Problems setting up my domain on Cloudflare


I’m new to all this, so I’ve been struggling. I bought a domain on Namecheap for a full-stack app that I made and initially deployed on Heroku, and I’m trying to get my custom domain working properly with Cloudflare. I’ve looked online, watched tutorials, done trial and error, etc., but I can’t seem to get my app working how I want with my new domain. I want users to be redirected to when they enter any of the following variations (see domains on left side of screenshot):

Right now, it only works if I type in my domain beginning with “https://www”. None of the other variations work. When I try to type in any other variation, I just get the error in the browser that says, “This site can’t be reached” with nothing displayed in the browser.

This is what I have set up (see right side of my screenshot):

First of all, I don’t know if this setup is correct. “vast-gooseberry-g65purh1gdxd…” is the DNS Target from Heroku, and is for my domain with www. There is another DNS Target from Heroku too, for my domain without the www. I’m not sure if I should add this here too. At the top of my screenshot, it says, “Add an A, AAAA, or CNAME record for your root domain so that lucky-student will resolve.” I’m not sure what to add. When I try to add something, I don’t know what to input for the IPv4 address.

Another thing that I have set up in Cloudflare is a Page Rule. This is the Page Rule that I added:
Always Use HTTPS

Finally, my SSL/TLS encryption mode is set to “Full”.

I also added my two Cloudflare nameservers in Namecheap, under the Custom DNS setting.

I would appreciate any help or suggestions. I’ve tried so many different things, so now I’m a little confused. Please let me know what I did wrong in my settings and what I can do. I may also need to fix my settings in Heroku or Namecheap, but I don’t know. Like I said, it’s my first time attempting to do this, so I don’t know enough. Thank you so much.


Here we go

Also, you don’t have the actual record that you want to use for the naked domain.


Thank you so much. Your instructions were clear and everything worked well. I got all my redirects working and HTTPS and everything was good.

But then suddenly today, when I tried logging in to my app, the padlock was gone when I was entering my password to log in, and it says “Dangerous”. And then a message pops up and says, “Your password may be compromised”. This is a screenshot:

When you go to my domain, everything is good. The padlock is there and it’s secure. It’s when I try to log in that it changes to “Dangerous”.

I don’t know if this has anything to do with the changes I made to get my domain working. How did this happen and what can I do to fix it? This is my domain for reference:

Thank you for your help,


That appears to be something Chrome specific. You best clarify on a Google forum why they show that warning.


I just started using Cloudflare, so I’m still new here, but over the weekend I was finally able to get the domain to my full-stack app secure. Everything was working well. All my redirects were working, I had my SSL Certificate, and I had HTTPS like I wanted. Today, I was trying my app, and now when I tried to log in to my app, the padlock is gone, and now it says “Dangerous”. And when I click on it for more information, it says “Your password may be compromised”. This is a screenshot:

How did this happen and what can I do to fix it so that it is secure and working like it was before?

Thank you,


That’s straight from your browser. It could be that your browser knows you entered your password there before it was secured and is now warning you. That domain does not show up in Google’s site transparency report. Try Incognito mode. Or a different device with Chrome.

For reference, I just tried logging in with bogus credentials and I didn’t get this warning (but due to how it detects logins, it did show “do you want to save your password”). Regardless, this wouldn’t be something with Cloudflare.

Edit: It looks like the issue is a combination of that password you entered being re-used on other websites, and from some combination of signals that try to tackle completely new spear-phishing sites that safe browsing can’t label yet. This most likely includes the signal that your domain was registered only three weeks ago, the domain just received SSL (yesterday), the domain has common phishing keywords in it (like lucky).

I just tried entering a password I used to re-use a lot (no longer use at all) and got this:

After enough time and enough legitimate users log into your website for Chrome to decide it’s not some phishing site, this will probably go away even if a user is re-using passwords.

Thank you for your response. I tried incognito mode and I still get the warning. However, when I used Chrome on my phone, I did not. When I tried it on Chrome on my phone, I got the message: “Save password?” Also, when I tried it on Firefox, it was fine and it did not say “Dangerous”. It seems to only be happening on my Chrome browser on my laptop. I suppose that my browser would know that I entered this password before it was secured, since I did that a lot in order to test my app.

Thank you for your response. I wasn’t sure if this had anything to do with Cloudflare or not, so I thought I’d ask. After I read what you wrote, I created a different test account and logged in, and it was fine. I did not get the warning. As I mentioned in my reply to “sdayman”, I tried incognito mode and I still get the warning. However, when I used Chrome on my phone, I did not. When I tried it on Chrome on my phone, I got the message: “Save password?” Also, when I tried it on Firefox, it was fine and it did not say “Dangerous”.

It seems like I should just wait and give it some time, especially since, as you said, my domain was registered only three weeks ago and just received SSL yesterday.

Thank you for your response.


Okay. I wasn’t really sure, so I thought I’d ask. Thank you for your suggestion.

