rule matches without taking action. On other plans, estimate thresholds based on your expected traffic patterns. Refer to [Find an appropriate rate limit](https://developers.cloudflare.com/waf/rate-limiting-rules/find-rate-limit/) for the full methodology.

### Set up notifications for security event spikes

Cloudflare Notifications can alert you when security event volume exceeds a threshold, indicating a potential attack or a misconfigured rule.

1. In the Cloudflare dashboard, go to the **Notifications** page.  
[ Go to **Notifications** ](https://dash.cloudflare.com/?to=/:account/notifications)
2. Select **Add**.
3. Filter by **WAF** and select **Security Events Alert**.
4. Define a name for the notification and the delivery method (email, webhook, or PagerDuty).
5. Next, configure the domains for which you want to receive notifications. You can also filter events by a targeted action (for example, **Block** or **Skip**).
6. Select **Create**.

For the full list of available notification types, refer to [Available notifications](https://developers.cloudflare.com/notifications/notification-available/).

Advanced security events notifications (Enterprise)

Enterprise customers have access to the [Advanced Security Events Alert](https://developers.cloudflare.com/waf/reference/alerts/) notification type, which includes an additional filter for the app security services the alert should monitor.

## Related resources

**Application Security**

* [Custom rules](https://developers.cloudflare.com/waf/custom-rules/) — Create rules based on request attributes to block, challenge, or skip specific security features for targeted traffic
* [Rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/) — Define request rate thresholds per client and choose enforcement actions
* [Rate limiting best practices](https://developers.cloudflare.com/waf/rate-limiting-rules/best-practices/) — Common rate limiting patterns for credential stuffing, API protection, and GraphQL
* [Rate limiting rule examples](https://developers.cloudflare.com/waf/rate-limiting-rules/use-cases/) — Example rules with expressions for login pages, API keys, and complexity-based limiting
* [Security features interoperability](https://developers.cloudflare.com/waf/feature-interoperability/) — How custom rules, rate limiting rules, Super Bot Fight Mode, and Managed Rules interact
* [Leaked credentials detection](https://developers.cloudflare.com/waf/detections/leaked-credentials/) — Detect requests containing credentials from known data breaches
* [Security Events](https://developers.cloudflare.com/waf/analytics/security-events/) — Review matched requests and rule actions

**Bots**

* [Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/bot-fight-mode/) — Automatic challenge for requests matching known bot patterns (Free plan)
* [Super Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/) — Granular bot controls including verified bot allowlisting (Pro, Business, Enterprise)
* [Bot Management](https://developers.cloudflare.com/bots/get-started/bot-management/) — Bot score, detection IDs, and custom rule templates (Enterprise)
* [Bot Management variables](https://developers.cloudflare.com/bots/reference/bot-management-variables/) — Fields available in rule expressions for bot detection (Enterprise)

**SSL/TLS**

* [Get started with SSL/TLS](https://developers.cloudflare.com/ssl/get-started/) — Edge certificates, encryption modes, and HTTPS enforcement
* [Always Use HTTPS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/always-use-https/) — Redirect all HTTP requests to HTTPS
* [Minimum TLS Version](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/minimum-tls/) — Reject connections using older TLS protocols

**API Shield (Enterprise)**

* [API Shield overview](https://developers.cloudflare.com/api-shield/) — Discovery, schema validation, JWT validation, and sequence analytics for API security
* [Get started with API Shield](https://developers.cloudflare.com/api-shield/get-started/) — Onboarding flow from session identifiers through schema validation
* [API Discovery](https://developers.cloudflare.com/api-shield/security/api-discovery/) — Automatic endpoint discovery from traffic analysis
* [Schema validation](https://developers.cloudflare.com/api-shield/security/schema-validation/) — Validate incoming requests against your OpenAPI schema
* [JWT validation](https://developers.cloudflare.com/api-shield/security/jwt-validation/) — Verify JSON Web Tokens at the edge
* [Sequence Analytics](https://developers.cloudflare.com/api-shield/security/sequence-analytics/) — Track and analyze API request sequences
* [Volumetric Abuse Detection](https://developers.cloudflare.com/api-shield/security/volumetric-abuse-detection/) — Per-session, per-endpoint adaptive rate limiting
* [Authentication Posture](https://developers.cloudflare.com/api-shield/security/authentication-posture/) — Identify authentication misconfigurations in your APIs and get alerted to their presence
* [BOLA vulnerability detection](https://developers.cloudflare.com/api-shield/security/bola-vulnerability-detection/) — Detect endpoints at risk of Broken Object Level Authorization (BOLA) attacks
* [Vulnerability Scanner](https://developers.cloudflare.com/api-shield/security/vulnerability-scanner/) — Test your API endpoints for common vulnerabilities


---

---
title: Enforce HTTPS and encrypt all traffic (Free, Pro, and Business)
description: Configure SSL/TLS encryption from edge to origin, redirect HTTP to HTTPS, and harden your HTTPS setup with HSTS and minimum TLS versions.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Enforce HTTPS and encrypt all traffic (Free, Pro, and Business)

HTTPS on Cloudflare involves two separate connections: visitor to Cloudflare, and Cloudflare to your origin server. Both must be encrypted for end-to-end security. This guide walks through five stages:

1. Configure your SSL/TLS encryption mode.
2. Redirect all HTTP requests to HTTPS.
3. Harden your HTTPS setup with minimum TLS versions and HSTS.
4. Monitor third-party scripts on your pages.
5. Verify your configuration.

The core workflow is available on Free, Pro, and Business plans.

Note

Most procedures in this guide are configured per domain or [zone](https://developers.cloudflare.com/fundamentals/concepts/accounts-and-zones/#zones). Select your domain in the Cloudflare dashboard before starting. Client-Side Security is the exception: it is configured at the account level.

## Configure your SSL/TLS encryption mode

Your SSL/TLS encryption mode controls how Cloudflare connects to your origin server. For end-to-end encryption, use **Full (strict)** — it encrypts both connections and verifies your origin certificate. For a detailed comparison of all available modes, refer to [Encryption modes](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/).

### Check your current mode

1. In the Cloudflare dashboard, go to the **SSL/TLS Overview** page.  
[ Go to **Overview** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls)
2. Check the current encryption mode displayed on the page.  
   * If the mode is already **Full (strict)**, skip to [Redirect all HTTP requests to HTTPS](#redirect-all-http-requests-to-https).  
   * If the mode is not **Full (strict)**, continue below to install an origin certificate (if needed) and change the mode.

### Install a Cloudflare Origin CA certificate

If your origin server does not have a valid SSL certificate, install a free Cloudflare Origin CA certificate. Origin CA certificates are valid for up to 15 years and are trusted by Cloudflare, which means you can set your encryption mode to Full (strict) after installing one.

If your origin already has a valid certificate from a publicly trusted certificate authority, skip to [Set your encryption mode to Full (strict)](#set-your-encryption-mode-to-full-strict).

#### 1\. Create an Origin CA certificate

1. Go to the **Origin Server** page.  
[ Go to **Origin Server** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/origin)
2. On the **Origin Certificates** tab, select **Create Certificate**.
3. Choose either:  
   * **Generate private key and CSR with Cloudflare**: Private key type can be RSA or ECC.  
   * **Use my private key and CSR**: Paste your Certificate Signing Request (CSR) into the text field.
4. List the hostnames (including wildcards) the certificate should protect with SSL encryption. The zone apex and first level wildcard hostname are included by default.
5. Choose a **Certificate Validity** period.
6. Select **Create**.
7. Choose the **Key Format**:  
   * Servers using OpenSSL (such as Apache and NGINX) generally expect PEM files (Base64-encoded ASCII), but also work with binary DER files.  
   * Servers using Windows and Apache Tomcat require PKCS#7 (a `.p7b` file).
8. Copy the signed **Origin Certificate** and **Private Key** into separate files. For security reasons, you cannot see the **Private Key** after you exit this screen.
9. Select **OK**.

Note

For details about working with certificates programmatically, refer to [API calls](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/#api-calls).

#### 2\. Install the certificate on your origin server

1. Upload the Origin CA certificate to your origin web server.
2. Update your web server configuration to use the certificate. For server-specific installation instructions, refer to [Origin CA certificates](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/).
3. (Required for some servers) Upload the [Cloudflare CA root certificate](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/#cloudflare-origin-ca-root-certificate) to your origin server.
4. Enable SSL and port `443` at your origin web server.

Note

If you do not see your server listed, search the [DigiCert documentation ↗](https://www.digicert.com/search-results) or contact your hosting provider.

### Set your encryption mode to Full (strict)

After installing a valid certificate on your origin server, set the encryption mode to **Full (strict)** by following the steps below.

To change your encryption mode in the dashboard:

1. In the Cloudflare dashboard, go to the **SSL/TLS Overview** page.  
[ Go to **Overview** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls)
2. Choose an encryption mode.

To adjust your encryption mode with the API, send a [PATCH](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) request with `ssl` as the setting name in the URI path, and the `value` parameter set to your desired setting (`off`, `flexible`, `full`, `strict`, or `origin_pull`).

Warning

If your site shows a [526 error](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/error-526/) after changing the encryption mode, your origin certificate may not meet the requirements for Full (strict). The certificate must be unexpired, issued by a trusted CA or Cloudflare Origin CA, and contain a Common Name (CN) or Subject Alternative Name (SAN) that matches your hostname. For redirect loop issues, refer to [ERR\_TOO\_MANY\_REDIRECTS](https://developers.cloudflare.com/ssl/troubleshooting/too-many-redirects/).

## Redirect all HTTP requests to HTTPS

Even with an active edge certificate, visitors can still access resources over unsecured HTTP connections. Two settings work together to fix this:

1. Always Use HTTPS redirects HTTP requests to HTTPS.
2. Automatic HTTPS Rewrites fixes mixed content references in your page HTML.

### Turn on Always Use HTTPS

Always Use HTTPS redirects all HTTP requests to HTTPS before they reach your origin.

Note

If only some parts of your application can support HTTPS traffic, do not turn on Always Use HTTPS. Use a [single redirect](https://developers.cloudflare.com/rules/url-forwarding/single-redirects/) to selectively redirect specific paths to HTTPS instead. Refer to [Redirect admin area requests to HTTPS](https://developers.cloudflare.com/rules/url-forwarding/examples/redirect-admin-https/) for an example.

**Dashboard**

1. In the Cloudflare dashboard, go to the **SSL/TLS Overview** page.  
[ Go to **Overview** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls)
2. Make sure that your [SSL/TLS encryption mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/) is not set to **Off**. When the encryption mode is Off, the Always Use HTTPS option is not visible in the dashboard.
3. Go to the [**Edge Certificates** ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page.
4. Turn on **Always Use HTTPS**.

**API**

1. Make sure that your [SSL/TLS encryption mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/) is not set to **Off**.
2. Send a [PATCH](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) request with `always_use_https` as the setting name in the URI path, and the `value` parameter set to `"on"`.

### Turn on Automatic HTTPS Rewrites

Automatic HTTPS Rewrites prevents mixed content errors by rewriting HTTP resource URLs in your page HTML to HTTPS. This is useful for sites where you do not control all asset URLs, such as CMS-hosted content or embedded third-party resources.

**Dashboard**

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. For **Automatic HTTPS Rewrites**, switch the toggle to **On**.

**API**

Send a [PATCH](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) request with `automatic_https_rewrites` as the setting name in the URI path, and the `value` parameter set to `"on"`.

Note

Automatic HTTPS Rewrites does not rewrite all HTTP URLs. Some passive content (such as images) may not be rewritten, which can still cause mixed content warnings. For details on how rewrites work and troubleshooting, refer to [Automatic HTTPS Rewrites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/automatic-https-rewrites/) and [Mixed content errors](https://developers.cloudflare.com/ssl/troubleshooting/mixed-content-errors/).

## Harden your HTTPS configuration

After your encryption mode is set and HTTP traffic is redirected, strengthen your configuration by setting a minimum TLS version, turning on HTTP Strict Transport Security (HSTS), and turning on TLS 1.3.

### Set your minimum TLS version

TLS 1.0 and 1.1 have known vulnerabilities and are no longer considered secure. Setting the minimum TLS version to 1.2 blocks connections from clients using older protocols. For guidance on which version to choose, refer to [TLS protocols](https://developers.cloudflare.com/ssl/reference/protocols/).

**Dashboard**

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. For **Minimum TLS Version**, select **TLS 1.2**.

**API**

Send a [PATCH](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) request with `min_tls_version` as the setting name in the URI path, and the `value` parameter set to `"1.2"`.

Per-hostname minimum TLS version requires Advanced Certificate Manager

To set minimum TLS versions for individual hostnames instead of the entire zone, refer to [Per-hostname setup](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/minimum-tls/#per-hostname). This requires an [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) subscription.

### Turn on TLS 1.3

TLS 1.3 provides faster handshakes and improved security over TLS 1.2.

**Dashboard**

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. For **TLS 1.3**, switch the toggle to **On**.

**API**

Send a [PATCH](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) request with `tls_1_3` as the setting name in the URI path, and the `value` parameter set to `"on"`. To also turn on 0-RTT (Zero Round Trip Time Resumption), set the value to `"zrt"`.

### Turn on HSTS

HTTP Strict Transport Security (HSTS) adds a response header that tells browsers to connect to your site over HTTPS only, even if a link or redirect tries to send them over HTTP. HSTS protects against protocol downgrade attacks.

Warning

Only turn on HSTS after your HTTPS configuration is fully working and tested. If you remove HTTPS before disabling HSTS or before waiting for the duration of the original **Max Age Header**, your website becomes inaccessible to visitors for the Max Age Header duration or until you re-enable HTTPS. Refer to [HTTP Strict Transport Security (HSTS)](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/http-strict-transport-security/) before configuring.

Before turning on HSTS, confirm these prerequisites:

* HTTPS is enabled and working on your domain.
* Your DNS records are set to [Proxied](https://developers.cloudflare.com/dns/proxy-status/).
* You are not redirecting HTTPS to HTTP anywhere.

**Dashboard**

1. In the Cloudflare dashboard, go to the **Edge Certificates** page.  
[ Go to **Edge Certificates** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates)
2. For **HTTP Strict Transport Security (HSTS)**, select **Enable HSTS**.
3. Read the dialog and select **I understand**.
4. Select **Next**.
5. Configure the HSTS settings:  
   * **Max Age Header**: Choose a duration (start with 6 months, increase to 12 months after confirming stability).  
   * **Apply HSTS policy to subdomains (includeSubDomains)**: Turn on if all your subdomains support HTTPS. Subdomains without HTTPS become inaccessible when this is enabled.  
   * **Preload**: Turn on only after setting Max Age Header to 12 months. Preload inclusion prevents downgrade attacks on the first visit. Submit your domain at [hstspreload.org ↗](https://hstspreload.org) after turning on preload.  
   * **No-Sniff Header**: Sends the `X-Content-Type-Options: nosniff` header. Turn on to prevent browsers from MIME-type sniffing.
6. Select **Save**.

**API**

Send a [PATCH](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) request with `security_header` as the setting name in the URI path, and specify the `value` object that includes your HSTS settings.
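The API steps in this guide (encryption mode, Always Use HTTPS, Automatic HTTPS Rewrites, minimum TLS version, TLS 1.3 and HSTS) can be scripted as one ordered plan that keeps HSTS last and refuses preload below a 12-month max age. The following is an added example, not Cloudflare's code. Assumptions: the function names, the `/client/v4/zones/<zone_id>/settings/<setting>` endpoint form with a bearer API token, the `strict_transport_security` field names inside the `security_header` value, and 180 and 365 days as the lengths of 6 and 12 months.

```javascript
const API_BASE = "https://api.cloudflare.com/client/v4"; // assumed API base URL
const SIX_MONTHS = 180 * 24 * 60 * 60;    // 15552000 s, assumed length of "6 months"
const TWELVE_MONTHS = 365 * 24 * 60 * 60; // 31536000 s, assumed length of "12 months"

// Build the `value` object for the security_header setting (field names assumed).
function buildHstsValue({ maxAge = SIX_MONTHS, includeSubdomains = false, preload = false, nosniff = true } = {}) {
  if (!Number.isInteger(maxAge) || maxAge <= 0) {
    throw new RangeError("maxAge must be a positive whole number of seconds");
  }
  // The guide says to turn on Preload only after Max Age Header is 12 months.
  if (preload && maxAge < TWELVE_MONTHS) {
    throw new RangeError("preload requires a max age of at least 12 months");
  }
  return {
    strict_transport_security: {
      enabled: true,
      max_age: maxAge,
      include_subdomains: includeSubdomains,
      preload,
      nosniff,
    },
  };
}

// Return the ordered PATCH requests for one zone. HSTS is added only when
// `hsts` is passed, so the HTTPS settings can be applied and tested first.
function buildHardeningPlan(zoneId, hsts) {
  // Assumption: zone IDs are 32 lowercase hexadecimal characters.
  if (!/^[0-9a-f]{32}$/.test(zoneId)) {
    throw new TypeError("zoneId must be 32 hexadecimal characters");
  }
  const settings = [
    ["ssl", "strict"],
    ["always_use_https", "on"],
    ["automatic_https_rewrites", "on"],
    ["min_tls_version", "1.2"],
    ["tls_1_3", "on"],
  ];
  if (hsts) settings.push(["security_header", buildHstsValue(hsts)]);
  return settings.map(([setting, value]) => ({
    setting,
    method: "PATCH",
    url: `${API_BASE}/zones/${zoneId}/settings/${setting}`,
    body: JSON.stringify({ value }),
  }));
}

// Send the plan in order and stop at the first failure, so a rejected
// encryption-mode change never leads to HSTS being turned on.
async function applyPlan(plan, apiToken, fetchImpl = fetch) {
  for (const step of plan) {
    const res = await fetchImpl(step.url, {
      method: step.method,
      headers: {
        Authorization: `Bearer ${apiToken}`,
        "Content-Type": "application/json",
      },
      body: step.body,
    });
    const json = await res.json();
    if (!json.success) {
      throw new Error(`Setting ${step.setting} was not applied: ${JSON.stringify(json.errors)}`);
    }
  }
  return plan.length;
}
```

Run `buildHardeningPlan(zoneId)` first, confirm the site works over HTTPS, and only then apply a second plan that includes the `hsts` argument.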

### Review your cipher suites

Cloudflare's default cipher suites provide strong encryption for most sites. You do not need to change them unless a security audit or compliance requirement specifies particular cipher configurations.

For details on the default cipher suites and how to customize them, refer to [Cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/). For compliance-specific cipher configurations, refer to [Customize cipher suites via API](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/api/).

Custom cipher suites require Advanced Certificate Manager

Customizing cipher suites requires an [Advanced Certificate Manager](https://developers.cloudflare.com/ssl/edge-certificates/advanced-certificate-manager/) subscription. The default cipher suites are applied automatically on all plans.

## Monitor third-party scripts with client-side security

HTTPS encrypts data in transit, but third-party scripts loaded by your pages can still exfiltrate data from the browser. Client-side security monitors these scripts and alerts you to unexpected additions.

### Turn on script monitoring

1. In the Cloudflare dashboard, go to the Security **Settings** page.  
[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. (Optional) Filter by **Client-side abuse**.
3. Turn on **Continuous script monitoring**.

### Review detected resources

After turning on monitoring, it may take some time for Cloudflare to generate a list of detected scripts on your domain.

1. In the Cloudflare dashboard, go to the **Web assets** page.  
[ Go to **Web assets** ](https://dash.cloudflare.com/?to=/:account/:zone/security/web-assets)
2. Select the **Client-side resources** tab.
3. Review the list of detected scripts. Check for unknown or unexpected scripts from domains you do not recognize.

Depending on your Cloudflare plan, you may also be able to review connections made by scripts and check them for malicious activity. For setup details, refer to [Get started with client-side security](https://developers.cloudflare.com/client-side-security/get-started/).

Content security rules require Client-Side Security Advanced

To block scripts not on your approved list, you can create content security rules that define an allowlist. This requires the Client-Side Security Advanced add-on. Refer to [Content security rules](https://developers.cloudflare.com/client-side-security/rules/) for setup instructions.

## Verify your configuration

After completing the previous stages, verify that your HTTPS configuration works as expected.

### Use Automatic SSL/TLS

Cloudflare's Automatic SSL/TLS analyzes your origin server and selects the most secure encryption mode your origin supports. If your zone uses Automatic SSL/TLS (the default for new zones), Cloudflare adjusts the mode automatically and will not downgrade to a less secure mode if your origin certificate expires.

To check whether your zone uses Automatic SSL/TLS:

1. In the Cloudflare dashboard, go to the **SSL/TLS Overview** page.  
[ Go to **Overview** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls)
2. Check whether **Automatic SSL/TLS** or **Custom SSL/TLS** is selected. If Custom is selected and you want Cloudflare to manage the mode automatically, select **Automatic SSL/TLS**.

Note

The SSL/TLS Recommender is deprecated in favor of Automatic SSL/TLS. If you previously used the Recommender, Automatic SSL/TLS replaces it. Refer to [SSL/TLS Recommender](https://developers.cloudflare.com/ssl/origin-configuration/ssl-tls-recommender/) for migration details.

### Test with external tools

Use [SSL Labs Server Test ↗](https://www.ssllabs.com/ssltest/) to verify your HTTPS configuration from outside the Cloudflare network. Enter your domain and review the report. An A or A+ grade indicates that your TLS configuration, certificate chain, and protocol support meet current security standards.

To test supported TLS versions, attempt a request to your website or application while specifying a TLS version.

For example, to test TLS 1.1, use the `curl` command below. Replace `www.example.com` with your Cloudflare domain and hostname.

```sh
curl https://www.example.com -svo /dev/null --tls-max 1.1
```

If the TLS version you are testing is blocked by Cloudflare, the TLS handshake is not completed and returns an error:

`* error:1400442E:SSL routines:CONNECT_CR_SRVR_HELLO:tlsv1 alert`

Note

A local VPN or a device security client may prevent insecure connections that use legacy protocols such as TLS 1.0. Disable any such VPN or security client before running the test on your device.

PCI DSS compliance

For PCI DSS compliance, TLS 1.2 is the minimum required version. Refer to [PCI compliance and vulnerabilities mitigation](https://developers.cloudflare.com/ssl/reference/compliance-and-vulnerabilities/) for details.

## Related resources

**SSL/TLS**

* [Get started with SSL/TLS](https://developers.cloudflare.com/ssl/get-started/) — onboarding guide for edge certificates, encryption modes, and HTTPS enforcement
* [Encryption modes](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/) — detailed explanation of Off, Flexible, Full, and Full (strict) modes
* [Cloudflare Origin CA](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/) — create free origin certificates trusted by Cloudflare
* [Mixed content errors](https://developers.cloudflare.com/ssl/troubleshooting/mixed-content-errors/) — troubleshoot HTTP resources loaded on HTTPS pages
* [ERR\_TOO\_MANY\_REDIRECTS](https://developers.cloudflare.com/ssl/troubleshooting/too-many-redirects/) — fix redirect loops caused by encryption mode misconfigurations

**Client-side security**

* [Get started with client-side security](https://developers.cloudflare.com/client-side-security/get-started/) — activate monitoring, review scripts, configure alerts, and create rules
* [Client-side security and PCI DSS compliance](https://developers.cloudflare.com/client-side-security/reference/pci-dss/) — how client-side security maps to PCI DSS v4 requirements


---

---
title: Protect your forms from spam and abuse (Free, Pro, and Business)
description: Block spam submissions, fake account creation, and card testing on your web forms using a layered defense.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Protect your forms from spam and abuse (Free, Pro, and Business)

Contact, registration, and checkout forms are common targets for automated abuse. This guide covers form protection: verifying that visitors are human, limiting repeated submissions, and blocking known attack patterns. The core workflow uses features available on all plans. Pro and Business plan features are included as callouts.

Note

Most procedures in this guide are configured per domain or [zone](https://developers.cloudflare.com/fundamentals/concepts/accounts-and-zones/#zones). Select your domain in the Cloudflare dashboard before starting. Turnstile is the exception: widgets are configured at the account level.

## Add Turnstile to your forms

Turnstile verifies that visitors are human without visible challenges. This guide uses Managed mode, which automatically chooses between a non-interactive challenge and a checkbox challenge based on visitor risk level. For other widget modes, refer to [Widget types](https://developers.cloudflare.com/turnstile/concepts/widget/).

Adding Turnstile involves three steps: create a widget in the dashboard, add the client-side snippet to your form page, and validate the token on your server before processing the submission.

### Create a Turnstile widget

1. In the Cloudflare dashboard, go to the **Turnstile** page.  
[ Go to **Turnstile** ](https://dash.cloudflare.com/?to=/:account/turnstile)
2. Select **Add widget**.
3. Fill out the required information:  
   * **Widget name**: A descriptive name for your widget.  
   * **Hostname management**: Domains where the widget will be used.  
   * **Widget mode**: Choose from Managed, Non-Interactive, or Invisible.
4. (Optional) Configure **Pre-clearance support** for single-page applications.
5. Select **Create** to save your widget.
6. Copy your sitekey and secret key, and store the secret key securely.

You will use the sitekey in the client-side snippet and the secret key for server-side validation.

### Add the client-side snippet

Add the Turnstile script and widget `div` element to each form you want to protect. Replace `<YOUR-SITE-KEY>` with the sitekey from the previous step.

```html
<form id="contact-form" action="/submit" method="POST">
  <input type="text" name="name" placeholder="Name" required />
  <input type="email" name="email" placeholder="Email" required />
  <textarea name="message" placeholder="Message" required></textarea>
  <div class="cf-turnstile" data-sitekey="<YOUR-SITE-KEY>"></div>
  <button type="submit">Submit</button>
</form>

<script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
```

The widget renders in the form and generates a token when the visitor passes verification. The token is included in the form submission as the `cf-turnstile-response` field.

### Validate the token on your server

Server-side validation is required. The client-side widget alone does not protect your forms because attackers can submit directly to your form endpoint. Tokens can only be validated once.

Call the Siteverify API before processing any form submission:

server.js

```js
const SECRET_KEY = "<YOUR-SECRET-KEY>";

// Sends the token to the Siteverify API and returns the parsed JSON result.
async function validateTurnstile(token, remoteip) {
  try {
    const response = await fetch(
      "https://challenges.cloudflare.com/turnstile/v0/siteverify",
      {
        method: "POST",
        headers: { "Content-Type": "application/json" },
        body: JSON.stringify({
          secret: SECRET_KEY,
          response: token,
          remoteip: remoteip,
        }),
      },
    );

    const result = await response.json();
    return result;
  } catch (error) {
    // Fail closed: a network or parsing error is reported as a failed validation.
    console.error("Turnstile validation error:", error);
    return { success: false, "error-codes": ["internal-error"] };
  }
}
```

Replace `"<YOUR-SECRET-KEY>"` with your Turnstile secret key. The endpoint returns a JSON object with a `success` field. Only process the form submission if `success` is `true`.

For validation examples in PHP, Python, Java, and C#, refer to [Validate the token](https://developers.cloudflare.com/turnstile/get-started/server-side-validation/).

## Rate limit form submission endpoints

Some abuse scripts skip the browser entirely and POST directly to your form endpoints. Because client-side verification only runs in a browser, it does not apply to these requests. Application Security [rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/) catch them instead.

### Find your baseline request rate

Before creating a rate limiting rule, check the normal submission rate for your form endpoints. Your rate limit threshold should be above this baseline to avoid blocking legitimate traffic.

1. In the Cloudflare dashboard, go to the **Analytics** page.  
[ Go to **Analytics** ](https://dash.cloudflare.com/?to=/:account/:zone/security/analytics)
2. In the **Traffic** tab, select a time period with non-peak traffic, or with the lowest visitor activity.
3. Use the **Add filter** button to narrow results to your form endpoint traffic.
4. Note the typical request rate per IP address. Your rate limit should be above this baseline.

If you do not have enough traffic data to establish a baseline, start with a conservative threshold and adjust based on Security Events after deployment.

Enterprise: Request rate analysis

The **Request rate analysis** tab in Security Analytics displays request rate distributions for your top unique clients. For details, refer to [Find appropriate rate limit](https://developers.cloudflare.com/waf/rate-limiting-rules/find-rate-limit/).

### Create a rate limiting rule

Create a rule that limits how many times a single IP address can submit to your form endpoint within a given period. Adjust the path, threshold, and period for your site.

1. In the Cloudflare dashboard, go to the **Security rules** page.  
[ Go to **Security rules** ](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. Select **Create rule** and choose **Rate limiting rules**.
3. Enter a name for the rule (for example, "Rate limit contact form submissions").
4. Under **When incoming requests match**, select **Edit expression** and enter: `(http.request.uri.path eq "/contact" and http.request.method eq "POST")`  
Replace "/contact" with your form endpoint path.
5. Under **With the same characteristics**, verify that _IP_ is selected. On Free plans, this is preset to _IP_.
6. Under **When rate exceeds**, enter _5_ for **Requests** and select a value for **Period**. On Free plans, select _10 seconds_. Pro and above plans offer additional periods. For available values by plan, refer to [Rate limiting parameters](https://developers.cloudflare.com/waf/rate-limiting-rules/parameters/).
7. Under **Then take action**, select an action from the **Choose action** dropdown. On Free plans, select _Block_. On Pro and above, _Managed Challenge_ is recommended because it allows legitimate users who trigger the limit to pass by completing a challenge.
8. Under **For duration**, select a duration for the action. On Free plans, select _10 seconds_. Pro and above plans offer longer durations. This is how long the action applies after the rate limit is triggered.
9. Select **Deploy**.

Note

Rate limiting rule parameters (counting characteristics, periods, number of rules) vary by plan. For the full availability matrix, refer to [Rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/#availability).

### Configure a custom response for blocked requests (Pro and above)

Instead of showing the default Cloudflare error page when a rate limit is reached, you can configure a custom response. For details, refer to [Create a rate limiting rule in the dashboard](https://developers.cloudflare.com/waf/rate-limiting-rules/create-zone-dashboard/#configure-a-custom-response-for-blocked-requests).

## Add Application Security rules for known abuse patterns

Rate limiting alone does not catch targeted attack patterns like SQL injection or cross-site scripting (XSS) in form fields. Application Security [custom rules](https://developers.cloudflare.com/waf/custom-rules/) and [managed rulesets](https://developers.cloudflare.com/waf/managed-rules/) let you block these specific patterns targeting your form endpoints. Custom rules run before rate limiting rules and managed rulesets in the [execution order](https://developers.cloudflare.com/waf/feature-interoperability/).

### Challenge non-bot requests to form endpoints

Create a custom rule that challenges POST requests to your form endpoints from sources that are not verified bots.

1. In the Cloudflare dashboard, go to the **Security rules** page.  
[ Go to **Security rules** ](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. Select **Create rule** \> **Custom rules**.
3. Enter a name for the rule (for example, "Challenge spam form submissions").
4. Under **When incoming requests match**, select **Edit expression** and enter:  
```  
(http.request.uri.path eq "/contact" and http.request.method eq "POST" and not cf.client.bot)  
```  
Replace `/contact` with your form endpoint path. The `not cf.client.bot` clause exempts verified bots (such as search engine crawlers) from the rule.
5. Under **Then take action**, select _Managed Challenge_.  
Start with _Managed Challenge_ to observe which requests are flagged before switching to _Block_.
6. Select **Deploy**.

After deploying, review [Security Events](https://developers.cloudflare.com/waf/analytics/security-events/) to check whether the rule is matching legitimate traffic. If legitimate users are being challenged, narrow the expression or switch to a less aggressive action.

Pro plans and above: Managed rulesets

The [Cloudflare Managed Ruleset](https://developers.cloudflare.com/waf/managed-rules/reference/cloudflare-managed-ruleset/) protects against common web attack patterns, including form-based injection attacks (SQL injection, XSS). Verify the ruleset is deployed on the **Security rules** page under **Managed rules**. For plan availability, refer to [Managed Rules](https://developers.cloudflare.com/waf/managed-rules/#availability).

## Turn on bot protection

Bot Fight Mode challenges requests that match known bot patterns across your entire domain. It is available on all plans and requires no configuration beyond turning it on.

**New dashboard**

1. In the Cloudflare dashboard, go to the **Security Settings** page.  
[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. Filter by **Bot traffic**.
3. Go to **Bot fight mode**.
4. Turn **Bot fight mode** on.

**Old dashboard**

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login), and select your account and domain.
2. Go to **Security** \> **Bots**.
3. For **Bot Fight Mode**, select **On**.

Bot Fight Mode protects your entire domain without endpoint restrictions. You cannot create exceptions using custom rules to bypass Bot Fight Mode.

Pro, Business, and Enterprise

[Super Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/) provides more granular controls. You can configure how your domain responds to different categories of bot traffic (definitely automated, likely automated, verified bots) and create exceptions using custom rules with the Skip action. Enterprise customers with [Bot Management](https://developers.cloudflare.com/bots/get-started/bot-management/) can use `cf.bot_management.score` in custom rule expressions for path-specific bot protection.

## Monitor your form endpoints

After deploying Turnstile, rate limiting rules, and Application Security rules, monitor your form endpoints to verify your rules are working and to detect new attack patterns.

### Review Security Events

[Security Events](https://developers.cloudflare.com/waf/analytics/security-events/) shows requests that Cloudflare security products acted on or flagged, including blocks, challenges, and skips. Filter by your form endpoint paths to see what is being blocked and what is getting through. A high volume of blocked or challenged requests to your form paths confirms the rules are active.

1. In the Cloudflare dashboard, go to the **Analytics** page.  
[ Go to **Analytics** ](https://dash.cloudflare.com/?to=/:account/:zone/security/analytics)
2. Select the **Events** tab.
3. Use the **Add filter** button to narrow results to your form endpoint traffic.
4. Review the sampled logs. For each event, check:  
   * **Action taken**: Whether the request was blocked, challenged, or allowed  
   * **Source**: The rule or feature that triggered the action  
   * **IP address**: Whether a single IP is generating many events  
   * **URI path**: Whether requests target your form endpoints specifically

If legitimate users are being challenged, narrow the rule expression or switch to a less aggressive action.

### Set up security event alerts

Configure a notification to receive alerts when there is an unusual spike in security events on your domain.

For alert types, trigger thresholds, and setup instructions, refer to [Alerts for security events](https://developers.cloudflare.com/waf/reference/alerts/).

### Turn on client-side resource monitoring

If a third-party script is injected into your form page, it can exfiltrate submitted data, including payment information. Client-Side Security monitors third-party scripts on your pages for changes and potential supply chain attacks.

To enable monitoring:

1. In the Cloudflare dashboard, go to the **Security Settings** page.  
[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. (Optional) Filter by **Client-side abuse**.
3. Turn on **Continuous script monitoring**.

After enabling, review detected scripts on the **Web assets** page under the **Client-side resources** tab to identify any unexpected scripts on your form pages. For the full setup workflow, refer to [Get started with client-side security](https://developers.cloudflare.com/client-side-security/get-started/).

## Related resources

**Turnstile**

* [Get started with Turnstile](https://developers.cloudflare.com/turnstile/get-started/) — create widgets, add the client snippet, and validate tokens
* [Validate the token](https://developers.cloudflare.com/turnstile/get-started/server-side-validation/) — server-side validation examples in multiple languages
* [Integrate Turnstile, WAF, and Bot Management](https://developers.cloudflare.com/turnstile/tutorials/integrating-turnstile-waf-and-bot-management/) — tutorial combining all three products for login protection

**Application Security**

* [Custom rules](https://developers.cloudflare.com/waf/custom-rules/) — create rules targeting specific request patterns
* [Rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/) — protect endpoints from high-volume abuse
* [Security features interoperability](https://developers.cloudflare.com/waf/feature-interoperability/) — execution order and interaction between security features

**Bots**

* [Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/bot-fight-mode/) — challenge requests matching bot patterns on Free plans
* [Super Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/) — granular bot controls for Pro and above

**Client-Side Security**

* [Get started with client-side security](https://developers.cloudflare.com/client-side-security/get-started/) — enable monitoring and review detected scripts


---

---
title: Stop account takeover attacks (Free, Pro, and Business)
description: Block credential stuffing and brute force attacks on login endpoints using a layered defense.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Stop account takeover attacks (Free, Pro, and Business)

When your site has login pages, you need to decide how to verify that visitors are human, how aggressively to limit failed attempts, and which request patterns to block. This guide covers five stages: enforce HTTPS with [SSL/TLS](https://developers.cloudflare.com/ssl/) transport security, turn on bot protection with [Cloudflare bot solutions](https://developers.cloudflare.com/bots/), add [Turnstile](https://developers.cloudflare.com/turnstile/) to your login form, create Application Security [rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/) and [custom rules](https://developers.cloudflare.com/waf/custom-rules/) for suspicious patterns, and monitor for ongoing attacks. The core workflow covers features available on Free, Pro, and Business plans. Enterprise features such as leaked credentials custom detection locations and Bot Management custom rules are included as callouts.

Note

Most procedures in this guide are configured per domain or [zone](https://developers.cloudflare.com/fundamentals/concepts/accounts-and-zones/#zones). Select your domain in the Cloudflare dashboard before starting. Turnstile is the exception: widgets are configured at the account level.

## Enforce HTTPS to protect credentials in transit

Credentials sent over plain HTTP are visible to anyone on the network path between the visitor and your origin server. Cloudflare [SSL/TLS](https://developers.cloudflare.com/ssl/) provides two settings that enforce HTTPS connections: [Always Use HTTPS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/always-use-https/) and [HTTP Strict Transport Security (HSTS)](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/http-strict-transport-security/). For additional control over which encryption standards your domain accepts, refer to [Cipher suites](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/cipher-suites/).

### Turn on Always Use HTTPS

Always Use HTTPS redirects all visitor requests from `http` to `https` for all subdomains and hosts.


To enable **Always Use HTTPS** in the dashboard:

1. In the Cloudflare dashboard, go to the **SSL/TLS Overview** page.  
[ Go to **Overview** ](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls)
2. Make sure that your [SSL/TLS encryption mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/off/) is not set to **Off**. When you set your encryption mode to **Off**, the **Always Use HTTPS** option will not be visible in your Cloudflare dashboard.
3. Go to the [**Edge Certificates** ↗](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page.
4. Turn on **Always Use HTTPS**.

To enable or disable **Always Use HTTPS** with the API:

1. Make sure that your [SSL/TLS encryption mode](https://developers.cloudflare.com/ssl/origin-configuration/ssl-modes/off/) **is not** set to **Off**.
2. Send a [PATCH](https://developers.cloudflare.com/api/resources/zones/subresources/settings/methods/edit/) request with `always_use_https` as the setting name in the URI path, and the `value` parameter set to your desired setting (`"on"` or `"off"`).

Note

Cloudflare recommends not performing redirects at your origin web server, as this can cause [redirect loop errors](https://developers.cloudflare.com/ssl/troubleshooting/too-many-redirects/).

Optional: HTTP Strict Transport Security (HSTS)

For additional transport hardening, consider enabling HTTP Strict Transport Security (HSTS). HSTS tells browsers to only connect over HTTPS, preventing downgrade attacks on the initial request. HSTS is irreversible for the configured Max Age duration. If you later disable HTTPS, your site becomes inaccessible until the Max Age expires. Review the [HSTS requirements](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/http-strict-transport-security/#requirements) before turning it on.

## Turn on bot protection

Cloudflare provides bot protection on all plans, with features that vary by plan tier. Turning on bot protection before configuring login-specific rules gives you a baseline filter against automated traffic across your entire domain.

### Bot Fight Mode (Free)

Bot Fight Mode challenges requests that match known bot patterns. It applies to all traffic on your domain and cannot be customized with exceptions or path-specific rules.

**New dashboard**

1. In the Cloudflare dashboard, go to the **Security Settings** page.  
[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. Filter by **Bot traffic**.
3. Go to **Bot fight mode**.
4. Turn **Bot fight mode** on.

**Old dashboard**

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login), and select your account and domain.
2. Go to **Security** \> **Bots**.
3. For **Bot Fight Mode**, select **On**.

Note

Bot Fight Mode cannot be skipped by custom rules because it does not run inside the Ruleset Engine. If you need to exempt specific traffic (monitoring tools, partner APIs), upgrade to Super Bot Fight Mode on the Pro plan.

### Super Bot Fight Mode (Pro, Business, and Enterprise)

Super Bot Fight Mode identifies traffic matching patterns of known bots, can challenge or block bots, and offers protection for static resources. You configure a separate action for each bot grouping: **Definitely automated**, **Likely automated**, and **Verified bots**. You can also [configure exceptions](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/#configure-exceptions-to-super-bot-fight-mode) using Application Security [custom rules](https://developers.cloudflare.com/waf/custom-rules/) with the Skip action.

Note

If you are upgrading from Bot Fight Mode to Super Bot Fight Mode, you must disable Bot Fight Mode in your Bot settings.

* Old dashboard: **Security** \> **Bots**, and select **Configure Bot Fight Mode**.
* New dashboard: **Security** \> **Settings**. Filter by **Bot traffic** and turn **Bot fight mode** off.

**New dashboard**

1. In the Cloudflare dashboard, go to the **Security Settings** page.  
[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. Filter by **Bot traffic**.
3. Go to **Super Bot fight mode**.
4. Turn **Super Bot fight mode** on.
5. Choose how your domain should respond to various types of traffic by selecting the associated edit icon:  
   * For more details on verified bots, refer to [Verified Bots](https://developers.cloudflare.com/bots/concepts/bot/verified-bots/).  
   * For more details on supported file types, refer to [Static resource protection](https://developers.cloudflare.com/bots/additional-configurations/static-resources/).  
   * For more details on invisible code injection, refer to [JavaScript detections](https://developers.cloudflare.com/bots/additional-configurations/javascript-detections/).  
   * For more details on WordPress optimization, refer to [Super Bot Fight Mode for WordPress](https://developers.cloudflare.com/bots/troubleshooting/wordpress-loopback-issue/).

**Old dashboard**

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login), and select your account and domain.
2. Go to **Security** \> **Bots**.
3. Select **Configure Super Bot Fight Mode**.
4. Choose how your domain should respond to various types of traffic:  
   * For more details on verified bots, refer to [Verified Bots](https://developers.cloudflare.com/bots/concepts/bot/verified-bots/).  
   * For more details on supported file types, refer to [Static resource protection](https://developers.cloudflare.com/bots/additional-configurations/static-resources/).  
   * For more details on invisible code injection, refer to [JavaScript detections](https://developers.cloudflare.com/bots/additional-configurations/javascript-detections/).  
   * For more details on WordPress optimization, refer to [Super Bot Fight Mode for WordPress](https://developers.cloudflare.com/bots/troubleshooting/wordpress-loopback-issue/).

For login protection, the following are recommended starting values. Adjust based on your traffic patterns.

* **Definitely automated**: _Managed Challenge_. After reviewing Security Events to confirm the setting does not affect legitimate traffic, switch to _Block_.
* **Likely automated**: _Managed Challenge_.
* **Verified bots**: _Allow_.

Warning

If your organization also uses [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/), keep **Definitely Automated** set to **Allow**. Otherwise, tunnels might fail with a `websocket: bad handshake` error.

[Custom rules](https://developers.cloudflare.com/waf/custom-rules/) are executed before Super Bot Fight Mode. To create exceptions for specific paths or traffic, create a custom rule with the [Skip action](https://developers.cloudflare.com/waf/custom-rules/skip/). The Skip action allows the request to bypass the Super Bot Fight Mode phase without terminating the request, enabling it to continue through the rest of the security stack.

## Protect your login form with Turnstile and rate limiting

Two tools protect login endpoints from automated abuse, and they cover different attack vectors:

* **[Turnstile](https://developers.cloudflare.com/turnstile/)** verifies that visitors are human without showing a CAPTCHA. It can be embedded into any website without sending traffic through Cloudflare. Use Turnstile to challenge automated form submissions.
* **Application Security [rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/)** define rate limits for requests matching an expression and the action to perform when those limits are reached. Use rate limiting to protect login endpoints from abuse, such as brute-force attacks.

Both together provide the strongest coverage. Turnstile challenges automated submissions at the form level. Rate limiting catches high-volume attacks that bypass or do not encounter the form, such as direct `POST` requests to the endpoint.

### Add Turnstile to your login form

Implementing Turnstile involves three steps: create a widget, add the client-side snippet to your login form, and validate the token on your server. Turnstile supports multiple [rendering methods](https://developers.cloudflare.com/turnstile/get-started/client-side-rendering/) including explicit and implicit rendering. You can also [inject Turnstile into HTML using a Cloudflare Worker](https://developers.cloudflare.com/workers/examples/turnstile-html-rewriter/) if you do not control the login form source code.

#### 1\. Create a Turnstile widget

Turnstile is configured at the account level.

1. In the Cloudflare dashboard, go to the **Turnstile** page.  
[ Go to **Turnstile** ](https://dash.cloudflare.com/?to=/:account/turnstile)
2. Select **Add widget**.
3. Fill out the required information:  
   * **Widget name**: A descriptive name for your widget.  
   * **Hostname management**: Domains where the widget will be used.  
   * **Widget mode**: Choose from Managed, Non-Interactive, or Invisible.
4. (Optional) Configure **Pre-clearance support** for single-page applications.
5. Select **Create** to save your widget.
6. Copy your sitekey and secret key, and store the secret key securely.

You need both the sitekey and secret key in the following steps.

#### 2\. Add the client-side snippet

Add the Turnstile script and widget container to your login form. Replace `<YOUR-SITE-KEY>` with the sitekey from the previous step.

```html
<form id="login-form">
  <input type="text" id="username" placeholder="Username" required />
  <input type="password" id="password" placeholder="Password" autocomplete="off" required />
  <div class="cf-turnstile" data-sitekey="<YOUR-SITE-KEY>"></div>
  <button type="submit">Log in</button>
</form>

<script
  src="https://challenges.cloudflare.com/turnstile/v0/api.js"
  async
  defer
></script>
```

The widget renders inside the `div` and produces a token when the visitor passes the challenge. When the form is submitted, a `cf-turnstile-response` token is included in the form data.

#### 3\. Validate the token on your server

Before processing the form submission, send the token to the Turnstile siteverify endpoint to confirm the visitor passed the challenge.

server.js

```js
const SECRET_KEY = "<YOUR-SECRET-KEY>";

// Sends the token to the Siteverify API and returns the parsed JSON result.
async function validateTurnstile(token, remoteip) {
  try {
    const response = await fetch(
      "https://challenges.cloudflare.com/turnstile/v0/siteverify",
      {
        method: "POST",
        headers: {
          "Content-Type": "application/json",
        },
        body: JSON.stringify({
          secret: SECRET_KEY,
          response: token,
          remoteip: remoteip,
        }),
      },
    );

    const result = await response.json();
    return result;
  } catch (error) {
    // Fail closed: a network or parsing error is reported as a failed validation.
    console.error("Turnstile validation error:", error);
    return { success: false, "error-codes": ["internal-error"] };
  }
}
```

Replace `"<YOUR-SECRET-KEY>"` with your Turnstile secret key. The endpoint returns a JSON object with a `success` field. Only process the form submission if `success` is `true`.

For additional fraud detection, Turnstile supports [Ephemeral IDs](https://developers.cloudflare.com/turnstile/tutorials/fraud-detection-with-ephemeral-ids/) that provide a unique, temporary identifier for each visitor session without storing personal data.

For the complete response format, error codes, and examples in other languages, refer to [Validate the token](https://developers.cloudflare.com/turnstile/get-started/server-side-validation/).
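The following added example (not Cloudflare's code) wraps the Siteverify call from this guide and the forms guide in a fail-closed gate: the form handler runs only when `success` is `true`, and a replayed token is rejected because tokens can only be validated once. The function names, the 403 response, the `expectedHostname` check, and the offline `makeFakeSiteverify` stub are assumptions of this sketch.

```javascript
const SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";
const MAX_TOKEN_LENGTH = 2048; // Turnstile tokens are at most 2048 characters

// Returns { ok, reason }. Every failure path returns ok: false (fail closed).
// opts.fetchImpl is injectable so the example can run without network access.
async function verifyTurnstile(token, remoteip, opts) {
  const { secret, expectedHostname, fetchImpl = fetch, timeoutMs = 5000 } = opts;

  // Reject obviously bad input before spending a network round trip.
  if (typeof token !== "string" || token.length === 0) {
    return { ok: false, reason: "missing-token" };
  }
  if (token.length > MAX_TOKEN_LENGTH) {
    return { ok: false, reason: "token-too-long" };
  }

  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  let result;
  try {
    const response = await fetchImpl(SITEVERIFY_URL, {
      method: "POST",
      headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ secret, response: token, remoteip }),
      signal: controller.signal,
    });
    if (!response.ok) {
      return { ok: false, reason: "siteverify-http-" + response.status };
    }
    result = await response.json();
  } catch (error) {
    // Timeout, DNS failure, or malformed JSON: never treat as a pass.
    return { ok: false, reason: "siteverify-unreachable" };
  } finally {
    clearTimeout(timer);
  }

  if (result.success !== true) {
    const codes = result["error-codes"] || [];
    return { ok: false, reason: codes.join(",") || "rejected" };
  }
  // Optional hardening: the token must have been issued for this site.
  if (expectedHostname && result.hostname !== expectedHostname) {
    return { ok: false, reason: "hostname-mismatch" };
  }
  return { ok: true, reason: "verified" };
}

// Gate in front of the real handler: processForm never runs without a pass.
async function handleSubmission(fields, remoteip, opts, processForm) {
  const verdict = await verifyTurnstile(fields["cf-turnstile-response"], remoteip, opts);
  if (!verdict.ok) {
    return { status: 403, body: verdict.reason };
  }
  await processForm(fields);
  return { status: 200, body: "ok" };
}

// Constructed stand-in for Siteverify so the example runs offline. It accepts
// one made-up token and, like the real API, rejects a token presented twice.
function makeFakeSiteverify(validToken, hostname) {
  const redeemed = new Set();
  return async (url, init) => {
    const { response } = JSON.parse(init.body);
    let body;
    if (response !== validToken) {
      body = { success: false, "error-codes": ["invalid-input-response"] };
    } else if (redeemed.has(response)) {
      body = { success: false, "error-codes": ["timeout-or-duplicate"] };
    } else {
      redeemed.add(response);
      body = { success: true, hostname, "error-codes": [] };
    }
    return { ok: true, status: 200, json: async () => body };
  };
}

// Runs four constructed submissions through the gate and reports the outcome.
async function demo() {
  const processed = [];
  const opts = {
    secret: "<YOUR-SECRET-KEY>",
    expectedHostname: "example.com",
    fetchImpl: makeFakeSiteverify("constructed-token", "example.com"),
  };
  const submit = (token) =>
    handleSubmission(
      { username: "alice", "cf-turnstile-response": token },
      "203.0.113.5",
      opts,
      async (fields) => processed.push(fields.username),
    );
  const first = await submit("constructed-token");
  const replay = await submit("constructed-token");
  const missing = await submit(undefined);
  const forged = await submit("not-a-token");
  return { first, replay, missing, forged, processedCount: processed.length };
}
```

In production, omit `fetchImpl` so the global `fetch` is used, and log the returned `reason` server-side rather than echoing it to the client.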

#### Test your implementation

Turnstile provides test site keys that return predictable results without contacting the Siteverify API.

* **Always passes**: Use site key `1x00000000000000000000AA` and secret key `1x0000000000000000000000000000000AA` to simulate a successful challenge.
* **Always blocks**: Use site key `2x00000000000000000000AB` and secret key `2x0000000000000000000000000000000AA` to simulate a failed challenge.
* **Forces interactive challenge**: Use site key `3x00000000000000000000FF` to test the interactive challenge flow.

For the full list of test keys and expected behaviors, refer to [Test your Turnstile implementation](https://developers.cloudflare.com/turnstile/troubleshooting/testing/).

### Rate limit your login endpoint

#### Create a rate limiting rule for your login endpoint

The following example creates a rate limiting rule that issues a Managed Challenge after more than five POST requests to your login path from the same IP within one minute. Start with Managed Challenge rather than Block. Managed Challenge allows legitimate users who trigger the limit to pass by completing a challenge, while blocking automated traffic that cannot solve it. After monitoring [Security Events](https://developers.cloudflare.com/waf/analytics/security-events/) to confirm the rule is not producing false positives, switch to Block. Adjust the path (`/login`), threshold, and period for your site.

Warning

Managed Challenge and other [challenge types](https://developers.cloudflare.com/cloudflare-challenges/challenge-types/challenge-pages/) require an HTML response to render. They do not work for non-HTML responses such as AJAX/XHR requests, which are common on login endpoints that use single-page applications (SPAs) or API-based authentication. If your login flow uses AJAX, consider using [Turnstile Pre-Clearance](https://developers.cloudflare.com/turnstile/additional-configuration/pre-clearance-support/) instead.

1. In the Cloudflare dashboard, go to the **Security rules** page.  
[ Go to **Security rules** ](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. Select **Create rule** and choose **Rate limiting rules**.
3. Enter a name for the rule (for example, "Rate limit login endpoint").
4. Under **When incoming requests match**, select **Edit expression** and enter: `http.host eq "example.com" and http.request.uri.path eq "/login" and http.request.method eq "POST"`  
Replace `example.com` with your domain and `/login` with your login endpoint path.
5. Under **With the same characteristics**, verify that _IP_ is selected. On Free plans, this is preset to _IP_.
6. Under **When rate exceeds**, enter _5_ for **Requests** and select a value for **Period**. On Free plans, select _10 seconds_. Pro and above plans offer additional periods. For available values by plan, refer to [Rate limiting parameters](https://developers.cloudflare.com/waf/rate-limiting-rules/parameters/).
7. Under **Then take action**, select an action from the **Choose action** dropdown. On Free plans, select _Block_. On Pro and above, _Managed Challenge_ is recommended because it allows legitimate users who trigger the limit to pass by completing a challenge.
8. Under **For duration**, select a duration for the action. On Free plans, select _10 seconds_. Pro and above plans offer longer durations. This is how long the action applies after the rate limit is triggered.
9. Select **Deploy**.

Note

(Optional) To count only failed login attempts instead of all matching requests, Business plan and above users can add a separate counting expression under **Increment counter when**:

```
http.request.uri.path eq "/login" and http.request.method eq "POST" and http.response.code in {401 403}
```

This counts requests based on the response status code. Successful logins (200) do not increment the counter.
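The following added example (not Cloudflare's code) replays a constructed access log to measure the per-IP peak request rate for an endpoint, as in the baseline step of the forms guide, and to preview which clients a candidate rule would act on when only 401 and 403 responses increment the counter. The log format, function names, and the simplified sliding-window model are assumptions; Cloudflare's own counting may differ.

```javascript
// Constructed sample log (not real traffic):
// "<ISO time> <client IP> <method> <path> <status>"
const SAMPLE_LOG = `
2024-05-01T12:00:00Z 198.51.100.7 POST /login 401
2024-05-01T12:00:20Z 198.51.100.7 POST /login 200
2024-05-01T12:00:30Z 192.0.2.9 GET /login 200
2024-05-01T12:00:31Z 192.0.2.9 GET /login 200
2024-05-01T12:01:00Z 203.0.113.50 POST /login 401
2024-05-01T12:01:01Z 203.0.113.50 POST /login 401
2024-05-01T12:01:02Z 203.0.113.50 POST /login 401
2024-05-01T12:01:03Z 203.0.113.50 POST /login 401
2024-05-01T12:01:04Z 203.0.113.50 POST /login 401
2024-05-01T12:01:05Z 203.0.113.50 POST /login 401
2024-05-01T12:01:06Z 203.0.113.50 POST /login 401
2024-05-01T12:01:07Z 203.0.113.50 POST /login 401
2024-05-01T12:01:30Z 203.0.113.50 POST /login 401
`;

// Parses the log into entries sorted by time (ts is in seconds).
function parseLog(text) {
  return text
    .split("\n")
    .map((line) => line.trim())
    .filter((line) => line.length > 0)
    .map((line) => {
      const [time, ip, method, path, status] = line.split(/\s+/);
      return { ts: Date.parse(time) / 1000, ip, method, path, status: Number(status) };
    })
    .filter((entry) => Number.isFinite(entry.ts))
    .sort((a, b) => a.ts - b.ts);
}

// Mirrors the rule expression: uri.path eq "<path>" and method eq "<method>".
function matchesRule(entry, rule) {
  return entry.path === rule.path && entry.method === rule.method;
}

// Mirrors "Increment counter when": if countStatuses is set, only requests
// answered with one of those status codes are counted.
function incrementsCounter(entry, rule) {
  return !rule.countStatuses || rule.countStatuses.includes(entry.status);
}

// Adds ts to a per-IP window and drops timestamps older than the period.
function slide(window, ts, periodSec) {
  window.push(ts);
  while (window[0] <= ts - periodSec) window.shift();
  return window.length;
}

// Baseline: highest number of counted requests per IP in any one period.
function peakRatePerIp(entries, rule) {
  const windows = new Map();
  const peaks = new Map();
  for (const entry of entries) {
    if (!matchesRule(entry, rule) || !incrementsCounter(entry, rule)) continue;
    if (!windows.has(entry.ip)) windows.set(entry.ip, []);
    const count = slide(windows.get(entry.ip), entry.ts, rule.periodSec);
    peaks.set(entry.ip, Math.max(peaks.get(entry.ip) || 0, count));
  }
  return peaks;
}

// Simplified model: the request that pushes the count over the threshold arms
// the mitigation; later matching requests are actioned until it expires.
function simulateRule(entries, rule) {
  const state = new Map();
  for (const entry of entries) {
    if (!matchesRule(entry, rule)) continue;
    if (!state.has(entry.ip)) {
      state.set(entry.ip, { window: [], mitigatedUntil: -Infinity, actioned: 0 });
    }
    const s = state.get(entry.ip);
    if (entry.ts < s.mitigatedUntil) {
      s.actioned += 1;
      continue;
    }
    if (!incrementsCounter(entry, rule)) continue;
    if (slide(s.window, entry.ts, rule.periodSec) > rule.requests) {
      s.mitigatedUntil = entry.ts + rule.durationSec;
      s.window = [];
    }
  }
  return new Map([...state].map(([ip, s]) => [ip, s.actioned]));
}

// Candidate rule: 5 requests per 10 seconds, action applied for 10 seconds.
const LOGIN_RULE = {
  path: "/login", method: "POST",
  requests: 5, periodSec: 10, durationSec: 10,
  countStatuses: [401, 403],
};
const entries = parseLog(SAMPLE_LOG);
console.log("peak counted requests per IP:", Object.fromEntries(peakRatePerIp(entries, LOGIN_RULE)));
console.log("requests the rule would action:", Object.fromEntries(simulateRule(entries, LOGIN_RULE)));
```

Remove `countStatuses` to model a rule without a counting expression, and rerun with different `requests` values to see how far above the baseline a threshold must sit before legitimate clients stop being actioned.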

Advanced Rate Limiting (Enterprise)

Enterprise customers with Advanced Rate Limiting can rate limit by characteristics beyond IP address, which is useful when attackers distribute attempts across many IP addresses. For available characteristics and plan availability, refer to [Rate limiting parameters](https://developers.cloudflare.com/waf/rate-limiting-rules/parameters/).

#### Escalating rate limits for persistent attackers

For sites that experience sustained credential stuffing campaigns, consider deploying multiple rate limiting rules with increasing severity. The [Rate limiting best practices](https://developers.cloudflare.com/waf/rate-limiting-rules/best-practices/) page describes an escalating penalty pattern that uses three rules: a short-window rule for quick bursts, a medium-window rule for slower distributed attacks, and a long-window rule that blocks persistent attackers from the entire domain. The counting expressions use response status codes, so successful logins do not count against the limit. Refer to the best practices page for the recommended thresholds and expression syntax.

Note

These example rules require a Business plan or above because they use counting expressions that reference HTTP response codes.

## Add Application Security rules for suspicious login patterns

Application Security [custom rules](https://developers.cloudflare.com/waf/custom-rules/) and [traffic detections](https://developers.cloudflare.com/waf/detections/) give you additional signals beyond request rate to identify and act on suspicious login traffic. Detections populate request fields (such as leaked credential status and bot score) that your custom rules can then reference.

### Turn on leaked credentials detection

Leaked credentials detection scans incoming login requests for usernames and passwords that appear in known data breach databases. Cloudflare hashes credentials before comparison and does not store plaintext passwords. When a match is found, the detection populates fields you can use in custom rules and rate limiting rules.

The `cf.waf.credential_check.password_leaked` field is available on all plans.

Note

The `cf.waf.credential_check.username_and_password_leaked` field requires a Pro plan or above.

On Free plans, the leaked credentials detection is enabled by default, and no action is required. On paid plans, you can turn on the detection in the Cloudflare dashboard, via API, or using Terraform.

Instructions follow for the new dashboard, the old dashboard, the API, and Terraform, in that order.

1. In the Cloudflare dashboard, go to the Security **Settings** page.  
[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. (Optional) Filter by **Detection tools**.
3. Turn on **Leaked credential detection**.

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), and select your account and domain.
2. Go to **Security** \> **Settings**.
3. Under **Incoming traffic detections**, turn on **Leaked credentials**.

Use a `POST` request similar to the following:

Required API token permissions

At least one of the following [token permissions](https://developers.cloudflare.com/fundamentals/api/reference/permissions/) is required:
* `Zone WAF Write`
* `Account WAF Write`

Set Leaked Credential Checks Status

```
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/leaked-credential-checks" \
  --request POST \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "enabled": true
  }'
```

Use the `cloudflare_leaked_credential_check` resource to enable leaked credentials detection for a zone. For example:

```
resource "cloudflare_leaked_credential_check" "zone_lcc_example" {
  zone_id = var.cloudflare_zone_id
  enabled = true
}
```

After turning on the detection, your origin server can receive leaked credential status via the `Exposed-Credential-Check` request header. To forward this header, turn on the [Add leaked credentials checks header](https://developers.cloudflare.com/rules/transform/managed-transforms/reference/#add-leaked-credentials-checks-header) managed transform. Your origin can then trigger a password reset for affected users.

Enterprise: Custom detection locations

If your application uses non-standard credential field names, Enterprise customers can configure [custom detection locations](https://developers.cloudflare.com/waf/detections/leaked-credentials/#custom-detection-locations) to tell Cloudflare where to find usernames and passwords in HTTP requests.

### Create a skip rule for legitimate automated traffic

Before deploying rules that challenge or block login traffic, create a skip rule that exempts known legitimate automated traffic. This prevents your monitoring tools, health checks, and partner integrations from being blocked by the rules that follow.

1. In the Cloudflare dashboard, go to the **Security rules** page.  
[ Go to **Security rules** ](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. Select **Create rule** and choose **Custom rules**.
3. Enter a name for the rule (for example, "Skip login rules for known clients").
4. Select **Edit expression** and enter an expression that matches your legitimate automated traffic. For example, to skip verified bots and a specific monitoring service IP:  
```  
(cf.client.bot) or (ip.src eq 198.51.100.1)  
```  
Replace `198.51.100.1` with the IP address of your monitoring service. Add additional conditions for other known clients.
5. Under **Then take action**, select _Skip_. Under **WAF components to skip**, select the components that apply to your login protection rules (for example, **All remaining custom rules** and **All rate limiting rules**).
6. Select **Deploy**.
7. Under **Place at**, place the rule above your blocking and challenge rules. Custom rules execute in order, so the skip rule must come first.

For more information about the Skip action and available skip options, refer to [Skip action](https://developers.cloudflare.com/waf/custom-rules/skip/).

### Block requests with suspicious headers

Credential stuffing tools often send requests without standard browser headers or with known-bad User-Agent patterns. Create a custom rule that issues a Managed Challenge for POST requests to your login path where the User-Agent is empty. This targets direct POST requests from tools like `curl`, `python-requests`, or `undici` that do not set a User-Agent header.

Note

The Application Security Managed Ruleset includes rules for empty user-agents, but these are disabled by default and apply broadly. The custom rule below targets your login path specifically.

1. In the Cloudflare dashboard, go to the **Security rules** page.  
[ Go to **Security rules** ](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. Select **Create rule** and choose **Custom rules**.
3. Enter a name for the rule (for example, "Challenge empty UA on login").
4. Select **Edit expression** and enter:  
```  
(http.request.uri.path eq "/login" and http.request.method eq "POST" and len(http.user_agent) eq 0)  
```  
Replace `/login` with your login endpoint path.
5. Under **Then take action**, select _Managed Challenge_.
6. Select **Deploy**.

### Create a rate limiting rule with leaked credentials

Combine rate limiting with leaked credentials detection to throttle login attempts that use known-compromised passwords. This rule issues a Managed Challenge when the same IP sends more than three requests with leaked passwords within one minute.

1. On the **Security rules** page, select **Create rule** and choose **Rate limiting rules**.  
[ Go to **Security rules** ](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. Enter a name for the rule (for example, "Rate limit leaked credentials").
3. Under **When incoming requests match**, enter the following expression:  
```  
http.request.uri.path eq "/login" and http.request.method eq "POST" and cf.waf.credential_check.password_leaked  
```  
Replace `/login` with your login endpoint path.
4. Under **With the same characteristics**, verify that _IP_ is selected. On Free plans, this is preset to _IP_.
5. Under **When rate exceeds**, enter _3_ for **Requests** and select a value for **Period**. On Free plans, select _10 seconds_.
6. Under **Then take action**, select an action. On Free plans, select _Block_. On Pro and above, _Managed Challenge_ is recommended.
7. Under **For duration**, select a duration for the action. On Free plans, select _10 seconds_.
8. Select **Deploy**.

Enterprise: Bot Management

Enterprise customers with Bot Management get additional tools for login protection:

* **Custom rules with bot scores**: combine `cf.bot_management.score` with login path matching for precise control. Refer to [Custom rules for bot protection](https://developers.cloudflare.com/bots/additional-configurations/custom-rules/).
* **Account takeover detections**: monitor suspicious login volume and failure rates using detection IDs in custom rules and rate limiting rules. Refer to [Account takeover detections](https://developers.cloudflare.com/bots/additional-configurations/detection-ids/account-takeover-detections/).
* **Account Abuse Protection** (Early Access): detect account fraud patterns beyond credential stuffing. Refer to [Account Abuse Protection](https://developers.cloudflare.com/bots/account-abuse-protection/).

## Monitor for ongoing compromise attempts

After deploying the rules and configurations from the previous sections, monitor your login endpoint to verify the rules are working and to detect new attack patterns.

### Review Security Events

[Security Events](https://developers.cloudflare.com/waf/analytics/security-events/) shows requests that Cloudflare security products acted on or flagged, including blocks, challenges, and skips.

1. In the Cloudflare dashboard, go to the **Analytics** page.  
[ Go to **Analytics** ](https://dash.cloudflare.com/?to=/:account/:zone/security/analytics)
2. Select the **Events** tab.

Review the **Sampled logs** to inspect individual requests. Each log entry shows the action taken, the rule that triggered, the source IP, user agent, URI path, and country. Use the **Add filter** button to narrow results by action, source IP, ASN, or other fields.

Look for false positives — legitimate traffic that your rules incorrectly challenged or blocked. Common signs include:

* Requests from known monitoring services or payment processors appearing in blocked events
* High volumes of challenged requests from countries where you have real users
* Rate limiting rules triggering on legitimate users during peak traffic

If you see legitimate users being affected, adjust your rate limiting thresholds or add skip rules for specific IP ranges.

### Set up notifications for security event spikes (Business and Enterprise)

Set up a **Security Events Alert** notification to receive alerts when security event volume spikes, giving you early warning of a new attack campaign. This notification is in the **WAF** category of the [Notifications](https://developers.cloudflare.com/notifications/) page. For setup instructions, refer to [Create a notification](https://developers.cloudflare.com/notifications/get-started/). Enterprise customers can use **Advanced Security Events Alert** for more granular filtering.

### Review bot traffic patterns (Pro and above)

Bot traffic analytics show bot score distribution on your login endpoint over time. A sudden spike in low-score traffic (scores 1-29) on your login path is an early signal of a credential stuffing campaign.

Cloudflare classifies bot traffic into categories based on bot scores and verification status:

* **Verified bots**: Crawlers and services that Cloudflare has confirmed as legitimate, such as Googlebot, Bingbot, and uptime monitors. Cloudflare maintains a [verified bot list](https://developers.cloudflare.com/bots/concepts/bot/verified-bots/policy/) with strict requirements.
* **Automated** (score 1): Cloudflare is quite certain the request is automated.
* **Likely automated** (scores 2-29): Probably a bot. This category and Automated are the primary targets for security rules, including scrapers, credential stuffing tools, and spam submitters.
* **Likely human** (scores 30-99): These requests appear to come from real users. Do not challenge or block this traffic.

1. In the Cloudflare dashboard, go to **Security** \> **Analytics** \> **Bot analysis**.
2. Review the traffic distribution across the bot score groupings above.

If you see sustained automated traffic reaching your login endpoint despite the rules deployed in this guide, review the [Security features interoperability](https://developers.cloudflare.com/waf/feature-interoperability/) page to verify your rules are executing in the expected order, and consider adjusting thresholds.

## Related resources

**Application Security**

* [Rate limiting best practices](https://developers.cloudflare.com/waf/rate-limiting-rules/best-practices/) — recommended patterns for login protection and credential stuffing
* [Custom rules](https://developers.cloudflare.com/waf/custom-rules/) — create rules using request fields including bot score and leaked credentials
* [Leaked credentials detection](https://developers.cloudflare.com/waf/detections/leaked-credentials/) — scan incoming requests for credentials from known data breaches
* [Security Events](https://developers.cloudflare.com/waf/analytics/security-events/) — review requests acted on by security products

**Cloudflare Bots**

* [Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/bot-fight-mode/) — free bot protection that challenges known bot patterns
* [Super Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/) — Pro and Business bot protection with configurable actions
* [Bot Management](https://developers.cloudflare.com/bots/get-started/bot-management/) — Enterprise bot protection with ML-powered scoring and custom rules

**Turnstile**

* [Get started with Turnstile](https://developers.cloudflare.com/turnstile/get-started/) — create widgets and implement client-side and server-side validation
* [Server-side validation](https://developers.cloudflare.com/turnstile/get-started/server-side-validation/) — validate Turnstile tokens on your server
* [Turnstile Pre-Clearance](https://developers.cloudflare.com/turnstile/additional-configuration/pre-clearance-support/) — pre-clear visitors for SPA and AJAX login flows

**SSL/TLS**

* [Always Use HTTPS](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/always-use-https/) — redirect all HTTP requests to HTTPS
* [HTTP Strict Transport Security (HSTS)](https://developers.cloudflare.com/ssl/edge-certificates/additional-options/http-strict-transport-security/) — prevent browser downgrade attacks with HSTS headers


---

---
title: Stop malicious bots while allowing legitimate traffic (Free, Pro, and Business)
description: Block malicious bots while allowing legitimate traffic using Bot Fight Mode, Turnstile, custom rules, and rate limiting on Free, Pro, and Business plans.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Stop malicious bots while allowing legitimate traffic (Free, Pro, and Business)

The right defense against malicious bot traffic depends on the traffic patterns on your site and your plan. This guide covers a layered approach using [Cloudflare Bots](https://developers.cloudflare.com/bots/), [Cloudflare Application Security](https://developers.cloudflare.com/waf/) (also known as Web Application Firewall or WAF), and [Turnstile](https://developers.cloudflare.com/turnstile/), from baseline protection to targeted custom rules. The core workflow uses features on Free, Pro, and Business plans, with callouts for Enterprise options.

Note

Most procedures in this guide are configured per domain or [zone](https://developers.cloudflare.com/fundamentals/concepts/accounts-and-zones/#zones). Select your domain in the Cloudflare dashboard before starting. Turnstile is the exception: widgets are configured at the account level.

## Review your bot traffic

Before you change any bot settings, review your traffic data to understand what bots are doing on your site.

### Find your bot analytics

[Bot analytics](https://developers.cloudflare.com/bots/bot-analytics/) show you how much of your traffic is automated, which pages bots target, and how Cloudflare scores each request.

Bot Analytics requires a Business plan or above

Bot score distribution data and detailed bot analytics are available on Business and Enterprise plans. Free and Pro plan users can review basic security metrics through [Security Events](https://developers.cloudflare.com/waf/analytics/security-events/). For full bot analytics capabilities, refer to [Bot Analytics](https://developers.cloudflare.com/bots/bot-analytics/).

The first set of steps below is for the new dashboard; the second is for the old dashboard.

1. In the Cloudflare dashboard, go to the **Analytics** page.  
[ Go to **Analytics** ](https://dash.cloudflare.com/?to=/:account/:zone/security/analytics)
2. Select the **Bot analysis** tab.

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login) and select your account and domain.
2. Go to **Security** \> **Bots**.

Review the following:

* **Bot score distribution chart**: Scores closer to 1 indicate automated traffic. Scores closer to 99 indicate human traffic.
* **Top requested paths**: Which endpoints receive the most bot traffic. Login pages, API endpoints, and checkout flows are common targets.
* **Traffic patterns**: Sudden spikes in low-score traffic, specific user agents appearing at high volume, or geographic concentration of requests can indicate bot activity worth investigating.

### Understand bot categories

Cloudflare classifies bot traffic into categories based on bot scores and verification status:

* **Verified bots**: Crawlers and services that Cloudflare has confirmed as legitimate, such as Googlebot, Bingbot, and uptime monitors. Cloudflare maintains a [verified bot list](https://developers.cloudflare.com/bots/concepts/bot/verified-bots/policy/) with strict requirements.
* **Automated** (score 1): Cloudflare is quite certain the request is automated.
* **Likely automated** (scores 2-29): Probably a bot. This category and Automated are the primary targets for security rules, including scrapers, credential stuffing tools, and spam submitters.
* **Likely human** (scores 30-99): These requests appear to come from real users. Do not challenge or block this traffic.

## Block automated traffic with Bot Fight Mode

[Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/bot-fight-mode/) identifies requests that match known bot patterns and issues a computational challenge. It reduces automated traffic across your entire site without requiring you to write any rules.

### What Bot Fight Mode does

Bot Fight Mode is included with Free plans. When enabled, it:

* Identifies traffic matching patterns of known bots
* Issues computationally expensive challenges in response to these bots
* Protects entire domains without endpoint restrictions
* Cannot be customized, adjusted, or reconfigured via custom rules
* Cannot be bypassed with [custom rule](https://developers.cloudflare.com/waf/custom-rules/) Skip actions. If Bot Fight Mode challenges a request you want to allow, you can turn off Bot Fight Mode or upgrade to [Super Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/) for more granular control.

For more details, refer to [Bot Fight Mode considerations](https://developers.cloudflare.com/bots/get-started/bot-fight-mode/#considerations).

### Turn on Bot Fight Mode (Free plan)

The first set of steps below is for the new dashboard; the second is for the old dashboard.

1. In the Cloudflare dashboard, go to the **Security Settings** page.  
[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. Filter by **Bot traffic**.
3. Go to **Bot fight mode**.
4. Turn **Bot fight mode** on.

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login), and select your account and domain.
2. Go to **Security** \> **Bots**.
3. For **Bot Fight Mode**, select **On**.

### Enable Super Bot Fight Mode (Pro, Business, and Enterprise)

Super Bot Fight Mode adds verified bot allowlisting, per-category actions, static resource protection, and JavaScript detections.

Note

If you are upgrading from Bot Fight Mode to Super Bot Fight Mode, you must disable Bot Fight Mode in your Bot settings.

* Old dashboard: **Security** \> **Bots**, and select **Configure Bot Fight Mode**.
* New dashboard: **Security** \> **Settings**. Filter by **Bot traffic** and turn **Bot fight mode** off.

The first set of steps below is for the new dashboard; the second is for the old dashboard.

1. In the Cloudflare dashboard, go to the **Security Settings** page.  
[ Go to **Settings** ](https://dash.cloudflare.com/?to=/:account/:zone/security/settings)
2. Filter by **Bot traffic**.
3. Go to **Super Bot fight mode**.
4. Turn **Super Bot fight mode** on.
5. Choose how your domain should respond to various types of traffic by selecting the associated edit icon:  
   * For more details on verified bots, refer to [Verified Bots](https://developers.cloudflare.com/bots/concepts/bot/verified-bots/).  
   * For more details on supported file types, refer to [Static resource protection](https://developers.cloudflare.com/bots/additional-configurations/static-resources/).  
   * For more details on invisible code injection, refer to [JavaScript detections](https://developers.cloudflare.com/bots/additional-configurations/javascript-detections/).  
   * For more details on WordPress optimization, refer to [Super Bot Fight Mode for WordPress](https://developers.cloudflare.com/bots/troubleshooting/wordpress-loopback-issue/).

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com/login), and select your account and domain.
2. Go to **Security** \> **Bots**.
3. Select **Configure Super Bot Fight Mode**.
4. Choose how your domain should respond to various types of traffic:  
   * For more details on verified bots, refer to [Verified Bots](https://developers.cloudflare.com/bots/concepts/bot/verified-bots/).  
   * For more details on supported file types, refer to [Static resource protection](https://developers.cloudflare.com/bots/additional-configurations/static-resources/).  
   * For more details on invisible code injection, refer to [JavaScript detections](https://developers.cloudflare.com/bots/additional-configurations/javascript-detections/).  
   * For more details on WordPress optimization, refer to [Super Bot Fight Mode for WordPress](https://developers.cloudflare.com/bots/troubleshooting/wordpress-loopback-issue/).

Plan availability

Super Bot Fight Mode is available on Pro, Business, and Enterprise plans. Free plan users can use Bot Fight Mode for baseline protection. Enterprise customers who need machine learning-based bot scoring and custom allow/block rules can add [Bot Management](https://developers.cloudflare.com/bots/plans/bm-subscription/).

Warning

If your organization uses [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/), keep **Definitely Automated** set to **Allow** in Super Bot Fight Mode. Otherwise, tunnels might fail with a `websocket: bad handshake` error.

## Protect forms from automated abuse

[Turnstile](https://developers.cloudflare.com/turnstile/) and Application Security [rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/) protect form endpoints in different ways and work best together.

### Turnstile versus rate limiting

Turnstile challenges suspected bots before they can submit a form (login, signup, contact, or checkout), without showing visitors a CAPTCHA. It can be embedded into any website without sending traffic through Cloudflare. Use Turnstile when you need to challenge automated form submissions.

Rate limiting allows you to define rate limits for requests matching an expression and the action to perform when those limits are reached. Use rate limiting to protect endpoints from abuse, such as brute-force attacks on a login page or excessive API calls from a single client.

Both together provide the strongest coverage. Turnstile challenges automated submissions at the form level. Rate limiting catches high-volume attacks that bypass or do not encounter the form, such as direct `POST` requests to the endpoint that skip the client-side widget.

### Add Turnstile to a form

Adding Turnstile involves three steps: create a widget, add the client-side snippet, and validate the token on your server.

#### 1\. Create a Turnstile widget

Turnstile is configured at the account level.

1. In the Cloudflare dashboard, go to the **Turnstile** page.  
[ Go to **Turnstile** ](https://dash.cloudflare.com/?to=/:account/turnstile)
2. Select **Add widget**.
3. Fill out the required information:  
   * **Widget name**: A descriptive name for your widget.  
   * **Hostname management**: Domains where the widget will be used.  
   * **Widget mode**: Choose from Managed, Non-Interactive, or Invisible.
4. (Optional) Configure **Pre-clearance support** for single-page applications.
5. Select **Create** to save your widget.
6. Copy your sitekey and secret key, and store the secret key securely.

You need both the sitekey and secret key in the following steps.

#### 2\. Add the client-side snippet

Add the Turnstile script and widget container to your form HTML:

```
<script
  src="https://challenges.cloudflare.com/turnstile/v0/api.js"
  async
  defer
></script>

<form action="/submit" method="POST">
  <!-- Your existing form fields -->
  <div class="cf-turnstile" data-sitekey="<YOUR_SITE_KEY>"></div>
  <button type="submit">Submit</button>
</form>
```

Replace `<YOUR_SITE_KEY>` with the sitekey from the previous step. The widget renders inside the `div` and produces a token when the visitor passes the challenge.

#### 3\. Validate the token on your server

Before processing the form submission, send the token to the Turnstile siteverify endpoint to confirm the visitor passed the challenge:

```
curl https://challenges.cloudflare.com/turnstile/v0/siteverify \
  --header "Content-Type: application/json" \
  --data '{
  "secret": "<YOUR_SECRET_KEY>",
  "response": "<TURNSTILE_RESPONSE_TOKEN>"
}'
```

Replace `<YOUR_SECRET_KEY>` with your secret key and `<TURNSTILE_RESPONSE_TOKEN>` with the `cf-turnstile-response` value from the form submission. The endpoint returns a JSON object with a `success` field. Only process the form submission if `success` is `true`.

For complete integration details, refer to [Turnstile get started](https://developers.cloudflare.com/turnstile/get-started/).
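A server-side check built around the siteverify call above, as an added example rather than Cloudflare's own code: it fails closed when the endpoint cannot be reached and also compares the returned `hostname` with the site you expect. The names `verify_turnstile`, `fake_siteverify` and the injectable `post` transport are assumptions made for illustration; `remoteip`, `hostname` and `error-codes` are siteverify fields that this page does not show.

```python
import json
import urllib.request

SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify"
MAX_TOKEN_LEN = 2048  # documented upper bound for a Turnstile token


def _post_json(url, payload, timeout):
    """Default transport: POST JSON and return the decoded response body."""
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def verify_turnstile(token, secret, expected_hostname=None, remote_ip=None,
                     post=_post_json, timeout=5):
    """Return (ok, reason). Any error means the form must not be processed."""
    # Reject obviously bad input before spending a network round trip on it.
    if not isinstance(token, str) or not token or len(token) > MAX_TOKEN_LEN:
        return False, "missing-or-malformed-token"
    payload = {"secret": secret, "response": token}
    if remote_ip:
        payload["remoteip"] = remote_ip
    try:
        result = post(SITEVERIFY_URL, payload, timeout)
    except (OSError, ValueError) as exc:  # network error, timeout, invalid JSON
        return False, f"siteverify-unavailable: {type(exc).__name__}"
    # Only the literal boolean True counts; a missing field is a failure.
    if not isinstance(result, dict) or result.get("success") is not True:
        codes = result.get("error-codes") if isinstance(result, dict) else None
        return False, "rejected: " + ",".join(map(str, codes or ["unknown"]))
    # A token solved on another site's widget must not unlock this form.
    if expected_hostname and result.get("hostname") != expected_hostname:
        return False, "hostname-mismatch"
    return True, "ok"


def fake_siteverify(url, payload, timeout):
    """Constructed stand-in for the real endpoint so the example runs offline."""
    if payload["response"] == "good-token":
        return {"success": True, "hostname": "example.com", "error-codes": []}
    # A token that was already redeemed or has expired.
    return {"success": False, "error-codes": ["timeout-or-duplicate"]}


if __name__ == "__main__":
    for tok in ("good-token", "replayed-token", ""):
        print(repr(tok), verify_turnstile(tok, "<YOUR_SECRET_KEY>",
                                          expected_hostname="example.com",
                                          post=fake_siteverify))
```

In a real handler, pass the `cf-turnstile-response` form value as `token` and leave `post` at its default.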

### Limit request volume on form endpoints with rate limiting

For login endpoints, a tiered rate limiting approach works well alongside Turnstile. The following example from the [Rate limiting best practices](https://developers.cloudflare.com/waf/rate-limiting-rules/best-practices/) shows two rules that escalate the response based on the volume of failed attempts. Adjust the thresholds for your site's traffic patterns.

Tiered rate limiting rules require a Business plan or above

Rules that use counting expressions with response codes (such as counting only `401` and `403` responses) require a Business plan or above. On Free and Pro plans, you can create simpler rate limiting rules with IP-based counting. Refer to [Rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/) for plan availability details.

**Short-window rule:** Challenge an IP that sends too many failed login requests in a short window.

The first set of steps below is for the new dashboard; the second is for the old dashboard.

1. In the Cloudflare dashboard, go to **Security** \> **Security rules**.  
[ Go to **Security rules** ](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. Select **Create rule** \> **Rate limiting rules**.
3. Enter a descriptive name in **Rule name**.
4. Under **If incoming requests match**, select **Edit expression** and enter: `http.request.uri.path eq "/login" and http.request.method eq "POST"`
5. Under **With the same characteristics**, select **IP**.
6. Enable **Use custom counting expression** and enter: `http.request.uri.path eq "/login" and http.request.method eq "POST" and http.response.code in {401 403}`
7. Under **When rate exceeds**, enter `4` requests per `1 minute`.
8. Under **Then take action**, select _Managed Challenge_.
9. Select **Deploy**.

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com), and select your account and domain.
2. Go to **Security** \> **WAF** \> **Rate limiting rules**.
3. Select **Create rule**.
4. Enter a descriptive name in **Rule name**.
5. Under **If incoming requests match**, select **Edit expression** and enter: `http.request.uri.path eq "/login" and http.request.method eq "POST"`
6. Under **With the same characteristics**, select **IP**.
7. Enable **Use custom counting expression** and enter: `http.request.uri.path eq "/login" and http.request.method eq "POST" and http.response.code in {401 403}`
8. Under **When rate exceeds**, enter `4` requests per `1 minute`.
9. Under **Then take action**, select _Managed Challenge_.
10. Select **Deploy**.

**Long-window rule:** Block an IP that accumulates failed login attempts over a longer period.

The first set of steps below is for the new dashboard; the second is for the old dashboard.

1. In the Cloudflare dashboard, go to **Security** \> **Security rules**.  
[ Go to **Security rules** ](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. Select **Create rule** \> **Rate limiting rules**.
3. Enter a descriptive name in **Rule name**.
4. Under **If incoming requests match**, select **Edit expression** and enter: `http.request.uri.path eq "/login" and http.request.method eq "POST"`
5. Under **With the same characteristics**, select **IP**.
6. Enable **Use custom counting expression** and enter: `http.request.uri.path eq "/login" and http.request.method eq "POST" and http.response.code in {401 403}`
7. Under **When rate exceeds**, enter `20` requests per `1 hour`.
8. Under **Then take action**, select _Block_ with a duration of `1 day`.
9. Select **Deploy**.

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com), and select your account and domain.
2. Go to **Security** \> **WAF** \> **Rate limiting rules**.
3. Select **Create rule**.
4. Enter a descriptive name in **Rule name**.
5. Under **If incoming requests match**, select **Edit expression** and enter: `http.request.uri.path eq "/login" and http.request.method eq "POST"`
6. Under **With the same characteristics**, select **IP**.
7. Enable **Use custom counting expression** and enter: `http.request.uri.path eq "/login" and http.request.method eq "POST" and http.response.code in {401 403}`
8. Under **When rate exceeds**, enter `20` requests per `1 hour`.
9. Under **Then take action**, select _Block_ with a duration of `1 day`.
10. Select **Deploy**.

This pattern uses a counting expression that only counts `POST` requests returning authentication failure codes. Legitimate users who log in successfully on the first attempt never trigger the rule. Review the results in [Security Events](https://developers.cloudflare.com/waf/analytics/security-events/) to confirm the thresholds are not catching legitimate users.

For the full tiered credential stuffing example with three rules, refer to [Rate limiting best practices](https://developers.cloudflare.com/waf/rate-limiting-rules/best-practices/).
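The short-window and long-window thresholds above can be checked offline against your own request logs before you deploy them. The following is an added example, not Cloudflare code: it replays a constructed log through both rules, assuming an exact sliding window per IP and treating "exceeds" as strictly greater than the threshold. The names `Request`, `RateRule`, `first_trigger` and `evaluate` are hypothetical.

```python
"""Offline check of the two login rate limiting rules against request logs."""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Dict, Iterable, List, NamedTuple


class Request(NamedTuple):
    ts: int       # seconds since the start of the sample
    ip: str
    method: str
    path: str
    status: int   # response code returned for the request


def is_failed_login(r: Request) -> bool:
    # Mirrors the page's custom counting expression:
    # path eq "/login" and method eq "POST" and response code in {401 403}
    return r.path == "/login" and r.method == "POST" and r.status in (401, 403)


@dataclass(frozen=True)
class RateRule:
    name: str
    period: int      # window length in seconds
    threshold: int   # the "When rate exceeds" value
    action: str


# Thresholds and actions taken from the two rules on this page.
SHORT = RateRule("short-window", 60, 4, "Managed Challenge")
LONG = RateRule("long-window", 3600, 20, "Block for 1 day")


def first_trigger(requests: Iterable[Request], rule: RateRule) -> Dict[str, int]:
    """Return {ip: ts} of the counted request that pushed each IP over the rate.

    Assumptions: an exact sliding window, and "exceeds" meaning strictly
    greater than the threshold. The real edge counter may differ slightly.
    """
    windows = defaultdict(deque)
    tripped: Dict[str, int] = {}
    for r in sorted(requests, key=lambda req: req.ts):
        if r.ip in tripped or not is_failed_login(r):
            continue  # successful logins and other paths are never counted
        window = windows[r.ip]
        window.append(r.ts)
        # Drop failures that have aged out of the rule's period.
        while window[0] <= r.ts - rule.period:
            window.popleft()
        if len(window) > rule.threshold:
            tripped[r.ip] = r.ts
    return tripped


def evaluate(requests: Iterable[Request], rules=(SHORT, LONG)) -> Dict[str, Dict[str, int]]:
    """Return {ip: {rule name: trigger ts}} for every IP that trips a rule."""
    requests = list(requests)
    result: Dict[str, Dict[str, int]] = defaultdict(dict)
    for rule in rules:
        for ip, ts in first_trigger(requests, rule).items():
            result[ip][rule.name] = ts
    return dict(result)


def build_sample() -> List[Request]:
    """Constructed sample log (documentation IP ranges, not real traffic)."""
    log = [
        # User who mistypes once, then logs in and browses.
        Request(5, "198.51.100.10", "POST", "/login", 401),
        Request(20, "198.51.100.10", "POST", "/login", 200),
        Request(25, "198.51.100.10", "GET", "/account", 200),
        # User who succeeds after exactly four failures in one minute.
        Request(140, "198.51.100.20", "POST", "/login", 200),
    ]
    log += [Request(t, "198.51.100.20", "POST", "/login", 401)
            for t in (100, 110, 120, 130)]
    # Burst client: six failures in 30 seconds.
    log += [Request(t, "203.0.113.7", "POST", "/login", 401)
            for t in range(0, 30, 5)]
    # Slow client: one failure every 150 seconds (24 per hour).
    log += [Request(t, "192.0.2.50", "POST", "/login", 403)
            for t in range(0, 4500, 150)]
    return log


if __name__ == "__main__":
    actions = {rule.name: rule.action for rule in (SHORT, LONG)}
    for ip, hits in sorted(evaluate(build_sample()).items()):
        for rule_name, ts in hits.items():
            print(f"{ip} trips {rule_name} at t={ts}s -> {actions[rule_name]}")
```

Replace `build_sample()` with a parser for your own access logs to see which clients each threshold would have caught and whether any known-good clients appear in the result.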

## Target bot patterns with custom rules and rate limiting

Application Security [custom rules](https://developers.cloudflare.com/waf/custom-rules/) and [rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/) let you target specific traffic patterns that built-in bot protection does not catch. Cloudflare separates detection (scoring traffic) from mitigation (acting on those scores). You write rules that reference detection signals to decide what action to take.

### Block requests with missing or suspicious headers

Legitimate browsers typically send headers like `User-Agent`, `Accept`, and `Accept-Language`. Many bots omit these headers or send non-browser values. A custom rule targeting requests with empty or suspicious headers catches bots that evade score-based detection.

Before creating custom rules, review the built-in bot settings in **Security** \> **Settings** (filter by _Bot traffic_). These settings handle common scenarios like blocking AI crawlers, challenging automated traffic, and allowing verified bots without requiring you to write expressions. For the full list of built-in settings, refer to [Challenge bad bots](https://developers.cloudflare.com/waf/custom-rules/use-cases/challenge-bad-bots/).

**Plan availability**

Built-in bot settings are part of [Super Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/) (Pro and above). On Free plans, only the Bot Fight Mode toggle is available. [Custom rules](https://developers.cloudflare.com/waf/custom-rules/#availability) are available on all plans, with the number of rules increasing on higher plans.

If the built-in settings do not cover your needs, create custom rules. Start by creating an exception for verified bots so they are protected before you deploy any blocking rules.

Navigate to custom rules, then create both rules:

**New dashboard:**

1. In the Cloudflare dashboard, go to **Security** \> **Security rules**.  
[Go to **Security rules**](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. Select **Create rule** \> **Custom rules**.

**Old dashboard:**

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com), and select your account and domain.
2. Go to **Security** \> **WAF** \> **Custom rules**.
3. Select **Create rule**.

**First, create a verified bot exception:**

1. Enter a descriptive name in **Rule name**.
2. Under **When incoming requests match**, select **Edit expression** and enter: `(cf.client.bot)`
3. Under **Then take action**, select _Skip_ from the **Choose action** dropdown. Then select **All remaining custom rules**.
4. Under **Place at**, select _First_ from the **Select order** dropdown so this rule executes before any blocking rules.
5. Select **Deploy**.

This ensures verified bots (search engine crawlers, monitoring services) bypass your custom rules. If you have internal APIs, partner integrations, or monitoring tools that send automated traffic, create additional Skip rules for their IP addresses or user agents before deploying blocking rules. Review your expected automated traffic in [Security Events](https://developers.cloudflare.com/waf/analytics/security-events/) to identify what to allowlist.

**Then, create a blocking rule:**

1. Select **Create rule**.
2. Enter a descriptive name in **Rule name**.
3. Under **When incoming requests match**, select **Edit expression** and enter: `(http.request.uri.path eq "/login" and http.request.method eq "POST")`
4. Under **Then take action**, select _Managed Challenge_ from the **Choose action** dropdown.
5. Under **Place at**, leave the **Select order** dropdown set to _Last_. This places the rule after the verified bot exception.
6. Select **Deploy**.
7. Review the results in [Security Events](https://developers.cloudflare.com/waf/analytics/security-events/). If the rule matches only bot traffic, edit the rule and change the action from _Managed Challenge_ to _Block_.

For additional custom rule options including the visual field builder, refer to [Create a custom rule in the dashboard](https://developers.cloudflare.com/waf/custom-rules/create-dashboard/).

If your bot traffic is concentrated from countries where you have no real users, you can combine geographic filters with the rules above. Add `ip.src.country` to your expression to restrict the rule to specific regions. For examples, refer to [Block traffic by geographical location](https://developers.cloudflare.com/waf/custom-rules/use-cases/block-by-geographical-location/).

### Protect high-frequency paths with rate limiting

Beyond form endpoints, bots also target checkout flows, API endpoints, and other high-value paths. Rate limiting rules cap the number of requests a single client can make to these paths within a time window.

The following example creates a rate limiting rule for a checkout endpoint. Adjust the path, rate, and action for your site.

**Rate limiting options vary by plan**

Available periods, actions, and counting options vary by plan. The example below uses a 1-minute period with Managed Challenge. Refer to [Rate limiting rules availability](https://developers.cloudflare.com/waf/rate-limiting-rules/#availability) for your plan's options.

**New dashboard:**

1. In the Cloudflare dashboard, go to **Security** \> **Security rules**.  
[Go to **Security rules**](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. Select **Create rule** \> **Rate limiting rules**.
3. Enter a descriptive name in **Rule name**.
4. Under **If incoming requests match**, select **Edit expression** and enter: `http.request.uri.path eq "/api/checkout" and http.request.method eq "POST"`
5. Under **With the same characteristics**, select **IP**.
6. Under **When rate exceeds**, enter `10` requests per `1 minute`.
7. Under **Then take action**, select _Managed Challenge_.
8. Select **Deploy**.
9. Review the results in [Security Events](https://developers.cloudflare.com/waf/analytics/security-events/). If the rule matches only bot traffic, edit the rule and change the action to _Block_ if needed.

**Old dashboard:**

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com), and select your account and domain.
2. Go to **Security** \> **WAF** \> **Rate limiting rules**.
3. Select **Create rule**.
4. Enter a descriptive name in **Rule name**.
5. Under **If incoming requests match**, select **Edit expression** and enter: `http.request.uri.path eq "/api/checkout" and http.request.method eq "POST"`
6. Under **With the same characteristics**, select **IP**.
7. Under **When rate exceeds**, enter `10` requests per `1 minute`.
8. Under **Then take action**, select _Managed Challenge_.
9. Select **Deploy**.
10. Review the results in [Security Events](https://developers.cloudflare.com/waf/analytics/security-events/). If the rule matches only bot traffic, edit the rule and change the action to _Block_ if needed.

For additional patterns and thresholds, refer to [Rate limiting best practices](https://developers.cloudflare.com/waf/rate-limiting-rules/best-practices/).

**Security Analytics rate analysis requires an Enterprise plan**

Enterprise customers can use the **Request rate analysis** tab in Security Analytics to visualize request rate distributions and the **Log** action to observe rule matches without taking action. On other plans, estimate thresholds based on your expected traffic patterns. Refer to [Find an appropriate rate limit](https://developers.cloudflare.com/waf/rate-limiting-rules/find-rate-limit/) for the full methodology.

**Enterprise Bot Management: bot score in custom rules**

Enterprise customers with [Bot Management](https://developers.cloudflare.com/bots/plans/bm-subscription/) can reference the `cf.bot_management.score` field in custom rule expressions for granular control over bot traffic. Bot Management assigns a score from 1 to 99 to each request, where lower scores indicate more automated behavior. Refer to [Bot scores](https://developers.cloudflare.com/bots/concepts/bot-score/) and [Bot Management variables](https://developers.cloudflare.com/bots/reference/bot-management-variables/) for details.

## Verify and tune your rules

After you deploy bot protection rules, use [Security Events](https://developers.cloudflare.com/waf/analytics/security-events/) to verify they are working as intended and adjust thresholds based on the results.

### Check Security Events

Security Events displays requests that Cloudflare security products acted on or flagged, including blocks, challenges, and flags.

**New dashboard:**

1. In the Cloudflare dashboard, go to the **Analytics** page.  
[Go to **Analytics**](https://dash.cloudflare.com/?to=/:account/:zone/security/analytics)
2. Select the **Events** tab.

**Old dashboard:**

1. In the Cloudflare dashboard, go to **Security** \> **Events**.

Review the **Sampled logs** to inspect individual requests. Each log entry shows the action taken, the rule that triggered, the source IP, user agent, URI path, and country. Available dashboard sections vary by plan. Refer to [Security Events availability](https://developers.cloudflare.com/waf/analytics/security-events/#availability) for your plan's features.

Look for false positives (legitimate traffic that your rules incorrectly challenged or blocked). Common signs include:

* Requests from known monitoring services or payment processors appearing in blocked events
* User agents matching legitimate browsers but receiving challenges
* High volumes of challenged requests from countries where you have real users

For rules using the Managed Challenge action, check the [challenge solve rate (CSR)](https://developers.cloudflare.com/cloudflare-challenges/reference/challenge-solve-rate/). A low CSR likely indicates the rule is effectively filtering automated traffic rather than legitimate users.

[Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/bot-fight-mode/) and [Super Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/) are aggressive by design. False positives are expected, especially in the first few days after turning them on. The key difference between the two is how you handle exceptions:

* **Bot Fight Mode** (Free) cannot be bypassed with custom rule Skip actions. You can turn off Bot Fight Mode or upgrade to Super Bot Fight Mode for more control.
* **Super Bot Fight Mode** (Pro and above) can be bypassed with custom rules using the Skip action, giving you more flexibility to create exceptions.

For more information on handling false positives, refer to [False positives](https://developers.cloudflare.com/bots/troubleshooting/false-positives/).

### Adjust your rules

After reviewing Security Events, adjust your rules based on the results.

**Scenario 1: Your monitoring tools or services are being blocked.**

Internal monitoring tools, health check services, or partner APIs appear in blocked events. The fix depends on which feature is blocking them:

* If [Super Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/) (Pro and above) is blocking the traffic, create a custom rule with a Skip action matching the tool's IP address or user agent:  
   1. Go to the **Security rules** page.  
   [ Go to **Security rules** ](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)  
   2. Select **Create rule** \> **Custom rules**.  
   3. Enter a descriptive name.  
   4. Under **When incoming requests match**, select **Edit expression** and enter: `(ip.src eq 192.0.2.1)` (replace with your tool's IP address).  
   5. Under **Then take action**, select _Skip_. Then select **All Super Bot Fight Mode rules**.  
   6. Select **Deploy**.
* If [Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/bot-fight-mode/) (Free) is blocking the traffic, turn off Bot Fight Mode or upgrade to [Super Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/) for granular exception rules.

For details on Skip action configuration, refer to [Configure a rule with the Skip action](https://developers.cloudflare.com/waf/custom-rules/skip/).

**Scenario 2: Malicious traffic is still getting through.**

Bot activity appears in Security Events that your current rules do not catch. Bots that stay under rate limits or evade single-signal rules require combining multiple signals. For example, to challenge `POST` requests to `/login` that are not from verified bots:

**New dashboard:**

1. In the Cloudflare dashboard, go to **Security** \> **Security rules**.  
[Go to **Security rules**](https://dash.cloudflare.com/?to=/:account/:zone/security/security-rules)
2. Select **Create rule** \> **Custom rules**.
3. Enter a descriptive name.
4. Under **When incoming requests match**, select **Edit expression** and enter:  
```
(http.request.uri.path eq "/login" and http.request.method eq "POST" and not cf.client.bot)
```
5. Under **Then take action**, select _Managed Challenge_.
6. Select **Deploy**.
7. Review the results in Security Events. If the rule matches only bot traffic, change the action to _Block_.

**Old dashboard:**

1. Log in to the [Cloudflare dashboard ↗](https://dash.cloudflare.com), and select your account and domain.
2. Go to **Security** \> **WAF** \> **Custom rules**.
3. Select **Create rule**.
4. Enter a descriptive name.
5. Under **When incoming requests match**, select **Edit expression** and enter:  
```
(http.request.uri.path eq "/login" and http.request.method eq "POST" and not cf.client.bot)
```
6. Under **Then take action**, select _Managed Challenge_.
7. Select **Deploy**.
8. Review the results in Security Events. If the rule matches only bot traffic, change the action to _Block_.

For more expression fields and examples, refer to [Custom rules use cases](https://developers.cloudflare.com/waf/custom-rules/use-cases/).

If bots are staying under your rate limiting thresholds, edit the rate limiting rule and reduce the request count or shorten the time window.

**Note**

Custom rules execute before Super Bot Fight Mode in the evaluation order. If a custom rule takes a terminating action (Block, Managed Challenge), the request does not reach Super Bot Fight Mode. Refer to [Security features interoperability](https://developers.cloudflare.com/waf/feature-interoperability/).

**Enterprise Bot Management**

Enterprise customers with [Bot Management](https://developers.cloudflare.com/bots/plans/bm-subscription/) can tune rules using the `cf.bot_management.score` field for more granular control. Refer to [Bot Management variables](https://developers.cloudflare.com/bots/reference/bot-management-variables/) for available fields.

## Related resources

**Bots**

* [Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/bot-fight-mode/) — Baseline bot protection available on all plans
* [Super Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/) — Granular bot controls for Pro, Business, and Enterprise plans
* [Enterprise Bot Management](https://developers.cloudflare.com/bots/plans/bm-subscription/) — Machine learning-based bot scoring and behavioral analysis
* [Bot Analytics](https://developers.cloudflare.com/bots/bot-analytics/) — Monitor bot traffic patterns across your domain

**Application Security**

* [Custom rules](https://developers.cloudflare.com/waf/custom-rules/) — Write targeted rules using traffic signals and bot scores
* [Rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/) — Control request volume to protect endpoints from abuse
* [Security Events](https://developers.cloudflare.com/waf/analytics/security-events/) — Review and investigate mitigated requests

**Turnstile**

* [Turnstile](https://developers.cloudflare.com/turnstile/) — Free, privacy-preserving challenge for forms and user interactions

---

---
title: Application security
description: Protect web applications and APIs with Cloudflare Application security (WAF), DDoS protection, bot security, API Shield, and client-side security.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Application security

Protect your website or application from attacks, bots, and abuse. Cloudflare's application security (also known as Web Application Firewall or WAF) blocks SQL injection, XSS, and OWASP Top 10 vulnerabilities. DDoS Protection mitigates volumetric and application-layer attacks automatically. Bot Security uses machine learning to score every request. API Shield validates API traffic against your OpenAPI specification. Client-side security monitors third-party scripts for malicious behavior.

* [ Block application attacks ](https://developers.cloudflare.com/use-cases/application-security/block-attacks/)
* [ Mitigate DDoS attacks ](https://developers.cloudflare.com/use-cases/application-security/ddos/)
* [ Stop malicious bots ](https://developers.cloudflare.com/use-cases/application-security/bots/)
* [ Protect against client-side threats ](https://developers.cloudflare.com/use-cases/application-security/client-side/)
* [ Secure API endpoints ](https://developers.cloudflare.com/use-cases/application-security/api-endpoints/)

## Architecture patterns

### Web application security

Protect a website or web application from common attacks:

* **SSL/TLS** encrypts all traffic between visitors and Cloudflare
* **Security rules** with managed rulesets block SQL injection, XSS, and OWASP Top 10 vulnerabilities
* **DDoS Protection** mitigates volumetric and application-layer attacks automatically
* **Bot Security** scores every request and blocks automated threats

### API security

Secure Application Programming Interface (API) endpoints with schema enforcement and authentication:

* **API Shield** validates requests against your OpenAPI specification
* **Rate Limiting** prevents abuse with per-endpoint request limits
* **mTLS** authenticates known clients with mutual TLS certificates

### Client-side defense

Protect visitors from threats that execute in the browser:

* **Client-side security** monitors third-party scripts loading on your pages
* **Turnstile** replaces CAPTCHAs on forms with a privacy-preserving challenge
* **Content security rules** block requests from known malicious sources

---

## Prerequisites

* A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up).
* A domain [added to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/). All solutions in this use case require your domain's DNS records to be proxied through Cloudflare so that traffic passes through Cloudflare's network before reaching your origin.

---

## Related resources

[Security best practices](https://developers.cloudflare.com/learning-paths/application-security/) 

Structured learning path for application security.

[Security Analytics](https://developers.cloudflare.com/waf/analytics/) 

Analyze security events and fine-tune your configuration.

[Security case studies](https://www.cloudflare.com/case-studies/) 

Explore how companies secure their applications with Cloudflare.

---

---
title: Secure API endpoints
description: Protect APIs with schema validation, rate limiting, and authentication.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Secure API endpoints

API endpoints are vulnerable to schema violations, abuse, and unauthorized access. Cloudflare API Shield validates requests against your OpenAPI specification, and mutual TLS (mTLS) authenticates known clients with certificates.

## Solutions

### API Shield

Discover, secure, and monitor your APIs. [Learn more about API Shield](https://developers.cloudflare.com/api-shield/).

* **API discovery** \- Automatically identify API endpoints in your traffic, including undocumented ones
* **Schema validation** \- Reject requests that do not conform to your OpenAPI specification
* **Sequence mitigation** \- Detect and block API abuse patterns such as out-of-order requests

### mTLS

Mutual TLS client certificate authentication. [Learn more about mTLS](https://developers.cloudflare.com/ssl/client-certificates/).

* **mTLS authentication** \- Require client certificates for machine-to-machine API access

## Get started

1. [API Shield get started](https://developers.cloudflare.com/api-shield/get-started/)
2. [Set up mTLS](https://developers.cloudflare.com/ssl/client-certificates/)

---

---
title: Block application attacks
description: Protect against SQL injection, XSS, and other OWASP Top 10 vulnerabilities.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Block application attacks

Web applications face constant threats from SQL injection, Cross-Site Scripting (XSS), and other Open Web Application Security Project (OWASP) Top 10 vulnerabilities. Cloudflare WAF managed rulesets block these attacks automatically, and rate limiting prevents brute force abuse.

## Solutions

### Application security (WAF)

Get automatic protection from vulnerabilities and create your own custom rules. [Learn more about WAF](https://developers.cloudflare.com/waf/).

* **Managed rulesets** \- Pre-configured rules covering OWASP Top 10 and emerging threats, updated by Cloudflare
* **Zero-day protection** \- Rules are updated as new vulnerabilities are discovered, with no action required from you
* **Custom rules** \- Block or challenge requests based on any request attribute including headers, cookies, and IP reputation

### Rate limiting

Limit request rates based on flexible matching criteria. [Learn more about rate limiting](https://developers.cloudflare.com/waf/rate-limiting-rules/).

* **Rate limiting** \- Prevent brute force attacks and Application Programming Interface (API) abuse with flexible per-endpoint request limits

## Get started

1. [Deploy WAF managed rulesets](https://developers.cloudflare.com/waf/managed-rules/deploy-zone-dashboard/)
2. [Create custom rules](https://developers.cloudflare.com/waf/custom-rules/create-dashboard/)
3. [Configure rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/create-zone-dashboard/)

For custom rules and rate limiting patterns specific to bot traffic, refer to [Stop malicious bots while allowing legitimate traffic (Free, Pro, and Business)](https://developers.cloudflare.com/use-cases/solutions/stop-malicious-bots/).

---

---
title: Stop malicious bots
description: Detect and block automated threats while allowing legitimate traffic.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Stop malicious bots

Malicious bots perform credential stuffing, content scraping, and inventory hoarding. Cloudflare provides multiple tools to detect and block automated threats while allowing legitimate bots like search engine crawlers.

For a step-by-step workflow that combines these tools into a layered defense, refer to [Stop malicious bots while allowing legitimate traffic](https://developers.cloudflare.com/use-cases/solutions/stop-malicious-bots/).

## Solutions

### Bot Fight Mode

Baseline bot protection available on all plans, including Free. Challenges requests that match known bot patterns. [Learn more about Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/bot-fight-mode/).

### Super Bot Fight Mode

Granular bot controls for Pro plans and above. Allows verified bots, configures per-category actions, and extends protection to static resources. [Learn more about Super Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/super-bot-fight-mode/).

### Bot Management

Machine learning-powered bot detection for Enterprise with granular signal detections. Assigns a bot score from 1 (bot) to 99 (human) to every request, along with additional signals for more precise and customizable security rules. [Learn more about Bot Management](https://developers.cloudflare.com/bots/).

### Turnstile

Privacy-preserving challenge for forms and user interactions. Available on all plans at no cost. [Learn more about Turnstile](https://developers.cloudflare.com/turnstile/).

### WAF custom rules

Targeted rules that act on traffic signals including headers, request patterns, and [bot management variables](https://developers.cloudflare.com/bots/reference/bot-management-variables/). Available on all plans. [Learn more about custom rules](https://developers.cloudflare.com/waf/custom-rules/).

## Get started

1. [Stop malicious bots while allowing legitimate traffic](https://developers.cloudflare.com/use-cases/solutions/stop-malicious-bots/) — layered defense guide covering all products above
2. [Enable Bot Fight Mode](https://developers.cloudflare.com/bots/get-started/bot-fight-mode/) — quickest single step (Free plan)
3. [Add Turnstile to forms](https://developers.cloudflare.com/turnstile/get-started/) — protect login and signup forms

---

---
title: Protect against client-side threats
description: Monitor and control third-party scripts running on your site.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Protect against client-side threats

Third-party scripts on your site can be compromised to exfiltrate data or inject malicious code. Cloudflare's client-side security (previously known as Page Shield) monitors every JavaScript resource loading on your pages, detects suspicious behavior, and helps you manage Content Security Policies (CSPs).

## Solutions

### Client-side security

Monitor and control third-party scripts and outbound connections on your pages. [Learn more about client-side security](https://developers.cloudflare.com/client-side-security/).

* **Script monitoring** \- Track every JavaScript resource loading on your pages, including third-party scripts
* **Malicious script detection** \- Receive alerts when scripts exhibit suspicious behavior such as data exfiltration patterns
* **Connection monitoring** \- See which external endpoints scripts are sending data to
* **CSP management** \- Generate and manage Content Security Policies (CSPs) based on observed script behavior

## Get started

1. [Enable Client-side security](https://developers.cloudflare.com/client-side-security/get-started/)
2. [Review detected scripts](https://developers.cloudflare.com/client-side-security/detection/monitor-connections-scripts/)
3. [Configure rules](https://developers.cloudflare.com/client-side-security/rules/)

---

---
title: Mitigate DDoS attacks
description: Mitigate DDoS attacks automatically with no caps on attack size, no manual intervention, and no extra cost.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Mitigate DDoS attacks

Distributed Denial of Service (DDoS) attacks can take your application offline by flooding it with traffic. Cloudflare DDoS Protection mitigates these attacks automatically at the network edge, with no caps on attack size or duration and no manual intervention required.

## Solutions

### DDoS Protection

Automatic mitigation of volumetric and application-layer DDoS attacks. [Learn more about DDoS Protection](https://developers.cloudflare.com/ddos-protection/).

* **Always-on protection** \- Attacks are mitigated automatically with no manual intervention required
* **Unlimited mitigation** \- No caps on attack size or duration
* **Layer 3/4 protection** \- Block network-layer floods and amplification attacks at the network edge

## Get started

1. [DDoS protection overview](https://developers.cloudflare.com/ddos-protection/)
2. [Configure DDoS managed rulesets](https://developers.cloudflare.com/ddos-protection/managed-rulesets/)

---

---
title: Performance
description: Accelerate websites and applications with Cloudflare CDN caching, image optimization, smart routing, load balancing, and web analytics.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Performance

Accelerate websites and applications with Cloudflare CDN (Content Delivery Network) caching, image optimization, smart routing, load balancing, and web analytics.

* [ Cache content globally ](https://developers.cloudflare.com/use-cases/performance/caching/)
* [ Optimize images ](https://developers.cloudflare.com/use-cases/performance/image-optimization/)
* [ Accelerate connections ](https://developers.cloudflare.com/use-cases/performance/connections/)
* [ Optimize web assets ](https://developers.cloudflare.com/use-cases/performance/web-assets/)
* [ Balance traffic across origins ](https://developers.cloudflare.com/use-cases/performance/load-balancing/)
* [ Monitor performance ](https://developers.cloudflare.com/use-cases/performance/monitoring/)

## Prerequisites

* A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up).
* A domain [added to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) with DNS records proxied through Cloudflare's network. Caching, image optimization, speed optimizations, Argo Smart Routing, and Load Balancing all operate at the edge and require traffic to pass through Cloudflare.
* Web Analytics can be added to any site without a proxied domain by [adding the JavaScript snippet](https://developers.cloudflare.com/web-analytics/get-started/) to your pages directly.

---

## Related resources

[Performance best practices](https://developers.cloudflare.com/learning-paths/optimize-site-speed/) 

Structured learning path for site optimization.

[Cache Analytics](https://developers.cloudflare.com/cache/performance-review/cache-analytics/) 

Analyze cache hit rates and optimize caching.

[Performance case studies](https://www.cloudflare.com/case-studies/) 

Explore how companies accelerate their applications with Cloudflare.

---

---
title: Cache content globally
description: Reduce origin load and latency by caching static and dynamic content at 300+ Cloudflare edge locations.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Cache content globally

Every request that reaches your origin server adds latency and costs. Cloudflare Cache serves static and dynamic content globally, reducing round-trip times for visitors and offloading traffic from your origin.

## Solutions

### Cache

Cache content at Cloudflare's global network of edge locations. [Learn more about Cache](https://developers.cloudflare.com/cache/).

* **Global distribution** \- Content cached in 300+ edge locations so visitors are served from the location nearest to them
* **Reduced latency** \- Cache hits are served directly from the edge, eliminating round-trips to your origin
* **Customizable cache rules** \- Create rules that change how Cloudflare caches content or transforms requests
* **Origin offload** \- Regional cache tiers intercept repeated requests before they reach your origin server
* **Persistent caching** \- Long-tail content that would normally expire is kept in durable storage, reducing origin fetches for infrequently accessed assets

## Get started

1. [Configure Cache Rules](https://developers.cloudflare.com/cache/how-to/cache-rules/)
2. [Enable Tiered Cache](https://developers.cloudflare.com/cache/how-to/tiered-cache/)
3. [Set up Cache Reserve](https://developers.cloudflare.com/cache/advanced-configuration/cache-reserve/)

---

---
title: Accelerate connections
description: Reduce latency with Argo Smart Routing, HTTP/3, and Early Hints asset preloading.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Accelerate connections

Network congestion and suboptimal routing between your origin and visitors add latency. Cloudflare Argo Smart Routing uses real-time network telemetry to route requests through the fastest paths, while Early Hints preloads assets before the full HTML response arrives.

## Solutions

### Argo Smart Routing

Route traffic through the fastest paths across Cloudflare's network. [Learn more about Argo Smart Routing](https://developers.cloudflare.com/argo-smart-routing/).

* **Smart routing** \- Automatically route requests through uncongested network paths, reducing latency between edge and origin
* **Optimized paths** \- Real-time network telemetry selects the fastest available route for each request

### Speed

Improve the performance of your website or web application. [Learn more about Speed](https://developers.cloudflare.com/speed/).

* **Faster handshakes** \- Assess the performance of your website and gain recommendations on how to optimize your website

### Early Hints

Preload assets before the HTML response arrives. [Learn more about Early Hints](https://developers.cloudflare.com/speed/optimization/content/early-hints/).

* **Asset preloading** \- Send `103 Early Hints` responses so browsers start fetching assets before the full HTML arrives

## Get started

1. [Enable Argo Smart Routing](https://developers.cloudflare.com/argo-smart-routing/get-started/)
2. [Enable HTTP/3](https://developers.cloudflare.com/speed/optimization/protocol/http3/)
3. [Enable Early Hints](https://developers.cloudflare.com/speed/optimization/content/early-hints/)

---

---
title: Optimize images
description: Reduce page load times by compressing, resizing, and converting images to WebP and AVIF automatically.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Optimize images

Images are often the largest assets on a page and the biggest contributor to slow load times. Cloudflare Images resizes and converts images on-the-fly to modern formats like WebP and AVIF, while Polish compresses existing images without visible quality loss.

## Solutions

### Images

Transform, optimize, and deliver images at scale. [Learn more about Images](https://developers.cloudflare.com/images/).

* **Modern formats** \- Automatically serve WebP or AV1 Image File Format (AVIF) to supported browsers, falling back gracefully for others
* **Responsive images** \- Resize and transform images on-the-fly via URL parameters without pre-generating variants

### Polish

Automatic image compression without quality loss. [Learn more about Polish](https://developers.cloudflare.com/images/polish/).

* **Automatic compression** \- Reduce image file sizes through lossless or lossy compression without visible quality loss

### Speed

Improve page load performance with built-in optimizations. [Learn more about Speed](https://developers.cloudflare.com/speed/).

* **Lazy loading** \- Defer loading of off-screen images to improve initial page load and Core Web Vitals

## Get started

1. [Images get started](https://developers.cloudflare.com/images/get-started/)
2. [Enable Polish](https://developers.cloudflare.com/images/polish/)

---

---
title: Balance traffic across origins
description: Distribute traffic across multiple servers for reliability and performance.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Balance traffic across origins

If a single origin server handles all your traffic, any failure or overload takes your application offline. Cloudflare's load balancing distributes traffic across multiple origins with health checks and automatic failover.

## Solutions

### Load balancing

Distribute traffic across origins with health checks and failover. [Learn more about load balancing](https://developers.cloudflare.com/load-balancing/).

* **Traffic distribution** \- Spread incoming load across multiple origin servers using weighted or latency-based policies
* **Failover** \- Reroute traffic to healthy origins instantly when a server fails its health check
* **Geographic steering** \- Route users to the nearest or best-performing origin based on latency or geography

### Health checks

Monitor origin server health and availability. [Learn more about health checks](https://developers.cloudflare.com/health-checks/).

* **Health monitoring** \- Continuously probe origins and automatically remove unhealthy servers from rotation

## Get started

1. [Create a load balancer](https://developers.cloudflare.com/load-balancing/get-started/)
2. [Configure health checks](https://developers.cloudflare.com/health-checks/get-started/)
3. [Set up steering policies](https://developers.cloudflare.com/load-balancing/understand-basics/traffic-steering/)

---

---
title: Monitor performance
description: Track real user metrics and identify performance issues.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Monitor performance

Understanding how real visitors experience your site requires metrics from actual sessions, not synthetic tests. Cloudflare Web Analytics collects Core Web Vitals and performance data from 100% of page views without cookies or sampling.

## Solutions

### Web Analytics

Privacy-first, cookie-free analytics for websites. [Learn more about Web Analytics](https://developers.cloudflare.com/web-analytics/).

* **Real user metrics** \- Performance data collected from actual visitor sessions, not synthetic tests
* **Core Web Vitals** \- Track Largest Contentful Paint (LCP), Interaction to Next Paint (INP), and Cumulative Layout Shift (CLS) scores across your real user base
* **No sampling** \- 100% of page views are measured without cookies, consent banners, or data sampling

### Observatory

Run performance tests and get optimization recommendations. [Learn more about Observatory](https://developers.cloudflare.com/speed/observatory/).

* **Performance testing** \- Run on-demand speed tests and receive prioritized optimization recommendations

## Get started

1. [Enable Web Analytics](https://developers.cloudflare.com/web-analytics/get-started/)
2. [Run a speed test](https://developers.cloudflare.com/speed/observatory/)

---

---
title: Optimize web assets
description: Speed up page rendering by minifying HTML, CSS, and JavaScript and loading third-party scripts server-side.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Optimize web assets

Unoptimized HTML, CSS, and JavaScript increase page weight and slow down rendering. Cloudflare Speed automatically minifies and compresses these assets, while Zaraz loads third-party analytics and marketing tags server-side to avoid blocking page rendering.

## Solutions

### Speed

Improve the performance of your website or web application. [Learn more about Speed](https://developers.cloudflare.com/speed/).

* **Minification** \- Remove whitespace and unnecessary characters from HTML, CSS, and JavaScript automatically
* **Compression** \- Brotli and Gzip compression applied to all text-based assets at the edge
* **Core Web Vitals** \- Improve Largest Contentful Paint (LCP), Interaction to Next Paint (INP), and Cumulative Layout Shift (CLS) scores by deferring non-critical scripts and optimizing asset delivery

### Zaraz

Server-side loading of third-party tools to improve performance and privacy. [Learn more about Zaraz](https://developers.cloudflare.com/zaraz/).

* **Third-party optimization** \- Load analytics, marketing tags, and other third-party tools through Cloudflare without blocking page rendering

## Get started

1. [Enable Speed optimizations](https://developers.cloudflare.com/speed/optimization/)
2. [Zaraz get started](https://developers.cloudflare.com/zaraz/get-started/)

---

---
title: Company security
description: Secure employees, devices, and data with Cloudflare Zero Trust access, secure web gateway, email security, and data loss prevention.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Company security

Protect employees, devices, and data with Zero Trust access, secure web gateway, and email security. Cloudflare Access and Tunnel replace VPNs with identity-verified, per-request access to internal applications. Gateway filters DNS and HTTP traffic to block threats. DLP prevents sensitive data from leaving your network. Email Security stops phishing, BEC, and malware. DMARC management prevents domain spoofing.

* [ Access internal applications securely ](https://developers.cloudflare.com/use-cases/company-security/employee-access/)
* [ Secure your company's Internet access ](https://developers.cloudflare.com/use-cases/company-security/internet-access/)
* [ Stop email phishing attacks ](https://developers.cloudflare.com/use-cases/company-security/email-security/)
* [ Prevent data loss ](https://developers.cloudflare.com/use-cases/company-security/data-loss-prevention/)
* [ Ensure device endpoint security ](https://developers.cloudflare.com/use-cases/company-security/device-security/)

## Architecture patterns

### VPN replacement

Replace traditional VPNs with Zero Trust access to internal applications:

* **Cloudflare Tunnel** connects internal apps to Cloudflare without opening inbound firewall ports
* **Access** verifies identity and device posture on every request
* **Cloudflare One client** routes device traffic through Cloudflare's network

### Secure web gateway

Filter and inspect Internet-bound traffic from employees:

* **Gateway** applies DNS and HTTP filtering policies to block threats and enforce acceptable use
* **Browser Isolation** executes risky web content in a remote browser
* **DLP** inspects outbound traffic for sensitive data patterns

### Email threat protection

Stop phishing, malware, and spoofing before they reach the inbox:

* **Email Security** scans inbound messages for phishing, Business Email Compromise (BEC), and malicious attachments
* **DMARC management** enforces email authentication and prevents domain spoofing

---

## Prerequisites

* A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up).
* A [Cloudflare One organization](https://developers.cloudflare.com/cloudflare-one/setup/) created in the Cloudflare dashboard. Access, Gateway (Secure Web Gateway), Data Loss Prevention (DLP), Cloud Access Security Broker (CASB), Browser Isolation, and Device Posture all operate within Cloudflare One.

---

## Related resources

[Cloudflare One documentation](https://developers.cloudflare.com/cloudflare-one/) 

Complete documentation for Zero Trust and Secure Access Service Edge (SASE).

[Email Security documentation](https://developers.cloudflare.com/email-security/) 

Complete documentation for email threat protection.

[Zero Trust case studies](https://www.cloudflare.com/case-studies/?product=Zero+Trust) 

Explore how enterprises implement Zero Trust with Cloudflare.

---

---
title: Prevent data loss
description: Protect sensitive data from exfiltration with DLP and CASB.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Prevent data loss

Sensitive data — Personally Identifiable Information (PII), payment card numbers, health records — can leave your network through employee uploads, SaaS misconfigurations, or compromised applications. Cloudflare One detects sensitive data patterns in traffic and blocks exfiltration in real time.

## Solutions

### Cloudflare One

Secure your organization with a cloud security platform that replaces legacy perimeters with Cloudflare's global network. [Learn more about Cloudflare One](https://developers.cloudflare.com/cloudflare-one/).

* **Data detection** \- Identify sensitive data patterns — Personally Identifiable Information (PII), Payment Card Industry (PCI), Protected Health Information (PHI), and custom patterns — in traffic flowing through Gateway
* **Inline protection** \- Block uploads or transfers of sensitive data in real time before they leave the network
* **SaaS visibility** \- Discover which SaaS applications employees are using, including unsanctioned shadow IT
* **Posture management** \- Identify misconfigurations and overly permissive sharing settings across connected SaaS apps

## Get started

1. [Configure DLP policies](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/)
2. [Set up CASB integrations](https://developers.cloudflare.com/cloudflare-one/cloud-and-saas-findings/)
3. [Create Gateway HTTP policies for DLP](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/)

---

---
title: Ensure device endpoint security
description: Verify device posture before granting access.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Ensure device endpoint security

Granting access to corporate applications without verifying device health creates risk. Cloudflare One checks OS version, disk encryption, and antivirus status before allowing a device to connect, and integrates with CrowdStrike, SentinelOne, and other Endpoint Detection and Response (EDR) tools.

## Solutions

### Cloudflare One

Secure your organization with a cloud security platform that replaces legacy perimeters with Cloudflare's global network. [Learn more about Cloudflare One](https://developers.cloudflare.com/cloudflare-one/).

* **Posture checks** \- Verify OS version, disk encryption status, and antivirus presence before granting access
* **Endpoint integration** \- Pull real-time device health signals from CrowdStrike, SentinelOne, and other Endpoint Detection and Response (EDR) tools
* **Conditional access** \- Gate application access on device posture results, so only healthy devices can connect

### Cloudflare One client

Device agent that routes traffic through Cloudflare's network. [Learn more about Cloudflare One client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/).

* **Always-on protection** \- Route device traffic through Cloudflare One at all times, enforcing Gateway policies regardless of network

## Get started

1. [Deploy the Cloudflare One client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)
2. [Configure device posture checks](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/)
3. [Add posture checks to Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)

---

---
title: Stop email phishing attacks
description: Protect your organization from email-based threats with advanced email security.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Stop email phishing attacks

Email is the most common vector for phishing, Business Email Compromise (BEC), and malware delivery. Cloudflare Email Security scans inbound messages to block these threats before they reach the inbox, and DMARC management prevents domain spoofing.

## Solutions

### Email security

Detect and block email-based threats including phishing, BEC, and malware. [Learn more about Email security](https://developers.cloudflare.com/email-security/).

* **Phishing protection** \- Block sophisticated phishing attacks including credential harvesting and impersonation
* **BEC prevention** \- Detect Business Email Compromise (BEC) attempts using behavioral analysis
* **Malware scanning** \- Inspect attachments and links to stop malware before it reaches the inbox

### DMARC management

Prevent email spoofing and improve deliverability. [Learn more about DMARC management](https://developers.cloudflare.com/dmarc-management/).

* **Brand protection** \- Prevent domain spoofing by enforcing Domain-based Message Authentication, Reporting and Conformance (DMARC) policy and monitoring email sources

## Get started

1. [Deploy Email security](https://developers.cloudflare.com/email-security/deployment/)
2. [Set up DMARC management](https://developers.cloudflare.com/dmarc-management/enable/)

---

---
title: Access internal applications securely
description: Implement Zero Trust access to internal applications without the complexity of VPNs.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Access internal applications securely

Traditional VPNs grant broad network access, create bottlenecks, and are difficult to scale. Cloudflare replaces VPNs with Zero Trust access — verifying identity and device posture on every request — using Cloudflare Tunnel, Access, and the Cloudflare One client.

## Solutions

### Cloudflare One

Secure your organization with a cloud security platform that replaces legacy perimeters with Cloudflare's global network. [Learn more about Cloudflare One](https://developers.cloudflare.com/cloudflare-one/).

* **Zero Trust access** \- Verify identity and device posture on every request before granting access to internal applications
* **Granular policies** \- Control access by user, group, device posture, and location with per-application rules

### Cloudflare Tunnel

Connect infrastructure to Cloudflare without opening inbound firewall ports. [Learn more about Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/).

* **No network exposure** \- Internal apps remain private; Tunnel creates an outbound-only connection with no inbound firewall changes

### Cloudflare One client

Securely route traffic through Cloudflare's network. [Learn more about Cloudflare One client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/).

* **Better performance** \- Lower latency than traditional VPN architectures, as traffic routes through Cloudflare's global network rather than backhauling to a central data center

## Get started

### Access internal applications securely

* [Secure a private web app](https://developers.cloudflare.com/cloudflare-one/setup/secure-private-apps/private-web-app/)
* [Set up clientless SSH](https://developers.cloudflare.com/cloudflare-one/setup/secure-private-apps/clientless-ssh/)
* [Set up in-browser RDP](https://developers.cloudflare.com/cloudflare-one/setup/secure-private-apps/in-browser-rdp/)

---

---
title: Secure your company's Internet access
description: Protect users from threats on the Internet with Gateway DNS and HTTP filtering.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Secure your company's Internet access

Employees browsing the Internet encounter malware, phishing, and data exfiltration risks. Cloudflare Gateway filters DNS and HTTP traffic to block threats and enforce acceptable use policies, while browser isolation executes risky content in a remote browser.

## Solutions

### Gateway

Secure web gateway with DNS, HTTP, and network filtering. [Learn more about Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/).

* **Threat protection** \- Block malware, phishing, and command-and-control domains at the DNS and HTTP layers
* **Content filtering** \- Enforce acceptable use policies by blocking categories of domains across the organization
* **Data protection** \- Inspect HTTP traffic and prevent sensitive data from being uploaded to unauthorized destinations

### Cloudflare One

Secure your organization with a cloud security platform that replaces legacy perimeters with Cloudflare's global network. [Learn more about Cloudflare One](https://developers.cloudflare.com/cloudflare-one/).

* **Browser isolation** \- Execute risky web content in a remote browser, keeping malware away from user devices

## Get started

1. [Set up Gateway DNS filtering](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/)
2. [Configure HTTP inspection](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/)
3. [Deploy Browser Isolation](https://developers.cloudflare.com/cloudflare-one/remote-browser-isolation/setup/)

### Secure your company's Internet access

* [Device to network](https://developers.cloudflare.com/cloudflare-one/setup/replace-vpn/device-to-network/)
* [Device to device](https://developers.cloudflare.com/cloudflare-one/setup/replace-vpn/device-to-device/)
* [Network to network](https://developers.cloudflare.com/cloudflare-one/setup/replace-vpn/network-to-network/)


---

---
title: Web sites and web apps
description: Build and deploy full-stack web applications on Cloudflare with Workers, D1, KV, R2, Durable Objects, and Queues.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Web sites and web apps

Build and deploy full-stack web applications globally with serverless compute, storage, and instant deployments. Cloudflare Workers runs your frontend and backend logic at the edge. D1 provides a serverless SQL database. KV stores key-value data globally. R2 provides S3-compatible object storage with zero egress fees. Durable Objects coordinates real-time state. Queues handles background processing.

* [ Deploy frontend applications ](https://developers.cloudflare.com/use-cases/web-apps/deploy-frontend/)
* [ Build serverless backends ](https://developers.cloudflare.com/use-cases/web-apps/serverless-backends/)
* [ Store application data ](https://developers.cloudflare.com/use-cases/web-apps/store-data/)
* [ Add real-time features ](https://developers.cloudflare.com/use-cases/web-apps/real-time/)
* [ Optimize performance ](https://developers.cloudflare.com/use-cases/web-apps/performance/)
* [ Secure your application ](https://developers.cloudflare.com/use-cases/web-apps/security/)

## Architecture patterns

### Full-stack application

Build a complete application with frontend and backend:

* **Workers** serves your frontend assets (React, Vue, Astro, and similar frameworks) and handles Application Programming Interface (API) routes
* **D1** stores application data
* **R2** stores user uploads and assets

### Real-time collaborative app

Build multiplayer or collaborative features:

* **Durable Objects** coordinates state and WebSocket connections
* **Workers** handles HTTP requests and routing
* **KV** caches frequently accessed data
* **Queues** processes background tasks

### Static site with dynamic features

Add interactivity to static content:

* **Workers** serves static HTML/CSS/JavaScript (JS) and handles form submissions and API calls
* **KV** stores form data and user preferences
* **R2** stores uploaded files

---

## Prerequisites

### Create a new application

* A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up).
* [Node.js ↗](https://nodejs.org/) (version 16.17.0 or later) installed on your machine.
* [Wrangler](https://developers.cloudflare.com/workers/wrangler/install-and-update/) installed. Wrangler is the CLI for creating, testing, and deploying Workers projects.

### Use an existing application

* A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up).
* A domain [added to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) with DNS records proxied through Cloudflare. This is required for security features (SSL/TLS, Application security), caching, and performance optimizations.
* [Node.js ↗](https://nodejs.org/) (version 16.17.0 or later) and [Wrangler](https://developers.cloudflare.com/workers/wrangler/install-and-update/) if you plan to add Workers-based functionality to your existing application.

---

## Related resources

[Workers documentation](https://developers.cloudflare.com/workers/) 

Complete documentation for building and deploying applications on Cloudflare.

[Developer platform tutorials](https://developers.cloudflare.com/workers/tutorials/) 

Step-by-step guides for building on Cloudflare.


---

---
title: Deploy frontend applications
description: Deploy React, Vue, Astro, and other frontend frameworks globally with Git-triggered builds and preview URLs.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Deploy frontend applications

Deploying a frontend application with React, Vue, Astro, or any other framework requires a platform that handles builds, previews, and global distribution. Cloudflare Workers deploys your frontend to 300+ edge locations with automatic builds triggered on push to GitHub or GitLab.

## Solutions

### Workers

Build and deploy serverless applications on Cloudflare's global network. [Learn more about Workers](https://developers.cloudflare.com/workers/).

* **Git integration** \- Automatic deployments triggered on push to GitHub or GitLab
* **Preview deployments** \- Every pull request gets a unique URL for review before merging
* **Global distribution** \- Static assets and server-side logic served from 300+ edge locations
* **Full-stack support** \- Serve frontend assets and handle Application Programming Interface (API) routes from a single deployment

## Get started

1. [Workers get started](https://developers.cloudflare.com/workers/get-started/)
2. [Configure custom domains](https://developers.cloudflare.com/workers/configuration/routing/custom-domains/)


---

---
title: Optimize performance
description: Accelerate your application with caching, smart routing, and edge optimization.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Optimize performance

Slow page loads increase bounce rates and reduce conversions. Cloudflare accelerates your application with edge caching, Argo Smart Routing to avoid congested network paths, and automatic asset optimization that improves Core Web Vitals scores.

## Solutions

### Cache

Cache content at Cloudflare's global network of edge locations. [Learn more about Cache](https://developers.cloudflare.com/cache/).

* **Edge caching** \- Serve responses from the nearest Cloudflare location to reduce latency and origin load

### Argo Smart Routing

Route traffic through the fastest paths across Cloudflare's network. [Learn more about Argo Smart Routing](https://developers.cloudflare.com/argo-smart-routing/).

* **Smart routing** \- Automatically avoid congested network paths between edge and origin

### Speed

Automatic optimizations for HTML, CSS, JavaScript, and fonts. [Learn more about Speed](https://developers.cloudflare.com/speed/).

* **Asset optimization** \- Automatic minification of HTML, CSS, and JavaScript plus Brotli compression
* **Core Web Vitals** \- Improve Largest Contentful Paint (LCP), Interaction to Next Paint (INP), and Cumulative Layout Shift (CLS) scores with built-in optimizations

### Workers

Build and deploy serverless applications on Cloudflare's global network. [Learn more about Workers](https://developers.cloudflare.com/workers/).

* **Edge logic** \- Run custom performance optimizations at the edge, such as HTML rewriting and dynamic content assembly, without round-trips to your origin

## Get started

1. [Configure Cache Rules](https://developers.cloudflare.com/cache/how-to/cache-rules/)
2. [Enable Argo Smart Routing](https://developers.cloudflare.com/argo-smart-routing/get-started/)
3. [Enable Speed optimizations](https://developers.cloudflare.com/speed/optimization/)
4. [Rewrite HTML at the edge with HTMLRewriter](https://developers.cloudflare.com/workers/runtime-apis/html-rewriter/)


---

---
title: Add real-time features
description: Build interactive applications with WebSockets, real-time collaboration, and live updates.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Add real-time features

Real-time features, such as live chat, collaborative editing, and multiplayer interactions, require persistent connections and strongly consistent state. Cloudflare Durable Objects maintain WebSocket connections and coordinate shared state, while Queues handle background event processing.

## Solutions

### Durable Objects

Stateful objects with strongly consistent storage and coordination. [Learn more about Durable Objects](https://developers.cloudflare.com/durable-objects/).

* **WebSocket support** \- Maintain persistent connections and broadcast messages across clients in real time
* **Collaborative editing** \- Build multiplayer and co-editing experiences with strongly consistent shared state
* **Strong consistency** \- Coordinate state across many concurrent connections with transactional guarantees

### Queues

Reliable message queuing and background processing for Workers. [Learn more about Queues](https://developers.cloudflare.com/queues/).

* **Event processing** \- Handle webhooks and background jobs reliably without blocking the main request path

## Get started

1. [Durable Objects get started](https://developers.cloudflare.com/durable-objects/get-started/)
2. [WebSocket connections with Durable Objects](https://developers.cloudflare.com/durable-objects/examples/websocket-hibernation-server/)
3. [Queues get started](https://developers.cloudflare.com/queues/get-started/)


---

---
title: Secure your application
description: Protect your web application from attacks, bots, and abuse.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Secure your application

Web applications face threats at every layer: unencrypted traffic, injection attacks, DDoS floods, credential stuffing bots, and malicious third-party scripts. Cloudflare provides defense in depth from automatic SSL/TLS encryption through application security, DDoS protection, bot scoring, and client-side script monitoring.

## Solutions

### SSL/TLS

Encrypt all traffic with free, automatic SSL certificates. [Learn more about SSL/TLS](https://developers.cloudflare.com/ssl/).

* **Automatic HTTPS** \- Free Universal SSL certificates provisioned and renewed automatically

### Application security

Get automatic protection from vulnerabilities and create your own custom rules. [Learn more about Application security](https://developers.cloudflare.com/waf/).

* **Attack protection** \- Application security's managed rulesets block SQL injection, Cross-Site Scripting (XSS), and Open Web Application Security Project (OWASP) Top 10 vulnerabilities

### DDoS protection

Automatic mitigation of volumetric and application-layer DDoS attacks. [Learn more about DDoS protection](https://developers.cloudflare.com/ddos-protection/).

* **DDoS mitigation** \- Always-on layer 3/4 and layer 7 Distributed Denial of Service (DDoS) protection included at no extra cost

### Bot security

Machine learning powered bot detection with granular control over bot traffic. [Learn more about Bot security](https://developers.cloudflare.com/bots/).

* **Bot defense** \- Stop credential stuffing and content scraping with ML-powered bot scoring

### Turnstile

Privacy-preserving CAPTCHA alternative for forms and user interactions. [Learn more about Turnstile](https://developers.cloudflare.com/turnstile/).

* **Form protection** \- Privacy-preserving CAPTCHA alternative for login and signup forms

### Client-side security

Monitor and control third-party scripts and outbound connections on your pages. [Learn more about Client-side security](https://developers.cloudflare.com/client-side-security/).

* **Script security** \- Detect and block malicious third-party JavaScript injections

## Get started

1. [Enable SSL/TLS](https://developers.cloudflare.com/ssl/get-started/)
2. [Configure Application Security managed rules](https://developers.cloudflare.com/waf/managed-rules/deploy-zone-dashboard/)
3. [Add Turnstile to forms](https://developers.cloudflare.com/turnstile/get-started/)


---

---
title: Build serverless backends
description: Deploy backend code globally with automatic scaling, fast startup times, and scheduled tasks.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Build serverless backends

Running backend code on traditional servers requires provisioning capacity, managing scaling, and accepting cold starts. Cloudflare Workers runs your server-side code at the edge with fast startup, automatic scaling, and global distribution across 300+ locations.

## Solutions

### Workers

Build and deploy serverless applications on Cloudflare's global network. [Learn more about Workers](https://developers.cloudflare.com/workers/).

* **Global deployment** \- Code runs at the Cloudflare location nearest to each user automatically
* **Fast startup** \- V8 isolates start in milliseconds with no warm-up period, avoiding the cold start delays of container-based platforms
* **Auto-scaling** \- Handle traffic spikes without provisioning or configuration

### Cron Triggers

Schedule Workers to run on a recurring basis. [Learn more about Cron Triggers](https://developers.cloudflare.com/workers/configuration/cron-triggers/).

* **Scheduled tasks** \- Run Workers on a fixed schedule for background jobs and periodic tasks

### Queues

Reliable message queuing and background processing for Workers. [Learn more about Queues](https://developers.cloudflare.com/queues/).

* **Async processing** \- Reliably process background jobs and webhooks without blocking request handling

## Get started

1. [Workers get started](https://developers.cloudflare.com/workers/get-started/)
2. [Configure Cron Triggers](https://developers.cloudflare.com/workers/configuration/cron-triggers/)
3. [Queues get started](https://developers.cloudflare.com/queues/get-started/)


---

---
title: Store application data
description: Persist data with serverless databases, key-value storage, and object storage.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Store application data

Web applications need different storage types for different workloads — relational data, key-value lookups, file uploads, and real-time state. Cloudflare provides serverless storage options including D1 (SQL), KV (key-value), R2 (object storage), and Durable Objects (strongly consistent state).

## Solutions

### D1

Serverless SQL database built on SQLite, with global read replication. [Learn more about D1](https://developers.cloudflare.com/d1/).

* **SQL database** \- Full Structured Query Language (SQL) with global read replication built on SQLite

### KV

Globally distributed key-value storage for low-latency reads. [Learn more about KV](https://developers.cloudflare.com/kv/).

* **Key-value storage** \- Fast globally-distributed reads for configuration, sessions, and cached data

### R2

S3-compatible object storage with zero egress fees. [Learn more about R2](https://developers.cloudflare.com/r2/).

* **Object storage** \- Store user-uploaded files and assets with no egress fees

### Durable Objects

Stateful objects with strongly consistent storage and coordination. [Learn more about Durable Objects](https://developers.cloudflare.com/durable-objects/).

* **Real-time state** \- Strongly consistent coordination for collaborative features and live data

## Get started

1. [D1 get started](https://developers.cloudflare.com/d1/get-started/)
2. [KV get started](https://developers.cloudflare.com/kv/get-started/)
3. [R2 get started](https://developers.cloudflare.com/r2/get-started/)
4. [Durable Objects get started](https://developers.cloudflare.com/durable-objects/get-started/)


---

---
title: APIs and microservices
description: Build, protect, and monitor APIs with Cloudflare Workers, API Shield, rate limiting, mTLS, and Logpush.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# APIs and microservices

Build, secure, and manage Application Programming Interfaces (APIs) with rate limiting, authentication, and observability. Cloudflare Workers deploys API handlers globally with automatic scaling. API Shield validates requests against your OpenAPI specification. Rate Limiting prevents abuse. mTLS authenticates machine-to-machine communication. Cloudflare Tunnel and Access secure internal microservices. Logpush and Workers Analytics Engine provide monitoring.

* [ Deploy APIs at the edge ](https://developers.cloudflare.com/use-cases/apis/deploy-apis/)
* [ Protect your APIs ](https://developers.cloudflare.com/use-cases/apis/protect-apis/)
* [ Connect your internal network services ](https://developers.cloudflare.com/use-cases/apis/internal-services/)
* [ Monitor your APIs ](https://developers.cloudflare.com/use-cases/apis/monitor-apis/)

## Architecture patterns

### Secure API gateway

Protect your APIs with defense in depth:

* **API Shield** validates requests against your OpenAPI schema
* **Security rules** use managed rulesets to block SQL injection, XSS, and OWASP Top 10 vulnerabilities
* **Rate Limiting** prevents abuse and Distributed Denial of Service (DDoS) attacks
* **mTLS** (mutual TLS) authenticates known clients with certificates

### Edge-native APIs

Build APIs that run entirely on Cloudflare:

* **Workers** handles request routing and business logic
* **D1** or **KV** stores application data
* **Queues** handles async processing and webhooks

### Microservices mesh

Connect and secure internal services:

* **Cloudflare Tunnel** exposes services without public IPs
* **Access** enforces identity-based policies between services
* **Workers** acts as an API gateway for external consumers

---

## Prerequisites

### Create a new application

* A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up).
* [Node.js ↗](https://nodejs.org/) (version 16.17.0 or later) installed on your machine.
* [Wrangler](https://developers.cloudflare.com/workers/wrangler/install-and-update/) installed.

### Use an existing application

* A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up).
* A domain [added to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) with DNS records proxied through Cloudflare. This is required for API Shield, rate limiting, and application security.
* For securing internal services with Cloudflare Tunnel and Access: a [Cloudflare One organization](https://developers.cloudflare.com/cloudflare-one/setup/) created in the Cloudflare dashboard.

---

## Related resources

[API Shield documentation](https://developers.cloudflare.com/api-shield/) 

Complete documentation for API discovery, schema validation, and security.

[Workers examples](https://developers.cloudflare.com/workers/examples/) 

Code examples for building APIs with Workers.


---

---
title: Deploy APIs at the edge
description: Deploy globally distributed APIs that scale automatically with no servers to manage.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Deploy APIs at the edge

Deploying APIs on traditional infrastructure means managing servers, configuring regions, and provisioning for traffic spikes. Cloudflare Workers runs your API handlers in 300+ locations worldwide with automatic scaling and fast startup times.

## Solutions

### Workers

Build and deploy serverless applications on Cloudflare's global network. [Learn more about Workers](https://developers.cloudflare.com/workers/).

* **Global deployment** \- API handlers run in 300+ Cloudflare locations worldwide with no regional configuration
* **Auto-scaling** \- Handle traffic spikes without provisioning servers or setting capacity limits

### Queues

Reliable message queuing and background processing for Workers. [Learn more about Queues](https://developers.cloudflare.com/queues/).

* **Async processing** \- Offload webhook delivery and background jobs without blocking the API response

### D1 and Durable Objects

Serverless SQL database built on SQLite, with global read replication ([learn more about D1](https://developers.cloudflare.com/d1/)). Stateful objects with strongly consistent storage and coordination ([learn more about Durable Objects](https://developers.cloudflare.com/durable-objects/)).

* **Integrated storage** \- Structured Query Language (SQL) database and strongly consistent state storage available as Worker bindings

## Get started

1. [Workers get started](https://developers.cloudflare.com/workers/get-started/)
2. [D1 get started](https://developers.cloudflare.com/d1/get-started/)
3. [Queues get started](https://developers.cloudflare.com/queues/get-started/)


---

---
title: Connect your internal network services
description: Expose internal APIs and microservices securely without opening inbound firewall ports.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Connect your internal network services

Internal services and microservices often need to communicate without exposing endpoints to the public Internet. Cloudflare Tunnel creates outbound-only connections with no inbound firewall rules, while Access enforces Zero Trust policies for every request between services.

## Solutions

### Cloudflare Tunnel

Connect infrastructure to Cloudflare without opening inbound firewall ports. [Learn more about Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/).

* **No public exposure** \- Internal Application Programming Interfaces (APIs) remain private; Tunnel establishes an outbound-only connection with no inbound firewall rules needed

### Access

Zero Trust access control for applications and infrastructure. [Learn more about Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/).

* **Zero Trust policies** \- Verify identity and enforce per-service policies for every request between services
* **Centralized policy management** \- Manage access rules for all internal services from a single control plane

### Service Tokens

Non-interactive credentials for machine-to-machine authentication. [Learn more about Service Tokens](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/).

* **Service-to-service auth** \- Authenticate internal services with non-interactive credentials managed in Cloudflare One

## Get started

1. [Create a Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/get-started/)
2. [Cloudflare Access get started](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)
3. [Create service tokens](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/)


---

---
title: Monitor your APIs
description: Monitor API traffic, discover undocumented endpoints, and track custom business metrics.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Monitor your APIs

Understanding how your APIs are used — request volume, latency, error rates, and undocumented endpoints — is essential for reliability and security. Cloudflare API Shield Analytics discovers endpoints from observed traffic, Logpush streams logs to your analytics platform, and Workers Analytics Engine tracks custom business metrics.

## Solutions

### API Shield Analytics

Discover endpoints and monitor API traffic patterns. [Learn more about API Shield Analytics](https://developers.cloudflare.com/api-shield/security/api-discovery/).

* **API discovery** \- Automatically find undocumented endpoints from observed traffic
* **Traffic analysis** \- Understand request volume, latency, and usage patterns per endpoint

### Logpush

Stream logs from Cloudflare products to external destinations. [Learn more about Logpush](https://developers.cloudflare.com/logs/).

* **Log export** \- Stream detailed API request logs to your Security Information and Event Management (SIEM) system, data warehouse, or analytics platform

### Workers Analytics Engine

Store and query time-series analytics data from Workers. [Learn more about Workers Analytics Engine](https://developers.cloudflare.com/analytics/analytics-engine/).

* **Custom metrics** \- Track business-specific Key Performance Indicators (KPIs) such as per-customer usage and error rates

## Get started

1. [API Shield get started](https://developers.cloudflare.com/api-shield/get-started/)
2. [Configure Logpush](https://developers.cloudflare.com/logs/logpush/)
3. [Workers Analytics Engine get started](https://developers.cloudflare.com/analytics/analytics-engine/get-started/)

---

---
title: Protect your APIs
description: Secure APIs against abuse and injection attacks with schema validation, rate limiting, mTLS, and WAF rules.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Protect your APIs

APIs are exposed to abuse, injection attacks, and unauthorized access. Cloudflare provides defense in depth with API Shield schema validation, per-endpoint rate limiting, mutual TLS (mTLS) client authentication, and security rules.

## Solutions

### API Shield

Discover, secure, and monitor your APIs. [Learn more about API Shield](https://developers.cloudflare.com/api-shield/).

* **Schema validation** \- Reject requests that do not conform to your OpenAPI specification before they reach your origin

### Rate Limiting

Limit request rates based on flexible matching criteria. [Learn more about Rate Limiting](https://developers.cloudflare.com/waf/rate-limiting-rules/).

* **Rate limiting** \- Prevent abuse and volumetric attacks with per-IP or per-API-key request limits

### mTLS

Mutual TLS client certificate authentication. [Learn more about mTLS](https://developers.cloudflare.com/ssl/client-certificates/).

* **Client authentication** \- Require mutual TLS certificates for machine-to-machine communication

### Application Security

Get automatic protection from vulnerabilities and create your own custom rules. [Learn more about Application Security](https://developers.cloudflare.com/waf/).

* **Attack protection** \- Application security's managed rulesets block SQL injection, Cross-Site Scripting (XSS), and other injection attacks

### Access

Zero Trust access control for applications and infrastructure. [Learn more about Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/).

* **Identity providers** \- Integrate with Okta, Azure AD, Google Workspace, and other identity providers (IdPs) to gate API access
* **Service tokens** \- Issue long-lived credentials for machine-to-machine authentication between services

### Workers

Build and deploy serverless applications on Cloudflare's global network. [Learn more about Workers](https://developers.cloudflare.com/workers/).

* **JWT validation** \- Verify and decode JSON Web Tokens (JWTs) at the edge before requests reach your backend
* **Custom auth logic** \- Build any authentication scheme — API keys, Hash-based Message Authentication Code (HMAC) signatures, custom headers — directly at the edge

## Get started

1. [API Shield get started](https://developers.cloudflare.com/api-shield/get-started/)
2. [Configure rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/)
3. [Set up mTLS authentication](https://developers.cloudflare.com/ssl/client-certificates/)
4. [Configure applications with Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/)
5. [Service tokens](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/)
6. [Workers get started](https://developers.cloudflare.com/workers/get-started/)

---

---
title: SaaS platforms
description: Build multi-tenant SaaS platforms with Cloudflare SSL for SaaS, Workers for Platforms, and per-tenant storage.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# SaaS platforms

Build multi-tenant platforms with custom domains, isolated compute, and per-customer configuration. Cloudflare SSL for SaaS provisions and renews SSL certificates for every customer hostname. Workers for Platforms runs customer code in isolated V8 environments. D1, KV, and R2 provide per-tenant data storage. Workers Analytics Engine and Logpush track usage for billing and compliance.

* [Customer domains with SSL for SaaS](https://developers.cloudflare.com/use-cases/saas/custom-domains/)
* [Enable customer code deployment](https://developers.cloudflare.com/use-cases/saas/code-deployment/)
* [Store and isolate customer data](https://developers.cloudflare.com/use-cases/saas/data-isolation/)
* [Protect your platform](https://developers.cloudflare.com/use-cases/saas/protect-platform/)
* [Observe customer usage and billing](https://developers.cloudflare.com/use-cases/saas/usage-analytics/)

## Architecture patterns

### Custom domains with SSL

Allow customers to use their own domains with automatic certificate management:

* **SSL for SaaS** provisions and renews certificates for every custom hostname
* **Cloudflare for Platforms** routes customer domains to your platform with per-tenant configuration

### Multi-tenant compute

Let customers deploy their own code on your platform:

* **Workers for Platforms** runs customer code in isolated V8 environments
* **Dispatch namespaces** route requests to the correct tenant Worker based on hostname or path
* **SSL for SaaS** handles custom domains for each tenant

### Full multi-tenant platform

Combine custom domains, tenant compute, and isolated storage:

* **SSL for SaaS** manages customer hostnames and certificates
* **Workers for Platforms** runs per-tenant application logic
* **D1** or **KV** stores per-tenant data with database-level or key-prefix isolation
* **R2** stores per-tenant files and assets

---

## Prerequisites

### Create a new application

* A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up).
* A domain [added to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) for your platform (for example, `yourplatform.com`). SSL for SaaS uses this as the provider domain against which customer custom hostnames are issued. Refer to [Enable Cloudflare for SaaS](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/start/enable/).
* A [Workers Paid plan](https://developers.cloudflare.com/workers/platform/pricing/) for Workers for Platforms. Dispatch namespaces, which route requests to customer-specific Workers, are not available on the free tier.
* [Node.js ↗](https://nodejs.org/) (version 16.17.0 or later) and [Wrangler](https://developers.cloudflare.com/workers/wrangler/install-and-update/) installed.

### Use an existing application

* A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up).
* A domain [added to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) for your platform. This is your domain, not your customers' domains. SSL for SaaS issues customer custom hostnames against this provider domain. Refer to [Enable Cloudflare for SaaS](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/start/enable/).
* [Node.js ↗](https://nodejs.org/) (version 16.17.0 or later) and [Wrangler](https://developers.cloudflare.com/workers/wrangler/install-and-update/) if you plan to add Workers for Platforms or manage bindings programmatically.

---

## Related resources

[SSL for SaaS documentation](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/) 

Complete documentation for managing custom hostnames and certificates.

[Workers for Platforms](https://developers.cloudflare.com/cloudflare-for-platforms/workers-for-platforms/) 

Let customers deploy their own code on your platform.

[SaaS case studies](https://www.cloudflare.com/case-studies/) 

Explore how SaaS companies build on Cloudflare.

---

---
title: Enable customer code deployment
description: Let your customers deploy their own code on your platform with isolated execution environments.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Enable customer code deployment

SaaS platforms often need to let customers run their own code — custom logic, integrations, webhooks — without compromising tenant isolation or platform stability. Cloudflare Workers for Platforms runs each customer's code in a separate V8 isolate with dispatch routing based on hostname, path, or header.

## Solutions

### Workers for Platforms

Deploy isolated Workers execution environments for your customers. [Learn more about Workers for Platforms](https://developers.cloudflare.com/cloudflare-for-platforms/workers-for-platforms/).

* **Tenant isolation** \- Each customer's code runs in a separate V8 isolate with no shared memory between tenants
* **Custom logic** \- Customers can deploy their own Workers to extend or customize your platform's behavior
* **Dispatch routing** \- Route incoming requests to the correct customer Worker based on hostname, path, or header
* **Observability** \- Tail Workers capture logs and errors across all tenant code from a single integration

## Get started

1. [Workers for Platforms get started](https://developers.cloudflare.com/cloudflare-for-platforms/workers-for-platforms/get-started/)
2. [Configure Dispatch Namespaces](https://developers.cloudflare.com/cloudflare-for-platforms/workers-for-platforms/configuration/dynamic-dispatch/)

---

---
title: Customer domains with SSL for SaaS
description: Allow your customers to use their own domains with your platform, complete with automatic SSL certificates.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Customer domains with SSL for SaaS

SaaS customers expect to use their own domains (for example, `app.theirdomain.com`) instead of a subdomain on your platform. Cloudflare SSL for SaaS provisions and renews SSL certificates automatically for every custom hostname, with no manual steps or customer action required.

## Solutions

### Cloudflare for Platforms

Extend Cloudflare's network and services to your customers. [Learn more about Cloudflare for Platforms](https://developers.cloudflare.com/cloudflare-for-platforms/).

* **Custom domains** \- Customers bring their own domains and have them route to your platform with per-tenant configuration

### SSL for SaaS

Provision and manage SSL certificates for custom customer domains. [Learn more about SSL for SaaS](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/).

* **Automatic SSL** \- Certificates provisioned and renewed automatically for every customer domain with no manual steps
* **No customer action required** \- Cloudflare can complete domain validation without requiring action from the customer
* **Scale** \- Support thousands of custom hostnames per domain without additional per-hostname infrastructure

## Get started

1. [SSL for SaaS get started](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/start/getting-started/)
2. [Create custom hostnames](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/domain-support/create-custom-hostnames/)
3. [Validate certificates](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/validate-certificates/)

---

---
title: Store and isolate customer data
description: Isolate customer data in a multi-tenant SaaS platform using per-tenant databases, object storage, and key-value stores.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Store and isolate customer data

Multi-tenant platforms need to store customer data with appropriate isolation — per-tenant databases, separate object storage, or row-level separation. Cloudflare provides serverless storage options that support tenant isolation at the database, bucket, or key-prefix level.

## Solutions

### D1

Serverless SQL database built on SQLite, with global read replication. [Learn more about D1](https://developers.cloudflare.com/d1/).

* **Database per tenant** \- Create isolated D1 databases per customer for complete data separation, or use row-level isolation in a shared database

### R2

S3-compatible object storage with zero egress fees. [Learn more about R2](https://developers.cloudflare.com/r2/).

* **Object storage** \- Store customer files and assets per tenant using prefix or bucket-level isolation, with no egress fees

### Durable Objects

Stateful objects with strongly consistent storage and coordination. [Learn more about Durable Objects](https://developers.cloudflare.com/durable-objects/).

* **Real-time coordination** \- Manage stateful workflows and provide strong consistency for multi-tenant operations

### KV

Globally distributed key-value storage for low-latency reads. [Learn more about KV](https://developers.cloudflare.com/kv/).

* **Edge configuration** \- Store per-tenant settings, feature flags, and session data at the edge for low-latency reads

## Get started

1. [D1 get started](https://developers.cloudflare.com/d1/get-started/)
2. [R2 get started](https://developers.cloudflare.com/r2/get-started/)
3. [Durable Objects get started](https://developers.cloudflare.com/durable-objects/get-started/)

---

---
title: Protect your platform
description: Secure your SaaS platform and your customers' data.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Protect your platform

SaaS platforms are high-value targets because a single breach can expose data across all tenants. Cloudflare's managed rulesets protect your platform and customer endpoints, rate limiting prevents any single tenant from degrading service for others, and Cloudflare One gates admin tools behind Zero Trust policies.

## Solutions

### Application security

Get automatic protection from vulnerabilities and create your own custom rules. [Learn more about Application security](https://developers.cloudflare.com/waf/).

* **Platform protection** \- Application security's managed rulesets block common attacks against your platform and your customers' endpoints
* **API protection** \- Secure platform Application Programming Interfaces (APIs) with security rules and per-API-key rate limits

### Rate limiting

Limit request rates based on flexible matching criteria. [Learn more about Rate limiting](https://developers.cloudflare.com/waf/rate-limiting-rules/).

* **Per-tenant limits** \- Apply rate limits per customer identifier to prevent one tenant from degrading service for others

### Cloudflare One

Secure your organization with a cloud security platform that replaces legacy perimeters with Cloudflare's global network. [Learn more about Cloudflare One](https://developers.cloudflare.com/cloudflare-one/).

* **Admin security** \- Gate internal dashboards and admin tools behind Zero Trust identity policies

## Get started

1. [Deploy application security managed rulesets](https://developers.cloudflare.com/waf/managed-rules/deploy-zone-dashboard/)
2. [Configure rate limiting rules](https://developers.cloudflare.com/waf/rate-limiting-rules/)
3. [Cloudflare Access get started](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)

---

---
title: Observe customer usage and billing
description: Track usage across tenants for billing, optimization, and insights.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Observe customer usage and billing

Usage-based billing and per-tenant performance monitoring require detailed analytics broken down by customer. Cloudflare Workers Analytics Engine tracks request counts, latency, and bytes per tenant ID, while Logpush exports detailed logs for compliance and audit trails.

## Solutions

### Workers Analytics Engine

Store and query time-series analytics data from Workers. [Learn more about Workers Analytics Engine](https://developers.cloudflare.com/analytics/analytics-engine/).

* **Per-tenant metrics** \- Track request counts, latency, and bytes transferred broken down by tenant ID
* **Billing data** \- Query usage data per customer to power usage-based billing calculations
* **Performance insights** \- Identify which tenants are generating the most load or experiencing the most errors

### Logpush

Stream logs from Cloudflare products to external destinations. [Learn more about Logpush](https://developers.cloudflare.com/logs/).

* **Compliance logging** \- Export detailed logs to your Security Information and Event Management (SIEM) system or data warehouse for audit trails and enterprise compliance

## Get started

1. [Workers Analytics Engine get started](https://developers.cloudflare.com/analytics/analytics-engine/get-started/)
2. [Configure Logpush](https://developers.cloudflare.com/logs/logpush/)

---

---
title: AI applications
description: Build AI applications on Cloudflare with Workers AI inference, AI Gateway, Vectorize, and serverless storage.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# AI applications

Build and deploy AI applications on Cloudflare's global network with inference at the edge, vector databases, and model gateways. Workers AI runs Large Language Models (LLMs), text embeddings, image generation, and other models with pay-per-use pricing. AI Gateway proxies requests to OpenAI, Anthropic, and other providers with caching and unified analytics. Vectorize stores embeddings for Retrieval Augmented Generation (RAG) workflows.

AI applications can present unique infrastructure challenges, such as unpredictable inference costs, latency-sensitive user experiences, and the need to work with multiple model providers. Cloudflare provides a complete platform for building AI applications that are fast, cost-effective, and globally distributed.

* [Build and run AI applications](https://developers.cloudflare.com/use-cases/ai/build-and-run/)
* [Store and retrieve context](https://developers.cloudflare.com/use-cases/ai/store-and-retrieve-context/)
* [Control costs and improve quality](https://developers.cloudflare.com/use-cases/ai/control-costs/)

## Architecture patterns

### Retrieval Augmented Generation (RAG)

Combine vector search with Large Language Model (LLM) inference to ground responses in your own data:

* **Vectorize** stores embeddings of your knowledge base
* **Workers** receives user queries and searches for relevant context
* **Workers AI** or **AI Gateway** generates responses using retrieved context

### Multi-provider AI gateway

Use AI Gateway to route requests across providers while maintaining a single interface:

* **AI Gateway** proxies requests to OpenAI, Anthropic, or Workers AI
* Built-in caching reduces costs for repeated queries
* Unified logging and analytics across all providers

### Real-time AI features

Deploy low-latency AI features directly at the edge:

* **Workers** handles requests at the nearest Cloudflare location and runs inference via the Workers AI binding — no round-trips to origin servers
* **KV** caches frequent responses to reduce inference calls and latency
* **D1** stores session state and conversation history alongside the inference logic

---

## Prerequisites

### Create a new application

* A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up).
* [Node.js ↗](https://nodejs.org/) (version 16.17.0 or later) installed on your machine.
* [Wrangler](https://developers.cloudflare.com/workers/wrangler/install-and-update/) installed. Wrangler is the command-line interface (CLI) for deploying Workers and managing bindings.

### Use an existing application

* A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up).
* [AI Gateway](https://developers.cloudflare.com/ai-gateway/) does not require a domain added to Cloudflare. You can place it in front of any existing AI provider (OpenAI, Anthropic, and others) by updating your API endpoint to route through AI Gateway.
* If you plan to add Workers AI inference or Vectorize to an existing application, you also need [Node.js ↗](https://nodejs.org/) (version 16.17.0 or later) and [Wrangler](https://developers.cloudflare.com/workers/wrangler/install-and-update/) installed.

---

## Related resources

[Workers AI models](https://developers.cloudflare.com/workers-ai/models/) 

Browse available models for text generation, embeddings, image generation, and more.

[AI Gateway providers](https://developers.cloudflare.com/ai-gateway/usage/providers/) 

Connect to OpenAI, Anthropic, Google AI, and other providers through AI Gateway.

---

---
title: Build and run AI applications
description: Build AI applications with serverless compute, edge inference, multi-provider gateways, and stateful coordination.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Build and run AI applications

To build and deploy an AI application, you need compute for application logic, a way to run inference, and a gateway to manage costs across providers. Cloudflare Workers hosts your application logic and serves your frontend. Workers AI runs inference at the edge with pay-per-use pricing. AI Gateway adds caching, rate limiting, and observability across OpenAI, Anthropic, and other providers. Durable Objects coordinate stateful workflows and multi-turn conversations.

## Solutions

### Workers

Build and deploy serverless applications on Cloudflare's global network. [Learn more about Workers](https://developers.cloudflare.com/workers/).

* **Streaming responses** \- Stream AI responses token-by-token as they generate, without buffering the full reply
* **Full-stack deployment** \- Serve frontend and backend from a single deployment without managing separate infrastructure

### Workers AI

Run inference on Cloudflare's global network via a Workers binding, with pay-per-use pricing. [Learn more about Workers AI](https://developers.cloudflare.com/workers-ai/).

* **Global inference** \- Run models at the Cloudflare location nearest to the user, reducing round-trip latency
* **Pay-per-use pricing** \- No GPU reservations or idle costs; pay only for tokens processed

### AI Gateway

Proxy requests to any AI provider with caching, rate limiting, and unified analytics. [Learn more about AI Gateway](https://developers.cloudflare.com/ai-gateway/).

* **Provider flexibility** \- Route requests to OpenAI, Anthropic, Workers AI, or any other provider through a single endpoint
* **Unified observability** \- Track request volume, latency, costs, and errors across all providers in one place

### Durable Objects

Stateful objects with strongly consistent storage and coordination. [Learn more about Durable Objects](https://developers.cloudflare.com/durable-objects/).

* **Stateful workflows** \- Coordinate multi-step AI pipelines and maintain conversation state across requests

## Get started

1. [Workers AI get started](https://developers.cloudflare.com/workers-ai/get-started/)
2. [AI Gateway get started](https://developers.cloudflare.com/ai-gateway/get-started/)
3. [Durable Objects get started](https://developers.cloudflare.com/durable-objects/get-started/)

---

---
title: Control costs and improve quality
description: Reduce AI inference costs and improve reliability with response caching, rate limiting, and unified provider analytics.
image: https://developers.cloudflare.com/cf-twitter-card.png
---

# Control costs and improve quality

AI inference costs can grow unpredictably as your application scales, especially when using multiple providers. Cloudflare AI Gateway caches identical queries to avoid redundant inference calls, applies rate limits per user or API key, and provides unified analytics across all providers.

## Solutions

### AI Gateway

Cache responses, rate limit requests, and monitor usage across providers. [Learn more about AI Gateway](https://developers.cloudflare.com/ai-gateway/).

* **Response caching** \- Cache identical queries so repeated prompts do not trigger a new inference call
* **Rate limiting** \- Set request limits per user or Application Programming Interface (API) key to prevent abuse and control spending
* **Unified analytics** \- Track usage, latency, and cost across all AI providers from one dashboard

### Workers Analytics Engine

Store and query time-series analytics data from Workers. [Learn more about Workers Analytics Engine](https://developers.cloudflare.com/analytics/analytics-engine/).

* **Custom metrics** \- Build AI-specific dashboards tracking tokens, latency distributions, and error rates

## Get started

1. [AI Gateway get started](https://developers.cloudflare.com/ai-gateway/get-started/)
2. [Configure caching](https://developers.cloudflare.com/ai-gateway/features/caching/)
3. [Workers Analytics Engine get started](https://developers.cloudflare.com/analytics/analytics-engine/get-started/)

---

---
title: Store and retrieve context
description: Store vector embeddings, conversation history, and application state for AI applications using serverless databases and object storage.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Store and retrieve context

AI applications need specialized storage for vector embeddings, conversation history, training data, and cached responses. Cloudflare Vectorize stores and queries embeddings for Retrieval Augmented Generation (RAG), D1 provides SQL storage for structured data, R2 stores documents and assets, and KV caches frequent responses at the edge.

## Solutions

### Vectorize

Vector database for storing and querying embeddings. [Learn more about Vectorize](https://developers.cloudflare.com/vectorize/).

* **Vector search** \- Store embeddings and find semantically similar content for Retrieval Augmented Generation (RAG) and recommendation features

### D1

Serverless SQL database built on SQLite, with global read replication. [Learn more about D1](https://developers.cloudflare.com/d1/).

* **Structured storage** \- Structured Query Language (SQL) database for conversation history, user data, and application metadata

### R2

S3-compatible object storage with zero egress fees. [Learn more about R2](https://developers.cloudflare.com/r2/).

* **Object storage** \- Store documents, training data, and generated assets with no egress fees

### KV

Globally distributed key-value storage for low-latency reads. [Learn more about KV](https://developers.cloudflare.com/kv/).

* **Edge caching** \- Cache frequent AI responses at the edge to reduce inference costs and latency

## Get started

1. [Vectorize get started](https://developers.cloudflare.com/vectorize/get-started/)
2. [D1 get started](https://developers.cloudflare.com/d1/get-started/)
3. [R2 get started](https://developers.cloudflare.com/r2/get-started/)


---

---
title: Media and streaming
description: Deliver video, images, and media at scale with Cloudflare Stream, Images, R2, and global caching.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Media and streaming

Deliver video, images, and rich media at scale with encoding, optimization, and global distribution. Cloudflare Stream handles video upload, encoding, and adaptive bitrate delivery. Images transforms and optimizes images on-the-fly. R2 stores media files with zero egress fees. Cache serves content from 300+ edge locations. Hotlink Protection and signed URLs secure media from unauthorized access.

* [Upload, encode, and deliver videos](https://developers.cloudflare.com/use-cases/media-streaming/video-delivery/)
* [Optimize and transform images for the web](https://developers.cloudflare.com/use-cases/media-streaming/image-optimization/)
* [Store media at scale](https://developers.cloudflare.com/use-cases/media-streaming/store-media/)
* [Cache and accelerate media delivery](https://developers.cloudflare.com/use-cases/media-streaming/cache-delivery/)
* [Secure your content](https://developers.cloudflare.com/use-cases/media-streaming/secure-content/)

## Architecture patterns

### Video platform

Build a complete video hosting and delivery solution:

* **Stream** handles upload, encoding, and adaptive bitrate delivery
* **Stream Live** enables live streaming with automatic recording
* **Signed URLs** protect content with token authentication

### Image optimization pipeline

Serve optimized images without pre-generating variants:

1. **R2** stores original high-resolution images
2. **Images** transforms images on-the-fly based on URL parameters
3. **Workers** applies custom logic for format selection and caching

### User-generated content

Handle media uploads from users at scale:

1. **R2** receives uploads directly via presigned URLs
2. **Workers** validates and processes uploaded content
3. **Stream** or **Images** optimizes media for delivery

---

## Prerequisites

### Create a new application

* A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up). Stream and R2 are account-level offerings. You do not need a domain added to Cloudflare to upload, encode, or store media.
* For Image Transformations: enable the feature per domain from the [Transformations page ↗](https://dash.cloudflare.com/?to=/:account/images/transformations) in the dashboard. Refer to [Image Transformations](https://developers.cloudflare.com/images/optimization/transformations/overview/).

### Use an existing application

* A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up).
* A domain [added to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) with DNS records proxied through Cloudflare. This is required for CDN caching, image optimization (Polish), and cache rules.
* For Image Transformations on an existing domain: enable the feature from the [Transformations page ↗](https://dash.cloudflare.com/?to=/:account/images/transformations) in the dashboard. Refer to [Image Transformations](https://developers.cloudflare.com/images/optimization/transformations/overview/).

---

## Related resources

[Stream documentation](https://developers.cloudflare.com/stream/) 

Complete documentation for video upload, encoding, and delivery.

[Images documentation](https://developers.cloudflare.com/images/) 

Complete documentation for image optimization and transformation.

[Media case studies](https://www.cloudflare.com/case-studies/?industry=Media%20%26%20Entertainment) 

Explore how media companies use Cloudflare.


---

---
title: Cache and accelerate media delivery
description: Deliver media content from edge locations worldwide.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Cache and accelerate media delivery

Streaming video and serving images to a global audience requires low-latency delivery from locations close to each viewer. Cloudflare Cache serves media globally, and Argo Smart Routing ensures cache misses take the fastest path back to your origin.

## Solutions

### Cache

Cache content at Cloudflare's global network of edge locations. [Learn more about Cache](https://developers.cloudflare.com/cache/).

* **Global edge caching** \- Media content served from 300+ edge locations to reduce latency for global audiences
* **Origin offload** \- Cached content is served directly from the edge, reducing origin bandwidth and compute costs
* **Tiered caching** \- Regional cache tiers absorb repeated requests before they reach the origin, further reducing load

### Argo Smart Routing

Route traffic through the fastest paths across Cloudflare's network. [Learn more about Argo Smart Routing](https://developers.cloudflare.com/argo-smart-routing/).

* **Smart routing** \- Requests that miss cache are routed through the fastest available network paths to origin

## Get started

1. [Configure Cache Rules](https://developers.cloudflare.com/cache/how-to/cache-rules/)
2. [Enable Tiered Cache](https://developers.cloudflare.com/cache/how-to/tiered-cache/)
3. [Enable Argo Smart Routing](https://developers.cloudflare.com/argo-smart-routing/get-started/)


---

---
title: Optimize and transform images for the web
description: Resize, crop, and convert images to WebP and AVIF on-the-fly with Cloudflare Images and Polish.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Optimize and transform images for the web

Serving images at multiple sizes and formats traditionally requires pre-generating variants for every resolution and device. Cloudflare Images transforms images on-the-fly via URL parameters — resizing, cropping, and converting to WebP or AVIF — while Polish compresses originals without visible quality loss.

## Solutions

### Images

Transform, optimize, and deliver images at scale. [Learn more about Images](https://developers.cloudflare.com/images/).

* **On-the-fly transformation** \- Resize, crop, and convert images by adding URL parameters — no pre-generated variants needed
* **Modern formats** \- Automatically serve WebP or AV1 Image File Format (AVIF) to supported browsers, falling back to JPEG/PNG for others
* **Responsive images** \- Generate size variants on demand for different screen sizes and pixel densities

### Polish

Automatic image compression without quality loss. [Learn more about Polish](https://developers.cloudflare.com/images/polish/).

* **Compression** \- Reduce image file sizes through lossless or lossy compression without visible quality loss

## Get started

1. [Images get started](https://developers.cloudflare.com/images/get-started/)
2. [Enable Polish](https://developers.cloudflare.com/images/polish/)
3. [Transform images via URL](https://developers.cloudflare.com/images/optimization/transformations/overview/)


---

---
title: Secure your content
description: Protect media from unauthorized access and hotlinking.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Secure your content

Media assets are vulnerable to hotlinking, unauthorized downloads, and piracy. Cloudflare Hotlink Protection blocks other sites from embedding your media, Stream signed URLs provide time-limited access tokens, and Access gates premium content behind identity policies.

## Solutions

### Hotlink Protection

Block unauthorized embedding of resources from external sites. [Learn more about Hotlink Protection](https://developers.cloudflare.com/waf/tools/scrape-shield/hotlink-protection/).

* **Hotlink protection** \- Block other sites from embedding or hot-linking your images and video without permission

### Stream

Live streaming with automatic recording and instant playback. [Learn more about Stream Live](https://developers.cloudflare.com/stream/stream-live/).

* **Token authentication** \- Issue time-limited access tokens so only authorized viewers can access protected media

### Access

Zero Trust access control for applications and infrastructure. [Learn more about Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/).

* **Identity-based access** \- Gate premium or subscriber-only content behind Cloudflare Access identity policies

## Get started

1. [Enable Hotlink Protection](https://developers.cloudflare.com/waf/tools/scrape-shield/hotlink-protection/)
2. [Secure Stream videos with signed URLs](https://developers.cloudflare.com/stream/viewing-videos/securing-your-stream/)
3. [Cloudflare Access get started](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)


---

---
title: Store media at scale
description: Store media files with zero egress fees using R2.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Store media at scale

Media files are large, and egress fees from traditional cloud storage can be significant at scale. Cloudflare R2 provides S3-compatible object storage with zero egress fees, and Workers lets you build custom processing pipelines for validation, transformation, and routing.

## Solutions

### R2

S3-compatible object storage with zero egress fees. [Learn more about R2](https://developers.cloudflare.com/r2/).

* **Zero egress fees** \- No charges for data transferred out, regardless of volume
* **S3 compatibility** \- Use any S3-compatible tool, SDK, or library without code changes
* **Direct uploads** \- Issue presigned URLs so clients upload directly to R2 without routing through your servers

### Workers

Build and deploy serverless applications on Cloudflare's global network. [Learn more about Workers](https://developers.cloudflare.com/workers/).

* **Custom processing pipelines** \- Build media transformation, validation, and routing logic that runs at the edge

## Get started

1. [R2 get started](https://developers.cloudflare.com/r2/get-started/)
2. [Generate presigned URLs](https://developers.cloudflare.com/r2/api/s3/presigned-urls/)
3. [Workers get started](https://developers.cloudflare.com/workers/get-started/)


---

---
title: Upload, encode, and deliver videos
description: Build a complete video hosting and delivery solution with Cloudflare Stream.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Upload, encode, and deliver videos

Building a video platform requires upload handling, encoding to multiple resolutions, adaptive bitrate delivery, and global distribution. Cloudflare Stream handles all of this — upload, transcode, store, and deliver — with no video infrastructure to manage.

## Solutions

### Stream

Upload, encode, store, and deliver video with adaptive bitrate streaming. [Learn more about Stream](https://developers.cloudflare.com/stream/).

* **Automatic encoding** \- Videos transcoded to multiple resolutions and formats on upload with no infrastructure to manage
* **Adaptive bitrate** \- HTTP Live Streaming (HLS) and Dynamic Adaptive Streaming over HTTP (DASH) automatically adjust quality to match viewer bandwidth
* **Global delivery** \- Video served directly from Cloudflare's edge network without a separate Content Delivery Network (CDN)

### Stream Live

Live streaming with automatic recording and instant playback. [Learn more about Stream Live](https://developers.cloudflare.com/stream/stream-live/).

* **Live streaming** \- Low-latency live video with automatic recording and instant playback after the stream ends

### RealtimeKit

Add customizable live video and voice to web or mobile applications. [Learn more about RealtimeKit](https://developers.cloudflare.com/realtime/realtimekit/).

* **Real-time communication** \- Add peer-to-peer video and audio directly to your application

## Get started

1. [Stream get started](https://developers.cloudflare.com/stream/get-started/)
2. [Set up Stream Live](https://developers.cloudflare.com/stream/stream-live/)
3. [Secure videos with signed URLs](https://developers.cloudflare.com/stream/viewing-videos/securing-your-stream/)


---

---
title: E-commerce
description: Protect and accelerate online stores with Cloudflare WAF, DDoS protection, caching, image optimization, and Waiting Room.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# E-commerce

E-commerce applications require exceptional performance, security, and reliability. Cloudflare protects and accelerates online stores with application security against attacks, bot security against credential stuffing and fraud, cache and image optimization for fast global delivery of product pages, load balancing and Waiting Room for handling traffic spikes, and Zaraz for server-side analytics and marketing tags.

* [Protect your store](https://developers.cloudflare.com/use-cases/e-commerce/protect/)
* [Accelerate your store's performance](https://developers.cloudflare.com/use-cases/e-commerce/performance/)
* [Handle traffic at scale](https://developers.cloudflare.com/use-cases/e-commerce/traffic-at-scale/)
* [Observe traffic patterns and analytics](https://developers.cloudflare.com/use-cases/e-commerce/analytics/)

## Architecture patterns

### Self-hosted storefront

Protect and accelerate a store running on your own infrastructure:

* **SSL/TLS** encrypts all traffic between shoppers and your store
* **Cache** serves static assets from 300+ edge locations
* **Application security** blocks attacks before they reach your origin
* **Images** optimizes product images on-the-fly

### SaaS-hosted storefront

Add Cloudflare on top of a platform like Shopify, BigCommerce, or Salesforce Commerce Cloud:

* **Cloudflare for SaaS** (Orange-to-Orange setup) layers your Cloudflare zone over your provider's existing Cloudflare configuration
* **Application security** adds protection beyond what the platform provides
* **Zaraz** loads analytics and marketing tags server-side to improve page speed

### High-traffic store

Handle flash sales, seasonal peaks, and viral demand:

* **Load Balancing** distributes traffic across multiple origin servers
* **Waiting Room** queues excess visitors to prevent origin overload
* **Cache** and **Argo Smart Routing** reduce origin load and improve response times
* **Health Checks** detect unhealthy origins and reroute traffic automatically

---

## Prerequisites

### Create a new application

* A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up).
* A domain [added to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) with DNS records proxied through Cloudflare. All solutions in this use case require traffic to pass through Cloudflare's network.

### Use an existing application

* A [Cloudflare account ↗](https://dash.cloudflare.com/sign-up).
* A domain [added to Cloudflare](https://developers.cloudflare.com/fundamentals/manage-domains/add-site/) with DNS records proxied through Cloudflare's network.
* If your store is hosted on a SaaS platform that already uses Cloudflare — such as [Shopify](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/shopify/), [BigCommerce](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/bigcommerce/), or [Salesforce Commerce Cloud](https://developers.cloudflare.com/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/salesforce-commerce-cloud/) — follow the setup steps in the provider guide for your platform to add your own Cloudflare zone on top of your provider's existing configuration.

---

## Related resources

[E-commerce case studies](https://www.cloudflare.com/case-studies/?industry=Ecommerce%20%26%20Retail) 

Explore how e-commerce companies use Cloudflare.

[Reference architectures](https://developers.cloudflare.com/reference-architecture/) 

Detailed diagrams and design patterns for enterprise deployments.


---

---
title: Observe traffic patterns and analytics
description: Understand your traffic, identify issues, and optimize your store with Cloudflare analytics.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Observe traffic patterns and analytics

Understanding how shoppers experience your store — page load times, security events, and traffic patterns — requires analytics that do not slow down your site. Cloudflare Web Analytics collects real user metrics without cookies, Security Analytics shows WAF and bot activity, and Logpush exports logs for compliance.

## Solutions

### Web analytics

Privacy-first, cookie-free analytics for websites. [Learn more about Web analytics](https://developers.cloudflare.com/web-analytics/).

* **Real user metrics** \- Core Web Vitals and performance data collected from actual visitors without cookies or sampling

### Security analytics

Analyze security events and fine-tune your Application Security configuration. [Learn more about Security analytics](https://developers.cloudflare.com/waf/analytics/).

* **Security visibility** \- Understand application security rule triggers, bot activity patterns, and attack trends in one view

### Logpush

Stream logs from Cloudflare products to external destinations. [Learn more about Logpush](https://developers.cloudflare.com/logs/).

* **Compliance logging** \- Export detailed request logs to your Security Information and Event Management (SIEM) system or data warehouse for audit trails and forensic analysis

## Get started

1. [Enable Web Analytics](https://developers.cloudflare.com/web-analytics/get-started/)
2. [Configure Logpush](https://developers.cloudflare.com/logs/logpush/)
3. [Review Security Analytics](https://developers.cloudflare.com/waf/analytics/)


---

---
title: Accelerate your store's performance
description: Speed up an e-commerce store with edge caching, image optimization, asset minification, and server-side tag loading.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Accelerate your store's performance

Slow page loads directly reduce e-commerce conversion rates. Cloudflare accelerates your storefront with global edge caching, on-the-fly image optimization for product images, automatic asset minification, and server-side loading of analytics and marketing tags through Zaraz.

## Solutions

### Cache

Cache content at Cloudflare's global network of edge locations. [Learn more about Cache](https://developers.cloudflare.com/cache/).

* **Global content delivery** \- Static assets served from 300+ edge locations, reducing load times for international shoppers

### Images

Transform, optimize, and deliver images at scale. [Learn more about Images](https://developers.cloudflare.com/images/).

* **Image optimization** \- Automatic WebP/AV1 Image File Format (AVIF) conversion and on-the-fly responsive resizing for product images

### Speed

Automatic optimizations for HTML, CSS, JavaScript, and fonts. [Learn more about Speed](https://developers.cloudflare.com/speed/).

* **Core Web Vitals improvement** \- Faster Largest Contentful Paint (LCP), reduced Cumulative Layout Shift (CLS), and improved Interaction to Next Paint (INP) through automatic asset optimization

### Zaraz

Server-side loading of third-party tools to improve performance and privacy. [Learn more about Zaraz](https://developers.cloudflare.com/zaraz/).

* **Third-party script control** \- Load analytics, chat, and marketing tags through Cloudflare without blocking page rendering

### Workers

Build and deploy serverless applications on Cloudflare's global network. [Learn more about Workers](https://developers.cloudflare.com/workers/).

* **Edge logic** \- Run custom performance optimizations at the edge, such as HTML rewriting and dynamic content assembly, without round-trips to your origin

## Get started

1. [Configure Cache Rules](https://developers.cloudflare.com/cache/how-to/cache-rules/)
2. [Set up Cloudflare Images](https://developers.cloudflare.com/images/get-started/)
3. [Enable Speed optimizations](https://developers.cloudflare.com/speed/optimization/)
4. [Configure Zaraz](https://developers.cloudflare.com/zaraz/get-started/)
5. [Rewrite HTML at the edge with HTMLRewriter](https://developers.cloudflare.com/workers/runtime-apis/html-rewriter/)


---

---
title: Protect your store
description: Before driving traffic to your store, establish security controls to protect against attacks and fraud.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Protect your store

Online stores are targets for DDoS attacks, credential stuffing, payment fraud, and supply chain script injections. Cloudflare provides layered security — from SSL/TLS encryption and application security managed rulesets to bot detection and client-side script monitoring — that protects your store without adding friction for shoppers.

## Solutions

### SSL/TLS

Encrypt all traffic with free, automatic SSL certificates. [Learn more about SSL/TLS](https://developers.cloudflare.com/ssl/).

* **PCI DSS compliance support** \- Transport Layer Security (TLS) encryption and application security managed rulesets help meet Payment Card Industry (PCI) payment security requirements

### Application security

Get automatic protection from vulnerabilities and create your own custom rules. [Learn more about application security](https://developers.cloudflare.com/waf/).

### DDoS protection

Automatic mitigation of volumetric and application-layer DDoS attacks. [Learn more about DDoS protection](https://developers.cloudflare.com/ddos-protection/).

* **HTTP DDoS protection** \- Automatic, always-on mitigation of HTTP flood attacks, cache-busting attacks, and application-layer Distributed Denial of Service (DDoS) attacks at layer 7. No configuration required — active on all Cloudflare domains by default

### Bot security

Machine learning powered bot detection with granular control over bot traffic. [Learn more about Bot security](https://developers.cloudflare.com/bots/).

* **Credential stuffing protection** \- ML-powered bot detection blocks automated login and account takeover attacks

### Turnstile

Privacy-preserving CAPTCHA alternative for forms and user interactions. [Learn more about Turnstile](https://developers.cloudflare.com/turnstile/).

* **Payment form security** \- Privacy-preserving CAPTCHA alternative that protects checkout without adding user friction

### Client-side security

Monitor and control third-party scripts and outbound connections on your pages. [Learn more about Client-side security](https://developers.cloudflare.com/client-side-security/).

* **Supply chain protection** \- Detects malicious scripts injected by compromised third-party vendors (Magecart-style attacks)

## Get started

1. [Enable SSL/TLS](https://developers.cloudflare.com/ssl/get-started/)
2. [Configure Application Security managed rules](https://developers.cloudflare.com/waf/managed-rules/deploy-zone-dashboard/)
3. [Set up Bot security](https://developers.cloudflare.com/bots/get-started/)
4. [Add Turnstile to forms](https://developers.cloudflare.com/turnstile/get-started/)
5. [Enable Client-side security](https://developers.cloudflare.com/client-side-security/get-started/)


---

---
title: Handle traffic at scale
description: Handle flash sales and traffic spikes for e-commerce stores with load balancing, visitor queuing, and smart routing.
image: https://developers.cloudflare.com/cf-twitter-card.png
---


# Handle traffic at scale

Flash sales, seasonal peaks, and viral moments can overwhelm your origin infrastructure. Cloudflare Load Balancing distributes traffic across multiple origins with automatic failover, Waiting Room queues excess visitors to prevent overload, and Argo Smart Routing reduces latency between edge and origin.

## Solutions

### Load balancing

Distribute traffic across origins with health checks and automatic failover. [Learn more about Load balancing](https://developers.cloudflare.com/load-balancing/).

* **Origin protection** \- Distribute traffic across origin servers and queue excess visitors to prevent overload during peak events
* **Automatic failover** \- Health checks detect unhealthy origins and reroute traffic automatically

### Waiting Room

Manage visitor queuing during traffic surges. [Learn more about Waiting Room](https://developers.cloudflare.com/waiting-room/).

* **Flash sale readiness** \- Queue visitors fairly during extreme demand, preserving a consistent experience without crashing the site

### Argo Smart Routing

Route traffic through the fastest paths across Cloudflare's network. [Learn more about Argo Smart Routing](https://developers.cloudflare.com/argo-smart-routing/).

* **Reduced latency** \- Route requests through the fastest available network paths between edge and origin

## Get started

1. [Set up Load Balancing](https://developers.cloudflare.com/load-balancing/get-started/)
2. [Configure Waiting Room](https://developers.cloudflare.com/waiting-room/get-started/)
3. [Create Health Checks](https://developers.cloudflare.com/health-checks/get-started/)

## See also

Cloudflare Smart Shield acts as an intermediate caching layer between Cloudflare's content delivery network and your origin server, consolidating multiple requests from various locations into a single request. [Learn more about Smart Shield](https://developers.cloudflare.com/smart-shield/).

