How to Set Up Cloudflare with PrestaShop Correctly


Why Use Cloudflare with PrestaShop?

Cloudflare sits between your visitors and your PrestaShop server, acting as a reverse proxy that provides DDoS protection, a Web Application Firewall (WAF), a global CDN for static assets, and SSL/TLS termination. When configured correctly, Cloudflare can dramatically improve your store's page load times, reduce server bandwidth, and block malicious traffic before it ever reaches your hosting. However, a misconfigured Cloudflare setup is one of the most common causes of redirect loops, broken checkouts, incorrect customer IPs, and caching disasters in PrestaShop. This guide walks you through every step of a correct configuration.

Step 1: DNS Configuration

After adding your domain to Cloudflare, you need to configure your DNS records. The most important decision is which records should be proxied (orange cloud) versus DNS-only (grey cloud).

Proxied records (orange cloud):

  • Your main A or AAAA record pointing to your server IP (e.g., example.com and www.example.com)
  • Any CNAME for subdomains serving web content

DNS-only records (grey cloud):

  • MX records (mail) — these must never be proxied
  • Records used for FTP, SSH, or other non-HTTP services
  • Records pointing to mail servers (e.g., mail.example.com)

Important: If you use a subdomain for your PrestaShop back office (e.g., admin.example.com), you can proxy it, but be mindful of the caching rules discussed later. Never create a DNS record that exposes your real server IP unnecessarily — once your main domain is proxied, attackers who know the real IP can bypass Cloudflare entirely. DNS-only records resolve straight to the address they point at, so a grey-cloud mail or FTP hostname hosted on the same server as the store reveals that IP. Consider changing your server IP after enabling Cloudflare if it was previously public.

Step 2: SSL/TLS Configuration — Use Full (Strict)

This is the single most critical setting. Navigate to SSL/TLS > Overview in your Cloudflare dashboard.

Always use Full (Strict) mode. Here is what each mode does and why the others are wrong for PrestaShop:

  • Off: No encryption at all. Never use this for an e-commerce store.
  • Flexible: Encrypts traffic between the visitor and Cloudflare, but sends unencrypted HTTP to your server, so logins and checkout data cross the internet in plaintext on that leg. It also causes infinite redirect loops in PrestaShop: the server sees HTTP and, with force_ssl = 1, redirects to HTTPS; Cloudflare delivers that over HTTPS, but the next request hits the server as HTTP again. This is the number one Cloudflare mistake with PrestaShop.
  • Full: Encrypts end-to-end but does not validate your server's SSL certificate. Acceptable but not recommended.
  • Full (Strict): Encrypts end-to-end and validates your origin certificate. This is correct. If you do not have a paid SSL certificate, use a free Cloudflare Origin Certificate (valid for 15 years) installed on your server.

To install a Cloudflare Origin Certificate: go to SSL/TLS > Origin Server > Create Certificate. Download the certificate and private key, install them in your web server (Apache or Nginx), and restart the service. This certificate is only valid for traffic coming through Cloudflare — it will show as invalid if accessed directly.

Under SSL/TLS > Edge Certificates, enable:

  • Always Use HTTPS: Yes
  • Automatic HTTPS Rewrites: Yes (fixes mixed content by rewriting HTTP URLs to HTTPS)
  • Minimum TLS Version: TLS 1.2

Step 3: Caching Configuration

Cloudflare's default caching behavior works well for static assets but can cause serious problems if it caches dynamic PrestaShop pages. Navigate to Caching > Configuration.

Recommended settings:

  • Caching Level: Standard
  • Browser Cache TTL: Respect Existing Headers (let PrestaShop control browser caching via its CCC settings)
  • Always Online: Disable this for e-commerce stores — showing stale product pages with wrong prices or out-of-stock items is worse than showing an error page

What Cloudflare caches by default: Only static file extensions like .js, .css, .png, .jpg, .gif, .svg, .woff2, .ico. It does NOT cache HTML pages by default, which is correct for PrestaShop. Do not enable "Cache Everything" without proper bypass rules, or your customers will see other people's carts, sessions, and personal data.

Step 4: Page Rules and Cache Rules

Page Rules (or the newer Cache Rules) let you customize Cloudflare's behavior for specific URL patterns. For PrestaShop, you need rules that protect the admin panel and checkout from caching while optimizing static content delivery.

Rule 1: Bypass Cache for Admin Panel

Create a rule matching example.com/admin* (replace "admin" with your actual back office directory name):

  • Cache Level: Bypass
  • Disable Performance: Yes (disables Rocket Loader, Mirage, and other optimizations that can break the admin JS)
  • Security Level: High

Rule 2: Bypass Cache for Checkout and Cart

Create a rule matching example.com/order* and another for example.com/cart* (or use example.com/*order* if you use friendly URLs):

  • Cache Level: Bypass
  • Disable Performance: Yes

If your PrestaShop uses module-generated checkout URLs (like those from express checkout modules), add rules for those paths as well.

Rule 3: Bypass Cache for Customer Account

Match example.com/my-account* or example.com/identity* and any other customer-facing authenticated pages:

  • Cache Level: Bypass

Rule 4: Cache Static Assets Aggressively

Match example.com/themes/* and example.com/js/* and example.com/modules/*/views/css/*:

  • Cache Level: Cache Everything
  • Edge Cache TTL: 1 month
  • Browser Cache TTL: 1 week

Note on the newer Rules system: Cloudflare is migrating from Page Rules to separate Cache Rules, Configuration Rules, and Transform Rules. The logic is the same — create a Cache Rule with a custom filter expression like (http.request.uri.path contains "/admin") and set the action to bypass cache.

Step 5: Rocket Loader — Disable It

Rocket Loader is Cloudflare's feature that defers loading of all JavaScript on your pages. Navigate to Speed > Optimization > Content Optimization and disable Rocket Loader.

While it sounds beneficial, Rocket Loader causes severe problems with PrestaShop:

  • Broken add-to-cart buttons: PrestaShop relies on inline JavaScript blocks and jQuery ready handlers that must execute in order. Rocket Loader defers and reorders them.
  • Payment module failures: Payment gateways like PayPal, Stripe, and Mollie inject their own JavaScript that Rocket Loader interferes with, causing checkout failures and lost orders.
  • Admin panel breakage: The back office uses extensive inline JavaScript for form validation, AJAX calls, and module configuration pages. Rocket Loader breaks all of it.
  • Cookie consent and GDPR modules: These rely on blocking certain resources until consent is given. Rocket Loader undermines this by rewriting how all external resources load.

Even if you set a Page Rule to disable performance features on /admin*, the front office will still break. The safest approach is to disable Rocket Loader globally.

Step 6: Real IP Restoration

When Cloudflare proxies traffic, your server sees Cloudflare's IP addresses instead of your visitors' real IPs. This breaks PrestaShop in several ways: order records show Cloudflare IPs, fraud detection fails, geo-location is wrong, rate limiting does not work, and analytics data is useless.

Apache (mod_remoteip)

Install and enable the module:

sudo a2enmod remoteip
sudo systemctl restart apache2

Add to your Apache configuration (virtual host or global):

RemoteIPHeader CF-Connecting-IP
RemoteIPTrustedProxy 173.245.48.0/20
RemoteIPTrustedProxy 103.21.244.0/22
RemoteIPTrustedProxy 103.22.200.0/22
RemoteIPTrustedProxy 103.31.4.0/22
RemoteIPTrustedProxy 141.101.64.0/18
RemoteIPTrustedProxy 108.162.192.0/18
RemoteIPTrustedProxy 190.93.240.0/20
RemoteIPTrustedProxy 188.114.96.0/20
RemoteIPTrustedProxy 197.234.240.0/22
RemoteIPTrustedProxy 198.41.128.0/17
RemoteIPTrustedProxy 162.158.0.0/15
RemoteIPTrustedProxy 104.16.0.0/13
RemoteIPTrustedProxy 104.24.0.0/14
RemoteIPTrustedProxy 172.64.0.0/13
RemoteIPTrustedProxy 131.0.72.0/22

Cloudflare publishes their IP ranges at cloudflare.com/ips — check periodically and update your configuration if they change.

Nginx

Use the ngx_http_realip_module (usually compiled in by default):

set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
# ... add all Cloudflare ranges ...
real_ip_header CF-Connecting-IP;

PrestaShop Configuration

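Even with mod_remoteip, some PrestaShop modules read the IP from $_SERVER['HTTP_CF_CONNECTING_IP'] or $_SERVER['HTTP_X_FORWARDED_FOR']. Both values are request headers that any client can set, so they are only trustworthy when the request really arrived through Cloudflare. If you still see Cloudflare IPs in orders after configuring mod_remoteip, check your PrestaShop's config/defines.inc.php for any IP-related overrides or add the following (not always needed if mod_remoteip is working). This override accepts the header from whoever sends it, so use it only when your origin accepts connections from Cloudflare's ranges alone: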

if (isset($_SERVER['HTTP_CF_CONNECTING_IP'])) {
    $_SERVER['REMOTE_ADDR'] = $_SERVER['HTTP_CF_CONNECTING_IP'];
}
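
A stricter variant of the override above, as an added example that is not part of the original guide or of PrestaShop: it copies CF-Connecting-IP into REMOTE_ADDR only when the connecting peer is inside one of the Cloudflare ranges listed in the Apache block. The names ip_in_cidr, resolve_client_ip and CF_TRUSTED_RANGES are hypothetical.

```php
<?php
// Added example, not PrestaShop or Cloudflare code.
// IPv4 ranges copied from the Apache block on this page; keep them in sync with
// cloudflare.com/ips and add the IPv6 ranges if your origin accepts IPv6 (assumption: it does not).
const CF_TRUSTED_RANGES = [
    '173.245.48.0/20', '103.21.244.0/22', '103.22.200.0/22', '103.31.4.0/22',
    '141.101.64.0/18', '108.162.192.0/18', '190.93.240.0/20', '188.114.96.0/20',
    '197.234.240.0/22', '198.41.128.0/17', '162.158.0.0/15', '104.16.0.0/13',
    '104.24.0.0/14', '172.64.0.0/13', '131.0.72.0/22',
];

// True when $ip falls inside $cidr; works for IPv4 and IPv6.
function ip_in_cidr(string $ip, string $cidr): bool
{
    [$net, $bits] = explode('/', $cidr, 2);
    $ipBin = @inet_pton($ip);
    $netBin = @inet_pton($net);
    if ($ipBin === false || $netBin === false || strlen($ipBin) !== strlen($netBin)) {
        return false; // unparsable address or mixed address families
    }
    $bits = (int) $bits;
    $fullBytes = intdiv($bits, 8);
    $remBits = $bits % 8;
    if (substr($ipBin, 0, $fullBytes) !== substr($netBin, 0, $fullBytes)) {
        return false;
    }
    if ($remBits === 0) {
        return true;
    }
    $mask = (0xFF << (8 - $remBits)) & 0xFF;
    return (ord($ipBin[$fullBytes]) & $mask) === (ord($netBin[$fullBytes]) & $mask);
}

// Returns the visitor IP: the header value only if the TCP peer is a trusted proxy.
function resolve_client_ip(array $server, array $trusted): string
{
    $peer = $server['REMOTE_ADDR'] ?? '';
    $claimed = $server['HTTP_CF_CONNECTING_IP'] ?? '';
    if (filter_var($claimed, FILTER_VALIDATE_IP) === false) {
        return $peer; // header missing or not an IP address
    }
    foreach ($trusted as $cidr) {
        if (ip_in_cidr($peer, $cidr)) {
            return $claimed;
        }
    }
    return $peer; // header sent by a non-Cloudflare peer: ignore it
}

if (isset($_SERVER['REMOTE_ADDR'])) {
    $_SERVER['REMOTE_ADDR'] = resolve_client_ip($_SERVER, CF_TRUSTED_RANGES);
}
```

Because the peer check runs first, a request sent straight to the origin with a forged header keeps its real address in order records, fraud checks and rate limiting. When mod_remoteip has already rewritten REMOTE_ADDR, the peer no longer matches a Cloudflare range and the value is left untouched.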

Step 7: WAF (Web Application Firewall) Rules

Cloudflare's WAF protects your store from SQL injection, XSS, and other attacks. On the free plan, you get basic protection. On Pro and higher, you get the managed rulesets.

Recommended WAF Settings

  • Security Level: Medium (under Security > Settings). "High" may trigger challenges for legitimate customers on mobile networks or VPNs.
  • Challenge Passage: 30 minutes (how long a visitor stays verified after solving a challenge)
  • Bot Fight Mode: Enable with caution — it can block payment gateway callbacks (IPNs) from PayPal, Stripe, etc. If you enable it, add WAF exceptions for known webhook paths like /module/paypal/notify.

Custom WAF Rules for PrestaShop

Create these firewall rules under Security > WAF > Custom Rules:

Block direct access to sensitive files:

Expression: (http.request.uri.path contains "config/settings.inc.php") or (http.request.uri.path contains ".env") or (http.request.uri.path contains "composer.json") or (http.request.uri.path contains "var/logs/")

Action: Block

Rate limit login attempts:

Use Rate Limiting Rules to restrict requests to your admin login URL (e.g., /adminXYZ/index.php) to 5 requests per minute per IP. This prevents brute force attacks on the back office.

Whitelist payment provider IPs:

If you use Bot Fight Mode, create an Allow rule for your payment provider's webhook IPs so their server-to-server callbacks are never challenged.

Step 8: Performance Settings

Navigate to Speed > Optimization and configure:

  • Auto Minify: Enable for JavaScript, CSS, and HTML. PrestaShop's CCC (Combine, Compress, Cache) does its own minification, so there may be double-minification, but this is usually harmless. If you see rendering issues, disable Cloudflare's CSS minification and rely on PrestaShop's CCC instead.
  • Brotli: Enable — better compression than gzip, supported by all modern browsers
  • Early Hints: Enable — tells browsers to preload critical assets before the HTML is fully delivered
  • HTTP/2: Enabled by default on all Cloudflare plans
  • HTTP/3 (QUIC): Enable for better performance on mobile networks

Mirage (Pro plan): If available, enable it. Mirage lazy-loads images and serves appropriately sized images based on the visitor's device. It works well with PrestaShop product images.

Polish (Pro plan): Enable with "Lossy" compression for product images, or "Lossless" if image quality is critical (e.g., art prints). Polish compresses images on the fly at the edge without modifying your originals.

Step 9: Purging Cloudflare Cache

When you update your store's design, add new products, or change CSS/JS files, you need to purge Cloudflare's cache so visitors see the latest version.

Methods to purge:

  • Purge Everything: Dashboard > Caching > Configuration > Purge Everything. Use sparingly — it forces all assets to be re-fetched from your server.
  • Purge by URL: Purge specific files like example.com/themes/your-theme/assets/css/theme.css
  • Purge by Tag / Prefix: Available on Enterprise plans
  • API-based purge: Use Cloudflare's API to automate cache purging after deployments. You can integrate this into your PrestaShop module deployment workflow.

PrestaShop's CCC system appends version strings to CSS and JS files (e.g., theme.css?v=12345), which naturally busts Cloudflare's cache when files change. If you rely on CCC properly, you rarely need manual cache purges for static assets.

Common Mistakes and How to Avoid Them

Mistake 1: SSL Set to Flexible

Symptoms: Infinite redirect loop, ERR_TOO_MANY_REDIRECTS, white page. Fix: Change SSL mode to Full (Strict) and install an origin certificate on your server.

Mistake 2: Caching Dynamic Pages

Symptoms: Customer A sees Customer B's cart or account details, wrong prices displayed, logged-in users see logged-out content. Fix: Never use "Cache Everything" as a global setting. Only cache static asset paths. Always bypass cache for /order, /cart, /my-account, and the admin panel.

Mistake 3: Rocket Loader Enabled

Symptoms: Add to cart does not work, payment forms do not load, back office modules throw JavaScript errors, product page galleries are broken. Fix: Disable Rocket Loader globally.

Mistake 4: Not Restoring Real IPs

Symptoms: All orders show the same IP address (a Cloudflare IP), geolocation modules show wrong countries, rate limiting bans Cloudflare instead of attackers. Fix: Configure mod_remoteip or ngx_http_realip_module as described above.

Mistake 5: Bot Fight Mode Blocking Webhooks

Symptoms: Payment confirmations never arrive, orders stay in "Awaiting payment" status, IPN/webhook logs show 403 or challenge responses. Fix: Create WAF exception rules for payment provider webhook URLs and IP ranges.

Mistake 6: Email Problems After Setup

Symptoms: Emails stop working, SPF/DKIM validation fails. Cause: Email-related DNS records (MX, SPF TXT, DKIM) were accidentally set to proxied (orange cloud). Fix: All email DNS records must be DNS-only (grey cloud). Proxying only works for HTTP/HTTPS traffic.

Mistake 7: Development Mode Left On

Symptoms: Cache never works, high origin server load. Cause: Development Mode was enabled during setup and forgotten. Fix: Disable Development Mode in Caching > Configuration once your setup is complete. Development Mode automatically disables after 3 hours, but check anyway.

Troubleshooting Checklist

When something goes wrong with Cloudflare and PrestaShop, work through this checklist:

  1. Redirect loops: Check SSL mode (must be Full or Full Strict), check .htaccess for duplicate HTTPS redirects, verify PrestaShop's PS_SSL_ENABLED is set to 1 in the database.
  2. Mixed content warnings: Enable Automatic HTTPS Rewrites in Cloudflare, check for hardcoded http:// URLs in your theme or CMS pages.
  3. Slow TTFB (Time to First Byte): Cloudflare does not cache HTML by default. Slow TTFB is your origin server being slow — optimize PrestaShop (enable CCC, configure OPcache, check database queries) rather than blaming Cloudflare.
  4. CSS/JS not updating: Clear PrestaShop's CCC cache (back office > Performance), then purge Cloudflare cache. Check that CCC is appending version strings to file URLs.
  5. Admin panel slow or broken: Ensure your Page Rule bypasses cache and disables performance features for the admin directory. Check that Cloudflare's WAF is not blocking admin AJAX requests.
  6. Customers getting challenged: Lower Security Level to Medium or Low. Check Under Attack Mode is not enabled (it should only be used during active DDoS attacks). Review firewall events in Security > Events to see what rules are triggering.
  7. API calls failing: If your store has REST API endpoints or web services, ensure Cloudflare is not challenging or blocking API requests. Create a WAF rule to allow requests to /api/* from known IP ranges.
  8. Images not loading: Check if Hotlink Protection is enabled and accidentally blocking your own domain. Verify that image URLs are using HTTPS.

Cloudflare with PrestaShop Multistore

If you run PrestaShop multistore with multiple domains, each domain must be added to Cloudflare separately (on the free plan, each domain is a separate zone). Ensure that:

  • SSL mode is set to Full (Strict) on every zone
  • Page Rules are duplicated for each domain
  • Real IP restoration covers all domains (mod_remoteip is global, so one configuration handles all virtual hosts)

Recommended Cloudflare Plan for PrestaShop

The free plan covers most needs: DNS, CDN, basic WAF, and SSL. The Pro plan (approximately 20 USD/month) adds Mirage, Polish, WAF managed rulesets, and more Page Rules. For high-traffic stores, the Business plan adds custom WAF rules and additional performance features. Most small to medium PrestaShop stores run perfectly well on the free or Pro plan.

Summary

Setting up Cloudflare with PrestaShop correctly comes down to a few critical decisions: use Full (Strict) SSL, disable Rocket Loader, bypass cache on dynamic pages, restore real visitor IPs, and protect payment webhooks from bot protection. Get these right from the start and Cloudflare becomes a powerful ally for your store's performance and security. Get them wrong and you will spend hours debugging redirect loops, broken checkouts, and phantom orders. Take the time to configure it properly once, and your PrestaShop store will benefit from faster load times worldwide, reduced server load, and robust protection against attacks.

For more details, read our guides: How to Set Up SSL and HTTPS on PrestaShop and PrestaShop Cache: Full Page Cache Modules Explained.
