Skip to main content

Cloudflare Free Tier for Indie Sites: 30-Minute Setup + 5 Security Rules

Jun 22, 2026

The day after SoseCore went live, the logs filled with scraper traffic: ColoCrossing in Buffalo, Google Cloud Platform in Iowa, OVH in France. Same pattern from every datacenter you'd expect — one IP, one hit on the homepage, no engagement, gone. Background noise that any indie site collects within hours of going public.

Cloudflare's free tier blocks most of it. Setup takes thirty minutes including DNS propagation. This guide walks through every step from "no Cloudflare account" to "five WAF rules running and bots filtered" — tested on SoseCore as the example. Free tier handles unlimited bandwidth, basic DDoS protection, SSL certificates, and the bot filtering that matters for indie scale.

If your site does under 100,000 visits per month, Free tier is enough. Pro at $25/month becomes worth it later for Image Resizing and Super Bot Fight Mode — but not now.

Why Cloudflare free tier (and when it isn't enough)

The Free plan delivers four things indie sites actually need:

  • DDoS protection — automatic, no configuration needed, unlimited capacity
  • Bot Fight Mode — blocks known bot networks, datacenter traffic, and headless browsers without proper credentials
  • Free SSL certificates — Universal SSL for your domain plus first-level subdomains, auto-renewed
  • Performance basics — Auto Minify (HTML/CSS/JS), Brotli compression, Early Hints, HTTP/3

What Free doesn't include: Image Resizing (Pro), Super Bot Fight Mode with ML detection (Pro), advanced rate limiting beyond basic IP rules (Business), and 24/7 chat support (Pro/Business). At indie scale none of these matter.

The single hard limit of Free that bites at scale: 5 custom WAF rules. For our purposes that's exactly the right number — five focused rules covering 80% of indie-site security needs.

Pre-flight checklist

Before starting, confirm three things — saves you backing out mid-setup:

  1. You have registrar access — login to wherever you bought the domain (Namecheap, GoDaddy, Reg.ru, Hostinger, etc.). You'll change nameservers there.
  2. You know your current SSL state — open https://yoursite.com. Green lock = Let's Encrypt or paid SSL on server. No lock = no SSL configured. This determines the SSL/TLS mode below.
  3. You list all your subdomains — write down everything: www, mail, blog, api, anything live. Cloudflare's auto-scan misses some.

If email runs on the same domain, list the mail service too (Google Workspace, Zoho, self-hosted). Mail records need careful handling below.

The 30-minute setup

Step 1: Sign up + add site (3 minutes)

Go to dash.cloudflare.com/sign-up. Email + password, verify the email link they send. Once logged in:

  1. Click + Add a Site in the top nav
  2. Type your domain (e.g. sosecore.com) — bare domain only, no https://, no trailing slash
  3. Click Continue

Step 2: Pick Free plan (1 minute)

You'll see four plan tiers. Scroll to Free $0 at the bottom, select it, click Continue. The other plans pitch themselves but you don't need them yet.

Step 3: DNS records scan + manual review (5-10 minutes)

Cloudflare auto-imports your current DNS records. Compare against the registrar's DNS panel side-by-side. Anything Cloudflare missed, add manually via + Add Record.

Critical proxy setting on each record:

  • 🟠 Proxied (orange cloud) — for web traffic A/AAAA/CNAME records. This is what enables Cloudflare's CDN, SSL, and security features.
  • DNS only (grey cloud) — for MX (email), TXT (SPF, DKIM, domain verification), and any subdomain that should bypass Cloudflare.

The most common breakage point: someone orange-clouds an MX record. Email immediately stops working. MX records always grey cloud.

Same for TXT records used for domain verification (Google Search Console, Google Workspace, anti-spam SPF/DKIM/DMARC). Always grey cloud.

Click Continue when records look complete.

Step 4: Nameserver switch at registrar (5 minutes)

Cloudflare shows two nameservers like kara.ns.cloudflare.com and walt.ns.cloudflare.com. Each Cloudflare account gets unique nameservers — use what they show you, not what's in this article.

Where to change nameservers at popular registrars:

  • Namecheap → Domain List → Manage → Nameservers section → "Custom DNS" → paste both
  • GoDaddy → My Products → Domains → click your domain → DNS → Nameservers → Change → "I'll use my own"
  • Reg.ru → Услуги → Домены → click your domain → DNS-серверы → Указать свои
  • Hostinger → Hosting → Domains → click your domain → DNS / Nameservers → Change Nameservers
  • Porkbun → Domain Management → click your domain → Authoritative Nameservers → edit

Save the change. Email Cloudflare when both nameservers are updated — actually they auto-detect within minutes.

Step 5: Wait for activation (5-60 minutes)

DNS propagation usually takes 5-30 minutes from Cloudflare's side. Cloudflare emails you "Status: Active" when it's done. While waiting, you can configure settings — they apply once active.

Verify propagation in terminal:

dig yoursite.com NS
# Should return *.ns.cloudflare.com (your assigned ones)

Step 6: SSL/TLS mode (CRITICAL — wrong choice breaks site)

Dashboard → SSL/TLS → Overview. Pick mode based on what's on your server right now:

If your server has... Pick mode Why
Let's Encrypt or any SSL cert Full (strict) End-to-end encryption, cert validated
SSL cert but self-signed Full End-to-end encryption, cert not validated
No SSL configured Flexible Cloudflare↔User encrypted, Cloudflare↔Server plain HTTP
Anything else Don't pick Off Off disables HTTPS entirely — bad

Then SSL/TLS → Edge Certificates → toggle ON:

  • Always Use HTTPS — auto HTTP→HTTPS redirect
  • Automatic HTTPS Rewrites — fixes mixed content warnings
  • HSTS — only after confirming everything works for a week (it's irreversible for 6+ months)

5 WAF rules that block 80% of indie-site bot traffic

The Free plan allows 5 custom WAF rules. With careful selection, these five cover the bot patterns indie sites see most often. Add via Security → WAF → Custom rules → + Create rule.

Rule 1: Challenge datacenter IPs

The pattern from SoseCore's logs: single hits to / from ColoCrossing, GCP, AWS, OVH, DigitalOcean. These are scrapers, not users. Real users almost never browse from datacenter IPs.

Field: AS Num
Operator: is in
Value: 36352, 396982, 15169, 16509, 14061, 16276, 20473

(36352 = ColoCrossing, 396982 = ColoCrossing,
 15169 = Google Cloud, 16509 = Amazon AWS,
 14061 = DigitalOcean, 16276 = OVH, 20473 = Choopa/Vultr)

Action: Managed Challenge

Use Managed Challenge not Block — some legitimate traffic (server-rendering services, monitoring tools) does come from these networks. Challenge lets them through if they pass.

Rule 2: Challenge missing User-Agent

Every real browser sends a User-Agent header. Scrapers using curl, wget, or python-requests without setting one don't.

Field: User Agent
Operator: equals
Value: (empty string)

Action: Block

Block (not challenge) here because there's no legitimate reason for an empty User-Agent on production traffic.

Rule 3: Challenge known scraper User-Agents

Some scrapers don't hide what they are. Block them by name.

Field: User Agent
Operator: contains
Value: python-requests
Or: contains "Go-http-client"
Or: contains "scrapy"
Or: contains "PostmanRuntime" (during prod, not staging)
Or: contains "wget"
Or: contains "curl"

Action: Managed Challenge

Use OR conditions to combine in a single rule. Managed Challenge instead of Block lets legitimate uses through (some monitoring tools embed these strings).

Rule 4: Rate limit aggressive paths

Login forms, search endpoints, and API routes are favorite targets for credential stuffing and abuse. Cap them per-IP.

Field: URI Path
Operator: contains
Value: /login
Or: contains /api/
Or: contains /search

Action: Block
Threshold: 30 requests per minute per IP
Duration: 10 minutes

30 per minute is generous for legitimate use, brutal for credential stuffing. Adjust threshold based on your actual traffic patterns after a week of monitoring.

Rule 5: Geo-block sanctioned regions

Depending on your jurisdiction, some countries are legally off-limits. Even if not, certain regions account for most spam/abuse without bringing real customer traffic.

Field: Country
Operator: is in
Value: KP, IR, SY  (always-sanctioned)
Optional add: CN, RU  (if no real customers there)

Action: Block

Don't block at the geographic level blindly — check your analytics first. If 5% of legitimate purchases come from a region, blocking it is a self-inflicted wound.

Speed wins to enable while you're here

Three free settings to enable in Speed → Optimization:

  • Auto Minify: HTML, CSS, JS — strips comments and whitespace
  • Brotli compression: ON — better than gzip for text content
  • Early Hints: ON — speeds up LCP by sending resource hints early

Skip Rocket Loader on Free — it sometimes breaks complex JavaScript apps. Test before enabling.

Under Caching → Configuration:

  • Browser Cache TTL: 4 hours (default is fine)
  • Caching Level: Standard
  • Don't enable "Cache Everything" — dynamic pages (carts, checkout, dashboards) will cache user A's content and serve it to user B. Disaster.

Verification after setup

Run these five checks before considering setup complete:

  1. Nameservers active: dig yoursite.com NS shows *.ns.cloudflare.com
  2. Cloudflare proxying: dig yoursite.com A shows Cloudflare IP (104.x.x.x or 172.x.x.x), not your real server IP
  3. HTTPS works: open https://yoursite.com → green lock, no warnings
  4. Email works: send test email to yourself, confirm delivery
  5. Site renders: open in incognito, navigate 5 pages, confirm no errors

If anything broke: most likely culprit is SSL mode (wrong choice gives 521 errors) or an MX record orange-clouded by accident. Fix the specific issue rather than disabling Cloudflare wholesale.

Monitoring after setup

Visit Security → Events weekly to see what's being blocked. Patterns to look for:

  • Sudden spike in challenges: usually a scraper running a campaign, your rules are working
  • Many same-IP attempts: targeted attack, consider adding the IP to a manual block list
  • Real users being challenged: a rule is too aggressive, tune the threshold

The dashboard also shows top countries, top User-Agents, and top URLs hit. After a month, you'll know exactly what bots target your specific site and can refine the five WAF rules accordingly.

Final reality check

Cloudflare Free tier blocks the most obvious 70-80% of bot traffic. Determined attackers using rotating residential proxies, captcha-solving services, and properly-randomized User-Agents will get through — that's what Pro and Business tiers exist for.

For an indie marketplace handling under 100k visits per month, Free is the right choice. Upgrade when your traffic numbers justify the $25/month Pro plan, not before. The bot fog you're seeing now is the cost of being public — Cloudflare just trims it to a manageable level.

Set up today. Check the Security Events panel in a week. You'll see the noise drop by an order of magnitude without any of your real users being affected.

Comments (0)

No comments yet

Be the first to share your thoughts!

Please log in to leave a comment.

Your Cart

We use cookies

We use cookies to operate the Marketplace and, with your consent, to measure traffic (Google Analytics) and personalize ads (Facebook Pixel). Read our Privacy Policy.

Cookie preferences

Choose which cookie categories you accept. Necessary cookies are always on because the Marketplace cannot operate without them. You can change these settings any time via the "Cookie preferences" link in the footer.

Necessary
Always on

Session, login, CSRF protection, cart contents. Required for the site to function.

Functional

Language preference, theme, recently viewed items.

Analytics

Google Analytics 4 — anonymized traffic and usage statistics. Helps us improve the Marketplace.

Marketing

Facebook Pixel — conversion tracking for advertising campaigns on Facebook and Instagram.