
Astro + Cloudflare Pages: Full Launch Checklist


Launching an Astro site on Cloudflare Pages is fast. The build pipeline connects to GitHub in minutes and auto-deploys on every push. The part that takes time is everything around the build: SEO correctness, security headers, GDPR compliance, structured data, DNS configuration, and the first-week monitoring that tells you whether anything broke.

We maintain this checklist across all our Astro + Cloudflare Pages projects. It’s the difference between a site that’s live and a site that’s actually ready.


Before you write code — secure handles first

Before any development work starts, register the brand handles that matter. These go fast, and recovering a taken username is either impossible or expensive.

  • GitHub org or user page with the repo
  • LinkedIn company page (for agency and product brands)
  • Twitter/X handle
  • Instagram handle (for product and visual brands)

Register the primary domain and immediately transfer DNS to Cloudflare. Consider registering redirect variants (no-hyphen version, .dev, .io) if the brand has obvious typos people might try.


Technical SEO

Every page needs a unique <title> (50–60 chars) and <meta name="description"> (150–160 chars). These aren’t optional — Google uses them directly in SERPs and duplicate titles are a coverage signal.

Canonical URLs need a trailing slash guard in Astro SSG builds. Astro.url.pathname drops the trailing slash during the build even if trailingSlash: 'always' is set, which generates wrong canonicals on every page and causes 308 redirect chains:

const _pathname = Astro.url.pathname.endsWith('/')
  ? Astro.url.pathname
  : Astro.url.pathname + '/';
const canonicalURL = new URL(_pathname, Astro.site);

OG and Twitter card tags: og:title, og:description, og:image, og:url, og:type + the Twitter equivalents. The OG image must be 1200×675px WebP or PNG — never SVG. Social scrapers silently ignore SVG files and show no preview.

Add max-image-preview:large to the robots meta tag. This is required for Google Discover — without it, your images won’t appear full-size in feed placements.

If the site is bilingual, add hreflang tags. If a page has both en and de versions, each version should reference the other.


JSON-LD structured data

Schema markup produces rich snippets in search results and helps Google understand what the page is about. The types we add by default:

  • Organization in BaseLayout (every page) — include logo as an ImageObject, not a plain URL string. Add sameAs links to social profiles as they go live.
  • WebSite on the homepage — enables the sitelinks search box in Google results.
  • BreadcrumbList on all inner pages.
  • Article / NewsArticle on blog and news posts — always include datePublished, dateModified, and author.
  • Product + Offer on product pages.
  • FAQPage on any FAQ section — this is a high-value rich snippet that regularly appears as expandable answers in SERPs.

Performance

Image loading strategy:

  • Hero / LCP image: loading="eager" fetchpriority="high" decoding="async"
  • Everything below the fold: loading="lazy" decoding="async"

Use self-hosted fonts in WOFF2 format with font-display: swap. Google Fonts adds a third-party request on every page load, which hurts both performance and GDPR compliance.

Add preconnect hints for analytics domains in <head>:

<link rel="preconnect" href="https://plausible.yourdomain.com" />

Security headers (public/_headers)

/*
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  Permissions-Policy: camera=(), microphone=(), geolocation=()
  Content-Security-Policy: default-src 'self'; ...

Do not add X-XSS-Protection. It is deprecated and causes issues in some browsers. Every time we add it out of habit, we remove it.

The CSP script-src must include any analytics or third-party script domains. Review it after adding any new external scripts.
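A lint for the two rules above that could run in CI before deploy. This is an added example, not code from the original post; the sample file and the analytics origin `https://plausible.example.com` are constructed values.

```javascript
// Added example: lint a Cloudflare Pages _headers file against this checklist.
const REQUIRED = ['x-frame-options', 'x-content-type-options', 'referrer-policy',
  'permissions-policy', 'content-security-policy'];

// Constructed sample with deliberate mistakes (not a real site's file).
const SAMPLE = [
  '/*',
  '  X-Frame-Options: DENY',
  '  X-Content-Type-Options: nosniff',
  '  X-XSS-Protection: 1; mode=block',
  "  Content-Security-Policy: default-src 'self'; script-src 'self'",
].join('\n');

// An unindented line is a URL pattern; indented "Name: value" lines belong to it.
function parseHeadersFile(text) {
  const rules = {};
  let current = null;
  for (const raw of text.split(/\r?\n/)) {
    if (!raw.trim()) continue;
    if (!/^\s/.test(raw)) {
      current = raw.trim();
      rules[current] = rules[current] || {};
      continue;
    }
    const idx = raw.indexOf(':');
    if (current && idx !== -1) {
      rules[current][raw.slice(0, idx).trim().toLowerCase()] = raw.slice(idx + 1).trim();
    }
  }
  return rules;
}

// Findings for the catch-all "/*" rule; scriptOrigins are origins the pages load scripts from.
function lintHeaders(text, scriptOrigins = []) {
  const headers = parseHeadersFile(text)['/*'] || {};
  const findings = REQUIRED.filter((h) => !(h in headers)).map((h) => `missing ${h}`);
  if ('x-xss-protection' in headers) findings.push('remove x-xss-protection');
  const directives = (headers['content-security-policy'] || '')
    .split(';').map((d) => d.trim().split(/\s+/));
  // Browsers fall back to default-src when script-src is absent.
  const src = directives.find((d) => d[0] === 'script-src')
    || directives.find((d) => d[0] === 'default-src') || [];
  for (const origin of scriptOrigins) {
    // Exact source-expression match only; wildcard sources are not expanded.
    if (!src.includes(origin)) findings.push(`CSP does not allow scripts from ${origin}`);
  }
  return findings;
}

console.log(lintHeaders(SAMPLE, ['https://plausible.example.com']));
```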


GDPR

Use Plausible for analytics — self-hosted means no cookie consent banner needed, and no data leaves your infrastructure. Do not add Cloudflare Web Analytics (RUM) — it sets a cookie and requires a consent flow.

Disclose all data processors in the Datenschutzerklärung: Cloudflare CDN, analytics provider, error tracker, email API, payment processor. Sign DPAs for processors that require them. Any functional cookies (language preference, theme) should be disclosed in the privacy page but don’t require a consent banner.


Cloudflare setup

www → apex 301 redirect: use Cloudflare Redirect Rules, not Page Rules (those are retired). Rule: http.host eq "www.yourdomain.com" → https://yourdomain.com${http.request.uri.path} (301). The www DNS CNAME must be proxied (orange cloud).

Disable email obfuscation: Zone → Scrape Shield → Email Address Obfuscation → Off. Cloudflare’s email obfuscation breaks mailto: links by replacing them with JavaScript — it mangles your contact links and causes hard-to-diagnose failures.

Do not enable Cloudflare Web Analytics. We’ve disabled it on all our zones by policy — it’s unnecessary overhead given self-hosted analytics.


DNS and email

For any domain sending email:

  • SPF record: v=spf1 include:your-smtp-provider ~all
  • DKIM: provided by your email provider
  • DMARC: start with p=none; rua=mailto:dmarc@yourdomain.com. Monitor for 2–4 weeks before hardening to p=quarantine. Do not jump straight to p=reject without a rua tag — you’d be rejecting with no visibility into failures.
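The SPF and DMARC rules above, written as a check over the raw TXT values. This is an added example, not code from the original post; it goes slightly beyond the text by also flagging an SPF record that ends in `+all`, and the record strings are constructed.

```javascript
// Added example: lint raw SPF and DMARC TXT values against the checklist above.

// Split a DMARC record ("v=DMARC1; p=none; rua=...") into a lowercase tag map.
function parseDmarc(record) {
  const tags = {};
  for (const part of record.split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) tags[part.slice(0, eq).trim().toLowerCase()] = part.slice(eq + 1).trim();
  }
  return tags;
}

function lintDmarc(record) {
  const tags = parseDmarc(record);
  const findings = [];
  if (tags.v !== 'DMARC1') findings.push('missing v=DMARC1');
  if (!['none', 'quarantine', 'reject'].includes(tags.p)) findings.push('missing or invalid p=');
  if (!tags.rua) {
    // Without aggregate reports there is nothing to monitor before or after hardening.
    findings.push(tags.p === 'none'
      ? 'p=none without rua: monitoring collects nothing'
      : 'enforcing policy without rua: no visibility into failures');
  }
  return findings;
}

function lintSpf(record) {
  const terms = record.trim().split(/\s+/);
  const findings = [];
  if (terms[0].toLowerCase() !== 'v=spf1') findings.push('missing v=spf1');
  const all = terms.find((t) => /^[+\-~?]?all$/i.test(t));
  if (!all) findings.push('no terminal all mechanism');
  else if (/^\+?all$/i.test(all)) findings.push('+all authorizes every sender');
  return findings;
}

// Constructed records: the monitoring stage from the checklist, then a premature reject.
console.log(lintDmarc('v=DMARC1; p=none; rua=mailto:dmarc@example.com'));
console.log(lintDmarc('v=DMARC1; p=reject'));
console.log(lintSpf('v=spf1 include:_spf.example.net ~all'));
```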

Contact forms

Every form needs a honeypot field (not CAPTCHA — bad UX), HTML escaping on all inputs, and a CORS origin check. Rate limiting is worth adding once you have traffic that justifies the complexity.
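One way to combine the three checks in the form handler, as an added example that is not from the original post. `ALLOWED_ORIGIN` uses the page's placeholder domain; the honeypot field name `website`, the `name` and `message` fields, and the choice to answer a tripped honeypot with 200 are assumptions.

```javascript
// Added example: origin check, honeypot, and HTML escaping for a contact-form POST.
const ALLOWED_ORIGIN = 'https://yourdomain.com'; // placeholder domain from the page
const HONEYPOT = 'website'; // hypothetical field, hidden via CSS; a human never fills it

const ENTITIES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => ENTITIES[c]);
}

// originHeader: the request's Origin header; fields: plain object of parsed form fields.
function checkSubmission(originHeader, fields) {
  // Exact match, not startsWith/includes: "https://yourdomain.com.evil.example" must fail.
  if (originHeader !== ALLOWED_ORIGIN) return { status: 403, accepted: false };
  // Honeypot tripped: answer 200 so the bot gets no signal, but send nothing.
  if (String(fields[HONEYPOT] || '').trim() !== '') return { status: 200, accepted: false };
  const name = String(fields.name || '').trim();
  const message = String(fields.message || '').trim();
  if (!name || !message) return { status: 400, accepted: false };
  // Escape at the point of output, here the HTML body of the notification e-mail.
  const html = `<p><strong>${escapeHtml(name)}</strong></p><p>${escapeHtml(message)}</p>`;
  return { status: 200, accepted: true, html };
}

// Constructed submissions: a normal one, a bot that filled the honeypot, a foreign origin.
console.log(checkSubmission(ALLOWED_ORIGIN, { name: '<b>Ann</b>', message: 'Hi & "bye"' }));
console.log(checkSubmission(ALLOWED_ORIGIN, { name: 'x', message: 'y', website: 'spam' }));
console.log(checkSubmission('https://yourdomain.com.evil.example', { name: 'x', message: 'y' }));
```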


Launch day

Connect the GitHub repo to Cloudflare Pages and trigger the first deploy. Add the custom domain in Pages → Custom domains and verify HTTPS is active. Then:

  • Submit the sitemap to Google Search Console: https://yourdomain.com/sitemap-index.xml
  • Submit to Bing Webmaster Tools (covers ~10% additional reach)
  • Add the site to Plausible
  • Add the site to Uptime Kuma

Week one

Check GSC Coverage for crawl errors. Run URL Inspection on the homepage to confirm it’s indexed. Run URL Inspection on www.yourdomain.com — it should show “URL is not on Google” (confirming the redirect is working). Check Plausible to confirm analytics is recording.

In week two through four: identify pages ranking 11–20 in GSC with impressions — these are candidates for content improvement with the easiest wins. Request Google Business Profile if the site is a local or product business. Ask early customers for reviews.


Common mistakes

| Mistake | Fix |
| --- | --- |
| OG image is SVG | Use WebP or PNG, 1200×675. SVG is silently ignored by all social scrapers |
| Astro.url.pathname drops trailing slash in SSG | Always use the _pathname guard (see canonical section above) |
| X-XSS-Protection header added | Remove it |
| Named slot slot="head" silently drops | BaseLayout must have <slot name="head" /> inside <head> |
| Cloudflare email obfuscation left on | Disable it immediately — it breaks mailto: links |
| Missing explicit canonical on layout variants | If your layout doesn’t auto-derive canonical from URL, every page must pass it explicitly |
