Cloudflare Pages Runbook

⚠️ INTERNAL ONLY — Platform + Website Architecture
Not intended for public distribution.

This runbook prepares the marketing and documentation applications for Cloudflare Pages. Deployments remain manual until CI/CD is introduced; follow these steps exactly.

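| Project | Root Directory | Build Command | Output | Domain |
|---------|----------------|---------------|--------|--------|
| Site | apps/site | pnpm install --frozen-lockfile && pnpm build | dist | https://example.com |
| Docs | apps/docs | pnpm install --frozen-lockfile && pnpm build | dist | https://docs.example.com |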

Use Node 20+ (Pages default) to match the Docker toolchain.

  1. Run builds inside Docker: pnpm build:site and pnpm build:docs.
  2. Push the verified commit to main.
  3. Trigger deployments in both Pages projects; confirm build logs show the commands above.
  4. Validate production URLs and note the Pages build IDs plus Git SHA in the release log.

  • Protect docs.example.com with Cloudflare Access before inviting stakeholders.
  • Supported SSO providers: GitHub Enterprise and Google Workspace—select one and configure group-based policies.
  • Grant least-privilege access to engineering leadership and security.
  • Set session duration to ≤ 12 hours and enforce MFA via the IdP.
  • Document policy IDs and group mappings here when configured.

Apply the following headers via Cloudflare Pages custom headers (preferred) or a lightweight Worker later.

Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; object-src 'none'; base-uri 'self'
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()

Review headers quarterly and after any DNS or domain changes.
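
An added example (not part of the original runbook) to support the quarterly review: a Node script that compares a response's headers with the baseline listed above and reports drift. The function names and the sample response are constructed for illustration; Permissions-Policy is checked as the comma-separated list its syntax defines.

```javascript
// Added example, not the project's own code. Baseline values come from the runbook.
const exact = (want) => (v) => (v.trim().toLowerCase() === want ? [] : [`expected ${want}`]);
const BASELINE = {
  "strict-transport-security": (v) => [
    [Number((/max-age=(\d+)/i.exec(v) || [])[1]) >= 31536000, "max-age below 31536000"],
    [/includeSubDomains/i.test(v), "missing includeSubDomains"],
    [/preload/i.test(v), "missing preload"],
  ].filter(([ok]) => !ok).map(([, msg]) => msg),
  "content-security-policy": (v) => {
    // Parse "name value...; name value..." into a directive map.
    const dirs = new Map(v.split(";").map((d) => d.trim().split(/\s+/))
      .filter((p) => p[0]).map(([name, ...vals]) => [name.toLowerCase(), vals.join(" ")]));
    const want = { "default-src": "'self'", "object-src": "'none'", "base-uri": "'self'" };
    return Object.entries(want).filter(([k, val]) => dirs.get(k) !== val)
      .map(([k, val]) => `${k} is ${dirs.get(k) ?? "absent"}, expected ${val}`);
  },
  "x-content-type-options": exact("nosniff"),
  "referrer-policy": exact("strict-origin-when-cross-origin"),
  "permissions-policy": (v) => {
    // Comma-separated list of feature=allowlist entries; () means disabled.
    const entries = v.split(",").map((e) => e.replace(/\s+/g, ""));
    return ["geolocation", "microphone", "camera"]
      .filter((f) => !entries.includes(`${f}=()`)).map((f) => `${f} not disabled`);
  },
};

// headers: plain object of name -> value (any case). Returns a list of findings.
function auditHeaders(headers) {
  const got = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));
  const findings = [];
  for (const [name, check] of Object.entries(BASELINE)) {
    if (!(name in got)) findings.push(`${name}: missing`);
    else for (const p of check(got[name])) findings.push(`${name}: ${p}`);
  }
  return findings;
}

// Live check for Node 18+ (global fetch); defined here but not called.
const auditUrl = async (url) => auditHeaders(Object.fromEntries((await fetch(url, { redirect: "manual" })).headers));

// Constructed sample: a response that lost HSTS preload, CSP object-src and Referrer-Policy.
const SAMPLE_DRIFTED = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "Content-Security-Policy": "default-src 'self'; base-uri 'self'",
  "X-Content-Type-Options": "nosniff",
  "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
};
console.log(auditHeaders(SAMPLE_DRIFTED));
```

An empty result from `auditUrl` for each production URL can be recorded in the release log alongside the build ID and Git SHA.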

  • No secrets are needed today; keep Cloudflare env/secret stores empty.
  • If a secret becomes necessary, add it via Pages project settings and document the name, purpose, and rotation owner here.
  • Never commit secrets to git or bake them into Docker images.

  1. Point apex domain (example.com) to the marketing Pages project.
  2. Configure docs.example.com as a custom domain for the docs project.
  3. Use Cloudflare-managed certificates; enforce HTTPS only.

  1. In Cloudflare Pages, promote the last known good build to production.
  2. Log the rollback in the operations change log with build ID and Git SHA.
  3. Review this runbook for any step requiring updates.