Portal / Nodes / Cloudflare / zone/updateSettings
zone/updateSettings
Update one or more configuration settings for a Cloudflare zone.
Live traffic impact: Zone settings affect all traffic to the domain immediately upon update. Test setting changes on a staging zone before applying to production. Some settings (e.g., SSL mode) can break the site if set incorrectly.
When to Use
- Enable always-HTTPS: After an SSL certificate is verified as active, switch
always_https to on as part of a go-live checklist workflow.
- Increase cache TTL: After a stable release, set a longer
browser_cache_ttl to reduce origin requests and improve performance.
- Disable minification during debugging: Temporarily set
minify.html to off during a support investigation, then re-enable after.
- Enable HTTP/2 for performance optimization: Set
http2 to on as part of a performance hardening pipeline.
- Security level escalation: Automatically set
security_level to under_attack in response to a DDoS alert from a monitoring workflow.
Configuration
Connection
| Field | Type | Required | Description |
ApiToken | string | required | Scoped Cloudflare API Token with Zone.Edit permission. Store in BizFirst Credentials Manager. |
Operation Fields
| Field | Type | Required | Description |
ZoneId | string | required | 32-character hexadecimal Zone ID. |
Settings | object | required | Key-value pairs of settings to update. Only specified keys are changed — unspecified settings remain unchanged. See common settings below. |
Common Settings Keys
| Key | Type | Valid Values |
always_https | string | "on", "off" |
ssl | string | "off", "flexible", "full", "strict" |
browser_cache_ttl | integer | 0, 30, 60, 300, 1200, 1800, 3600, 7200, 10800, 14400, 18000, 28800, 43200, 57600, 72000, 86400, 172800, 259200, 345600, 432000, 691200, 1382400, 2073600, 2678400, 5356800, 16070400, 31536000 |
brotli | string | "on", "off" |
http2 | string | "on", "off" |
security_level | string | "essentially_off", "low", "medium", "high", "under_attack" |
minify | object | {"css":"on","html":"on","js":"on"} |
Sample Configuration
{
"resource": "zone",
"operation": "updateSettings",
"connection": {
"ApiToken": "{{ $credentials.cloudflare_edit }}"
},
"ZoneId": "023e105f4ecef8ad9ca31a8372d0c353",
"Settings": {
"always_https": "on",
"ssl": "full",
"browser_cache_ttl": 86400
}
}
Validation Errors
| Code | Condition | Resolution |
MISSING_API_TOKEN | ApiToken is empty or not configured | Set the ApiToken credential with Zone.Edit permission |
MISSING_ZONE_ID | ZoneId field is empty | Provide a valid 32-character hex Zone ID |
UNKNOWN_ERROR | Invalid setting key/value or insufficient permissions | Verify setting keys and values are valid for the zone's plan |
Output
Success Port
| Field | Type | Description |
updatedSettings | object | The settings as they now stand after the update — confirms applied values |
zoneId | string | The Zone ID that was updated |
Error Port
On failure, the error port receives an object with code and message.
Sample Output
{
"zoneId": "023e105f4ecef8ad9ca31a8372d0c353",
"updatedSettings": {
"always_https": "on",
"ssl": "full",
"browser_cache_ttl": 86400
}
}
Expression Reference
| Expression | Returns |
{{ $node.UpdateSettings.output.zoneId }} | Zone ID that was updated |
{{ $node.UpdateSettings.output.updatedSettings.ssl }} | Confirmed SSL mode after update |
{{ $node.UpdateSettings.output.updatedSettings.always_https }} | Confirmed always-HTTPS state |
{{ $node.UpdateSettings.output.updatedSettings.browser_cache_ttl }} | Confirmed cache TTL value |
Node Policies & GuardRails
| Policy | Detail |
| Backup settings before updating | Always precede this node with zone/getSettings and persist the output — enables rollback on failure |
| Test on staging zone first | Apply setting changes to a non-production zone and verify behavior before targeting production |
| Require Zone.Edit token | The token must have Zone.Edit permission — a read-only token will fail with a 403 |
| Store ApiToken in Credentials Manager | Never hardcode the token in configuration JSON |
| Changes are immediate and global | Settings apply to all traffic on the zone instantly — coordinate deployments to minimize user impact |
| SSL mode changes require origin readiness | Setting ssl to strict requires a valid origin SSL certificate — verify cert status with ssl/getSettings first |
Examples
Example 1: Enable Always-HTTPS After Certificate Verification
In a go-live workflow: (1) Call ssl/getSettings to verify the certificate is active. (2) If active, call zone/updateSettings with {"always_https":"on","ssl":"full"}. (3) Send a Slack notification confirming HTTPS is enforced.
Example 2: Security Level Escalation on DDoS Alert
Connect to a monitoring webhook trigger. When a DDoS alert is received, call zone/updateSettings with {"security_level":"under_attack"}. After a set time window (Delay node), automatically revert to "medium".
Example 3: Cache Optimization After Stable Release
After a successful deployment, call zone/updateSettings with {"browser_cache_ttl":86400,"brotli":"on","http2":"on"} to enable long-lived caching and compression for the new release.