Is Cloudflare Safe?
Laura Martisiute
If you use or plan to use Cloudflare, you need to know: Is Cloudflare safe?
Below, we explain whether Cloudflare is:
- Safe to use.
- Good for privacy.
We also look at some steps you can take to improve both your safety and privacy when using this online service.
What Is Cloudflare?
Cloudflare is a web infrastructure and website security company that provides a range of services designed to enhance the performance, security, and reliability of websites and online services.
Among the services it provides are a Content Delivery Network (CDN), firewall protection, DDoS protection, DNS management, and more.
When a user visits a website protected by Cloudflare, their request is routed through Cloudflare’s network. Cloudflare’s servers, strategically located around the globe, cache and serve content, inspect traffic for threats, and manage requests efficiently.
This process ensures that users experience faster load times while the website is protected from various cyber threats.
Cloudflare is widely used by businesses of all sizes, from small blogs to large enterprises, to ensure their online presence is fast, secure, and reliable.
Is Cloudflare Safe?
It depends on your definition of “safe.”
A significant part of Cloudflare’s value proposition is security, meaning that users who turn to the service are doing so to improve their online safety. Cloudflare’s security offering spans nearly a dozen features, from API shields to SSL and TLS encryption to firewalls and more.
The cybersecurity company UpGuard gives Cloudflare a security rating of 763 out of 950.
The concerns listed by UpGuard include a lack of support for HTTPS redirect requests, the use of insecure versions of SSL and TLS encryption, a lack of support for Content Security Policy, and the use of weak cipher suites.
Cloudflare experienced a data breach in November 2023 when nation-state-level hackers used stolen credentials to access some of the company’s internal servers. The threat was immediately addressed by Cloudflare’s security team.
This wasn’t the only breach impacting Cloudflare. In 2012, a hacker used social engineering to access the account of one of Cloudflare’s customers.
Is Cloudflare Private?
It depends on your definition of “private.”
Cloudflare bills itself as a privacy-first operation with a focus on protecting and obscuring personal data, particularly while using its DNS resolver service and its DDoS protection.
However, some users are concerned about the breadth of Cloudflare’s access to personal data as it performs these services.
In its privacy policy, Cloudflare outlines that it collects users’ names, email addresses, and contact information, along with website log files, cookies, and limited DNS query data. According to the privacy policy, the information is collected to enable Cloudflare to provide its services.
Cloudflare’s privacy policy gets a “Grade D” on Terms of Service; Didn’t Read (ToS;DR), a project that rates internet services’ terms of service and privacy policies.
Some of the concerns highlighted include the service keeping logs for an undefined period of time, tracking which web page referred you to it, using your personal data for advertising, and using tracking pixels, web beacons, and other techniques. Users also waive their right to a class action.
In 2017, Cloudflare disclosed a software bug that caused the exposure of sensitive data, such as passwords and authentication tokens, in plaintext from customers’ websites. The leak might have been happening since 2016.
Also in 2017, ProPublica published an article saying that Cloudflare gave hate sites the personal information of people who complained about them.
Cloudflare’s CEO responded that the company would allow individuals to file complaints anonymously in specific cases and exercise greater discretion in deciding when to share the personal information of those who reported concerns with its clients.
How to Improve Your Safety and Privacy On Cloudflare
For a safer and more private experience on Cloudflare, follow these steps:
- Enable SSL/TLS encryption. Use Cloudflare’s SSL/TLS settings to enable and configure SSL. Opt for Full or Full (Strict) SSL mode for the highest level of encryption.
- Use Cloudflare’s Privacy Pass. Implement Privacy Pass (typically through browser extensions) to reduce the need for CAPTCHA challenges, which can enhance your privacy by minimizing tracking and profiling while still protecting against bots.
- Minimize data exposure in logs. Configure your logging settings to anonymize IP addresses and remove unnecessary personal data to mitigate risk in case of a data breach.
- Use encrypted DNS (DNS over HTTPS/TLS). Configure DNS settings in Cloudflare and ensure your browser or operating system supports DoH or DoT to prevent third parties from spying on DNS requests.
- Configure privacy-oriented firewall rules. Use Cloudflare’s firewall tools to create and manage rules based on IP addresses, geolocation, and other criteria. This can help prevent unauthorized access and reduce exposure to potential attacks.
- Enable opportunistic encryption. Turn on Opportunistic Encryption in Cloudflare settings under the “Edge Certificates” tab to provide encryption even for HTTP sites by encrypting the connection wherever possible.
- Use Cloudflare Access for secure authentication. Implement Cloudflare Access to secure your internal applications and restrict access to authorized and authenticated users.
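To make the "minimize data exposure in logs" step concrete, the following added example (not part of the original article and not Cloudflare's own code) scrubs access-log lines before they are stored or shared. The /24 and /48 truncation widths, the function names and the sample log line are assumptions chosen for illustration.

```python
import ipaddress
import re

# Candidate tokens built only from hex digits, dots and colons. Validation is
# left to the ipaddress module, so timestamps such as 10:15:32 stay untouched.
_CANDIDATE = re.compile(r"(?<![0-9A-Fa-f:.])[0-9A-Fa-f:.]{3,}(?![0-9A-Fa-f:.])")
# Query strings often carry tokens and e-mail addresses; drop them entirely.
_QUERY = re.compile(r"\?[^\s\"]+")

V4_PREFIX = 24  # assumed policy: keep the first three octets of IPv4
V6_PREFIX = 48  # assumed policy: keep the first 48 bits of IPv6


def truncate_ip(token):
    """Return token with its host bits zeroed, or unchanged if not an IP."""
    try:
        addr = ipaddress.ip_address(token)
    except ValueError:
        return token
    # ::ffff:a.b.c.d is really an IPv4 client; treat it as one.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    prefix = V4_PREFIX if addr.version == 4 else V6_PREFIX
    net = ipaddress.ip_network(f"{addr}/{prefix}", strict=False)
    return str(net.network_address)


def scrub_line(line):
    """Redact query strings, then truncate every valid IP in the line.

    A four-part version number (1.2.3.4) also parses as IPv4 and is
    truncated; that over-redaction is accepted here as the safe direction.
    """
    line = _QUERY.sub("?[redacted]", line)
    return _CANDIDATE.sub(lambda m: truncate_ip(m.group(0)), line)


# Constructed sample line (documentation address range, not real traffic).
SAMPLE = ('203.0.113.77 - - [12/Mar/2024:10:15:32 +0000] '
          '"GET /reset?token=abc123&email=jane@example.org HTTP/1.1" 200 512')

if __name__ == "__main__":
    print(scrub_line(SAMPLE))
```

Truncation reduces what a leaked log reveals about individual visitors while keeping enough network detail for coarse abuse and traffic analysis.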