Thanks for asking.
I might not be so familiar with it, but the least I know is required is to set the “Minimum TLS version” option at least to 1.2 at Cloudflare dashboard → SSL/TLS → Edge Certificates for your domain name.
Furthermore, make sure to have a valid SSL certificate at your origin host/server and use proper “Full (Strict) SSL” option at SSL/TLS tab.
I’d also suggest enabling the “Automatic HTTPS Rewrites”, “Always Use HTTPS”, “HTTP Strict Transport Security (HSTS)” and “TLS 1.3” options.
All that can be applied even on a Free plan as far as I know.
Nevertheless, Pro plan offers “Web Application Firewall” (Managed WAF Rules), “Cloudflare Managed Ruleset” and “Package: OWASP ModSecurity Core Rule Set” which we can enable with a single click and configure per demand.
Combining this with custom Firewall Rules and other security & protection options we have at Cloudflare, per our need, we get a really good one.
You could also enable Rate Limiting for some specific requests to protect the checkout/cart/payment page and login pages too.
Despite this, Pro plan has got an option to “Configure Super Bot Fight Mode” to challenge “Definitely automated” bots.
Furthermore, you can use Firewall Rules to block Amazon AS numbers - there are multiple as far as I remember - and even more like old HTTP/1.0 requests, or block some known “bad” user-agents, crawlers, etc.
Under the Firewall Settings, you can set the Security Level, Challenge Passage, enable Browser Integrity Check and a few others.
You could also track your Firewall Events and check for anything suspicious being challenged or blocked; that way you can tune up and adapt your security settings as you need.
Using Cloudflare Scrape Shield, you can protect written e-mail addresses in your HTML content of a webpage by enabling Email Address Obfuscation for example.
And, I’d suggest using Advanced Certificate Manager (also called Dedicated SSL) at Cloudflare, if possible in that case.
In other words, the Business plan offers to configure the strong ciphers which are required by the PCI DSS 3.2 → maybe that’s the trick here
If so, I’d suggest using “Minimum TLS - 1.3” and re-checking the ciphers via online tools like SSL Labs.
If some “vulnerable” appear, on Business plan it can be disabled and only the “high / strong” ones enabled.
So, if we use “Minimum TLS - 1.2”, we might get the report on SSL Labs for some “old” or “vulnerable” ones which are used and which at Business plan we can disable.
Nevertheless, in terms of the ciphers, here is the list:
I’d go with Pro plan, and make sure all the above stated is applied (not set Minimum TLS to 1.2, rather to 1.3 → despite some “services” or “users” couldn’t open the Website due to some “old” web browser or OS which doesn’t support TLS 1.3 nowadays?).
Last but not least, kindly see more by reading Cloudflare articles which contain a lot of helpful information for better understanding and usage as well in terms of Security and Protection:
Could be I am wrong about this.
Kindly and patiently wait for another reply on this topic.
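The reply above recommends re-checking which cipher suites your edge still offers after changing the Minimum TLS setting. As an added example (not from the post or from Cloudflare), this small Python audit classifies OpenSSL-style cipher names the way an SSL Labs report would flag them; the grading rules and the sample suite list are my own assumptions, not scan output from any real domain.

```python
import re

# Constructed sample: the kind of list "openssl ciphers -v" or an SSL Labs
# report shows for a TLS 1.2/1.3 endpoint. Not real scan output.
SAMPLE_SUITES = [
    "TLS_AES_256_GCM_SHA384",            # TLS 1.3
    "TLS_CHACHA20_POLY1305_SHA256",      # TLS 1.3
    "ECDHE-ECDSA-AES128-GCM-SHA256",
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-SHA",              # CBC mode with HMAC-SHA1
    "AES128-GCM-SHA256",                 # static RSA key exchange, no forward secrecy
    "DES-CBC3-SHA",                      # 3DES
    "RC4-SHA",
]


def classify_suite(name):
    """Return ('strong' | 'weak' | 'insecure', reason) for an OpenSSL-style suite name.

    Heuristic grading (assumption): broken primitives are insecure; anything without
    ephemeral key exchange or without an AEAD cipher is weak; the rest is strong.
    """
    n = name.upper()
    if re.search(r"RC4|DES|EXPORT|NULL|ANON|ADH|AECDH|MD5", n):
        return "insecure", "broken, anonymous or export-grade primitive"
    if n.startswith("TLS_"):
        # TLS 1.3 suites are all AEAD with ephemeral key exchange by design.
        return "strong", "TLS 1.3 AEAD suite"
    if not n.startswith(("ECDHE-", "DHE-")):
        return "weak", "no forward secrecy (static RSA key exchange)"
    if not any(tag in n for tag in ("GCM", "CHACHA20", "CCM")):
        return "weak", "CBC mode with HMAC (not AEAD)"
    return "strong", "ephemeral key exchange + AEAD"


def audit(suites):
    """Group suites by verdict; a clean profile has only 'strong' entries."""
    report = {"strong": [], "weak": [], "insecure": []}
    for suite in suites:
        verdict, reason = classify_suite(suite)
        report[verdict].append((suite, reason))
    return report


def passes(suites):
    """True when nothing weak or insecure is offered, i.e. nothing left to disable."""
    report = audit(suites)
    return not report["weak"] and not report["insecure"]


if __name__ == "__main__":
    for verdict, entries in audit(SAMPLE_SUITES).items():
        for suite, reason in entries:
            print(f"{verdict:9} {suite:35} {reason}")
```

Paste the suite names from your own SSL Labs result into SAMPLE_SUITES; every entry reported as weak or insecure is a candidate for disabling in the Business plan cipher settings.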