Use Cookie-Free Domains with Cloudflare in WordPress

Seeing the "Use cookie-free domains" error in GTmetrix YSlow or Pingdom for your site?

GTmetrix reports

Why use Cookie Free Domains?

When the browser requests a static file and sends cookies with the request, the server ignores them. These cookies are unnecessary network traffic that increases page load time. It is therefore better to avoid cookies for static resources such as CSS, JS and image files. This is why speed test tools such as GTmetrix and Pingdom recommend serving static resources from a domain that doesn't set cookies.

Solutions

#1. Use a CDN to Serve Cookie-Free Content

Because unnecessary cookies can come from various sources, such as Cloudflare, analytics, the top-level domain name and so on, it's better to offload static resources completely to a unique CDN hostname.

  • Use Stackpath (formerly known as MaxCDN); it supports cookie-free domains.
Strip all cookies with Stackpath CDN

This method should work for sites using either the top-level (non-www) domain or the www alias.

Bonus tip: If you're using the Yoast SEO WordPress plugin, it is best to update the image paths in the XML sitemap. You can add the snippet below via the Code Snippets plugin.

// Rewrite image URLs in the Yoast XML sitemap so they point at the CDN hostname.
function wpseo_cdn_filter( $uri ) {
	return str_replace( 'https://example.com', 'https://example.stackpathcdn.com', $uri );
}
add_filter( 'wpseo_xml_sitemap_img_src', 'wpseo_cdn_filter' );

#2. Use Cloudflare only for DNS

Generally, you can't serve cookie-free content while also using Cloudflare's CDN (reverse proxy) service. Because of the way Cloudflare provides its services, it must add a special cookie, named __cfduid, that accompanies every HTTP request across the whole domain, as the Set-Cookie header in this response shows:

HTTP/1.1 200 OK
Date: Thu, 26 Mar 2020 15:37:09 GMT
Content-Type: image/vnd.microsoft.icon
Content-Length: 0
Connection: keep-alive
Set-Cookie: __cfduid=d36b1934da000d3fbc11e5a8e13fccde11585237029; expires=Sat, 25-Apr-20 15:37:09 GMT; path=/; domain=.gulshankumar.net; HttpOnly; SameSite=Lax; Secure
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
CF-Cache-Status: HIT
Age: 4650
Accept-Ranges: bytes
Expect-CT: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
X-Content-Type-Options: nosniff
Server: cloudflare
CF-RAY: 57a1f3878d3ad597-BOM
alt-svc: h3-27=":443"; ma=86400, h3-25=":443"; ma=86400, h3-24=":443"; ma=86400, h3-23=":443"; ma=86400

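Solution: To eliminate __cfduid cookies, keep Cloudflare in DNS-only mode, or switch to the Enterprise plan, which allows removing them but is costly. Alternatively, you can use the Sucuri performance and security solution, which doesn't set cookies with each request. In DNS-only mode, requests go directly to your origin server, so Cloudflare's proxy features, including Flexible SSL, no longer apply and the origin must have its own SSL certificate.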

How to check whether my domain/subdomain is cookieless?

Check in the Network tab of Chrome Developer Tools, or use GTmetrix.
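
The same check can be scripted. The following added example (not code from the original article) parses a response's Set-Cookie headers and applies RFC 6265 domain matching to list which cookies a browser would attach to requests for each hostname. The sample response, the example.com hostnames and the site_pref cookie are constructed for illustration.

```python
# Added example, not the article's code. SAMPLE is a constructed response;
# the hostnames and the site_pref cookie are placeholders.
SAMPLE = """\
HTTP/1.1 200 OK
Content-Type: image/png
Set-Cookie: __cfduid=constructed-value; expires=Sat, 25-Apr-20 15:37:09 GMT; path=/; domain=.example.com; HttpOnly; SameSite=Lax; Secure
Set-Cookie: site_pref=1; path=/
Server: cloudflare
"""


def parse_set_cookies(raw_headers):
    """Return one dict per Set-Cookie header: the name plus lower-cased attributes."""
    cookies = []
    for line in raw_headers.splitlines():
        field, sep, value = line.partition(":")
        if not sep or field.strip().lower() != "set-cookie":
            continue
        first, *attrs = [part.strip() for part in value.split(";")]
        cookie = {"name": first.partition("=")[0].strip()}
        for attr in attrs:
            key, _, val = attr.partition("=")
            cookie[key.strip().lower()] = val.strip()
        cookies.append(cookie)
    return cookies


def sent_to(cookie, response_host, request_host):
    """RFC 6265 domain matching only; Path and Secure are not evaluated."""
    domain = cookie.get("domain", "").lstrip(".").lower()
    request_host = request_host.lower()
    if not domain:  # host-only cookie: returned only to the host that set it
        return request_host == response_host.lower()
    return request_host == domain or request_host.endswith("." + domain)


def audit(raw_headers, response_host, static_hosts):
    """Map each candidate hostname to the cookie names a browser would attach."""
    cookies = parse_set_cookies(raw_headers)
    return {
        host: [c["name"] for c in cookies if sent_to(c, response_host, host)]
        for host in static_hosts
    }


if __name__ == "__main__":
    hosts = ["www.example.com", "static.example.com", "example.stackpathcdn.com"]
    for host, names in audit(SAMPLE, "www.example.com", hosts).items():
        print(f"{host}: {', '.join(names) or 'cookie-free'}")
```

A cookie set with a domain attribute covering the whole zone follows requests to every subdomain, which is why a static subdomain behind the Cloudflare proxy is not cookie-free while a separate CDN hostname is.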

Final words: I have tried my best to explain this tutorial to you. If you have any questions, or couldn't understand any part of this tutorial, please feel free to ask in the comment section below. I would be happy to reply to your queries.

Thanks!

49 thoughts on “Use Cookie-Free Domains with Cloudflare in WordPress”

  1. This tutorial is really helpful. But the only problem is with the Yoast image index. The code is not updating the image locale path in the Yoast sitemap. I think Yoast has changed something, due to which this functions.php code is not working. Is there any solution for this?

  2. Started working. I just disabled and re-enabled the Yoast sitemap and it started working, thanks. Your tutorial is really great. Thanks!

  3. I have followed your tutorial but how long will it take for the subdomain to resolve?
    I am using Direct Admin and Cloudflare.
    But if I go to my subdomain for testing, it would not work.

    My site is at http://www.scuba-dooby.com.

    Thanks a lot!

    • Hi Kristof,

      Sorry for the delayed response.
      Could you please elaborate on your question?
      I would like to answer it.

      Thanks

      • Dear Gulshan,

        I have figured out why it doesn't work: my provider has disabled this setting so his customers should use his CDN service.

        Thank you

  4. Thanks for this guide. This is by far the most thorough one I found on the subject. I especially like your "Pausing CF" trick, thanks 🙂

    • Actually, Cloudflare doesn't allow eliminating cookies. So this is the only way that we can use it just as a DNS manager. Thanks for stopping by!

  5. It seems to work except I get 404 errors for all my images. What am I missing? I use Speed Booster Pack, not W3 Total Cache, because my site loads faster with this plugin. I'm not good at coding. Is there an easy way to not get my images 404ed?

    • Have you pointed your subdomain to the public_html directory? If not, first make sure to do it as per your host's guidelines.

  6. Okay Sir! Can u plz give my site a visit and tell me how its speed is! Plz check, I feel it is slow, don't know y, or it can be my myth! Tnx in advance!

  7. Hello Sir, thank you very much for this tutorial. I managed to get 95/100 for that score and I'm quite happy because from F score to A is truly tremendous. Once again, thank you very much. 🙂

  8. Hi,
    This is really an excellent post for guidance on CDN. I followed all the instructions in your post, but I have a problem. When I pause Cloudflare, my website is not working, saying security error / threat etc.
    Can you help me solve this?

    • Hello,

      Thanks for the comment. I understand when you paused Cloudflare, it is saying security error. Okay, are you using HTTPS via Cloudflare Flexible SSL on your blog? If possible, kindly share a screenshot of the error. I would love to assist.

      Thanks & Regards,
      Gulshan

    • Thanks for the complete information. Let me tell you, once you pause Cloudflare service, their Flexible SSL will stop working. As a solution, you must have SSL at the origin server from your host side.

  9. Hi,
    I have seen a Cloudflare certificate in my host origin. Do I have to uninstall this certificate? If I uninstall it, then my website will have only http://, is that right?
    Do I really need to uninstall it?
    What is your opinion?

    • When you pause Cloudflare, you will be able to use a cookie-free subdomain.

      But…

      The problem then is that Flexible SSL for your site will not work.

      As a fallback, you must have real SSL installed on your web hosting server.

      If you can, then only proceed. Else, please continue with Cloudflare as usual.

      To use HTTPS, SSL is indeed required.

      Thanks

    • Hi John,

      You have to keep a separate domain as cookie-free. The process would be similar to having DNS records pointed to your main domain, and it should be accessible. If you want me to elaborate more on this in detail, please let me know.

      Thanks & Regards,
      Gulshan

  10. I have tried step by step but failed. I just noticed that it should use www; as for me, non-www … Can you help me with the best way? Should I buy a new domain or move to www (can I move to www, even if mine is non-www)? Thanks

  11. Hi, thanks for the guide. I have 1 question: I have SSL (Comodo SSL, no wildcard). I want to implement your guide; will it work? Or is wildcard SSL necessary?

  12. Thanks for the article. I have a question:
    When we update plugins, do we have to move/upload the new plugin folders to our cookieless domain?
    Is there a way to make this process automatic?
    Thanks.

  13. Bro, you can point CNAME values to the primary domain, but my host told me to point to the CDN URL… But when I point to the CDN URL, my subdomain SSL is not working, and I am also facing a subdomain server not found error…??

    • Ya, because your subdomain must be authorised to be used in your CDN. Please ask customer care for support. Another thing, SSL must be active.

  14. Hey,
    How do I move all static content to the cookie-free subdomain via the CDN Enabler plugin? I do not find any option for moving.

    • I have the same question.

      I did all the things in the tutorial, but when I check the source code on the site, all the CSS, JS and images are still pointing to www.domain.com instead of static.domain.com

      Did we forget something?

      Thanks
      Fabian

      • Please purge the cache. If you can share the website URL, I would be able to check what exactly is happening. Thanks.

  15. Hi,

    Thanks for the detailed procedures. I've followed all the steps, but finally my blog broke and no images are loading. I pointed the subdomain to public_html only. Could you please help?

    • It's because of a mixed content error; your subdomain must support HTTPS if your primary domain uses HTTPS.

  16. Hi, thanks for the very informative post. I'm wondering, if ever you set up the subdomain correctly, how would you upload and manage all images from there?

    Your answer would be greatly appreciated.

    Thanks!

    • A subdomain is typically a hostname that should point to the same directory where your WordPress exists. So, it has nothing to do with moving files.

  17. Thank you so much, Sir. Your valuable comments are really helpful to resolve my problem. I am really impressed.

  18. Hi,

    I followed all your instructions and they were very helpful. I was able to set the subdomain as cookieless to serve static content, but now Pingdom is complaining of too many redirects from my static domain to the main domain and decreasing the overall score. Can you please suggest what can be done to resolve this?

  19. Hello, I have a problem with my domain, which is motorevistacr.com without the www, but according to the Pingdom metrics I must configure the problem of serving the data. I have tried other tutorials and the site is broken. I do not know if it is a Cloudflare problem? Would you help me? Thank you.

  20. I tried out your guide; I must say you did a good job explaining. But I am still not able to get a cookie-free domain, even though I have SSL for both the domain and subdomain. Maybe I am having an issue with Cloudflare.
    Any suggestions?

    • You have to disable the Cloudflare reverse proxy (I mean, keep your domain's record in grey mode to use only DNS) in order to get a cookie-free domain.

  21. It all sounds good but the images are not appearing in this article so it becomes confusing when you refer to see this image. Great if you can fix this
