Cloudflare's Free Tier: What You Get for $0 and Where the Upsell Starts
Cloudflare's free tier includes DNS hosting, a global CDN, DDoS protection, SSL/TLS termination, basic WAF rules, and five page rules — for zero dollars, indefinitely, with no credit card required. If that sounds too good to be true, it isn't. Cloudflare's business model subsidizes the free tier with enterprise contracts, and the free product is genuinely excellent. It is also — and this matters for self-hosters specifically — the single most impactful infrastructure decision you can make before spending a dollar on anything else.
What The Docs Say
The free plan documentation lists a feature set that reads like it was designed by someone who wanted to put managed hosting providers out of business. DNS hosting with Cloudflare's anycast network — your DNS queries resolve from the nearest of 300+ data centers worldwide. A CDN that caches static assets at the edge and serves them to visitors without hitting your origin server. DDoS mitigation that absorbs volumetric attacks automatically. SSL/TLS termination so traffic between your visitors and Cloudflare is encrypted, and you can enforce encryption between Cloudflare and your origin. A web application firewall with managed rulesets for common attack patterns. Five page rules for URL-based redirects, cache overrides, or forced HTTPS.
Beyond the core plan, Cloudflare offers several free-tier products that operate alongside your domain. Workers — serverless JavaScript execution at the edge — gives you 100,000 requests per day for free. Pages — static site hosting — offers unlimited sites, unlimited bandwidth, and unlimited requests. R2 — S3-compatible object storage — includes 10GB of free storage with no egress fees. Cloudflare Tunnel — a daemon that connects your origin server to Cloudflare's network without opening inbound ports — is free with no usage limits.
What Actually Happens
Start with DNS, because this is the foundation everything else builds on. Moving your domain's nameservers to Cloudflare is the single best thing you can do for your self-hosted infrastructure, and it costs nothing. Cloudflare's DNS is fast — consistently the fastest public DNS resolver in independent benchmarks — and the anycast network means queries resolve from the closest edge location regardless of where your users are. You also get free DNSSEC, which prevents DNS spoofing attacks, and a dashboard that's genuinely pleasant to use for managing records. The propagation speed for DNS changes is near-instant within Cloudflare's network, compared to the "up to 48 hours" you'll see with budget registrar DNS.
Once your DNS is on Cloudflare, you can proxy your traffic through their network by clicking the orange cloud icon next to your DNS records. This does three things simultaneously: it hides your origin server's IP address (visitors see Cloudflare's IP, not yours), it caches static assets at edge locations globally, and it applies DDoS protection to all incoming traffic. For a self-hoster running a VPS on Hetzner, this transforms your single-server setup from "everything hits one box in Falkenstein" to "static assets are served from 300+ locations, and only dynamic requests reach your server." The performance improvement for sites with any static content is substantial and immediate.
The DDoS protection on the free tier is not a token gesture. Cloudflare mitigates layer 3/4 attacks (volumetric floods) and layer 7 attacks (HTTP floods) automatically. You don't configure it, you don't pay for it, and it works. Self-hosters running services on a single VPS are particularly vulnerable to DDoS because one overwhelmed server means total downtime — Cloudflare absorbs the attack traffic before it reaches your origin. This alone makes the free tier worth the five minutes it takes to set up.
Now, Cloudflare Tunnel — this is the feature that changes the self-hosting security model. Traditionally, exposing a service on your VPS means opening ports 80 and 443 to the internet, configuring a reverse proxy, and hoping your firewall rules are correct. Cloudflare Tunnel inverts this. You run a small daemon called cloudflared on your server, and it establishes an outbound connection to Cloudflare's network. Traffic flows from visitors to Cloudflare to your tunnel to your server — and your server never opens an inbound port at all. Your VPS's IP address is never exposed. Port scans find nothing. The entire attack surface of "someone found your server's IP and is probing open ports" disappears.
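"Port scans find nothing" holds only when the services behind the tunnel listen on loopback and nothing else is bound to a public interface. The check below is an added example, not part of the original article: it reads `ss -Htln` output and reports listeners outside an allowlist. The sample socket table and the function names are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the article): audit which TCP listeners on the
# origin are reachable from outside the host once traffic arrives by tunnel.

# Constructed sample of `ss -Htln` output: State Recv-Q Send-Q Local Peer.
sample_ss() {
  cat <<'EOF'
LISTEN 0 4096 127.0.0.1:3000 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 4096 [::1]:5432 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
EOF
}

# Print "address port" for every listener not bound to loopback.
exposed_listeners() {
  awk '$1 == "LISTEN" {
    port = $4; sub(/.*:/, "", port)              # text after the last colon
    host = $4; sub(/:[^:]*$/, "", host)          # text before the last colon
    gsub(/\[/, "", host); gsub(/\]/, "", host)   # [::1] -> ::1
    sub(/%.*/, "", host)                         # drop a scope such as %lo
    if (host ~ /^127\./ || host == "::1") next   # loopback: not exposed
    print host, port
  }'
}

# Return 0 only if every exposed listener uses a port in the allowlist.
# Usage on a live host: ss -Htln | audit_origin "22"
audit_origin() {
  exposed=$(exposed_listeners | awk -v allowed=" $1 " \
    'index(allowed, " " $2 " ") == 0 { print "exposed: " $1 " port " $2 }')
  [ -z "$exposed" ] && return 0
  printf '%s\n' "$exposed" >&2
  return 1
}

# Demo on the sample: SSH is allowed, the app on 0.0.0.0:8080 is flagged.
sample_ss | audit_origin "22" || echo "rebind flagged services to 127.0.0.1"
```

A listener on an allowlisted port such as SSH is still visible to a scan of the server's IP, so the host firewall decides who can reach it.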
Setting up a tunnel takes about 15 minutes: install cloudflared, authenticate it with your Cloudflare account, create a tunnel, and map it to your local services. The configuration is a YAML file that maps public hostnames to local ports — app.yourdomain.com routes to localhost:3000, db-admin.yourdomain.com routes to localhost:8080, and so on. Cloudflare handles SSL termination, so your local services can run plain HTTP while visitors get HTTPS. This is genuinely elegant infrastructure for zero dollars.
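The hostname-to-port mapping described above, as an added example that is not part of the original article: a small generator for the `config.yml` ingress section that validates each pair and appends the catch-all rule cloudflared requires as the last entry. The tunnel name `homelab`, the `<TUNNEL-UUID>` placeholder and the function name are assumptions. Every hostname listed becomes reachable from the internet through Cloudflare, so an admin panel like the `db-admin` example needs its own authentication.

```sh
#!/bin/sh
# Added example (not from the article): build a cloudflared config.yml
# from "hostname=port" pairs. Names and paths below are placeholders.

# Usage: render_tunnel_config TUNNEL_ID CREDS_FILE host=port [host=port ...]
render_tunnel_config() {
  tunnel=$1 creds=$2
  shift 2
  printf 'tunnel: %s\ncredentials-file: %s\ningress:\n' "$tunnel" "$creds"
  for pair in "$@"; do
    case "$pair" in
      *=*) ;;
      *) echo "expected host=port, got: $pair" >&2; return 1 ;;
    esac
    host=${pair%%=*} port=${pair#*=}
    # Accept only a plain hostname and a numeric port.
    case "$host" in
      ''|*[!A-Za-z0-9.-]*) echo "bad hostname: $host" >&2; return 1 ;;
    esac
    case "$port" in
      ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;;
    esac
    printf '  - hostname: %s\n    service: http://localhost:%s\n' "$host" "$port"
  done
  # Final catch-all: requests for any unlisted hostname get a 404.
  printf '  - service: http_status:404\n'
}

# The steps from the text, for a tunnel named "homelab" (placeholder):
#   cloudflared tunnel login
#   cloudflared tunnel create homelab      # writes ~/.cloudflared/<TUNNEL-UUID>.json
#   render_tunnel_config ... > ~/.cloudflared/config.yml   (as in the demo below)
#   cloudflared tunnel ingress validate
#   cloudflared tunnel route dns homelab app.yourdomain.com
#   cloudflared tunnel run homelab

# Demo: print the config for the two services named in the article.
render_tunnel_config '<TUNNEL-UUID>' "$HOME/.cloudflared/<TUNNEL-UUID>.json" \
  app.yourdomain.com=3000 db-admin.yourdomain.com=8080
```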
Workers on the free tier give you 100,000 requests per day — enough for lightweight API endpoints, redirects, A/B testing, or header manipulation at the edge. The limitation is 10ms CPU time per invocation on the free plan, which rules out heavy computation but handles most request-routing and transformation tasks. Pages is unlimited for static sites — deploy a Hugo, Astro, or plain HTML site and Cloudflare hosts it globally with automatic builds from Git. For self-hosters, Pages is the right answer for any static frontend that doesn't need server-side rendering.
R2 storage deserves specific attention because of what it doesn't charge: egress. AWS S3, Google Cloud Storage, and Azure Blob Storage all charge you when data leaves their network — and those egress fees add up fast if you're serving media files or hosting backups that get downloaded regularly. R2 charges $0 for egress. The free tier gives you 10GB of storage, 1 million Class A operations (writes), and 10 million Class B operations (reads) per month. For self-hosters, this is a natural home for backups, media files, or any static content you want to serve through Cloudflare's CDN. Beyond the free tier, storage is $0.015/GB/month — roughly comparable to S3 pricing but without the egress cost that typically doubles or triples your effective S3 bill.
When To Use This
Use Cloudflare's free tier for every domain you own, regardless of where you host. There is no downside. The DNS is faster than your registrar's, the CDN improves load times, the DDoS protection is insurance you'd be foolish to skip, and the SSL termination simplifies your server configuration. If you're self-hosting on a VPS — Hetzner, DigitalOcean, anywhere — Cloudflare should be the first thing you configure, before Coolify, before Docker, before anything else.
Use Cloudflare Tunnel specifically if you're running services that don't need to be directly reachable by IP. This covers most self-hosted applications. The security improvement from eliminating open inbound ports is significant, and the setup cost is minimal. The main exceptions are services that need raw TCP connections (some game servers, certain database protocols) or applications where the added latency hop through Cloudflare's network is unacceptable — which in practice means almost nothing for typical self-hosted workloads.
Use R2 for backups and media storage. The zero-egress pricing model means you can store backup snapshots and download them during a restore without an unexpected bill. Pair R2 with restic or rclone for automated backup shipping — the S3-compatible API means any tool that works with S3 works with R2.
Use Pages for any static site. If your project doesn't need a server, don't use your server. Pages is faster (edge-served), more reliable (Cloudflare's infrastructure vs. your single VPS), and free.
When To Skip This
The free tier has real boundaries, and knowing where they are matters.
Rate limiting rules — the ability to throttle requests from specific IPs or to specific endpoints — require the Pro plan at $20/month. If you're running an API that needs rate limiting, you'll either pay Cloudflare or implement it yourself at the origin. The free WAF rules cover common attacks but don't include the advanced managed rulesets (OWASP Core Rule Set, for example) available on paid plans. Image optimization — automatic resizing, format conversion, quality adjustment — is a paid feature through Cloudflare Images or Polish.
Argo Smart Routing, which optimizes the path between Cloudflare's edge and your origin server for faster dynamic content delivery, costs $5/month plus $0.10 per GB. If your application is latency-sensitive and serves dynamic content to a global audience, Argo is the first paid Cloudflare feature worth considering. For most self-hosted setups, it's unnecessary — the free tier's standard routing is fine.
The broader concern with Cloudflare is vendor concentration. If you're using Cloudflare for DNS, CDN, tunnel, storage, and static hosting, a single Cloudflare outage or account issue takes down everything simultaneously. Cloudflare's uptime record is strong, but the risk of putting all infrastructure behind one provider — even a free one — is worth acknowledging. The mitigation is having documented fallback plans: know how to point your DNS back to your registrar, know how to open ports on your VPS and configure direct access, keep your R2 backups replicated to a second storage provider. You probably won't need these fallbacks. But "probably" is not "definitely," and the difference matters when your services are down.
The honest take on Cloudflare's free tier: it's the best deal in infrastructure. Not the best free deal — the best deal, period. The combination of DNS, CDN, DDoS protection, tunnels, edge compute, static hosting, and S3-compatible storage at zero cost is absurd, and it's been stable long enough that betting on it is reasonable. Use it. Just don't forget that free products serve the provider's strategy — and Cloudflare's strategy is to be so embedded in your infrastructure that upgrading to paid features feels inevitable. That's not sinister. It's just business. And on the free tier, the business works in your favor.
This is part of CustomClanker's Self-Hosting series — the honest cost of running it yourself.