Cloudflare

A configuration change caused a file to double in size, exceeding Bot Management's upper limit, resulting in HTTP 5XX errors that cascaded across dependent services (Workers KV, Access, Turnstile, Dashboard) into an internet-wide outage.

Bad configurations take extended time (90 minutes) to propagate across distributed infrastructure, resulting in intermittent errors before sustained failure, making rapid detection and rollback difficult.

Centralizing infrastructure dependencies on Cloudflare creates brittleness and risk. When Cloudflare experiences outages, all dependent SaaS services and proxied sites fail simultaneously, making the platform a critical single point of failure.

Cloudflare's abuse desk uses form-only reporting with high evidentiary bars, automated denials, and opaque outcomes. The process places burden of proof on reporters and cannot handle bulk incident submissions efficiently. Despite thousands of reports from trusted flaggers, Cloudflare rarely discloses action taken, creating potential regulatory non-compliance with NIS2 and Digital Services Act.

While serverless platforms work well for small websites, costs increase dramatically for large websites, making the economics untenable at scale.

Cloudflare frequently releases products with incomplete features and UI limitations that hinder adoption of newer capabilities. Enterprise customers report having to work around missing functionality that was promised at launch.

Organizations piecing together multiple legacy CDNs, VPNs, and security point solutions face unmanageable complexity at scale. Older solutions lack automation and poor integration, resulting in unnecessary manual management effort.

Cloudflare experiences recent outages due to quality engineering lagging behind production engineering velocity. This is concerning for an infrastructure provider where stability should be paramount.

Cloudflare's architecture suffers from unvisible dependency chains several levels deep. Engineers focus on immediate dependencies but fail to map three or four levels of transitive dependencies, making cascading failures difficult to anticipate.

Cloudflare's built-in capabilities for critical data metrics and API security are insufficient, forcing teams to pipe data into third-party services like Datadog and build custom application logic for security concerns.

Cloudflare's developer platform and products lack sufficient documentation, making it difficult for developers to understand and implement features effectively.

Cloudflare lacks sufficient DevOps integration and developer platform capabilities compared to competitors, making it less attractive for development teams seeking comprehensive developer tooling.

Managing Cloudflare across many domains or clients is cumbersome due to missing bulk update functionality in the UI. Users are forced to rely on APIs or manual scripts, creating friction for agencies and multi-tenant deployments.

Cloudflare promises DNS firewall features that don't fully materialize in practice, forcing users who attempt migrations to pull back and maintain legacy solutions instead.

Cloudflare's API is incomplete for routine administrative tasks. Common operations like assigning co-hosts can only be done via UI, not programmatically, defeating infrastructure-as-code practices.

Users struggle with the complexity of Cloudflare's configuration, particularly with setting up SSL certificates correctly, requiring navigation of an extensive feature set.

Small businesses struggle with Cloudflare's pricing structure, finding it difficult to balance cost against functionality and security requirements without comprehensive guidance.

Cloudflare dashboard does not provide an easy way to create and share API token permission codes (hashes) that specify exact permissions needed, making it difficult for developers and blog writers to communicate security requirements.