Cloudflare Docs
Visit Cloudflare Fundamentals on GitHub
Set theme to dark (⇧+D)

Secure your website

Cloudflare offers several tools to protect your website against malicious traffic and bad actors.

​​ Account protection options

For recommendations about how to protect your Cloudflare account, refer to Account Security.

​​ Zone protection options

​​ Default protection

As long as your traffic is proxied by Cloudflare, Cloudflare automatically protects your application from DDoS attacks.

Cloudflare also issues and renews free, unshared, publicly trusted SSL/TLS certificates to all Cloudflare domains.

​​ One-click protection

For customers on a Pro plan or above, Cloudflare offers several Managed Rulesets as part of the Web Application Firewall (WAF).

All customers have access to the Cloudflare Security Center, which helps identify potential security risks and helps mitigate them with suggested actions.

All customers also have the options to adjust the following Security settings:

​​ Protection with minimal setup

Based on additional knowledge about your website traffic and requirements, you can also:

​​ Dedicated products

Cloudflare also offers dedicated products to increase the security of your website and underlying infrastructure:

  • API Shield: Protect your API from malicious traffic by enforcing schema validation, detecting abuse patterns, and more.
  • Magic Firewall: Use Cloudflare’s firewall-as-a-service (FWaaS) to protect office networks and cloud infrastructure with advanced, scalable protection.
  • Magic Transit: Delivers network functions at Cloudflare scale — DDoS protection, traffic acceleration, and much more from every Cloudflare data center — for on-premise, cloud-hosted, and hybrid networks.
  • Magic WAN: Securely connect any traffic source - data centers, offices, devices, cloud properties - to Cloudflare’s network and configure routing policies to get the bits where they need to go, all within one SaaS solution.
  • Page Shield: Monitor third-party scripts on your application and receive notifications when they have been compromised or are exhibiting malicious behavior.