Cloudflare Before You Need It

Our first production site went down. Not for long — long enough. We spent two hours diagnosing what turned out to be a traffic spike from a single Reddit post. Nothing malicious. Nothing unusual. Just more requests than the server expected, and nothing between the server and the internet to absorb them.

That was the last time we launched anything without Cloudflare in front of it.

What It Actually Does

Cloudflare sits between your domain and your server. Traffic comes in through their network, gets filtered and cached, and what remains reaches your origin. That layer does several things at once: it absorbs volumetric attacks before they touch your infrastructure, caches static content so your server handles fewer requests, terminates SSL so you do not manage certificates yourself, and gives you a dashboard with visibility into what is hitting your site.

The free tier covers all of that. There is no trial period. You do not need a credit card.

Setting It Up

The process is a nameserver change. You point your domain's nameservers to Cloudflare, move your DNS records into their dashboard, and traffic flows through them automatically. The nameserver change can take up to 48 hours to propagate across the internet. SSL provisioning happens during that window.

Do this before you launch, not after. Doing it after the site is live introduces a gap where your configuration is untested and your DNS is in transition. Doing it before costs 20 minutes and removes that risk entirely.
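A pre-launch check for the setup described above, as an added example that is not part of the original post: it confirms that every NS record for the domain points at Cloudflare and that a response actually came back through Cloudflare's network. The nameserver names, the CF-RAY value and the headers are constructed samples, and example.com is a placeholder.

```shell
#!/bin/sh
# Added example: pre-launch checks for a domain moved onto Cloudflare.
# Live use (needs network; example.com is a placeholder):
#   dig +short NS example.com | ns_on_cloudflare && echo "delegated"
#   curl -sI https://example.com/ | via_cloudflare && echo "proxied"

# Succeeds only if every NS record on stdin is a Cloudflare nameserver.
# An empty answer, or a mix of old and new nameservers, fails.
ns_on_cloudflare() {
    awk '
        NF == 0 { next }
        { total++; if (tolower($1) ~ /\.ns\.cloudflare\.com\.?$/) cf++ }
        END { exit !(total > 0 && cf == total) }
    '
}

# Succeeds if the response headers on stdin carry both "Server: cloudflare"
# and a CF-RAY id. Strips the CRLF line endings that curl -I prints.
via_cloudflare() {
    tr -d '\r' | awk -F': *' '
        tolower($1) == "server" && tolower($2) == "cloudflare" { server = 1 }
        tolower($1) == "cf-ray" && $2 != "" { ray = 1 }
        END { exit !(server && ray) }
    '
}

# Prints the CF-Cache-Status value (HIT, MISS, DYNAMIC, ...) or "none".
# MISS means this request was fetched from the origin server.
cache_status() {
    tr -d '\r' | awk -F': *' '
        tolower($1) == "cf-cache-status" { print toupper($2); found = 1 }
        END { if (!found) print "none" }
    '
}

# Constructed samples so the script runs offline.
SAMPLE_NS_OK='ada.ns.cloudflare.com.
bob.ns.cloudflare.com.'
SAMPLE_NS_MIXED='ada.ns.cloudflare.com.
ns1.old-registrar.example.'
SAMPLE_HEADERS=$(printf 'HTTP/2 200\r\nserver: cloudflare\r\ncf-ray: 0000000000000000-LHR\r\ncf-cache-status: MISS\r\n')

check() {  # $1 = NS records, $2 = response headers
    if printf '%s\n' "$1" | ns_on_cloudflare; then echo "NS: all on Cloudflare"
    else echo "NS: not fully delegated yet"; fi
    if printf '%s\n' "$2" | via_cloudflare; then
        echo "HTTP: via Cloudflare, cache status $(printf '%s\n' "$2" | cache_status)"
    else echo "HTTP: response did not come through Cloudflare"; fi
}
check "$SAMPLE_NS_OK" "$SAMPLE_HEADERS"
check "$SAMPLE_NS_MIXED" "$SAMPLE_HEADERS"
```

Run the live commands again after the nameserver change has propagated; a mixed NS answer means the transition is still in progress.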

What the Free Tier Covers

DDoS mitigation handles most volumetric attacks automatically without any configuration from you. The CDN serves cached pages faster to visitors who are geographically distant from your server. Basic firewall rules let you block traffic by country, IP range, or user agent if you have a specific problem to address. The analytics show you request volume, cache hit rates, and threat activity over time.

The paid tiers add a full web application firewall, more granular rate limiting, and Workers — serverless compute that runs at Cloudflare's edge rather than your server. Most starting businesses do not need any of that. We have upgraded specific properties when we needed a specific capability. We have never upgraded because the free tier was insufficient in general.

What It Is Not

Cloudflare is not a substitute for a reliable host. It absorbs attacks and caches content, but if your server is offline, Cloudflare will serve cached pages where it has them and errors where it does not. The protection it provides is meaningful. It is not unlimited.

It also does not fix a slow application. If your server generates pages slowly, Cloudflare caches the result and serves it quickly to subsequent visitors. But the first request still hits your origin. Performance problems that originate in your code or your database are still your problems.

The Practical Case

We have put several dozen properties behind Cloudflare over the years. A few of them have absorbed real attack traffic. Most of them have never faced anything more serious than the occasional bot scan. The value for the ones that have never needed it is not zero: SSL termination, faster page loads from caching, and one dashboard across all of them are operationally useful regardless of threat activity.

The cost is twenty minutes and nothing else. Set it up before you launch.