Turning on DNSSEC makes your domain more secure — but if it’s misconfigured, newer certificate validation rules can stop SSL renewals in their tracks. Hey there, You know that satisfying click when you finally turn on DNSSEC? It feels like adding a shiny new deadbolt to your domain’s front door. You’re doing the responsible thing: […]
Tag Archives: security
My Website Is Hosting a Phishing Page – Now What?
Most phishing advice is written for the person staring at a suspicious email. This guide is for the other kind of victim: The website owner whose legitimate site has been quietly turned into the attacker’s weapon. You didn’t send the message or build the fake login page. You just woke up to a browser warning, […]
Beyond Login Screens: Why Access Control Matters
As breach costs go up and attackers focus on common web features like dashboards, admin panels, customer portals, and APIs, weak access control quickly leads to lost data, broken trust, and costly incidents. The worst part is that many failures are not rare technical flaws but simple mistakes, such as missing permission checks, roles with […]
Building a serverless, post-quantum Matrix homeserver
* This post was updated at 11:45 a.m. Pacific time to clarify that the use case described here is a proof of concept and a personal project. Some sections have been updated for clarity. Matrix is the gold standard for decentralized, end-to-end encrypted communication. It powers government messaging systems, open-source communities, and privacy-focused organizations worldwide. […]
How we mitigated a vulnerability in Cloudflare’s ACME validation logic
This post was updated on January 20, 2026. On October 13, 2025, security researchers from FearsOff identified and reported a vulnerability in Cloudflare’s ACME (Automatic Certificate Management Environment) validation logic that disabled some of the WAF features on specific ACME-related paths. The vulnerability was reported and validated through Cloudflare’s bug bounty program. The vulnerability was […]
Astro is joining Cloudflare
The Astro Technology Company, creators of the Astro web framework, is joining Cloudflare. Astro is the web framework for building fast, content-driven websites. Over the past few years, we’ve seen an incredibly diverse range of developers and companies use Astro to build for the web. This ranges from established brands like Porsche and IKEA, to […]
How to Protect Your Site From Content Sniffing with HTTP Security Headers
Ever had a perfectly “safe” page or file turn into an attack vector out of nowhere? That can happen when browsers start guessing what your content is instead of listening to your server. Browsers sometimes try to figure out what kind of file they’re dealing with if the server doesn’t provide the Content-Type header or […]
The 2025 Cloudflare Radar Year in Review: The rise of AI, post-quantum, and record-breaking DDoS attacks
The 2025 Cloudflare Radar Year in Review is here: our sixth annual review of the Internet trends and patterns we observed throughout the year, based on Cloudflare’s expansive network view. Our view is unique, due to Cloudflare’s global network, which has a presence in 330 cities in over 125 countries/regions, handling over 81 million HTTP […]
How Workers VPC Services connects to your regional private networks from anywhere in the world
In April, we shared our vision for a global virtual private cloud on Cloudflare, a way to unlock your applications from regionally constrained clouds and on-premise networks, enabling you to build truly cross-cloud applications. Today, we’re announcing the first milestone of our Workers VPC initiative: VPC Services. VPC Services allow you to connect to your […]
One IP address, many users: detecting CGNAT to reduce collateral effects
IP addresses have historically been treated as stable identifiers for non-routing purposes such as for geolocation and security operations. Many operational and security mechanisms, such as blocklists, rate-limiting, and anomaly detection, rely on the assumption that a single IP address represents a cohesive, accountable entity or even, possibly, a specific user or device. But the […]
