Do the prerequisites once; repeat steps 2–5 for every end customer.
Know which layer a setting lives on — it tells you where to click and what a token needs to touch.
Anything marked "No" is a clear upsell conversation — not a gap in the baseline.
Tip: the dashboard search bar is the fastest way to jump to any setting by name.
Least privilege everywhere — scope tokens to exactly what the baseline touches.
Same module, different tfvars — every customer gets an identical baseline.
Lead with the Managed Ruleset. Do not "enable all rules" — some are off by default on purpose.
The one-time WAF turn-on for a new customer zone.
Fill these five fields in order and any rate-limit rule makes sense.
Pro gives you 2 rate-limiting rules — login and API are the usual choices. Log for a day, then Block.
Pro values: block for 15 min, counting per IP over a 1-minute window.
Security rules → DDoS protection tab → Create override. Leave the action at Cloudflare’s default.
Always-on mitigation is already active — this only tunes it.
Caching is DDoS protection: cached content never touches the origin.
Cloudflare One → Traffic policies. Deploy the Cloudflare CA to devices before HTTP inspection.
Start with DNS-layer blocks — no device trust needed. HTTP inspection comes after the CA is deployed.
Access mgmt: scoped roles, 2FA enforced, no Global API Key. Then verify and hand off.
One module, applied per customer — identical, auditable, reviewable in a merge request.