
Locking Down the Front Door: 6 Cloudflare Products in One Session

Most of the products I’ve built on this site required real engineering — writing Workers, configuring Durable Objects, building an AI agent from scratch. But Cloudflare has an entire layer of products that take minutes to enable and immediately improve your security posture.

I call them “front door” products. They don’t require code. They don’t require architecture changes. You toggle them on, configure a few settings, and they start protecting you.

In one session, I enabled six of them. Here’s what each one does, what I found when I turned them on, and why I should have done this months ago.


AI Crawl Control — Who’s Eating Your Content?

This one surprised me.

Cloudflare’s AI Crawl Control gives you a dashboard showing exactly which AI companies are crawling your site, how much data they’re consuming, and — critically — whether they’re sending any traffic back.

Within 30 seconds of opening the dashboard, I had my answer: 627 AI crawler requests in the last 7 days. A 15.5% increase from the previous week.

Here’s the breakdown:

| Crawler       | Company   | Requests | Data Consumed | Referrals Back |
|---------------|-----------|----------|---------------|----------------|
| ChatGPT-User  | OpenAI    | 280      | 3.59 MB       | 0              |
| BingBot       | Microsoft | 172      | 411 kB        | 1              |
| GPTBot        | OpenAI    | 41       | 924 kB        | 0              |
| ClaudeBot     | Anthropic | 40       | 112 kB        | 0              |
| OAI-SearchBot | OpenAI    | 39       | 232 kB        | 0              |
| Amazonbot     | Amazon    | 25       | 195 kB        | 0              |
| Googlebot     | Google    | 12       | 93 kB         | 5              |
| Bytespider    | ByteDance | 5        | 52 kB         | 0              |

The most crawled page on my entire site? My Cloudflare Spectrum training PDF — 206 successful requests from OpenAI alone. They downloaded a 2.02 MB document hundreds of times, used it to train their models, and sent me exactly zero visitors in return.

What I Blocked

AI Crawl Control lets you set per-crawler rules. I blocked three pure training crawlers that give nothing back:

I left the search engine crawlers (Googlebot, BingBot) and AI assistant crawlers (ChatGPT-User, ClaudeBot, OAI-SearchBot) allowed. The assistants help when someone pastes my URL into a chat — blocking them would hurt discovery. The search crawlers drive SEO.

I also enabled Markdown for Agents, which auto-converts my HTML to clean markdown when an AI agent requests content with the Accept: text/markdown header. If an AI is going to read my content, it should at least get a clean version.

The Sales Angle

Every customer I talk to is asking the same question right now: “Who’s scraping our content for AI training and what can we do about it?” AI Crawl Control is one of the easiest conversations to have. The data is visual, the controls are granular, and the “pay per crawl” feature (in beta) lets companies monetize their content instead of just blocking it.


Turnstile — CAPTCHA Without the Pain

Turnstile is Cloudflare’s CAPTCHA replacement. Instead of asking visitors to identify fire hydrants, it runs invisible challenges in the browser — proof-of-work puzzles, behavior analysis, browser API probes — and determines if someone is human without showing them anything.

On this site, every visitor passes through Turnstile before they can access any page — enforced at the edge via a WAF Managed Challenge rule. No code required. One rule, deployed in 30 seconds.

Turnstile verifying a visitor

Turnstile verification passed

How It Works Under the Hood

  1. Create a Turnstile widget in the Cloudflare dashboard — get a site key (public, goes in HTML) and secret key (private, stays on the server)
  2. Add a <div class="cf-turnstile"> element to your page with the Turnstile script
  3. When the visitor passes the challenge, Turnstile generates a single-use token
  4. Your server sends that token to Cloudflare’s Siteverify API (POST /turnstile/v0/siteverify) to confirm it’s valid
  5. Token expires after 5 minutes and can’t be replayed

On this site, the verification endpoint lives in the Agent V3 Worker at /api/verify-turnstile. It validates the token server-side before the WebSocket connection opens. If TURNSTILE_SECRET_KEY isn’t configured, it gracefully passes through — so existing deploys don’t break.
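The server-side half of steps 4 and 5, as an added example rather than the site's own Worker code: a token is posted to Siteverify, the result is checked, and the pass-through when TURNSTILE_SECRET_KEY is unset is kept. The Siteverify stand-in, the secret "SECRET-PLACEHOLDER", the token names and the EXPECTED_HOSTNAME binding are constructed here so the example runs offline.

```javascript
// Added example (not the Agent V3 Worker's code): verify a Turnstile token
// against the Siteverify API from inside a Worker-style handler.
const SITEVERIFY_URL = "https://challenges.cloudflare.com/turnstile/v0/siteverify";

async function verifyTurnstileToken(token, env, remoteIp, fetchImpl = globalThis.fetch) {
  // Pass-through when no secret is configured, as the post describes. This is
  // fail-open by design, so a deployment should alert on it rather than run silently.
  if (!env.TURNSTILE_SECRET_KEY) return { ok: true, reason: "secret-not-configured" };
  if (typeof token !== "string" || token.length === 0 || token.length > 2048) {
    return { ok: false, reason: "missing-or-malformed-token" };
  }
  const body = new URLSearchParams({ secret: env.TURNSTILE_SECRET_KEY, response: token });
  if (remoteIp) body.set("remoteip", remoteIp); // optional, lets Cloudflare cross-check the client
  const res = await fetchImpl(SITEVERIFY_URL, { method: "POST", body });
  const data = await res.json();
  if (!data.success) {
    return { ok: false, reason: (data["error-codes"] || []).join(",") || "verification-failed" };
  }
  // Defence in depth: the token must have been issued for our own hostname.
  // EXPECTED_HOSTNAME is an assumed binding, not one the post mentions.
  if (env.EXPECTED_HOSTNAME && data.hostname !== env.EXPECTED_HOSTNAME) {
    return { ok: false, reason: "hostname-mismatch" };
  }
  return { ok: true, reason: "verified", challengeTs: data.challenge_ts };
}

// Constructed stand-in for Siteverify so the example runs offline. Real tokens
// are single use: verifying the same token twice yields "timeout-or-duplicate".
function makeFakeSiteverify(validTokens, hostname) {
  const used = new Set();
  return async (_url, init) => {
    const params = new URLSearchParams(init.body);
    const tok = params.get("response");
    let payload;
    if (params.get("secret") !== "SECRET-PLACEHOLDER") {
      payload = { success: false, "error-codes": ["invalid-input-secret"] };
    } else if (!validTokens.has(tok)) {
      payload = { success: false, "error-codes": ["invalid-input-response"] };
    } else if (used.has(tok)) {
      payload = { success: false, "error-codes": ["timeout-or-duplicate"] };
    } else {
      used.add(tok);
      payload = { success: true, "error-codes": [], hostname, challenge_ts: "2024-01-01T00:00:00Z" };
    }
    return { json: async () => payload };
  };
}
```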

Three widget modes: Managed (Cloudflare decides whether to show a checkbox based on risk), Non-interactive (fully invisible), and Invisible (hidden in the DOM). I’m using Managed.

Why Not reCAPTCHA?

Turnstile is free. It doesn’t use tracking cookies. It doesn’t sell visitor data to train ad models. It’s WCAG 2.2 AA accessible. And it works on any site, even ones not on Cloudflare.


DMARC Management — Stop Domain Spoofing

Without email authentication records, anyone can send an email that looks like it’s from brandon@saltwaterbrc.com. That’s called domain spoofing, and it’s the foundation of phishing attacks.

DMARC (Domain-based Message Authentication, Reporting & Conformance) ties together SPF and DKIM to tell receiving email servers what to do when an email fails authentication checks.

Cloudflare’s DMARC Management creates the DNS records for you and gives you a dashboard showing every service sending email on your behalf — with pass/fail rates for SPF, DKIM, and DMARC.

I created a DMARC record with p=none (monitor mode). This means receiving servers will report failures but won’t block anything yet. Once I verify all legitimate senders (which is mostly just Google Workspace for saltwaterbrc.com), I’ll move to p=quarantine and eventually p=reject.

The first DMARC reports take about 24 hours to come in. After that, the dashboard populates with every sender using my domain.
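What a receiving server actually does with the record, as an added example that is not Cloudflare's or the dashboard's code: DMARC passes when SPF or DKIM passes and that identifier aligns with the From domain, otherwise the p= tag decides the action, so the same spoofed message is delivered under p=none, quarantined under p=quarantine and bounced under p=reject. Organisational-domain lookup is simplified to the last two labels (an assumption; real receivers use the Public Suffix List), and the sample records and messages are constructed.

```javascript
// Added example (not Cloudflare's code): apply a DMARC TXT record to the
// SPF/DKIM results of a message and return the disposition.
function parseDmarcRecord(txt) {
  const tags = {};
  for (const part of txt.split(";")) {
    const [k, ...rest] = part.split("=");
    if (k.trim() && rest.length) tags[k.trim().toLowerCase()] = rest.join("=").trim();
  }
  if (tags.v !== "DMARC1" || !["none", "quarantine", "reject"].includes(tags.p)) {
    throw new Error("invalid DMARC record: " + txt);
  }
  // aspf/adkim default to relaxed ("r"); "s" demands an exact domain match.
  return { policy: tags.p, aspf: tags.aspf || "r", adkim: tags.adkim || "r" };
}

// Simplified organisational domain: last two labels (assumption, see lead-in).
function orgDomain(d) {
  return d.toLowerCase().split(".").slice(-2).join(".");
}

function aligned(domain, fromDomain, mode) {
  if (!domain) return false;
  const a = domain.toLowerCase(), b = fromDomain.toLowerCase();
  return mode === "s" ? a === b : orgDomain(a) === orgDomain(b);
}

// msg = { fromDomain, spf: { result, domain }, dkim: { result, domain } }
// spf.domain is the MAIL FROM domain SPF was evaluated for; dkim.domain is d=.
function dmarcDisposition(msg, recordTxt) {
  const rec = parseDmarcRecord(recordTxt);
  const spfPass = msg.spf.result === "pass" && aligned(msg.spf.domain, msg.fromDomain, rec.aspf);
  const dkimPass = msg.dkim.result === "pass" && aligned(msg.dkim.domain, msg.fromDomain, rec.adkim);
  if (spfPass || dkimPass) return { dmarc: "pass", action: "deliver" };
  // Failed authentication: p=none only reports, quarantine sends to spam, reject bounces.
  const action = { none: "deliver", quarantine: "quarantine", reject: "reject" }[rec.policy];
  return { dmarc: "fail", action };
}
```

A p=none record therefore changes nothing for recipients; its value is the reports that show which senders fail before tightening to quarantine or reject.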

Why This Matters

Even if your domain doesn’t send bulk email, you need DMARC. Without it, a phishing attack could use your domain name and receiving servers have no way to know it’s fake. For saltwaterbrc.com, the risk is low. For a company like Epic Games or LexisNexis, it’s a compliance requirement.


Waiting Room — Queue Instead of Crash

Waiting Room puts a virtual queue in front of a specific page when traffic exceeds your thresholds. Instead of your origin crashing under load, new visitors see a branded waiting page with estimated wait times and get let in as capacity opens up.

I set one up on /ask-ai — the AI agent page. If the agent ever gets slammed with traffic (say, if a blog post goes viral), the Durable Object backing the agent could get overwhelmed. The Waiting Room catches the surge before it hits the origin.

Configuration:

Right now the status shows “Not queueing” because traffic is well under the threshold. That’s the point — it’s a safety net, not a gate.

The Customer Conversation

Every customer with traffic spikes needs this — e-commerce during Black Friday, gaming during launches, media during breaking news, ticketing during on-sales. The pitch is simple: would you rather show customers a loading error or a branded queue with an estimated wait time?


Web Analytics — Privacy-First Metrics

Cloudflare Web Analytics was already enabled on my zone, but I hadn’t looked at the data in a while. When I opened the dashboard, I found real data worth paying attention to.

Core Web Vitals from real visitors (not synthetic tests):

No cookies. No consent banners. No data sampling. 100% of page views are measured using the browser’s Performance API. This is what Google Analytics should be but isn’t.


Health Checks — The Smoke Detector

Health Checks are standalone HTTP/HTTPS monitors that ping your endpoints from Cloudflare’s global network and alert you when something goes down.

I created a health check for the main site:

If the site goes down, I get notified before any visitor does. Enterprise plans include up to 1,000 health checks — I’m using 1. The agent worker and SSH proxy (Spectrum) are next.


The Running Total

This session brought the site from 27 to 33 Cloudflare products running in production. Here’s the updated stack:

New in this session:

  1. Turnstile (bot verification on /ask-ai)
  2. AI Crawl Control (crawler visibility + blocking)
  3. DMARC Management (email domain protection)
  4. Waiting Room (traffic queue on /ask-ai)
  5. Web Analytics (Core Web Vitals + RUM)
  6. Health Checks (uptime monitoring)

Bonus: Markdown for Agents (auto-converts pages to markdown for AI agents)

None of these required writing a single Worker. The Turnstile integration needed a few lines of code in the agent and the Astro page, but everything else was dashboard configuration. That’s the point — Cloudflare’s security and observability layer is designed to sit on top of whatever you’ve already built.

Next up: Phase 9.2 — building a complete email stack on Cloudflare (Email Routing + Email Service). No Mailgun. No SendGrid. No SES. Just Cloudflare.

