Hardening Cloudflare Pages for Small Publications

A pragmatic baseline for static sites that still need sane headers, clean DNS, and safe deployment habits.

Cloudflare Pages is a good fit for a small publication because the default delivery model is simple: build once, ship static assets, and keep the origin out of the way. Simplicity is the security feature.

The risk is configuration drift. Once the site grows, people start adding scripts, forms, redirects, and integrations without a review path.

Keep the publish surface small

For a static publication, the deployment surface should be narrow:

  • one source of truth for content
  • one build command
  • one production domain
  • one redirect policy

If the site needs secrets, scopes, or runtime state, ask whether it should still be static. Most publication sites do not need much more than build-time data and edge delivery.

Treat headers as part of the product

Security headers are not a separate hardening task. They are part of the publication contract.

The baseline I expect is:

  • Content-Security-Policy
  • Strict-Transport-Security
  • X-Content-Type-Options
  • Referrer-Policy
  • Permissions-Policy

That is enough to make the site more predictable without overfitting it to one browser's behavior.
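
One way to hold that baseline in review is a build-time check over the `_headers` file that Cloudflare Pages reads from the build output. The sketch below is an added example, not code from this article or from Cloudflare. It assumes a simplified model of the file: only `*` splats are matched, matching rules apply in file order, and a `! Name` line detaches a header. The sample file and all function names are constructed for illustration.

```python
import re

BASELINE = ["Content-Security-Policy", "Strict-Transport-Security",
            "X-Content-Type-Options", "Referrer-Policy", "Permissions-Policy"]

# Constructed sample: the catch-all rule forgets one header, and a later
# rule detaches the CSP for an embed path (a typical source of drift).
SAMPLE = """\
# constructed sample _headers file
/*
  Content-Security-Policy: default-src 'self'
  Strict-Transport-Security: max-age=31536000
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin

/embed/*
  ! Content-Security-Policy
"""

def parse_headers_file(text):
    """Return [(pattern, [(name, value)])]; value None marks a '! Name' detach."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():              # unindented line opens a new rule
            rules.append((line, []))
        elif rules and line.startswith("!"):
            rules[-1][1].append((line[1:].strip().lower(), None))
        elif rules and ":" in line:
            name, value = line.split(":", 1)
            rules[-1][1].append((name.strip().lower(), value.strip()))
    return rules

def effective_headers(rules, path):
    """Apply every matching rule in file order (assumption: '*' splats only)."""
    out = {}
    for pattern, entries in rules:
        regex = ".*".join(re.escape(part) for part in pattern.split("*"))
        if re.fullmatch(regex, path):
            for name, value in entries:
                if value is None:
                    out.pop(name, None)       # detach removes an inherited header
                else:
                    out[name] = value
    return out

def missing_baseline(text, path):
    """List baseline headers that would not be sent for the given path."""
    present = effective_headers(parse_headers_file(text), path)
    return [h for h in BASELINE if h.lower() not in present]
```

Run against a handful of representative paths in CI, a non-empty result from `missing_baseline` is a reason to fail the build before the preview is promoted.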

Make DNS boring

DNS should not be creative. Use the minimal number of records, keep the apex and www story clear, and avoid unnecessary subdomains.

For a personal publication, the most common failure mode is not an exploit. It is an ownership problem: an old DNS record, an abandoned verification token, or a stale redirect.

Protect the build pipeline

The deployment pipeline is where trust gets concentrated. The main control is review discipline:

  1. lock down who can modify the content repo
  2. separate preview and production changes
  3. avoid ad hoc secrets in markdown or frontmatter
  4. audit third-party embeds before publishing

If the site stays content-only, it is easier to reason about. That is a good tradeoff for a personal publication.

Outcome

The strongest Cloudflare Pages setup is usually not the most elaborate one. It is the one that is easy to understand six months later.

For small publications, hardening is mostly about reducing surprise.