1. Home
  2. Companies
  3. Cloudflare
Cloudflare

Cloudflare status: hosting issues and outage reports

No problems detected

If you are having issues, please submit a report below.

Full Outage Map

Cloudflare is a company that provides DDoS mitigation, content delivery network (CDN) services, security and distributed DNS services. Cloudflare's services sit between the visitor and the Cloudflare user's hosting provider, acting as a reverse proxy for websites.

Problems in the last 24 hours

The graph below depicts the number of Cloudflare reports received over the last 24 hours by time of day. When the number of reports exceeds the baseline, represented by the red line, an outage is determined.

At the moment, we haven't detected any problems at Cloudflare. Are you experiencing issues or an outage? Leave a message in the comments section!

Most Reported Problems

The following are the most recent problems reported by Cloudflare users through our website.

  • 41% Domains (41%)
  • 25% Cloud Services (25%)
  • 16% Hosting (16%)
  • 13% Web Tools (13%)
  • 6% E-mail (6%)

Live Outage Map

The most recent Cloudflare outage reports came from the following cities:

CityProblem TypeReport Time
Manchester Domains 11 days ago
Angers Cloud Services 22 days ago
London Domains 24 days ago
Noida Hosting 1 month ago
Jewar E-mail 1 month ago
Braga Web Tools 1 month ago
Full Outage Map

Community Discussion

Tips? Frustrations? Share them here. Useful comments include a description of the problem, city and postal code.

Beware of "support numbers" or "recovery" accounts that might be posted below. Make sure to report and downvote those comments. Avoid posting your personal information.

Cloudflare Issues Reports

Latest outage, problems and issue reports in social media:

  • vermontaigne
    Rex Ratio (Official) (@vermontaigne) reported

    @Cloudflare Why have you decided I'm going to be checked a lot to determine whether I'm a real site visitor or not, and these checks are never going to resolve?

  • jblahs320
    Jblahs320 (@jblahs320) reported

    @philthatremains What happened to parenting. My child doesn't have access to this stuff because I monitor and take active steps to block her. Not only do I run heavy network wide ad blocking but also use Cloudflare DNS families. To completely block adult content. On top of that no Social Media.

  • kanapurottv
    KANAPURO 🎭 TEAM COMEDY (@kanapurottv) reported

    @Cloudflare pls fix workers bro pls pls psl psls pls

  • globaljeff
    Jeff Byer 🐙 (@globaljeff) reported

    I broke my finger, so I built an enterprise-level web app with one voice prompt. Enterprise-grade web infrastructure does not require enterprise complexity. The stack we build and deploy for clients at Byer Co runs on Cloudflare's global edge network, spanning 300+ cities, with no origin server to provision, patch, or babysit. Requests execute at the data center closest to the user. No cold starts. No ops overhead. Monthly cost: $0 Security is built into the network layer, not bolted on. Cloudflare Turnstile handles bot and abuse protection without degrading user experience. Bot Fight Mode challenges known malicious traffic before it ever reaches your application code. You get enterprise-level protection with zero additional vendors to manage. The stack: SvelteKit + Tailwind CSS (lean frontend, no virtual DOM overhead) Cloudflare Workers via Wrangler (edge deployment, global by default) Cloudflare R2 (object storage, no egress fees) Cloudflare D1 (SQLite at the edge, binds directly to Workers) Resend (transactional email) Cloudflare Turnstile + Bot Fight Mode (bot protection at the network level) Fewer libraries. Fewer third-party dependencies. Smaller attack surface. Faster builds and more predictable maintenance across every property we manage. If you are evaluating web infrastructure for a project, a portal, or a product build, this is worth a look before you default to a more complicated setup.

  • boringeng
    Boring Engineer (@boringeng) reported

    founders: what % of your “Direct” traffic do you think is actually people coming from ChatGPT? I couldn’t answer this for my own site. then I found out Cloudflare was blocking ClaudeBot by default and I never knew. feels like we’re all flying blind on the channel that’s replacing search.

  • tomingtoming
    トム (@tomingtoming) reported

    @Cloudflare Japanese UI layout issue in Zero Trust onboarding. The "Get Started" button text is clipped and the button is rendered almost invisible on Chrome. The onboarding cannot be discovered unless the user clicks the empty area.

  • TalhaEjaz07ee
    Talha Ejaz (@TalhaEjaz07ee) reported

    Buy a domain through Cloudflare and use its free reverse proxy service. It lets you securely access your self-hosted services from anywhere using custom subdomains. For example, my Paperless-ngx instance is available globally at: paperless.<mydomain>.com

  • Legates_PePe
    WiLLtHeThRiLL (@Legates_PePe) reported

    @xIsraelExposedx Cloudflare will take this down in 24hrs. Bet on that. You did well with the registration but they own a majority of the hosts. @BasedTorba may be your only hope in hosting. He's at the behest of his ISP's though. I do have a decentralized solution.

  • raunak_yadush
    Raunak Yadush (@raunak_yadush) reported

    * Claude = coding. ($20/mo) * Supabase = backend. (Free) * Vercel = deployment. (Free) * Namecheap = domain. ($12/yr) * Stripe = payments. (2.9% per transaction) * GitHub = version control. (Free) * Resend = email delivery. (Free) * Clerk = authentication. (Free) * Cloudflare = DNS. (Free) * PostHog = analytics. (Free) * Sentry = error monitoring. (Free) * Upstash = Redis. (Free) * Pinecone = vector database. (Free) Total monthly cost to run a startup: around $20. There has never been a more affordable time to build.

  • emot
    João Tomé (@emot) reported

    I was curious whether the earthquake in Venezuela had any lasting Internet impact as well, and it looks like it did, with latency staying higher afterwards. Median latency increased by roughly 15-20%, from around 68 ms to about 80 ms. Latency variability also increased, with the 75th percentile rising from roughly 90 ms to 110-120 ms, suggesting a less stable network. (from Cloudflare Radar’s IQI).

  • growthinweb3
    GROWTH IN WEB3 🙂‍↔️ (@growthinweb3) reported

    @Cointelegraph Cloudflare embracing stablecoin payments is another signal that crypto infrastructure is going mainstream. More adoption coming in soon.

  • lgrdlcs
    lucaslegrand (@lgrdlcs) reported

    Cloudflare Workers gotcha nobody warns you about: you can't hash passwords as strongly there as on a normal server, the runtime caps the work way below the standard. Found out while shipping login. If you build auth on the edge, check this first.

  • kunchenguid
    Kun Chen (@kunchenguid) reported

    i hope 2026 is the last year where we still have to manually click through any website to set things up in the last month, google cloud and app app review are the two repeated offenders that still need my manual click-throughs - bad by contrast, github, cloudflare, hetner etc are pretty much entirely configurable by agents - good (why not computer use / browser automation? because i don't want to expose secrets in plain text and let the agent type them via keystrokes and capture them into screenshots)

  • 0xSalazar
    🐍Salazar.eth 🦇🔊 (@0xSalazar) reported

    Breaking news from yesterday - Robinhood L2 Chain went live on mainnet, built on Arbitrum - Robinhood partnered with Lighter for perps - dYdX rebrands to Arcus, DEX on Robinhood Chain - Drift rebrands to Velocity - World, Solana prediction market app, went live - Ethereum Institutional launched as an independent non-profit to drive institutional Ethereum adoption, anchor-funded by BitMine, SharpLink, and Joseph Lubin. - Ethena partnered with Robinhood, becoming the primary collateral asset issuer for Robinhood’s first crypto earn product via a Steakhouse-curated vault. - Cloudflare opened the waitlist for its Monetization Gateway, letting developers charge for web/API/MCP access with stablecoin settlement via x402. - Circle CEO Jeremy Allaire criticized OUSD, saying consortium stablecoins have a poor track record and that USDC handled 80% of all dollar stablecoin transactions in Q1. - Visa, Stripe, Mastercard, BlackRock, Coinbase and 140+ other firms launched Open USD (OUSD), a stablecoin that shares reserve revenue with partners - Forward Industries grew its Solana treasury to 7.55m SOL (~$576M) - DeFiLlama launched a MiCA exchange dashboard to help EU users compare licensed trading platforms by fees, liquidity, and KYC. - Aave Chan Initiative wound down operations following a governance rift with Aave Labs. - Pumpfun deprecated its Tokenized Agent launch option for new coins after community backlash over PVP dynamics. - Christoph Jentzsch proposed to dissolve the ENS DAO by burning the ENSv2 Universal Router key and distributing remaining funds, arguing the protocol’s goals are already accomplished

  • SYGNITO
    SYGNITO (@SYGNITO) reported

    Especially for the release of Fable 5, I’ve prepared a prompt to audit our web and mobile applications: MASTER SECURITY AUDIT PROMPT - Claude Code Usage: paste the block below into Claude Code at the root of your project. Optionally prepend context: stack (e.g. Next.js + Supabase), deployment target, and whether the app collects user data. You are acting as a senior application security engineer performing a full pre-launch security audit of this codebase. Work systematically through every phase below. For each finding, report: file/location, severity (CRITICAL / HIGH / MEDIUM / LOW), what's wrong, exploit scenario, and the exact fix (code or config). Do not skip a phase because it "looks fine" - verify by reading the actual code and config. Phase 0 - Recon Map the stack: framework, auth provider, database, hosting, payment/AI/third-party APIs. List every API route / server endpoint and every public form. List every place user data is collected, stored, or transmitted. Phase 1 - Legal & Data Exposure (protect the owner, not just the app) Identify all personal data collected (emails, names, IPs, analytics, cookies). Check: is there a privacy policy? Is data storage location/provider documented? Flag anything triggering GDPR/CCPA obligations (EU/CA users, tracking, third-party data sharing) that isn't covered. Output a short "data map": what is stored, where, for how long, and who can access it. Phase 2 - Row Level Security / Data Access If Supabase (or Postgres): verify RLS is enabled on every table and inspect each policy. Flag any table with zero policies or with USING (true) on sensitive data. Verify the anon key cannot read/write anything a logged-out visitor shouldn't touch. Simulate: "what can I fetch with just the anon key from DevTools?" Check for IDOR: can user A read/modify user B's rows by changing an ID in a request? Phase 3 - Auth Failure Paths (not the happy path) Trace the code for each scenario and flag missing/unsafe handling: Wrong password entered 5+ times (lockout / throttling?) Password reset for a non-existent email (does the response reveal account existence?) Verification link clicked twice / expired token reuse Sign-up with an already-registered email (enumeration leak?) Session handling: expiry, invalidation on logout, token storage (localStorage vs cookie) Phase 4 - Security Headers & Baseline Posture Verify presence and correctness of: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options / frame-ancestors, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. Check cookie flags: Secure, HttpOnly, SameSite. Check HTTPS enforcement and any mixed-content risks. Provide the exact header config for this framework (next.config, middleware, vercel.json, etc.). Phase 5 - OWASP Top 10 Sweep Audit explicitly against OWASP Top 10. Prioritize: Injection: raw SQL, string-built queries, unsanitized input reaching DB/OS/shell. XSS: dangerouslySetInnerHTML, unescaped user content, unsafe URL handling. Broken access control: server-side authorization on EVERY protected route/action - not just hidden UI. SSRF, insecure deserialization, vulnerable dependencies (run npm audit / check lockfile). For each hit, show the vulnerable line and the patched version. Phase 6 - Server-Side Validation Rule: client-side validation is UX, not security. For every input the client validates, confirm the server re-validates (type, length, format, ownership) before use. Flag any endpoint that trusts request body/params/headers without a schema (zod/valibot/etc.). Check file uploads: type, size, storage path, filename sanitization. Phase 7 - Secret & Data Leaks (the 3 classic AI-generated leaks) .env values reaching the frontend: audit every NEXT_PUBLIC_ / VITE_ / client-bundled env var. Confirm nothing sensitive is exposed. Grep the build output if possible. API responses over-returning: endpoints that SELECT * or serialize whole objects (password hashes, tokens, internal fields, other users' data). Enforce explicit field allowlists. Secrets in logs: console.log / logger calls printing tokens, request bodies with credentials, full error objects with connection strings. Phase 8 - API Keys in the Browser Any paid/privileged API key referenced in client code = game over. Assume it's already stolen. For each one found: propose the server-side proxy route or edge function that replaces it, with auth + rate limiting on that proxy. Phase 9 - Rate Limiting & Cost Protection Every endpoint hitting a paid API (LLM, email, SMS, storage) MUST have rate limiting. Verify per-IP and per-user limits. Check for unbounded loops/retries that can multiply costs. Verify usage caps/alerts exist at the provider level (Supabase/OpenAI/Anthropic spend limits). Propose concrete middleware (e.g. Upstash Ratelimit, in-memory for small apps) with sensible defaults per endpoint. Phase 10 - Bot Protection & CORS Public forms (signup, contact, waitlist): verify CAPTCHA (Cloudflare Turnstile preferred - free) or equivalent. CORS: must be locked to the production domain(s). Flag *, reflected origins, or missing config. Show the correct config for this stack. Phase 11 - Error Messages That Don't Leak User-facing errors must be generic ("Something went wrong", "Invalid credentials") - never stack traces, SQL, file paths, or library internals. Full errors go to server-side logs only. Auth errors must not enable enumeration ("user not found" vs "wrong password" - use one message). Flag every res.send(error) / throw that surfaces raw error objects to the client. Phase 12 - Dependencies & Supply Chain Run npm audit (or equivalent) and triage results: exploitable in THIS app vs noise. Check lockfile integrity: is it committed? Any dependencies pulled from *** URLs or unpinned versions? Flag abandoned packages (no release in 2+ years) in security-critical paths (auth, crypto, parsing). Check for postinstall scripts in dependencies that could exfiltrate env vars. Phase 13 - *** History & CI/CD Secrets Scan *** history for committed secrets (keys, tokens, .env files) not just current tree. Recommend gitleaks or trufflehog and interpret results. If a secret was EVER committed: it must be rotated, not just deleted. List every secret needing rotation. Audit CI/CD config: secrets exposed in build logs, PR builds from forks with access to secrets, deploy tokens with excessive scope. Phase 14 - Payments & Webhooks (if applicable) Webhook endpoints (Stripe, LemonSqueezy, etc.): verify signature validation on every incoming webhook. Unverified webhook = anyone can grant themselves a paid plan. Idempotency: can a replayed webhook double-credit an account? Price/amount must come from the server, never from the client request. Check for premium-feature gating done only in UI (flag server-side entitlement checks). Phase 15 - Business Logic Abuse Race conditions: double-submit on purchase, redeem, or vote endpoints (parallel requests bypassing "once only" checks). Negative or absurd values: quantity -1, amount 0.001, array of 10,000 items in one request. Workflow skipping: can a user hit step-3 endpoint directly without completing step 1–2 (e.g. unverified email accessing verified-only features)? Coupon/referral/free-tier abuse: what stops one person from creating 500 accounts? Phase 16 - Mobile-Specific (if this is or ships a mobile app: native, React Native, Flutter, Capacitor, Godot export) Secrets in the binary: assume the APK/IPA will be decompiled. Grep bundled code/assets for API keys, endpoints, feature flags. Anything privileged must live behind your server. Secure storage: tokens/credentials in Keychain (iOS) / Keystore (Android) — never SharedPreferences, plain files, or AsyncStorage unencrypted. Transport: TLS everywhere; flag any usesCleartextTraffic=true / ATS exceptions. Consider certificate pinning for high-value APIs and document the tradeoff (pinning + expired cert = bricked app). Deep links / intents: validate and sanitize all deep link parameters; flag exported activities/intents (Android) that expose internal screens or actions. Verify OAuth redirect URIs can't be hijacked by another app claiming the scheme. WebViews: JS bridges (addJavascriptInterface, postMessage) exposing native functions to loaded content; loading remote URLs in privileged WebViews. Permissions: request the minimum; flag any permission not backed by a real feature. Client trust: server must never trust the app's claims (purchases → verify receipts server-side with Apple/Google; game scores/currency → server-authoritative). Update path: can old vulnerable app versions be force-deprecated (minimum version check)? Phase 17 - AI/LLM Endpoints (if the app calls LLMs) Prompt injection: user content concatenated into system prompts; document/URL content passed to the model that can carry instructions. Verify untrusted content is delimited and the system prompt treats it as data. Output handling: LLM output rendered as HTML/markdown (XSS via model output), executed as code, or used in DB queries without validation. Cost abuse: per-user token/request caps, max input length enforced server-side, streaming abort on disconnect. Data leakage: user A's data appearing in context for user B (shared caches, conversation history keyed incorrectly). System prompts containing secrets - assume system prompts can be extracted. Phase 18 - Infrastructure & Storage Storage buckets (Supabase Storage, S3, R2): public/private per bucket verified; signed URLs with sane expiry; no listing enabled on private buckets. Admin panels / internal dashboards: not reachable on production domain without auth; no default credentials. Database: backups enabled and tested; connection not exposed publicly; least-privilege DB roles (app doesn't connect as superuser). Staging/preview environments: same protections as ****, or no real data in them. Preview deployments (Vercel) with **** env vars = shadow ****. Phase 19 - Monitoring & Incident Readiness Would you KNOW if you were breached? Verify: error tracking (Sentry etc.), auth anomaly visibility (mass failed logins), billing alerts on all paid APIs. Audit log for sensitive actions (role changes, data exports, deletions) who did what, when. One-page incident checklist exists: how to rotate every secret, how to invalidate all sessions, how to take the app offline. If not, generate it as part of this audit. Final Output Produce: Executive summary - overall posture in 3 sentences. Findings table sorted by severity: # | Severity | Phase | File | Issue | Fix effort (S/M/L). Fix plan - ordered list starting with CRITICALs; group quick wins (<10 min) separately. Rotation list - every secret that must be rotated (from Phase 13), separate from code fixes. Offer to apply the CRITICAL fixes immediately, one at a time, with a diff for each before applying. Skip phases that don't apply (state why: "Phase 14 skipped - no payments in this app"). Do not invent findings. If a phase is clean, say so explicitly and state what evidence you checked.

  • GooningOnTumblr
    Mersh (@GooningOnTumblr) reported

    @Philo01 @Cloudflare In case you’re poor and your auto renewal doesn’t go through

  • c_s_a_w
    chetansawai (@c_s_a_w) reported

    @alexgroberman The default settings piece is the trap here. Site owners who never open their Cloudflare dashboard are about to have their AI visibility decided for them by whatever the defaults are. Ten minutes checking what's toggled on your zone is cheap insurance.

  • spagsol
    spaghetti.sol (@spagsol) reported

    Yes, Cloudflare had issues again

  • uwillc
    UWillC (@uwillc) reported

    Half the internet blinked last week. The cause was a backhoe, not a model. June 22. A fiber cut on Zayo routes rippled into Cloudflare. X, Reddit, Zoom, Teams. Down. X alone passed 30,000 outage reports before most services recovered in about 20 minutes. Every AIOps dashboard in those companies watched a problem none of them could fix. You cannot reroute around a cut you do not own. You cannot ask an agent to splice glass three states away. We keep automating the control plane. The physical plane stays one excavator from an outage. Your multi-cloud is a logical diagram. Underneath it is often a single carrier. An AI can monitor the fiber. It still cannot splice it. Your redundancy on paper: single-carrier underneath, yes or no?

  • plebo86
    plebo6 (@plebo86) reported

    Per AI: An online cookieless future ahead where internet companies can no longer depend on third-party cookies to follow you across multiple websites for advertising and profiling. Instead, the emphasis shifts toward privacy, user consent, and data that people knowingly share. Even though Google’s plans for Chrome have evolved over time, the industry has largely been moving toward privacy-first approaches because of browser restrictions, regulations, and changing consumer expectations. Here’s what that means in practice: For everyday internet users More privacy: Companies have a harder time tracking your browsing across unrelated websites. Less “creepy” advertising: You may no longer see an ad for a product immediately after viewing it on another site. More consent choices: Websites increasingly ask what types of tracking you’re willing to allow. Slightly less personalized ads: Advertising is more likely to be based on the page you’re viewing or information you’ve voluntarily provided, rather than your browsing history across the web. For businesses Companies are adapting by relying more on: First-party data (information customers provide directly, such as account registrations, purchases, or newsletter signups). Contextual advertising, which places ads based on the content of the webpage rather than the person’s browsing history. Privacy-enhancing technologies, such as aggregated measurement and secure data collaboration, to understand campaign performance without exposing individual identities. Industries likely to benefit Several sectors stand to gain as organizations invest in privacy-first technologies: Cybersecurity and privacy software Identity and authentication services Consent management platforms Cloud data infrastructure Customer relationship management (CRM) software AI-driven marketing analytics Examples of well-known public companies involved in these areas include: Salesforce Adobe Cloudflare Microsoft Oracle Investment implications If privacy-first trends continue over the next several years, companies that help businesses: manage customer data, obtain and document consent, analyze marketing without invasive tracking, and secure digital identities could continue to see growing demand. At the same time, advertising businesses that relied heavily on third-party tracking have had to redesign their technology and measurement approaches. Looking ahead The “cookieless future” is not simply about eliminating cookies. Instead, it’s a shift toward an internet where: users have more control over their data, companies rely more on direct customer relationships, advertising becomes more privacy-conscious, and artificial intelligence plays a larger role in understanding trends from aggregated rather than individually tracked data.

  • AICultureWorld
    Chris (@AICultureWorld) reported

    So cloudflare is down?

  • JoviDeC
    jovi 🐨 (@JoviDeC) reported

    Prompt prefix caching seems very broken on @Cloudflare lately, haven't hit the cache once for the last 3 days for Kimi K2.7-code

  • Zenul_Abidin
    Ali Sherief (@Zenul_Abidin) reported

    @marclou Free plans don't really do much for you unless the service in question is called Cloudflare or Vercel. Or some other IaaS

  • turnpike402
    Turnpike (@turnpike402) reported

    The announcement from Cloudflare today is a huge step forward for the x402 ecosystem. Part of the problem at this early stage is convincing AI companies that they'll need to pay for what they scrape - CF is a loud voice telling them otherwise.

  • Tank23x0
    Joey Romaine 🇺🇸 |=★=| (@Tank23x0) reported

    Cloudflare Status: Billing Invoice UI issue Resilience is security: know what breaks when that platform is unavailable.

  • iMichaelTen
    Michael Ten 🌨🎶🫐🍀 (@iMichaelTen) reported

    @Cloudflare How could a service be built like this with Monero or Bitcoin Cash, those cryptocurrencies? @grok

  • ProMint_X
    ProMint (@ProMint_X) reported

    Geoblock on Polymarket? The Polymarket API is throwing a hard error: access is blocked because the IP address sending the orders is in a restricted region. The colocation whitelist stopped working, and orders from London-based wallets were rejected, likely due to network infrastructure and maintenance issues. However, this could also be a targeted compliance tightening by the exchange. If you’re still facing this issue, reroute your bot traffic through proxy servers in Ireland (Dublin) or Frankfurt (Germany). These regions aren't blocked yet, have excellent ping to European AWS/Cloudflare data centers, and let you place orders without any issues.

  • the_real_ori
    orig (@the_real_ori) reported

    @sunglassesface @Cloudflare @PlanetScale Support is always the last unsolved piece, even at companies this good. Infra scales on its own, a Discord full of overworked humans does not. That gap (AI answers first, humans only on escalations) is the whole reason I am building in this space.

  • m3anf4ce
    mugiwara no mean face (@m3anf4ce) reported

    Now cloudflare blocking me from watching donghua. If they take away my last bit of peace in this ******* country, I can promise I will be a problem.

  • auxten
    auxten (@auxten) reported

    @olvrgln @arundsharma Cloudflare Workers is the next problem we're going to try and solve.