Cloudflare
Cloudflare setup, security and Workers
We set up Cloudflare as the edge platform it is — not just a CDN in front of your origin. WAF, Workers, R2, D1 and Pages configured, secured and monitored by people who've done it before.

What Cloudflare actually does
When the platform works for you
- Edge: WAF, Workers, R2 and Pages — from one platform
- Zero Trust: VPN replacement for internal dashboards
- GDPR: EU data residency for most products
- Audit: Continuous configuration review and updates
How we use Cloudflare
Cloudflare is more powerful than most realise.
Cloudflare is more powerful than most teams realise. Most of the customers we meet use 10% of the platform — DNS and a bit of CDN cache — and pay for the rest without seeing the value. We set Cloudflare up so the whole edge stack works for you: WAF, Bot Management, Workers for API routing, R2 for cheap object storage, and Zero Trust for internal access without a VPN.
We've configured Cloudflare for SaaS platforms, e-commerce, media sites and B2B portals. We know where the sharp edges are: which WAF rules break checkout, when Workers make sense over a regular backend, how to set up R2 correctly with presigned URLs without leaking keys. You don't get a checklist — you get a configuration that fits your actual traffic.
And we stick around. Cloudflare's platform changes quickly; new products (Hyperdrive, Vectorize, Containers) and new attack patterns appear continuously. We have an agreement with our customers to keep the configuration sharp — not just set it up and disappear.
What we deliver
The full edge stack, set up correctly.
DNS, WAF, Workers, R2, Pages and Zero Trust — as one coherent configuration.
DNS, security and WAF
Clean DNS migration without downtime, WAF rules tailored to your app, Bot Management against credential stuffing and scraping, and rate limiting that doesn't block legitimate users.
Cloudflare Workers and API routing
Edge functions for auth, A/B tests, geo-routing, image optimisation and lightweight API endpoints. We write them in TypeScript with tests and deploy via Wrangler in your CI.
R2, D1 and Hyperdrive
Object storage without egress fees (R2), serverless SQLite at the edge (D1), and connection pooling for your Postgres (Hyperdrive). Set up with a backup strategy and IaC.
Zero Trust and Access
Replace the VPN with Cloudflare Access in front of internal dashboards, Git servers and legacy apps. SSO via Microsoft, Google or Okta, with audit logging and device posture checks.
Cache strategy and performance
Correct cache configuration per route, image transformation, Argo Smart Routing, and analysis of what's actually hitting cache. We measure before and after — you get numbers, not marketing.
Migration from another CDN
Migration from Akamai, Fastly, AWS CloudFront or Imperva to Cloudflare without lost traffic. We plan the DNS cutover, run in parallel for a period, and monitor the rollout.
Things to know
Sharp edges of the Cloudflare platform.
Plan tier and pricing
Free and Pro cover many use cases, but Business or Enterprise is required for parts of WAF, Bot Management and a guaranteed SLA. We review your real needs — not a salesperson's checklist — and propose the lowest tier that covers them so you don't pay for unused features.
Workers vs. traditional backend
Workers are great for short, latency-sensitive logic (auth, routing, transformations). They're not the answer to everything: heavy database calls, long-running jobs and complex transactions belong on Vercel Functions, AWS Lambda or a regular server. We pick per use case.
WAF and false positives
An aggressive WAF can break checkout, file upload and admin panels. We always start in log-only mode, build an allowlist for your own flows, and turn blocking on once we know what the rules actually catch. It takes 2–4 weeks to do right — but it saves you a Black Friday where 30% of buyers get blocked.
Multi-cloud and lock-in
Cloudflare-specific features (Workers, R2, D1) create a mild lock-in. We design critical business logic to be portable — using open APIs where possible and keeping edge code thin. You shouldn't end up with an application that can only run in one place.
FAQ
What people usually ask.
We already use Cloudflare — can you just optimise it?
Yes. We typically start with a Cloudflare audit: we review zone settings, WAF rules, cache configuration, Workers and R2/D1 usage. You get a prioritised report of what can be tightened — security-wise, performance-wise and cost-wise — and you can choose to implement it yourself or have us do it.
Can you migrate us from AWS CloudFront or Fastly?
Yes, and we've done it several times. We plan the DNS cutover carefully (typically via gradual weighting on Route 53 or NS1), run in parallel for a period so we can roll back if something breaks, and monitor traffic, error rates and cache hits throughout. A typical migration takes 3–6 weeks from first conversation to fully rolled out.
When do Workers make sense instead of a server?
Workers are great for things that need to happen close to the user with low latency and no cold starts: auth checks, geo-routing, A/B test logic, image transformations and lightweight API endpoints. They're less suited to long-running operations, heavy database calls without Hyperdrive, or complex transactions involving multiple systems. We assess per use case and are happy to mix the two.
Can you operate Cloudflare for us on an ongoing basis?
Yes. We offer a monthly operations agreement where we monitor errors, update WAF rules, maintain Workers, evaluate new Cloudflare products and report quarterly. It's typically cheaper than having an in-house Cloudflare specialist, and you benefit from the experience we get from every other platform we operate.
Is Cloudflare GDPR-compliant?
Yes, but it requires correct configuration. Cloudflare offers EU data residency for most products, and we set the zone up so data is processed within the EU where possible. We arrange the data processing agreement with Cloudflare and document the data flow. Note that some features (especially ML-based products) may still involve US infrastructure — we review this with you if you have strict requirements.
Related services
- Vercel: Hosting, preview deploys and edge functions set up so Next.js delivers what Vercel promises.
- AWS: ECS, Lambda, RDS, S3 and VPC — designed, codified in Terraform and operated with observability from day one.
- Cloud migration: From on-prem, hosted servers or another cloud to a modern stack — without lost data and without long downtimes.