Portal Community

zone/updateSettings

Update one or more configuration settings for a Cloudflare zone.

Live traffic impact: Zone settings affect all traffic to the domain immediately upon update. Test setting changes on a staging zone before applying to production. Some settings (e.g., SSL mode) can break the site if set incorrectly.

When to Use

Configuration

Connection

FieldTypeRequiredDescription
ApiTokenstringrequiredScoped Cloudflare API Token with Zone.Edit permission. Store in BizFirst Credentials Manager.

Operation Fields

FieldTypeRequiredDescription
ZoneIdstringrequired32-character hexadecimal Zone ID.
SettingsobjectrequiredKey-value pairs of settings to update. Only specified keys are changed — unspecified settings remain unchanged. See common settings below.

Common Settings Keys

KeyTypeValid Values
always_httpsstring"on", "off"
sslstring"off", "flexible", "full", "strict"
browser_cache_ttlinteger0, 30, 60, 300, 1200, 1800, 3600, 7200, 10800, 14400, 18000, 28800, 43200, 57600, 72000, 86400, 172800, 259200, 345600, 432000, 691200, 1382400, 2073600, 2678400, 5356800, 16070400, 31536000
brotlistring"on", "off"
http2string"on", "off"
security_levelstring"essentially_off", "low", "medium", "high", "under_attack"
minifyobject{"css":"on","html":"on","js":"on"}

Sample Configuration

{
  "resource": "zone",
  "operation": "updateSettings",
  "connection": {
    "ApiToken": "{{ $credentials.cloudflare_edit }}"
  },
  "ZoneId": "023e105f4ecef8ad9ca31a8372d0c353",
  "Settings": {
    "always_https": "on",
    "ssl": "full",
    "browser_cache_ttl": 86400
  }
}

Validation Errors

CodeConditionResolution
MISSING_API_TOKENApiToken is empty or not configuredSet the ApiToken credential with Zone.Edit permission
MISSING_ZONE_IDZoneId field is emptyProvide a valid 32-character hex Zone ID
UNKNOWN_ERRORInvalid setting key/value or insufficient permissionsVerify setting keys and values are valid for the zone's plan

Output

Success Port

FieldTypeDescription
updatedSettingsobjectThe settings as they now stand after the update — confirms applied values
zoneIdstringThe Zone ID that was updated

Error Port

On failure, the error port receives an object with code and message.

Sample Output

{
  "zoneId": "023e105f4ecef8ad9ca31a8372d0c353",
  "updatedSettings": {
    "always_https": "on",
    "ssl": "full",
    "browser_cache_ttl": 86400
  }
}

Expression Reference

ExpressionReturns
{{ $node.UpdateSettings.output.zoneId }}Zone ID that was updated
{{ $node.UpdateSettings.output.updatedSettings.ssl }}Confirmed SSL mode after update
{{ $node.UpdateSettings.output.updatedSettings.always_https }}Confirmed always-HTTPS state
{{ $node.UpdateSettings.output.updatedSettings.browser_cache_ttl }}Confirmed cache TTL value

Node Policies & GuardRails

PolicyDetail
Backup settings before updatingAlways precede this node with zone/getSettings and persist the output — enables rollback on failure
Test on staging zone firstApply setting changes to a non-production zone and verify behavior before targeting production
Require Zone.Edit tokenThe token must have Zone.Edit permission — a read-only token will fail with a 403
Store ApiToken in Credentials ManagerNever hardcode the token in configuration JSON
Changes are immediate and globalSettings apply to all traffic on the zone instantly — coordinate deployments to minimize user impact
SSL mode changes require origin readinessSetting ssl to strict requires a valid origin SSL certificate — verify cert status with ssl/getSettings first

Examples

Example 1: Enable Always-HTTPS After Certificate Verification

In a go-live workflow: (1) Call ssl/getSettings to verify the certificate is active. (2) If active, call zone/updateSettings with {"always_https":"on","ssl":"full"}. (3) Send a Slack notification confirming HTTPS is enforced.

Example 2: Security Level Escalation on DDoS Alert

Connect to a monitoring webhook trigger. When a DDoS alert is received, call zone/updateSettings with {"security_level":"under_attack"}. After a set time window (Delay node), automatically revert to "medium".

Example 3: Cache Optimization After Stable Release

After a successful deployment, call zone/updateSettings with {"browser_cache_ttl":86400,"brotli":"on","http2":"on"} to enable long-lived caching and compression for the new release.