Bemals Dvanitha

Protecting Your Website with Cloudflare: Security, Performance, and Reliability [Part 1]


  

Application availability and security are just as important in today's web infrastructure as application logic. Distributed denial-of-service attacks, abusive traffic, automated crawlers, and common web exploits can impair performance or completely stop services, even with well-configured servers and properly encrypted connections.

Operating as a security and performance layer between users and origin servers, Cloudflare is located at the network edge. It protects against large-scale DDoS attacks, malicious bots, and abusive request patterns by stopping traffic before it reaches your infrastructure. It also reduces latency through intelligent caching and worldwide content delivery.

Cloudflare provides a wide range of controls for contemporary threats in addition to standard CDN functionality. These include rate limiting to safeguard APIs and login endpoints, Turnstile for seamless human verification, AI-driven bot and crawler management, adaptive DDoS mitigation, and integrated defenses against frequent attacks like SQL injection, cross-site scripting, and credential abuse.

This post will discuss how a website can be strengthened against actual threats using Cloudflare. We'll concentrate on useful setups and essential features, such as DDoS defense, crawler control, Turnstile, rate limiting, caching techniques, and common attack prevention, demonstrating how they cooperate to lower attack surface while preserving user experience and performance.

   

Connecting Your Domain to Cloudflare via Nameserver Update

To put Cloudflare in front of your website, you must delegate DNS authority to it by changing your domain's nameservers at the domain provider (such as GoDaddy or Namecheap). No DNS records are changed at this point; the nameserver update is the only necessary adjustment.

The following steps avoid needless changes during onboarding and adhere to a safe, production-ready workflow.

  

1. Add Your Domain in Cloudflare


From the Cloudflare dashboard, navigate to Domains → Onboard a domain and enter your existing domain name.

When prompted to import DNS configuration, select:

  • Manually enter DNS records (Advanced)

Even if you do not plan to add records immediately, this option gives you full control and avoids assumptions made by automated scans.

During onboarding, Cloudflare presents initial controls for AI crawlers and training bots.

You can:

  • Block AI training bots globally
  • Allow them selectively
  • Or leave them unblocked

This setting can be changed later and does not affect nameserver activation, but Cloudflare applies it once traffic starts passing through its network.

Continue with the setup.


  

2. Select a Cloudflare Plan

To continue, select the Free plan.
This plan already includes:

  • DDoS defense at the network layer
  • Global anycast DNS
  • Caching and CDN
  • Basic bot detection and WAF
  • SSL for all

Later on, you can upgrade without having to switch nameservers once more.


  

3. Obtain Cloudflare Nameservers

Cloudflare will now assign two authoritative nameservers for your domain.

These values are unique per domain.

At this point, Cloudflare will show the domain status as Pending until nameserver delegation is completed.

  

4. Replace Nameservers at Your Domain Provider (GoDaddy Example)

For GoDaddy, the process is:

  1. Open your domain settings
  2. Go to DNS / Nameservers
  3. Choose Custom nameservers
  4. Remove all existing nameserver entries
  5. Paste the two Cloudflare nameservers exactly as provided
  6. Save the changes


  

5. Verify Nameserver Propagation

Nameserver changes require global propagation. To confirm progress, use:

whatsmydns.net


  

6. Confirm Domain Activation in Cloudflare

Once propagation finishes:

  • Cloudflare will mark the domain as Active
  • DNS authority is fully delegated
  • Cloudflare now sits in front of your infrastructure


   

Creating DNS Records and Routing Traffic Through Cloudflare

Once your domain is Active, Cloudflare is the authoritative DNS provider. The next step is to create DNS records that point traffic to your application server.

In this setup, the origin server is an Amazon Web Services EC2 instance (or any other VPS) running NGINX.

  

Origin Server Setup (NGINX + SSL)

The EC2 instance runs NGINX as the web server and reverse proxy. SSL termination on the origin is handled using Certbot with Let’s Encrypt.

To avoid repeating implementation details, the full server-side setup—including:

  • NGINX installation
  • Reverse proxy configuration
  • SSL certificate issuance
  • Automatic renewal

—is covered in detail in the following article:

👉 Boost Your Website’s Security: NGINX and SSL Setup with Certbot Made Easy

🔗 full_guide_for_nginx_certbot_setup

This Cloudflare guide intentionally focuses on edge-level protection, while the linked article covers origin-level security.

  

Create DNS Records in Cloudflare

Navigate to:

Domain → DNS → Records


This is where Cloudflare resolves hostnames to your origin server and determines whether traffic is proxied through its edge.

Example: Creating an A Record for an API or Application

Add a new record with the following values:

Type: A
Name: api        (or @ for root domain)
IPv4 address: <EC2_PUBLIC_IP>
Proxy status: Proxied (orange cloud enabled)
TTL: Auto

Key points:

  • The Proxied status ensures traffic passes through Cloudflare
  • Cloudflare now hides the origin IP and applies security controls
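  • Requests for the proxied hostname no longer reach the EC2 instance directly; the instance still accepts connections made straight to its public IP unless its security group restricts them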

Once saved, Cloudflare immediately begins routing traffic.

  

Verify DNS Propagation

To confirm the DNS record is resolving globally, use:

whatsmydns.net
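
The two propagation checks in this guide (nameserver delegation and the proxied A record) can also be scripted. The following is an added example, not code from the original post: it classifies answers collected from several resolvers, for instance with `dig +short`. The resolver labels, nameserver names and the 203.0.113.10 origin address are constructed placeholders, and the Cloudflare IPv4 list is a snapshot that is assumed to be current.

```python
import ipaddress

# Snapshot of Cloudflare's published IPv4 ranges (assumption: still current;
# refresh from https://www.cloudflare.com/ips-v4 before relying on it).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22")]

def delegation_complete(ns_answers):
    """True only if every NS answer is a Cloudflare-assigned nameserver;
    a mix of old and new names means the old delegation is still cached."""
    names = [n.strip().rstrip(".").lower() for n in ns_answers if n.strip()]
    return bool(names) and all(n.endswith(".ns.cloudflare.com") for n in names)

def check_a_records(a_answers, origin_ip):
    """Label each A answer for a hostname that is meant to be proxied."""
    origin = ipaddress.ip_address(origin_ip)
    findings = []
    for raw in a_answers:
        ip = ipaddress.ip_address(raw.strip())
        if ip == origin:
            status = "ORIGIN_EXPOSED"   # DNS-only answer: origin IP is public
        elif any(ip in net for net in CLOUDFLARE_V4):
            status = "PROXIED"          # answer is a Cloudflare edge address
        else:
            status = "UNKNOWN"          # stale cache or an unexpected record
        findings.append((str(ip), status))
    return findings

def audit(results, origin_ip):
    """results: {resolver: {"ns": [...], "a": [...]}}, e.g. `dig +short` output."""
    report = {}
    for resolver, ans in results.items():
        a = check_a_records(ans["a"], origin_ip)
        report[resolver] = {"delegated": delegation_complete(ans["ns"]),
                            "proxied": bool(a) and all(s == "PROXIED" for _, s in a),
                            "a": a}
    return report

# Constructed sample: 203.0.113.10 stands in for <EC2_PUBLIC_IP>; resolver labels
# and nameserver names are hypothetical. resolver-b still sees the old state.
SAMPLE = {
    "resolver-a": {"ns": ["ada.ns.cloudflare.com.", "bob.ns.cloudflare.com."],
                   "a": ["104.21.5.20", "172.67.130.9"]},
    "resolver-b": {"ns": ["ns1.old-registrar.example.", "ns2.old-registrar.example."],
                   "a": ["203.0.113.10"]},
}
REPORT = audit(SAMPLE, "203.0.113.10")
```

An `ORIGIN_EXPOSED` result for a record that should be proxied means the hostname is publishing the server's real address, so the edge protections described above are not in the request path for that resolver's users.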


  

Confirm Application Reachability

After DNS propagation completes, validate application access via HTTPS.

  

Architecture Overview and Design Rationale

By combining:

  • Cloudflare at the edge (DNS, DDoS, bot control, rate limiting)
  • NGINX on EC2 as the origin
  • End-to-end HTTPS via Certbot

You get:

  • Reduced attack surface
  • Hidden origin IP
  • Built-in DDoS mitigation
  • Secure, encrypted traffic from client to server

This separation keeps responsibilities clear and the system easier to maintain.

  

What’s Next

As this guide has grown to cover multiple layers of infrastructure—domain configuration, Cloudflare onboarding, DNS routing, and origin server setup—it makes sense to split the remaining topics into a follow-up article.

In Part 2, we’ll focus entirely on Cloudflare’s edge-level security and traffic controls, including:

  • AI Crawl Control and bot behavior management
  • Rate limiting for APIs and sensitive endpoints
  • Caching strategies to reduce origin load and improve latency
  • Turnstile for user-friendly request validation
  • Additional protections for common abuse and automated attacks
