Cloudflare status: hosting issues and outage reports
No problems detected
If you are having issues, please submit a report below.
Cloudflare is a company that provides DDoS mitigation, content delivery network (CDN) services, security and distributed DNS services. Cloudflare's services sit between the visitor and the Cloudflare user's hosting provider, acting as a reverse proxy for websites.
Problems in the last 24 hours
The graph below depicts the number of Cloudflare reports received over the last 24 hours by time of day. When the number of reports exceeds the baseline, represented by the red line, an outage is determined.
At the moment, we haven't detected any problems at Cloudflare. Are you experiencing issues or an outage? Leave a message in the comments section!
Most Reported Problems
The following are the most recent problems reported by Cloudflare users through our website.
- Domains (41%)
- Cloud Services (25%)
- Hosting (16%)
- Web Tools (13%)
- E-mail (6%)
Live Outage Map
The most recent Cloudflare outage reports came from the following cities:
| City | Problem Type | Report Time |
|---|---|---|
|
|
Domains | 10 days ago |
|
|
Cloud Services | 22 days ago |
|
|
Domains | 24 days ago |
|
|
Hosting | 1 month ago |
|
|
1 month ago | |
|
|
Web Tools | 1 month ago |
Community Discussion
Tips? Frustrations? Share them here. Useful comments include a description of the problem, city and postal code.
Beware of "support numbers" or "recovery" accounts that might be posted below. Make sure to report and downvote those comments. Avoid posting your personal information.
Cloudflare Issues Reports
Latest outage, problems and issue reports in social media:
-
Viswa Reddy (@lviswanath) reportedSo I made the pragmatic call: Moving the main customer-facing application to Vercel + Cloudflare. Not because self-hosting is wrong — but because for this workload right now, the velocity gain is massive. GitHub-native CI/CD that just works, instant previews, edge performance, and zero time fighting tunnels or rate limits during deploys. My brain stays on the actual product.
-
Boring Engineer (@boringeng) reportedLast night I did something I haven’t done in years: I opened my raw server logs. Not analytics. Not a dashboard. The actual access logs on the box. I was curious about one thing — with everyone saying “people don’t google anymore, they ask ChatGPT” — is any of that actually visible on my site? What I found kind of shook me. GPTBot — OpenAI’s crawler — hit my documentation 400+ times in the last 30 days. Not my homepage. My docs. The quickstart, the API reference, the self-hosting guide. It’s reading the exact pages a developer would read before adopting a tool. PerplexityBot crawls me almost every night around 2am. Quietly building its index of what my product is and does. And then the one that actually got me: a user-agent called ChatGPT-User. It’s not a scheduled crawler. It fires when a real human, mid-conversation, asks ChatGPT something that requires fetching a live page. It hit my pricing page 9 times yesterday. Nine times yesterday, a real person was asking an AI about my product. I will never know who they were, what they asked, or what the AI told them. Here’s the part that bothers me most: NONE of this appears in analytics. Not in GA4, not in Plausible, not anywhere. These bots don’t execute JavaScript, so tracking scripts never fire. As far as every analytics tool I pay for is concerned, this traffic does not exist. The only place it’s recorded is a log file nobody opens. So I kept digging, and it got worse: — Some of my “GPTBot” hits came from IPs that aren’t OpenAI’s. Random scrapers wearing GPTBot’s name as a disguise. I would never have known. — AI crawlers were hitting doc URLs I moved a year ago. 404s. Which means when an AI tries to learn what my product does, some of what it finds is a dead page. That’s not a broken link anymore — that’s a wrong answer being served to my next customer. — And apparently Cloudflare now blocks some AI crawlers by default on new sites. Meaning there are founders out there right now whose docs are invisible to ChatGPT, who opted into that without knowing, and whose analytics will never tell them. Step back and the picture is strange: an entire layer of the funnel — machines reading your site, deciding whether you get recommended, sometimes fetching pages because a human is asking about you at that exact moment — and it is completely invisible to every tool we use. We measure humans obsessively. We measure the thing that increasingly sends the humans not at all. Search had 20 years of tooling built around it. Search Console, rank trackers, an entire industry. This new layer has… grep. I’m not sure what the answer is yet. Maybe it’s a weekend script. Maybe it’s something bigger. But before I build anything, I want to know if this is just me: Have you ever looked at what AI bots do on your site? Do you know if you’re being crawled, cited, blocked? If this is a problem you have — or one you didn’t know you had until this post — reply or DM me. Genuinely trying to figure out what’s worth building here.
-
Danielle Morrill (@DanielleMorrill) reportedwtf happened at Cloudflare? shipped like a ******* monster for the last 6 months, dominating my feed with new stuff daily. Now my feed is full of departures?
-
Jordan (@jstamby) reportedRebuilt a plumber's website last week. The old site scored 31/100 on a technical SEO audit. The new one scored 94. What changed: → 6 pages became 69 (every service × every city he covers) → Correct schema on every page (the old one literally geolocated him to the wrong state) → JSON-LD that makes each page citable by AI engines the day it deploys → Astro static + Cloudflare Pages, push-to-main to ship Six AI agents built it in parallel — one researched keywords, one designed, one wrote, one validated schema, one reviewed, one ran the launch gate. I didn't write 69 pages. I orchestrated the swarm that did. So glad I left Wordpress behind in 2025. Now I'm 10,000% more productive as a solopreneur.
-
Yash D (@AI_by_yash) reportedClaude/codex = coding. ($20/mo) GitHub = version control. (Free) Supabase = backend. (Free) Clerk = auth. (Free) Resend = emails. (Free) Vercel = deploying. (Free) Cloudflare = DNS. (Free) Upstash = Redis. (Free) Pinecone = vector DB. (Free) PostHog = analytics. (Free) Sentry = error tracking. (Free) Stripe = payments. (2.9%/transaction) Namecheap = domain. ($12/yr) Total monthly cost to run a startup: ~$20 There has never been a cheaper time to build
-
Kauft Körrie! (@KauftKoerrie) reportedHi @nikitabier, what's going on with Cloudflare right now? It keeps freezing during the “verify you're human” step, and why do you assume that everyone has a cell phone with a camera? Unfortunately, I can't open @X and log in on my desktop. @Support
-
Glitchy Hopkins (@GlitchyHopkins) reportedFellowship Hall’s vendor data never needed a SaaS detour. I built their intake automation with n8n, NocoDB, Cloudflare Tunnel, Nginx, and PHP on hardware inside the building. Less manual work. More control. Want that? DM me. #n8n #Automation #DataPrivacy
-
Jeff Nolan (@jeffnolan) reportedSo I switched to a static file site on Cloudflare Pages, deployed from GitHub. → Claude Design for the visual layer → Claude CLI to edit files and commit directly to *** → Cloudflare to deploy on every push Idea to live site: seconds. No CMS. No login. No plugin conflicts. No $50/month.
-
adas🧦🌹 (@adastroworld) reported@PersonaIData It’s been like $10 for the past 10 years so not terrible but yeah it’s just my custom email domain from namecheap Cloudflare allegedly cheaper so I’m gonna transfer out
-
KANAPURO 🎭 TEAM COMEDY (@kanapurottv) reported@Cloudflare pls fix workers bro pls pls psl psls pls
-
Chinsanity (@chinsanity) reported@world_xyz @worldnetwork @Cloudflare the scanning of the eyeball never sit right with me tbh lol
-
0xLoopTheory (@0xLoopTheory) reportedGoogle is moving a number of its TLS certificates from RSA to ECDSA. Not because ECDSA is quantum-safe. It is not. Not because RSA is about to fall. It is not. Not because someone at Google forgot Shor's algorithm exists. They did not. The announcement is easy to misread. Google Trust Services says that during Q2 2026, a number of Google services that have historically provided an RSA leaf certificate will shift to an ECDSA leaf certificate by default. So in the middle of the post-quantum migration, Google moves certificates from one Shor-vulnerable algorithm to another. Under standard resource estimates (Roetteler et al., 2017), breaking P-256 requires fewer logical qubits than breaking RSA-2048. On paper, this is a step toward the more quantum-fragile primitive. It still makes sense, and the reason is the most useful mental model I know for the PQ transition: TLS does not migrate as one block. It migrates in layers, and each layer faces a different threat on a different clock. Key exchange is on the fast clock. Recorded traffic can be decrypted retroactively: harvest now, decrypt later. So it moved first. X25519MLKEM768 is now default or automatically advertised in current major browser stacks: Chrome, Edge, Firefox, and Safari on Apple's 26-generation OS releases. By late October 2025, the majority of human-initiated traffic with Cloudflare was already using post-quantum encryption. Certificates are on the slow clock. For live TLS authentication, a signature must be unforgeable at the moment it is verified, not forever. A quantum computer in 2035 cannot retroactively forge the certificate that authenticated your session today. And the slow clock is forced by a budget nobody can print more of: bytes. An ML-DSA-44 signature is 2,420 bytes. A raw ECDSA P-256 signature is 64 bytes. Cloudflare estimates a drop-in swap would more than double the bytes most QUIC connections transmit over their lifetime. Chrome says plainly it has no immediate plan to add traditional X.509 post-quantum certificates to its root store. Chrome's public-WebPKI plan is Merkle Tree Certificates, now being developed in the IETF PLANTS working group, against Google's broader stated 2029 PQC migration timeline. So the ECDSA move is classical housekeeping. Google's stated rationale is efficiency: smaller to transmit, cheaper to process. The announcement does not mention post-quantum once. Which layer is migrating? Against which threat? With which ecosystem attached? Ask those three questions and most "why not just deploy PQC now" takes dissolve. The honest counterweight: maybe the slow clock is not as slow as the WebPKI assumes. Roots live for decades. Devices outlive their update channels. Gidney's estimate for breaking RSA-2048 dropped from 20 million noisy qubits in 2019 to under one million in 2025. If you think certificate authentication has less time than the ecosystem assumes, that is the argument worth having. I would like to hear it.
-
ProxyStats (@ProxyStats) reported@getpaidfirlive Not only you - its been down for everyone since June 28. We pulled the registry records to check the "seizure" rumors: routine registrar lock (not serverHold), Cloudflare nameservers untouched, domain paid through 2027. Looks like an outage, not a takedown.
-
mrow 🦦🦈 (@mrowmewo) reported@sugarsprink Before it was just the Cloudflare image and like 1minute loading times for every button you pressed for the tail end of June and EVEN WORSE for the start of July, this year it’s not even that bad…Dont even joke lad
-
Pasha Khoshkebari (@PashaHasHOPE) reportedI'm not sure what to do. Cloudflare D1 is down. My services depend on it. What do I do?
-
Clara Bennett (@CodeswithClara) reported- Claude = coding. ($20/mo) - Supabase = backend. (Free) - Vercel = deploying. (Free) - Namecheap = domain. ($12/yr) - Stripe = payments. (2.9%/transaction) - GitHub = version control. (Free) - Resend = emails. (Free) - Clerk = auth. (Free) - Cloudflare = DNS. (Free) - PostHog = analytics. (Free) - Sentry = error tracking. (Free) - Upstash = Redis. (Free) - Pinecone = vector DB. (Free) Total monthly cost to run a startup: ~$20 There has never been a cheaper time to build.
-
Gyana (@GyanaR_) reported@SimonHoiberg Just use cloudflare, and never worry abour pricing
-
SYGNITO (@SYGNITO) reportedEspecially for the release of Fable 5, I’ve prepared a prompt to audit our web and mobile applications: MASTER SECURITY AUDIT PROMPT - Claude Code Usage: paste the block below into Claude Code at the root of your project. Optionally prepend context: stack (e.g. Next.js + Supabase), deployment target, and whether the app collects user data. You are acting as a senior application security engineer performing a full pre-launch security audit of this codebase. Work systematically through every phase below. For each finding, report: file/location, severity (CRITICAL / HIGH / MEDIUM / LOW), what's wrong, exploit scenario, and the exact fix (code or config). Do not skip a phase because it "looks fine" - verify by reading the actual code and config. Phase 0 - Recon Map the stack: framework, auth provider, database, hosting, payment/AI/third-party APIs. List every API route / server endpoint and every public form. List every place user data is collected, stored, or transmitted. Phase 1 - Legal & Data Exposure (protect the owner, not just the app) Identify all personal data collected (emails, names, IPs, analytics, cookies). Check: is there a privacy policy? Is data storage location/provider documented? Flag anything triggering GDPR/CCPA obligations (EU/CA users, tracking, third-party data sharing) that isn't covered. Output a short "data map": what is stored, where, for how long, and who can access it. Phase 2 - Row Level Security / Data Access If Supabase (or Postgres): verify RLS is enabled on every table and inspect each policy. Flag any table with zero policies or with USING (true) on sensitive data. Verify the anon key cannot read/write anything a logged-out visitor shouldn't touch. Simulate: "what can I fetch with just the anon key from DevTools?" Check for IDOR: can user A read/modify user B's rows by changing an ID in a request? Phase 3 - Auth Failure Paths (not the happy path) Trace the code for each scenario and flag missing/unsafe handling: Wrong password entered 5+ times (lockout / throttling?) Password reset for a non-existent email (does the response reveal account existence?) Verification link clicked twice / expired token reuse Sign-up with an already-registered email (enumeration leak?) Session handling: expiry, invalidation on logout, token storage (localStorage vs cookie) Phase 4 - Security Headers & Baseline Posture Verify presence and correctness of: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options / frame-ancestors, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. Check cookie flags: Secure, HttpOnly, SameSite. Check HTTPS enforcement and any mixed-content risks. Provide the exact header config for this framework (next.config, middleware, vercel.json, etc.). Phase 5 - OWASP Top 10 Sweep Audit explicitly against OWASP Top 10. Prioritize: Injection: raw SQL, string-built queries, unsanitized input reaching DB/OS/shell. XSS: dangerouslySetInnerHTML, unescaped user content, unsafe URL handling. Broken access control: server-side authorization on EVERY protected route/action - not just hidden UI. SSRF, insecure deserialization, vulnerable dependencies (run npm audit / check lockfile). For each hit, show the vulnerable line and the patched version. Phase 6 - Server-Side Validation Rule: client-side validation is UX, not security. For every input the client validates, confirm the server re-validates (type, length, format, ownership) before use. Flag any endpoint that trusts request body/params/headers without a schema (zod/valibot/etc.). Check file uploads: type, size, storage path, filename sanitization. Phase 7 - Secret & Data Leaks (the 3 classic AI-generated leaks) .env values reaching the frontend: audit every NEXT_PUBLIC_ / VITE_ / client-bundled env var. Confirm nothing sensitive is exposed. Grep the build output if possible. API responses over-returning: endpoints that SELECT * or serialize whole objects (password hashes, tokens, internal fields, other users' data). Enforce explicit field allowlists. Secrets in logs: console.log / logger calls printing tokens, request bodies with credentials, full error objects with connection strings. Phase 8 - API Keys in the Browser Any paid/privileged API key referenced in client code = game over. Assume it's already stolen. For each one found: propose the server-side proxy route or edge function that replaces it, with auth + rate limiting on that proxy. Phase 9 - Rate Limiting & Cost Protection Every endpoint hitting a paid API (LLM, email, SMS, storage) MUST have rate limiting. Verify per-IP and per-user limits. Check for unbounded loops/retries that can multiply costs. Verify usage caps/alerts exist at the provider level (Supabase/OpenAI/Anthropic spend limits). Propose concrete middleware (e.g. Upstash Ratelimit, in-memory for small apps) with sensible defaults per endpoint. Phase 10 - Bot Protection & CORS Public forms (signup, contact, waitlist): verify CAPTCHA (Cloudflare Turnstile preferred - free) or equivalent. CORS: must be locked to the production domain(s). Flag *, reflected origins, or missing config. Show the correct config for this stack. Phase 11 - Error Messages That Don't Leak User-facing errors must be generic ("Something went wrong", "Invalid credentials") - never stack traces, SQL, file paths, or library internals. Full errors go to server-side logs only. Auth errors must not enable enumeration ("user not found" vs "wrong password" - use one message). Flag every res.send(error) / throw that surfaces raw error objects to the client. Phase 12 - Dependencies & Supply Chain Run npm audit (or equivalent) and triage results: exploitable in THIS app vs noise. Check lockfile integrity: is it committed? Any dependencies pulled from *** URLs or unpinned versions? Flag abandoned packages (no release in 2+ years) in security-critical paths (auth, crypto, parsing). Check for postinstall scripts in dependencies that could exfiltrate env vars. Phase 13 - *** History & CI/CD Secrets Scan *** history for committed secrets (keys, tokens, .env files) not just current tree. Recommend gitleaks or trufflehog and interpret results. If a secret was EVER committed: it must be rotated, not just deleted. List every secret needing rotation. Audit CI/CD config: secrets exposed in build logs, PR builds from forks with access to secrets, deploy tokens with excessive scope. Phase 14 - Payments & Webhooks (if applicable) Webhook endpoints (Stripe, LemonSqueezy, etc.): verify signature validation on every incoming webhook. Unverified webhook = anyone can grant themselves a paid plan. Idempotency: can a replayed webhook double-credit an account? Price/amount must come from the server, never from the client request. Check for premium-feature gating done only in UI (flag server-side entitlement checks). Phase 15 - Business Logic Abuse Race conditions: double-submit on purchase, redeem, or vote endpoints (parallel requests bypassing "once only" checks). Negative or absurd values: quantity -1, amount 0.001, array of 10,000 items in one request. Workflow skipping: can a user hit step-3 endpoint directly without completing step 1–2 (e.g. unverified email accessing verified-only features)? Coupon/referral/free-tier abuse: what stops one person from creating 500 accounts? Phase 16 - Mobile-Specific (if this is or ships a mobile app: native, React Native, Flutter, Capacitor, Godot export) Secrets in the binary: assume the APK/IPA will be decompiled. Grep bundled code/assets for API keys, endpoints, feature flags. Anything privileged must live behind your server. Secure storage: tokens/credentials in Keychain (iOS) / Keystore (Android) — never SharedPreferences, plain files, or AsyncStorage unencrypted. Transport: TLS everywhere; flag any usesCleartextTraffic=true / ATS exceptions. Consider certificate pinning for high-value APIs and document the tradeoff (pinning + expired cert = bricked app). Deep links / intents: validate and sanitize all deep link parameters; flag exported activities/intents (Android) that expose internal screens or actions. Verify OAuth redirect URIs can't be hijacked by another app claiming the scheme. WebViews: JS bridges (addJavascriptInterface, postMessage) exposing native functions to loaded content; loading remote URLs in privileged WebViews. Permissions: request the minimum; flag any permission not backed by a real feature. Client trust: server must never trust the app's claims (purchases → verify receipts server-side with Apple/Google; game scores/currency → server-authoritative). Update path: can old vulnerable app versions be force-deprecated (minimum version check)? Phase 17 - AI/LLM Endpoints (if the app calls LLMs) Prompt injection: user content concatenated into system prompts; document/URL content passed to the model that can carry instructions. Verify untrusted content is delimited and the system prompt treats it as data. Output handling: LLM output rendered as HTML/markdown (XSS via model output), executed as code, or used in DB queries without validation. Cost abuse: per-user token/request caps, max input length enforced server-side, streaming abort on disconnect. Data leakage: user A's data appearing in context for user B (shared caches, conversation history keyed incorrectly). System prompts containing secrets - assume system prompts can be extracted. Phase 18 - Infrastructure & Storage Storage buckets (Supabase Storage, S3, R2): public/private per bucket verified; signed URLs with sane expiry; no listing enabled on private buckets. Admin panels / internal dashboards: not reachable on production domain without auth; no default credentials. Database: backups enabled and tested; connection not exposed publicly; least-privilege DB roles (app doesn't connect as superuser). Staging/preview environments: same protections as ****, or no real data in them. Preview deployments (Vercel) with **** env vars = shadow ****. Phase 19 - Monitoring & Incident Readiness Would you KNOW if you were breached? Verify: error tracking (Sentry etc.), auth anomaly visibility (mass failed logins), billing alerts on all paid APIs. Audit log for sensitive actions (role changes, data exports, deletions) who did what, when. One-page incident checklist exists: how to rotate every secret, how to invalidate all sessions, how to take the app offline. If not, generate it as part of this audit. Final Output Produce: Executive summary - overall posture in 3 sentences. Findings table sorted by severity: # | Severity | Phase | File | Issue | Fix effort (S/M/L). Fix plan - ordered list starting with CRITICALs; group quick wins (<10 min) separately. Rotation list - every secret that must be rotated (from Phase 13), separate from code fixes. Offer to apply the CRITICAL fixes immediately, one at a time, with a diff for each before applying. Skip phases that don't apply (state why: "Phase 14 skipped - no payments in this app"). Do not invent findings. If a phase is clean, say so explicitly and state what evidence you checked.
-
DO-SAY-GO (@realdosaygo) reportedyou can't. you'll spend a month chasing down all the things. then get insta banned by CloudFlare or Datadome. I'm deep in this tech and it still took me 300 hours. Even if you're a 10x engineer vs me, you're still droppin 30 hours on this. At 200-500 an hour that's 6-15K. Or you could just pay me the equivalent of 30 minutes, and you can have it right now. Up to you, bad ;)
-
AwesomeAI (@Awesome_AI_News) reportedCloudflare has released new service regulations requiring all AI vendors to separate search crawlers from training/agent-specific crawlers by September 15th. Mixed crawlers accessing pages with advertisements will be automatically blocked. This rule applies uniformly to new customers, existing users creating new sites, and all free users; website administrators must manually modify backend configurations to allow crawling, directly affecting the standardization of AI crawlers in the industry. Cloudflare 发布服务新规,要求所有 AI 厂商在 9 月 15 日前拆分搜索爬虫与训练/代理专用爬虫。未区分的混合爬虫访问带广告页面将被自动拦截。该规则对新入驻客户、老用户新建站点及全部免费用户统一生效;网站管理员若要放行,须手动修改后台配置,直接影响 AI 行业爬虫规范。
-
Daniel Norkin (@DanielNorkin) reportedCloudflare just turned "charge for any request" into a setting at the edge. Web pages, APIs, even MCP tools, paid per call in USDC over x402, settled straight to your wallet. AWS shipped the same thing through its firewall. The payment problem for the agent economy is basically solved. But paying isn't trusting. When the buyer is an autonomous agent with no account, the payment IS the credential. You know it paid. You know nothing about who it is, whether it's a good actor, or what the thing was actually worth. The gate is done. The hard part was never moving the money. It's trust: who is this agent, can I deal with it, and what's a fair price? That's the layer nobody owns yet. Curious how people see it shaking out.
-
トム (@tomingtoming) reported@Cloudflare Japanese UI layout issue in Zero Trust onboarding. The "Get Started" button text is clipped and the button is rendered almost invisible on Chrome. The onboarding cannot be discovered unless the user clicks the empty area.
-
Hot Aisle (@HotAisle) reported@jachands @Cloudflare I guess this explains the outage yesterday.
-
CARTIST (@cartist00) reported@world_xyz @worldnetwork @Cloudflare lmao wtf
-
⛓️ FetteredRat🐀⛓️ (@RatShattered) reported@citcsmobile Damn, cloudflare having a rough year for real 😭
-
Hermann (@dhlotter) reportedStopping the bad guys with Cloudflare: 644 malicious requests blocked or challenged in the last month #cloudflare
-
UWillC (@uwillc) reportedHalf the internet blinked last week. The cause was a backhoe, not a model. June 22. A fiber cut on Zayo routes rippled into Cloudflare. X, Reddit, Zoom, Teams. Down. X alone passed 30,000 outage reports before most services recovered in about 20 minutes. Every AIOps dashboard in those companies watched a problem none of them could fix. You cannot reroute around a cut you do not own. You cannot ask an agent to splice glass three states away. We keep automating the control plane. The physical plane stays one excavator from an outage. Your multi-cloud is a logical diagram. Underneath it is often a single carrier. An AI can monitor the fiber. It still cannot splice it. Your redundancy on paper: single-carrier underneath, yes or no?
-
Easyjose (@Onlyhumanme) reported@world_xyz @worldnetwork @Cloudflare Quite a poor branding and comms. Undermining other just to gain traction.
-
Nirmit Kotadiya (@nirmitkotadiya) reportedCloudflare sits in front of millions of websites. So what happens if it goes down? The answer depends on how the website is configured. If Cloudflare experiences an outage: * some websites may become unreachable * pages may load slowly * DNS resolution can fail
-
Raunak Yadush (@raunak_yadush) reported* Claude = coding. ($20/mo) * Supabase = backend. (Free) * Vercel = deployment. (Free) * Namecheap = domain. ($12/yr) * Stripe = payments. (2.9% per transaction) * GitHub = version control. (Free) * Resend = email delivery. (Free) * Clerk = authentication. (Free) * Cloudflare = DNS. (Free) * PostHog = analytics. (Free) * Sentry = error monitoring. (Free) * Upstash = Redis. (Free) * Pinecone = vector database. (Free) Total monthly cost to run a startup: around $20. There has never been a more affordable time to build.