Cloudflare: Early Reports Question Effectiveness as Website Security Tool

Do you know how your sites are protected? What tools your host uses?

One tool you've probably heard of is Cloudflare. Maybe you've seen advertising saying something like “we protect your site from attacks” or “we protect your site from hackers”. How do they do this?

Part of CloudFlare's service is something called a Web Application Firewall (WAF), which is fancy-speak for saying their computer looks at what people are coming to your site to do, what data they're sending, and tries to figure out if they're nice visitors (which it should let through) or naughty hackers (which it should block).

But does it work?

Tony Perez (of Sucuri fame, and a serious man-crush of mine 😉 ) has been through a looooong and boring report from a gang of web security ninjas. They compared Cloudflare, Incapsula and just plain ol' mod_security (a set of rules, configured by the server admin — you almost certainly have mod_security on your shared hosting account). The results don't look good.

Tony extracted the results into a summary blog post, and I'm going to summarise his summary to save some more time for you.

mod_security: great! Stops almost every attack they tested (123 attacks, covering 3 different types of hack)
Incapsula: very good – stops almost as much as mod_security
CloudFlare: stops absolutely nothing. Not a thing

There are other reasons to use CloudFlare, like speeding up your site and getting some level of downtime protection, but for a company which markets itself as a security solution and Web Application Firewall, I find these results extremely troubling.


Do you know how your sites are protected? You should. From these results, using CloudFlare is not a security solution. I know some popular hosts have a one-click install for CloudFlare in their control panels, and it might well still be worth doing that for their other benefits. But not for security.

Talk to your host about mod_security, and ask them what else they do to keep the server secure. A lot of things they won't tell you, but they should be willing to tell you some information about how they keep your server  – and your business's reputation – safe.


Speak Your Mind