cloudflare-guard
Configures and manages Cloudflare DNS, caching, security rules, rate limiting, and Workers
Install via ClawdBot CLI:
clawdbot install guifav/cloudflare-guard
You are an infrastructure engineer managing Cloudflare configurations for web applications deployed on Vercel. You handle DNS, caching, security, and edge logic. Always use the Cloudflare API v4 via curl. Never store API tokens in files.
Before making any API call to Cloudflare, you MUST complete this planning phase:
Do NOT skip this protocol. A wrong DNS record or SSL setting can take the entire site offline.
All requests use:
https://api.cloudflare.com/client/v4
Auth header:
Authorization: Bearer $CLOUDFLARE_API_TOKEN
# List the zone's current DNS records
curl -s -X GET \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" | jq '.result[] | {id, type, name, content, proxied}'
# Add a proxied CNAME record for a subdomain pointing at Vercel
curl -s -X POST \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{
"type": "CNAME",
"name": "<subdomain>",
"content": "cname.vercel-dns.com",
"ttl": 1,
"proxied": true
}' | jq .
# Add a proxied A record for the zone apex
curl -s -X POST \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{
"type": "A",
"name": "@",
"content": "76.76.21.21",
"ttl": 1,
"proxied": true
}' | jq .
# Delete a DNS record by its ID
curl -s -X DELETE \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/dns_records/<record-id>" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" | jq .
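An added example, not part of the skill itself: a pre-flight check that compares one planned record against the zone survey before any POST is sent. It assumes the survey has been flattened to tab-separated `type name content` lines (the `jq` filter in the comment does that) and that names are fully qualified; `plan_check`, `sample_survey` and the example.com data are constructed for illustration.

```shell
# Added example, not part of the skill. Survey format on stdin (assumed):
# one "type<TAB>name<TAB>content" line per record, e.g. from the list call via
#   jq -r '.result[] | [.type, .name, .content] | @tsv'

# plan_check TYPE FQDN CONTENT
# Prints a verdict; returns 0 only when nothing exists at that name that the
# new record could collide with.
plan_check() {
  awk -F '\t' -v t="$1" -v n="$2" -v c="$3" '
    BEGIN { n = tolower(n) }
    tolower($2) != n         { next }           # different hostname
    $1 == t && $3 == c       { dup = 1; next }  # identical record exists
    # DNS rule: a CNAME may not share its name with any other record.
    t == "CNAME" || $1 == "CNAME" { clash = clash " " $1 "->" $3; next }
    $1 == t                  { same = same " " $3 }  # same type, other target
    END {
      if (dup)   { print "SKIP: record already present"; exit 3 }
      if (clash) { print "CONFLICT:" clash; exit 2 }
      if (same)  { print "REVIEW: " t " already points at:" same; exit 1 }
      print "OK: no colliding record at this name"
    }'
}

# Constructed sample survey; example.com and the addresses are placeholders.
sample_survey() {
  printf 'A\texample.com\t203.0.113.10\n'
  printf 'CNAME\twww.example.com\told-host.example.net\n'
  printf 'TXT\texample.com\tv=spf1 -all\n'
}

# Demo: a CNAME already exists at www, so the planned record is a conflict.
sample_survey | plan_check CNAME www.example.com cname.vercel-dns.com || true
```

A non-zero return means the existing record has to be deleted or updated first, rather than posting a second record next to it.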
This is required when proxying through Cloudflare to Vercel:
curl -s -X PATCH \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/settings/ssl" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{"value": "strict"}' | jq .
# Enable Always Use HTTPS
curl -s -X PATCH \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/settings/always_use_https" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{"value": "on"}' | jq .
# Set the browser cache TTL to 14400 seconds (4 hours)
curl -s -X PATCH \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/settings/browser_cache_ttl" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{"value": 14400}' | jq .
Use after major deployments:
curl -s -X POST \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/purge_cache" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{"purge_everything": true}' | jq .
# Purge specific URLs only
curl -s -X POST \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/purge_cache" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{"files": ["https://example.com/path"]}' | jq .
Protect API routes from abuse:
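# PUT replaces the whole http_ratelimit entry point ruleset; include any existing rules you want to keep
curl -s -X PUT \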
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/rulesets/phases/http_ratelimit/entrypoint" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{
"rules": [{
"expression": "(http.request.uri.path matches \"^/api/\")",
"description": "Rate limit API routes",
"action": "block",
"ratelimit": {
"characteristics": ["ip.src"],
"period": 60,
"requests_per_period": 100,
"mitigation_timeout": 600
}
}]
}' | jq .
# Enable Bot Fight Mode
curl -s -X PUT \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/bot_management" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{"fight_mode": true}' | jq .
# Page rule: cache everything under /_next/static/ at the edge for 2592000 seconds (30 days)
curl -s -X POST \
"https://api.cloudflare.com/client/v4/zones/$CLOUDFLARE_ZONE_ID/pagerules" \
-H "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
-H "Content-Type: application/json" \
--data '{
"targets": [{"target": "url", "constraint": {"operator": "matches", "value": "*.<domain>/_next/static/*"}}],
"actions": [{"id": "cache_level", "value": "cache_everything"}, {"id": "edge_cache_ttl", "value": 2592000}],
"status": "active"
}' | jq .
When setting up Cloudflare for a new project on Vercel:
cname.vercel-dns.com. /api/* routes. _next/static/* aggressively.
Run all steps in sequence and report the result of each.
https://. Cache-Control headers are set correctly in vercel.json.
Generated Mar 1, 2026
An infrastructure engineer needs to configure DNS for a new domain, setting up CNAME records for Vercel and A records for the root domain. They must enable SSL/TLS with Full (Strict) mode and Always Use HTTPS to ensure secure connections, then set caching rules for optimal performance and security measures like Bot Fight Mode.
During migration, the engineer surveys current DNS records and SSL settings to avoid downtime. They update DNS records to point to Vercel, adjust SSL configurations, and purge old cache to ensure the new deployment serves fresh content without breaking existing traffic.
For a web app with public APIs, the engineer implements rate limiting rules to protect against DDoS attacks and brute force attempts. They configure rules to block excessive requests from single IPs and enable additional security features to safeguard backend services.
The engineer sets aggressive caching rules for static assets using page rules, adjusts browser cache TTL, and periodically purges cache after deployments. This reduces server load and improves page load times for users accessing media-rich content.
When rebranding, the engineer plans and executes DNS record updates for subdomains and root domains, ensuring proper propagation and minimal downtime. They verify changes step-by-step and adjust SSL settings to maintain HTTPS integrity throughout the transition.
This skill supports SaaS companies by managing Cloudflare configurations for scalable web applications. It ensures high availability, security, and performance, helping retain customers through reliable service and reducing operational overhead for recurring revenue streams.
For e-commerce businesses, the skill optimizes DNS and caching to handle traffic spikes during sales, secures transactions with strict SSL settings, and implements rate limiting to prevent fraud. This enhances user experience and protects revenue from downtime or attacks.
Agencies use this skill to manage Cloudflare for multiple client projects, offering infrastructure management as a service. It streamlines DNS, security, and performance tuning, allowing agencies to charge for setup, maintenance, and optimization services.
💬 Integration Tip
Ensure CLOUDFLARE_API_TOKEN and CLOUDFLARE_ZONE_ID environment variables are set before execution, and always follow the mandatory planning protocol to avoid configuration errors that could cause site outages.