Protect your origin server
Receiving too many requests can be bad for your origin. These requests might increase latency for visitors, incur higher costs — particularly for cloud-based machines — and could knock your application offline.
Secure origin connections
Securing origin connections prevents attackers from discovering your origin server and overloading it with requests.
- Proxy records (when possible): Proxy your DNS records through Cloudflare to hide your origin IP addresses and provide DDoS protection. As part of this, you should allowlist Cloudflare IP addresses at your origin to prevent requests from being blocked.
- Review DNS-only records: Audit existing DNS-only records (TXT, and more) to make sure they do not contain origin IP information.
- Evaluate mail infrastructure: If possible, do not host a mail service on the same server as the web resource you want to protect, since emails sent to non-existent addresses get bounced back to the attacker and reveal the mail server IP.
- Rotate origin IPs: Once you have joined Cloudflare, rotate your origin IPs, as DNS records are in the public domain. Historical records are kept and would contain the IP addresses you used prior to joining Cloudflare.
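One way to run the DNS-only record review described above, as an added example that is not Cloudflare's own tooling. It assumes the zone's records have been exported as dictionaries with `name`, `type`, `content` and `proxied` fields; the records and origin addresses below are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample data: documentation-range addresses, assumed record fields.
ORIGIN_IPS = ["203.0.113.10", "2001:db8::10"]
RECORDS = [
    {"name": "www.example.com", "type": "A", "content": "203.0.113.10", "proxied": True},
    {"name": "direct.example.com", "type": "A", "content": "203.0.113.10", "proxied": False},
    {"name": "example.com", "type": "TXT", "proxied": False,
     "content": "v=spf1 ip4:203.0.113.0/28 include:_spf.example.net -all"},
    {"name": "example.com", "type": "MX", "content": "direct.example.com", "proxied": False},
    {"name": "status.example.com", "type": "A", "content": "198.51.100.7", "proxied": False},
    {"name": "_verify.example.com", "type": "TXT", "content": "token=abc123", "proxied": False},
]

def networks_in(text):
    """Yield each IP address or CIDR block written as a literal in a record value."""
    for token in text.replace('"', " ").split():
        for prefix in ("ip4:", "ip6:", ""):  # SPF mechanisms, then a bare literal
            if token.lower().startswith(prefix):
                try:
                    yield ipaddress.ip_network(token[len(prefix):], strict=False)
                except ValueError:
                    pass  # not an address (hostname, SPF keyword, token, ...)
                break

def find_origin_leaks(records, origin_ips):
    """Return (name, type, reason) for every DNS-only record that exposes an origin IP."""
    origins = [ipaddress.ip_address(ip) for ip in origin_ips]

    def exposes(record):
        return any(o.version == n.version and o in n
                   for n in networks_in(record["content"]) for o in origins)

    dns_only = [r for r in records if not r["proxied"]]  # proxied records answer with Cloudflare IPs
    # Hostnames whose own DNS-only A/AAAA record already points at the origin.
    leaky_hosts = {r["name"].rstrip(".").lower() for r in dns_only
                   if r["type"] in ("A", "AAAA") and exposes(r)}
    findings = []
    for r in dns_only:
        target = (r["content"].split() or [""])[-1].rstrip(".").lower()
        if exposes(r):
            findings.append((r["name"], r["type"], "contains an origin IP"))
        elif target in leaky_hosts:
            findings.append((r["name"], r["type"], "points at a host that exposes the origin"))
    return findings

if __name__ == "__main__":
    for name, rtype, reason in find_origin_leaks(RECORDS, ORIGIN_IPS):
        print(f"{rtype:5} {name:22} {reason}")
```

Records flagged here are candidates for proxying, for moving to separate infrastructure, or for cleanup before the origin IPs are rotated.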
Cloudflare Tunnel (HTTP / WebSockets)
HTTP Basic Authentication
Only allow traffic with specific (and secret) HTTP headers.
- Security: Moderately secure.
- Availability: All customers.
- Requires more configuration efforts on application- and server-side to accept those headers.
- Basic authentication is vulnerable to replay attacks. Because basic authentication does not encrypt user credentials, it is important that traffic always be sent over an encrypted SSL session.
JSON Web Tokens (JWT) Validation
Authenticated Origin Pulls
Cloudflare Tunnel (SSH / RDP)
Allowlist Cloudflare IP addresses
Cloudflare Network Interconnect
Monitor origin health
For passive monitoring, use Origin Error Rate Alerts to receive alerts when your origin returns 5xx codes above a configurable threshold and Passive Origin Monitoring to see when Cloudflare is unable to reach your origin for a few minutes. For more active monitoring, set up for your origin.
Zero Downtime Failover
If you have another A or AAAA record in your Cloudflare DNS or your Cloudflare Load Balancer provides another origin in the same pool, Zero-Downtime Failover automatically retries requests to your origin even before a Load Balancing decision is made.