User Documentation

Set up your Cloudflare CDN

You can use a CDN to deliver your site’s content to users more quickly.

Before you begin

You need:

  • An up-and-running project
  • A Cloudflare CDN subscription

1. Avoid double-caching

To avoid stale content that can’t be cleared, avoid using Cloudflare with HTTP caching.

For routes where Cloudflare is used, disable HTTP caching using the following configuration:

    # Inside the route definition that Cloudflare serves
    type: upstream
    cache:
        enabled: false

2. Set up your Cloudflare CDN

To properly configure your Cloudflare CDN, see the official Cloudflare documentation on how to get started. Then set up a custom domain. For the DNS challenge to succeed, have your CDN point to your project’s target URL.

3. Handle apex domains

To start routing client traffic through Cloudflare, you need to create CNAME records for your domain names through your DNS provider.

However, CNAME records can’t be used for apex domains. As a workaround, Cloudflare offers CNAME flattening.

4. Mitigate security risks

Like all networks exposed to the internet, your origin server may become the target of security attacks. The best way to protect your site from threats like on-path attacks, spoofing attacks, or credential stuffing is to configure mutual TLS (mTLS).

mTLS does more than have both parties in a connection authenticate each other through the TLS protocol. It also ensures that requests can’t be sent directly to the origin server. Instead, requests must transit through Cloudflare first.

If you can’t use mTLS, you can still take the following measures to protect your site from on-path attacks:

  1. Enable full strict SSL/TLS encryption.
    Any communication between a client and Cloudflare or between Cloudflare and your server is then encrypted through HTTPS. In addition, Cloudflare checks that your server’s TLS certificate was issued by a trusted certificate authority. This confirms the client is truly communicating with your server.

  2. Enable HTTP strict transport security (HSTS).
    This ensures that your HTTPS connections can’t be downgraded to HTTP.
