From be4bda801b464140e57311e11abc3d1ca01d0db7 Mon Sep 17 00:00:00 2001 
From: Denise Pena Date: Wed, 17 Sep 2025 13:28:33 -0500 Subject: [PATCH 01/18] Added Surge Readiness learning path --- .../surge-readiness/concepts/custom-pages.mdx | 22 +++++ .../surge-readiness/concepts/index.mdx | 45 ++++++++++ .../surge-readiness/performance/analytics.mdx | 24 ++++++ .../surge-readiness/performance/caching.mdx | 86 +++++++++++++++++++ .../surge-readiness/performance/index.mdx | 8 ++ .../surge-readiness/performance/logs.mdx | 25 ++++++ .../security/block-agents-lock-zones.mdx | 23 +++++ .../security/confirm-account-security.mdx | 12 +++ .../security/control-domain-access.mdx | 62 +++++++++++++ .../security/control-incoming-requests.mdx | 31 +++++++ .../security/defend-content.mdx | 16 ++++ .../surge-readiness/security/index.mdx | 8 ++ .../security/prepare-for-surges.mdx | 19 ++++ .../security/secure-against-attacks.mdx | 14 +++ .../surge-readiness/support/index.mdx | 8 ++ .../surge-readiness/support/resources.mdx | 31 +++++++ .../learning-paths/surge-readiness.json | 8 ++ 17 files changed, 442 insertions(+) create mode 100644 src/content/docs/learning-paths/surge-readiness/concepts/custom-pages.mdx create mode 100644 src/content/docs/learning-paths/surge-readiness/concepts/index.mdx create mode 100644 src/content/docs/learning-paths/surge-readiness/performance/analytics.mdx create mode 100644 src/content/docs/learning-paths/surge-readiness/performance/caching.mdx create mode 100644 src/content/docs/learning-paths/surge-readiness/performance/index.mdx create mode 100644 src/content/docs/learning-paths/surge-readiness/performance/logs.mdx create mode 100644 src/content/docs/learning-paths/surge-readiness/security/block-agents-lock-zones.mdx create mode 100644 src/content/docs/learning-paths/surge-readiness/security/confirm-account-security.mdx create mode 100644 src/content/docs/learning-paths/surge-readiness/security/control-domain-access.mdx create mode 100644 src/content/docs/learning-paths/surge-readiness/security/control-incoming-requests.mdx 
create mode 100644 src/content/docs/learning-paths/surge-readiness/security/defend-content.mdx create mode 100644 src/content/docs/learning-paths/surge-readiness/security/index.mdx create mode 100644 src/content/docs/learning-paths/surge-readiness/security/prepare-for-surges.mdx create mode 100644 src/content/docs/learning-paths/surge-readiness/security/secure-against-attacks.mdx create mode 100644 src/content/docs/learning-paths/surge-readiness/support/index.mdx create mode 100644 src/content/docs/learning-paths/surge-readiness/support/resources.mdx create mode 100644 src/content/learning-paths/surge-readiness.json diff --git a/src/content/docs/learning-paths/surge-readiness/concepts/custom-pages.mdx b/src/content/docs/learning-paths/surge-readiness/concepts/custom-pages.mdx new file mode 100644 index 000000000000000..1b0bb0fb396fc79 --- /dev/null +++ b/src/content/docs/learning-paths/surge-readiness/concepts/custom-pages.mdx @@ -0,0 +1,22 @@ +--- +title: Custom pages +pcx_content_type: overview +sidebar: + order: 2 +--- + +Design your custom HTML page and host it online anywhere. Once published, Cloudflare will use the customized page instead of serving our standard page to your visitors. + +Note: We encourage you to customize every page to provide a consistent branding experience for your users. Origin Error pages can also be activated for 502,504, and 404 errors. + +Pages you can customize: + +- IP Block +- WAF Block +- 500 Class Errors +- 1000 Class Errors +- Always Online Error +- Basic Security Challenge +- WAF Challenge +- Country Challenge +- I'm Under Attack Mode Challenge \ No newline at end of file diff --git a/src/content/docs/learning-paths/surge-readiness/concepts/index.mdx b/src/content/docs/learning-paths/surge-readiness/concepts/index.mdx new file mode 100644 index 000000000000000..d93842a9f6024a4 --- /dev/null +++ b/src/content/docs/learning-paths/surge-readiness/concepts/index.mdx 
@@ -0,0 +1,45 @@ +--- +title: Prerequisites +pcx_content_type: overview +sidebar: + order: 1 +--- + +import { DashButton } from "~/components"; + +Reach out to your Customer Success Manager at least 30 days prior to the expected traffic surge to schedule a Security Optimization walkthrough with your Customer Solution Engineer. + +To learn more about our service offerings, refer to [Customer Success offerings](https://www.cloudflare.com/success-offerings/). + +## Register your users + +For the security and protection of your account, be sure to register all account users. + +1. In the Cloudflare dashboard, go to the **Manage Account** > **Members** page. + + + +2. Select more than one Super Administrator to ensure appropriate access when needed. + +Failure to register account users can create issues with our ticketing system. Unverified users who contact support will be funneled to the self-serve queue rather than the Enterprise queue which can result in long wait times. + +We strongly advise against credential-sharing which can jeopardize the trust and safety of your account. + +Note: Refer to [Manage members](/fundamentals/setup/manage-members/) to learn how to review and update registered account users. + +## Confirm user and domain administration + +- **Multi-User:** Provide role-based permissions to a group of users to better control the administration of your domains. Each user has their own role and limited API key. +- **Enforce 2FA:** Ensure your entire dashboard is secure by [enforcing 2-factor authentication](/fundamentals/setup/account/account-security/2fa/) for your organization. + - To disable 2FA, submit a support ticket and allow 1-2 business days to validate your request. +- **Leverage API Access:** Work easily with our system programmatically using our [API](https://api.cloudflare.com). 
+ +## Additional items + +- Check when your [SSL Certificates expire (only custom and origin certificates)](/ssl/edge-certificates/custom-certificates/renewing/) + - Note: Certificates managed by Cloudflare are auto-renewed +- Review your Operational and Disaster recovery preparedness + - Enable Load Balancing with smart cache strategies: Use [Cloudflare Load Balancing](/reference-architecture/architectures/load-balancing) to distribute traffic across multiple healthy origins, and increase cache-hit ratios by leveraging [custom cache rules](/cache/performance-review/cache-analytics) and [edge compute](/learning/cdn/caching-static-and-dynamic-content) (e.g., Cloudflare Workers) to offload origin traffic during high-demand periods. + - Configure failover pools and back up DNS with a playbook: Set up [Cloudflare Load Balancer failover pools](/reference-architecture/architectures/load-balancing) to automatically redirect traffic to healthy origins if one fails. Export DNS records for safekeeping and prepare a clear [incident response plan](https://www.cloudflare.com/learning/performance/preventing-downtime) that includes steps for re-routing or recovery. +- Review and update your current users' access? +- Check your domain registry validity \ No newline at end of file diff --git a/src/content/docs/learning-paths/surge-readiness/performance/analytics.mdx b/src/content/docs/learning-paths/surge-readiness/performance/analytics.mdx new file mode 100644 index 000000000000000..5fb3612e8569c52 --- /dev/null +++ b/src/content/docs/learning-paths/surge-readiness/performance/analytics.mdx 
@@ -0,0 +1,24 @@ +--- +title: Analytics +pcx_content_type: overview +sidebar: + order: 4 +--- + +## Workers Analytics Engine + +Use the [Workers Analytics Engine](/analytics/analytics-engine/) to send unlimited-cardinality data from your Worker to a time-series database. Query it with SQL. + + +## Account and zone analytics + +Use [Account and zone analytics](/analytics/account-and-zone-analytics/) to provide details about the requests and traffic related to your Cloudflare accounts and zones. + + +## Cloudflare Network Analytics + +Use [Cloudflare Network Analytics](/analytics/network-analytics/) to Provide near real-time visibility into network and transport-layer traffic patterns and DDoS attacks. + +## GraphQL Analytics API + +Use the [GraphQL Analytics API](/analytics/graphql-api/) to provide\ all of your performance, security, and reliability data from one endpoint. Select exactly what you need, from one metric for a domain to multiple metrics aggregated for your account. \ No newline at end of file diff --git a/src/content/docs/learning-paths/surge-readiness/performance/caching.mdx b/src/content/docs/learning-paths/surge-readiness/performance/caching.mdx new file mode 100644 index 000000000000000..2a9e80c9b92b61c --- /dev/null +++ b/src/content/docs/learning-paths/surge-readiness/performance/caching.mdx 
@@ -0,0 +1,86 @@ +--- +title: Caching +pcx_content_type: overview +sidebar: + order: 2 +--- + +import { DashButton } from "~/components"; + +## Optimize caching + +By default, Cloudflare [caches static content](/cache/concepts/default-cache-behavior/) such as images, CSS, and JavaScript. However, you can extend Cloudflare caching to work with HTML by creating custom [Cache Rules](cache/how-to/cache-rules/). + + +### Cache more requests + +1. In the Cloudflare dashboard, go to the **Caching** > **Cache Rules** page. + + + +2. Select **Create rule**. +3. For When incoming requests match, enter either your entire website or a specific path on your application, based on the Hostname or URI Path. Refer to the [available fields](/cache/how-to/cache-rules/settings/#fields). +4. For Cache eligibility, define how these requests should be cached and for how long. Refer to the available [cache eligibility settings](/cache/how-to/cache-rules/settings/#eligible-for-cache-settings). +5. You can then monitor the effectiveness of your cache settings using [Cache Analytics](/cache/performance-review/cache-analytics/) and update your configuration according to our [Cache performance guide](/cache/performance-review/cache-performance/). + + +### Advanced cache optimizations + + + +* [Custom Cache Keys](/cache/how-to/cache-keys/) allows you to precisely set the cacheability setting for any resource. +* [Origin Cache Control](/cache/concepts/cache-control/) can be used to let the Cache-Control headers tell Cloudflare how to handle content from the origin server. + + +## Tiered Cache + +[Tiered Cache](/cache/how-to/tiered-cache/) uses the size of Cloudflare's network to reduce requests to customer origin servers by dramatically increasing cache hit ratios. + +It works by dividing Cloudflare's data centers into a hierarchy of lower-tiers and upper-tiers. 
If content is not cached in lower-tier data centers (generally the ones closest to a visitor), the lower-tier requests an upper-tier for the content. If the upper-tier does not have the content, only the upper-tier will initiate a request to the origin. This practice improves bandwidth efficiency by limiting the number of Cloudflare data centers that can ask the origin for content. + +Refer to [Enable Tiered Cache](/cache/how-to/tiered-cache/#enable-tiered-cache) to get started. + + +### Cache Reserve + +[Cache Reserve](/cache/advanced-configuration/cache-reserve/) is a large, persistent data store implemented on top of [R2](/r2/). + +With a single click in the dashboard, your cacheable content will be written to Cache Reserve. In the same way that Tiered Cache builds a hierarchy of caches between your visitors and your origin, Cache Reserve serves as the ultimate [upper-tier cache](/cache/how-to/tiered-cache/) that will reserve storage space for your assets for as long as you want. + +This ensures that your content is served from cache longer, shielding your origin from unneeded egress fees. + + +## Cloudflare Waiting Room + +[Cloudflare Waiting Room](/waiting-room/) allows you to route excess users of your website to a customized waiting room, helping preserve customer experience and protect origin servers from being overwhelmed with requests. + + +## Use Cloudflare IP addresses + +Take action to prevent attacks to your application during peak season by configuring your firewall to only accept traffic from Cloudflare IP addresses. By only allowing [Cloudflare IPs ↗](https://www.cloudflare.com/ips), you can prevent attackers from bypassing Cloudflare and sending requests directly to your origin. + +Refer to [Cloudflare IP addresses](/fundamentals/concepts/cloudflare-ip-addresses/) for more information. 
+ + +## Monitor traffic + +You can use the Cloudflare dashboard to closely monitor the traffic on your domain and fine-tune your cache and security settings accordingly. + + +### Zone and Account analytics + +[Cloudflare zone analytics](/analytics/account-and-zone-analytics/zone-analytics/) gives you access to a wide range of metrics, collected at the website or domain level. + +[Cloudflare account analytics](/analytics/account-and-zone-analytics/account-analytics/) lets you access a wide range of aggregated metrics from all the sites under a specific Cloudflare account. + + +### Security Analytics and Security Events + +[Security Analytics](https://developers.cloudflare.com/waf/analytics/security-analytics/) displays information about all incoming HTTP requests for your domain, including requests not handled by Cloudflare security products. + +You can also use the [Security Events](/waf/analytics/security-events/) to review mitigated requests and tailor your security configurations. + + +### Cache Analytics + +You can use [Cache Analytics](/cache/performance-review/cache-analytics/) to improve site performance or reduce origin web server traffic. Cache Analytics helps determine if resources are missing from cache, expired, or ineligible for caching. \ No newline at end of file diff --git a/src/content/docs/learning-paths/surge-readiness/performance/index.mdx b/src/content/docs/learning-paths/surge-readiness/performance/index.mdx new file mode 100644 index 000000000000000..0e00503dc6ede01 --- /dev/null +++ b/src/content/docs/learning-paths/surge-readiness/performance/index.mdx @@ -0,0 +1,8 @@ +--- +title: Performance +pcx_content_type: overview +sidebar: + group: + hideIndex: true + order: 3 +--- \ No newline at end of file diff --git a/src/content/docs/learning-paths/surge-readiness/performance/logs.mdx b/src/content/docs/learning-paths/surge-readiness/performance/logs.mdx new file mode 100644 index 000000000000000..17cee892332609c --- /dev/null 
+++ b/src/content/docs/learning-paths/surge-readiness/performance/logs.mdx @@ -0,0 +1,25 @@ +--- +title: Logs +pcx_content_type: overview +sidebar: + order: 3 +--- + +## Logpush + +Use [Logpush](/logs/get-started/) to push your request or event logs to your cloud service provider using Logpush, which can be configured via the Cloudflare dashboard or API. + + +## Instant Logs + +Use [Instant Logs](/logs/instant-logs/) to view HTTP request logs instantly in the Cloudflare dashboard or the CLI. + + +## Logs Engine + +Use the [Logs Engine](/logs/r2-log-retrieval/) to store your logs in R2 and query them directly. + + +## Log Explorer + +Use the [Log Explorer](/log-explorer/) to store and explore your Cloudflare logs directly within the Cloudflare dashboard or API. \ No newline at end of file diff --git a/src/content/docs/learning-paths/surge-readiness/security/block-agents-lock-zones.mdx b/src/content/docs/learning-paths/surge-readiness/security/block-agents-lock-zones.mdx new file mode 100644 index 000000000000000..bf8e7106b47f060 --- /dev/null +++ b/src/content/docs/learning-paths/surge-readiness/security/block-agents-lock-zones.mdx 
@@ -0,0 +1,23 @@ +--- +title: Block user agents and lock zones +pcx_content_type: overview +sidebar: + order: 6 +--- + + +[User Agent (UA) Blocking](/waf/tools/user-agent-blocking/) rules match against specific User-Agent request headers sent by the browser or application accessing your site. UA rules are applied against the entire domain, and after a rule is triggered, you can decide which action to take against the visitor. + +Actions: + +- Block: Ensures that an IP address will never be allowed to access your site +-CAPTCHA Challenge: Rules will be shown a CAPTCHA before allowed access +- Javascript Challenge: Rules will be shown 5 second javascript confirmation + +## Zone Lockdown + +[Zone lockdown](/waf/tools/zone-lockdown/) rules allow you to define paths and only allow specific, trusted IPs to those paths. Any requests to those paths from non-whitelisted IPs will be automatically blocked with an 1106 HTTP code. This ability is particularly useful for locking down administrative or staging portions of your application. + +# Defend content with Scrape Shield + +Scrape Shield is a collection of settings meant to protect your site's content. diff --git a/src/content/docs/learning-paths/surge-readiness/security/confirm-account-security.mdx b/src/content/docs/learning-paths/surge-readiness/security/confirm-account-security.mdx new file mode 100644 index 000000000000000..91d3aea96840ac6 --- /dev/null +++ b/src/content/docs/learning-paths/surge-readiness/security/confirm-account-security.mdx @@ -0,0 +1,12 @@ +--- +title: Confirm account security +pcx_content_type: overview +sidebar: + order: 2 +--- + +import { DirectoryListing } from "~/components"; + +Review the list below for guidance on securing your account. + + \ No newline at end of file 
diff --git a/src/content/docs/learning-paths/surge-readiness/security/control-domain-access.mdx b/src/content/docs/learning-paths/surge-readiness/security/control-domain-access.mdx new file mode 100644 index 000000000000000..acbb6578b2c6bdf --- /dev/null +++ b/src/content/docs/learning-paths/surge-readiness/security/control-domain-access.mdx 
@@ -0,0 +1,62 @@ +--- +title: Control domain access +pcx_content_type: overview +sidebar: + order: 8 +--- + +[IP Access Rules](/waf/tools/ip-access-rules/) specify an action based on the origin of your user across a single domain or all of the domains in your account. + +IP Access Rules can be applied based on: + + + +* IPv4 address or range: Specified in CIDR notation as `/16` or `/24` +* IPv6 address or range: Specified in CIDR notation as `/32`, `/48`, `/64` +* ASN +* Country or the Tor network + + +:::note + +We recommend locking down your origin with an Access Control List (ACL) which only allows [Cloudflare IPs](http://www.cloudflare.com/ips). + +::: + +Actions: + +- Block: Ensures that an IP address will never be allowed to access your site. +- CAPTCHA Challenge: Rules will be shown a CAPTCHA before allowed access. +- Javascript Challenge: Rules will be shown a five second javascript confirmation. +- Allowlist: Ensures that an IP address will never be blocked from accessing your site. This supersedes any Cloudflare security profile. + +:::note + +Challenge Passage timeout applies to IP reputation, IUAM mode and user IP Firewall (CAPTCHA or JS Challenge): [cf_clearance cookie](/fundamentals/reference/policies-compliances/cloudflare-cookies/#additional-cookies-used-by-the-challenge-platform) is set with `Max-age=Challenge Passage`. +::: + +## Enable "I'm Under Attack" mode (IAUM) + +If you are under attack and have this feature enabled during the attack, visitors will receive an interstitial page for about five seconds while the traffic is analyzed to make sure it is a legitimate human visitor. The vast majority of Layer 7 attack scripts are defeated by IUAM and can be honed via Page Rules. + +Refer to [I'm Under Attack Mode](https://developers.cloudflare.com/fundamentals/reference/under-attack-mode/) for more information. 
+ + +## Change Access Control List (ACL) + +An ACL refers to rules that are applied to port numbers or IP addresses that are available on a host permitting use of the service. When you only allow Cloudflare IPs, you eliminate threats attempting to attack your origin IP range. + +Refer to [Cloudflare IP Ranges](https://www.cloudflare.com/ips) for more information. + + +## Change Origin IPs and update Cloudflare DNS records + +If your origin is still being attacked, consider moving your Origin IPs and updating your Cloudflare DNS records. + +Refer to [Prevent DDoS attacks](/learning-paths/prevent-ddos-attacks/concepts/) for detailed guidance. + +:::note + +To learn about best practices for DDoS protection, review [Respond to DDoS attacks](/ddos-protection/best-practices/respond-to-ddos-attacks/). + +::: diff --git a/src/content/docs/learning-paths/surge-readiness/security/control-incoming-requests.mdx b/src/content/docs/learning-paths/surge-readiness/security/control-incoming-requests.mdx new file mode 100644 index 000000000000000..ea4e4953f4f1d52 --- /dev/null +++ b/src/content/docs/learning-paths/surge-readiness/security/control-incoming-requests.mdx 
@@ -0,0 +1,31 @@ +--- +title: Control incoming requests +pcx_content_type: overview +sidebar: + order: 3 +--- + +Use [Custom rules](/waf/custom-rules/) to allow you to control incoming traffic by filtering requests to a zone. They work as customized web application firewall (WAF) rules that you can use to perform actions like Block or Managed Challenge on incoming requests. + +UseWAF [Managed Rules](/waf/managed-rules/) to apply custom criteria for all incoming HTTP requests. + +## Understand hosting plan limits + +Cloudflare offsets most of the load to your website via caching and request filtering, but some traffic will still pass through to your origin. Knowing the limits of your hosting plan can help prevent a bottleneck from your host. + +Once you are aware of your plan limits, you can use [Rate Limiting](/waf/rate-limiting-rules/) to restrict how many times a requesting entity can make a request to your website. + +To help you define the best rate limiting setting for your use case, refer to [How Cloudflare determines the request rate article](/waf/rate-limiting-rules/request-rate/). + +## Security Models + +- Positive Security policy: Allow specific requests and deny everything else. +- Negative Security policy: Block specific requests and allow everything else. + +## Actions + +- Log: Test rule effectiveness before committing to a more severe action. +- Allow: Allow matching requests to access the site. +- Block: Block matching requests from accessing the site. +- CAPTCHA Challenge: Rules will be shown a CAPTCHA before proceeding. +- Javascript Challenge: Rules will be shown a five second Javascript confirmation before proceeding. diff --git a/src/content/docs/learning-paths/surge-readiness/security/defend-content.mdx b/src/content/docs/learning-paths/surge-readiness/security/defend-content.mdx new file mode 100644 index 000000000000000..eea8105c5f68f58 --- /dev/null +++ b/src/content/docs/learning-paths/surge-readiness/security/defend-content.mdx 
@@ -0,0 +1,16 @@ +--- +title: Defend content with Scrape Shield +pcx_content_type: overview +sidebar: + order: 7 +--- + +Scrape Shield is a collection of settings meant to protect your site's content. + +## Email Address Obfuscation + +[Email Address Obfuscation](/waf/tools/scrape-shield/email-address-obfuscation/) uses JavaScript to encrypt addresses and prevents harvesting by spammers and bots while keeping addresses easy to read and use for human visitors. + +## Hotlink Protection + +[Hotlink Protection](/waf/tools/scrape-shield/hotlink-protection/) prevents your images from being used by other sites, which can reduce the bandwidth consumed by your origin server. diff --git a/src/content/docs/learning-paths/surge-readiness/security/index.mdx b/src/content/docs/learning-paths/surge-readiness/security/index.mdx new file mode 100644 index 000000000000000..b9a6440c99bd598 --- /dev/null +++ b/src/content/docs/learning-paths/surge-readiness/security/index.mdx @@ -0,0 +1,8 @@ +--- +title: Security +pcx_content_type: overview +sidebar: + group: + hideIndex: true + order: 2 +--- \ No newline at end of file diff --git a/src/content/docs/learning-paths/surge-readiness/security/prepare-for-surges.mdx b/src/content/docs/learning-paths/surge-readiness/security/prepare-for-surges.mdx new file mode 100644 index 000000000000000..7531004ce77a21c --- /dev/null +++ b/src/content/docs/learning-paths/surge-readiness/security/prepare-for-surges.mdx 
@@ -0,0 +1,19 @@ +--- +title: Prepare for surges and mitigate DDoS attacks +pcx_content_type: overview +sidebar: + label: Prepare for surges and attacks + order: 4 +--- + +## Reduce server strain + +Utilize Cloudflare's [caching](/cache/) to enhance load times and reduce server strain. Also, features like the [Waiting Room](/waiting-room) and [Rate Limiting](/waf/rate-limiting-rules/) can be used to effectively manage excess demand and ensure a stable user experience. + +## Unlimited DDoS Protection + +Cloudflare's Advanced [DDoS protection](/ddos-protection/) is always on for Enterprise customers and is used to mitigate DDoS attacks of all forms and sizes including those that target UDP and ICMP protocols, as well as SYN/ACK, DNS amplification, SMURF, and Layer 7 attacks. + +## Browser Integrity Check + +[Browser Integrity Check](/waf/tools/browser-integrity-check/) looks for requests with HTTP headers commonly used by spammers, bots, and crawlers such as requests with a missing or non-standard user agent. If a threat is found, Cloudflare will present a challenge page before allowing access. This may affect your API and can be selectively disabled using Page Rules. diff --git a/src/content/docs/learning-paths/surge-readiness/security/secure-against-attacks.mdx b/src/content/docs/learning-paths/surge-readiness/security/secure-against-attacks.mdx new file mode 100644 index 000000000000000..facdea2bf42c0f6 --- /dev/null +++ b/src/content/docs/learning-paths/surge-readiness/security/secure-against-attacks.mdx @@ -0,0 +1,14 @@ +--- +title: Secure against attacks +pcx_content_type: overview +sidebar: + order: 5 +--- + +Review the different actions you can take to secure your website against attacks. + +## Orange cloud all proper subdomains + +When a subdomain is set to Proxied (also known as orange-clouded), Cloudflare proxying is active for that record will resolve to a Cloudflare IP. + +Refer to [Proxy status](/dns/proxy-status/) for more information. 
diff --git a/src/content/docs/learning-paths/surge-readiness/support/index.mdx b/src/content/docs/learning-paths/surge-readiness/support/index.mdx new file mode 100644 index 000000000000000..36be6210fe2d5c1 --- /dev/null +++ b/src/content/docs/learning-paths/surge-readiness/support/index.mdx @@ -0,0 +1,8 @@ +--- +title: Support +pcx_content_type: overview +sidebar: + group: + hideIndex: true + order: 4 +--- \ No newline at end of file diff --git a/src/content/docs/learning-paths/surge-readiness/support/resources.mdx b/src/content/docs/learning-paths/surge-readiness/support/resources.mdx new file mode 100644 index 000000000000000..d79579484976e0c --- /dev/null +++ b/src/content/docs/learning-paths/surge-readiness/support/resources.mdx @@ -0,0 +1,31 @@ +--- +title: Support resources +pcx_content_type: overview +sidebar: + order: 2 +--- + +import { Plan } from "~/components" + + +| Support type | Resource | +| ------------ | -------- | +| Self-serve questions | https://support.cloudflare.com
https://developers.cloudflare.com/fundamentals | +| Strategic guidance and best practices (proactive) | Reach out to your dedicated account team | +| Non-critical production issues (reactive) | - Email the 24/7 Enterprise Support team
- [Support portal](https://dash.cloudflare.com/?to=/:account/support)
- Dashboard chat | +| Critical issues such as attacks (reactive) | - Call the 24/7 Emergency Support line
- +1 (650)353-5922 (US)
- www.cloudflare.com/ecp/support (global lines)| + +:::note +For security reasons, Cloudflare Support only assists individuals whose email addresses are validated against the list of registered account contacts. Review and update all contacts accordingly in your Cloudflare Dashboard. +::: + +## Additional resources + +- For help with an issue, refer to [guidance for submitting support tickets](/support/contacting-cloudflare-support/). +- Reference our [Support Docs](/support/), including [Priority definitions](/support/contacting-cloudflare-support/#priority-definitions). +- Learn the basic countermeasures to [stop an ongoing DDoS attack](/ddos-protection/best-practices/respond-to-ddos-attacks/). +- Let [Cloudflare's Security Operations Center-as-a-Service (SOC)](https://www.cloudflare.com/soc-as-a-service/) monitor your environment for volumetric security threats and potential operational disruptions, perform analysis to identify attack vectors, and help you implement countermeasures to mitigate future incidents. +- If a customer has purchased Technical Account Management Service, utilize the [Technical Account Management Service](https://www.cloudflare.com/technical-account-management-service/) which operates as an extension of your team, as the Cloudflare support expert who knows your tech stack, unique infrastructure, and Cloudflare portfolio requirements. +- Learn [what's new](/www.cloudflare.com/whats-new/) and subscribe to product release email summaries. +- Read the [Cloudflare blog](https://blog.cloudflare.com/) for the latest announcements from Cloudflare. +- Refer to the [Cloudflare Community](https://community.cloudflare.com/) to seek advice and share insights about using Cloudflare with other Cloudflare users. \ No newline at end of file diff --git a/src/content/learning-paths/surge-readiness.json b/src/content/learning-paths/surge-readiness.json new file mode 100644 index 000000000000000..b12fdc72088096e --- /dev/null 
+++ b/src/content/learning-paths/surge-readiness.json @@ -0,0 +1,8 @@ +{ + "title": "Prepare for surges or spikes in web traffic", + "path": "/learning-paths/surge-readiness/concepts/", + "priority": 5, + "description": "Learn how to protect your website for potential surges or spikes in web traffic.", + "products": ["Cache", "WAF"], + "product_group": "Application security" +} From 71c0a5bdfc8ffb67ece3297ed9c578b78bd07086 Mon Sep 17 00:00:00 2001 From: Denise Pena Date: Wed, 17 Sep 2025 13:33:17 -0500 Subject: [PATCH 02/18] Added webinar link --- .../docs/learning-paths/surge-readiness/support/resources.mdx | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/content/docs/learning-paths/surge-readiness/support/resources.mdx b/src/content/docs/learning-paths/surge-readiness/support/resources.mdx index d79579484976e0c..456db16d83a75a2 100644 --- a/src/content/docs/learning-paths/surge-readiness/support/resources.mdx +++ b/src/content/docs/learning-paths/surge-readiness/support/resources.mdx 
@@ -28,4 +28,5 @@ For security reasons, Cloudflare Support only assists individuals whose email ad - If a customer has purchased Technical Account Management Service, utilize the [Technical Account Management Service](https://www.cloudflare.com/technical-account-management-service/) which operates as an extension of your team, as the Cloudflare support expert who knows your tech stack, unique infrastructure, and Cloudflare portfolio requirements. - Learn [what's new](/www.cloudflare.com/whats-new/) and subscribe to product release email summaries. - Read the [Cloudflare blog](https://blog.cloudflare.com/) for the latest announcements from Cloudflare. -- Refer to the [Cloudflare Community](https://community.cloudflare.com/) to seek advice and share insights about using Cloudflare with other Cloudflare users. \ No newline at end of file +- Refer to the [Cloudflare Community](https://community.cloudflare.com/) to seek advice and share insights about using Cloudflare with other Cloudflare users. +- [Maximize Revenue and Minimize Risk in Peak Season webinar](https://www.google.com/url?q=https://cloudflare.ondemand.goldcast.io/on-demand/28262595-9ddf-4e26-91bf-241117f4b5fe&sa=D&source=docs&ust=1758134183832896&usg=AOvVaw3-v4hp23nSzNj0s6j-xxyc) \ No newline at end of file From b10a0538a0f4c090cc1582d2d2d1988b3648d0d7 Mon Sep 17 00:00:00 2001 From: Denise Pena Date: Wed, 17 Sep 2025 15:25:51 -0500 Subject: [PATCH 03/18] Link fixes --- .../docs/learning-paths/surge-readiness/concepts/index.mdx | 6 +++--- .../learning-paths/surge-readiness/performance/caching.mdx | 2 +- .../learning-paths/surge-readiness/performance/logs.mdx | 2 +- .../learning-paths/surge-readiness/support/resources.mdx | 2 +- 4 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/content/docs/learning-paths/surge-readiness/concepts/index.mdx b/src/content/docs/learning-paths/surge-readiness/concepts/index.mdx index d93842a9f6024a4..9ee5502125543a5 100644 
--- a/src/content/docs/learning-paths/surge-readiness/concepts/index.mdx +++ b/src/content/docs/learning-paths/surge-readiness/concepts/index.mdx @@ -25,12 +25,12 @@ Failure to register account users can create issues with our ticketing system. U We strongly advise against credential-sharing which can jeopardize the trust and safety of your account. -Note: Refer to [Manage members](/fundamentals/setup/manage-members/) to learn how to review and update registered account users. +Note: Refer to [Manage members](/fundamentals/manage-members/) to learn how to review and update registered account users. ## Confirm user and domain administration - **Multi-User:** Provide role-based permissions to a group of users to better control the administration of your domains. Each user has their own role and limited API key. -- **Enforce 2FA:** Ensure your entire dashboard is secure by [enforcing 2-factor authentication](/fundamentals/setup/account/account-security/2fa/) for your organization. +- **Enforce 2FA:** Ensure your entire dashboard is secure by [enforcing 2-factor authentication](/fundamentals/user-profiles/2fa/) for your organization. - To disable 2FA, submit a support ticket and allow 1-2 business days to validate your request. - **Leverage API Access:** Work easily with our system programmatically using our [API](https://api.cloudflare.com). 
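Review bot: In the **Enforce 2FA** bullet, the new target `/fundamentals/user-profiles/2fa/` is a user-profile path, while the link text promises enforcing 2-factor authentication for the whole organization. Please confirm that page covers account-wide enforcement, or link the page that does. The `Note:` line changed at the top of this hunk is still plain text; the `:::note` admonition used elsewhere in this series would render it consistently.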
@@ -39,7 +39,7 @@ Note: Refer to [Manage members](/fundamentals/setup/manage-members/) to learn ho - Check when your [SSL Certificates expire (only custom and origin certificates)](/ssl/edge-certificates/custom-certificates/renewing/) - Note: Certificates managed by Cloudflare are auto-renewed - Review your Operational and Disaster recovery preparedness - - Enable Load Balancing with smart cache strategies: Use [Cloudflare Load Balancing](/reference-architecture/architectures/load-balancing) to distribute traffic across multiple healthy origins, and increase cache-hit ratios by leveraging [custom cache rules](/cache/performance-review/cache-analytics) and [edge compute](/learning/cdn/caching-static-and-dynamic-content) (e.g., Cloudflare Workers) to offload origin traffic during high-demand periods. + - Enable Load Balancing with smart cache strategies: Use [Cloudflare Load Balancing](/reference-architecture/architectures/load-balancing) to distribute traffic across multiple healthy origins, and increase cache-hit ratios by leveraging [custom cache rules](/cache/performance-review/cache-analytics) and [edge compute](https://www.cloudflare.com/learning/cdn/caching-static-and-dynamic-content/) (e.g., Cloudflare Workers) to offload origin traffic during high-demand periods. - Configure failover pools and back up DNS with a playbook: Set up [Cloudflare Load Balancer failover pools](/reference-architecture/architectures/load-balancing) to automatically redirect traffic to healthy origins if one fails. Export DNS records for safekeeping and prepare a clear [incident response plan](https://www.cloudflare.com/learning/performance/preventing-downtime) that includes steps for re-routing or recovery. - Review and update your current users' access? - Check your domain registry validity \ No newline at end of file 
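Review bot: On the changed Load Balancing line, the link text `custom cache rules` still points at `/cache/performance-review/cache-analytics`, which is the Cache Analytics page; the Cache Rules page is linked elsewhere in this series as `/cache/how-to/cache-rules/`, so that looks like the intended target. While this line is being touched, add the trailing slash to `/reference-architecture/architectures/load-balancing` (used twice in this hunk) to match the other internal paths, and drop the stray question mark in `Review and update your current users' access?`.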
diff --git a/src/content/docs/learning-paths/surge-readiness/performance/caching.mdx b/src/content/docs/learning-paths/surge-readiness/performance/caching.mdx index 2a9e80c9b92b61c..58527ee182af40d 100644 --- a/src/content/docs/learning-paths/surge-readiness/performance/caching.mdx +++ b/src/content/docs/learning-paths/surge-readiness/performance/caching.mdx @@ -9,7 +9,7 @@ import { DashButton } from "~/components"; ## Optimize caching -By default, Cloudflare [caches static content](/cache/concepts/default-cache-behavior/) such as images, CSS, and JavaScript. However, you can extend Cloudflare caching to work with HTML by creating custom [Cache Rules](cache/how-to/cache-rules/). +By default, Cloudflare [caches static content](/cache/concepts/default-cache-behavior/) such as images, CSS, and JavaScript. However, you can extend Cloudflare caching to work with HTML by creating custom [Cache Rules](/cache/how-to/cache-rules/). ### Cache more requests diff --git a/src/content/docs/learning-paths/surge-readiness/performance/logs.mdx b/src/content/docs/learning-paths/surge-readiness/performance/logs.mdx index 17cee892332609c..708bbafa6bc5ddc 100644 --- a/src/content/docs/learning-paths/surge-readiness/performance/logs.mdx +++ b/src/content/docs/learning-paths/surge-readiness/performance/logs.mdx @@ -7,7 +7,7 @@ sidebar: ## Logpush -Use [Logpush](/logs/get-started/) to push your request or event logs to your cloud service provider using Logpush, which can be configured via the Cloudflare dashboard or API. +Use [Logpush](/logs/logpush/) to push your request or event logs to your cloud service provider using Logpush, which can be configured via the Cloudflare dashboard or API. ## Instant Logs diff --git a/src/content/docs/learning-paths/surge-readiness/support/resources.mdx b/src/content/docs/learning-paths/surge-readiness/support/resources.mdx index 456db16d83a75a2..cb05331da63aeed 100644 --- a/src/content/docs/learning-paths/surge-readiness/support/resources.mdx 
+++ b/src/content/docs/learning-paths/surge-readiness/support/resources.mdx @@ -26,7 +26,7 @@ For security reasons, Cloudflare Support only assists individuals whose email ad - Learn the basic countermeasures to [stop an ongoing DDoS attack](/ddos-protection/best-practices/respond-to-ddos-attacks/). - Let [Cloudflare's Security Operations Center-as-a-Service (SOC)](https://www.cloudflare.com/soc-as-a-service/) monitor your environment for volumetric security threats and potential operational disruptions, perform analysis to identify attack vectors, and help you implement countermeasures to mitigate future incidents. - If a customer has purchased Technical Account Management Service, utilize the [Technical Account Management Service](https://www.cloudflare.com/technical-account-management-service/) which operates as an extension of your team, as the Cloudflare support expert who knows your tech stack, unique infrastructure, and Cloudflare portfolio requirements. -- Learn [what's new](/www.cloudflare.com/whats-new/) and subscribe to product release email summaries. +- Learn [what's new](https://www.cloudflare.com/whats-new/) and subscribe to product release email summaries. - Read the [Cloudflare blog](https://blog.cloudflare.com/) for the latest announcements from Cloudflare. - Refer to the [Cloudflare Community](https://community.cloudflare.com/) to seek advice and share insights about using Cloudflare with other Cloudflare users. - [Maximize Revenue and Minimize Risk in Peak Season webinar](https://www.google.com/url?q=https://cloudflare.ondemand.goldcast.io/on-demand/28262595-9ddf-4e26-91bf-241117f4b5fe&sa=D&source=docs&ust=1758134183832896&usg=AOvVaw3-v4hp23nSzNj0s6j-xxyc) \ No newline at end of file From 6fcde4ab3f59af602ac98c65224ba5dc7825282d Mon Sep 17 00:00:00 2001 
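Review bot: The webinar entry kept as context at the end of this hunk still links through a `https://www.google.com/url?q=` redirect carrying `sa`, `source=docs`, `ust` and `usg` parameters, which is residue from copying the link out of a Google Doc. Since this commit is the link-fix pass, replace it with the direct goldcast.io URL from the `q=` parameter so readers go straight to the destination instead of through a third-party redirect. The entry also has no lead-in verb like the other bullets, and the file still ends without a trailing newline.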
From: Denise Pena Date: Wed, 17 Sep 2025 15:30:48 -0500 Subject: [PATCH 04/18] Added external link to learning path --- ...ng-for-surges-or-spikes-in-web-traffic.mdx | 85 +------------------ 1 file changed, 2 insertions(+), 83 deletions(-) diff --git a/src/content/docs/fundamentals/performance/preparing-for-surges-or-spikes-in-web-traffic.mdx b/src/content/docs/fundamentals/performance/preparing-for-surges-or-spikes-in-web-traffic.mdx index c47f423aa0c5aa8..cce73798f3fecdf 100644 --- a/src/content/docs/fundamentals/performance/preparing-for-surges-or-spikes-in-web-traffic.mdx +++ b/src/content/docs/fundamentals/performance/preparing-for-surges-or-spikes-in-web-traffic.mdx 
@@ -1,86 +1,5 @@ --- -pcx_content_type: how-to +pcx_content_type: navigation title: Prepare for surges or spikes in web traffic - +external_link: /learning-paths/surge-readiness/concepts/ --- - -import { DashButton } from "~/components"; - -## Use Cloudflare Cache features to optimize caching - -By default, Cloudflare [caches static content](/cache/concepts/default-cache-behavior/) such as images, CSS, and JavaScript. However, you can extend Cloudflare caching to work with HTML by creating custom [Cache Rules](/cache/how-to/cache-rules/). - -### Cache more requests - -1. In the Cloudflare dashboard, go to the **Account home** page and select your account and domain. - - - -2. Go to **Caching** > **Cache Rules** and select **Create rule**. - -3. For **When incoming requests match**, enter either your entire website or a specific path on your application, based on the **Hostname** or **URI Path**. Refer to the [available fields](/cache/how-to/cache-rules/settings/#fields). - -4. For **Cache eligibility**, define how these requests should be cached and for how long. Refer to the available [cache eligibility settings](/cache/how-to/cache-rules/settings/#eligible-for-cache-settings). - -5. You can then monitor the effectiveness of your cache settings using [Cache Analytics](/cache/performance-review/cache-analytics/) and update your configuration according to our [Cache performance guide](/cache/performance-review/cache-performance/). - -### Advanced cache optimizations - -* [Custom Cache Keys](/cache/how-to/cache-keys/) allows you to precisely set the cacheability setting for any resource. - -* [Origin Cache Control](/cache/concepts/cache-control/) can be used to let the `Cache-Control` headers tell Cloudflare how to handle content from the origin server. - -### Use Tiered Cache - -[Tiered Cache](/cache/how-to/tiered-cache/) uses the size of Cloudflare's network to reduce requests to customer origin servers by dramatically increasing cache hit ratios. 
- -It works by dividing Cloudflare's data centers into a hierarchy of lower-tiers and upper-tiers. If content is not cached in lower-tier data centers (generally the ones closest to a visitor), the lower-tier requests an upper-tier for the content. If the upper-tier does not have the content, only the upper-tier will initiate a request to the origin. This practice improves bandwidth efficiency by limiting the number of Cloudflare data centers that can ask the origin for content. - -Refer to [Enable Tiered Cache](/cache/how-to/tiered-cache/#enable-tiered-cache) to get started. - -### Use Cache Reserve - -[Cache Reserve](/cache/advanced-configuration/cache-reserve/) is a large, persistent data store implemented on top of [R2](/r2/). - -With a single click in the dashboard, your cacheable content will be written to Cache Reserve. In the same way that Tiered Cache builds a hierarchy of caches between your visitors and your origin, Cache Reserve serves as the ultimate [upper-tier cache](/cache/how-to/tiered-cache/) that will reserve storage space for your assets for as long as you want. - -This ensures that your content is served from cache longer, shielding your origin from unneeded egress fees. - -## Understand the limits of your hosting plan - -Cloudflare offsets most of the load to your website via caching and request filtering, but some traffic will still pass through to your origin. Knowing the limits of your hosting plan can help prevent a bottleneck from your host.  - -Once you are aware of your plan limits, you can use [Rate Limiting](/waf/rate-limiting-rules/) to restrict how many times a requesting entity can make a request to your website. - -To help you define the best rate limiting setting for your use case, refer to [How Cloudflare determines the request rate article](/waf/rate-limiting-rules/request-rate/). 
- -## Cloudflare Waiting Room - -[Cloudflare Waiting Room](/waiting-room/) allows you to route excess users of your website to a customized waiting room, helping preserve customer experience and protect origin servers from being overwhelmed with requests. - -## Use Cloudflare IP addresses to your advantage - -Take action to prevent attacks to your application during peak season by configuring your firewall to only accept traffic from Cloudflare IP addresses. By only allowing [Cloudflare IPs](https://www.cloudflare.com/ips), you can prevent attackers from bypassing Cloudflare and sending requests directly to your origin. - -Refer to [Cloudflare IP addresses](/fundamentals/concepts/cloudflare-ip-addresses/) for more information. - -## Monitor traffic in your Cloudflare dashboard - -You can use the Cloudflare dashboard to closely monitor the traffic on your domain and fine-tune your cache and security settings accordingly. - -### Zone and Account analytics - -[Cloudflare zone analytics](/analytics/account-and-zone-analytics/zone-analytics/) gives you access to a wide range of metrics, collected at the website or domain level. - -[Cloudflare account analytics](/analytics/account-and-zone-analytics/account-analytics/) lets you access a wide range of aggregated metrics from all the sites under a specific Cloudflare account. - -### Security Analytics and Security Events - -[Security Analytics](/waf/analytics/security-analytics/) displays information about all incoming HTTP requests for your domain, including requests not handled by Cloudflare security products. - -You can also use the [Security Events](/waf/analytics/security-events/) to review mitigated requests and tailor your security configurations. - -### Cache Analytics - -You can use [Cache Analytics](/cache/performance-review/cache-analytics/) to improve site performance or reduce origin web server traffic. -Cache Analytics helps determine if resources are missing from cache, expired, or ineligible for caching. 
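Review bot: Please confirm every removed section has a home in the learning path before this body is dropped. The deleted text includes `## Cloudflare Waiting Room`, `### Use Tiered Cache` and `### Use Cache Reserve`, and nothing visible in this series shows where the Waiting Room section lands under `surge-readiness/`. Also check that existing inbound links to this page's heading anchors still resolve once the front matter becomes `pcx_content_type: navigation` with an `external_link`.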
From ab2a1d024e41976b6edd52281ad09d7faeca7bc6 Mon Sep 17 00:00:00 2001 From: Denise Pena Date: Wed, 24 Sep 2025 16:08:56 -0500 Subject: [PATCH 05/18] Implementing feedback --- .../security/block-agents-lock-zones.mdx | 4 --- .../security/control-domain-access.mdx | 25 --------------- .../security/control-incoming-requests.mdx | 2 +- .../surge-readiness/security/enable-iaum.mdx | 32 +++++++++++++++++++ 4 files changed, 33 insertions(+), 30 deletions(-) create mode 100644 src/content/docs/learning-paths/surge-readiness/security/enable-iaum.mdx diff --git a/src/content/docs/learning-paths/surge-readiness/security/block-agents-lock-zones.mdx b/src/content/docs/learning-paths/surge-readiness/security/block-agents-lock-zones.mdx index bf8e7106b47f060..23564eb3d02ca3c 100644 --- a/src/content/docs/learning-paths/surge-readiness/security/block-agents-lock-zones.mdx +++ b/src/content/docs/learning-paths/surge-readiness/security/block-agents-lock-zones.mdx @@ -17,7 +17,3 @@ Actions: ## Zone Lockdown [Zone lockdown](/waf/tools/zone-lockdown/) rules allow you to define paths and only allow specific, trusted IPs to those paths. Any requests to those paths from non-whitelisted IPs will be automatically blocked with an 1106 HTTP code. This ability is particularly useful for locking down administrative or staging portions of your application. - -# Defend content with Scrape Shield - -Scrape Shield is a collection of settings meant to protect your site's content. diff --git a/src/content/docs/learning-paths/surge-readiness/security/control-domain-access.mdx b/src/content/docs/learning-paths/surge-readiness/security/control-domain-access.mdx index acbb6578b2c6bdf..0884f9bf3acf268 100644 --- a/src/content/docs/learning-paths/surge-readiness/security/control-domain-access.mdx +++ b/src/content/docs/learning-paths/surge-readiness/security/control-domain-access.mdx 
@@ -35,28 +35,3 @@ Actions: Challenge Passage timeout applies to IP reputation, IUAM mode and user IP Firewall (CAPTCHA or JS Challenge): [cf_clearance cookie](/fundamentals/reference/policies-compliances/cloudflare-cookies/#additional-cookies-used-by-the-challenge-platform) is set with `Max-age=Challenge Passage`. ::: -## Enable "I'm Under Attack" mode (IAUM) - -If you are under attack and have this feature enabled during the attack, visitors will receive an interstitial page for about five seconds while the traffic is analyzed to make sure it is a legitimate human visitor. The vast majority of Layer 7 attack scripts are defeated by IUAM and can be honed via Page Rules. - -Refer to [I'm Under Attack Mode](https://developers.cloudflare.com/fundamentals/reference/under-attack-mode/) for more information. - - -## Change Access Control List (ACL) - -An ACL refers to rules that are applied to port numbers or IP addresses that are available on a host permitting use of the service. When you only allow Cloudflare IPs, you eliminate threats attempting to attack your origin IP range. - -Refer to [Cloudflare IP Ranges](https://www.cloudflare.com/ips) for more information. - - -## Change Origin IPs and update Cloudflare DNS records - -If your origin is still being attacked, consider moving your Origin IPs and updating your Cloudflare DNS records. - -Refer to [Prevent DDoS attacks](/learning-paths/prevent-ddos-attacks/concepts/) for detailed guidance. - -:::note - -To learn about best practices for DDoS protection, review [Respond to DDoS attacks](/ddos-protection/best-practices/respond-to-ddos-attacks/). - -::: diff --git a/src/content/docs/learning-paths/surge-readiness/security/control-incoming-requests.mdx b/src/content/docs/learning-paths/surge-readiness/security/control-incoming-requests.mdx index ea4e4953f4f1d52..acb95457b5a20cf 100644 --- a/src/content/docs/learning-paths/surge-readiness/security/control-incoming-requests.mdx 
+++ b/src/content/docs/learning-paths/surge-readiness/security/control-incoming-requests.mdx @@ -7,7 +7,7 @@ sidebar: Use [Custom rules](/waf/custom-rules/) to allow you to control incoming traffic by filtering requests to a zone. They work as customized web application firewall (WAF) rules that you can use to perform actions like Block or Managed Challenge on incoming requests. -UseWAF [Managed Rules](/waf/managed-rules/) to apply custom criteria for all incoming HTTP requests. +Use WAF [Managed Rules](/waf/managed-rules/) to apply custom criteria for all incoming HTTP requests. ## Understand hosting plan limits diff --git a/src/content/docs/learning-paths/surge-readiness/security/enable-iaum.mdx b/src/content/docs/learning-paths/surge-readiness/security/enable-iaum.mdx new file mode 100644 index 000000000000000..1b0d8c085c6a9ba --- /dev/null +++ b/src/content/docs/learning-paths/surge-readiness/security/enable-iaum.mdx 
@@ -0,0 +1,32 @@ +--- +title: What to do when under attack +pcx_content_type: overview +sidebar: + order: 9 +--- + +## Enable "I'm Under Attack" mode (IAUM) + +If you are under attack and have this feature enabled during the attack, visitors will receive an interstitial page for about five seconds while the traffic is analyzed to make sure it is a legitimate human visitor. The vast majority of Layer 7 attack scripts are defeated by IUAM and can be honed via Page Rules. + +Refer to [I'm Under Attack Mode](https://developers.cloudflare.com/fundamentals/reference/under-attack-mode/) for more information. + + +## Change Access Control List (ACL) + +An ACL refers to rules that are applied to port numbers or IP addresses that are available on a host permitting use of the service. When you only allow Cloudflare IPs, you eliminate threats attempting to attack your origin IP range. + +Refer to [Cloudflare IP Ranges](https://www.cloudflare.com/ips) for more information. + + +## Change Origin IPs and update Cloudflare DNS records + +If your origin is still being attacked, consider moving your Origin IPs and updating your Cloudflare DNS records. + +Refer to [Prevent DDoS attacks](/learning-paths/prevent-ddos-attacks/concepts/) for detailed guidance. + +:::note + +To learn about best practices for DDoS protection, review [Respond to DDoS attacks](/ddos-protection/best-practices/respond-to-ddos-attacks/). + +::: From 2f626c9a36d90fce35d6cf4174c5f5a7c0895afd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Denise=20Pe=C3=B1a?= <75506267+dcpena@users.noreply.github.com> Date: Thu, 25 Sep 2025 10:43:45 -0500 Subject: [PATCH 06/18] Apply suggestion from @caley-b Co-authored-by: Caley Burton --- .../learning-paths/surge-readiness/concepts/custom-pages.mdx | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) 
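Review bot: The acronym is inconsistent in the new `enable-iaum.mdx`: the file name and the heading `(IAUM)` disagree with the body's `IUAM`, which is also the spelling in the context line of `control-domain-access.mdx`; pick one spelling and rename the file to match. In the same section, `The vast majority of Layer 7 attack scripts are defeated by IUAM and can be honed via Page Rules` leaves it unclear what "can be honed" refers to, and `you eliminate threats attempting to attack your origin IP range` overstates what allowing only Cloudflare IPs does, since it only stops requests that bypass Cloudflare and reach the origin directly. The Under Attack Mode link uses the absolute `https://developers.cloudflare.com/` form where the other internal links in this file are relative.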
diff --git a/src/content/docs/learning-paths/surge-readiness/concepts/custom-pages.mdx b/src/content/docs/learning-paths/surge-readiness/concepts/custom-pages.mdx index 1b0bb0fb396fc79..0ed84e7a2d8d1ef 100644 --- a/src/content/docs/learning-paths/surge-readiness/concepts/custom-pages.mdx +++ b/src/content/docs/learning-paths/surge-readiness/concepts/custom-pages.mdx @@ -7,7 +7,9 @@ sidebar: Design your custom HTML page and host it online anywhere. Once published, Cloudflare will use the customized page instead of serving our standard page to your visitors. -Note: We encourage you to customize every page to provide a consistent branding experience for your users. Origin Error pages can also be activated for 502,504, and 404 errors. +:::note[Note] +We encourage you to customize every page to provide a consistent branding experience for your users. Origin Error pages can also be activated for 502, 504, and 404 errors. +::: Pages you can customize: From 12a9ac89656c0f342304f375dc02558298d2de08 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Denise=20Pe=C3=B1a?= <75506267+dcpena@users.noreply.github.com> Date: Thu, 25 Sep 2025 10:44:09 -0500 Subject: [PATCH 07/18] Apply suggestion from @caley-b Co-authored-by: Caley Burton --- .../docs/learning-paths/surge-readiness/concepts/index.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/learning-paths/surge-readiness/concepts/index.mdx b/src/content/docs/learning-paths/surge-readiness/concepts/index.mdx index 9ee5502125543a5..5e7cf057cb75bea 100644 --- a/src/content/docs/learning-paths/surge-readiness/concepts/index.mdx +++ b/src/content/docs/learning-paths/surge-readiness/concepts/index.mdx 
@@ -41,5 +41,5 @@ Note: Refer to [Manage members](/fundamentals/manage-members/) to learn how to r - Review your Operational and Disaster recovery preparedness - Enable Load Balancing with smart cache strategies: Use [Cloudflare Load Balancing](/reference-architecture/architectures/load-balancing) to distribute traffic across multiple healthy origins, and increase cache-hit ratios by leveraging [custom cache rules](/cache/performance-review/cache-analytics) and [edge compute](https://www.cloudflare.com/learning/cdn/caching-static-and-dynamic-content/) (e.g., Cloudflare Workers) to offload origin traffic during high-demand periods. - Configure failover pools and back up DNS with a playbook: Set up [Cloudflare Load Balancer failover pools](/reference-architecture/architectures/load-balancing) to automatically redirect traffic to healthy origins if one fails. Export DNS records for safekeeping and prepare a clear [incident response plan](https://www.cloudflare.com/learning/performance/preventing-downtime) that includes steps for re-routing or recovery. -- Review and update your current users' access? +- Review and update your current users' access - Check your domain registry validity \ No newline at end of file From e59aaed0ff00d8e395705ec73e029a300db78d9f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Denise=20Pe=C3=B1a?= <75506267+dcpena@users.noreply.github.com> Date: Thu, 25 Sep 2025 10:44:19 -0500 Subject: [PATCH 08/18] Apply suggestion from @caley-b Co-authored-by: Caley Burton --- .../learning-paths/surge-readiness/performance/analytics.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/learning-paths/surge-readiness/performance/analytics.mdx b/src/content/docs/learning-paths/surge-readiness/performance/analytics.mdx index 5fb3612e8569c52..aea6149aa0f5b9c 100644 --- a/src/content/docs/learning-paths/surge-readiness/performance/analytics.mdx +++ b/src/content/docs/learning-paths/surge-readiness/performance/analytics.mdx 
@@ -17,7 +17,7 @@ Use [Account and zone analytics](/analytics/account-and-zone-analytics/) to prov ## Cloudflare Network Analytics -Use [Cloudflare Network Analytics](/analytics/network-analytics/) to Provide near real-time visibility into network and transport-layer traffic patterns and DDoS attacks. +Use [Cloudflare Network Analytics](/analytics/network-analytics/) to provide near real-time visibility into network and transport-layer traffic patterns and DDoS attacks. ## GraphQL Analytics API From c7214de233a989dc872418b4eada50ba144bf6e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Denise=20Pe=C3=B1a?= <75506267+dcpena@users.noreply.github.com> Date: Thu, 25 Sep 2025 10:45:18 -0500 Subject: [PATCH 09/18] Apply suggestion from @caley-b Co-authored-by: Caley Burton --- .../docs/learning-paths/surge-readiness/performance/caching.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/learning-paths/surge-readiness/performance/caching.mdx b/src/content/docs/learning-paths/surge-readiness/performance/caching.mdx index 58527ee182af40d..d7983d80f798328 100644 --- a/src/content/docs/learning-paths/surge-readiness/performance/caching.mdx +++ b/src/content/docs/learning-paths/surge-readiness/performance/caching.mdx 
@@ -57,7 +57,7 @@ This ensures that your content is served from cache longer, shielding your origi ## Use Cloudflare IP addresses -Take action to prevent attacks to your application during peak season by configuring your firewall to only accept traffic from Cloudflare IP addresses. By only allowing [Cloudflare IPs ↗](https://www.cloudflare.com/ips), you can prevent attackers from bypassing Cloudflare and sending requests directly to your origin. +Take action to prevent attacks to your application during peak season by configuring your firewall to only accept traffic from Cloudflare IP addresses. By only allowing [Cloudflare IPs](https://www.cloudflare.com/ips), you can prevent attackers from bypassing Cloudflare and sending requests directly to your origin. Refer to [Cloudflare IP addresses](/fundamentals/concepts/cloudflare-ip-addresses/) for more information. From a9f4a5046dc6a696919c756eeda79eebdda5cb98 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Denise=20Pe=C3=B1a?= <75506267+dcpena@users.noreply.github.com> Date: Thu, 25 Sep 2025 10:45:37 -0500 Subject: [PATCH 10/18] Apply suggestion from @caley-b Co-authored-by: Caley Burton --- .../surge-readiness/security/secure-against-attacks.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/learning-paths/surge-readiness/security/secure-against-attacks.mdx b/src/content/docs/learning-paths/surge-readiness/security/secure-against-attacks.mdx index facdea2bf42c0f6..946c137dda256c7 100644 --- a/src/content/docs/learning-paths/surge-readiness/security/secure-against-attacks.mdx +++ b/src/content/docs/learning-paths/surge-readiness/security/secure-against-attacks.mdx 
@@ -9,6 +9,6 @@ Review the different actions you can take to secure your website against attacks ## Orange cloud all proper subdomains -When a subdomain is set to Proxied (also known as orange-clouded), Cloudflare proxying is active for that record will resolve to a Cloudflare IP. +When a subdomain is set to Proxied (also known as orange-clouded), Cloudflare proxying is active for that record and the record will resolve to a Cloudflare IP. Refer to [Proxy status](/dns/proxy-status/) for more information. From 6a43c3c4723612966a473a497352f2024b4e5861 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Denise=20Pe=C3=B1a?= <75506267+dcpena@users.noreply.github.com> Date: Thu, 25 Sep 2025 10:45:55 -0500 Subject: [PATCH 11/18] Apply suggestion from @caley-b Co-authored-by: Caley Burton --- .../surge-readiness/security/prepare-for-surges.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/learning-paths/surge-readiness/security/prepare-for-surges.mdx b/src/content/docs/learning-paths/surge-readiness/security/prepare-for-surges.mdx index 7531004ce77a21c..0b619b3354d0930 100644 --- a/src/content/docs/learning-paths/surge-readiness/security/prepare-for-surges.mdx +++ b/src/content/docs/learning-paths/surge-readiness/security/prepare-for-surges.mdx 
@@ -16,4 +16,4 @@ Cloudflare's Advanced [DDoS protection](/ddos-protection/) is always on for Ente ## Browser Integrity Check -[Browser Integrity Check](/waf/tools/browser-integrity-check/) looks for requests with HTTP headers commonly used by spammers, bots, and crawlers such as requests with a missing or non-standard user agent. If a threat is found, Cloudflare will present a challenge page before allowing access. This may affect your API and can be selectively disabled using Page Rules. +[Browser Integrity Check](/waf/tools/browser-integrity-check/) looks for requests with HTTP headers commonly used by spammers, bots, and crawlers such as requests with a missing or non-standard user agent. If a threat is found, Cloudflare will present a challenge page before allowing access. This may affect your API and can be selectively disabled using [Page Rules](rules/page-rules/). From 514e2c22d1930e4e7d3b3d14c1333d285f95fa09 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Denise=20Pe=C3=B1a?= <75506267+dcpena@users.noreply.github.com> Date: Thu, 25 Sep 2025 10:46:09 -0500 Subject: [PATCH 12/18] Apply suggestion from @caley-b Co-authored-by: Caley Burton --- .../surge-readiness/security/control-incoming-requests.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/learning-paths/surge-readiness/security/control-incoming-requests.mdx b/src/content/docs/learning-paths/surge-readiness/security/control-incoming-requests.mdx index acb95457b5a20cf..0f0d894c3c19863 100644 --- a/src/content/docs/learning-paths/surge-readiness/security/control-incoming-requests.mdx +++ b/src/content/docs/learning-paths/surge-readiness/security/control-incoming-requests.mdx 
@@ -17,7 +17,7 @@ Once you are aware of your plan limits, you can use [Rate Limiting](/waf/rate-li To help you define the best rate limiting setting for your use case, refer to [How Cloudflare determines the request rate article](/waf/rate-limiting-rules/request-rate/). -## Security Models +## Security models - Positive Security policy: Allow specific requests and deny everything else. - Negative Security policy: Block specific requests and allow everything else. From 1b2fabe3343b55f6bec8e1342e16d15bdadf0bb9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Denise=20Pe=C3=B1a?= <75506267+dcpena@users.noreply.github.com> Date: Thu, 25 Sep 2025 10:47:41 -0500 Subject: [PATCH 13/18] Apply suggestion from @caley-b Co-authored-by: Caley Burton --- .../surge-readiness/security/control-incoming-requests.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/learning-paths/surge-readiness/security/control-incoming-requests.mdx b/src/content/docs/learning-paths/surge-readiness/security/control-incoming-requests.mdx index 0f0d894c3c19863..4367d2798a7fde9 100644 --- a/src/content/docs/learning-paths/surge-readiness/security/control-incoming-requests.mdx +++ b/src/content/docs/learning-paths/surge-readiness/security/control-incoming-requests.mdx @@ -15,7 +15,7 @@ Cloudflare offsets most of the load to your website via caching and request filt Once you are aware of your plan limits, you can use [Rate Limiting](/waf/rate-limiting-rules/) to restrict how many times a requesting entity can make a request to your website. -To help you define the best rate limiting setting for your use case, refer to [How Cloudflare determines the request rate article](/waf/rate-limiting-rules/request-rate/). +To help you define the best rate limiting setting for your use case, refer to [How Cloudflare determines the request rate](/waf/rate-limiting-rules/request-rate/). ## Security models From 90274aca3efdec9436f99606379593c149f9a6d1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Denise=20Pe=C3=B1a?= <75506267+dcpena@users.noreply.github.com> Date: Thu, 25 Sep 2025 10:48:01 -0500 Subject: [PATCH 14/18] Apply suggestion from @caley-b Co-authored-by: Caley Burton --- .../surge-readiness/security/block-agents-lock-zones.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/learning-paths/surge-readiness/security/block-agents-lock-zones.mdx b/src/content/docs/learning-paths/surge-readiness/security/block-agents-lock-zones.mdx index 23564eb3d02ca3c..bb9bddbf354721a 100644 --- a/src/content/docs/learning-paths/surge-readiness/security/block-agents-lock-zones.mdx +++ b/src/content/docs/learning-paths/surge-readiness/security/block-agents-lock-zones.mdx @@ -16,4 +16,4 @@ Actions: ## Zone Lockdown -[Zone lockdown](/waf/tools/zone-lockdown/) rules allow you to define paths and only allow specific, trusted IPs to those paths. Any requests to those paths from non-whitelisted IPs will be automatically blocked with an 1106 HTTP code. This ability is particularly useful for locking down administrative or staging portions of your application. +[Zone Lockdown](/waf/tools/zone-lockdown/) rules allow you to define paths and only allow specific, trusted IPs to those paths. Any requests to those paths from non-whitelisted IPs will be automatically blocked with an 1106 HTTP code. This ability is particularly useful for locking down administrative or staging portions of your application. From 8b505fb95a2880048b9092d4dd5d591e3ff60260 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Denise=20Pe=C3=B1a?= <75506267+dcpena@users.noreply.github.com> Date: Thu, 25 Sep 2025 10:48:15 -0500 Subject: [PATCH 15/18] Apply suggestion from @caley-b Co-authored-by: Caley Burton --- .../surge-readiness/security/block-agents-lock-zones.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
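Review bot: In the Zone Lockdown paragraph of `block-agents-lock-zones.mdx`, `an 1106 HTTP code` is not accurate: HTTP status codes have three digits, so 1106 has to be a Cloudflare error code rather than an HTTP status. Reword to something like "blocked with Cloudflare error 1106" and, if the HTTP status matters to readers, state it separately. `non-whitelisted IPs` could also become "IPs not on the allowlist" while this line is being edited.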
diff --git a/src/content/docs/learning-paths/surge-readiness/security/block-agents-lock-zones.mdx b/src/content/docs/learning-paths/surge-readiness/security/block-agents-lock-zones.mdx index bb9bddbf354721a..18aa11aa2acd3ee 100644 --- a/src/content/docs/learning-paths/surge-readiness/security/block-agents-lock-zones.mdx +++ b/src/content/docs/learning-paths/surge-readiness/security/block-agents-lock-zones.mdx @@ -11,7 +11,7 @@ sidebar: Actions: - Block: Ensures that an IP address will never be allowed to access your site --CAPTCHA Challenge: Rules will be shown a CAPTCHA before allowed access +- CAPTCHA Challenge: Rules will be shown a CAPTCHA before allowed access - Javascript Challenge: Rules will be shown 5 second javascript confirmation ## Zone Lockdown From a8d1663bb1b725555a6b2e494129bcf20fcbe5ad Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Denise=20Pe=C3=B1a?= <75506267+dcpena@users.noreply.github.com> Date: Thu, 25 Sep 2025 10:48:33 -0500 Subject: [PATCH 16/18] Apply suggestion from @caley-b Co-authored-by: Caley Burton --- .../docs/learning-paths/surge-readiness/performance/caching.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/learning-paths/surge-readiness/performance/caching.mdx b/src/content/docs/learning-paths/surge-readiness/performance/caching.mdx index d7983d80f798328..32aafd5bcaa82ff 100644 --- a/src/content/docs/learning-paths/surge-readiness/performance/caching.mdx +++ b/src/content/docs/learning-paths/surge-readiness/performance/caching.mdx 
@@ -76,7 +76,7 @@ You can use the Cloudflare dashboard to closely monitor the traffic on your doma ### Security Analytics and Security Events -[Security Analytics](https://developers.cloudflare.com/waf/analytics/security-analytics/) displays information about all incoming HTTP requests for your domain, including requests not handled by Cloudflare security products. +[Security Analytics](/waf/analytics/security-analytics/) displays information about all incoming HTTP requests for your domain, including requests not handled by Cloudflare security products. You can also use the [Security Events](/waf/analytics/security-events/) to review mitigated requests and tailor your security configurations. From 473b6365ffc840fb11fedab5c8f6083f233fe42e Mon Sep 17 00:00:00 2001 From: Denise Pena Date: Thu, 25 Sep 2025 10:57:59 -0500 Subject: [PATCH 17/18] Implemented review feedback --- .../surge-readiness/concepts/index.mdx | 12 +++++++++--- .../surge-readiness/support/resources.mdx | 2 +- 2 files changed, 10 insertions(+), 4 deletions(-) diff --git a/src/content/docs/learning-paths/surge-readiness/concepts/index.mdx b/src/content/docs/learning-paths/surge-readiness/concepts/index.mdx index 5e7cf057cb75bea..16eac7af06be37a 100644 --- a/src/content/docs/learning-paths/surge-readiness/concepts/index.mdx +++ b/src/content/docs/learning-paths/surge-readiness/concepts/index.mdx 
@@ -21,12 +21,16 @@ For the security and protection of your account, be sure to register all account 2. Select more than one Super Administrator to ensure appropriate access when needed. +:::note + +Refer to [Manage members](/fundamentals/manage-members/) to learn how to review and update registered account users. + +::: + Failure to register account users can create issues with our ticketing system. Unverified users who contact support will be funneled to the self-serve queue rather than the Enterprise queue which can result in long wait times. We strongly advise against credential-sharing which can jeopardize the trust and safety of your account. -Note: Refer to [Manage members](/fundamentals/manage-members/) to learn how to review and update registered account users. - ## Confirm user and domain administration - **Multi-User:** Provide role-based permissions to a group of users to better control the administration of your domains. Each user has their own role and limited API key. 
@@ -37,7 +41,9 @@ Note: Refer to [Manage members](/fundamentals/manage-members/) to learn how to r ## Additional items - Check when your [SSL Certificates expire (only custom and origin certificates)](/ssl/edge-certificates/custom-certificates/renewing/) - - Note: Certificates managed by Cloudflare are auto-renewed + :::note + Certificates managed by Cloudflare are auto-renewed. + ::: - Review your Operational and Disaster recovery preparedness - Enable Load Balancing with smart cache strategies: Use [Cloudflare Load Balancing](/reference-architecture/architectures/load-balancing) to distribute traffic across multiple healthy origins, and increase cache-hit ratios by leveraging [custom cache rules](/cache/performance-review/cache-analytics) and [edge compute](https://www.cloudflare.com/learning/cdn/caching-static-and-dynamic-content/) (e.g., Cloudflare Workers) to offload origin traffic during high-demand periods. - Configure failover pools and back up DNS with a playbook: Set up [Cloudflare Load Balancer failover pools](/reference-architecture/architectures/load-balancing) to automatically redirect traffic to healthy origins if one fails. Export DNS records for safekeeping and prepare a clear [incident response plan](https://www.cloudflare.com/learning/performance/preventing-downtime) that includes steps for re-routing or recovery. diff --git a/src/content/docs/learning-paths/surge-readiness/support/resources.mdx b/src/content/docs/learning-paths/surge-readiness/support/resources.mdx index cb05331da63aeed..65160b9ea46741a 100644 --- a/src/content/docs/learning-paths/surge-readiness/support/resources.mdx +++ b/src/content/docs/learning-paths/surge-readiness/support/resources.mdx @@ -16,7 +16,7 @@ import { Plan } from "~/components" | Critical issues such as attacks (reactive) | - Call the 24/7 Emergency Support line
- +1 (650)353-5922 (US)
- www.cloudflare.com/ecp/support (global lines)| :::note -For security reasons, Cloudflare Support only assists individuals whose email addresses are validated against the list of registered account contacts. Review and update all contacts accordingly in your Cloudflare Dashboard. +For security reasons, Cloudflare Support only assists individuals whose email addresses are validated against the list of registered account contacts. Review and update all contacts accordingly in your Cloudflare Dashboard. For more information, refer to [Manage members](/fundamentals/manage-members/). ::: ## Additional resources From ced5e9823007b3cf09181dc58c5140bdf2ba0642 Mon Sep 17 00:00:00 2001 From: Denise Pena Date: Thu, 25 Sep 2025 11:17:35 -0500 Subject: [PATCH 18/18] Fixed relative link --- .../surge-readiness/security/prepare-for-surges.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/content/docs/learning-paths/surge-readiness/security/prepare-for-surges.mdx b/src/content/docs/learning-paths/surge-readiness/security/prepare-for-surges.mdx index 0b619b3354d0930..0cd3b4b57cbf889 100644 --- a/src/content/docs/learning-paths/surge-readiness/security/prepare-for-surges.mdx +++ b/src/content/docs/learning-paths/surge-readiness/security/prepare-for-surges.mdx 
@@ -16,4 +16,4 @@ Cloudflare's Advanced [DDoS protection](/ddos-protection/) is always on for Ente ## Browser Integrity Check -[Browser Integrity Check](/waf/tools/browser-integrity-check/) looks for requests with HTTP headers commonly used by spammers, bots, and crawlers such as requests with a missing or non-standard user agent. If a threat is found, Cloudflare will present a challenge page before allowing access. This may affect your API and can be selectively disabled using [Page Rules](rules/page-rules/). +[Browser Integrity Check](/waf/tools/browser-integrity-check/) looks for requests with HTTP headers commonly used by spammers, bots, and crawlers such as requests with a missing or non-standard user agent. If a threat is found, Cloudflare will present a challenge page before allowing access. This may affect your API and can be selectively disabled using [Page Rules](/rules/page-rules/).
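Review bot: In control-incoming-requests.mdx (the heading hunk and PATCH 13/18), the heading now reads "Security models" but the two bullets under it still read "Positive Security policy" and "Negative Security policy", so the section uses two terms and two capitalization styles for one concept. Suggest "Positive security model: Allow specific requests and deny everything else." and the matching form for the negative case.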
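Review bot: In PATCH 14/18 (block-agents-lock-zones.mdx, Zone Lockdown paragraph), the changed line still says requests are "blocked with an 1106 HTTP code", but 1106 cannot be an HTTP status code, since those are three digits. Anyone building a log filter or uptime check from this sentence would match on the wrong field. Suggest calling it error code 1106 and giving the HTTP status returned with it separately, after checking the Zone Lockdown reference page. While the line is open, "non-whitelisted IPs" could become "IPs that are not on the allowlist", and "only allow specific, trusted IPs to those paths" needs a verb such as "to access".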
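Review bot: In PATCH 15/18 (block-agents-lock-zones.mdx, Actions list), the line being reformatted, "CAPTCHA Challenge: Rules will be shown a CAPTCHA before allowed access", has the wrong subject: the visitor who matches the rule is challenged, not the rule. The context line after it has the same problem ("Rules will be shown 5 second javascript confirmation"). Suggest "Visitors matching the rule must complete a CAPTCHA before access is allowed" and the same shape for the next item, with "JavaScript" capitalized.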
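Review bot: In PATCH 17/18 (concepts/index.mdx, first hunk), the one security instruction in this block, "We strongly advise against credential-sharing", is left as the trailing sentence of a paragraph about support queue routing, directly below the newly placed note, where it is easy to miss. Suggest moving it to its own paragraph next to the Super Administrator step and adding the missing comma in "rather than the Enterprise queue, which can result in long wait times".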
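Review bot: In PATCH 17/18 (concepts/index.mdx, "Additional items" hunk), the new `:::note` block replaces a nested bullet under the SSL certificate item, and a directive inside a list item only stays attached to that item if it is indented to the item's content column. The indentation cannot be confirmed from this view, so check the rendered preview to make sure the list does not break before "Review your Operational and Disaster recovery preparedness". In the same hunk, the context lines link "custom cache rules" to /cache/performance-review/cache-analytics and "edge compute" to a caching learning page, so the link text and targets do not match.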
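Review bot: In PATCH 17/18 (support/resources.mdx, the note), the changed line keeps "Cloudflare Dashboard" capitalized while caching.mdx in this series writes "Cloudflare dashboard"; pick one form across the learning path. The note also says Support only assists validated contacts without saying what happens otherwise. Since concepts/index.mdx already explains that unverified users are routed to the self-serve queue, a short cross-reference to that page would make the consequence clear here too.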
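Review bot: In PATCH 18/18 (prepare-for-surges.mdx, Browser Integrity Check paragraph), the link fix is correct, but the sentence it sits in, "This may affect your API and can be selectively disabled", leaves "This" ambiguous and does not say which API traffic is at risk. The paragraph already gives the cause: requests with a missing or non-standard user agent are presented a challenge page. Suggest "API clients that send no user agent or a non-standard one may receive the challenge page; you can disable Browser Integrity Check for those routes using Page Rules."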