
Cloudflare guide

Open duncanmcclean opened this issue 2 months ago • 6 comments

  • How to configure SSL properly (trusted proxies?)
  • Cloudflare OWASP Core Ruleset - sometimes blocks requests to /cp/assets (discord conversation)

duncanmcclean avatar Nov 06 '25 17:11 duncanmcclean

@duncanmcclean I'll work on an article that documents our ideal Cloudflare setup. Will ping you here when ready.

adnankussair avatar Nov 06 '25 19:11 adnankussair

Hi there - should you need help or input please feel free to tell me (I'm the one who had the issue). But it seems Adnan is on it 💪.

bastihilger avatar Nov 07 '25 09:11 bastihilger

@duncanmcclean @adnankussair @bastihilger I actually just solved this for a client on a Statamic site using CloudFlare Pro. I'm happy to provide the working solution if you guys want?

Short version for anyone reading this: OWASP rules are outdated, both IRL and in Cloudflare, so it doesn't see the "PUT" request method as a real method and blocks it (Disable: 911100: Method is not allowed by policy). You can still use OWASP but you have to disable that check.

I have only tested in production using PL1 paranoia level.

For SSL, I always run Full or Full (Strict).

And the Cloudflare Managed Ruleset is very useful too out of the box (no changes needed); I highly recommend using this (on all sites) from a security perspective. Generally they release with about a 30-day lag behind vulnerabilities, so it's a nice layer of protection.

jonathan-bird avatar Nov 17 '25 01:11 jonathan-bird

Also, if you want to take it to the next level and set up rate limiting, I basically set up the rate limit to match incoming requests, except where the URI path contains:

  • /build/assets
  • /favicon
  • /cp (you can modify this one to be specific)
  • /cdn-cgi/rum
  • /!/nocache

This helps ensure Cloudflare basically counts each page load as 1, rather than you ending up rate limited after 2 pages because each loaded 30 assets and you only allow 50 requests, for example.

jonathan-bird avatar Nov 17 '25 01:11 jonathan-bird
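The path exclusions in the comment above, as an added example (not code from the thread, from Statamic, or from Cloudflare): a small replay of constructed traffic through a per-visitor counter, once counting every request and once applying the exclusion list, so you can see why a 50-request window gets burned by two page views without it. The request samples, the 30-asset page, and the expression string built from the list are all assumptions for illustration; the exclusion prefixes are the ones listed in the thread.

```python
"""Rate-limit path exclusions for a Statamic site behind Cloudflare.

Added example. It models the rule described in the thread: a request counts
toward the per-visitor limit only when its path does NOT contain one of the
excluded fragments, so one page view with many assets counts once.
"""
from collections import defaultdict

# Path fragments that must not count toward the limit (list from the thread).
EXCLUDED_FRAGMENTS = (
    "/build/assets",
    "/favicon",
    "/cp",           # narrow this to specific CP paths if you need to
    "/cdn-cgi/rum",
    "/!/nocache",
)

# Equivalent filter for the rate-limiting rule's "matching requests" field,
# constructed from the same list (Cloudflare rules language).
CLOUDFLARE_RULE_EXPRESSION = " and ".join(
    f'not (http.request.uri.path contains "{frag}")' for frag in EXCLUDED_FRAGMENTS
)


def counts_toward_limit(path: str) -> bool:
    """True when the request path should be counted by the rate limit."""
    return not any(frag in path for frag in EXCLUDED_FRAGMENTS)


def naive_counts(requests):
    """Count every request per client IP (the rule without exclusions)."""
    counts = defaultdict(int)
    for ip, _path in requests:
        counts[ip] += 1
    return dict(counts)


def filtered_counts(requests, window_limit: int):
    """Count only page-level requests per client IP within one window.

    Returns (counts, blocked) where blocked is the set of IPs that exceeded
    window_limit.
    """
    counts = defaultdict(int)
    for ip, path in requests:
        if counts_toward_limit(path):
            counts[ip] += 1
    blocked = {ip for ip, n in counts.items() if n > window_limit}
    return dict(counts), blocked


def simulated_page_view(ip: str, page: str, asset_count: int = 30):
    """Constructed traffic for one page view: HTML, assets, favicon, RUM beacon."""
    yield (ip, page)
    for i in range(asset_count):
        yield (ip, f"/build/assets/app-{i:02d}.js")
    yield (ip, "/favicon.ico")
    yield (ip, "/cdn-cgi/rum?req_id=constructed")


def compare_two_page_views(ip: str = "203.0.113.5", window_limit: int = 50):
    """Replay two page views and return (naive_total, filtered_total, blocked)."""
    traffic = list(simulated_page_view(ip, "/")) + list(simulated_page_view(ip, "/about"))
    naive = naive_counts(traffic)[ip]
    filtered, blocked = filtered_counts(traffic, window_limit)
    return naive, filtered[ip], blocked


if __name__ == "__main__":
    naive, filtered, blocked = compare_two_page_views()
    print(f"without exclusions: {naive} requests counted; with exclusions: {filtered}")
    print("blocked:", blocked or "nobody")
    print("rule expression:", CLOUDFLARE_RULE_EXPRESSION)
```

The `contains` matching mirrors the wording in the thread; if you tighten `/cp` to a specific sub-path, do the same in `CLOUDFLARE_RULE_EXPRESSION` so the local model and the deployed rule stay in sync.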

@jonathan-bird Thanks for sharing this. When I write this up, I’ll definitely cover rate limiting and the WAF rules. I’m also planning to dive into some of the more advanced setup pieces like Authenticated Origin Pulls and locking down the origin so it can’t be accessed directly by IP. A lot of people miss that step and never get the full value of the Cloudflare proxy. I’ll also go into how we manage header rules in Cloudflare.

There is a lot to love about Cloudflare beyond Statamic protection, including Zaraz, DMARC tools, and the Zero Trust stack. I’m planning to break everything out across a series of articles.

If there is anything you think I should make sure to cover, just let me know. Will post the draft here to get some feedback before publishing it.

adnankussair avatar Nov 17 '25 02:11 adnankussair
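The trusted-proxy question from the issue body and the origin lock-down mentioned in the comment above, as an added example (not Statamic, Laravel, or Cloudflare code): an origin-side resolver that honours `CF-Connecting-IP` / `X-Forwarded-For` / `X-Forwarded-Proto` only when the TCP peer is a Cloudflare address, and refuses requests that reach the origin directly. The `CLOUDFLARE_RANGES` entries are a placeholder subset for illustration; a real deployment loads the published lists from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6, and Authenticated Origin Pulls (mTLS) is the stronger lock-down that this IP check does not model.

```python
"""Trusting Cloudflare as a proxy and refusing direct-to-origin traffic.

Added example. Two checks an origin should make when it sits behind the
Cloudflare proxy:

1. Only trust the client-IP and scheme headers when the TCP peer is a
   Cloudflare address. Otherwise anyone who can reach the origin directly can
   forge the visitor IP (bypassing IP-based rules and logs) and claim "https".
2. Refuse requests whose TCP peer is not Cloudflare at all, so the WAF and
   rate limits cannot be skipped by going straight to the origin.
"""
import ipaddress

# Placeholder subset for illustration only; replace with the live lists.
CLOUDFLARE_RANGES = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20",
    "103.21.244.0/22",
    "2400:cb00::/32",
)]


def is_cloudflare(peer_ip: str) -> bool:
    """True when the TCP peer address falls inside a trusted proxy range."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in CLOUDFLARE_RANGES)


def _header(headers, name, default=""):
    return {k.lower(): v for k, v in headers.items()}.get(name.lower(), default)


def resolve_untrusted(peer_ip: str, headers: dict):
    """The weak configuration: trusts proxy headers from any peer."""
    client = _header(headers, "CF-Connecting-IP") or peer_ip
    scheme = _header(headers, "X-Forwarded-Proto", "http")
    return client, scheme


def resolve_trusted(peer_ip: str, headers: dict):
    """The hardened configuration: headers count only behind Cloudflare.

    Returns (client_ip, scheme); raises PermissionError for direct access.
    """
    if not is_cloudflare(peer_ip):
        raise PermissionError(f"direct origin access from {peer_ip} refused")

    client = _header(headers, "CF-Connecting-IP").strip()
    if not client:
        # First hop in X-Forwarded-For is the original client when the
        # only proxy appending to it is Cloudflare.
        client = _header(headers, "X-Forwarded-For").split(",")[0].strip()
    if not client:
        client = peer_ip
    ipaddress.ip_address(client)  # raises ValueError on garbage

    scheme = _header(headers, "X-Forwarded-Proto", "http").split(",")[0].strip().lower()
    if scheme not in ("http", "https"):
        scheme = "http"
    return client, scheme


if __name__ == "__main__":
    # Constructed requests: one via the proxy, one forged directly at the origin.
    via_cf = ("173.245.48.10", {"CF-Connecting-IP": "198.51.100.7",
                                "X-Forwarded-Proto": "https"})
    direct = ("198.51.100.200", {"CF-Connecting-IP": "10.0.0.1",
                                 "X-Forwarded-Proto": "https"})
    print("via Cloudflare:", resolve_trusted(*via_cf))
    print("direct, untrusted resolver believes:", resolve_untrusted(*direct))
    try:
        resolve_trusted(*direct)
    except PermissionError as exc:
        print("direct, trusted resolver:", exc)
```

In Laravel terms this is what the trusted-proxies middleware does when it is restricted to the Cloudflare ranges instead of `*`; the IP refusal belongs in the host firewall or web server in front of the application rather than in application code, but the logic is the same.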

Ah yes, great idea with that. I haven't dived into that area before; I usually do that on the server level.

Looking forward to reading it all! I use Cloudflare Pro for most of my Laravel & Statamic sites, so I'm keen to see what areas I can improve on.

jonathan-bird avatar Nov 17 '25 02:11 jonathan-bird