Using Cloudflare
From Spiffy Stores Knowledge Base
Using Cloudflare With Your Store: Important Security Requirements
If you choose to place your store behind Cloudflare, it is important to understand how Cloudflare changes the way requests reach your site. Cloudflare acts as a reverse proxy: every request to your store first passes through Cloudflare’s network and is then forwarded to our servers from a Cloudflare address.
This setup provides benefits such as improved performance, caching and basic DDoS protection. However, Cloudflare does not block malicious requests such as SQL injection attempts or bot-driven probing out of the box. Customers who enable Cloudflare must configure Cloudflare’s security tools so that harmful traffic is stopped before it reaches their store.
This article explains why these additional steps are required and the settings we recommend.
Why Cloudflare affects request filtering
When Cloudflare is enabled:
- All incoming connections arrive from Cloudflare IP addresses rather than the visitor’s true IP, so our servers never see the visitor’s address at the network level.
- An attacker can add a forged "X-Forwarded-For" header to a request before it reaches Cloudflare. Cloudflare appends the real client address to that header rather than replacing it, so the forged value is still present when the request reaches us.
- Our network firewall cannot identify or block the true source of an attack because every connection it sees comes from Cloudflare.
- Logs that take the client address from request headers may record the fake IP addresses supplied by the attacker.
Because of these behaviours, our firewall can only block Cloudflare’s IP ranges, not individual attackers. Security decisions must be enforced within Cloudflare before the request reaches our servers.
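The following added example (not Spiffy Stores or Cloudflare code) shows, in Python, what an origin-side request log sees in the two cases described above: a request that really came through Cloudflare carrying a forged X-Forwarded-For entry in front of the address Cloudflare appended, and a request sent straight to the origin with forged headers. The Cloudflare network and the addresses used are constructed placeholders; a real check would load the list Cloudflare publishes at https://www.cloudflare.com/ips/. The point is that a client address taken from headers is only meaningful once the TCP peer has been verified as Cloudflare, and that the naive reading records exactly the fake addresses warned about above.

```python
import ipaddress

# Cloudflare publishes its edge address ranges at https://www.cloudflare.com/ips/.
# The single network below is a constructed stand-in for that list (assumption).
CLOUDFLARE_RANGES = [ipaddress.ip_network("192.0.2.0/24")]


def naive_client_ip(peer_ip: str, headers: dict) -> str:
    """What a log format or application that 'trusts X-Forwarded-For' typically
    does: take the first entry. That entry is whatever the sender put there."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return peer_ip


def is_cloudflare_peer(peer_ip: str) -> bool:
    """True when the TCP peer address falls inside a Cloudflare range."""
    peer = ipaddress.ip_address(peer_ip)
    return any(peer in net for net in CLOUDFLARE_RANGES)


def verified_client_ip(peer_ip: str, headers: dict) -> str:
    """Only believe proxy headers when the TCP peer is a Cloudflare address.
    Cloudflare sets CF-Connecting-IP to the address it accepted the connection
    from and appends that same address as the last X-Forwarded-For entry;
    anything earlier in X-Forwarded-For came from the client and is untrusted."""
    if not is_cloudflare_peer(peer_ip):
        # Direct connection to the origin (for example via a "DNS only" record):
        # every header is attacker-controlled, so the peer address is the truth.
        return peer_ip
    cf_ip = headers.get("CF-Connecting-IP")
    if cf_ip:
        return cf_ip.strip()
    xff = headers.get("X-Forwarded-For", "")
    # Rightmost entry is the one the trusted proxy appended.
    return xff.split(",")[-1].strip() if xff else peer_ip


def demo() -> dict:
    """Two constructed requests. Returns {case: (naive_answer, verified_answer)}."""
    # Real path: attacker 198.51.100.23 sends a forged first entry 203.0.113.9;
    # Cloudflare (peer 192.0.2.10) appends the real address and sets CF-Connecting-IP.
    via_cloudflare = ("192.0.2.10", {
        "X-Forwarded-For": "203.0.113.9, 198.51.100.23",
        "CF-Connecting-IP": "198.51.100.23",
    })
    # Bypass path: the same attacker connects straight to the origin and forges
    # both headers to point at someone else.
    direct_to_origin = ("198.51.100.23", {
        "X-Forwarded-For": "203.0.113.9",
        "CF-Connecting-IP": "203.0.113.9",
    })
    return {
        "via_cloudflare": (naive_client_ip(*via_cloudflare), verified_client_ip(*via_cloudflare)),
        "direct_to_origin": (naive_client_ip(*direct_to_origin), verified_client_ip(*direct_to_origin)),
    }


if __name__ == "__main__":
    for case, (naive, verified) in demo().items():
        print(f"{case}: naive log says {naive}, verified says {verified}")
```

Note that even the verified path only tells the application layer who the client was. A network firewall in front of the origin sees 192.0.2.10 for every request in the Cloudflare case, which is why blocking has to happen inside Cloudflare rather than at our perimeter.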
Cloudflare does not filter malicious requests by default
Cloudflare’s default configuration includes:
- Reverse proxy and caching
- Basic DDoS protection
- TLS termination
However, it does not automatically block:
- SQL injection attempts
- Path traversal or remote file inclusion
- Script injection
- Malicious bots and crawlers
- Requests with forged IP headers
These protections require additional configuration in Cloudflare’s dashboard.
Required Cloudflare settings for secure operation
If you decide to use Cloudflare, we strongly recommend enabling the following features.
1. Enable the Cloudflare Web Application Firewall (WAF)
The Free plan includes only a small free managed ruleset. Pro, Business and Enterprise plans include Cloudflare’s full Managed Rules.
Turn on:
- Cloudflare OWASP Core Ruleset
- Cloudflare Managed Ruleset, which contains the SQL injection, XSS and RFI rules
These rules block common attacks before they reach our servers. After enabling them, review Security Events in the Cloudflare dashboard for a few days to catch legitimate store traffic being blocked, particularly by the OWASP ruleset, which scores requests and can be tuned.
2. Create custom WAF rules (previously called Firewall Rules)
Customers on all plans, including Free, can create simple rules such as blocking requests whose path or query string contains:
- Semicolons
- SQL phrases such as "union select" or "sleep("
- Path traversal sequences such as "../"
Match on the lower-cased, URL-decoded path or query string rather than the raw request, otherwise an encoded "..%2F" will not match a rule looking for "../". Avoid bare words such as "select" or "sleep": on a store they match legitimate searches and product names (for example "sleepwear"), and a rule with a Block action will turn those customers away. Test a new rule with a Managed Challenge action first and check Security Events for what it matched before switching it to Block.
These rules stop many low-effort automated attacks but do not replace the managed rulesets.
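To show why the rule wording matters, here is an added Python example (not Cloudflare’s rule engine or Spiffy Stores code) that applies the rule exactly as worded in the list above, and a tighter version, to a handful of constructed request URLs. The URLs, the keyword list and the regular expressions are this example’s own; the Cloudflare expression in the comment is an untested illustration of the same logic in Cloudflare’s rule language.

```python
import re
from urllib.parse import unquote, unquote_plus, urlsplit

# The bare keywords the naive rule blocks on sight.
SQL_WORDS = ("union", "select", "sleep")

# Tighter patterns applied to the decoded, lowercased path and query:
# "union ... select" and "sleep(" as phrases rather than bare words, and ".."
# only as a whole path segment.
SQL_PATTERNS = [
    re.compile(r"\bunion\b\s*(all\s+)?\bselect\b"),    # UNION-based injection
    re.compile(r"\b(sleep|pg_sleep|benchmark)\s*\("),  # time-based blind probes
]
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")

# Roughly the same logic as a Cloudflare custom-rule expression (assumption, untested here):
#   (lower(url_decode(http.request.uri.query)) contains "union select") or
#   (lower(url_decode(http.request.uri.query)) contains "sleep(") or
#   (url_decode(http.request.uri.path) contains "../")


def naive_block(url: str) -> bool:
    """The rule as literally described: raw URL contains ';', a bare SQL
    keyword, or the literal string '../'. No decoding, no word boundaries."""
    raw = url.lower()
    return ";" in raw or any(w in raw for w in SQL_WORDS) or "../" in raw


def normalize(s: str, plus_is_space: bool, rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), then lowercase, so that '..%2F'
    and the double-encoded '%252e%252e/' are seen as the origin will see them."""
    decode = unquote_plus if plus_is_space else unquote
    for _ in range(rounds):
        decoded = decode(s)
        if decoded == s:
            break
        s = decoded
    return s.lower()


def tighter_block(url: str) -> bool:
    """Decode first, then match phrases and whole '..' segments."""
    parts = urlsplit(url)
    path = normalize(parts.path, plus_is_space=False)
    query = normalize(parts.query, plus_is_space=True)
    if TRAVERSAL.search(path) or TRAVERSAL.search(query):
        return True
    return any(p.search(path) or p.search(query) for p in SQL_PATTERNS)


# Constructed sample requests: two legitimate store URLs, two injection
# attempts, and two percent-encoded traversal attempts.
SAMPLE_URLS = [
    "/search?q=best+sleep+mask",
    "/collections/select-edition",
    "/search?q=1%27+union+select+null--",
    "/search?q=1%27+and+sleep%285%29--",
    "/assets/..%2F..%2F..%2Fetc%2Fpasswd",
    "/assets/%252e%252e/%252e%252e/etc/passwd",
]


def evaluate(urls=SAMPLE_URLS) -> dict:
    """Return {url: (naive_blocked, tighter_blocked)} for each sample."""
    return {u: (naive_block(u), tighter_block(u)) for u in urls}


if __name__ == "__main__":
    for url, (naive, tight) in evaluate().items():
        print(f"naive={'BLOCK' if naive else 'pass '}  tighter={'BLOCK' if tight else 'pass '}  {url}")
```

Run as-is, the naive rule blocks both legitimate URLs and lets both encoded traversal attempts through, while the decoded phrase matching gets all six right. The decoding loop is bounded on purpose: an unbounded "decode until stable" on attacker input is itself a way to burn CPU.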
3. Limit or rate-limit high-risk URLs
Pages such as /search, /cart, /login and admin endpoints should be protected with rate limiting rules to prevent abuse, for example credential stuffing against /login or rapid automated searches.
4. Enable Bot Protection
Turn on Bot Fight Mode (Free plan) or Super Bot Fight Mode (Pro and Business plans; Enterprise plans have Bot Management) to stop unwanted scraping and automated probing.
5. Keep your DNS mode set to "Proxied"
Only proxied records (orange cloud) pass through Cloudflare’s security layer. DNS records set to "DNS only" (grey cloud) bypass Cloudflare entirely, and a record that exposes your origin address lets an attacker connect straight to the store and skip every rule configured above.
Our responsibility vs your responsibility
Spiffy Stores provides secure hosting, firewalls and intrusion protection. However, when you choose to insert a third-party proxy such as Cloudflare between your customers and your store, Cloudflare becomes responsible for processing and filtering incoming traffic.
Cloudflare must therefore be configured correctly by you, the site owner. If Cloudflare is misconfigured, malicious traffic will be passed straight through to your store.
If we detect malicious behaviour and attacks originating from the Cloudflare network, we will be forced to block those parts of the Cloudflare network. Unfortunately this may result in blocks that affect legitimate traffic, but in this situation we have no other option. Cloudflare acts as a magnifier for these attacks: traffic from a relatively small number of attacker IP addresses may be spread across a far wider range of Cloudflare addresses, which makes such traffic much harder to control.
We are unable to configure or manage Cloudflare settings on your behalf.
Summary
Cloudflare is a powerful tool, but it must be configured properly. The default settings do not block SQL injection, bot attacks or forged request headers. To ensure your store remains secure:
- Enable Cloudflare’s WAF and Managed Rules
- Add custom WAF rules for common attack patterns, matched on decoded input and tested before they block
- Rate-limit high-risk URLs such as /login and /search
- Use Bot Protection
- Keep traffic proxied through Cloudflare
If you have further questions about how Cloudflare interacts with your store, please contact our support team.