Before changing DNS
- Export the current DNS records from the registrar before importing them into Cloudflare.
- Confirm Microsoft 365 MX, SPF, DKIM, and DMARC records are present after import.
- Confirm Resend SPF/DKIM records are present after import.
- Keep email-related records DNS-only. Do not proxy MX, SPF, DKIM, DMARC, or verification records.
- Lower DNS TTL before a planned migration if your registrar supports it.
Proxy and cache rules
- Proxy only the public website hostnames after DNS import is verified.
- Do not cache `/api/*`, `/app`, `/admin`, `/settings`, `/cms`, `/integrations`, `/workflows`, `/clients`, `/mfa`, `/billing/*`, `/verify-email`, `/reset-password`, or `/accept-invite`.
- Do not cache `/api/webhooks/capture` or any customer-owned bridge URL.
- Cache static assets conservatively first, then tune after smoke tests and analytics confirm stability.
- Keep the origin health URL `https://instachime.com/api/health/ready` uncached.
WAF and rate limiting
- Start new WAF and rate-limit rules in log mode where the plan supports it.
- Rate-limit obvious abuse against signup, login, forgot-password, contact, CMS/admin login, and public form endpoints.
- Avoid aggressive blocking on lead-source webhook endpoints until every vendor and bridge has been tested through Cloudflare.
- Allow known provider IP ranges only when the vendor publishes stable ranges and you are ready to maintain them.
- Review Cloudflare events before changing a rule from log/challenge to block.
Smoke test after enabling Cloudflare
- Open the homepage, pricing, help, compare, contact, signup, login, admin, CMS, and settings pages.
- Submit the contact form and confirm the email arrives.
- Create a test lead and confirm the dashboard, alert history, and delivery history update.
- Run the health check at `/api/health/ready`.
- Send one source webhook and one outgoing CRM webhook test before enabling stricter WAF rules.
Official references
These vendor-owned pages explain the controls and requirements referenced in this guide.
- Cloudflare rate limiting best practicesOfficial documentation used to verify this setup path and its current vendor requirements.
- Cloudflare cache rulesOfficial documentation used to verify this setup path and its current vendor requirements.
- Cloudflare WAF custom rulesOfficial documentation used to verify this setup path and its current vendor requirements.