Setting up Cloudflare for your Indian website: what to turn on and what to leave off
10 min read · 05-Oct-2024
villagehosting.in team
Cloudflare has dozens of toggles. Most people enable everything and then wonder why their forms stop working, their admin is locked out, or their checkout breaks. Here is what to turn on, what to skip, and why — specifically for Indian websites.
Rocket Loader breaks Indian payment gateways
Cloudflare's Rocket Loader feature asynchronously delays JavaScript execution. This breaks Razorpay, PayU, and CCAvenue checkout scripts which depend on synchronous loading order. Always leave Rocket Loader OFF if you process payments. This is the single most common Cloudflare-related support issue for Indian e-commerce sites.
Why use Cloudflare?
Cloudflare sits between your website visitors and your hosting server. Benefits:
- CDN: Static files (images, CSS, JS) are cached at Cloudflare's PoPs, including Mumbai. Indian visitors load those files from Mumbai instead of your origin server.
- DDoS protection: Absorbs volumetric attacks before they reach your server.
- Free SSL: Cloudflare provides SSL between visitors and Cloudflare. You still need an origin certificate on your server.
- Speed: Smaller JS/CSS via Cloudflare's minification, Brotli compression, and HTTP/3.
The free plan covers most Indian websites. Pro (₹1,500/mo) adds the WAF.
Step 1: Add your site to Cloudflare
- Create an account at cloudflare.com
- Add your site → enter domain name
- Select the Free plan
- Cloudflare scans your existing DNS records — verify they're imported correctly
- Change your nameservers at your domain registrar to the two Cloudflare nameservers shown
- Wait 24–48 hours for nameserver propagation
Common Indian registrars: GoDaddy India, BigRock, Namecheap. In each, look for "Nameservers" or "DNS Management" and change from your hosting provider's nameservers to Cloudflare's.
Step 2: Verify DNS records
After the nameserver switch, verify that Cloudflare has the correct records:
| Type | Name | Value |
|---|---|---|
| A | @ | Your server IP |
| A | www | Your server IP |
| MX | @ | Your mail server |
| TXT | @ | SPF record |
The orange cloud icon = proxied through Cloudflare (CDN + DDoS protection). The grey cloud icon = DNS-only, bypasses Cloudflare.
Keep grey (DNS-only):
- Mail records (MX, mail subdomain)
- FTP subdomain
- cPanel subdomain (cpanel.yourdomain.in) — Cloudflare proxy breaks cPanel access
- Database access subdomains
Keep orange (proxied):
- Main domain (@ and www)
- API subdomain (if you want protection)
- Any public-facing subdomain
Step 3: SSL/TLS mode
Go to SSL/TLS → Overview.
Full (Strict) is the only safe SSL mode
Cloudflare's 'Flexible' SSL mode sends traffic from Cloudflare to your origin server unencrypted. This means your login credentials and user data travel in plaintext between Cloudflare and your hosting server. Always use Full (Strict) — it requires a valid SSL certificate on your origin, which is free via Let's Encrypt.
Set to: Full (Strict)
| Mode | Meaning | Use when |
|---|---|---|
| Off | No SSL | Never |
| Flexible | Cloudflare→visitor SSL only; Cloudflare→server plain HTTP | Only if no origin SSL (not recommended) |
| Full | SSL everywhere, but origin cert not verified | You have a self-signed cert on the server |
| Full (Strict) | SSL everywhere, valid cert required on origin | You have a Let's Encrypt cert on the server |
Most Indian hosting providers include free Let's Encrypt SSL — use Full (Strict).
Also enable: SSL/TLS → Edge Certificates → Always Use HTTPS: ON
Step 4: Speed settings to enable
Speed → Optimization:
- Auto Minify: Turn on CSS, JavaScript, HTML. Reduces file sizes.
- Brotli: Turn ON. Better compression than gzip (supported by all modern browsers).
Speed → Optimization → Early Hints: Turn ON. Improves perceived load time by preloading resources.
Network:
- HTTP/2: Should already be ON (Cloudflare default).
- HTTP/3 (with QUIC): Turn ON. Faster on mobile networks, including Indian 4G/5G.
- 0-RTT Connection Resumption: Turn ON. Reduces latency for returning visitors.
Step 5: Caching settings
Caching → Configuration:
- Caching Level: Standard
- Browser Cache TTL: 4 hours (for most sites) or 1 month for heavily cached static sites
Caching → Cache Rules (replaces the old Page Rules):
Create a rule to bypass cache for WordPress admin and dynamic pages:
| Field | Value |
|---|---|
| URI Path | contains /wp-admin/ OR /wp-login.php OR /cart/ OR /checkout/ |
| Action | Bypass cache |
Step 6: Security settings
Security → Settings:
- Security Level: Medium (aggressive enough for most Indian sites without false positives)
- Bot Fight Mode: Turn ON (free). Blocks obvious bot traffic.
Security → WAF (Pro plan only, ₹1,500/mo):
- Enable the Cloudflare Managed Ruleset for generic protection
- Enable the WordPress-specific ruleset if running WordPress
What NOT to turn on (common mistakes)
Rocket Loader: This asynchronously loads JavaScript. It breaks many Indian payment gateways (Razorpay, PayU, CCAvenue) that rely on synchronous script loading. Leave OFF.
Mirage and Polish: These optimize images. Mirage can distort images and Polish can conflict with your existing optimized images. Leave OFF unless you've tested.
IP Geolocation: Adds a header with visitor's country. Only turn on if your application needs it.
Email Address Obfuscation: Scrambles email addresses to protect from scrapers. Can break contact forms or email links. Leave OFF unless your email addresses are scraped.
Cloudflare and Razorpay / payment gateways
This is the most common Cloudflare issue for Indian e-commerce. Cloudflare's security features can:
- Block Razorpay payment callback IPs — Cloudflare's WAF may block POST requests from payment gateway servers as "bot traffic"
- Rocket Loader breaking checkout scripts — don't enable Rocket Loader if using Razorpay, PayU, or CCAvenue
Fixes:
- Security → WAF → Create a rule to allow traffic from *.razorpay.com (or your gateway's IPs)
- Add /api/payment/callback to your cache bypass rule so Cloudflare never caches payment webhooks
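An added example (not part of the original article): a check that the Step 5 bypass rule and the payment-callback exclusion above actually took effect, by reading the cf-cache-status response header for each sensitive path. The fetch_sample responses are constructed so the script runs offline; against a live site, replace fetch_sample with a function that runs curl -sI for the path.

```shell
#!/usr/bin/env bash
# Added example: confirm sensitive paths are not cached by Cloudflare.

# Print one response header's value (case-insensitive name, CRLF stripped).
header_value() {  # $1 = header name, stdin = raw response headers
  tr -d '\r' | awk -v h="$1" 'BEGIN { h = tolower(h) ":" }
    tolower(substr($0, 1, length(h))) == h {
      v = substr($0, length(h) + 1); sub(/^[ \t]+/, "", v); print v; exit
    }'
}

# BYPASS, DYNAMIC or no header: Cloudflare is not storing the response.
# Anything else (HIT, MISS, EXPIRED, ...) means it is eligible for caching.
cache_verdict() {  # stdin = raw response headers
  local status
  status=$(header_value cf-cache-status | tr '[:lower:]' '[:upper:]')
  case "$status" in
    ""|BYPASS|DYNAMIC) echo "not-cached" ;;
    *)                 echo "CACHEABLE($status)" ;;
  esac
}

# Constructed sample responses standing in for:
#   curl -sI "https://yourdomain.in$1"
fetch_sample() {
  case "$1" in
    /wp-admin/) printf 'HTTP/2 302\r\nserver: cloudflare\r\ncf-cache-status: BYPASS\r\n\r\n' ;;
    /cart/)     printf 'HTTP/2 200\r\nserver: cloudflare\r\ncf-cache-status: DYNAMIC\r\n\r\n' ;;
    /checkout/) printf 'HTTP/2 200\r\nserver: cloudflare\r\nCF-Cache-Status: HIT\r\nage: 118\r\n\r\n' ;;
    *)          printf 'HTTP/2 200\r\nserver: cloudflare\r\ncf-cache-status: MISS\r\n\r\n' ;;
  esac
}

# Check every path; the return status is the number of cacheable paths.
audit_paths() {  # $1 = fetch function, remaining args = paths
  local fetch bad path verdict
  fetch=$1; bad=0; shift
  for path in "$@"; do
    verdict=$("$fetch" "$path" | cache_verdict)
    printf '%-24s %s\n' "$path" "$verdict"
    [ "$verdict" = "not-cached" ] || bad=$((bad + 1))
  done
  return "$bad"
}

audit_paths fetch_sample /wp-admin/ /wp-login.php /cart/ /checkout/ \
  /api/payment/callback || echo "findings: $?"
```

A CACHEABLE result on a cart, checkout or login path means one visitor's page can be stored and served to another, so widen the bypass rule until every listed path reports not-cached.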
Cloudflare and cPanel / WHM
Never proxy cpanel.yourdomain.in or whm.yourdomain.in through Cloudflare. cPanel uses non-standard ports (2082, 2083, 2086, 2087) that Cloudflare doesn't proxy. Keep these DNS-only (grey cloud).
Checking if Cloudflare is working
```bash
# Check if traffic is going through Cloudflare
# (-s hides curl's progress meter so only the matching headers are printed)
curl -sI https://yourdomain.in | grep -iE "cf-ray|server"
# If you see "Server: cloudflare" and a "cf-ray" header, it's working
```
In a browser, the Cloudflare icon in the Network tab of DevTools, or a security certificate showing "Cloudflare" as the issuer, confirms it's active.
Cloudflare's free tier is genuinely worth setting up for every Indian website — the performance improvement from the Mumbai PoP alone is measurable. Just take 20 minutes to configure it correctly rather than enabling everything and troubleshooting later.