6 · Cloudflare CDN

# ZajLibrary — implementation playbook

You are a **senior implementation assistant** working inside the user’s real development environment (terminal, editor, git repo). You are **not** a documentation writer, tutor, or library editor.

**Mission:** Execute the procedure described below in the user’s real project workspace — create or modify the files and run the commands it specifies. Do not just summarize it.

## Metadata
- title: 6 · Cloudflare CDN
- url: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/06-cloudflare-cdn/
- shelf: Build & Create
- doc_type: implementation playbook
- status: current
- kind: playbook
- category: tech-stack
- subcategory: laravel
- topic: codecanyon
- phase: 4
- step_number: 6
- est_time: ~45–60 min (+ nameserver propagation)
- description: Front the app with Cloudflare on the Free plan — nameserver cutover, API-driven DNS, Full (Strict) SSL + HSTS, WAF and rate limiting, cache rules, DNSSEC, and a final API verification probe. Rocket Loader stays OFF for Laravel.
- tags: codecanyon, cloudflare, cdn, waf, security

## Execution rules (binding)
- This is step 6 of phase 4 (~45–60 min (+ nameserver propagation)) — do only this step, then stop at its `## Checklist`.
- Follow `## Steps` in order. Do not skip steps or declare the work complete early.
- Respect `:::note[Who does this]`: 👤 **User** steps (browser, downloads, OAuth, moving files) need the human — wait for or instruct them; 🤖 **Agent** steps you run in the shell.
- After every command, compare its output to the `# Expected:` comment or ✅ bullet beneath it. If it differs, **stop, show what you got, and ask how to proceed** — do not guess or rewrite the procedure.
- Honor `:::caution` / `:::note` callouts as hard gates (a step may forbid a command at this stage).
- Do not mark the step done until every `## Checklist` item is genuinely satisfied.
- Scope: implement only what this page describes — no refactors, added features, or later-phase work unless the page says so.
- When reporting progress, cite the `##` / `###` headings you completed or got blocked on.
- Secrets: never put API keys, passwords, or `.env` values in frontend code, commits, or chat logs — use server-side `.env` / config only, and keep `.env` gitignored.

---

# 6 · Cloudflare CDN

## TL;DR

**Objective** — front the app with Cloudflare on the **Free plan** (TLS termination, DDoS absorption, a WAF, global caching): nameserver cutover, API-driven DNS, Full (Strict) SSL + HSTS, WAF and rate limiting, cache rules, DNSSEC, and a final API verification probe — with Rocket Loader **OFF** for Laravel.

:::note[User part + done-when]
**👤 User part** — the account, zone add, and nameserver cutover happen in the Cloudflare and registrar dashboards: a person creates the zone, updates the registrar's nameservers, sets the SSL mode and WAF/rate-limit rules in the UI, and adds the DNSSEC DS record at the registrar. An agent drives DNS via the API and runs the verification probe.

**Done when** the zone is Active on Cloudflare nameservers, SSL is Full (Strict) with HSTS, WAF + one rate-limit rule are within budget, the static-asset cache rule is live, Rocket Loader is off, DNSSEC is active, and the probe shows `cf-ray`, the HSTS header, and `"status":"active"`. &nbsp;·&nbsp; **⏱ ~45–60 min (+ nameserver propagation)** &nbsp;·&nbsp; 🔀 mixed (👤 dashboards, 🤖 API DNS + probe).
:::

## Background

:::note[SHOULD — edge security + performance]
Cloudflare adds a caching/security edge in front of the origin: TLS termination, DDoS absorption, a WAF, and global caching. This page configures it on the **Free plan**, which covers everything a typical CodeCanyon launch needs.
:::

## Steps

### 1. Budget against the Free plan

Free tier limits are real — plan inside them so nothing silently fails to apply.

| Resource | Free-plan budget | Notes |
|---|---|---|
| WAF custom rules | 5 | Spend on the highest-value blocks |
| Rate-limiting rules | 1 | Reserve for login/API abuse |
| Cache rules | a few | One good static-asset rule goes far |
| Page Rules (legacy) | 3 | Prefer modern Rules where possible |

:::note[Free-plan rate-limit rule requires two extra API fields]
On the Free plan you get one rate-limit rule, and the API rejects the rule unless the `ratelimit` object includes both `mitigation_timeout` and `characteristics`.

```bash
curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/<zone-id>/rulesets/phases/http_ratelimit/entrypoint" \
  -H "Authorization: Bearer $CF_API_TOKEN" -H "Content-Type: application/json" \
  --data '{"rules":[{
    "expression": "(starts_with(http.request.uri.path, \"/admin\")) or (starts_with(http.request.uri.path, \"/login\"))",
    "action": "block",
    "ratelimit": {
      "requests_per_period": 10, "period": 10,
      "mitigation_timeout": 10,
      "characteristics": ["cf.colo.id", "ip.src"]
    },
    "description": "Rate limit admin + login (10 req/10s)"
  }]}'
```

Scope the single rule to `/admin` + `/login` only — never the landing page or public API. Additional rate-limit rules require Pro.
:::

### 2. Add the zone and cut over nameservers

:::note[Who does this]
👤 **User** adds the zone in Cloudflare and updates the registrar's nameservers — dashboard/registrar actions an agent can't perform.
:::

<Steps>

1. **Add the site as a zone** in Cloudflare; it imports existing records — **audit the import** against what page 2 and page 5 created.

   - ✅ The zone exists and its imported records have been audited.

2. **Update the registrar's nameservers** to Cloudflare's pair, then wait for the zone to go **Active**.

   ```bash
   dig NS example.com    # returns Cloudflare nameservers once Active
   # Expected: the NS query returns Cloudflare's nameserver pair
   ```

   - ✅ `dig NS example.com` returns Cloudflare and the zone shows **Active**.

</Steps>

:::caution[Re-check email DNS after import]
Confirm the SPF/DKIM/DMARC/MX records from **[5 · DNS email](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/05-dns-email/)** survived the import intact — a dropped MX silently kills mail.
:::

### 3. Configure DNS via the API

Drive record changes through the API so they're scriptable and auditable. Use a scoped token (Zone:DNS:Edit), never the global key.

<Steps>

1. **Create records through the API** — load the token from vault or a mode-600 file; **never** `export CF_API_TOKEN="<literal>"` in a runbook (visible in shell history and `ps`):

   ```bash
   # CF_API_TOKEN and ZONE_ID already exported from vault / ~/.zshrc (see Phase 1 machine setup)
   curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
     -H "Authorization: Bearer $CF_API_TOKEN" -H "Content-Type: application/json" \
     --data '{"type":"A","name":"app","content":"<origin-ip>","proxied":true}'
   # Expected: a JSON response with "success":true and the created record
   ```

   - ✅ Records are created via the scoped-token API; `proxied:true` (orange cloud) routes traffic through Cloudflare, `false` (grey cloud) is DNS-only.

</Steps>

### 4. Set SSL/TLS and HSTS

:::note[Who does this]
👤 **User** sets the SSL mode, Always Use HTTPS, and HSTS toggles in the Cloudflare dashboard.
:::

- Set SSL mode to **Full (Strict)** — encrypts edge↔origin *and* validates the origin cert. `Flexible` causes redirect loops and is insecure.
- Enable **Always Use HTTPS**.
- Enable **HSTS** only once you're confident HTTPS is permanent (it's hard to undo): `max-age` ≥ 6 months, include subdomains, preload optional.

### 5. Configure security: WAF + rate limiting

Spend the 5 WAF rules on real threats (block bad bots, restrict `/admin` by country/ASN, challenge suspicious paths). Use the single rate-limit rule on the login or API endpoint most likely to be brute-forced.

### 6. Configure caching and speed

- **Cache rule:** cache static assets (`/build/*`, `/images/*`) aggressively; bypass cache for authenticated/app routes and anything with a session cookie.
- Enable Brotli and Tiered Cache. (Cloudflare removed Auto Minify in Aug 2024 — minify in your build pipeline instead.)

:::danger[Rocket Loader must stay OFF for Laravel]
Rocket Loader defers and reorders JavaScript, which breaks Laravel apps that rely on inline script ordering, CSRF token injection, and Livewire/Alpine/Vite-bundled scripts. Leave **Rocket Loader = off**. Enabling it is a frequent "the app's JS randomly breaks in production" cause.
:::

### 7. Enable DNSSEC and optional Zero Trust

- Enable **DNSSEC** in Cloudflare, then add the **DS record** it generates at your registrar — DNSSEC isn't active until the registrar side is done.
- Optionally protect staging with **Zero Trust Access** (email-OTP gate) so the unfinished site isn't public.

### 8. Run the final verification probe

Confirm the edge is live, encrypted end-to-end, and DNSSEC-validated.

<Steps>

1. **Probe the zone over HTTP and the API.**

   ```bash
   # Zone is active and proxied (expect cf-ray + cf-cache-status headers)
   curl -sI https://app.example.com | grep -iE 'cf-ray|cf-cache-status|strict-transport'

   # SSL mode end-to-end (expect HTTP/2 200, valid cert)
   curl -sI https://app.example.com | head -1

   # DNSSEC validated via a validating resolver (AD bit)
   dig +dnssec @1.1.1.1 example.com A | grep -q 'flags:.* ad' && echo "DNSSEC validated"
   dig DNSKEY example.com +short | grep -q . && echo "DNSKEY published"

   # Zone status via API
   curl -s "https://api.cloudflare.com/client/v4/zones/$ZONE_ID" \
     -H "Authorization: Bearer $CF_API_TOKEN" | grep -o '"status":"[^"]*"'
   # Expected: cf-ray present (proxied), a strict-transport-security header, zone "status":"active", and DNSSEC validated
   ```

   - ✅ The probe shows `cf-ray` (proxied), the `strict-transport-security` header (HSTS), zone `"status":"active"`, and DNSSEC validated.

</Steps>

:::caution[Cloudflare API read-value gotchas in the probe]
Three API behaviors trip up verification probes — none are failures by themselves:

- **`tls_1_3` can read back as `"zrt"`, not `"on"`.** That means TLS 1.3 with 0-RTT. Only `"off"` or `ERR` are failures.
- **List rules by phase via the entrypoint endpoint**, not a query param: `GET /zones/<zone>/rulesets/phases/<phase>/entrypoint`. The intuitive `/rulesets?phase=<phase>` can silently return the full ruleset list.
- **`browser_check` may read back empty** on some API versions even when enabled — fall back to the dashboard instead of treating blank as off.

```bash
curl -s "https://api.cloudflare.com/client/v4/zones/<zone-id>/rulesets/phases/http_ratelimit/entrypoint" \
  -H "Authorization: Bearer $CF_API_TOKEN"
# Expected: the rules array for that phase only; a missing entrypoint means zero rules for the phase
```
:::

## Checklist

Do not mark this step done until **every** box below is checked.

- [ ] **👤 Zone Active** — nameservers are Cloudflare's; imported records audited (esp. email DNS).
- [ ] **👤 SSL hardened** — SSL = **Full (Strict)**, Always Use HTTPS on, HSTS set.
- [ ] **👤 WAF within budget** — WAF rules + 1 rate-limit rule within Free-plan budget.
- [ ] **🔀 Cache rule live** — static-asset cache rule live; app/auth routes bypass cache.
- [ ] **🔀 Rocket Loader OFF; DNSSEC active** — DS added at registrar.
- [ ] **🤖 Probe green** — verification probe shows `cf-ray`, HSTS header, and `"status":"active"`.

:::next[Next step]
[Release + incident response](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/07-release-and-incident/)
:::

# 6 · Cloudflare CDN

> Source: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/06-cloudflare-cdn/

## TL;DR

**Objective** — front the app with Cloudflare on the **Free plan** (TLS termination, DDoS absorption, a WAF, global caching): nameserver cutover, API-driven DNS, Full (Strict) SSL + HSTS, WAF and rate limiting, cache rules, DNSSEC, and a final API verification probe — with Rocket Loader **OFF** for Laravel.

:::note[User part + done-when]
**👤 User part** — the account, zone add, and nameserver cutover happen in the Cloudflare and registrar dashboards: a person creates the zone, updates the registrar's nameservers, sets the SSL mode and WAF/rate-limit rules in the UI, and adds the DNSSEC DS record at the registrar. An agent drives DNS via the API and runs the verification probe.

**Done when** the zone is Active on Cloudflare nameservers, SSL is Full (Strict) with HSTS, WAF + one rate-limit rule are within budget, the static-asset cache rule is live, Rocket Loader is off, DNSSEC is active, and the probe shows `cf-ray`, the HSTS header, and `"status":"active"`. &nbsp;·&nbsp; **⏱ ~45–60 min (+ nameserver propagation)** &nbsp;·&nbsp; 🔀 mixed (👤 dashboards, 🤖 API DNS + probe).
:::

## Background

:::note[SHOULD — edge security + performance]
Cloudflare adds a caching/security edge in front of the origin: TLS termination, DDoS absorption, a WAF, and global caching. This page configures it on the **Free plan**, which covers everything a typical CodeCanyon launch needs.
:::

## Steps

### 1. Budget against the Free plan

Free tier limits are real — plan inside them so nothing silently fails to apply.

| Resource | Free-plan budget | Notes |
|---|---|---|
| WAF custom rules | 5 | Spend on the highest-value blocks |
| Rate-limiting rules | 1 | Reserve for login/API abuse |
| Cache rules | a few | One good static-asset rule goes far |
| Page Rules (legacy) | 3 | Prefer modern Rules where possible |

:::note[Free-plan rate-limit rule requires two extra API fields]
On the Free plan you get one rate-limit rule, and the API rejects the rule unless the `ratelimit` object includes both `mitigation_timeout` and `characteristics`.

```bash
curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/<zone-id>/rulesets/phases/http_ratelimit/entrypoint" \
  -H "Authorization: Bearer $CF_API_TOKEN" -H "Content-Type: application/json" \
  --data '{"rules":[{
    "expression": "(starts_with(http.request.uri.path, \"/admin\")) or (starts_with(http.request.uri.path, \"/login\"))",
    "action": "block",
    "ratelimit": {
      "requests_per_period": 10, "period": 10,
      "mitigation_timeout": 10,
      "characteristics": ["cf.colo.id", "ip.src"]
    },
    "description": "Rate limit admin + login (10 req/10s)"
  }]}'
```

Scope the single rule to `/admin` + `/login` only — never the landing page or public API. Additional rate-limit rules require Pro.
:::

### 2. Add the zone and cut over nameservers

:::note[Who does this]
👤 **User** adds the zone in Cloudflare and updates the registrar's nameservers — dashboard/registrar actions an agent can't perform.
:::

<Steps>

1. **Add the site as a zone** in Cloudflare; it imports existing records — **audit the import** against what page 2 and page 5 created.

   - ✅ The zone exists and its imported records have been audited.

2. **Update the registrar's nameservers** to Cloudflare's pair, then wait for the zone to go **Active**.

   ```bash
   dig NS example.com    # returns Cloudflare nameservers once Active
   # Expected: the NS query returns Cloudflare's nameserver pair
   ```

   - ✅ `dig NS example.com` returns Cloudflare and the zone shows **Active**.

</Steps>

:::caution[Re-check email DNS after import]
Confirm the SPF/DKIM/DMARC/MX records from **[5 · DNS email](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/05-dns-email/)** survived the import intact — a dropped MX silently kills mail.
:::

### 3. Configure DNS via the API

Drive record changes through the API so they're scriptable and auditable. Use a scoped token (Zone:DNS:Edit), never the global key.

<Steps>

1. **Create records through the API** — load the token from vault or a mode-600 file; **never** `export CF_API_TOKEN="<literal>"` in a runbook (visible in shell history and `ps`):

   ```bash
   # CF_API_TOKEN and ZONE_ID already exported from vault / ~/.zshrc (see Phase 1 machine setup)
   curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
     -H "Authorization: Bearer $CF_API_TOKEN" -H "Content-Type: application/json" \
     --data '{"type":"A","name":"app","content":"<origin-ip>","proxied":true}'
   # Expected: a JSON response with "success":true and the created record
   ```

   - ✅ Records are created via the scoped-token API; `proxied:true` (orange cloud) routes traffic through Cloudflare, `false` (grey cloud) is DNS-only.

</Steps>

### 4. Set SSL/TLS and HSTS

:::note[Who does this]
👤 **User** sets the SSL mode, Always Use HTTPS, and HSTS toggles in the Cloudflare dashboard.
:::

- Set SSL mode to **Full (Strict)** — encrypts edge↔origin *and* validates the origin cert. `Flexible` causes redirect loops and is insecure.
- Enable **Always Use HTTPS**.
- Enable **HSTS** only once you're confident HTTPS is permanent (it's hard to undo): `max-age` ≥ 6 months, include subdomains, preload optional.

### 5. Configure security: WAF + rate limiting

Spend the 5 WAF rules on real threats (block bad bots, restrict `/admin` by country/ASN, challenge suspicious paths). Use the single rate-limit rule on the login or API endpoint most likely to be brute-forced.

### 6. Configure caching and speed

- **Cache rule:** cache static assets (`/build/*`, `/images/*`) aggressively; bypass cache for authenticated/app routes and anything with a session cookie.
- Enable Brotli and Tiered Cache. (Cloudflare removed Auto Minify in Aug 2024 — minify in your build pipeline instead.)

:::danger[Rocket Loader must stay OFF for Laravel]
Rocket Loader defers and reorders JavaScript, which breaks Laravel apps that rely on inline script ordering, CSRF token injection, and Livewire/Alpine/Vite-bundled scripts. Leave **Rocket Loader = off**. Enabling it is a frequent "the app's JS randomly breaks in production" cause.
:::

### 7. Enable DNSSEC and optional Zero Trust

- Enable **DNSSEC** in Cloudflare, then add the **DS record** it generates at your registrar — DNSSEC isn't active until the registrar side is done.
- Optionally protect staging with **Zero Trust Access** (email-OTP gate) so the unfinished site isn't public.

### 8. Run the final verification probe

Confirm the edge is live, encrypted end-to-end, and DNSSEC-validated.

<Steps>

1. **Probe the zone over HTTP and the API.**

   ```bash
   # Zone is active and proxied (expect cf-ray + cf-cache-status headers)
   curl -sI https://app.example.com | grep -iE 'cf-ray|cf-cache-status|strict-transport'

   # SSL mode end-to-end (expect HTTP/2 200, valid cert)
   curl -sI https://app.example.com | head -1

   # DNSSEC validated via a validating resolver (AD bit)
   dig +dnssec @1.1.1.1 example.com A | grep -q 'flags:.* ad' && echo "DNSSEC validated"
   dig DNSKEY example.com +short | grep -q . && echo "DNSKEY published"

   # Zone status via API
   curl -s "https://api.cloudflare.com/client/v4/zones/$ZONE_ID" \
     -H "Authorization: Bearer $CF_API_TOKEN" | grep -o '"status":"[^"]*"'
   # Expected: cf-ray present (proxied), a strict-transport-security header, zone "status":"active", and DNSSEC validated
   ```

   - ✅ The probe shows `cf-ray` (proxied), the `strict-transport-security` header (HSTS), zone `"status":"active"`, and DNSSEC validated.

</Steps>

:::caution[Cloudflare API read-value gotchas in the probe]
Three API behaviors trip up verification probes — none are failures by themselves:

- **`tls_1_3` can read back as `"zrt"`, not `"on"`.** That means TLS 1.3 with 0-RTT. Only `"off"` or `ERR` are failures.
- **List rules by phase via the entrypoint endpoint**, not a query param: `GET /zones/<zone>/rulesets/phases/<phase>/entrypoint`. The intuitive `/rulesets?phase=<phase>` can silently return the full ruleset list.
- **`browser_check` may read back empty** on some API versions even when enabled — fall back to the dashboard instead of treating blank as off.

```bash
curl -s "https://api.cloudflare.com/client/v4/zones/<zone-id>/rulesets/phases/http_ratelimit/entrypoint" \
  -H "Authorization: Bearer $CF_API_TOKEN"
# Expected: the rules array for that phase only; a missing entrypoint means zero rules for the phase
```
:::

## Checklist

Do not mark this step done until **every** box below is checked.

- [ ] **👤 Zone Active** — nameservers are Cloudflare's; imported records audited (esp. email DNS).
- [ ] **👤 SSL hardened** — SSL = **Full (Strict)**, Always Use HTTPS on, HSTS set.
- [ ] **👤 WAF within budget** — WAF rules + 1 rate-limit rule within Free-plan budget.
- [ ] **🔀 Cache rule live** — static-asset cache rule live; app/auth routes bypass cache.
- [ ] **🔀 Rocket Loader OFF; DNSSEC active** — DS added at registrar.
- [ ] **🤖 Probe green** — verification probe shows `cf-ray`, HSTS header, and `"status":"active"`.

:::next[Next step]
[Release + incident response](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/07-release-and-incident/)
:::

TL;DR

Objective — front the app with Cloudflare on the Free plan (TLS termination, DDoS absorption, a WAF, global caching): nameserver cutover, API-driven DNS, Full (Strict) SSL + HSTS, WAF and rate limiting, cache rules, DNSSEC, and a final API verification probe — with Rocket Loader OFF for Laravel.

Background

Steps

1. Budget against the Free plan

Free tier limits are real — plan inside them so nothing silently fails to apply.

Resource	Free-plan budget	Notes
WAF custom rules	5	Spend on the highest-value blocks
Rate-limiting rules	1	Reserve for login/API abuse
Cache rules	a few	One good static-asset rule goes far
Page Rules (legacy)	3	Prefer modern Rules where possible

On the Free plan you get one rate-limit rule, and the API rejects the rule unless the ratelimit object includes both mitigation_timeout and characteristics.

curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/<zone-id>/rulesets/phases/http_ratelimit/entrypoint" \
  -H "Authorization: Bearer $CF_API_TOKEN" -H "Content-Type: application/json" \
  --data '{"rules":[{
    "expression": "(starts_with(http.request.uri.path, \"/admin\")) or (starts_with(http.request.uri.path, \"/login\"))",
    "action": "block",
    "ratelimit": {
      "requests_per_period": 10, "period": 10,
      "mitigation_timeout": 10,
      "characteristics": ["cf.colo.id", "ip.src"]
    },
    "description": "Rate limit admin + login (10 req/10s)"
  }]}'

Scope the single rule to /admin + /login only — never the landing page or public API. Additional rate-limit rules require Pro.

2. Add the zone and cut over nameservers

Add the site as a zone in Cloudflare; it imports existing records — audit the import against what page 2 and page 5 created.
- ✅ The zone exists and its imported records have been audited.
Update the registrar’s nameservers to Cloudflare’s pair, then wait for the zone to go Active.
Terminal window
```
dig NS example.com    # returns Cloudflare nameservers once Active
# Expected: the NS query returns Cloudflare's nameserver pair
```
- ✅ dig NS example.com returns Cloudflare and the zone shows Active.

3. Configure DNS via the API

Drive record changes through the API so they’re scriptable and auditable. Use a scoped token (Zone:DNS:Edit), never the global key.

Create records through the API — load the token from vault or a mode-600 file; never export CF_API_TOKEN="<literal>" in a runbook (visible in shell history and ps):

# CF_API_TOKEN and ZONE_ID already exported from vault / ~/.zshrc (see Phase 1 machine setup)
curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
  -H "Authorization: Bearer $CF_API_TOKEN" -H "Content-Type: application/json" \
  --data '{"type":"A","name":"app","content":"<origin-ip>","proxied":true}'
# Expected: a JSON response with "success":true and the created record

✅ Records are created via the scoped-token API; proxied:true (orange cloud) routes traffic through Cloudflare, false (grey cloud) is DNS-only.

4. Set SSL/TLS and HSTS

Set SSL mode to Full (Strict) — encrypts edge↔origin and validates the origin cert. Flexible causes redirect loops and is insecure.
Enable Always Use HTTPS.
Enable HSTS only once you’re confident HTTPS is permanent (it’s hard to undo): max-age ≥ 6 months, include subdomains, preload optional.

5. Configure security: WAF + rate limiting

Spend the 5 WAF rules on real threats (block bad bots, restrict /admin by country/ASN, challenge suspicious paths). Use the single rate-limit rule on the login or API endpoint most likely to be brute-forced.

6. Configure caching and speed

Cache rule: cache static assets (/build/*, /images/*) aggressively; bypass cache for authenticated/app routes and anything with a session cookie.
Enable Brotli and Tiered Cache. (Cloudflare removed Auto Minify in Aug 2024 — minify in your build pipeline instead.)

7. Enable DNSSEC and optional Zero Trust

Enable DNSSEC in Cloudflare, then add the DS record it generates at your registrar — DNSSEC isn’t active until the registrar side is done.
Optionally protect staging with Zero Trust Access (email-OTP gate) so the unfinished site isn’t public.

8. Run the final verification probe

Confirm the edge is live, encrypted end-to-end, and DNSSEC-validated.

Probe the zone over HTTP and the API.

# Zone is active and proxied (expect cf-ray + cf-cache-status headers)
curl -sI https://app.example.com | grep -iE 'cf-ray|cf-cache-status|strict-transport'

# SSL mode end-to-end (expect HTTP/2 200, valid cert)
curl -sI https://app.example.com | head -1

# DNSSEC validated via a validating resolver (AD bit)
dig +dnssec @1.1.1.1 example.com A | grep -q 'flags:.* ad' && echo "DNSSEC validated"
dig DNSKEY example.com +short | grep -q . && echo "DNSKEY published"

# Zone status via API
curl -s "https://api.cloudflare.com/client/v4/zones/$ZONE_ID" \
  -H "Authorization: Bearer $CF_API_TOKEN" | grep -o '"status":"[^"]*"'
# Expected: cf-ray present (proxied), a strict-transport-security header, zone "status":"active", and DNSSEC validated

✅ The probe shows cf-ray (proxied), the strict-transport-security header (HSTS), zone "status":"active", and DNSSEC validated.

Three API behaviors trip up verification probes — none are failures by themselves:

tls_1_3 can read back as "zrt", not "on". That means TLS 1.3 with 0-RTT. Only "off" or ERR are failures.
List rules by phase via the entrypoint endpoint, not a query param: GET /zones/<zone>/rulesets/phases/<phase>/entrypoint. The intuitive /rulesets?phase=<phase> can silently return the full ruleset list.
browser_check may read back empty on some API versions even when enabled — fall back to the dashboard instead of treating blank as off.

curl -s "https://api.cloudflare.com/client/v4/zones/<zone-id>/rulesets/phases/http_ratelimit/entrypoint" \
  -H "Authorization: Bearer $CF_API_TOKEN"
# Expected: the rules array for that phase only; a missing entrypoint means zero rules for the phase

Checklist

Do not mark this step done until every box below is checked.

👤 Zone Active — nameservers are Cloudflare’s; imported records audited (esp. email DNS).
👤 SSL hardened — SSL = Full (Strict), Always Use HTTPS on, HSTS set.
👤 WAF within budget — WAF rules + 1 rate-limit rule within Free-plan budget.
🔀 Cache rule live — static-asset cache rule live; app/auth routes bypass cache.
🔀 Rocket Loader OFF; DNSSEC active — DS added at registrar.
🤖 Probe green — verification probe shows cf-ray, HSTS header, and "status":"active".

Release + incident response

# ZajLibrary — implementation playbook

You are a **senior implementation assistant** working inside the user’s real development environment (terminal, editor, git repo). You are **not** a documentation writer, tutor, or library editor.

**Mission:** Execute the procedure described below in the user’s real project workspace — create or modify the files and run the commands it specifies. Do not just summarize it.

## Metadata
- title: 6 · Cloudflare CDN
- url: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/06-cloudflare-cdn/
- shelf: Build & Create
- doc_type: implementation playbook
- status: current
- kind: playbook
- category: tech-stack
- subcategory: laravel
- topic: codecanyon
- phase: 4
- step_number: 6
- est_time: ~45–60 min (+ nameserver propagation)
- description: Front the app with Cloudflare on the Free plan — nameserver cutover, API-driven DNS, Full (Strict) SSL + HSTS, WAF and rate limiting, cache rules, DNSSEC, and a final API verification probe. Rocket Loader stays OFF for Laravel.
- tags: codecanyon, cloudflare, cdn, waf, security

## Execution rules (binding)
- This is step 6 of phase 4 (~45–60 min (+ nameserver propagation)) — do only this step, then stop at its `## Checklist`.
- Follow `## Steps` in order. Do not skip steps or declare the work complete early.
- Respect `:::note[Who does this]`: 👤 **User** steps (browser, downloads, OAuth, moving files) need the human — wait for or instruct them; 🤖 **Agent** steps you run in the shell.
- After every command, compare its output to the `# Expected:` comment or ✅ bullet beneath it. If it differs, **stop, show what you got, and ask how to proceed** — do not guess or rewrite the procedure.
- Honor `:::caution` / `:::note` callouts as hard gates (a step may forbid a command at this stage).
- Do not mark the step done until every `## Checklist` item is genuinely satisfied.
- Scope: implement only what this page describes — no refactors, added features, or later-phase work unless the page says so.
- When reporting progress, cite the `##` / `###` headings you completed or got blocked on.
- Secrets: never put API keys, passwords, or `.env` values in frontend code, commits, or chat logs — use server-side `.env` / config only, and keep `.env` gitignored.

---

# 6 · Cloudflare CDN

## TL;DR

**Objective** — front the app with Cloudflare on the **Free plan** (TLS termination, DDoS absorption, a WAF, global caching): nameserver cutover, API-driven DNS, Full (Strict) SSL + HSTS, WAF and rate limiting, cache rules, DNSSEC, and a final API verification probe — with Rocket Loader **OFF** for Laravel.

:::note[User part + done-when]
**👤 User part** — the account, zone add, and nameserver cutover happen in the Cloudflare and registrar dashboards: a person creates the zone, updates the registrar's nameservers, sets the SSL mode and WAF/rate-limit rules in the UI, and adds the DNSSEC DS record at the registrar. An agent drives DNS via the API and runs the verification probe.

**Done when** the zone is Active on Cloudflare nameservers, SSL is Full (Strict) with HSTS, WAF + one rate-limit rule are within budget, the static-asset cache rule is live, Rocket Loader is off, DNSSEC is active, and the probe shows `cf-ray`, the HSTS header, and `"status":"active"`. &nbsp;·&nbsp; **⏱ ~45–60 min (+ nameserver propagation)** &nbsp;·&nbsp; 🔀 mixed (👤 dashboards, 🤖 API DNS + probe).
:::

## Background

:::note[SHOULD — edge security + performance]
Cloudflare adds a caching/security edge in front of the origin: TLS termination, DDoS absorption, a WAF, and global caching. This page configures it on the **Free plan**, which covers everything a typical CodeCanyon launch needs.
:::

## Steps

### 1. Budget against the Free plan

Free tier limits are real — plan inside them so nothing silently fails to apply.

| Resource | Free-plan budget | Notes |
|---|---|---|
| WAF custom rules | 5 | Spend on the highest-value blocks |
| Rate-limiting rules | 1 | Reserve for login/API abuse |
| Cache rules | a few | One good static-asset rule goes far |
| Page Rules (legacy) | 3 | Prefer modern Rules where possible |

:::note[Free-plan rate-limit rule requires two extra API fields]
On the Free plan you get one rate-limit rule, and the API rejects the rule unless the `ratelimit` object includes both `mitigation_timeout` and `characteristics`.

```bash
curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/<zone-id>/rulesets/phases/http_ratelimit/entrypoint" \
  -H "Authorization: Bearer $CF_API_TOKEN" -H "Content-Type: application/json" \
  --data '{"rules":[{
    "expression": "(starts_with(http.request.uri.path, \"/admin\")) or (starts_with(http.request.uri.path, \"/login\"))",
    "action": "block",
    "ratelimit": {
      "requests_per_period": 10, "period": 10,
      "mitigation_timeout": 10,
      "characteristics": ["cf.colo.id", "ip.src"]
    },
    "description": "Rate limit admin + login (10 req/10s)"
  }]}'
```

Scope the single rule to `/admin` + `/login` only — never the landing page or public API. Additional rate-limit rules require Pro.
:::

### 2. Add the zone and cut over nameservers

:::note[Who does this]
👤 **User** adds the zone in Cloudflare and updates the registrar's nameservers — dashboard/registrar actions an agent can't perform.
:::

<Steps>

1. **Add the site as a zone** in Cloudflare; it imports existing records — **audit the import** against what page 2 and page 5 created.

   - ✅ The zone exists and its imported records have been audited.

2. **Update the registrar's nameservers** to Cloudflare's pair, then wait for the zone to go **Active**.

   ```bash
   dig NS example.com    # returns Cloudflare nameservers once Active
   # Expected: the NS query returns Cloudflare's nameserver pair
   ```

   - ✅ `dig NS example.com` returns Cloudflare and the zone shows **Active**.

</Steps>

:::caution[Re-check email DNS after import]
Confirm the SPF/DKIM/DMARC/MX records from **[5 · DNS email](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/05-dns-email/)** survived the import intact — a dropped MX silently kills mail.
:::

### 3. Configure DNS via the API

Drive record changes through the API so they're scriptable and auditable. Use a scoped token (Zone:DNS:Edit), never the global key.

<Steps>

1. **Create records through the API** — load the token from vault or a mode-600 file; **never** `export CF_API_TOKEN="<literal>"` in a runbook (visible in shell history and `ps`):

   ```bash
   # CF_API_TOKEN and ZONE_ID already exported from vault / ~/.zshrc (see Phase 1 machine setup)
   curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
     -H "Authorization: Bearer $CF_API_TOKEN" -H "Content-Type: application/json" \
     --data '{"type":"A","name":"app","content":"<origin-ip>","proxied":true}'
   # Expected: a JSON response with "success":true and the created record
   ```

   - ✅ Records are created via the scoped-token API; `proxied:true` (orange cloud) routes traffic through Cloudflare, `false` (grey cloud) is DNS-only.

</Steps>

### 4. Set SSL/TLS and HSTS

:::note[Who does this]
👤 **User** sets the SSL mode, Always Use HTTPS, and HSTS toggles in the Cloudflare dashboard.
:::

- Set SSL mode to **Full (Strict)** — encrypts edge↔origin *and* validates the origin cert. `Flexible` causes redirect loops and is insecure.
- Enable **Always Use HTTPS**.
- Enable **HSTS** only once you're confident HTTPS is permanent (it's hard to undo): `max-age` ≥ 6 months, include subdomains, preload optional.

### 5. Configure security: WAF + rate limiting

Spend the 5 WAF rules on real threats (block bad bots, restrict `/admin` by country/ASN, challenge suspicious paths). Use the single rate-limit rule on the login or API endpoint most likely to be brute-forced.

### 6. Configure caching and speed

- **Cache rule:** cache static assets (`/build/*`, `/images/*`) aggressively; bypass cache for authenticated/app routes and anything with a session cookie.
- Enable Brotli and Tiered Cache. (Cloudflare removed Auto Minify in Aug 2024 — minify in your build pipeline instead.)

:::danger[Rocket Loader must stay OFF for Laravel]
Rocket Loader defers and reorders JavaScript, which breaks Laravel apps that rely on inline script ordering, CSRF token injection, and Livewire/Alpine/Vite-bundled scripts. Leave **Rocket Loader = off**. Enabling it is a frequent "the app's JS randomly breaks in production" cause.
:::

### 7. Enable DNSSEC and optional Zero Trust

- Enable **DNSSEC** in Cloudflare, then add the **DS record** it generates at your registrar — DNSSEC isn't active until the registrar side is done.
- Optionally protect staging with **Zero Trust Access** (email-OTP gate) so the unfinished site isn't public.

### 8. Run the final verification probe

Confirm the edge is live, encrypted end-to-end, and DNSSEC-validated.

<Steps>

1. **Probe the zone over HTTP and the API.**

   ```bash
   # Zone is active and proxied (expect cf-ray + cf-cache-status headers)
   curl -sI https://app.example.com | grep -iE 'cf-ray|cf-cache-status|strict-transport'

   # SSL mode end-to-end (expect HTTP/2 200, valid cert)
   curl -sI https://app.example.com | head -1

   # DNSSEC validated via a validating resolver (AD bit)
   dig +dnssec @1.1.1.1 example.com A | grep -q 'flags:.* ad' && echo "DNSSEC validated"
   dig DNSKEY example.com +short | grep -q . && echo "DNSKEY published"

   # Zone status via API
   curl -s "https://api.cloudflare.com/client/v4/zones/$ZONE_ID" \
     -H "Authorization: Bearer $CF_API_TOKEN" | grep -o '"status":"[^"]*"'
   # Expected: cf-ray present (proxied), a strict-transport-security header, zone "status":"active", and DNSSEC validated
   ```

   - ✅ The probe shows `cf-ray` (proxied), the `strict-transport-security` header (HSTS), zone `"status":"active"`, and DNSSEC validated.

</Steps>

:::caution[Cloudflare API read-value gotchas in the probe]
Three API behaviors trip up verification probes — none are failures by themselves:

- **`tls_1_3` can read back as `"zrt"`, not `"on"`.** That means TLS 1.3 with 0-RTT. Only `"off"` or `ERR` are failures.
- **List rules by phase via the entrypoint endpoint**, not a query param: `GET /zones/<zone>/rulesets/phases/<phase>/entrypoint`. The intuitive `/rulesets?phase=<phase>` can silently return the full ruleset list.
- **`browser_check` may read back empty** on some API versions even when enabled — fall back to the dashboard instead of treating blank as off.

```bash
curl -s "https://api.cloudflare.com/client/v4/zones/<zone-id>/rulesets/phases/http_ratelimit/entrypoint" \
  -H "Authorization: Bearer $CF_API_TOKEN"
# Expected: the rules array for that phase only; a missing entrypoint means zero rules for the phase
```
:::

## Checklist

Do not mark this step done until **every** box below is checked.

- [ ] **👤 Zone Active** — nameservers are Cloudflare's; imported records audited (esp. email DNS).
- [ ] **👤 SSL hardened** — SSL = **Full (Strict)**, Always Use HTTPS on, HSTS set.
- [ ] **👤 WAF within budget** — WAF rules + 1 rate-limit rule within Free-plan budget.
- [ ] **🔀 Cache rule live** — static-asset cache rule live; app/auth routes bypass cache.
- [ ] **🔀 Rocket Loader OFF; DNSSEC active** — DS added at registrar.
- [ ] **🤖 Probe green** — verification probe shows `cf-ray`, HSTS header, and `"status":"active"`.

:::next[Next step]
[Release + incident response](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/07-release-and-incident/)
:::

# 6 · Cloudflare CDN

> Source: https://library.zajapps.com/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/06-cloudflare-cdn/

## TL;DR

**Objective** — front the app with Cloudflare on the **Free plan** (TLS termination, DDoS absorption, a WAF, global caching): nameserver cutover, API-driven DNS, Full (Strict) SSL + HSTS, WAF and rate limiting, cache rules, DNSSEC, and a final API verification probe — with Rocket Loader **OFF** for Laravel.

:::note[User part + done-when]
**👤 User part** — the account, zone add, and nameserver cutover happen in the Cloudflare and registrar dashboards: a person creates the zone, updates the registrar's nameservers, sets the SSL mode and WAF/rate-limit rules in the UI, and adds the DNSSEC DS record at the registrar. An agent drives DNS via the API and runs the verification probe.

**Done when** the zone is Active on Cloudflare nameservers, SSL is Full (Strict) with HSTS, WAF + one rate-limit rule are within budget, the static-asset cache rule is live, Rocket Loader is off, DNSSEC is active, and the probe shows `cf-ray`, the HSTS header, and `"status":"active"`. &nbsp;·&nbsp; **⏱ ~45–60 min (+ nameserver propagation)** &nbsp;·&nbsp; 🔀 mixed (👤 dashboards, 🤖 API DNS + probe).
:::

## Background

:::note[SHOULD — edge security + performance]
Cloudflare adds a caching/security edge in front of the origin: TLS termination, DDoS absorption, a WAF, and global caching. This page configures it on the **Free plan**, which covers everything a typical CodeCanyon launch needs.
:::

## Steps

### 1. Budget against the Free plan

Free tier limits are real — plan inside them so nothing silently fails to apply.

| Resource | Free-plan budget | Notes |
|---|---|---|
| WAF custom rules | 5 | Spend on the highest-value blocks |
| Rate-limiting rules | 1 | Reserve for login/API abuse |
| Cache rules | a few | One good static-asset rule goes far |
| Page Rules (legacy) | 3 | Prefer modern Rules where possible |

:::note[Free-plan rate-limit rule requires two extra API fields]
On the Free plan you get one rate-limit rule, and the API rejects the rule unless the `ratelimit` object includes both `mitigation_timeout` and `characteristics`.

```bash
curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/<zone-id>/rulesets/phases/http_ratelimit/entrypoint" \
  -H "Authorization: Bearer $CF_API_TOKEN" -H "Content-Type: application/json" \
  --data '{"rules":[{
    "expression": "(starts_with(http.request.uri.path, \"/admin\")) or (starts_with(http.request.uri.path, \"/login\"))",
    "action": "block",
    "ratelimit": {
      "requests_per_period": 10, "period": 10,
      "mitigation_timeout": 10,
      "characteristics": ["cf.colo.id", "ip.src"]
    },
    "description": "Rate limit admin + login (10 req/10s)"
  }]}'
```

Scope the single rule to `/admin` + `/login` only — never the landing page or public API. Additional rate-limit rules require Pro.
:::

### 2. Add the zone and cut over nameservers

:::note[Who does this]
👤 **User** adds the zone in Cloudflare and updates the registrar's nameservers — dashboard/registrar actions an agent can't perform.
:::

<Steps>

1. **Add the site as a zone** in Cloudflare; it imports existing records — **audit the import** against what page 2 and page 5 created.

   - ✅ The zone exists and its imported records have been audited.

2. **Update the registrar's nameservers** to Cloudflare's pair, then wait for the zone to go **Active**.

   ```bash
   dig NS example.com    # returns Cloudflare nameservers once Active
   # Expected: the NS query returns Cloudflare's nameserver pair
   ```

   - ✅ `dig NS example.com` returns Cloudflare and the zone shows **Active**.

</Steps>

:::caution[Re-check email DNS after import]
Confirm the SPF/DKIM/DMARC/MX records from **[5 · DNS email](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/05-dns-email/)** survived the import intact — a dropped MX silently kills mail.
:::

### 3. Configure DNS via the API

Drive record changes through the API so they're scriptable and auditable. Use a scoped token (Zone:DNS:Edit), never the global key.

<Steps>

1. **Create records through the API** — load the token from vault or a mode-600 file; **never** `export CF_API_TOKEN="<literal>"` in a runbook (visible in shell history and `ps`):

   ```bash
   # CF_API_TOKEN and ZONE_ID already exported from vault / ~/.zshrc (see Phase 1 machine setup)
   curl -s -X POST "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/dns_records" \
     -H "Authorization: Bearer $CF_API_TOKEN" -H "Content-Type: application/json" \
     --data '{"type":"A","name":"app","content":"<origin-ip>","proxied":true}'
   # Expected: a JSON response with "success":true and the created record
   ```

   - ✅ Records are created via the scoped-token API; `proxied:true` (orange cloud) routes traffic through Cloudflare, `false` (grey cloud) is DNS-only.

</Steps>

### 4. Set SSL/TLS and HSTS

:::note[Who does this]
👤 **User** sets the SSL mode, Always Use HTTPS, and HSTS toggles in the Cloudflare dashboard.
:::

- Set SSL mode to **Full (Strict)** — encrypts edge↔origin *and* validates the origin cert. `Flexible` causes redirect loops and is insecure.
- Enable **Always Use HTTPS**.
- Enable **HSTS** only once you're confident HTTPS is permanent (it's hard to undo): `max-age` ≥ 6 months, include subdomains, preload optional.

### 5. Configure security: WAF + rate limiting

Spend the 5 WAF rules on real threats (block bad bots, restrict `/admin` by country/ASN, challenge suspicious paths). Use the single rate-limit rule on the login or API endpoint most likely to be brute-forced.

### 6. Configure caching and speed

- **Cache rule:** cache static assets (`/build/*`, `/images/*`) aggressively; bypass cache for authenticated/app routes and anything with a session cookie.
- Enable Brotli and Tiered Cache. (Cloudflare removed Auto Minify in Aug 2024 — minify in your build pipeline instead.)

:::danger[Rocket Loader must stay OFF for Laravel]
Rocket Loader defers and reorders JavaScript, which breaks Laravel apps that rely on inline script ordering, CSRF token injection, and Livewire/Alpine/Vite-bundled scripts. Leave **Rocket Loader = off**. Enabling it is a frequent "the app's JS randomly breaks in production" cause.
:::

### 7. Enable DNSSEC and optional Zero Trust

- Enable **DNSSEC** in Cloudflare, then add the **DS record** it generates at your registrar — DNSSEC isn't active until the registrar side is done.
- Optionally protect staging with **Zero Trust Access** (email-OTP gate) so the unfinished site isn't public.

### 8. Run the final verification probe

Confirm the edge is live, encrypted end-to-end, and DNSSEC-validated.

<Steps>

1. **Probe the zone over HTTP and the API.**

   ```bash
   # Zone is active and proxied (expect cf-ray + cf-cache-status headers)
   curl -sI https://app.example.com | grep -iE 'cf-ray|cf-cache-status|strict-transport'

   # SSL mode end-to-end (expect HTTP/2 200, valid cert)
   curl -sI https://app.example.com | head -1

   # DNSSEC validated via a validating resolver (AD bit)
   dig +dnssec @1.1.1.1 example.com A | grep -q 'flags:.* ad' && echo "DNSSEC validated"
   dig DNSKEY example.com +short | grep -q . && echo "DNSKEY published"

   # Zone status via API
   curl -s "https://api.cloudflare.com/client/v4/zones/$ZONE_ID" \
     -H "Authorization: Bearer $CF_API_TOKEN" | grep -o '"status":"[^"]*"'
   # Expected: cf-ray present (proxied), a strict-transport-security header, zone "status":"active", and DNSSEC validated
   ```

   - ✅ The probe shows `cf-ray` (proxied), the `strict-transport-security` header (HSTS), zone `"status":"active"`, and DNSSEC validated.

</Steps>

:::caution[Cloudflare API read-value gotchas in the probe]
Three API behaviors trip up verification probes — none are failures by themselves:

- **`tls_1_3` can read back as `"zrt"`, not `"on"`.** That means TLS 1.3 with 0-RTT. Only `"off"` or `ERR` are failures.
- **List rules by phase via the entrypoint endpoint**, not a query param: `GET /zones/<zone>/rulesets/phases/<phase>/entrypoint`. The intuitive `/rulesets?phase=<phase>` can silently return the full ruleset list.
- **`browser_check` may read back empty** on some API versions even when enabled — fall back to the dashboard instead of treating blank as off.

```bash
curl -s "https://api.cloudflare.com/client/v4/zones/<zone-id>/rulesets/phases/http_ratelimit/entrypoint" \
  -H "Authorization: Bearer $CF_API_TOKEN"
# Expected: the rules array for that phase only; a missing entrypoint means zero rules for the phase
```
:::

## Checklist

Do not mark this step done until **every** box below is checked.

- [ ] **👤 Zone Active** — nameservers are Cloudflare's; imported records audited (esp. email DNS).
- [ ] **👤 SSL hardened** — SSL = **Full (Strict)**, Always Use HTTPS on, HSTS set.
- [ ] **👤 WAF within budget** — WAF rules + 1 rate-limit rule within Free-plan budget.
- [ ] **🔀 Cache rule live** — static-asset cache rule live; app/auth routes bypass cache.
- [ ] **🔀 Rocket Loader OFF; DNSSEC active** — DS added at registrar.
- [ ] **🤖 Probe green** — verification probe shows `cf-ray`, HSTS header, and `"status":"active"`.

:::next[Next step]
[Release + incident response](/tech-stack/laravel/codecanyon/build/playbooks/setup-new/04-deploy-pipeline/07-release-and-incident/)
:::