Free Cloudflare rules for public self-hosted services

A small public website can get basic protection with the Cloudflare Free Plan. The main idea is to distrust traffic by default and filter suspicious requests before they reach the , such as a Mac mini running at home. The rules cover a , basic , bot settings, and .

They aim to block bad bots and scanners, empty User-Agent requests, and automated curl, wget, and python requests. They also block attempts to reach sensitive paths such as .env, .git, backup files, and phpMyAdmin. Other targets include dangerous query strings, very old browsers, and some unwanted AI scrapers and crawlers.

The rules are open source, free to use, and have no paid version.

Key points

  • Cloudflare Free Plan can add a basic protection layer in front of public self-s.
  • Suspicious traffic is filtered before it reaches the , such as a home Mac mini.
  • The rules target bad bots, scanners, empty User-Agent requests, and automated curl, wget, and python requests.
  • Requests for .env, .git, backup files, and phpMyAdmin are treated as suspicious.
  • A block-first approach needs tuning so useful crawlers and still work.
Read original