Do not put your site behind Cloudflare if you don't need to

> For your small blog with one hundred visitors per month, it's probably the same: "no one will burn their DDoS capabilities on you!"

If this is their core argument for not using CDN, then this post sounds like a terribly bad advice. Hopes and prayers do not make a valid security strategy. Appropriate controls and defenses do. The author seems to be completely missing that it takes only a few bucks to buy DDoS as a service. Sometimes people do DDoS your small blog because some random stranger didn't like something you said somewhere online. Speaking from experience. Very much the reason I'm posting this with a throwaway account. If your website receives DDoS, your hosts will take down your server. Nobody wants to be in this situation even if for a personal, small blog.

If we're talking about putting static assets (like basic websites) on their CDN, or moving your backend to Workers, (etc...) you are by definition moving _away_ from single point-of-failure.

> Maybe that's the core of this message. Face your fears. Put your service on the internet. Maybe it goes down, but at least not by yet another Cloudflare outage.

Well I'd rather have my website going down (along with half the internet) be the concern of a billion dollar corporation with thousands of engineers - than mine.

I administer a PHP website with very little legit traffic per month, but a few thousand pages probably. The bot traffic is crazy. We're not using Cloudflare for that site, but we're using a local static-page cache... and without it, the site simply can't function.

You don't need to be the target of a dDoS to use a CDN.

Also, using CDNs (Fastly via Github pages, not Cloudflare, in this case) once allowed us to be featured in a very large newspaper without worries, extra expenses, or extra work.

The problem is, we need to. It’s simply insane how many stupid, malicious requests we get without it, and we honestly are a small, unimportant site.

If we don’t filter all this crap out, our metrics become basically meaningless, and our Data Warehouse, whose analyses we need to do business with our partners, would be one big „shit in, shit out“ travesty.

And on the other hand, becoming non-affected by today’s Cloudflare incident was a single DNS update away, and effective in under a minute.

I’m not saying we are perfectly happy, and I don’t exactly love the Cloudflare bill, but just slapping them in front of our loadbalancer and have them filter out the bad guys has been a good deal so far.

?? It's free, and it protects you from all sorts of nasty things.

I can't think of any reason not to use cloudflare. It's _dead easy_ to set up too.

I can't help but think that the author understands what cloudflare actually does, or just has a poor understanding of what goes on on the internet. Probably a bit of just being in a bad mood about cloudflare being down too.

I get constantly attacked.

Usually it's big actors like Facebook, Azure and OpenAI who bombard my servers without any respect or logic. I need to update my access rules constantly to keep them away (using Cloudflare) Sometimes it's clustered traffic, more classic DDoS, from China, Russia or America. That I could easily filter with the DDos protection from my hosting (which is cheaper than cloudflare anyway)

What should I do if not Cloudflare to block with "complex rules" that is strong enough to survive hundreds of concurrent requests by big companies?

The lesson I learned is it's OK to put your site with Cloudflare. It's not ok to put your DNS on a registrar who is also on Cloudflare. We got locked out because our registrar is also on Cloudlfare, and now I can't even switch DNS to get the site back up. Keep your domain name registrar, DNS service provider and application infrastructure provider separately.

Fun fact: a whole bunch of local (as opposed to global: the distinction here is important) Cloudflare-related outages were caused by exactly this thinking: see https://blog.cloudflare.com/going-bgp-zombie-hunting/ and related HN discussion at https://news.ycombinator.com/item?id=45775051

But yeah, if you don't need Cloudflare, like, at all, obviously don't use them. But, who can predict whether they're going to be DDOS-ed in advance? Fact is, most sites are better off with Cloudflare than without.

Until something like this happens, of course, but even then the question of annual availability remains. I tried to ask Claude how to solve this conundrum, but it just told me to allow access to some .cloudflare.com site, so, ehhm, not sure...

I use Cloudflare tunnels to expose lots of small projects to the internet that I host on my home server. I don't want my home internet to be knocked offline because someone decides to hammer my network and knock me offline for a while.

Cloudflare handles caching of static resources, rate limiting, and blocking of bots with very little configuration.

Also, my ISP here in the UK doesn't provide static IP addresses, so Cloudflare allows me to avoid using a dynamic DNS service, and avoid exposing ports on my router.

I don't consider Cloudflare part of the "real" internet anymore, instead it's a private intranet that got too big.

I ran a highly trafficked adult website for 18 years. In the early days, CDNs were unattainable for me and I managed my own rudimentary network by hosting bare metal servers in data centres around the world, using geo-ip aware DNS servers to send traffic to the closest data centre to them.

My most significant running expense was bandwidth cost. So I never switched to cloud since the bandwidth costs would have instantly bankrupted me. Cloudflare, on the other hand, was the single most significant development when it came to my bottom line. Adding a basic, $200 / month business account saved me thousands per month on bandwidth + server costs.

DDoS protection was just a nice perk.

Most small websites are hosting with cloud providers these days. If their websites are at all media rich (and most are these days), and those assets can be cached by a CDN ... the cost savings on bandwidth are not marginal. They are often the difference between being able to afford to host your website or not having one at all.

There are, of course, ways to optimize and reduce those expenses without a 3rd party CDN. But if Cloudflare still has their free plans for smaller traffic volumes, it is often a financial decision to use them over your cloud provider's CDN options.

> Most of these sites are not even that big. I expect maybe a few thousand visitors per month.

Incidentally, if you can make a site "static", so far I'm mostly liking AWS CloudFront loaded from S3. After many years serving my site from a series of VPSs/hosters/colo/bedroom. It's fast and inexpensive, and so far perfectly solid.

Deploying consists of updating S3, and then triggering a CloudFront invalidation, which takes several seconds. The two key fragments of my deploy script (not including error checking, etc.), after the Web site generator has spat all the files into a staging directory on my laptop where I can test them as `file:` URLs, are:

  aws s3 sync \
      --profile "$AwsProfile" \
      --exclude "*~" \
      --delete \
      "$WebStagingDir" \
      "s3://${S3Bucket}/"

  aws cloudfront create-invalidation \
      --profile "$AwsProfile" \
      --distribution-id "$CloudFrontDistId" \
      --paths "/*" \
      < /dev/null 2>&1 | cat

Cloudflare is still down and now its been 5+ hours. Having said that, the thing about "if you don't need to" is not that simple. FOr personal sites/blogs, I can agree but then it really doesnt matter for those. For a real business, the value of cloudflare (As centralized as it gets) is the proxy especially against attacks. The other stuff like CDN/Caching etc are bonus on top.

Unless there is a better option, just asking real businesses (no matter how small) to not use cloudflare is not an option.

> For your small blog with one hundred visitors per month, it's probably the same: "no one will burn their DDoS capabilities on you!"

Running behind something like Cloudflare doesn't just protect against DDoS, it protects against surprise traffic spikes.

If your site ends up on the Hacker News frontpage it's nice for it not to fall over right as people are trying to check it out.

All the people posting all their reasons why they use Cloudflare ("it's free!"/"it's easy!"/"my site won't go down!") makes me realize this apparent arms race is going to effectively result in the total centralization of all web content. Cool. Seems like a great idea to rely on a singular US service rather than diversify the risk across hundreds/thousands of services around the world. What could possibly go wrong?

I get it... but you can pry my cloudflare-tunnel from my cold dead hands.

I'm no stranger to hosting things 'the hard way', but I am not going back from my happy casual hosting where I just spin up a docker container, and point the cloudflare tunnel at the local port and opt out of worrying over DDOS, SSL termination and certs, and everything else that goes with it.

With tailscale, I don't even keep port 22 open to the world.

The massive centralisation going through cloudflare, especially their dns, is good reason to reconsider using them. It doesn't matter how good their product or ethos is, 10s of %s of the Internet traffic going through one company is a bad thing for the Internet.

I have a small blog with a few hundred visitors per month (not including the AI scrapers), and I use Cloudflare because it lets me run everything on a box in my home office with Cloudflare tunnel in the way and I don't have to worry about a static IP or anything. The best part about Cloudflare is how unintrusive it is. It's properly a layer over everything that you have.

I run my stuff as quadlets on Linux, and `cloudflared` just forwards requests to a specific port. It's a reverse proxy. If I wanted to move off Cloudflare, I'd need to run Nginx (or Traefik/Caddy which I'm less familiar with) + certbot and switch DNS.

I like this layering approach, and when I decided to move from a cheap VPS to my own homeserver, I found it very easy to do so by just swapping a few things. I do have Google Fiber who don't mind when you host stuff so that's nice.

Of all the cloud services that are a problem, I'd say Cloudflare is particularly well-designed as a non-lock-in service and is very generous with the terms. So I am quite happy putting Cloudflare in between.

After all, if I'm only receiving a few hundred visits a month, it's not that important if Cloudflare is down. It's not like I'm providing an essential service except to my wife, who relies on some of the apps I've made for her Custom GPTs[1] and she is quite the forgiving user.

0: https://wiki.roshangeorge.dev/w/One_Quick_Way_To_Host_A_WebA... a description of how I host, but mostly structured as a note to myself

1: https://wiki.roshangeorge.dev/w/Blog/2025-10-17/Custom_GPTs

I get your gripe, but the free protection that Cloudflare offers automatically often far exceeds the effort required to thwart some random script kiddie’s attacks on my client’s Wordpress site. Add easy caching, tunnels, automated certificate management, etc. to that and it’s obvious why a lot of sites use them.

Even my tiny little personal sites got hammered by bots. I was very reluctant, but I feel like I had no choice but to go to Cloudflare. It was the only free option, and for tiny little sites it’s not worth paying for a solution.

I think the big error here is thinking cloud flare is DDoS when it’s an entire self contained platform with workers and pages etc..

You’d see those same errors if someone took their own site down while working on it , probably accidentally

CDNs and reverse proxies are important part of internet infrastructure. Problem here is not that webservers use CloudFlare, but that use only CloudFlare.

Let's assume that i could easily use multiple CDNs/proxies and put them all in my DNS record. It would be nice if web browsers would use happy-eyeballs like logic to switch between multiple IP addresses, but i don't think this is default behavior with multiple A/AAAA records.

Guys, OP is clearly joking, he uses Cloudflare himself:

  dig NS huijzer.xyz +short
    fay.ns.cloudflare.com.
    gerardo.ns.cloudflare.com.

If you have a blog with 100 visitors per month why would you worry about being hit by an 4-8 hours outage once every year or two? I like Cloudflare because it is easy to setup and manage and because the amount of value you get for free or just a few bucks per month can’t be matched by any other company. Sure, if my income depends on my website/service uptime then I would probably consider other options. I think for most folks that’s not the case. Just chill and wait it out.

Can't find the following argument in the replies: respect your visitors by not showing cloudflare's spinners and other bs in their faces.

If your site is static, a VPS would carry it a long way. I once hosted a tiny video site - 500 daily visitors, 100GB, 10$/month. Worked better than youtube, 0 issues.

We mainly use cloudflare due to the first class DNS experience. Free and super easy to work with.

Anyone have a suggestion for an alternative? I don’t want to pay per domain but I would pay an agency fee for like 100 domains for a few hundred bucks sorta think, like migadu offers for email.

Worst thing is when local municipality is using Cloudflare on their pages and unintentionally breaks their RSS feeds, because they restrict foreign traffic. And RSS readers usually are running on some server in different country.

Comparing burning a zero day to flexing DDoS capabilities is absolutely insane.

I dislike CloudFlare for their extremely hostile stance against VPNs and for collecting a near autocratic control of a large part of the “world wide” web. I think that there are very valid concerns regarding that. And yes, that power is given to them by service providers, however also essential services use it and as a user I can not choose to not use your service without CF, so it’s still very much asymmetric.

It is mentioned in the article that round-robin DNS is an alternative to this setup, however, in reality, it is not the same thing, and that's the reason load-balancers exist, and it is not feasible to provide something very similar due to the very nature of a distributed and cached DNS system.

The one time my company suffered a denial-of-service attack we were able to get support from our colo provider to stop the attack. This was years ago and our provider has been bought a couple of times and while the company has grown the staff are more remote and fewer in number so I'm not sure if we'd get the same support today.

So, every now and then I think about at least putting our assets on a cdn with the option of using it in the case of a ddos attack but then I see things like today and the recent Aws problems and I just get the feeling I should keep everything close.

one way to mitigate DDoS is to enforce source IP checks on the way OUT of a datacenter (egress).

sure there are botnets, infected devices, etc that would conform to this but where does the sheer power of a big ddos attack come from? including those who sell it as a service. they have to have some infrastructure in some datacenter right?

make a law that forces every edge router of a datacenter to check for source IP and you would eliminate a very big portion of DDoS as we know it.

until then, the only real and effective method of mitigating a DDoS attack is with even more bandwidth. you are basically a black hole to the attack, which cloudflare basically is.

it seems everyone here is of the mind "I do it because it's convenient"

Just like most internet nonsense...

"I like privacy, but it's convenient"

"I don't like amazon policies, but it's convenient"

etc...

so luxuries become necessities...

I don't use even close to all the services they offer, mostly just DNS and some web workers but the convenience of it as opposed to rolling my own is, excluding down time, an incredible free offering.

Way back years ago when I used to roll my own, any problems I had to fix took extremely long and painful. Could I do it again today ? Yeah sure, but I know I couldn't do a better job than Cloudflare.

I'm running a Raspberry Pi 5 at home as a lightweight web server. I put it behind `cloudflared` as to not leak my home IP address, and today I got to pay for it.

Should I just stop being paranoid about "leaking my IP address" and self-host it 100%? All I fear is that my family will have to live with degraded internet experience because some script kiddie targeted me for fun.

I've learned this the hard way, by putting an Arweave gateway behind Cloudflare.

The gateway was checked regularly for random data and the client would stop a download after 1MB, causing the gateway to stop sending the rest of the file.

However, Cloudflare CDN wouldn't stop when the client stop, causing the gateway to send the whole file. Some files are multiple GBs big, so I suddenly got an invoice of 600€.

Using cloudflare really helps cut the bandwidth bill for free for smaller self-hosted sites. That was my primary motivation - not security.

Cloudflare tunnels makes it dead simple these days. Like some others in the comments it seems; I'd rather Cloudflare fighting the war against hacker armies than me. Once our networks become compromised from opening our firewalls (possibly even not) our routers and IOT devices become unwillingly complicit in the army that's bringing the internet down.

Enterprise self hosting is an expensive nightmare for most companies. I think it is time to discuss multi cloud deployments to escape outages.

I am hosted on Cloudflare but my stack is also capable of running on a single server if needed, most libraries are not design with this in mind.

I’m also wondering if all these recent outages are connected to cyber attacks, the timing is strange.

Cloudflare has saved me from a bunch of "Hacker News Hug of Death". It also works around the world, including China, where I have a lot of friends and family. Quite nice.

Thanks for all the discussion here. I use cloudflared to proxy a bunch of small sites I serve from home. I will take a look a other solutions mentioned in this thread.

These days Cloudflare offers more than network (CDN) and security (WAF). I guess there's - workers and containers for backend/fullstack, pages for severless/frontend/fullstack, storage and database solutions, and Ai and stuffs.

I don't think anyone is arguing that.. the truth is that all these big companies do actually need to

I actually would argue against this idea, it is quite resource intensive to keep your sites up-to-date with latest security patches (think something like webservers, openssl, tls cipher suites ...). Putting your site behind a CDN makes you not so vulnerable to these attacks.

Well good news, the Cloudflare error page gave me a perfect PageSpeed Insights score for a bit.

All the sites that I'm personally aware of are either NOT behind Cloudflare, are large and targeted, or are behind Cloudflare because they have actually experienced a DDOS attack(s). I don't know of anyone that is just sticking themselves behind Cloudflare willy-nilly.

Cloudflare pages (free) connected to GitHub is a very easy way to host your site though!

> Most people use Cloudflare because they have been scared into the idea that you need DDoS protection

I don't think that is correct that's why most people use Cloudflare

>> if you put your site behind a centralized service, then this service is a single point of failure

I don't think it is fair to characterize Cloudflare as a single point of failure, at least in the tradition sense.

The lesson for me here is the round robin DNS configuration.

I had an issue with the theme of your site probably not being important anyway. If your site probably isn’t important then it’s probably ok that it’s down too.

I'd happily use Cloudflare's proxy as it does a good job of serving static assets. The problem I have is the root certificate that it uses doesn't seem to be universally trusted.

Lets solve the problem. Why should some IP address be on the internet when it is being used for malicious activity. Everyone seems to assume there is no fix for this. Really?

The discussion is here is sort of which way do you want to let DDos sites damage you? By signing up for Cloudflare or not signing up for Cloudflare. In both case normal users suffer harm.

Why? This is a serious question.

I don't know if I need to, but cloudflare pages is without a doubt one of the easiest and cheapest ways to host a static personal site.

I don't care about ddos on my blog/home stuff. I do however care about blocking annoying bots and some basic security stuff.

I'm waiting for my first DDoS attack at which point I will hide behind Cloudflare. I have all the bits in place to make that a smooth transition but would hate every aspect of it.

Also, Cloudflare’s human-checking page makes sites not work with JavaScript disabled even if the site itself doesn’t require JS.

Which is more likely, a DDOS attack on your site or a Cloudflare outage?

I think that for most sites the DDOS attack is more likely.

IMO this is terrible advice.

1. Put a moderate amount of money toward having the world's experts in uptime keep your site performing fast, and accept that occasionally your service goes down at the same time as everyone else.

2. Roll your own service, hire a large number of expensive experts to try to solve these problems yourself, and be responsible for your own outages and failures which will happen eventually and probably more frequently.

If no one is going to die from your service going down, it seems like this is a perfectly reasonable third-party dependency. And if the issue is just your contract's SLA or a financial customer, the saving that comes from using Cloudflare can probably be worked through via negotiations.

Yeah but cloudflare is one of the few places with free static hosting so ... Not much of a choice

How is this article anything other than advice on "you shouldn't have a single point of failure "?

Cloudflare is a little like Google, they're doing a lot of really cool and amazing things to better the internet but they're frontend interface to use the services kind of sucks, they're raising the bar though so that everyone gets better. It's like when backend developers do really cool shit and also make your frontend.

I'm mostly using cloudflare to block AI crawlers which don't respect robots.txt

this. despite all the ghost stories and war stories. it’s how apple sells you the watch to save you from that bear attack or that time you got trapped somewhere.

the stories are real, and in some cases you may need it — in most cases you don’t. and it clearly doesn’t always protect you.

These threads always make me think what percentage of the commenters are commenting due to FUD, and how many are shilling. "My home ip address might leak", "hacker armies will attack me", "only cloud flare with its billion dollar engineers can protect you on the internet", "if the attacker gets your server ip it's GAME OVER", "rampant run of the mill ddos attacks that will make your provider NUKE YOU FROM ORBIT".

Meanwhile CF is closing in on monopolizing the internet.

Yep, my websites are up and running. No AWS, no CloudFlare, no problem.

We get excited by KPIs like uptime or scale while in truth for most of us those are not the key metrics. We think like BigTech because that's the metrics they sell us. It's a mistake that is profitable for them.

> Most of these sites are not even that big. I expect maybe a few thousand visitors per month.

> This demonstrates again a simple fact: if you put your site behind a centralized service, then this service is a single point of failure. Even large established companies make mistakes and can go down.

I'm guessing sites with a few thousand visitors a month don't much care about single points of failure. Seems like kind of a circular argument - if they're too small to care about needing a proxy in front of their service, then they are also probably too small to care about the handful of events that cause it to go down every so often.

People talk about "single points of failure" like invoking that phrase in and of itself means something is bad. There are many areas where avoiding single points of failure is essentially impossible. It's about how much risk and impact you are willing to tolerate with those points of failure.

The xkcd comic does not apply. Goes to show that a very big block holding everything is equally bad.

Cloudflare is nice for things like ZTNA, but only a very few need to use their caching services, 90% are just lazy devsoops people

tirreno guy is here.

Don’t trust your traffic to autopilot, get a it back in your hands, take a look into your bots (1), perhaps there is no real need for CloudFlare at all.

1. https://github.com/tirrenotechnologies/tirreno

I would not need Cloudflare for personal projects if lack of IPv6 support in random places would not make connecting to services I run on little VMs difficult.

CloudFare is owning most equity of internet, will they ever give back our equity?

Yeah, but I need it.

Every site should be behind cloudflare unless its static HTML.

Clearly there is plenty of DDOS capacity out there so your argument is invalid. One ten millionth of the current traffic would be enough to bring a small blog or service down.

Also if you aren’t practiced at diagnosing a DDOS or if your monitoring is not tuned for it, diagnosing it can be supremely difficult. Answering as someone who has successfully diagnosed ddos at 11pm on a Sunday night without access to the logs or monitors (mostly because the necessary monitoring did not exist)

And I could only do that because I had a decade of experience and I had the clarity of emotional distance (not my site, not my server, not my fault).

Amen.

As someone who maintains/hosts a lot of small business sites, allow me to inform this thread that the author of this post is as wrong as any person can be wrong.

If you're not behind Cloudflare, the level of effort required to impact your operations goes down, not up. Yes, of course, you're not impacted by massive outages like this, but you will be affected by other outages, and you will have a harder time recovering.

Do not listen to this author.

It also not necessary to use external fonts. I'm finding many pages that run fontawesome are looking something other than "awesome" right about now.

Counterpoint, my personal project sites aren't that important, but are self-hosted. My blog being inaccessible for for half a day is preferable, to having to figure out my own protections, and why not just use their free CDN while I'm at it.

Do i need to? Definitely not. Am i going to stop using cloudflare? Also no.

When it comes to bigger sites, i think having someone to blame for an outage (especially when these big ones are effectively "the whole Internet broke") is still probably preferable to managing it all yourself.

I have several tiny blogs behind Cloudflare. I'm not going to change a thing because of an exceptional event happening, and I think knee-jerk pontificating or being reactionary is extremely unproductive.

And DDOS is hardly my concern, and was never the reason I went to CF in the first place, so the whole foundation of this seems to be a strawman.

Unless these sites are your personal pages, oftentimes these decisions to use cloudflare or not are made by the business and money and risk people, not by the operations and other technically-minded employees. They see every other site using cloudflare and ask why they aren't as well.

"No one was fired for buying IBM (or cloudflare)."

Fat chance arguing against the people holding the purse strings.

> As they say in security, "no one will burn a zero day on you!". For your small blog with one hundred visitors per month, it's probably the same: "no one will burn their DDoS capabilities on you!"

The last I saw you can hire DDoS as a service for like $5 for a short DDoS, and many hosts will terminate clients who get DDoSed.

cloudflare considered harmful.

If you're hoster doesn't have perfect DDOS protection and bills you for bandwith.

Good luck with your bill if you have a DDOS attack. If they don't close your account at least.

A couple of weeks ago my apprentice put a demo of ours behind cloudflare, I had him remove it. His explanation was interestingly "it hides our IP, if we remove it, they'll know our IP", yup, that's fine buddy, consider our IP to be a public piece of data.

And we all lived happily ever after.

I put my personal website behind Cloudflare, and I recommend that you do too.

Why?

Pretty simple, really. My personal website, along with some other services, can run successfully from a $10/mo VPS on Digital Ocean because I can be assured that anything I post will have its traffic primarily absorbed by Cloudflare.

This lets me do things I want to do without having to consider the consequences or eating the direct cost myself, like having a gallery of my travel photography where I post nearly full-sized images that can be arbitrarily crawled. I have no concerns about my images being "stolen", because for the most part there'd be no reason to do so, but I'd have to stop doing that if I didn't have Cloudflare in front of my site because of AI crawlers and other things that will abuse the shit out of my little VPS.

Do I think I'm on the target list for a DDoS? Not at all. Do I think badly behaved crawlers and the general tom-fuckery of the Internet will destroy my little VPS and/or cause me outage bills? Absolutely. Cloudflare prevents all that, and as a bonus lets me geo-block bad actors to minimize the likelihood of even that happening.

See, my entire website is static, and for most people, so should yours be. The greatest thing about a static website is that the entire surface area is cacheable via a CDN. I /built/ my site with the idea of putting it behind Cloudflare in mind, specifically so I could do whatever I wanted (as long as it didn't need to query a database) and be entirely out of the woods.

It's worked great for over a decade, and I expect it to continue working great for a decade more. The fact it is currently down is not a big deal because I get maybe one organic visitor every week that's not my mom.

[flagged]

[flagged]