Build What You Sell
I sell Cloudflare. I’ve done it for almost a decade. But there’s a difference between knowing the pitch deck and knowing what it feels like to deploy a Worker, lock down an API with schema validation, or watch your firewall block a real .env probe from Lithuania at 2am.
So I built this site. Not as a side project — as a forcing function. If I’m going to tell a CISO that Zero Trust replaces their VPN, I should probably have set it up myself. If I’m going to pitch Spectrum to a gaming company, I should know what it takes to proxy SSH traffic through Layer 4.
saltwaterbrc.com runs 23 Cloudflare products in production. Every one of them is live, configured, and demo-ready. This post walks through the full build — from the first DNS record to the AI agent you can talk to right now.
The Starting Line
Every Cloudflare deployment starts in the same place: a domain.
Cloudflare Registrar — I registered saltwaterbrc.com directly through Cloudflare. No markup, no middleman. This is the cleanest starting point because DNS is already managed in the same dashboard from day one.
Cloudflare Pages — The site itself is built on Astro (a modern static site framework) and deployed to Cloudflare Pages. Every git push triggers a build and deploys globally. No servers to manage, no CI/CD pipelines to maintain. Push code, it’s live.
These two products are the foundation. Domain + hosting. Five minutes and you’re on the internet.
The Developer Platform
Once the site was live, I started building on Cloudflare’s compute and storage layer. This is where it stops being a website and starts being a platform.
Workers — Serverless functions at the edge. Every backend endpoint on this site — the AI agent, the visitor counter, the guestbook, the API demo — runs on Workers. JavaScript/TypeScript, deployed globally, sub-50ms cold starts. No origin server.
Durable Objects — Stateful compute. When you chat with the AI agent on this site, your conversation history persists across messages. That’s a Durable Object — a single instance with its own storage, running wherever it needs to be.
R2 — Object storage with zero egress fees. S3-compatible API, but you don’t pay to read your own data. Assets on this site are stored in R2.
D1 — Serverless SQL database (SQLite at the edge). The Guestbook page on this site writes to D1. Visitors sign it, entries persist. A real database with no infrastructure to manage.
KV — Global key-value store. The visitor counter on the homepage reads and writes to KV. Simple, fast, globally replicated.
Demo it live: Open the Guestbook →, sign it, refresh — that’s D1 in action. Check the visitor counter on the homepage → — that’s KV.
The AI Stack
This is where the site gets interesting for customer conversations. Three products work together to power the AI features.
Workers AI — Run inference at the edge. This site uses two models: a large language model for the AI chat agent, and BGE embeddings for turning blog content into vectors. No API keys to external providers, no infrastructure. Just bind the AI service to your Worker and call it.
Vectorize — Vector database for semantic search. Every blog post on this site is chunked into pieces, embedded with BGE, and indexed in Vectorize. When someone asks the AI agent a question, it searches Vectorize for relevant content and uses it to ground the response. This is RAG (retrieval-augmented generation) running entirely on Cloudflare.
AI Gateway — A proxy that sits in front of AI calls. It gives you logging (see every prompt and response), caching (identical prompts return cached results), and rate limiting (prevent abuse). Every AI call on this site routes through AI Gateway.
Demo it live: Open Ask AI → and ask “What is Spectrum?” or “What products does this site use?” — that’s Workers AI + Vectorize + AI Gateway + Agents SDK all working together in one request.
The AI Agent (Agents SDK)
The Ask AI page is not a simple chatbot. It’s built on Cloudflare’s Agents SDK — a framework for multi-turn AI agents with tool calling.
What makes it different from a basic LLM wrapper:
- Multi-turn memory — It remembers your conversation. Ask a follow-up question and it knows the context.
- Tool calling — The agent can search blog content (via Vectorize), look up customer use cases by industry, and check live site traffic stats. It decides which tool to use based on your question.
- WebSocket streaming — Responses stream in real-time, not batch.
- Persistent state — Conversation history is stored in a Durable Object. Close the tab, come back, your chat is still there.
The site also has Ask This Blog (V1) — a simpler RAG implementation that just searches blog content. You can compare the two side by side.
Demo it live: Open Ask AI → and ask “Show me Workers use cases for healthcare” — watch it call the find_use_cases tool and return structured results with customer names and industry labels. Then try Ask This Blog → to compare V1 vs V2.
The Interactive Features
Sandbox SDK (Code Playground) — An isolated code execution environment at the edge. The Code Playground page lets visitors write and run JavaScript in a sandboxed container. Think Docker at the edge — but serverless.
Stream (Watch the video) — Video hosting with adaptive bitrate. The Stream page has an AI-generated video embedded and delivered through Cloudflare’s video pipeline. Upload, transcode, embed, deliver — all managed.
Guestbook (Sign it) — A real database-backed feature. Sign it, read entries, see D1 in action.
Demo it live — walk the Explore menu:
- Ask AI → — Multi-turn agent with tool calling
- Ask This Blog → — Classic RAG search (V1)
- Code Playground → — Write and run code in the browser
- Stream → — AI-generated video on Cloudflare Stream
- Guestbook → — D1 database in action
- Admin → — Locked behind Zero Trust (triggers Access login)
Security: Layer 7
This is where the site becomes a security demo — not just a developer platform demo.
WAF (Web Application Firewall) — Rate limiting rules protect the site’s endpoints. But more importantly, the WAF has already blocked real attacks in production. Automated scanners probing for .env files, wp-config.php.bak, and admin panels. Those show up in Security Events with source IPs, countries, and matched rules. Real threats, real blocks.
API Shield — I wrote an OpenAPI schema for this site’s 18 API endpoints and uploaded it to API Shield. Schema validation is active — if a request doesn’t match the spec, it gets flagged. API Shield also provides endpoint discovery (finds API endpoints Cloudflare sees in traffic) and BOLA detection (broken object-level authorization).
Page Shield — Client-side security monitoring. It tracks every JavaScript file, external connection, and cookie loaded on the site. If a malicious script gets injected (Magecart-style), Page Shield flags it. This is directly relevant to PCI DSS 4.0 compliance — requirements 6.4.3 and 11.6.1 specifically require monitoring scripts on payment pages.
Demo it live: Open the Cloudflare dashboard → Security → Events. Show real blocked requests. Then show API Shield with the uploaded schema and 18 monitored endpoints. Then show Page Shield’s script inventory.
Security: Layer 4
Spectrum — This is the product that protects everything that isn’t HTTP. SSH, RDP, game servers, databases, IoT — all of it runs on TCP/UDP, and all of it is invisible to a traditional web WAF.
I set up a live demo: ssh.saltwaterbrc.com proxies SSH traffic (port 22) through Cloudflare Spectrum to a DigitalOcean VPS. When you connect, the VPS sees Cloudflare’s IP (104.28.x.x) — not yours. The origin IP is completely hidden.
The VPS firewall (UFW) is locked down to only accept connections from Cloudflare’s IP ranges. Direct SSH to the origin IP is blocked. The only way in is through Spectrum.
This is exactly how a gaming company protects Minecraft servers, or how a bank secures its RDP bastion hosts, or how an enterprise hides its database endpoints from the internet.
Demo it live: Show the Spectrum app in the Cloudflare dashboard. If you have terminal access, run
ssh -l root ssh.saltwaterbrc.comand show the connection succeeding through Cloudflare. Show the UFW rules on the VPS blocking everything except Cloudflare CIDRs.
Security: Zero Trust
Seven Zero Trust products are live on this site. Here’s what each one does and how to demo it.
Access (ZTNA) — Click Admin in the Explore dropdown. You’ll hit a login screen — that’s Cloudflare Access protecting the page with Google Workspace SSO. No VPN. Identity-aware access at the edge.
Gateway (SWG) — DNS filtering and HTTP inspection. My Gateway policies block malware domains, adult content, and gambling sites. There’s also a DLP policy blocking sensitive data in HTTP traffic. This is active on my enrolled devices.
Tunnel — Outbound-only connectivity via cloudflared. I have dev.saltwaterbrc.com tunneled to a local development server. No inbound ports open, no firewall holes. The tunnel dials out to Cloudflare and traffic routes back through it.
WARP (Cloudflare One Client) — The device client. My Mac is enrolled, Gateway policies are enforced, traffic is routed through Cloudflare. This is the “on-ramp” for Zero Trust.
Browser Isolation (RBI) — Clientless remote browser isolation. Websites render in Cloudflare’s cloud and stream pixels to the user’s browser. No code executes locally. Access it at saltwaterbrc.cloudflareaccess.com/browser/.
CASB — Cloud Access Security Broker. Connected to my Google Workspace instance. It scans for misconfigurations, overshared files, risky third-party app permissions, and data exposure.
DLP — Data Loss Prevention. Detection profiles for financial data (credit card numbers), credentials and secrets, and SSNs. HTTP block policy enforced.
Demo it live: Click Admin → to trigger the Access login. Then open the Zero Trust dashboard to show Access applications, Gateway DNS policies, and CASB findings from the Google Workspace scan.
The Full Stack at a Glance
| Layer | Products |
|---|---|
| Domain & Hosting | Registrar, Pages, Astro |
| Compute | Workers, Durable Objects |
| Storage | R2, D1, KV |
| AI | Workers AI, Vectorize, AI Gateway, Agents SDK |
| Media | Stream |
| Interactive | Sandbox SDK |
| Security (L7) | WAF, API Shield, Page Shield |
| Security (L4) | Spectrum |
| Zero Trust | Access, Gateway, Tunnel, WARP, Browser Isolation, CASB, DLP |
23 products. One domain. All live.
Why This Matters
Every product on this site is something I can walk a customer through — not from a slide, but from a live environment I built and maintain myself.
When a healthcare customer asks about CASB, I can show my own Google Workspace scan. When a gaming company asks about Spectrum, I can SSH into a protected server in front of them. When an e-commerce company asks about Page Shield and PCI DSS 4.0, I can pull up the actual script inventory running on my site.
The pitch is simple: if one person can deploy 23 products on a single domain in weeks, imagine what your team can do with Cloudflare behind them.
Build what you sell.
Want to see it live? Start at saltwaterbrc.com and click through the Explore menu. Or ask the AI agent → anything about the products on this site. Check out the training resources → for downloadable PDFs on every product.