This guide covers the complete setup of Cloudflare R2 Object Storage (zero egress fee, S3-compatible free storage) for website/forum remote media storage, including backend admin configuration, API key setup, CORS rules, custom domain binding, and standard BBCode embedding methods for images & download links.
Bucket Page → Settings → CORS Policy → Edit → Paste the following JSON:
[
{
"AllowedHeaders": ["*"],
"AllowedMethods": ["GET", "HEAD"],
"AllowedOrigins": ["*"],
"ExposeHeaders": []
}
]
Production Optimization: Replace ["*"] with your forum domain (e.g. ["https://yourforum.com"]) to improve security.
Syntax
Example
Syntax
Custom Download Text
Example
Download Official User Manual
Syntax

Example

Part 1: Preparations & R2 Service Activation
Cloudflare R2 is a zero-egress-fee S3-compatible object storage, permanent free quota: 10GB storage, unlimited public download traffic, no bandwidth charges. It is the best alternative to AWS S3 for forum image beds and file hosting.1. Preconditions
- Valid Cloudflare account (free plan is fully available)
- Bound payment method (Visa/MasterCard/PayPal, no deduction within free quota, mandatory for activating R2 service)
2. Activate R2 & Create Bucket
- Log in to Cloudflare Dashboard → Left sidebar R2 Object Storage
- Click Enable R2, complete payment method verification
- Click Create Bucket, input custom bucket name (all lowercase, no special symbols)
- Storage location: Select Asia-Pacific for fastest domestic access
- Save and enter the bucket management panel
Part 2: Backend Admin Configuration (Core Setup)
R2 is fully compatible with S3 API. We need to configure R2 API Access Keys (for website backend upload/delete) and CORS rules (for forum BBCode normal display).1. Generate R2 API Credentials (Backend Authorization)
Used for forum/website backend binding, realizing file upload, overwrite, list and delete permissions.- R2 Overview Page → Click Manage R2 API Tokens
- Create API Token → Set custom token name (e.g. forum-r2-storage)
- Permission scope: Select Edit & Read (full bucket operation permissions)
- Bucket scope: Bind the newly created bucket
- Generate and save three core credentials (only displayed once):
- Account ID (Cloudflare account unique ID)
- Access Key ID
- Secret Access Key
Critical Reminder: The Secret Key cannot be retrieved after refresh. Please back it up securely!
2. R2 Bucket CORS Configuration (Fix Broken Images)
Default R2 cross-origin restrictions will cause forum embedded images to fail to load. Add universal CORS rules to adapt all forum programs.Bucket Page → Settings → CORS Policy → Edit → Paste the following JSON:
[
{
"AllowedHeaders": ["*"],
"AllowedMethods": ["GET", "HEAD"],
"AllowedOrigins": ["*"],
"ExposeHeaders": []
}
]
Production Optimization: Replace ["*"] with your forum domain (e.g. ["https://yourforum.com"]) to improve security.
3. Public Access & Custom Domain Configuration (Optional)
R2 default public file access is allowed, no need to manually turn off block rules like S3.- Bucket → Settings → Public Access → Custom Domains
- Connect your custom domain (e.g. img.yourdomain.com)
- Automatically apply Cloudflare SSL certificate, enable HTTPS access
Part 3: Standard R2 URL Structure & BBCode Usage
After backend configuration is completed, users can use standard BBCode tags to embed R2 images and files in forum posts.1. R2 Standard File URL Format
Official Default DomainCustom Domain (Recommended)https://<ACCOUNT_ID>.r2.cloudflarestorage.com/<BUCKET_NAME>/<FILE_NAME>
https://img.yourdomain.com/<FILE_NAME>
2. Universal BBCode Usage Tutorial
A. Embed R2 Image (Image Display)
Applicable to jpg/png/gif/webp and other image formats, directly rendered in posts.Syntax
Example
B. File Download Link (PDF/ZIP/Document)
Applicable to non-image files, create clickable download text links.Syntax
Custom Download Text
Example
Download Official User Manual
C. Clickable Image Thumbnail (Image Button)
Realize click image jump to specified website, suitable for buttons/advertising diagrams.Syntax
Example

Part 4: Fault Troubleshooting Table
| Fault Phenomenon | Root Cause | Solution |
|---|---|---|
| 403 Access Denied | 1. API token permission insufficient2. File private access enabled3. URL path error | Re-generate Edit-level API token; confirm file public access; check URL spelling |
| Backend cannot upload files | 1. Wrong Account ID/Key2. Endpoint not R2 standard address3. No full bucket permission | Fill in correct R2 endpoint: https://r2.cloudflarestorage.com; verify token permissions |
| Broken image icon in posts | 1. CORS rule not saved or error2. File expired/ deleted3. HTTP non-HTTPS link | Re-save CORS configuration; use full HTTPS URL; re-upload missing files |
| Direct access normal, forum embedding failed | Browser cross-origin cache restriction | Clear browser cache; refresh CORS policy; wait 1-2 minutes for rule take effect |
Part 5: Administrator Complete Checklist
R2 service activated + bucket created successfully
Valid Account ID + R2 API Access/Secret Key backed up
Standard CORS policy configured to solve cross-origin errors
Website/Forum backend filled with R2 endpoint and key information
Custom domain bound (optional) + SSL effective
Test upload image, verify BBCode renders normally
[*]✅ Test file download link to ensure no 403/404 errors
[/LIST]
[HR][/HR]
[HEADING=1]Part 6: Security & Usage Notes[/HEADING]
[LIST]
[*][B]Zero Fee Advantage[/B]: R2 has no outbound traffic fees, unlimited public download, only excess storage capacity is charged
[*][B]Key Security[/B]: Do not disclose R2 Secret Key in posts, prevent malicious upload and deletion
[*][B]File Specification[/B]: Do not upload sensitive/private files to public buckets
[*][B]Rule Optimization[/B]: Formal forums replace wildcard CORS with fixed domain names to prevent cross-site abuse
[*][B]Cache Acceleration[/B]: Custom domain automatically enables Cloudflare global CDN, faster access than official domain
[/LIST]