Last Updated: March 8, 2026 (Session 236) Difficulty: Beginner — no coding needed, just clicking in dashboards Time Required: 30-45 minutes (plus up to 24h for DNS propagation) Prerequisites: Cloudflare account (free), a domain registrar account Cost: Domain ~$10-15/year, everything else free
| Feature | Without Custom Domain | With Custom Domain |
|---|---|---|
| URL | global-anti-ccp-resistance-hub.stane203.workers.dev |
resistance-hub.org |
| Tor / .onion access | ❌ Not available | ✅ Automatic |
| Email forwarding | ❌ Not available | ✅ Free via Cloudflare |
| SEO & link sharing | ✅ Professional, memorable | |
| DNSSEC | ❌ Not available | ✅ Free |
| Custom security rules | Limited | Full Cloudflare suite |
- Open your browser and go to dash.cloudflare.com
- Log in to your Cloudflare account
- Look at the left sidebar → click "Domain Registration"
- Click "Register Domain" (blue button)
- In the search box, type your desired domain (e.g.,
resistance-hub.org) - Cloudflare shows available domains with prices.
.orgdomains are typically ~$10-12/year - Click "Purchase" next to your chosen domain
- Fill in the registration form:
- Name, address, etc. (required by ICANN, but Cloudflare automatically enables WHOIS privacy — your details will NOT be public)
- Enter payment (credit card or PayPal)
- Click "Complete Purchase"
✅ Done! The domain is already on Cloudflare — skip straight to Part 2 Step 4 below.
If you already own a domain or prefer another registrar:
Privacy-friendly registrars:
- Njalla (njal.la) — Maximum anonymity, registers domains on their behalf, accepts crypto
- Porkbun (porkbun.com) — Affordable, free WHOIS privacy
- Namecheap (namecheap.com) — Budget option, free WHOIS privacy
After purchasing, continue to Part 2 below.
If you bought the domain through Cloudflare Registrar, skip to Step 4 — your domain is already on Cloudflare.
- Go to dash.cloudflare.com
- On the home page, you'll see a blue button at the top: "Add a site" — click it
- Type your domain name (e.g.,
resistance-hub.org) into the text field - Click "Continue"
You'll see a plan selection page with options ranging from Free to Enterprise.
- Scroll down to the "Free" plan (bottom option, $0/month)
- Click "Continue" on the Free plan
Cloudflare will now scan your domain for existing DNS records. This takes 10-30 seconds.
This is the most important step. Cloudflare will show you a page that says:
"Change your nameservers"
Remove any existing nameservers and add the following:
nina.ns.cloudflare.comart.ns.cloudflare.com
(Your actual nameservers will be different — use what Cloudflare shows you)
Now go to your domain registrar:
If you used Porkbun:
- Log in to porkbun.com → Domain Management
- Click your domain → Nameservers (or "Edit" next to nameservers)
- Delete the existing entries
- Add the two Cloudflare nameservers exactly as shown
- Click Save
If you used Namecheap:
- Log in to namecheap.com → Domain List → click Manage next to your domain
- In the Nameservers section, select "Custom DNS" from the dropdown
- Enter the two Cloudflare nameservers
- Click the green checkmark to save
If you used Njalla:
- Log in to njal.la → click your domain
- Go to Nameservers tab
- Replace existing nameservers with Cloudflare's
- Click Update
After changing nameservers:
- Go back to the Cloudflare tab
- Click "Done, check nameservers"
- Cloudflare will email you when nameservers are active (usually 5-30 minutes, sometimes up to 24 hours)
- Go to dash.cloudflare.com
- Click on your domain in the list
- Look at the top of the page — you should see a green "Active" status
- If it still says "Pending", wait a bit longer and refresh
⏳ Note: If you just changed nameservers, it can take up to 24 hours in rare cases. Usually it's 5-30 minutes.
Now we'll point your new domain to the existing Workers deployment.
- From the Cloudflare dashboard home, look at the left sidebar
- Click "Workers & Pages"
- You'll see a list of your deployed projects
- Click on "global-anti-ccp-resistance-hub" (your worker)
- You're now on the worker's overview page
- Click the "Settings" tab at the top
- In the left sidebar (or section list), click "Domains & Routes"
- You'll see a section called "Custom Domains"
- Click the "Add +" button (or "Add Custom Domain")
- Type your domain:
resistance-hub.org(or whatever you registered) - Click "Add Custom Domain"
Cloudflare will automatically:
- Create the DNS record pointing to your worker
- Provision an SSL certificate (takes 1-2 minutes)
Repeat the process:
- Click "Add +" again
- Type
www.resistance-hub.org - Click "Add Custom Domain"
- Open a new browser tab
- Go to
https://resistance-hub.org(your domain) - You should see the Resistance Hub site! 🎉
- Also try
https://resistance-hub.org/api/v1/— should show the API response
⏳ If it doesn't work immediately, wait 2-5 minutes for the SSL certificate to be issued. You can check the status on the Settings → Domains & Routes page — look for a green "Active" badge.
- From the Cloudflare dashboard, click your domain in the left sidebar (or go to dash.cloudflare.com and click your domain)
- In the left sidebar, click "SSL/TLS"
- Click "Overview"
- You'll see a section showing your encryption mode with 4 options:
- Off
- Flexible
- Full
- Full (strict) ← Click this one
- The page auto-saves — you'll see a green confirmation
- Still in SSL/TLS section, click "Edge Certificates" in the sidebar
- Scroll down to find "Always Use HTTPS"
- Toggle it ON (switch should turn blue/green)
This automatically redirects any http:// visitors to https://.
- Still on the Edge Certificates page, scroll down to "HTTP Strict Transport Security (HSTS)"
- Click "Enable HSTS"
- A warning dialog appears — read it, then click "I understand"
- Set these values:
- Max-Age:
12 months(select from dropdown) - Include subdomains: ✅ ON
- Preload: ✅ ON
- No-Sniff: ✅ ON
- Max-Age:
- Click "Save"
Open your terminal or command prompt and run:
curl -I https://resistance-hub.orgYou should see:
HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
This is the feature that only works with a custom domain — it's why we're doing all this!
- From the Cloudflare dashboard for your domain
- In the left sidebar, click "Network"
- Scroll down the page until you see "Onion Routing"
- Toggle it ON
That's it. Cloudflare automatically:
- Generates a unique
.onionaddress for your site - Adds an
Onion-Locationheader to every response - Tor Browser users see a 🟣 purple ".onion available" pill in the address bar
- Download and open Tor Browser
- Navigate to
https://resistance-hub.org - Look at the address bar — you should see a purple pill icon: ".onion available"
- Click the pill → you'll be redirected to the
.onionversion - The site loads identically but through Tor's encrypted onion network
💡 Why this matters: Users in censored regions (China, Iran, etc.) can access the site through Tor without revealing they're visiting a human rights website.
DNSSEC prevents DNS spoofing attacks — someone pretending to be your domain.
- In the left sidebar, click "DNS"
- Click "Settings" (tab at top of DNS page)
- Find "DNSSEC" → Click "Enable DNSSEC"
- ✅ Done — Cloudflare handles everything automatically
- In Cloudflare dashboard → DNS → Settings → "Enable DNSSEC"
- Cloudflare shows you a DS record — it looks like this:
DS Record: Key Tag: 2371 Algorithm: 13 Digest Type: 2 Digest: abc123def456... - Go to your registrar's domain settings
- Find "DNSSEC" or "DS Records"
- Add the DS record from Cloudflare
- Save
Get professional email addresses like admin@resistance-hub.org that forward to your personal email.
- In the Cloudflare left sidebar, click "Email"
- Click "Email Routing"
- If it's your first time, click "Get Started"
- You'll be asked to add a destination address — enter your personal email
- Cloudflare sends a verification email → go check your inbox and click the link
After verification:
-
Click "Routing Rules" tab
-
Click "Create address"
-
Create these addresses (one at a time):
Custom address Forwards to admin@resistance-hub.orgyour personal email security@resistance-hub.orgyour personal email tips@resistance-hub.orgyour personal email press@resistance-hub.orgyour personal email -
For each: type the address prefix (e.g.,
admin), select your verified destination, click "Save"
To receive email sent to any address at your domain:
- At the bottom of Routing Rules, find "Catch-all address"
- Set the action to "Send to an email destination address"
- Select your personal email
- Click "Save"
Now update the codebase references to use your new domain.
- Go to Workers & Pages → click your worker
- Click "Settings" → "Variables"
- Add or update:
VITE_SITE_URL=https://resistance-hub.org - Click "Save and Deploy"
Edit these files and replace the old URL with your new domain:
public/sitemap.xml — Find any workers.dev URLs and replace with your domain:
<loc>https://resistance-hub.org/</loc>public/robots.txt — Update the sitemap URL:
Sitemap: https://resistance-hub.org/sitemap.xml
index.html — Update Open Graph meta tags (for link previews on social media):
<meta property="og:url" content="https://resistance-hub.org" />npm run build
npx wrangler deployIf anyone has bookmarked the old *.workers.dev URL, you can redirect them.
- Go to your domain in the Cloudflare dashboard
- Left sidebar → "Rules" → "Redirect Rules"
- Click "Create rule"
- Set up the rule:
- Rule name: "Redirect old workers.dev"
- When incoming requests match: Custom filter expression
- Field:
HostnameOperator:equalsValue:global-anti-ccp-resistance-hub.stane203.workers.dev - Then redirect to:
https://resistance-hub.org+ same URI path - Status code:
301(Permanent Redirect)
- Click "Deploy"
⚠️ Note: This only works if the workers.dev hostname passes through this domain's Cloudflare zone. If it doesn't, the old workers.dev URL will simply continue to work alongside the new one (which is fine).
Go through each of these in the Cloudflare dashboard for your domain:
- Left sidebar → "Speed" → "Optimization" → "Content Optimization"
- Auto Minify: Turn ON for
JavaScript,CSS, andHTML - Brotli: Toggle ON
- Early Hints: Toggle ON
- Auto Minify: Turn ON for
- Left sidebar → "Network"
- HTTP/3 (with QUIC): Toggle ON
- 0-RTT Connection Resumption: Toggle ON
- WebSockets: Toggle ON (in case you add real-time features later)
- Left sidebar → "Security" → "Bots"
- Bot Fight Mode: Toggle ON
- This blocks known bad bots while allowing legitimate crawlers (Google, Bing)
- Left sidebar → "Security" → "WAF"
- You can create custom rules to block traffic from specific countries if needed
- The API worker already has rate limiting (100 req/min per IP), so this is usually not needed
After finishing all parts above, verify everything is set:
| ✅ | Setting | Where to Check |
|---|---|---|
| ☐ | Domain resolves to your site | Visit https://your-domain.com |
| ☐ | SSL mode is "Full (strict)" | SSL/TLS → Overview |
| ☐ | "Always Use HTTPS" is ON | SSL/TLS → Edge Certificates |
| ☐ | HSTS is enabled | SSL/TLS → Edge Certificates |
| ☐ | DNSSEC is enabled | DNS → Settings |
| ☐ | Onion Routing is ON | Network |
| ☐ | HTTP/3 is ON | Network |
| ☐ | Bot Fight Mode is ON | Security → Bots |
| ☐ | Auto Minify is ON | Speed → Optimization |
| ☐ | Brotli is ON | Speed → Optimization |
| ☐ | API works at /api/v1/ |
Visit https://your-domain.com/api/v1/ |
| ☐ | Tor Browser shows .onion pill | Open site in Tor Browser |
- Wait longer — DNS propagation can take 5 minutes to 24 hours
- Check nameservers: Run
dig your-domain.org NS— should show Cloudflare nameservers - Verify in Cloudflare: Dashboard should show domain status as "Active" (green)
- Go to SSL/TLS → Overview → Set mode to "Full (strict)" (not "Flexible")
- If still broken: temporarily turn OFF "Always Use HTTPS" to test
- Custom domain SSL certificates can take up to 15 minutes to issue
- Check: Workers & Pages → your worker → Settings → Domains & Routes → look for green "Active" status
- If stuck: remove the custom domain and re-add it
- This ONLY appears when you have a custom domain (not on
*.workers.dev) - Make sure you're looking at your domain settings, not the worker settings
- Path: dash.cloudflare.com → [your domain] → Network → Onion Routing
- Clear Tor Browser cache: ☰ menu → Settings → Privacy → Clear Data
- Make sure you're visiting the
https://version (nothttp://) - Verify the header:
curl -I https://your-domain.com— look forOnion-Location:in the response
- Check that you verified the destination email (Cloudflare sent a confirmation link)
- Go to Email → Email Routing → check that MX records are set correctly (Cloudflare usually does this automatically)
- Check your spam folder
| Item | Cost | Notes |
|---|---|---|
| Domain registration | ~$10-15/year | Depends on TLD (.org, .com, etc.) |
| Cloudflare plan | Free | Free plan is sufficient |
| SSL certificate | Free | Auto-issued by Cloudflare |
| Onion Routing (Tor) | Free | Included in free plan |
| Email Routing | Free | Up to 200 email addresses |
| DNSSEC | Free | Included in free plan |
| Workers (100K req/day) | Free | Free plan limit |
| CDN / caching | Free | Included in free plan |
| Total | ~$10-15/year | Domain is the only cost |
If you're concerned about your identity being linked to this project:
-
Cloudflare Registrar — Automatically hides your WHOIS info with their redaction service. Your name/address is NOT publicly visible. However, Cloudflare knows who you are.
-
Njalla (njal.la) — Registers the domain on THEIR behalf. Even the registrar records show Njalla's info, not yours. Accepts cryptocurrency. Highest anonymity.
-
Porkbun / Namecheap — Free WHOIS privacy that hides your info behind a proxy service. Standard level of privacy.
-
Payment anonymity — If paying with crypto: use Monero (XMR) for maximum privacy, or use CoinJoin-mixed Bitcoin. Njalla is the only registrar above that accepts crypto directly.
⚠️ Important: Even with WHOIS privacy, your registrar knows your identity. If you need maximum protection, use Njalla with cryptocurrency and a VPN.