Cloudflare benefits from a good reputation. However, we have noticed major issues with using Cloudflare.
- Security: Cloudflare is a middleman between your server and your visitors. Sensitive data also passes through Cloudflare's servers on its way to the client, so Cloudflare has the ability to monitor all your traffic.
- Power: Cloudflare can inject code into your HTTP headers and your web pages, and this can have unpredictable consequences.
- Slow: For some reason, we have noticed that Cloudflare can slow down page loads rather than speed them up. This is to be expected, since an extra step (a hop) is added between your server and the client.
- Misconfiguration: Since additional settings have to be made on the Cloudflare website, a misconfiguration can lead to downtime and traffic drops. Here is a case study of a Google traffic drop related to Cloudflare.
- Dependency: By pointing your nameservers to a server that you don't control, you agree to hand over part of your website's reachability to Cloudflare. If the Cloudflare server goes down, your website becomes inaccessible even if your web server works fine. In other words, you add a point of failure by using Cloudflare.
- DDoS attacks: Cloudflare mitigates DDoS attacks.
- Firewall: Cloudflare helps to reduce useless incoming traffic. Here is the list of open ports when using Cloudflare. For HTTP: 80, 8080, 8880, 2052, 2082, 2086, 2095. For HTTPS: 443, 2053, 2083, 2087, 2096, 8443. You can also whitelist or blacklist IP addresses. There is also an interesting option called “challenge IP”, which prompts for a captcha when requests come from a given IP address.
- HTTPS, HTTP/2: Cloudflare provides free HTTPS certificates for your domain, along with HTTP/2 and SPDY support.
- HSTS: Cloudflare provides free HTTP Strict Transport Security for your website.
- IPv6 reachability: Cloudflare allows your website to be accessed through an IPv6 address even if your server only has an IPv4 address.
- Rate limiting: Cloudflare can protect your API by using a rule to limit the number of requests within a given time. It is a paid option and it is very easy to set up from the Cloudflare configuration page.
- Jurisdiction: Cloudflare is located in the USA. Consequently, your website appears to be located in the USA, and it is likely to benefit from US jurisdiction.
- Freedom of speech: By hiding the IP address of your server, you can express yourself, since you can rely on the First Amendment to the United States Constitution, which allows a website to express almost all opinions without being prosecuted.
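
One way to check for what the "Power" point above describes, as an added example that is not part of the original article: compare a response taken directly from the origin server with the same page as delivered through the proxy, and list the headers and scripts that differ. The sample responses, header values and script path below are constructed for illustration.

```python
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect external script URLs and inline script bodies from a page."""
    def __init__(self):
        super().__init__()
        self.scripts, self._inline = [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            self._inline = src is None
            if src:
                self.scripts.append("src:" + src)

    def handle_data(self, data):
        if self._inline and data.strip():
            self.scripts.append("inline:" + data.strip())

    def handle_endtag(self, tag):
        if tag == "script":
            self._inline = False


def scripts_in(html):
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    return collector.scripts


def diff_responses(origin_headers, origin_body, edge_headers, edge_body):
    """Report headers and scripts that differ between origin and proxy."""
    o = {k.lower(): v for k, v in origin_headers.items()}  # header names are
    e = {k.lower(): v for k, v in edge_headers.items()}    # case-insensitive
    known = scripts_in(origin_body)
    return {
        "added_headers": sorted(set(e) - set(o)),
        "removed_headers": sorted(set(o) - set(e)),
        "changed_headers": sorted(k for k in set(o) & set(e) if o[k] != e[k]),
        "injected_scripts": [s for s in scripts_in(edge_body) if s not in known],
    }

# Constructed sample responses (not captured traffic).
ORIGIN_HEADERS = {"Content-Type": "text/html", "Server": "nginx", "X-Frame-Options": "DENY"}
ORIGIN_BODY = '<html><head><script src="/js/app.js"></script></head><body>Hi</body></html>'
EDGE_HEADERS = {"content-type": "text/html", "server": "proxy", "x-edge-id": "abc123"}
EDGE_BODY = ORIGIN_BODY.replace("</head>", '<script src="/injected/example.js"></script></head>')
print(diff_responses(ORIGIN_HEADERS, ORIGIN_BODY, EDGE_HEADERS, EDGE_BODY))
```

In practice the two inputs would come from one request sent straight to the origin and one sent through the proxied hostname; a removed security header or an unexpected script in the report is what deserves a closer look.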