CDN Delivery Checklist

Use this checklist when you set up Cloudflare (or when performance changes after a DNS/cache/security tweak).

DNS and Proxy

Domain uses Cloudflare nameservers
Primary A/AAAA record is proxied (orange cloud)
Mail records are DNS-only (as appropriate)
DNSSEC enabled (if you can operate it)

SSL/TLS

SSL mode: Full (Strict)
Minimum TLS: 1.2
TLS 1.3 enabled
No redirect loops (Always Use HTTPS + origin redirects aligned)

Caching

Static assets cached at edge and in browser (long TTL when versioned)
HTML caching configured intentionally (APO or cache rules)
Bypass rules in place for:
- /wp-admin*, /wp-login.php*
- /cart*, /checkout*, /my-account*
- logged-in cookies (example: wordpress_logged_in_)

Performance Features

Brotli enabled
Early Hints tested (optional)
HTTP/2 enabled
HTTP/3 enabled (test compatibility)

Security (Performance-Protecting)

Managed WAF rules enabled
/xmlrpc.php blocked if unused
Login endpoint protected (rate limit / challenge)

Verification Commands

cloudflare-headers-and-timing.sh
# CDN header signals
curl -I https://example.com/ | grep -iE 'cf-cache-status|cf-ray|server'

# Static asset caching/compression
curl -I -H "Accept-Encoding: br" https://example.com/style.css | grep -iE 'cache-control|content-encoding|cf-cache-status'

# Checkout should bypass
curl -I https://example.com/checkout/ | grep -i cf-cache-status

# Timing breakdown
curl -w "DNS: %{time_namelookup}s\nTLS: %{time_appconnect}s\nTTFB: %{time_starttransfer}s\nTotal: %{time_total}s\n" -o /dev/null -s https://example.com

What's Next

DNS and Proxy
SSL/TLS
Caching
Performance Features
Security (Performance-Protecting)
Verification Commands
What's Next

DNS and Proxy​

SSL/TLS​

Caching​

Performance Features​

Security (Performance-Protecting)​

Verification Commands​

What's Next​

DNS and Proxy

SSL/TLS

Caching

Performance Features

Security (Performance-Protecting)

Verification Commands

What's Next