Uit De Vliegende Brigade
Naar navigatie springen Naar zoeken springen

CloudFlare is a service for CDN (Content Delivery Network), but also as front-end proxy fore security. I have some mixed feelings about it.

This article is about using CloudFlare for security - Maybe what's called Web Application Firewall (WAF)?


  • Blocking visitors from choosen countries or even continents
  • Defense against DDOS
  • An extra defense layer
  • It doesn't take resources from the actual webserver, as it is a front-end proxy.


Own experience:

  • It seems to generate errors: At times, visitors see a CloudFlare error page in stead of the site
  • Inconvenient that DNS entries are now administrated somewhere else
  • Issues with Klaviyo (email marketing): Some extra DNS-related settings were needed

Some remarkable negative views - halfway the page. They might be all correct, but how significant are these criticisms?

  • by using cloudflare, you add a point of failure between web server and visitors
  • Cloudflare may not speed up your pageload
  • Cloudflare may get your website penalized by Google.
  • Cloudflare inject code into your HTTP headers
  • Cloudflare may deliver the wrong version of a page
  • Cloudflare makes you believe that it protects your server against bots. In fact, a clever bot can start many handshakes with your servers and crash your server even behind cloudflare. (Syn DDOS attack)
  • Cloudflare may modify your code and you didn’t want Cloudflare to modify your code. (HTML minify, removing comments, adding JS lines)
  • Using cloudflare is like handing over your house keys to someone. You get dependent on cloudflare to deliver your content.
  • Cloudflare can spy on your data and the data of your website visitors since their servers stand in the middle between two HTTPS chains.
  • Cloudflare can decide to shut down the connectivity to your web server.