Cloudflare Free Tier Limits Checklist: Are CDN, DNS, WAF, and Workers Enough?

Cloudflare’s free tier is often called a “cyber bodhisattva” by users. Global CDN, DDoS protection, SSL certificates, DNS resolution—all free. But “free” always has boundaries.

Workers gets 100K requests per day, Pages gets 500 builds per month, DNS allows up to 1000 records. What do these numbers mean? Will your project suddenly get rate-limited? This article lists all specific Cloudflare product limits in one place to help you determine if you’re within bounds.

Let’s be direct: if you’re planning to host a personal blog or small project on the free tier, this article will help you decide in 5 minutes.

I. CDN & DNS: The Reality Behind “Unlimited”

Cloudflare’s most attractive selling point: unlimited bandwidth. These four words excite many developers. But hold your horses.

What Does “Unlimited” CDN Actually Mean?

Official documentation doesn’t specify bandwidth caps. Free, Pro, and Business tiers all lack specific numbers. What does this mean?

In October 2024, a Reddit user shared real-world data: 20TB of monthly traffic for several months, account still running normally. Cloudflare community has similar feedback—someone ran 15TB/month on the free tier without issues.

But there’s a catch. Terms of Service clearly state: no hosting of streaming video or large non-HTML files. What counts as “large”? No specific number. The official term is “disproportionate load.” This phrasing is vague, but the meaning is clear: if you use it as a video CDN, you’ll eventually get banned.

There’s also a hard limit: per-file cache limit of 512MB. This number is explicitly stated in the Workers Limits documentation, same for both free and paid tiers. Want to cache large videos? No can do.

So CDN’s “unlimited” actually has two meanings:

1. Normal website traffic (HTML, CSS, JS, images)—essentially no upper limit
2. Videos and large files—explicitly prohibited

Blog sites, static sites, small API proxies? Go ahead. Image hosting sites? Also OK, as long as individual images don’t exceed 512MB. Planning a video platform? Forget it.

DNS Record Limits: What You Might Not Have Considered

DNS is Cloudflare’s core service. Where are the free tier limits?

September 2024 is a dividing line. Free zones created before this date could hold 3000 records. Those created after can only have 1000 records.

Why this change? Official reason wasn’t publicly disclosed, but community discussions point to one cause: preventing abuse. People were using free tiers to batch-create domains and fill them with garbage records.

Is 1000 enough? For a single domain with dozens of subdomains, plus some MX and TXT records—usually a few hundred suffice. The real question is: how many domains do you have?

Good news: no limit on domain count. Free accounts can add unlimited domains. As long as each domain stays under 1000 records, you can keep adding.

But there’s a detail to note: DNS queries themselves have no limits. You can rest assured that high traffic won’t cause DNS resolution to stall.

Real-World Sufficient Scenarios

If your project is:

• Personal blog (WordPress, Hexo, Hugo)—completely sufficient
• Static site (Astro, Next.js SSG)—completely sufficient
• Small API proxy (forwarding a few backend services)—basically sufficient
• Image hosting site (single image < 512MB)—sufficient, but watch total volume

Beyond these ranges, suggest checking the ToS in advance. Don’t wait until your account gets banned to realize you stepped in a trap.

II. Workers & KV: Where Are the Red Lines for Compute?

Workers is Cloudflare’s edge computing platform. Write some JavaScript or TypeScript, deploy to 200+ global nodes. Sounds great, but free tier limits are much tighter than CDN.

Workers Request Limit: 100,000 Per Day

Official documentation is clear: 100,000 requests per day on free tier. Resets at UTC 00:00.

What does this number mean? Suppose your API gets called 10 times per user per day:

• 100 users → 1000 requests/day → 30,000 per month → Safe
• 1000 users → 10,000 requests/day → 300,000 per month → Exceeded

In practice, many small projects use Workers for:

• API Gateway (forwarding requests to backend)
• SSR rendering (Next.js, Remix)
• Form handling (receiving POST requests)
• JWT validation (intercepting unauthorized requests)

These scenarios consume one quota per request. If your site gets 1000 daily visitors, each triggering 5 Workers calls, that’s 5000 requests per day. Seems fine. But what if traffic increases 10x? You’ll exceed the limit in a month.

A more critical limit: CPU time 30ms per request. This number comes from the official Limits documentation. What can you do in 30ms? Simple JSON parsing, routing decisions, JWT validation—OK. Complex computations? No. For example, using Workers for image compression, PDF generation, or deep learning inference—likely to timeout.

Another detail: script size limit of 1MB (compressed). Environment variables max 64, each up to 5KB. These are usually sufficient for small projects, but large applications should take note.

KV: Quotas for the Cache Layer

Workers KV is edge key-value storage. In February 2026, the official blog announced increased free tier quotas:

• Reads: 100,000 per day
• Writes: 1,000 per day
• Storage capacity: 1 GB

Writes limited to 1000/day—this is tight.

What scenarios require heavy writes? User session caching, access logs, counters. If your API writes a record per request, you’ll hit the limit at 1000 requests per day.

But reads are relatively generous. 100K/day is enough for a small read-cache scenario:

• Config caching (reading API keys, feature flags from KV)
• Static data caching (product lists, article directories)
• User profile caching (read-heavy, write-light)

Planning to use KV for vector storage in a RAG application—wait, that’s not suitable. KV has no vector retrieval capability, and write limits are tight. For vector databases, use Cloudflare Vectorize (paid) or connect to Pinecone or Milvus.

D1: Edge SQLite Database

D1 is Cloudflare’s SQLite edge database. In May 2026, tech blog buildmvpfast summarized official data:

• Row reads: 5,000,000 rows per day
• Row writes: 100,000 rows per day
• Storage: 5 GB

Read quota is generous—5 million rows. Writes are also higher than KV—100K rows. This means D1 is better suited for data persistence than pure caching.

Real-world scenarios:

• Blog comment system (read-heavy, write-light)
• User profile storage (occasional updates)
• Small CMS (articles, tags, categories)

Building an e-commerce order system? Writes might exceed limits. One record per order, a few thousand orders per day, and you’ll hit the limit in a month.

Is It Enough? Depends on Your Traffic Model

Let’s organize the key numbers:

Product	Daily Free Quota	Use Case
Workers	100,000 requests	Small APIs, SSR rendering
Workers CPU	30ms/request	Simple logic
KV Reads	100,000 operations	Read caching
KV Writes	1,000 operations	Session caching (limited)
D1 Reads	5,000,000 rows	Data queries
D1 Writes	100,000 rows	Data writes

If your project gets under 1000 daily visits, these quotas are basically sufficient. Over 5000, suggest monitoring Workers quota in advance. Check the dashboard daily—don’t wait for a sudden 403 to realize you’ve exceeded limits.

III. Pages: Deployment Limits Are Tighter Than You Think

Cloudflare Pages is a static site hosting platform. Supports Git integration, automatic builds, global deployment. Free tier limits are more specific than Workers.

File Count and Build Count: Hard Limits

Official Pages Limits documentation gives these numbers:

• File count: 20,000 per site
• Build count: 500 per month
• Concurrent builds: 1
• Per-file limit: 25 MB

20,000 files sounds like a lot, but if you use Next.js or Astro for a medium-sized blog—hundreds of articles, each with images, CSS, JS—you might quickly approach this number.

In January 2026, official changelog announced paid tier file limit increase to 100,000. Free tier remains at 20,000. What does this mean? If your site starts scaling (over 500 articles, or lots of media files), you’ll eventually hit the wall.

Build count of 500/month is more critical. Each git push triggers a build (unless manually cancelled). Suppose your development pace:

• 2 code changes per day → 60 builds per month → Safe
• 10 code changes per day → 300 builds per month → Nearing limit
• CI/CD auto-build (per commit) → Might exceed in a week

Concurrent builds limited to 1. This means: if you push twice, the second build queues up. Fine for solo developers, but team collaboration might block each other.

Real-World Scenario Analysis

Static blog (Hexo, Hugo, Astro):

• File count: Articles + images + theme files, usually under 5000 → OK
• Build count: A few changes per week → OK
• Conclusion: Completely sufficient

Medium content site (500+ articles, with images):

• File count: Might approach 20,000 → Watch this
• Build count: Frequent updates → Might exceed
• Conclusion: Suggest monitoring, prepare for paid upgrade

Small SPA (React, Vue single-page application):

• File count: After bundling, usually < 1000 → OK
• Build count: Frequent pushes during development → Might exceed
• Conclusion: Control build frequency during development

Team collaboration project:

• Concurrent builds: Multiple people pushing causes queuing → Efficiency issue
• Build count: Everyone making changes → Easy to exceed
• Conclusion: Suggest upgrading to paid tier to unlock concurrent builds

Over-Limit Warning Signs

When should you consider paying?

1. File count exceeds 15,000 — Getting close to limit
2. Builds exceed 300 per month — Development pace too fast
3. Team exceeds 3 people — Concurrent builds start blocking
4. Site content growing rapidly — Adding 50+ articles per month

Pro plan at $20/month unlocks 100,000 files and concurrent builds. If your project is starting to scale, this cost is more economical than emergency fixes after hitting limits.

IV. R2 & WAF: Free Boundaries for Storage and Security

R2 is Cloudflare’s object storage. WAF is Web Application Firewall. These two products’ free tier limits determine how far your project can go.

R2: The Price of Zero Egress Fees

R2’s most attractive point: zero egress fees. AWS S3 charges egress traffic at $0.09 per GB. Cloudflare R2 doesn’t.

But free tier has limits. Official Pricing documentation clearly states:

• Storage capacity: 10 GB
• Class A operations (write/list): 1,000,000 per month
• Class B operations (read): 10,000,000 per month

What can 10 GB store?

• Images (500KB each) → Approximately 20,000 images
• PDF files (5MB each) → Approximately 2,000 files
• Videos (100MB each) → Approximately 100 files

Seems OK. But if you’re building an image hosting site with uncontrollable user uploads—you might fill it in two months.

Operation quotas are relatively generous. Class A (write) 1M/month, Class B (read) 10M/month. This means read-heavy scenarios (image CDN)—basically won’t exceed. Write-heavy scenarios (users frequently uploading)—watch the monitoring.

WAF: Limited but Sufficient Protection

What does WAF free tier provide?

After the May 2026 update, official documentation clarifies:

• Cloudflare Free Managed Ruleset (subset of managed rules)
• Domain-level WAF only, no account-level access
• No WordPress-specific protection
• Custom rules available (Custom Firewall Rules)

What does “subset of managed rules” mean? Official docs don’t give specific numbers, but based on community discussions and the 2022 “WAF for everyone” article—the free tier covers high-risk vulnerability protection, not all rules.

Specifically includes:

• OWASP Top 10 core vulnerabilities (SQL Injection, XSS, etc.)
• Cloudflare-specific threat rules (partial)
• High-risk CVE vulnerabilities (emergency fixes)

Does not include:

• WordPress-specific protection (requires Pro or higher)
• Advanced managed rules (fine-grained configuration)
• Account-level unified management (multi-domain unified rules)

Custom rules work. You can set:

• Block by IP (ban malicious IPs)
• Block by country (Geo-blocking)
• Block by User-Agent (block bots)
• Block by URL path (protect sensitive paths)

These features are sufficient for small sites. Blog sites, personal projects—free WAF can block most automated attacks. But if you’re running e-commerce or financial services—suggest upgrading to paid tier for complete rulesets.

Scenario Suitability Analysis

Scenario	R2 Sufficient?	WAF Sufficient?
Personal blog (< 100 images)	✓ Completely	✓ Sufficient
Image hosting site (controlled uploads)	✓ Watch total	✓ Sufficient
Image hosting site (uncontrolled uploads)	✗ May exceed	✓ Sufficient
File sharing site (PDF/docs)	✓ Depends on file count	✓ Sufficient
Small e-commerce (no sensitive data)	✓ Sufficient	△ Suggest upgrade
Medium e-commerce (payment flow)	✓ Sufficient	✗ Suggest upgrade

R2’s 10 GB is the most critical bottleneck. If your project has uncontrollable user uploads—suggest planning storage expansion in advance, or connect external AWS S3 / Backblaze B2 for tiered storage.

V. Scenario Decision Table: Is Free Tier Actually Enough?

Previous sections listed all the numbers. But the most critical question is: will your project exceed limits?

Here’s a quick judgment table. Categorized by project type and scale—clear at a glance.

By Project Type

Project Type	Monthly Requests	Monthly Traffic	Storage Needs	Free Tier Verdict
Personal Blog (Static)	< 10K	< 1 GB	< 1 GB	✓ Completely Sufficient
Tech Blog (Dynamic SSR)	< 100K	< 10 GB	< 1 GB	△ Workers may exceed
API Service (Small)	< 3M	—	< 5 GB	✗ Workers needs payment
Image Hosting Site (Small)	—	< 20 GB	< 10 GB	△ R2 may exceed
Image Hosting Site (Medium)	—	> 50 GB	> 10 GB	✗ R2 needs payment
Static Content Site (500+ articles)	—	< 20 GB	—	△ Pages files may exceed
Team Collaboration Project	Multi-person dev	—	—	✗ Pages concurrent needs payment

By Traffic Scale

Daily Visits	Workers Risk	Pages Risk	CDN Risk
< 100	None	None	None
100-500	None	None	None
500-1000	Low (~15K requests/month)	None	None
1000-5000	Medium (~150K requests/month)	Low	None
5000-10000	High (may exceed Workers)	Medium (build frequency)	None
> 10000	Exceeded	High	None (unless video)

Quick Self-Check List

Answer these questions to determine if you’ll exceed limits:

1. How many daily visitors does your site get?

   • < 100 → All products sufficient
   • 100-1000 → Watch Workers, others OK

   • 1000 → Workers may exceed

2. How many files/articles does your site have?

   • < 100 → Pages completely sufficient
   • 100-500 → Pages OK, but watch growth

   • 500 → Pages files may approach limit

3. How large is your team?

   • 1 person → Pages single concurrent sufficient
   • 2-3 people → Pages may block

   • 3 people → Suggest upgrading to paid tier

4. How much user file storage do you need?

   • < 5 GB → R2 sufficient
   • 5-10 GB → R2 nearing capacity

   • 10 GB → R2 needs payment

5. How many times per day does your code build?

   • < 10/week → Pages 500 builds sufficient
   • 10-30/week → Pages may approach limit

   • 30/week → Pages may exceed

When Should You Upgrade?

If your project shows these signs, consider the Pro plan ($20/month):

• Workers requests approaching 80K/day — Getting close to limit
• Pages builds exceeding 400/month — Development pace too fast
• R2 storage exceeding 8 GB — Nearing capacity
• Team collaboration showing build queuing — Concurrency bottleneck
• Site traffic growing rapidly — Preventive upgrade

Pro plan unlocks:

• Workers requests: Unlimited (pay-per-use, $0.02/million requests)
• Pages files: 100,000
• Pages builds: 5 concurrent
• R2 storage: Paid pay-per-use, zero egress
• WAF rules: Complete managed ruleset

If your project is starting to scale, $20/month might be more economical than AWS/Vercel’s pay-per-use—at least Workers and CDN costs are predictable, instead of waiting for bill shock.

Conclusion

Cloudflare free tier’s core limits concentrate in three products: Workers (100K requests/day), Pages (500 builds/month), R2 (10GB storage). CDN and DNS’s “unlimited” is real—as long as you don’t host videos and large files.

If your project is still within free tier limits, now is the time to onboard with Cloudflare. Global CDN, DDoS protection, SSL certificates—these features cost money on other platforms.

But if your project is approaching limits, Pro plan’s $20/month might be more economical than AWS/Vercel’s pay-per-use. At least you know exactly how much you’ll spend each month, instead of waiting for bill shock.

Final advice: monitor in advance. Check the dashboard once a day, review quota usage weekly. Don’t wait for a sudden 403 to discover you’ve exceeded limits.