1. Home
  2. Companies
  3. Cloudflare
  4. Outage Map
Cloudflare

Cloudflare Outage Map

The map below depicts the most recent cities worldwide where Cloudflare users have reported problems and outages. If you are having an issue with Cloudflare, make sure to submit a report below

Loading map, please wait...

The heatmap above shows where the most recent user-submitted and social media reports are geographically clustered. The density of these reports is depicted by the color scale as shown below.

Cloudflare users affected:

Less
More
Check Current Status

Cloudflare is a company that provides DDoS mitigation, content delivery network (CDN) services, security and distributed DNS services. Cloudflare's services sit between the visitor and the Cloudflare user's hosting provider, acting as a reverse proxy for websites.

Most Affected Locations

Outage reports and issues in the past 15 days originated from:

Location Reports
Manchester, England 1
Angers, Pays de la Loire 1
London, England 1
Noida, UP 3
Jewar, UP 1
Braga, Braga 1
Paris, Île-de-France 2
Prievidza, Nitriansky 1
Farmers Branch, TX 1
Helsinki, Uusimaa 1
Crisfield, MD 2
Nanaimo, BC 1
New York City, NY 1
Istanbul, Istanbul 1
Greater Noida, UP 1
Check Current Status

Community Discussion

Tips? Frustrations? Share them here. Useful comments include a description of the problem, city and postal code.

Beware of "support numbers" or "recovery" accounts that might be posted below. Make sure to report and downvote those comments. Avoid posting your personal information.

Cloudflare Issues Reports

Latest outage, problems and issue reports in social media:

  • ZubairIbnZamir
    Zubair Ibn Zamir (@ZubairIbnZamir) reported

    @Cloudflare @CloudflareDev Workers Builds queue stuck: pushes to GitHub main keep creating build records but they stay in queued and never move to running. 3 builds stuck now, oldest 15+ min. Anyone else affected today?

  • ilyesm
    Ilyas (@ilyesm) reported

    @jachands @Cloudflare Damn still seeing a bunch of people leave Cloudflare after the layoffs were announced...

  • 1Adityabhansali
    Aditya Bhansali ➡️ Network School + (@1Adityabhansali) reported

    HTTP 402 "payment required" has sat there, mostly unused, since the 90s. A status code reserved for a native way to pay on the web that never arrived. @Cloudflare just switched it on with stablecoins + x402. Per-request payments, sub-second, no account. The machine-payment internet quietly shipped this week.

  • aditya4f
    Aditya🌪️ (@aditya4f) reported

    - Claude = coding ($20/mo) - Supabase = backend (Free) - Vercel = deploying (Free) - Namecheap = domain ($12/yr) - Stripe = payments (2.9%/transaction) - GitHub = version control (Free) - Resend = emails (Free) - Clerk = auth (Free) - Cloudflare = DNS (Free) - PostHog = analytics (Free) - Sentry = error tracking (Free) - Upstash = Redis (Free) - Pinecone = vector DB (Free) Total monthly cost to run a startup: ~$20 There has never been a cheaper time to build. Who's stopping you?

  • samuelrizzondev
    Samuel Rizzon → thegitcity.com (@samuelrizzondev) reported

    hey @rauchg, @vercel strips the Server-Timing header in ****, which quietly kills Framer's A/B test when you proxy Framer through a Next app. we're stuck seeing ~0.5% of our traffic. cloudflare would fix it but we love being vercel-native. any way to keep the header?

  • mrowmewo
    mrow 🦦🦈 (@mrowmewo) reported

    @sugarsprink Before it was just the Cloudflare image and like 1minute loading times for every button you pressed for the tail end of June and EVEN WORSE for the start of July, this year it’s not even that bad…Dont even joke lad

  • srishticodes
    Srishti (@srishticodes) reported

    Claude = coding. ($20/mo) GitHub = version control. (Free) Supabase = backend. (Free) Clerk = auth. (Free) Resend = emails. (Free) Vercel = deploying. (Free) Cloudflare = DNS. (Free) Upstash = Redis. (Free) Pinecone = vector DB. (Free) PostHog = analytics. (Free) Sentry = error tracking. (Free) Stripe = payments. (2.9%/transaction) Namecheap = domain. ($12/yr) Total monthly cost to run a startup: ~$20 There has never been a cheaper time to build

  • WaterAarav
    One&OnlyAarav (@WaterAarav) reported

    Claude = coding. ($20/mo) Shypmenta = deploys, connects, and manages every platform below. Basically your Cursor for shipping.($6/yr) Supabase = backend. (Free) Vercel = deploying. (Free) Namecheap = domain. ($12/yr) Stripe = payments. (2.9%/transaction) GitHub = version control. (Free) Resend = emails. (Free) Clerk = auth. (Free) Cloudflare = DNS. (Free) PostHog = analytics. (Free) Sentry = error tracking. (Free) Upstash = Redis. (Free) Pinecone = vector DB. (Free) Total monthly cost to run a startup: ~$20. Building has genuinely never been this affordable, and rarely this effortless either.

  • Awesome_AI_News
    AwesomeAI (@Awesome_AI_News) reported

    Cloudflare has released new service regulations requiring all AI vendors to separate search crawlers from training/agent-specific crawlers by September 15th. Mixed crawlers accessing pages with advertisements will be automatically blocked. This rule applies uniformly to new customers, existing users creating new sites, and all free users; website administrators must manually modify backend configurations to allow crawling, directly affecting the standardization of AI crawlers in the industry. Cloudflare 发布服务新规,要求所有 AI 厂商在 9 月 15 日前拆分搜索爬虫与训练/代理专用爬虫。未区分的混合爬虫访问带广告页面将被自动拦截。该规则对新入驻客户、老用户新建站点及全部免费用户统一生效;网站管理员若要放行,须手动修改后台配置,直接影响 AI 行业爬虫规范。

  • GyanaR_
    Gyana (@GyanaR_) reported

    @SimonHoiberg Just use cloudflare, and never worry abour pricing

  • AICultureWorld
    Chris (@AICultureWorld) reported

    So cloudflare is down?

  • aaronware
    Aaron Ware (@aaronware) reported

    @MarkJSzymanski You probably have more volume than the free plan but cloudflare also has email sending if you use their service already. We’ve been using it for a month or so, setup is easy

  • SYGNITO
    SYGNITO (@SYGNITO) reported

    Especially for the release of Fable 5, I’ve prepared a prompt to audit our web and mobile applications: MASTER SECURITY AUDIT PROMPT - Claude Code Usage: paste the block below into Claude Code at the root of your project. Optionally prepend context: stack (e.g. Next.js + Supabase), deployment target, and whether the app collects user data. You are acting as a senior application security engineer performing a full pre-launch security audit of this codebase. Work systematically through every phase below. For each finding, report: file/location, severity (CRITICAL / HIGH / MEDIUM / LOW), what's wrong, exploit scenario, and the exact fix (code or config). Do not skip a phase because it "looks fine" - verify by reading the actual code and config. Phase 0 - Recon Map the stack: framework, auth provider, database, hosting, payment/AI/third-party APIs. List every API route / server endpoint and every public form. List every place user data is collected, stored, or transmitted. Phase 1 - Legal & Data Exposure (protect the owner, not just the app) Identify all personal data collected (emails, names, IPs, analytics, cookies). Check: is there a privacy policy? Is data storage location/provider documented? Flag anything triggering GDPR/CCPA obligations (EU/CA users, tracking, third-party data sharing) that isn't covered. Output a short "data map": what is stored, where, for how long, and who can access it. Phase 2 - Row Level Security / Data Access If Supabase (or Postgres): verify RLS is enabled on every table and inspect each policy. Flag any table with zero policies or with USING (true) on sensitive data. Verify the anon key cannot read/write anything a logged-out visitor shouldn't touch. Simulate: "what can I fetch with just the anon key from DevTools?" Check for IDOR: can user A read/modify user B's rows by changing an ID in a request? Phase 3 - Auth Failure Paths (not the happy path) Trace the code for each scenario and flag missing/unsafe handling: Wrong password entered 5+ times (lockout / throttling?) Password reset for a non-existent email (does the response reveal account existence?) Verification link clicked twice / expired token reuse Sign-up with an already-registered email (enumeration leak?) Session handling: expiry, invalidation on logout, token storage (localStorage vs cookie) Phase 4 - Security Headers & Baseline Posture Verify presence and correctness of: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options / frame-ancestors, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. Check cookie flags: Secure, HttpOnly, SameSite. Check HTTPS enforcement and any mixed-content risks. Provide the exact header config for this framework (next.config, middleware, vercel.json, etc.). Phase 5 - OWASP Top 10 Sweep Audit explicitly against OWASP Top 10. Prioritize: Injection: raw SQL, string-built queries, unsanitized input reaching DB/OS/shell. XSS: dangerouslySetInnerHTML, unescaped user content, unsafe URL handling. Broken access control: server-side authorization on EVERY protected route/action - not just hidden UI. SSRF, insecure deserialization, vulnerable dependencies (run npm audit / check lockfile). For each hit, show the vulnerable line and the patched version. Phase 6 - Server-Side Validation Rule: client-side validation is UX, not security. For every input the client validates, confirm the server re-validates (type, length, format, ownership) before use. Flag any endpoint that trusts request body/params/headers without a schema (zod/valibot/etc.). Check file uploads: type, size, storage path, filename sanitization. Phase 7 - Secret & Data Leaks (the 3 classic AI-generated leaks) .env values reaching the frontend: audit every NEXT_PUBLIC_ / VITE_ / client-bundled env var. Confirm nothing sensitive is exposed. Grep the build output if possible. API responses over-returning: endpoints that SELECT * or serialize whole objects (password hashes, tokens, internal fields, other users' data). Enforce explicit field allowlists. Secrets in logs: console.log / logger calls printing tokens, request bodies with credentials, full error objects with connection strings. Phase 8 - API Keys in the Browser Any paid/privileged API key referenced in client code = game over. Assume it's already stolen. For each one found: propose the server-side proxy route or edge function that replaces it, with auth + rate limiting on that proxy. Phase 9 - Rate Limiting & Cost Protection Every endpoint hitting a paid API (LLM, email, SMS, storage) MUST have rate limiting. Verify per-IP and per-user limits. Check for unbounded loops/retries that can multiply costs. Verify usage caps/alerts exist at the provider level (Supabase/OpenAI/Anthropic spend limits). Propose concrete middleware (e.g. Upstash Ratelimit, in-memory for small apps) with sensible defaults per endpoint. Phase 10 - Bot Protection & CORS Public forms (signup, contact, waitlist): verify CAPTCHA (Cloudflare Turnstile preferred - free) or equivalent. CORS: must be locked to the production domain(s). Flag *, reflected origins, or missing config. Show the correct config for this stack. Phase 11 - Error Messages That Don't Leak User-facing errors must be generic ("Something went wrong", "Invalid credentials") - never stack traces, SQL, file paths, or library internals. Full errors go to server-side logs only. Auth errors must not enable enumeration ("user not found" vs "wrong password" - use one message). Flag every res.send(error) / throw that surfaces raw error objects to the client. Phase 12 - Dependencies & Supply Chain Run npm audit (or equivalent) and triage results: exploitable in THIS app vs noise. Check lockfile integrity: is it committed? Any dependencies pulled from *** URLs or unpinned versions? Flag abandoned packages (no release in 2+ years) in security-critical paths (auth, crypto, parsing). Check for postinstall scripts in dependencies that could exfiltrate env vars. Phase 13 - *** History & CI/CD Secrets Scan *** history for committed secrets (keys, tokens, .env files) not just current tree. Recommend gitleaks or trufflehog and interpret results. If a secret was EVER committed: it must be rotated, not just deleted. List every secret needing rotation. Audit CI/CD config: secrets exposed in build logs, PR builds from forks with access to secrets, deploy tokens with excessive scope. Phase 14 - Payments & Webhooks (if applicable) Webhook endpoints (Stripe, LemonSqueezy, etc.): verify signature validation on every incoming webhook. Unverified webhook = anyone can grant themselves a paid plan. Idempotency: can a replayed webhook double-credit an account? Price/amount must come from the server, never from the client request. Check for premium-feature gating done only in UI (flag server-side entitlement checks). Phase 15 - Business Logic Abuse Race conditions: double-submit on purchase, redeem, or vote endpoints (parallel requests bypassing "once only" checks). Negative or absurd values: quantity -1, amount 0.001, array of 10,000 items in one request. Workflow skipping: can a user hit step-3 endpoint directly without completing step 1–2 (e.g. unverified email accessing verified-only features)? Coupon/referral/free-tier abuse: what stops one person from creating 500 accounts? Phase 16 - Mobile-Specific (if this is or ships a mobile app: native, React Native, Flutter, Capacitor, Godot export) Secrets in the binary: assume the APK/IPA will be decompiled. Grep bundled code/assets for API keys, endpoints, feature flags. Anything privileged must live behind your server. Secure storage: tokens/credentials in Keychain (iOS) / Keystore (Android) — never SharedPreferences, plain files, or AsyncStorage unencrypted. Transport: TLS everywhere; flag any usesCleartextTraffic=true / ATS exceptions. Consider certificate pinning for high-value APIs and document the tradeoff (pinning + expired cert = bricked app). Deep links / intents: validate and sanitize all deep link parameters; flag exported activities/intents (Android) that expose internal screens or actions. Verify OAuth redirect URIs can't be hijacked by another app claiming the scheme. WebViews: JS bridges (addJavascriptInterface, postMessage) exposing native functions to loaded content; loading remote URLs in privileged WebViews. Permissions: request the minimum; flag any permission not backed by a real feature. Client trust: server must never trust the app's claims (purchases → verify receipts server-side with Apple/Google; game scores/currency → server-authoritative). Update path: can old vulnerable app versions be force-deprecated (minimum version check)? Phase 17 - AI/LLM Endpoints (if the app calls LLMs) Prompt injection: user content concatenated into system prompts; document/URL content passed to the model that can carry instructions. Verify untrusted content is delimited and the system prompt treats it as data. Output handling: LLM output rendered as HTML/markdown (XSS via model output), executed as code, or used in DB queries without validation. Cost abuse: per-user token/request caps, max input length enforced server-side, streaming abort on disconnect. Data leakage: user A's data appearing in context for user B (shared caches, conversation history keyed incorrectly). System prompts containing secrets - assume system prompts can be extracted. Phase 18 - Infrastructure & Storage Storage buckets (Supabase Storage, S3, R2): public/private per bucket verified; signed URLs with sane expiry; no listing enabled on private buckets. Admin panels / internal dashboards: not reachable on production domain without auth; no default credentials. Database: backups enabled and tested; connection not exposed publicly; least-privilege DB roles (app doesn't connect as superuser). Staging/preview environments: same protections as ****, or no real data in them. Preview deployments (Vercel) with **** env vars = shadow ****. Phase 19 - Monitoring & Incident Readiness Would you KNOW if you were breached? Verify: error tracking (Sentry etc.), auth anomaly visibility (mass failed logins), billing alerts on all paid APIs. Audit log for sensitive actions (role changes, data exports, deletions) who did what, when. One-page incident checklist exists: how to rotate every secret, how to invalidate all sessions, how to take the app offline. If not, generate it as part of this audit. Final Output Produce: Executive summary - overall posture in 3 sentences. Findings table sorted by severity: # | Severity | Phase | File | Issue | Fix effort (S/M/L). Fix plan - ordered list starting with CRITICALs; group quick wins (<10 min) separately. Rotation list - every secret that must be rotated (from Phase 13), separate from code fixes. Offer to apply the CRITICAL fixes immediately, one at a time, with a diff for each before applying. Skip phases that don't apply (state why: "Phase 14 skipped - no payments in this app"). Do not invent findings. If a phase is clean, say so explicitly and state what evidence you checked.

  • bickov
    Alex @Bickov (@bickov) reported

    @justbyte_ Namecheap for the cheap first year, then transfer to Cloudflare. Cloudflare is at-cost with no markup, so renewals never jump, about $10.44 for a .com forever instead of ballooning year two. Only catch is you have to use their nameservers.

  • hsaffiliate2025
    Diluc (@hsaffiliate2025) reported

    He has only 1 follower on IndieHackers — and his product makes $1,000/month. No hype. No launch party. Just a quiet tool that solves a real pain. Here's the breakdown of PhotoCore 👇 • What it is: A photo management tool optimized for Apple Silicon (M1/M2/M3 Macs). • The pain: He says modern digital archiving is "fundamentally broken" — iCloud and Google Photos are slow, privacy-invasive, or limited. • The edge: Apple Silicon's unified memory and neural engine let PhotoCore run AI tagging, search, and backups blazingly fast — all locally. • Revenue model: Freemium. Basic free, advanced features (AI classification, batch export, multi-device sync) on subscription — estimated $5–10/month or a one-time purchase. • Users: ~100 paying users at $10/mo each. Not a unicorn, but real revenue for a solo dev with zero social proof. Why this matters: Most people think you need a massive following to make money. PhotoCore proves otherwise. He found a niche (Mac power users with huge photo libraries) and built something that works better than the giants — specifically for their hardware. The tech stack (likely): Swift, Core ML, Cloudflare R2 for sync. No fancy AI APIs — just Apple's native frameworks. The hard part: • Competing with iCloud, Google Photos, Lightroom — all free or cheap. • Building trust with 1 follower. He probably relied on IndieHackers, MacRumors, and Reddit r/mac for word-of-mouth. • Keeping costs low. Photo storage and AI inference aren't free. $1k/mo might leave thin margins. Can you replicate this? It's not easy — you need Apple dev skills and ML knowledge. But the lesson is universal: find an underserved niche, optimize for a specific hardware or workflow, and charge for it. Don't code? Use AI tools (Cursor, Claude) to build a prototype, or offer a service around photo management (templates, consulting). Bottom line: $1k/mo is a start, not a finish. But it proves that in the AI era, you don't need an audience — you need a solution. Follow for more real AI money breakdowns. #IndieHackers #AI

Check Current Status