Cloudflare Features

Cloudflare is far more than a CDN. When you deploy to Cloudflare Pages, you get access to an entire platform of performance, security, developer, and analytics features — many of them free. This document is the definitive reference for every feature available, organized by category with pricing tiers, setup instructions, and Pages-specific recommendations.

How to read this guide:

• Free features are available on the free plan at no cost
• Pro features require the Pro plan ($20/month per zone)
• Business features require the Business plan ($200/month per zone)
• Enterprise features require a custom Enterprise contract
• Add-on features are paid add-ons available on any plan

Pages Users: What You Get

Cloudflare Pages projects include: global CDN, unlimited bandwidth, automatic SSL, DDoS protection, HTTP/2 and HTTP/3, Brotli compression, and preview deployments. The Workers Paid plan ($5/month per account, not per site) is recommended for portfolios — it upgrades builds to 5,000/month, requests to 10M/day, and files to 100K per deployment. Many features below require your domain to be on Cloudflare DNS (orange-cloud proxied) to take effect.

---

Feature Summary

Every Cloudflare feature falls into one of three proxy modes. Understanding this determines what you can use and when.

• O2O (Orange-to-Orange) — Traffic must be proxied through Cloudflare (orange cloud enabled on DNS record). The feature inspects, modifies, or acts on live traffic at the edge.
• Pages — Built into the Pages platform. Works on *.pages.dev with no custom domain or DNS configuration.
• Platform — Developer API/service. Accessed programmatically from Workers or Functions. No proxy requirement.
• DNS — Requires your domain on Cloudflare DNS, but proxy (orange cloud) is not required.

O2O = Custom Domain Required

Features marked O2O only work when your custom domain’s DNS record has the orange cloud (proxy) enabled. They do not work on *.pages.dev subdomains or gray-cloud (DNS-only) records. If you need WAF, DDoS, Bot Management, Cache Rules, or any traffic-inspection feature, you must add a custom domain and proxy it through Cloudflare.

Performance Features

Feature	Plan	Proxy	Notes
CDN	Free	Pages	Edge-hosted natively. 300+ locations, unlimited bandwidth
Auto Minify	Free	O2O	Removes whitespace from HTML/CSS/JS at the edge
Brotli Compression	Free	O2O	15-25% better compression than gzip
Early Hints (103)	Free	O2O	Sends Link headers before full response
HTTP/2 & HTTP/3	Free	O2O	Multiplexing, QUIC. 10-30% faster mobile loads
Rocket Loader	Free	O2O	Defers all JS. Test carefully — breaks interactive elements
Polish & Mirage	Pro ($20/mo)	O2O	Edge image optimization, WebP/AVIF conversion
Argo Smart Routing	Add-on (~$5/mo)	O2O	Routes through CF private backbone. Minimal benefit for static sites
Speed Brain	Free	O2O	Predictive prefetching for multi-page navigation

Security Features

Feature	Plan	Proxy	Notes
DDoS Protection	Free	O2O	L3/L4/L7. Unlimited, unmetered, always-on
WAF	Free (basic)	O2O	Managed rulesets, custom rules. Pro for OWASP rules
Bot Fight Mode	Free	O2O	JS challenges to block malicious bots
SSL/TLS	Free	Pages	Auto certs on *.pages.dev and proxied custom domains
HSTS	Free	Pages	Configure via _headers file or Dashboard (O2O)
Security Headers	Free	Pages	Full control via _headers file. CSP, X-Frame, etc.
Rate Limiting	Free (1 rule)	O2O	Protect form/API endpoints from abuse
Turnstile	Free	Any	Client-side CAPTCHA alternative. Works on any domain
Cloudflare Access	Free (50 users)	O2O	Identity-based access control. Challenge mode needs O2O

DNS & Domains

Feature	Plan	Proxy	Notes
DNS Management	Free	DNS	Fastest authoritative DNS (~11ms). DNSSEC, unlimited queries
Email Routing	Free	DNS	Forward info@yourdomain.com to any inbox. MX records only
Domain Registration	Free	—	At-cost pricing (~$10/yr .com). Free WHOIS privacy

Developer Platform

Feature	Plan	Proxy	Notes
Pages	Free	Pages	Unlimited sites and bandwidth. 500 builds/mo (5K with Workers Paid)
Workers	Free	Platform	Edge serverless functions. 100K req/day free
Pages Functions	Free	Platform	File-based API routing. Deploys with your site
KV Storage	Free (limited)	Platform	Global key-value store. Config, counters, cache
D1 Database	Free (limited)	Platform	Serverless SQLite at the edge
R2 Object Storage	Free (10 GB)	Platform	S3-compatible, zero egress fees
Durable Objects	Add-on ($5/mo)	Platform	Stateful serverless. WebSockets, real-time
Queues	Free (limited)	Platform	Async message processing. At-least-once delivery
Vectorize	Add-on ($5/mo)	Platform	Vector database for AI/ML and semantic search
AI Gateway	Free (limited)	Platform	Proxy for AI APIs with caching and fallbacks
Workers AI	Free (limited)	Platform	Run open-source AI models on CF edge

Analytics & Monitoring

Feature	Plan	Proxy	Notes
Web Analytics	Free	Any	JS beacon works anywhere. Auto-mode needs O2O
Real User Monitoring	Free	Any	Core Web Vitals from real visitors. Included with Web Analytics
Logs (Logpush)	Enterprise	O2O	Raw logs to S3/R2/BigQuery. Free tier gets Dashboard analytics

Caching

Feature	Plan	Proxy	Notes
Cache Rules	Free (10 rules)	O2O	Custom TTLs, bypass rules by URL pattern
Page Rules	Free (3 rules)	O2O	Legacy. Being replaced by Cache/Redirect/Config Rules
Cache Reserve	Add-on ($5/mo)	O2O	Persistent edge cache backed by R2. Eliminates cache misses
Tiered Caching	Free	O2O	Regional cache hierarchy. Reduces redundant fetches

Compliance

Feature	Plan	Proxy	Notes
GDPR DPA	Free	—	Data Processing Addendum. Account-level legal agreement
Privacy-First Analytics	Free	Any	No cookies, no PII. No consent banners needed
Data Localization	Enterprise	O2O	Regional data processing. Strict residency requirements

---

Performance

Cloudflare’s performance features turn every static site into a globally distributed, edge-optimized application. Most of these features require zero code changes — enable them in the Dashboard and they apply automatically.

CDN (Content Delivery Network)

Free

Cloudflare operates one of the largest CDN networks in the world with 300+ data centers across 100+ countries. When a visitor requests your site, the response comes from the nearest edge location rather than a single origin server.

What it does: Caches and serves your static assets (HTML, CSS, JS, images, fonts) from the edge location closest to each visitor. For Cloudflare Pages, your entire site is edge-hosted by default — there is no origin server.

Pages relevance: Core to how Pages works. Every deployment is distributed across the entire network automatically.

Setup: Automatic for all Cloudflare Pages projects. No configuration needed.

Metric	Traditional Hosting	Cloudflare Pages
TTFB	200-2000ms	10-50ms
Edge locations	1 (your server)	300+
Bandwidth cost	$0.08-0.12/GB	$0 (free, unlimited)

Auto Minify

Free

What it does: Removes whitespace, comments, and unnecessary characters from HTML, CSS, and JavaScript files on the fly at the edge. Reduces file sizes by 5-15% without changing functionality.

Pages relevance: Useful as a safety net. If your build process already minifies assets, this provides marginal additional gains. If you deploy unminified files (e.g., WordPress migration snapshots), the savings are significant.

Dashboard

Go to Speed > Optimization > Content Optimization > Auto Minify > Enable for HTML, CSS, and JS.

API

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/minify" \
  -H "Authorization: Bearer {api_token}" \
  -H "Content-Type: application/json" \
  --data '{"value":{"css":"on","html":"on","js":"on"}}'

Caution

Auto Minify occasionally causes issues with inline JavaScript that relies on specific whitespace or comments. If you see broken scripts after enabling, either fix the source or disable JS minification and handle it at build time instead.

Brotli Compression

Free

What it does: Compresses text-based responses (HTML, CSS, JS, JSON, XML, SVG) using the Brotli algorithm, which achieves 15-25% better compression than gzip. All modern browsers support Brotli.

Pages relevance: Directly reduces transfer sizes for every page load. Especially impactful for CSS and JS files.

Dashboard

Go to Speed > Optimization > Content Optimization > Brotli > Enable.

API

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/brotli" \
  -H "Authorization: Bearer {api_token}" \
  --data '{"value":"on"}'

Setup: Enable once. No risk, no side effects.

Early Hints (103)

Free

What it does: When a browser requests a page, Cloudflare immediately sends a 103 Early Hints response with Link headers pointing to critical resources (CSS, fonts, JS) before the full HTML response is ready. The browser starts downloading these resources while waiting for the page.

Pages relevance: Meaningful improvement for Pages sites with multiple CSS/JS files. Cloudflare learns which resources are needed from previous requests and automatically generates hints.

Dashboard

Go to Speed > Optimization > Content Optimization > Early Hints > Enable.

API

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/early_hints" \
  -H "Authorization: Bearer {api_token}" \
  --data '{"value":"on"}'

Impact: 0.1-0.5s improvement in LCP, depending on the number and size of critical resources.

HTTP/2 and HTTP/3

Free

What it does: HTTP/2 enables multiplexing (multiple requests over a single connection), header compression, and server push. HTTP/3 uses QUIC (UDP-based transport) for even faster connections, especially on mobile networks with packet loss.

Pages relevance: Significant improvement for pages with many assets (images, CSS, JS files). HTTP/3 is particularly impactful for mobile visitors on cellular connections.

Dashboard

HTTP/2 is enabled by default for all Cloudflare zones. For HTTP/3:

Go to Network > HTTP/3 (with QUIC) > Enable.

API

# Enable HTTP/3
curl -X PATCH "https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/http3" \
  -H "Authorization: Bearer {api_token}" \
  --data '{"value":"on"}'

Impact: 10-30% faster page loads on mobile. Zero risk.

Rocket Loader

Free

What it does: Defers loading of all JavaScript (both inline and external) until after the page has fully rendered. Forces all scripts to load asynchronously, improving perceived load time.

Pages relevance: Less relevant for well-optimized static sites that already use defer and async attributes. Most useful for migrated WordPress sites that still have render-blocking scripts.

Dashboard

Go to Speed > Optimization > Content Optimization > Rocket Loader > Enable.

API

curl -X PATCH "https://api.cloudflare.com/client/v4/zones/{zone_id}/settings/rocket_loader" \
  -H "Authorization: Bearer {api_token}" \
  --data '{"value":"on"}'

Test Thoroughly

Rocket Loader rewrites how scripts execute. It can break form validation, interactive widgets, booking embeds, and any JavaScript that depends on execution order. If something breaks, either disable Rocket Loader or exclude specific scripts:

<script data-cfasync="false" src="/js/form-handler.js"></script>

Image Optimization (Polish and Mirage)

Pro

Polish automatically compresses images and converts them to WebP or AVIF format at the edge. Mirage detects screen size and network speed, then serves appropriately sized placeholder images on slow connections and lazy-loads full images when ready.

Pages relevance: Polish is valuable if you deploy unoptimized images (e.g., direct WordPress migration). If you already convert to WebP at build time (recommended), Polish provides minimal additional benefit. Mirage is useful for image-heavy pages.

Dashboard

Go to Speed > Optimization > Image Optimization > Enable Polish (Lossy or Lossless) and Mirage.

Free Alternative

For free-tier users, handle image optimization at build time using Sharp. See the Optimization guide for the complete build script.

Argo Smart Routing

Add-on (Pay-per-use: ~$5/month base + $0.10/GB)

What it does: Routes requests through Cloudflare’s private network backbone instead of the public internet, finding the fastest path between the visitor and the edge cache. Reduces latency by detecting real-time congestion and routing around it.

Pages relevance: Marginal for most static sites since Pages content is already cached at every edge location. Most beneficial for sites with Pages Functions that make origin requests (e.g., API calls, form processing).

Setup: Go to Traffic > Argo > Enable. Billing is usage-based.

Impact: 20-35% improvement in TTFB for dynamic requests. Minimal impact on fully cached static content.

Speed Brain (Speculative Prefetching)

Free

What it does: Uses Cloudflare’s network-level intelligence to predict which page a visitor will navigate to next and prefetches it in the background. When the visitor clicks, the page loads instantly from the browser cache.

Pages relevance: Excellent for multi-page static sites (medical practices with service pages, about pages, contact pages). Visitors clicking through your site experience near-instant navigation.

Dashboard

Go to Speed > Optimization > Speed Brain > Enable.

Impact: Near-instant subsequent page loads for multi-page navigation.

Performance Features Summary

CDN

300+ edge locations, automatic caching, unlimited bandwidth for Pages.

Free

Auto Minify

Edge minification for HTML, CSS, JS. 5-15% size reduction.

Free

Brotli Compression

15-25% better compression than gzip for text assets.

Free

Early Hints (103)

Preload critical resources before the full page response.

Free

HTTP/2 & HTTP/3

Multiplexing, header compression, QUIC for mobile performance.

Free

Rocket Loader

Async all JS loading. Test carefully — can break interactive elements.

Free

Polish & Mirage

Edge image optimization, WebP/AVIF conversion, responsive images.

Pro ($20/mo)

Argo Smart Routing

Optimized routing through Cloudflare’s private backbone.

Add-on (~$5/mo+)

Speed Brain

Predictive prefetching for near-instant page navigation.

Free

---

Security

Static sites on Cloudflare Pages eliminate the entire WordPress attack surface (no PHP, no database, no login, no plugins). Cloudflare adds multiple layers of protection on top.

DDoS Protection

Free

What it does: Detects and mitigates distributed denial-of-service attacks automatically. Cloudflare absorbs attack traffic across its global network — no configuration, no traffic caps, no surcharges during attacks. Protection covers L3/L4 (network) and L7 (application) attacks.

Pages relevance: Always on for all Pages projects. Your site stays up even during massive attacks. This alone eliminates the need for WordPress security plugins like Sucuri or Cloudflare’s own “Under Attack” mode.

Setup: Automatic. Always on. Unlimited. Unmetered.

WAF (Web Application Firewall)

Free (basic) / Pro (managed rulesets) / Business (advanced)

What it does: Inspects incoming HTTP requests and blocks malicious traffic based on rulesets. The free tier includes basic managed rules. Pro adds OWASP Core Rule Set and Cloudflare Managed Ruleset. Business adds advanced custom rules and rate limiting.

Pages relevance: Less critical for purely static sites (no server-side code to exploit), but valuable for sites with Pages Functions (form handlers, API endpoints). The free WAF rules protect against common attack patterns.

Plan	WAF Features
Free	5 custom firewall rules, basic managed rules, bot fight mode
Pro	OWASP Core Rule Set, Cloudflare Managed Ruleset, 20 custom rules
Business	Advanced rate limiting, 100 custom rules, response header modification
Enterprise	Custom rulesets, advanced bot management, unlimited rules

Dashboard

Go to Security > WAF > Managed Rules > Enable desired rulesets.

For custom rules: Security > WAF > Custom Rules > Create rule.

Bot Management

Free (Bot Fight Mode) / Enterprise (full Bot Management)

What it does: Detects and blocks malicious bots while allowing legitimate crawlers (Googlebot, Bingbot). Free Bot Fight Mode uses JavaScript detection challenges. Enterprise Bot Management uses machine learning and behavioral analysis.

Pages relevance: Protects form endpoints from spam bots. Ensures only real users submit forms and only legitimate crawlers index your site.

Dashboard

Go to Security > Bots > Enable Bot Fight Mode.

For Enterprise: Configure Super Bot Fight Mode or full Bot Management.

Tip

For form spam specifically, combine Bot Fight Mode with Cloudflare Turnstile (free CAPTCHA alternative) for comprehensive protection.

SSL/TLS

Free

What it does: Provides free, automatically managed SSL/TLS certificates for all custom domains. Certificates renew automatically before expiration. Supports TLS 1.2 and 1.3.

Pages relevance: Every Pages project gets automatic HTTPS — both on *.pages.dev subdomains and custom domains. No certificate management required.

Setup: Automatic for Pages custom domains. Set SSL mode to Full (Strict) at: SSL/TLS > Overview.

Configuration	Where
SSL mode: Full (Strict)	SSL/TLS > Overview
Minimum TLS version: 1.2	SSL/TLS > Edge Certificates
Always Use HTTPS: On	SSL/TLS > Edge Certificates
Automatic HTTPS Rewrites: On	SSL/TLS > Edge Certificates

HSTS (HTTP Strict Transport Security)

Free

What it does: Tells browsers to always use HTTPS for your domain, even if the user types http://. Prevents SSL stripping attacks and ensures secure connections. Can be submitted to the browser HSTS preload list for protection on first visit.

Pages relevance: Essential for all production sites. Configure via the _headers file or the Cloudflare Dashboard.

_headers File

/*
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload

Dashboard

Go to SSL/TLS > Edge Certificates > HTTP Strict Transport Security (HSTS) > Enable with max-age of 12 months, include subdomains, and preload.

Security Headers

Free

What it does: HTTP security headers protect against clickjacking, MIME sniffing, XSS, and other browser-based attacks. Cloudflare Pages supports headers via the _headers file deployed with your site.

Pages relevance: The _headers file is the primary way to configure security headers on Pages. No server configuration needed.

public/_headers

/*
  X-Frame-Options: SAMEORIGIN
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; font-src 'self'

Verify: Test your headers at securityheaders.com — target grade A or A+.

Rate Limiting

Free (1 rule) / Pro (basic) / Business (advanced)

What it does: Limits the number of requests a single IP can make to your site within a time window. Protects API endpoints and form handlers from abuse.

Pages relevance: Important if you have Pages Functions handling form submissions. Prevents a single user or bot from flooding your form endpoint.

Dashboard

Go to Security > WAF > Rate Limiting Rules > Create rule.

Example: Limit /api/submit-form to 5 requests per 10 seconds per IP.

Turnstile

Free

What it does: A free, privacy-preserving CAPTCHA alternative that verifies visitors are human without showing them a puzzle. Uses non-intrusive challenges (proof-of-work, device attestation) that run in the background. No user interaction required in most cases.

Pages relevance: Perfect for protecting contact forms, booking forms, and any user input on Pages sites. Replaces reCAPTCHA, hCaptcha, and WordPress anti-spam plugins like CleanTalk.

Setup

1. Go to Cloudflare Dashboard > Turnstile > Add Site

2. Choose widget type: Managed (recommended), Non-interactive, or Invisible

3. Copy the Site Key and Secret Key

4. Add the widget to your form:

   <script src="https://challenges.cloudflare.com/turnstile/v0/api.js" async defer></script>
   
   <form action="/api/submit-form" method="POST">
     <!-- Form fields... -->
     <div class="cf-turnstile" data-sitekey="YOUR_SITE_KEY"></div>
     <button type="submit">Submit</button>
   </form>

5. Validate the token server-side in your Pages Function:

   functions/api/submit-form.js

   export async function onRequestPost(context) {
     const formData = await context.request.formData();
     const token = formData.get('cf-turnstile-response');
   
     const verification = await fetch(
       'https://challenges.cloudflare.com/turnstile/v0/siteverify',
       {
         method: 'POST',
         headers: { 'Content-Type': 'application/json' },
         body: JSON.stringify({
           secret: context.env.TURNSTILE_SECRET_KEY,
           response: token,
         }),
       }
     );
   
     const result = await verification.json();
     if (!result.success) {
       return new Response('Bot detected', { status: 403 });
     }
   
     // Process form submission...
   }

Cloudflare Access (Zero Trust)

Free (up to 50 users)

What it does: Adds identity-based access control in front of any URL. Visitors must authenticate (via email OTP, Google, GitHub, SAML, etc.) before reaching the page. Part of Cloudflare’s Zero Trust platform.

Pages relevance: Ideal for protecting staging/preview environments, admin areas, or internal pages. Put Cloudflare Access in front of staging.yoursite.com so only your team can view preview deployments.

Setup

1. Go to Cloudflare Zero Trust Dashboard (one.dash.cloudflare.com)
2. Navigate to Access > Applications > Add an Application
3. Select Self-hosted
4. Configure:
   • Application URL: staging.yoursite.com or *.yoursite.pages.dev
   • Authentication method: One-time PIN (email), Google, GitHub, etc.
   • Policy: Allow emails ending in @yourcompany.com

Pricing: Free for up to 50 users. Beyond that, Cloudflare Zero Trust plans start at $7/user/month.

Security Features Summary

DDoS Protection

Unlimited, unmetered, always-on protection against L3/L4/L7 attacks.

Free

WAF

Managed rulesets, OWASP rules, custom firewall rules.

Free (basic)

Bot Management

Bot Fight Mode with JS challenges. Block malicious bots automatically.

Free

SSL/TLS

Free auto-managed certificates, TLS 1.3, Full (Strict) mode.

Free

HSTS

Force HTTPS. Preload list eligible. Prevent SSL stripping.

Free

Security Headers

Full control via _headers file. CSP, X-Frame-Options, and more.

Free

Rate Limiting

Protect form endpoints and APIs from abuse.

Free (1 rule)

Turnstile

Free CAPTCHA alternative. Privacy-preserving, non-intrusive.

Free

Cloudflare Access

Zero Trust access control for staging/preview. Up to 50 users free.

Free (50 users)

---

DNS and Domains

DNS Management

Free

What it does: Cloudflare operates the fastest authoritative DNS in the world (~11ms average response time). Supports DNSSEC, wildcard records, CNAME flattening at the apex, and an API for programmatic management. Unlimited DNS queries at no cost.

Pages relevance: Required for full Cloudflare integration (CDN, WAF, security features). When your domain’s nameservers point to Cloudflare, all proxied traffic flows through the Cloudflare network.

Setup: Add your domain at the Cloudflare Dashboard. Update nameservers at your registrar. See the Deployment guide for step-by-step instructions.

Feature	Details
Response time	~11ms average (fastest globally)
DNSSEC	Free, one-click enable
Records	Unlimited
API management	Full CRUD via REST API
CNAME flattening	Supported at apex (root domain)
Wildcard DNS	Supported

Email Routing

Free

What it does: Free email forwarding for your custom domain. Route info@yourdomain.com to your Gmail, Outlook, or any email inbox. Supports catch-all addresses, multiple routing rules, and custom addresses. No mailbox hosting required.

Pages relevance: Essential for sites using a custom domain. Create professional email addresses that forward to your existing inbox without paying for email hosting.

Dashboard

1. Go to your domain > Email > Email Routing

2. Click Get Started and verify the destination email

3. Add routing rules:

   Custom Address	Forwards To
   info@yourdomain.com	your-gmail@gmail.com
   contact@yourdomain.com	your-gmail@gmail.com
   * (catch-all)	your-gmail@gmail.com

4. Cloudflare adds the required MX and TXT records automatically

Domain Registration

Free (at-cost pricing)

What it does: Register and transfer domains directly through Cloudflare at wholesale (at-cost) pricing with no markup. Includes free WHOIS privacy, automatic DNSSEC, and no renewal price increases.

Pages relevance: Simplifies management by keeping DNS, hosting, and registration in one place. At-cost pricing means you pay only the registry fee (typically $9-12/year for .com).

Feature	Cloudflare Registrar	Typical Registrar
.com annual price	~$10.11	$12-20
WHOIS privacy	Free	$0-12/year
Auto-renewal	Yes	Yes
Price increases	Never (at-cost)	Common
DNSSEC	Free, automatic	Often extra

Setup: Go to Domain Registration in the Cloudflare Dashboard. Transfer existing domains or register new ones.

DNS and Domains Summary

DNS Management

Fastest authoritative DNS (~11ms). DNSSEC, unlimited queries, full API.

Free

Email Routing

Free email forwarding. Route custom addresses to any inbox.

Free

Domain Registration

At-cost pricing, free WHOIS privacy, no renewal markups.

Free (at-cost)

---

Developer Platform

Cloudflare Pages is the hosting layer, but the broader Developer Platform extends your site with serverless compute, storage, databases, queues, and AI capabilities — all running at the edge.

Pages

Free

What it does: Static site hosting with Git integration, preview deployments, and instant rollbacks. Unlimited sites, unlimited bandwidth, and 500 builds/month on the free tier. Deploy via Wrangler CLI, Git push, or Dashboard upload.

Pages relevance: This is the core product. Everything else in this guide extends it.

Feature	Free	Workers Paid ($5/mo per account)
Sites	Unlimited	Unlimited
Bandwidth	Unlimited	Unlimited
Builds/month	500 (per account)	5,000 (per account)
Concurrent builds	1	5
Max file size	25 MB	25 MB
Max files/project	20,000	100,000
Preview deployments	Unlimited	Unlimited
Custom domains	Unlimited	Unlimited
Function requests	100,000/day	10M/day

Note

Workers Paid is per account, not per site. One $5/month subscription covers all Pages projects on your account. At 300 sites, that is $0.02/site/month. The free tier’s 500 builds/month is also per account — at scale, Workers Paid is effectively required.

Workers

Free (100,000 requests/day free)

What it does: Serverless JavaScript/TypeScript functions that execute at the edge (not in a central data center). Sub-millisecond cold starts, no containers to manage. Runs in every one of Cloudflare’s 300+ data centers.

Pages relevance: Workers power the backend logic for Pages sites — form processing, API proxying, authentication, A/B testing, redirects, and more. Workers can also be standalone services that your Pages site calls.

// Example: A/B test middleware as a Worker
export default {
  async fetch(request) {
    const url = new URL(request.url);

    // 50/50 split for homepage
    if (url.pathname === '/') {
      const variant = Math.random() < 0.5 ? '/a' : '/b';
      return fetch(new URL(variant, url.origin));
    }

    return fetch(request);
  }
};

Feature	Free	Workers Paid ($5/mo per account)
Requests/day	100,000	10M included, then $0.50/M
CPU time	10ms/request	30ms/request (50ms burst)
Script size	1 MB	10 MB

Pages Functions

Free

What it does: File-based routing for serverless functions, built on Workers. Place JavaScript/TypeScript files in a functions/ directory and they become API endpoints automatically. No separate deployment — Functions deploy with your Pages project.

Pages relevance: The primary way to add server-side logic to a Pages site. Form handling, API endpoints, redirects, and middleware.

functions/
├── api/
│   ├── submit-form.js      → POST /api/submit-form
│   ├── contact.js           → GET/POST /api/contact
│   └── newsletter.js        → POST /api/newsletter
├── _middleware.js            → Runs on every request
└── admin/
    └── _middleware.js        → Runs on /admin/* requests

functions/api/submit-form.js

export async function onRequestPost(context) {
  const { request, env } = context;
  const data = await request.json();

  // Process form submission
  // Send email via MailChannels, SendGrid, etc.

  return new Response(JSON.stringify({ success: true }), {
    headers: { 'Content-Type': 'application/json' }
  });
}

KV (Key-Value Storage)

Free (limited) / Included with Workers Paid ($5/mo per account)

What it does: A globally distributed key-value store accessible from Workers and Pages Functions. Eventually consistent with low-latency reads from every edge location. Ideal for configuration data, feature flags, counters, and cached API responses.

Pages relevance: Store form submission counters, feature flags, site configuration, or cached data that your Pages Functions need.

functions/api/submit-form.js

export async function onRequestPost(context) {
  const { env } = context;

  // Increment form submission counter
  const count = parseInt(await env.FORM_KV.get('submission_count') || '0');
  await env.FORM_KV.put('submission_count', String(count + 1));

  // Store submission data
  const id = crypto.randomUUID();
  await env.FORM_KV.put(`submission:${id}`, JSON.stringify(data), {
    expirationTtl: 86400 * 90 // 90 days
  });

  return new Response(JSON.stringify({ success: true, id }));
}

Feature	Free	Paid ($5/mo)
Read operations/day	100,000	10M included
Write operations/day	1,000	1M included
Storage	1 GB	1 GB included
Max value size	25 MB	25 MB

D1 (Serverless SQL Database)

Free (limited) / Included with Workers Paid ($5/mo per account)

What it does: A serverless SQLite-compatible database that runs at the edge. Supports full SQL queries, transactions, and joins. Data is automatically replicated for read performance.

Pages relevance: When key-value storage is not enough — contact form submissions with structured queries, user preferences, content management, analytics aggregation.

functions/api/submissions.js

export async function onRequestGet(context) {
  const { env } = context;

  const results = await env.DB.prepare(
    'SELECT * FROM submissions ORDER BY created_at DESC LIMIT 50'
  ).all();

  return new Response(JSON.stringify(results), {
    headers: { 'Content-Type': 'application/json' }
  });
}

Feature	Free	Paid ($5/mo)
Rows read/day	5M	25B included
Rows written/day	100,000	50M included
Storage	5 GB	5 GB included
Databases	50	50,000

R2 (Object Storage)

Free (10 GB free) / Pay-per-use beyond

What it does: S3-compatible object storage with zero egress fees. Store files, images, videos, backups, and large assets. Access via Workers/Functions, S3 API, or public bucket URL. No data transfer charges for reads.

Pages relevance: Store large media files (videos, high-res images, PDFs) that exceed Pages’ 25 MB file size limit. Serve them via a custom domain or Workers.

Feature	Free	Pay-per-use
Storage	10 GB	$0.015/GB/month
Class A ops (writes)	1M/month	$4.50/M
Class B ops (reads)	10M/month	$0.36/M
Egress	Free	Free

Zero Egress Fees

R2’s zero egress pricing is a major differentiator. AWS S3 charges $0.09/GB for data transfer. For a site serving 100 GB/month of images and PDFs, that is $9/month on S3 vs $0 on R2.

Durable Objects

Add-on ($5/mo base)

What it does: Stateful serverless computing with strong consistency guarantees. Each Durable Object is a single-threaded JavaScript instance with its own persistent storage, accessible from any edge location. Ideal for coordination, WebSockets, real-time collaboration, and rate limiting.

Pages relevance: Advanced use case. Useful for real-time features like live chat, collaborative editing, or WebSocket connections on Pages sites. Most static sites do not need this.

Use Case	Example
WebSockets	Live chat widget on your site
Coordination	Distributed rate limiting
Sessions	User session management
Real-time	Collaborative document editing

Queues

Free (limited) / Add-on ($5/mo for higher limits)

What it does: Message queues for asynchronous processing. A Pages Function can enqueue a message (e.g., “send this email”) and a Worker consumer processes it later. Guarantees at-least-once delivery with configurable retries.

Pages relevance: Decouple form submissions from email sending. The user gets an instant response while email delivery happens asynchronously. Handles spikes in form submissions without timeouts.

// functions/api/submit-form.js - Producer
export async function onRequestPost(context) {
  const data = await context.request.json();

  // Queue the email for async processing
  await context.env.EMAIL_QUEUE.send({
    to: 'info@mypractice.com',
    subject: `New form: ${data.name}`,
    body: JSON.stringify(data),
  });

  // Instant response to user
  return new Response(JSON.stringify({ success: true }));
}

Feature	Free	Paid ($5/mo)
Messages/month	1M	10M included
Operations	1M/month	Included
Max message size	128 KB	128 KB
Max batch size	100 messages	100 messages

Vectorize

Add-on ($5/mo base)

What it does: A vector database optimized for AI/ML applications. Store and query vector embeddings for semantic search, recommendations, and RAG (Retrieval Augmented Generation) pipelines.

Pages relevance: Advanced use case. Power a “smart search” feature on your site that understands meaning rather than just keywords. Combine with Workers AI for a fully edge-native AI search.

Feature	Details
Dimensions	Up to 1536
Indexes	100 per account
Vectors per index	5M
Metadata filtering	Supported

AI Gateway

Free (limited) / Pay-per-use beyond

What it does: A proxy layer for AI API calls (OpenAI, Anthropic, Google, etc.) that adds caching, rate limiting, logging, and fallback providers. Reduces AI API costs by caching identical requests and provides observability into AI usage.

Pages relevance: If your Pages site or Functions call AI APIs (chatbots, content generation, search), AI Gateway adds cost control and reliability without code changes.

Feature	Details
Caching	Cache identical prompts to reduce API costs
Rate limiting	Control spend per user/endpoint
Logging	Full request/response logging
Fallbacks	Automatic failover between providers
Supported providers	OpenAI, Anthropic, Google AI, Azure, HuggingFace, and more

Workers AI

Free (limited) / Pay-per-use beyond

What it does: Run open-source AI models directly on Cloudflare’s network. Supports text generation, text-to-image, embeddings, translation, summarization, speech-to-text, and image classification. No GPU provisioning, no external API keys needed.

Pages relevance: Add AI features to your Pages site without third-party API costs. Generate page summaries, power a chatbot, create embeddings for search, or classify images — all running on Cloudflare’s edge.

Model Category	Example Models
Text generation	Llama 3, Mistral, Gemma
Embeddings	bge-base, bge-large
Image generation	Stable Diffusion
Speech-to-text	Whisper
Translation	m2m100

functions/api/chat.js

export async function onRequestPost(context) {
  const { prompt } = await context.request.json();

  const response = await context.env.AI.run('@cf/meta/llama-3.1-8b-instruct', {
    messages: [
      { role: 'system', content: 'You are a helpful medical practice assistant.' },
      { role: 'user', content: prompt }
    ]
  });

  return new Response(JSON.stringify(response));
}

Developer Platform Summary

Pages

Static hosting, unlimited bandwidth, 500 builds/month, preview deploys.

Free

Workers

Edge serverless functions. 100K requests/day free.

Free

Pages Functions

File-based routing for API endpoints. Deploys with your site.

Free

KV Storage

Global key-value store. Config, counters, cached data.

Free (limited)

D1 Database

Serverless SQLite. Full SQL queries at the edge.

Free (limited)

R2 Object Storage

S3-compatible, zero egress fees. 10 GB free.

Free (10 GB)

Durable Objects

Stateful serverless. WebSockets, coordination, real-time.

Add-on ($5/mo)

Queues

Message queues for async processing. At-least-once delivery.

Free (limited)

Vectorize

Vector database for AI/ML. Semantic search, RAG.

Add-on ($5/mo)

AI Gateway

Proxy for AI APIs with caching, rate limiting, fallbacks.

Free (limited)

Workers AI

Run AI models on Cloudflare. Text, image, speech, embeddings.

Free (limited)

---

Analytics and Monitoring

Web Analytics

Free

What it does: Privacy-first analytics that track page views, visitors, referrers, and Core Web Vitals without cookies, without JavaScript tracking scripts (optional), and without collecting PII. Compliant with GDPR, CCPA, and PECR without cookie consent banners.

Pages relevance: Drop-in replacement for Google Analytics for basic traffic metrics. No cookie banner needed. Can run entirely from Cloudflare’s edge (no client-side JS required if using the HTTP-based mode).

JavaScript Beacon (Recommended)

Add the script tag to your site. Cloudflare provides the snippet:

<!-- Cloudflare Web Analytics -->
<script defer src='https://static.cloudflareinsights.com/beacon.min.js'
  data-cf-beacon='{"token": "YOUR_TOKEN"}'></script>

Automatic (DNS Proxied)

If your domain is proxied through Cloudflare (orange cloud), basic analytics are collected automatically at the network level. No JavaScript needed.

Go to Analytics & Logs > Web Analytics to view.

Feature	Cloudflare Web Analytics	Google Analytics
Price	Free	Free
Cookies	None	Multiple
Cookie banner needed	No	Yes (EU/UK)
PII collection	None	IP address, user ID
Client-side JS	Optional	Required
Core Web Vitals	Yes	Yes
Real-time	Yes	Yes
Custom events	No	Yes
Conversion tracking	No	Yes

Note

Cloudflare Web Analytics is excellent for traffic metrics and Core Web Vitals monitoring, but does not replace Google Analytics for conversion tracking, event tracking, or marketing attribution. Many sites use both.

Real User Monitoring (RUM)

Free

What it does: Collects Core Web Vitals (LCP, INP, CLS) from real visitors’ browsers and reports them in the Cloudflare Dashboard. Provides the same field data that Google uses for search rankings, directly from your own analytics.

Pages relevance: Monitor your Core Web Vitals scores from real users, not just lab tests. Detect performance regressions before they affect search rankings.

Setup: Included automatically with Cloudflare Web Analytics. View at Analytics & Logs > Web Analytics > Core Web Vitals tab.

Logs

Enterprise (full Logpush) / Free (basic Dashboard analytics)

What it does: Enterprise Logpush delivers raw request logs to external destinations (S3, R2, Splunk, Datadog, BigQuery) in real time. Free-tier users get aggregated analytics in the Dashboard.

Pages relevance: Basic Dashboard analytics are sufficient for most Pages sites. Enterprise Logpush is useful for compliance, detailed debugging, or feeding data into existing analytics pipelines.

Tier	Log Access
Free	Dashboard analytics (aggregated, 72 hours)
Pro	Dashboard analytics (aggregated, 72 hours)
Business	Dashboard analytics (aggregated, 72 hours)
Enterprise	Logpush to external destinations (real-time, raw logs)

Analytics Summary

Web Analytics

Privacy-first traffic metrics. No cookies, no PII, no consent banners.

Free

Real User Monitoring

Core Web Vitals from real visitors. LCP, INP, CLS field data.

Free

Logs

Dashboard analytics (free) or Logpush to external destinations (Enterprise).

Enterprise (Logpush)

---

Caching

Cloudflare’s caching features work on top of the CDN. For Pages, your static files are already edge-cached by default. These features give you fine-grained control over caching behavior.

Cache Rules

Free (10 rules) / Pro (25 rules) / Business (50 rules)

What it does: Define caching behavior based on URL patterns, file extensions, headers, or other request attributes. Set custom TTLs, bypass cache for specific paths, or force caching for paths that Cloudflare would not cache by default.

Pages relevance: Fine-tune caching for your Pages site. For example, cache HTML pages longer, bypass cache for API endpoints, or set different TTLs for different asset types.

Dashboard

Go to Caching > Cache Rules > Create Rule.

Example rules:

Rule	Match	Action
Cache HTML longer	URI path ends with .html	Cache TTL: 1 day
Bypass API cache	URI path starts with /api/	Bypass cache
Cache images aggressively	File extension in jpg,png,webp,avif	Cache TTL: 1 year, edge TTL: 1 month

Tip

For Pages, the _headers file Cache-Control directives handle most caching needs. Use Cache Rules for edge-level overrides that you cannot control with response headers alone.

Page Rules

Free (3 rules) / Pro (20 rules)

What it does: URL-pattern based settings that can modify caching, security, and performance behavior per URL. Cloudflare is migrating Page Rules functionality to the newer Rules system (Cache Rules, Redirect Rules, Configuration Rules).

Pages relevance: Being deprecated in favor of the newer Rules system. For new setups, use Cache Rules and Redirect Rules instead. Existing Page Rules continue to work.

Page Rules Deprecation

Cloudflare is phasing out Page Rules. For new projects, use:

• Cache Rules for caching behavior
• Redirect Rules for URL redirects
• Configuration Rules for per-URL settings

Existing Page Rules will continue to work but are no longer recommended for new configurations.

Cache Reserve

Add-on ($5/month + $0.015/GB)

What it does: Extends Cloudflare’s edge cache by backing it with R2 storage. Content that would normally be evicted from the edge cache (due to low traffic) stays cached indefinitely. Eliminates cache misses for long-tail content.

Pages relevance: Beneficial for large sites with thousands of pages where some pages receive infrequent traffic. Ensures every page loads fast, even rarely visited ones.

Setup: Go to Caching > Cache Reserve > Enable.

Tiered Caching

Free

What it does: Organizes Cloudflare’s data centers into tiers. Instead of every edge location fetching from the origin on a cache miss, lower-tier locations check upper-tier (regional) caches first. Reduces origin load and improves cache hit rates.

Pages relevance: Automatically enabled for Pages. Improves cache hit rates for global audiences by reducing redundant fetches.

Setup: Enabled by default. Configure at Caching > Tiered Cache for custom topology.

Caching Summary

Cache Rules

Fine-grained caching control by URL, extension, or headers.

Free (10 rules)

Page Rules

Legacy URL-pattern settings. Being replaced by Cache/Redirect Rules.

Free (3 rules)

Cache Reserve

Persistent edge cache backed by R2. Eliminates cache misses.

Add-on ($5/mo)

Tiered Caching

Regional cache hierarchy. Reduces origin fetches, improves hit rates.

Free

---

Compliance and Privacy

GDPR Compliance

Free

What it does: Cloudflare offers a Data Processing Addendum (DPA) that covers GDPR requirements. Cloudflare acts as a data processor and provides contractual guarantees about data handling, security measures, and sub-processor management.

Pages relevance: Important for sites serving EU visitors. Cloudflare’s DPA is available at no cost and covers all plans including Free.

Setup: Sign the DPA at the Cloudflare Dashboard under Account > Configurations > Legal > Data Processing Addendum, or download it from cloudflare.com/cloudflare-customer-dpa.

Privacy-First Analytics

Free

What it does: Cloudflare Web Analytics collects no PII, sets no cookies, and requires no consent banners. Traffic data is aggregated and cannot be used to identify individual visitors.

Pages relevance: Eliminates the need for cookie consent banners if Cloudflare Web Analytics is your only analytics tool. If you also use Google Analytics, you still need consent management for GA’s cookies.

Requirement	Cloudflare Web Analytics	Google Analytics
Cookie consent banner	Not needed	Required (EU/UK)
GDPR compliant by default	Yes	Requires configuration
Data Processing Addendum	Available (free)	Available
PII collection	None	IP address by default
Data retention controls	Automatic (aggregated)	Configurable

Data Localization

Enterprise (Data Localization Suite)

What it does: Control where Cloudflare processes and stores your data. Restrict log data, cache, and TLS termination to specific regions (EU, US, etc.). Required for some regulatory frameworks.

Pages relevance: Only needed for Enterprise customers with strict data residency requirements. Free, Pro, and Business plans process data across Cloudflare’s global network.

Feature	Availability
Geo Key Manager (TLS private keys)	Enterprise
Regional Services (request processing)	Enterprise
Customer Metadata Boundary	Enterprise
Logpush to specific regions	Enterprise

Compliance Summary

GDPR Compliance

Free Data Processing Addendum. Contractual data handling guarantees.

Free

Privacy-First Analytics

No cookies, no PII. No consent banners needed for CF analytics.

Free

Data Localization

Regional data processing and storage controls.

Enterprise

---

Platform Limits

Understanding Cloudflare Pages’ hard limits is critical for planning a portfolio-scale deployment. These are non-negotiable platform constraints.

Hard Limits

Limit	Free Plan	Workers Paid ($5/mo)	Impact
Files per deployment	20,000	100,000	Image-heavy WordPress sites with large media libraries may hit this
Single file size	25 MB	25 MB	Large PDFs, videos won’t deploy — use R2 storage instead
Builds per month	500 (per account)	5,000 (per account)	At 300 sites, free tier allows ~1.6 builds/site/month
Build timeout	20 minutes	20 minutes	Complex Astro builds with many pages may need optimization
Projects per account	100 (soft limit)	100 (soft limit)	300 sites needs multiple accounts or enterprise limit increase
Custom domains per project	100	250-500	Fine for most sites
Redirect rules	2,000 static + 100 dynamic	Same	WordPress sites with long redirect histories may hit this
_headers rules	100 max	100 max	Fine for most sites

Planning for 300+ Sites

Build limits are per account, not per project. At 300 sites on the free tier, you get ~1.6 builds per site per month. The Workers Paid plan ($5/month) gives you 5,000 builds — roughly 16 builds per site per month, which is comfortable for most workflows.

The 100-project soft limit means a 300-site portfolio will eventually need either multiple Cloudflare accounts or an enterprise limit increase. Plan for this once you approach 100 sites.

File count limits matter for WordPress migrations. A WordPress site with 500+ blog posts and thousands of images could exceed 20,000 files on the free tier. Use R2 for large media libraries or upgrade to Workers Paid (100,000 files).

Mitigation Strategies

Limit	Mitigation
Files per deployment	Use R2 storage for large media; optimize images at build time to reduce count
Builds per month	Batch content updates; use Workers Paid ($5/mo) for 5,000 builds
Projects per account	Plan for multiple accounts at ~100 sites; request limit increase
Build timeout	Optimize build scripts; use incremental content strategies
Redirect rules	Consolidate redirects; use regex patterns where possible

---

Quick Reference: Features by Plan

Free Plan (All Pages Projects)

Everything you need for production static sites:

Category	Features Included
Hosting	Unlimited sites, unlimited bandwidth, 500 builds/month (upgrade to 5,000 with Workers Paid at $5/mo per account), preview deployments
Performance	Global CDN (300+), Auto Minify, Brotli, HTTP/2 & HTTP/3, Early Hints, Rocket Loader, Speed Brain
Security	DDoS (unlimited), basic WAF, Bot Fight Mode, free SSL/TLS, HSTS, Turnstile, Access (50 users)
DNS	Fastest authoritative DNS, DNSSEC, Email Routing, at-cost domain registration
Developer	Workers (100K req/day), Pages Functions, KV, D1, R2 (10 GB), Queues, Workers AI
Analytics	Web Analytics, Real User Monitoring (Core Web Vitals)
Caching	Cache Rules (10), Page Rules (3), Tiered Caching
Compliance	GDPR DPA, privacy-first analytics

Workers Paid Plan ($5/month per account) — Recommended

Everything in Free, plus:

Feature	Value
Builds per month	5,000 (vs 500 free)
Concurrent builds	5 (vs 1 free)
Files per deployment	100,000 (vs 20,000 free)
Function requests/day	10M (vs 100K free)
CPU time per request	30ms (vs 10ms free)
Script size	10 MB (vs 1 MB free)
KV reads/day	10M (vs 100K free)
D1 rows read/day	25B (vs 5M free)

Tip

This is the plan most portfolios should use. At $5/month for the entire account (not per site), it removes the free tier’s most impactful limitations: build count, file count, and function request limits.

Pro Plan ($20/month per domain/zone)

Everything in Workers Paid, plus:

Feature	Value
Image Optimization (Polish & Mirage)	Edge WebP/AVIF conversion, responsive loading
WAF Managed Rulesets	OWASP, Cloudflare Managed Rules
Cache Rules	25 rules (vs 10 free)
Page Rules	20 rules (vs 3 free)
Enhanced analytics	Longer retention, more granular data
Priority support	Email support with faster response

Business Plan ($200/month per zone)

Everything in Pro, plus:

Feature	Value
Advanced WAF	100 custom rules, response header modification
Advanced Rate Limiting	Complex rate limiting rules
Cache Rules	50 rules
Custom error pages	Branded error pages
100% uptime SLA	Guaranteed availability

Enterprise (Custom pricing)

Everything in Business, plus:

Feature	Value
Full Bot Management	ML-based bot detection
Logpush	Real-time raw logs to external destinations
Data Localization Suite	Regional data processing
Dedicated support	Named account team
Custom contracts	SLAs, terms, volume pricing

---

Recommended Setup for Pages Sites

The Free-Tier Checklist

Enable these features on day one for every new Pages project. All free, all low-risk, all meaningful improvements.

1. DNS: Move nameservers to Cloudflare (full integration)
2. SSL: Set mode to Full (Strict), enable Always Use HTTPS
3. Performance: Enable Auto Minify (HTML, CSS, JS), Brotli, HTTP/3, Early Hints, Speed Brain
4. Security: Enable Bot Fight Mode, add _headers file with security headers
5. Analytics: Enable Cloudflare Web Analytics (privacy-first)
6. HSTS: Add Strict-Transport-Security header via _headers file
7. Email: Set up Email Routing for custom domain email addresses
8. Access: Put staging/preview behind Cloudflare Access (if team > 1)

Skip these unless needed:

• Rocket Loader — Test first. Can break interactive elements.
• Polish/Mirage — Pro plan. Use build-time optimization instead on free tier.
• Argo — Paid add-on. Minimal benefit for fully cached static sites.
• Cache Reserve — Paid add-on. Only for large sites with thousands of pages.
• D1/KV/R2 — Only if your site has server-side logic (forms, APIs).

---

Further Reading

Resource	URL
Cloudflare Pages Docs	developers.cloudflare.com/pages
Workers Docs	developers.cloudflare.com/workers
R2 Docs	developers.cloudflare.com/r2
D1 Docs	developers.cloudflare.com/d1
Turnstile Docs	developers.cloudflare.com/turnstile
Web Analytics Docs	developers.cloudflare.com/analytics
Cloudflare Plans Comparison	cloudflare.com/plans
Workers AI Models	developers.cloudflare.com/workers-ai/models
Cloudflare Status	cloudflarestatus.com