
Do Not Put Your Site Behind Cloudflare If You Don't Need To

throwaway150

> For your small blog with one hundred visitors per month, it's probably the same: "no one will burn their DDoS capabilities on you!"

If this is their core argument for not using a CDN, then this post sounds like terribly bad advice. Hopes and prayers do not make a valid security strategy. Appropriate controls and defenses do. The author seems to be completely missing that it takes only a few bucks to buy DDoS as a service. Sometimes people do DDoS your small blog because some random stranger didn't like something you said somewhere online. Speaking from experience. Very much the reason I'm posting this with a throwaway account. If your website receives a DDoS, your hosts will take down your server. Nobody wants to be in this situation even if for a personal, small blog.

phyzome

If you added up all the outage time caused by DDOS and all the outage time caused by being behind auxiliary services that have their own outages... I wonder which would be larger?

I'm not too worried about someone DDOSing my personal site. Yeah, they could do it. And then what? Who cares?

throwaway150

> I'm not too worried about someone DDOSing my personal site. Yeah, they could do it. And then what? Who cares?

Have you experienced a targeted DDoS attack on your personal site? I have. I too had this attitude like yours when I didn't know how nasty targeted DDoS attacks can get.

If you're not too worried about someone DDoSing your personal site, then your host taking your website down and then you having to run circles around their support staff to bring the website back up again, then I guess you don't have a problem. It's nice that you don't care. (Honestly speaking. Not being sarcastic at all.)

Personally, I wouldn't mind DDoS on my personal site if the problem was just the DDoS. Unfortunately, mostly it isn't. A DDoS has other repercussions which I don't want to deal with exactly because it's a personal site. I just don't want to spend time with customer support staff to find out if and when I can bring my website back up again. DDoS on my personal website by itself isn't all that bad for me. But having to deal with the fallout is a pain in the neck.

wpm

If I wasn’t running my own personal site at home on a proxmox vm, why would I choose a hosting provider that doesn’t do DDOS protection themselves?

TZubiri

Starting without ddos protection and installing ddos protection IF you get attacked sounds like a reasonable strategy to me.

close04

> then your host taking your website down and then you having to run circles around their support staff to bring back the website up again

These are very different situations. With a DDoS the disruption ends when the attack ends, and your site should become available without any intervention. Your host taking down your site is a whole different matter, you have to take action to have this fixed, waiting around won't cut it.

graeme

It sounds like OP is describing a situation where someone persistently DDOSes them as long as it works. In which case DDOS time trivially dominates Cloudflare outage time. Note that OP is posting, even now, from an anon account.

This is a good essay: https://inoticeiamconfused.substack.com/p/ive-never-had-a-re...

dpoloncsak

I have my personal site behind CF because I'm hosting it locally. Wouldn't a DDoS like....affect my internet?

nijave

For our SaaS, the uptime probably isn't much different but the cost definitely is. If any of your stack has usage based billing, things can get very expensive quickly.

iLoveOncall

My blog was constantly going down for unknown reasons, with nothing obvious in the logs. I migrated it to CloudFlare and was able to track down the root-cause of the issue.

I also blocked all the AI crawlers after moving to CloudFlare and have stopped a huge amount of traffic theft with it.

My website is definitely much more stable, and loads insanely faster, since moving to CloudFlare.

MallocVoidstar

> I'm not too worried about someone DDOSing my personal site. Yeah, they could do it. And then what? Who cares?

Your host, assuming you're hosting your site on a VPS. Many of them have a policy of terminating clients who get DDoSed.

woodrowbarlow

and if you're hosting on your home network, a DDoS means connectivity problems for your home.

lxgr

> Nobody wants to be in this situation even if for a personal, small blog.

I would gladly be in this situation if it otherwise lets me remove a large source of complexity, avoid paying a few bucks, and avoid increasing the avoidable centralization of the Internet on my personal, small blog.

Maybe I'd change my mind if it continues happening, or if I didn't have unlimited traffic (which is a very bad idea for many reasons other than DDoSes for personal sites), but otherwise, enabling Cloudflare for a hypothetical without consequences seems like pretty extreme premature optimization.

AndroTux

Add to that, once an attacker has your server's IP (because it wasn't behind a CDN in the first place), it's basically impossible to fend off the attack unless the attacker is not very bright, or you swap your server's IP.

elAhmo

You think someone would DDoS you because you made a comment like this on HN? Seems a bit overly cautious.

JumpCrisscross

> You think someone would DDoS you because you made a comment like this on HN?

Yes. Moderation can only do so much.

kopirgan

Do providers offering VPS have a layer of protection against such attacks?

It might overwhelm their routers etc too?

throwaway150

> You think someone would DDoS you because you made a comment like this on HN?

Yes. Welcome to the internet! I don't just think someone would do this. I've seen these things happen. It just takes one person to be pissed off who has got nothing better to do and a few bucks to spare to buy DDoS as a service.


brightball

Agreed. I plan to continue using Cloudflare for everything because it's a phenomenal service at a great price.

bunderbunder

Meanwhile the maintainer of Bear Blog - very nearly the poster child for small blogs with 100 visitors per month - recently put up a post talking about how much extra infrastructure it takes to keep the service online in the face of the massive uptick in AI scraper bot traffic we've had over the past few years.

I haven't tried managing my own site in ages, but I get the impression that the modern Internet is pretty much just one big constant DDoS attack, punctuated by the occasional uptick in load when someone decides to do it on purpose instead of out of garden variety apathetic psychopathy.

MattSayar

My small personal blog with tens of readers a month gets thousands of hits a day from bots. The ROI there must be worthwhile for those bots but not for me to self-host

swiftcoder

What's the actual cost to me of my blog being offline for a few hours? Basically nothing. Certainly less than the couple of bucks someone might spend on a DDoS service


hrimfaxi

What's the cost for someone to put their blog behind cloudflare, besides a few minutes of setup?

sph

What’s the cost of making the internet more centralised because of sheer laziness?

blibble

they (and whoever they have hiding in the shadows behind them) can intercept or directly man-in-the-middle attack anything you or your customers do

less reliable (more hops -> less reliable)

dependence on the US regime

superkuh

Well, if you do that then human people like myself won't be able to load your blog for as long as it's behind Cloudflare. A much longer and more insidious denial of service targeted at those who Cloudflare doesn't think are profitable.

frizlab

Cloudflare (basic option which does have DDoS protection) is free.

NooneAtAll3

free spying, nice!

tjwebbnorfolk

> Hopes and prayers do not make a valid security strategy.

True, but they are free and effortless, unlike "appropriate controls and defenses"

elondaits

I administer a PHP website with very little legit traffic per month, but a few thousand pages probably. The bot traffic is crazy. We're not using Cloudflare for that site, but we're using a local static-page cache... and without it, the site simply can't function.

You don't need to be the target of a DDoS to use a CDN.

Also, using CDNs (Fastly via Github pages, not Cloudflare, in this case) once allowed us to be featured in a very large newspaper without worries, extra expenses, or extra work.

zikero

If we're talking about putting static assets (like basic websites) on their CDN, or moving your backend to Workers, (etc...) you are by definition moving _away_ from single point-of-failure.

> Maybe that's the core of this message. Face your fears. Put your service on the internet. Maybe it goes down, but at least not by yet another Cloudflare outage.

Well I'd rather have my website going down (along with half the internet) be the concern of a billion dollar corporation with thousands of engineers - than mine.

greengreengrass

> you are by definition moving _away_ from single point-of-failure

Depends on the frame of reference of “single point-of-failure”.

In the context of technical SPOFs, sure. It’s a distributed system across multiple geographies and failure domains to mitigate disaster in the event any one of those failure domains, well, fails.

It doesn’t fix that technology is operated by humans who form part of the sociotechnical system and build their own feedback loops (whose failures may not be, in fact are likely not going to be, independent events).

SPOFs also need to contemplate the resilience and independence of the operators of the system from the managing organisation. There is one company that bears accountability for operating CF infra. The pressures, headwinds, policies and culture of that organisation can still influence a failure in their supposedly fully distributed and immune system.

For most people hosting behind Cloudflare probably makes sense. But you need to understand what you’re giving up in doing so, or what you’re sacrificing in that process. For others, this will lead to a decision _not_ to use them and that’s also okay.

shiandow

That's a bit like the 'nobody was fired for choosing Oracle' argument, but it does make sense.

Still a bit weird to pretend we now have cyber weather that takes our webpages down.

MattGaiser

> That's a bit like the 'nobody was fired for choosing Oracle' argument, but it does make sense.

The reaction to AWS US-East-1 going down demonstrates this. As so many others were in the same boat, companies got a pass on their infrastructure failing. Everyone was understanding.

Justsignedup

Yuuuuup.

We once had a Cloudflare outage. My CEO asked, "mitigate it". I hit him back with: okay, but that'll take me weeks/months potentially, since we're tiny. Do you really want to take away that many resources just to mitigate a once-every-few-years "half the internet is down" issue?

He got it really quickly.

I did mitigate certain issues that were just too common not to, but when it comes to this sort of thing, you gotta ask "is it worth it"

Edit: If you're so small, cloudflare isn't needed, then you don't care if you go down if half the internet does. If you're so big that you need cloudflare, you don't wanna build that sort of feature set. The perfect problem.

papichulo2023

Is removing CF as the middleman temporarily such a big deal?

nijave

I think that really depends on feature usage. You can use Argo/Cloudflare tunnels to route to private backends that are normally unroutable. In such a setup, it might be quite difficult to remove Cloudflare since then you have no edge network and no ability to reach your servers without another proxy/tunnel product.

If you're using other features like page rules you may need to stand up additional infrastructure to handle things like URI rewrites.

If you're using CDN, your backend might not be powerful enough to serve static assets without Cloudflare.

If you're using all of the above, your work to temporarily disable it becomes fairly complicated.

otabdeveloper4

Afaik, Cloudflare is mostly used for anonymity and privacy, not for scale.

DDoS protection is one nice side effect of privacy, but I'd imagine there are others too.

rozap

Nice, yea as long as the problem is someone else's then that's just as good as there being no problem at all.

dizhn

I just paused cloudflare on a site of mine. On a normal day, it would be pretty easy to unpause it if it gets hit by a DDOS. Now cloudflare is down and the site is up again. Small sites do not benefit much from the performance effects of cloudflare either. Site won't be in their cache.

TZubiri

> yet another Cloudflare outage.

Are these common?

I guess by using Cloudflare you are pooling your connection with other services that are afraid of being DDoSed and actively targeted, whether by politics or by sheer volume. Unless you have volume or political motivations, it might be better not to pool (or to pool for other purposes).

spoaceman7777

?? It's free, and it protects you from all sorts of nasty things.

I can't think of any reason not to use cloudflare. It's _dead easy_ to set up too.

I can't help but think that the author understands what cloudflare actually does, or just has a poor understanding of what goes on on the internet. Probably a bit of just being in a bad mood about cloudflare being down too.

mrweasel

Many also put their personal stuff behind CloudFlare because it's a good way to learn a tool that they might need professionally later.

I'm all for decentralizing and I don't feel the need for CloudFlare personally, but yes, arguing that people really shouldn't be doing it, period, requires some good technical reason or a more convincing political stance.

AndroTux

But your site will be down for 3 hours once every 3 years!!1

lilOnion

I get these arguments and I see the appeal. But should this be the primary reason to use them, this way the web is being massively centralized. Everything running through them doesn't seem that smart to me.

But of course I understand that for most users this isn't really a concern and the benefits that CF provides are much more important than the centralization problem.

Faaak

Yeah, for me this is the main reason. I don't need it (even though I self-host many websites, some having 100k requests/day, which is reasonable for a homelab). But most importantly, I don't want all the traffic to my websites being MITMed by a company, even more so when it's foreign.

neya

The lesson I learned is that it's OK to put your site behind Cloudflare. It's not OK to put your DNS on a registrar who is also on Cloudflare. We got locked out because our registrar is also on Cloudflare, and now I can't even switch DNS to get the site back up. Keep your domain name registrar, DNS service provider and application infrastructure provider separate.

mariopt

Fair point but you also get exposed if the dns provider has an outage.

Self hosting will also bring its own set of problems and costs.

swiftcoder

> > Keep your domain name registrar, DNS service provider and application infrastructure provider separately.

> Fair point but you also get exposed if the dns provider has an outage

The usual workaround here is to put two IP addresses in your A record, one that points to your main server on hosting provider A, and the other to your mirror server on hosting provider B.

If your DNS provider goes down, cached DNS should still contain both IPs. And if one of your hosting providers goes down as well, clients should timeout and then fallback to the other IP (I believe all major browsers implement this).

Of course this is extra hassle/cost to maintain, and if you aren't quite careful in selecting hosting providers A and B, there's a good chance they have coordinated failures anyway (i.e. both have a dependency on some 3rd party like AWS/Cloudflare).

thyristan

Traditional non-cloud, non-weird DNS providers have sufficiently long TTLs, not the "60 seconds and then it's broken" crap that clouds do to facilitate some of their services.

Something like TTL 86400 gets you over a lot of outages just because all the caches will still have your entries.

npn

Only for your use case. I use Cloudflare for my dynamic IP DNS; caching that long makes it worthless.

cj

You can switch DNS providers if you're able to edit the domain's nameservers.

You can also separate your DNS provider from your registrar, so that you can switch DNS providers if your registrar is still online.

ZeroConcerns

Fun fact: a whole bunch of local (as opposed to global: the distinction here is important) Cloudflare-related outages were caused by exactly this thinking: see https://blog.cloudflare.com/going-bgp-zombie-hunting/ and related HN discussion at https://news.ycombinator.com/item?id=45775051

But yeah, if you don't need Cloudflare, like, at all, obviously don't use them. But, who can predict whether they're going to be DDOS-ed in advance? Fact is, most sites are better off with Cloudflare than without.

Until something like this happens, of course, but even then the question of annual availability remains. I tried to ask Claude how to solve this conundrum, but it just told me to allow access to some .cloudflare.com site, so, ehhm, not sure...

s1mplicissimus

> Fact is, most sites are better off with Cloudflare than without

Citation direly needed.

In particular I wonder: Who is that total mass of sites where you consider most being better off using cloudflare? I would be curious on what facts you base your assumption. How was the catalog of "all" procured? How are you so confident that "most" of this catalogue are better off using cf? Do you know lots of internals about how strangers (to you) run their sites? If so, mind sharing them?

ZeroConcerns

> total mass of sites where you consider most being better off using cloudflare?

Most. A lot of simple sites are hosted at providers that will be taken down themselves by run-of-the-mill DDOS attacks.

So, what will such providers do when confronted with that scenario? Nuke your simple site (and most likely the associated DNS hosting and email) from orbit.

Recovering from that will take several days, if not weeks, if not forever.

s1mplicissimus

I was hoping you could share some of the factual evidence you apparently possess to make such bold claims, alas it seems my hopes will go unfulfilled. Have a good rest of the day!

PunchyHamster

one DDOS won't kill your business, and you can just turn on cloudflare after that happens, if it ever happens.

ZeroConcerns

Most sustained DDOS attacks will cause your hosting provider to drop you. Sure, you can recover from that in 72 hours or so, but that's not as simple as "turning on Cloudflare" at that point.

Seriously: having someone in charge of your first-line traffic that is aware of today's security landscape is worth it. Even if they require an upgrade to the "enterprise plan" before actually helping you out.

codegeek

But imagine right now vs you only being down. It sucks right now but most customers are aware of why and we can just say "hey its everyone, just not us". If you had a DDOS attack only on you, imagine dealing with customers then. It is a double edged sword.

TrickyRick

Being able to link to a BBC article (Or whatever major news source you prefer) to a customer is the best type of outage. "Look, this is so big it made the news - this isn't our fault"

throwaway150

> one DDOS won't kill your business

I see many people saying this but be honest, do you know this for sure or are you just guessing? I've experienced DDoS so I know I'm not just guessing when I say that if your website gets DDoSed your hosting service would just take your website down for good. Then good luck running circles around their support staff to bring your website back up again. Maybe it won't kill your business but it'll surely create a lot of bad PR when your customers find out how you let a simple DDoS attack spiral out of control so bad that your host is refusing to run your website anymore.

DoctorOW

Honestly I'm sure I'll get some eye rolls here, but that's my compromise. DNS through Cloudflare, orange cloud if and when I need to.

udev4096

Stop encouraging centralization and non-private web. Cloudflare's famous mitm also puts everyone's data under their watch. Remember how cloudflare leaked secrets in 2017 on every major search engine?

neilv

> Most of these sites are not even that big. I expect maybe a few thousand visitors per month.

Incidentally, if you can make a site "static", so far I'm mostly liking AWS CloudFront served from S3. After many years serving my site from a series of VPSs/hosters/colo/bedroom. It's fast and inexpensive, and so far perfectly solid.

Deploying consists of updating S3, and then triggering a CloudFront invalidation, which takes several seconds. The two key fragments of my deploy script (not including error checking, etc.), after the Web site generator has spat all the files into a staging directory on my laptop where I can test them as `file:` URLs, are:

  # Mirror the staging directory into the bucket. --delete removes bucket
  # objects that no longer exist locally, so $WebStagingDir must hold the
  # complete site; "*~" skips editor backup files.
  aws s3 sync \
      --profile "$AwsProfile" \
      --exclude "*~" \
      --delete \
      "$WebStagingDir" \
      "s3://${S3Bucket}/"
and then:

  # Invalidate every cached path so the edge fetches the new objects.
  # The redirects stop the CLI from waiting on a tty or paging its output.
  aws cloudfront create-invalidation \
      --profile "$AwsProfile" \
      --distribution-id "$CloudFrontDistId" \
      --paths "/*" \
      < /dev/null 2>&1 | cat
The main thing I don't like about it (other than the initial setup wizards having a couple bugs) is that it doesn't automatically map `foo/` URLs to `foo/index.html` S3 objects. The recommended solution was to use AWS Lambda, which I did temporarily, and it works. But when I get a chance, I will see whether I can make my deploy script duplicate S3 `foo/index.html` as S3 `foo/` and/or `foo`, so that I can get rid of the worse kludge of using Lambda. Unless CloudFront offers a feature to do this before then.

hk1337

It's still a function you have to create but I would opt to use a cloudfront function instead of creating a whole lambda for the request routing.

https://docs.aws.amazon.com/AmazonCloudFront/latest/Develope...

https://github.com/aws-samples/amazon-cloudfront-functions
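The viewer-request rewrite that hk1337 points at, written out here as an added example. This is not neilv's deploy script and not code copied from the linked aws-samples repository, though it follows the same approach: a CloudFront Function that rewrites `foo/` (and extensionless `foo`) to `foo/index.html` before the request reaches the S3 origin. It assumes an S3 origin where every "directory" holds an `index.html` object, and it inspects only the final path segment for an extension so that a directory such as `v1.2/docs` still gets rewritten. The function names `lastSegment` and `rewriteUri` are my own; only `handler` is required by the CloudFront Functions runtime.

```javascript
// Added example (not from the original thread): CloudFront Function for the
// viewer-request event that maps directory-style URIs onto S3 index.html keys.
//   /          -> /index.html
//   /foo/      -> /foo/index.html
//   /foo       -> /foo/index.html   (extensionless final segment => directory)
//   /a/b.css   -> unchanged          (final segment has an extension)
// Written in the ES5-style subset the CloudFront Functions runtime accepts
// (var, plain function declarations, no arrow functions or destructuring).
// Assumption: the bucket keeps one index.html per directory and nothing else
// relies on extensionless object keys.

// Returns the text after the last "/" ("" for a URI that ends in "/").
function lastSegment(uri) {
    var idx = uri.lastIndexOf('/');
    return idx === -1 ? uri : uri.substring(idx + 1);
}

// Pure path rewrite, kept separate from handler() so it can be exercised
// without constructing a CloudFront event object. It only ever appends to
// the path, never removes or rewrites earlier segments.
function rewriteUri(uri) {
    var last = lastSegment(uri);
    if (last === '') {
        // Trailing slash: /foo/ -> /foo/index.html (also covers "/").
        return uri + 'index.html';
    }
    if (last.indexOf('.') === -1) {
        // No extension in the final segment: /foo -> /foo/index.html.
        // Checking the whole URI for a dot instead would wrongly skip
        // paths such as /v1.2/docs.
        return uri + '/index.html';
    }
    // Looks like a file request (/foo/bar.css): leave it untouched.
    return uri;
}

// CloudFront Functions entry point. request.uri carries the path only;
// the query string lives in request.querystring and is passed through.
function handler(event) {
    var request = event.request;
    request.uri = rewriteUri(request.uri);
    return request;
}
```

Two caveats worth knowing before deploying this: a directory whose name contains a dot (for example `.well-known`) is treated as a file and not rewritten, so such paths need an explicit rule, and because the rewrite happens at the edge the S3 bucket never has to be configured for static website hosting or public listing; a direct request for `foo/index.html` continues to work as before.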

saltywhistle

I use Cloudflare tunnels to expose lots of small projects to the internet that I host on my home server. I don't want my home internet to be knocked offline because someone decides to hammer my network and knock me offline for a while.

Cloudflare handles caching of static resources, rate limiting, and blocking of bots with very little configuration.

Also, my ISP here in the UK doesn't provide static IP addresses, so Cloudflare allows me to avoid using a dynamic DNS service, and avoid exposing ports on my router.

herbst

I get constantly attacked.

Usually it's big actors like Facebook, Azure and OpenAI who bombard my servers without any respect or logic. I need to update my access rules constantly to keep them away (using Cloudflare). Sometimes it's clustered traffic, more classic DDoS, from China, Russia or America. That I could easily filter with the DDoS protection from my hosting (which is cheaper than Cloudflare anyway).

What should I do if not Cloudflare to block with "complex rules" that is strong enough to survive hundreds of concurrent requests by big companies?

udev4096

OpenAI bots are relentless. I used to see some random requests every time I requested LE cert for making a service public but now, it's always "gptbot"

52-6F-62

There are other CDNs out there with less surface area, but the corollary being they are less of a target.

hat_monger

The market has spoken, you are not needed.

herbst

Because big companies can't stop looking at my website ("borrow" my content for their AIs I guess) constantly? Makes sense


tedggh

If you have a blog with 100 visitors per month, why would you worry about being hit by a 4-8 hour outage once every year or two? I like Cloudflare because it is easy to set up and manage and because the amount of value you get for free or for just a few bucks per month can't be matched by any other company. Sure, if my income depended on my website/service uptime then I would probably consider other options. I think for most folks that's not the case. Just chill and wait it out.

stroebs

I get your gripe, but the free protection that Cloudflare offers automatically often far exceeds the effort required to thwart some random script kiddie’s attacks on my client’s Wordpress site. Add easy caching, tunnels, automated certificate management, etc. to that and it’s obvious why a lot of sites use them.

codegeek

Cloudflare is still down and now it's been 5+ hours. Having said that, the thing about "if you don't need to" is not that simple. For personal sites/blogs, I can agree, but then it really doesn't matter for those. For a real business, the value of Cloudflare (as centralized as it gets) is the proxy, especially against attacks. The other stuff like CDN/caching etc. is a bonus on top.

Unless there is a better option, just asking real businesses (no matter how small) to not use cloudflare is not an option.

beaker52

5+ hours. It's amusing to reflect on all the "leaders" I've seen jumping on people's heads because a single feature of some unknown product was unavailable for 30 minutes.