
Discover Cloudflare: Enhance Website Security with our Recommended Service

Austin Drummond
Director of Development

Why Cloudflare?

We’ve been encouraging our clients to start using Cloudflare, a security-focused service with a very generous free tier. We’ve been using it ourselves here at Reusser for quite a while, and we continue to be impressed with it every day.

Below are a number of benefits included in the free plan:


Security

Free SSL/TLS Certificates

Once you point your name servers to Cloudflare, you can start proxying the traffic to your site through Cloudflare. Enabling the proxy is what unlocks the power of the Cloudflare platform to really start protecting your site. After the proxy has been enabled, you can serve your site over HTTPS and redirect HTTP requests to HTTPS so that all traffic to your site is encrypted. Paying for HTTPS certificates is a thing of the past; free certificates were one of the key reasons to use Cloudflare a decade ago.

Note: Even if you don’t use Cloudflare, but host with us, we still offer free SSL certificates provided by Let’s Encrypt. It’s just a few more steps to set up!

Web Application Firewall

Out of the box, Cloudflare gives you 5 WAF rules that can keep malicious users from interacting with your site in harmful ways, or at all. The rules can match on IP addresses, almost any HTTP attribute, and even something called a Threat Score, which is Cloudflare's rating of incoming traffic based on several factors. Each rule can block, allow, or require a Managed Challenge, which is a huge improvement over traditional CAPTCHAs.

Paying for one of the higher tiers of Cloudflare unlocks a list of Managed Rules that can be continuously updated and block common exploits like SQL injection and Cross-Site Scripting (XSS) attacks. They even offer OWASP Core Rulesets, which help mitigate a number of web application security risks, including the OWASP Top 10.

DDoS Protection

Cloudflare also offers a base amount of unmetered Distributed Denial of Service (DDoS) attack protection, which is a common threat on the internet. Cloudflare's DDoS protection mitigates these attacks by distributing traffic across their vast network, effectively absorbing malicious traffic and allowing legitimate traffic to reach your server. This is an essential security feature to keep your website available and responsive.

They even have a toggle switch to enable “Under Attack Mode” when your site is encountering a significant amount

Domain Name Registration

One of the more recent offerings is the ability to move your current (and buy new) domain name registrations to Cloudflare. The simple reason to do this is that Cloudflare adds no markup to the fees associated with registering the domain name. You pay the same costs charged by registry operators and by ICANN. This dramatically reduces the number of services and fees you have to pay to keep your domain operating smoothly and securely. Feel free to read more about it here.

Note: Cloudflare doesn’t support every TLD through their Registrar, despite supporting them in their Name Servers. They support over 200 of the most common TLDs, like .com, .org and .net. If you have any questions about this, you can find some more information here.

DMARC Management

One feature currently in Beta is DMARC management. DMARC is an important part of having a proper email configuration, as it allows email operators to flag and report malicious imposters who are trying to forge emails as if they were someone with access to an email account from your domain. Once you enable Cloudflare DMARC management, Cloudflare will automatically process and display the reports provided by email operators (like Gmail, Outlook, iCloud, or Zoho).
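To show what those reports contain, here is an added example (not Cloudflare's code and not part of the original article) that summarizes one DMARC aggregate report and lists the sending IPs that failed. The report is a constructed sample trimmed to the fields used, and the names `summarize` and `failing_sources` are assumptions made for this sketch.

```python
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample in the RFC 7489 aggregate-report layout; example.com and
# the 192.0.2.x / 198.51.100.x / 203.0.113.x addresses are placeholders.
def _record(ip, count, dkim, spf):
    return (f"<record><row><source_ip>{ip}</source_ip><count>{count}</count>"
            f"<policy_evaluated><dkim>{dkim}</dkim><spf>{spf}</spf>"
            "</policy_evaluated></row></record>")

SAMPLE_REPORT = (
    "<feedback><policy_published><domain>example.com</domain><p>none</p>"
    "</policy_published>"
    + _record("192.0.2.10", 40, "pass", "pass")     # both mechanisms pass
    + _record("192.0.2.10", 3, "fail", "pass")      # SPF alone is enough
    + _record("198.51.100.77", 25, "fail", "fail")  # unauthenticated sender
    + _record("203.0.113.5", 2, "fail", "fail")
    + "</feedback>")


def summarize(report_xml):
    """Return (domain, passed, failed); the last two map source IP to count."""
    # Reports come from third parties: parse real ones with a hardened XML
    # parser (for example the defusedxml package), not plain ElementTree.
    root = ET.fromstring(report_xml)
    domain = root.findtext("policy_published/domain")
    passed, failed = Counter(), Counter()
    for row in root.iterfind("record/row"):
        ip = row.findtext("source_ip")
        count = int(row.findtext("count", "0"))
        dkim = row.findtext("policy_evaluated/dkim", "fail")
        spf = row.findtext("policy_evaluated/spf", "fail")
        # DMARC passes when aligned DKIM or aligned SPF passes.
        (passed if "pass" in (dkim, spf) else failed)[ip] += count
    return domain, passed, failed


def failing_sources(report_xml):
    """Source IPs whose mail failed DMARC, largest volume first."""
    return summarize(report_xml)[2].most_common()


if __name__ == "__main__":
    for ip, n in failing_sources(SAMPLE_REPORT):
        print(f"{ip}: {n} messages failed DMARC")
```

A source that fails in volume is either a forger or a legitimate sender of yours that is missing from your SPF or DKIM setup, which is the distinction to settle before tightening the DMARC policy.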

Access

Team Members with Role-based Access Control

One of our least favorite things is when clients have to share their credentials with us in order for us to access their accounts. In fact, we instinctively only use services where team access is available. Cloudflare lets you invite someone to be part of your Cloudflare account's team. This allows each of us to maintain our own credentials, without the need to share sensitive information with each other.

We encourage all customers to create and own the Cloudflare account, as that’s no different from controlling the domain name registrar account.

When you invite us, or others, to join your Cloudflare account, you will be able to restrict permissions by assigning the relevant roles to each new member you invite. You can also change these roles after the team member has joined, so don’t sweat it if you start out with the role that has the fewest capabilities.

Enforce 2FA

In addition to having team access, Cloudflare also provides Multi-Factor Authentication via security or mobile apps, like Google Authenticator or 1Password. We encourage everyone to enable MFA on every account they can, but especially on domain name-related services. Having weak passwords combined with no MFA is just a disaster waiting to happen. Lastly, Cloudflare offers the ability to enforce MFA across all team members associated with your Cloudflare account.

Performance

CDN

One of the headlining features provided by Cloudflare is the Content Delivery Network, or CDN for short. This allows your site to be cached on servers all over the world, enabling lightning-fast response times across the globe. It also offers the ability to purge the cache from the network.

Cloudflare operates a wide range of data centers around the world, ensuring that your content can be delivered as fast as possible to your site visitors.

Analytics

One pain point we experience annually is the new measures major OS and browser vendors take to reduce our ability to measure our site’s analytics. While we appreciate the privacy-focused efforts of our overlords, they do come at the expense of reduced, even non-existent analytics, especially when visitors have ad-blocking extensions installed on their browsers. With Cloudflare, all the traffic is first-party traffic to your domain, and a lot can be inferred from basic traffic to your site. Additionally, you will also have access to reliable traffic statistics and logs to understand patterns and spikes on your site. Cloudflare Analytics is enabled without ever needing to include any tracking pixels in your site and is transparent to the end user. They do offer lightweight JavaScript-based tracking pixels to get access to even more data. They even email you weekly with Traffic Insights for your domain(s) proxied through Cloudflare.

DNS Management

Most of the time, DNS management is a free service provided by your domain name registrar, such as GoDaddy, Namecheap, or Hover. When you point your domain name’s nameservers to Cloudflare, you unlock a whole new set of benefits ranging from performance to security.

When setting up the domain name on Cloudflare, they automatically scan your DNS for most of the basic entries, such as A records for your website's common subdomains and other various email-related DNS records. However, we usually require clients to send (or let us access) an export of their current DNS Zone to ensure everything is migrated properly.

Once the DNS records are set up, it’s as simple as changing the name servers in the admin of your domain name’s registrar, which can take 24-48 hours to take effect. We typically recommend clients migrate to Cloudflare several weeks before making any significant changes to their website, both to keep the changes isolated from each other and to let DNS settings propagate throughout the internet without a hitch.
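One way to check the migration before switching name servers, as an added example that is not part of the original article: compare the zone export from the old DNS host with a BIND-format export of the records now in Cloudflare and list anything that did not carry over. Both exports are constructed samples, and the parser assumes one record per line with the owner name always present.

```python
import shlex

SKIP_TYPES = {"SOA", "NS"}  # rewritten by design when the nameservers move

# Constructed exports; example.com, its hosts and 192.0.2.10 are placeholders.
OLD_EXPORT = """\
example.com. 3600 IN SOA ns1.oldhost.example. admin.example.com. 1 7200 900 1209600 300
example.com. 3600 IN NS ns1.oldhost.example.
example.com. 3600 IN A 192.0.2.10
www.example.com. 3600 IN CNAME example.com.
example.com. 3600 IN MX 10 mail.example.com.
example.com. 3600 IN TXT "v=spf1 include:_spf.example.net ~all"
_dmarc.example.com. 3600 IN TXT "v=DMARC1; p=none; rua=mailto:dmarc@example.com" ; reports
"""
NEW_EXPORT = """\
example.com. 1 IN A 192.0.2.10
www.example.com. 1 IN CNAME example.com.
example.com. 1 IN MX 10 mail.example.com.
"""


def parse_zone(text):
    """Return a set of normalized (name, type, rdata) tuples."""
    records = set()
    for line in text.splitlines():
        lex = shlex.shlex(line, posix=True)   # keeps quoted TXT data intact
        lex.whitespace_split, lex.commenters = True, ";"  # ';' starts a comment
        tokens = list(lex)
        if len(tokens) < 3 or tokens[0].startswith("$"):
            continue
        name, rest = tokens[0].lower().rstrip("."), tokens[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest = rest[1:]                   # TTL and class are optional
        if len(rest) < 2 or rest[0].upper() in SKIP_TYPES:
            continue
        rtype, rdata = rest[0].upper(), " ".join(rest[1:])
        if rtype != "TXT":                    # TXT values are case-sensitive
            rdata = rdata.lower().rstrip(".")
        records.add((name, rtype, rdata))
    return records


def missing_after_migration(old_export, new_export):
    return sorted(parse_zone(old_export) - parse_zone(new_export))


if __name__ == "__main__":
    for name, rtype, rdata in missing_after_migration(OLD_EXPORT, NEW_EXPORT):
        print(f"MISSING {name} {rtype} {rdata}")
```

In this sample the SPF and DMARC TXT records are the ones left behind, so mail authentication would break at cutover even though the website itself keeps working.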

Note: Changing your nameserver can be a big shift from the IT perspective, but it is a clear benefit over the basic offering provided by most registrars.

Why is this not paid?

Cloudflare operates its business like a lot of other SaaS products. They offer a free tier to get their customers hooked and hope they eventually upgrade to a paid plan. One key difference is that the free plan will get you pretty far without ever needing to pay. I would guess over 80% of our clients stay on the free plan indefinitely.

We will go over just a few of our favorite paid services.

R2

Cloudflare R2 is a very compelling competitor to AWS S3 (Simple Storage Service) object storage. AWS continues to be a leader in this area, by defining the S3 protocol and offering excellent service. However, despite being the leader, S3 does introduce some variability in monthly costs by charging for both storage and transfer fees, leading to unpredictable costs at times. Cloudflare recognized an opportunity in the market and created a service called Really Requestable. Their R2 service directly competes with S3 by not charging for egress bandwidth, but instead only charging for storage and API calls. This eliminates a surprising amount of fees associated with Cloudflare. Once again, R2 has a pretty compelling offering when it comes to pricing, but the reality is the majority of our clients never exceed the free tier. The only time you can expect to pay is if your site is heavy with uploads or large images. Even then, it’s relatively inexpensive to use the paid services provided by R2. See here for more information on pricing and how much cost can be saved by switching to R2.

In addition to R2, paying gets you access to more advanced analytics, managed WAF rule sets, and more. The above list is barely scratching the surface of what Cloudflare offers. They offer KV storage, cloud functions, and even Zero Trust access tools.



Read more about Cloudflare and its benefits here: https://www.cloudflare.com/plans/

View how fast your site can be here: https://reusser.com/

Ready to migrate your domain to Cloudflare? Create a ticket here to get started: https://helpdesk.reusser.com