Infrastructure | Feb 2026 | 8 min

Cloudflare for production web applications: beyond the free tier defaults

Cloudflare's defaults are conservative. This covers cache rules, page rules, transform rules, Workers for edge logic, and the specific settings that reduced TTFB by 60% on a multilingual matrimony platform serving traffic across India.

Setting Cloudflare's proxy switch to yellow is only the first step. By default, Cloudflare treats dynamic endpoints conservatively: any request carrying cookies or a query string is passed straight through to your origin server, which nullifies caching and exposes your system to severe database load during traffic events.

Custom Cache Rule Engineering

To optimize latency, distinguish clearly between static application assets, semi-dynamic pages, and completely personalized routes. Create explicit Cloudflare Cache Rules to override the global Cache-Control headers of your application.

Cloudflare Cache Rule Expression
(http.request.uri.path starts_with "/assets/") or
(http.request.uri.path starts_with "/fonts/") or
(http.request.uri.path in {"/faq", "/about", "/terms"})

Action: Eligible for cache -> Override origin: Cache Level (Cache Everything)
Edge TTL: 1 month

Using this approach, cache hits for stable, content-heavy paths are served entirely from the edge and never invoke the PHP execution engine, lowering resource overhead on our central database.
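The same three-tier split, expressed as a Worker so the policy can be unit-tested before it is encoded as dashboard Cache Rules. This is an added example, not code from the article; the path prefixes and page list mirror the rule above, while the session cookie name `PHPSESSID` and the `cachePolicyFor` / `handleWithCachePolicy` names are assumptions. The one check the dashboard rule above does not make, and which matters most, is the cookie bypass: an authenticated request for `/faq` must never populate a cache entry that anonymous users then receive.

```javascript
// Added example (not from the article). Mirrors the Cache Rule expression above
// and adds a session-cookie bypass so personalized HTML is never cached.
const STATIC_PREFIXES = ['/assets/', '/fonts/'];
const SEMI_DYNAMIC_PATHS = new Set(['/faq', '/about', '/terms']);
const SESSION_COOKIE = 'PHPSESSID'; // assumed session cookie name for the PHP origin
const ONE_MONTH = 30 * 24 * 3600;  // the article's rule uses a 1 month edge TTL

// Parse a Cookie header into a name -> value map (presence check only, no decoding).
function parseCookies(cookieHeader) {
  const jar = {};
  for (const part of (cookieHeader || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx > 0) jar[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Decide the edge cache policy for one request.
// Returns { tier, cacheable, edgeTtl } with edgeTtl in seconds.
function cachePolicyFor(method, urlString, cookieHeader) {
  const path = new URL(urlString).pathname;
  const cookies = parseCookies(cookieHeader);

  // Only safe methods are cacheable; a POST to /about must still reach the origin.
  if (method !== 'GET' && method !== 'HEAD') {
    return { tier: 'personalized', cacheable: false, edgeTtl: 0 };
  }
  // Static build artifacts carry no per-user content, so cookies are irrelevant here.
  if (STATIC_PREFIXES.some((p) => path.startsWith(p))) {
    return { tier: 'static', cacheable: true, edgeTtl: ONE_MONTH };
  }
  // A session cookie means the HTML may embed per-user data; caching it would serve
  // one user's page to everyone. Bypass regardless of path.
  if (SESSION_COOKIE in cookies) {
    return { tier: 'personalized', cacheable: false, edgeTtl: 0 };
  }
  // Anonymous request for a stable marketing page: cache everything.
  if (SEMI_DYNAMIC_PATHS.has(path)) {
    return { tier: 'semi-dynamic', cacheable: true, edgeTtl: ONE_MONTH };
  }
  return { tier: 'personalized', cacheable: false, edgeTtl: 0 };
}

// Worker entry: cacheEverything / cacheTtl are Cloudflare's `cf` fetch options and
// override the origin's Cache-Control at the edge. Non-cacheable requests are
// forwarded unchanged, so the origin's own headers govern them.
async function handleWithCachePolicy(request) {
  const policy = cachePolicyFor(request.method, request.url, request.headers.get('Cookie'));
  if (!policy.cacheable) return fetch(request);
  return fetch(request, { cf: { cacheEverything: true, cacheTtl: policy.edgeTtl } });
}
```

Keeping the decision in `cachePolicyFor` rather than inline in the handler is what makes it testable: the cases worth pinning down are a cookie-bearing request for a semi-dynamic page (must bypass) and a cookie-bearing request for a static asset (may still be cached).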

Bypassing Origin Overhead

To maintain cache hit rates on query-parameterized views, strip irrelevant parameters at the edge before the request reaches NGINX. Query parameters used solely for frontend analytics (such as gclid, fbclid, and the utm_ family) create distinct cache keys for identical HTML content, causing unnecessary cache misses.

Cloudflare Transform Rule (Query String Rewrite)
Expression: http.request.uri.query contains "utm_"
Action: Rewrite to...
Path: http.request.uri.path
Query String: regex_replace(http.request.uri.query, "utm_[^&]+&?", "")
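The same normalization done in a Worker, where the result can be asserted on rather than checked by eye in the dashboard. This is an added example, not the article's rule; the parameter list is taken from the prose above (utm_ prefix, gclid, fbclid) and the function names are assumptions. It goes slightly beyond the transform rule in two ways: it also sorts the surviving parameters so that `?b=1&a=2` and `?a=2&b=1` share one cache key, and it never leaves a dangling `&` or `?` behind, which a plain regex strip of `utm_[^&]+&?` does when the tracking parameter is last.

```javascript
// Added example (not from the article): tracking-parameter strip plus parameter
// ordering, producing one canonical URL per distinct piece of content.
const TRACKING_PREFIXES = ['utm_'];
const TRACKING_EXACT = new Set(['gclid', 'fbclid']); // extend as needed

function isTrackingParam(name) {
  return TRACKING_EXACT.has(name) || TRACKING_PREFIXES.some((p) => name.startsWith(p));
}

// Return a canonical URL string: tracking params removed, remaining params sorted by
// name (stable sort keeps repeated names such as a=1&a=2 in their original order).
function canonicalizeUrl(urlString) {
  const url = new URL(urlString);
  const kept = [];
  for (const [name, value] of url.searchParams) {
    if (!isTrackingParam(name)) kept.push([name, value]);
  }
  kept.sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0));
  const query = new URLSearchParams(kept).toString();
  url.search = query ? `?${query}` : '';
  return url.toString();
}

// Worker entry: rewrite the request URL before cache lookup and origin fetch, so
// both see the canonical form. Untouched URLs are forwarded as-is.
async function handleCanonicalized(request) {
  const canonical = canonicalizeUrl(request.url);
  if (canonical === request.url) return fetch(request);
  return fetch(new Request(canonical, request));
}
```

Because the rewrite happens before the cache lookup, the analytics parameters never reach the origin either, so the application's own logging of them has to happen client-side if it is still wanted.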

Edge Security Header Injection

Rather than burdening application layers with generating passive HTTP headers, inject strict security policies at the CDN edge using a lightweight Cloudflare Worker. This guarantees that headers are consistently set, even on cached static items.

cloudflare-worker.js
addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
  const response = await fetch(request)
  const newHeaders = new Headers(response.headers)

  // Set baseline browser security headers at the edge. Note that this CSP still
  // permits inline scripts and any HTTPS origin; tighten it per application.
  newHeaders.set('Content-Security-Policy', "default-src 'self' https: 'unsafe-inline';")
  newHeaders.set('X-Frame-Options', 'DENY')
  newHeaders.set('X-Content-Type-Options', 'nosniff')
  newHeaders.set('Referrer-Policy', 'strict-origin-when-cross-origin')
  newHeaders.set('Strict-Transport-Security', 'max-age=63072000; includeSubDomains; preload')

  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: newHeaders
  })
}
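A check to run against the Worker's output, in a deploy pipeline or a unit test, so that a header the Worker stops setting is caught rather than silently lost. This is an added example and not part of the article; the thresholds (a one-year HSTS minimum) and the specific CSP checks are my choices, and `auditSecurityHeaders` / `parseHsts` are assumed names. Run against the exact header set the Worker above emits, it reports the two weaknesses the comment in the Worker mentions and nothing else.

```javascript
// Added example (not from the article): audit a response's security headers and
// return a list of findings. Accepts a Headers object or a plain name -> value map.
const ONE_YEAR = 31536000;

function getHeader(headers, name) {
  if (headers && typeof headers.get === 'function') return headers.get(name);
  const key = Object.keys(headers || {}).find((k) => k.toLowerCase() === name.toLowerCase());
  return key ? headers[key] : null;
}

// Parse "max-age=63072000; includeSubDomains; preload" into its three parts.
function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const raw of (value || '').split(';')) {
    const d = raw.trim().toLowerCase();
    if (d.startsWith('max-age=')) out.maxAge = parseInt(d.slice(8), 10);
    else if (d === 'includesubdomains') out.includeSubDomains = true;
    else if (d === 'preload') out.preload = true;
  }
  return out;
}

// Empty list means pass. Each finding names the header and the problem.
function auditSecurityHeaders(headers) {
  const findings = [];
  const required = ['Content-Security-Policy', 'X-Content-Type-Options',
                    'Referrer-Policy', 'Strict-Transport-Security'];
  for (const name of required) {
    if (!getHeader(headers, name)) findings.push(`${name}: missing`);
  }

  const csp = getHeader(headers, 'Content-Security-Policy') || '';
  // 'unsafe-inline' in a source list that covers scripts removes most of the XSS
  // mitigation CSP provides; a bare https: allows scripts from any HTTPS host.
  if (/'unsafe-inline'/.test(csp)) findings.push("Content-Security-Policy: 'unsafe-inline' present");
  if (/(^|\s)https:(\s|;|$)/.test(csp)) findings.push('Content-Security-Policy: bare https: scheme source');
  // Either frame-ancestors or X-Frame-Options must be present to block framing.
  if (!/frame-ancestors/.test(csp) && !getHeader(headers, 'X-Frame-Options')) {
    findings.push('clickjacking: neither frame-ancestors nor X-Frame-Options set');
  }

  const hsts = parseHsts(getHeader(headers, 'Strict-Transport-Security'));
  if (hsts.maxAge !== null && hsts.maxAge < ONE_YEAR) {
    findings.push(`Strict-Transport-Security: max-age ${hsts.maxAge} below one year`);
  }
  if (hsts.preload && !hsts.includeSubDomains) {
    findings.push('Strict-Transport-Security: preload requires includeSubDomains');
  }

  const xcto = getHeader(headers, 'X-Content-Type-Options');
  if (xcto && xcto.toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options: expected nosniff');
  return findings;
}
```

Wire it into a deploy step by fetching the site root through Cloudflare and failing the step when the list is non-empty; the same function works on `response.headers` inside a Worker test harness.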
Written by Sagar Kapasi, Software Engineer

Sagar builds operational systems and developer hosting infrastructure from the ground up, specializing in Linux, PHP, and high-performance architectures.

Tags: Cloudflare, Performance, CDN, Production