1. Home
  2. Companies
  3. Cloudflare
Cloudflare

Cloudflare status: hosting issues and outage reports

No problems detected

If you are having issues, please submit a report below.

Full Outage Map

Cloudflare is a company that provides DDoS mitigation, content delivery network (CDN) services, security and distributed DNS services. Cloudflare's services sit between the visitor and the Cloudflare user's hosting provider, acting as a reverse proxy for websites.

Problems in the last 24 hours

The graph below depicts the number of Cloudflare reports received over the last 24 hours by time of day. When the number of reports exceeds the baseline, represented by the red line, an outage is determined.

At the moment, we haven't detected any problems at Cloudflare. Are you experiencing issues or an outage? Leave a message in the comments section!

Most Reported Problems

The following are the most recent problems reported by Cloudflare users through our website.

  • 41% Domains (41%)
  • 25% Cloud Services (25%)
  • 16% Hosting (16%)
  • 13% Web Tools (13%)
  • 6% E-mail (6%)

Live Outage Map

The most recent Cloudflare outage reports came from the following cities:

CityProblem TypeReport Time
Manchester Domains 11 days ago
Angers Cloud Services 23 days ago
London Domains 25 days ago
Noida Hosting 1 month ago
Jewar E-mail 1 month ago
Braga Web Tools 1 month ago
Full Outage Map

Community Discussion

Tips? Frustrations? Share them here. Useful comments include a description of the problem, city and postal code.

Beware of "support numbers" or "recovery" accounts that might be posted below. Make sure to report and downvote those comments. Avoid posting your personal information.

Cloudflare Issues Reports

Latest outage, problems and issue reports in social media:

  • tamimbuilds
    tamimbuilds (@tamimbuilds) reported

    - Claude = coding. ($20/mo) - Supabase = backend. (Free) - Vercel = deploying. (Free) - Namecheap = domain. ($12/yr) - Stripe = payments. (2.9%/transaction) - GitHub = version control. (Free) - Resend = emails. (Free) - Clerk = auth. (Free) - Cloudflare = DNS. (Free) - PostHog = analytics. (Free) - Sentry = error tracking. (Free) - Upstash = Redis. (Free) - Pinecone = vector DB. (Free) Total monthly cost to run a startup: ~$20 There has never been a cheaper time to build.

  • Awesome_AI_News
    AwesomeAI (@Awesome_AI_News) reported

    Cloudflare has released new service regulations requiring all AI vendors to separate search crawlers from training/agent-specific crawlers by September 15th. Mixed crawlers accessing pages with advertisements will be automatically blocked. This rule applies uniformly to new customers, existing users creating new sites, and all free users; website administrators must manually modify backend configurations to allow crawling, directly affecting the standardization of AI crawlers in the industry. Cloudflare 发布服务新规,要求所有 AI 厂商在 9 月 15 日前拆分搜索爬虫与训练/代理专用爬虫。未区分的混合爬虫访问带广告页面将被自动拦截。该规则对新入驻客户、老用户新建站点及全部免费用户统一生效;网站管理员若要放行,须手动修改后台配置,直接影响 AI 行业爬虫规范。

  • smratitiwa86867
    smrati tiwari (@smratitiwa86867) reported

    Someone made a GitHub repo of every AI API that's actually free forever. Not "free trial." Not "$5 credit then we bill you." Free free. No card. 24k+ stars, updated constantly. I've been paying for API calls like an idiot. Here's what's inside The rule that makes it trustworthy: trials that expire are listed in a totally separate section. The "Free Providers" list is only the permanent tiers. No landmines. The heavy hitters, with real numbers: → Google AI Studio — Gemini 3.x Flash, no card → Groq — Llama, Qwen, gpt-oss, 30 req/min → Cerebras — fastest inference alive, 30 req/min → Cloudflare Workers AI — 10k neurons/day, runs Llama/Qwen/Gemma → OpenRouter — Nemotron, Qwen3-coder, poolside, all :free Most are OpenAI-SDK compatible. Which means: swap the base_url → paste the key → pick a model → done Same code you already wrote. Drop it into Cursor, aider, Claude Code, whatever. Zero refactor. Then the bonus round — the "trial credits" section: Fireworks, Baseten, Nebius, Hyperbolic, SambaNova... $1–$30 each in free credits. Drain the permanent tiers first, then farm these. One README replaces hours of tab-hopping through pricing pages. Links on comment 👇

  • adastroworld
    adas🧦🌹 (@adastroworld) reported

    @PersonaIData It’s been like $10 for the past 10 years so not terrible but yeah it’s just my custom email domain from namecheap Cloudflare allegedly cheaper so I’m gonna transfer out

  • LindaOakland75
    linda (@LindaOakland75) reported

    So Cloudflare is getting into stablecoin payments now? Wonder if this will actually take off or just be another waitlist that never opens.

  • bruteforceart21
    Brute Force Artist (@bruteforceart21) reported

    Claude = coding. ($20/mo) - Supabase = backend. (Free) - Vercel = deploying. (Free) - Namecheap = domain. ($12/yr) - Stripe = payments. (2.9%/transaction) - GitHub = version control. (Free) - Resend = emails. (Free) - Clerk = auth. (Free) - Cloudflare = DNS. (Free) - PostHog = analytics. (Free) - Sentry = error tracking. (Free) - Upstash = Redis. (Free) - Pinecone = vector DB. (Free) Total monthly cost to run a startup: ~$20 There has never been a cheaper time to build.

  • Nitewalkar
    Nitewalkar (@Nitewalkar) reported

    Day 4 of building with Grok Build and using Openclaw to manage what I build. We have made; - Fully Functioning POS App - tailacale - pull from open inv - create new sale - return/refund - Android ready. - Fully Functioning Ops App - work orders - forms - compliance docs - service agreements - calendar - team message board (avail on web) - cloudflare w/ms auth - upload purchases Clawbot Learning - email booking -> work order and draft invoices - email purchase receipt -> update PO, draft purchase/bill - email scan and monitoring - calendar management Websites - hosted docker on backend - rebuilt exclusovely with build - need fine tuning and revision then go live!!!!!!! Next - shared inbox/alias config for custom ms auth logins on one license ms365... ● Saving $700/year in GoDaddy. ● 1.19%/transaction on POS. ● 1-2h/day in admin time saved with OPS ● Clawbot monitors/manages space on always on pc. ● Build script monitors drive and pc it lives on with cron script. Reads logs and fixes issues. SEND MOAR CREDS BROS!!! THIS IS AMAZING!!!!!!! Entrepreneurs ********* @grok @xai @openclaw

  • 0xkatz
    Matt Katz (@0xkatz) reported

    Extremely bullish for x402. I always thought x402 was the best solution, yet feared that adoption may be slowed by integration hassle, compared to (for eg) agent cards. But if everyone using cloudflare (to a first approximation ~= all apps) is able to support x402, this is no longer an issue

  • jp_sdev
    JP | MindRoll (@jp_sdev) reported

    We've been rolling (literally) this week on MindRoll! 📝 - Terms and conditions, because we care - Cloudflare connectivity tests (no more DDoS) - Notifs got a makeover - Homepage got a facelift (twice) - Animations, everywhere - LLm support, because insights just got deeper

  • amirhp771
    amir(❖,❖) inkog.base.eth🟣🟢 (@amirhp771) reported

    The current discourse in decentralized tech frequently misidentifies the final boss of the internet age by focusing on frontend applications or software protocols. The absolute leverage over both real time artificial intelligence processing and crypto node survival sits at the network ingress and edge security proxy tier that dictates which automated entities are allowed to view the web. My pick for the final level is Cloudflare and the centralized web traffic scrubbing layer. Reason one is total data gatekeeping. As autonomous software agents scale, they must continuously ingest real time web information to function. This centralized edge tier completely controls the anti scraping firewalls and cryptographic challenge systems that shield the internet. They unilaterally decide which data ingestion bots get throttled or blocked entirely, controlling the supply chain of raw knowledge before a single model training process even begins. Reason two is validator node architecture survival. The vast majority of decentralized infrastructure networks and remote procedure call providers rely heavily on centralized corporate proxy configurations to shield their systems from malicious traffic. A single policy adjustment or edge routing update from this centralized layer can instantly degrade network latency or isolate distributed nodes globally without warning. Watching who controls the physical edge routing is why influence infrastructure like @RallyOnChain becomes vital. Instead of anchoring evaluation to social leverage or centralized distribution networks, Rally uses intelligent contracts to score content quality programmatically on chain. It bypasses corporate gatekeepers by measuring objective data value directly rather than follower count. If the absolute gatekeeper of the web edge adjusts its validation parameters tomorrow, which decentralized system can actually process real time external data without getting blocked?

  • nirmitkotadiya
    Nirmit Kotadiya (@nirmitkotadiya) reported

    Cloudflare sits in front of millions of websites. So what happens if it goes down? The answer depends on how the website is configured. If Cloudflare experiences an outage: * some websites may become unreachable * pages may load slowly * DNS resolution can fail

  • emot
    João Tomé (@emot) reported

    I was curious whether the earthquake in Venezuela had any lasting Internet impact as well, and it looks like it did, with latency staying higher afterwards. Median latency increased by roughly 15-20%, from around 68 ms to about 80 ms. Latency variability also increased, with the 75th percentile rising from roughly 90 ms to 110-120 ms, suggesting a less stable network. (from Cloudflare Radar’s IQI).

  • eashish93
    Ashish Rawat (@eashish93) reported

    @AniC_dev I like this, I'm building something on cloudflare stack, might wanna use this soon, but things are strictly tied to sandbox + workers etc. If you can natively support cloudflare agents sdk would be helpful.

  • Sangeli7
    Stephen Cefali 🇺🇸🇺🇦🇵🇭 (@Sangeli7) reported

    @ibocodes I ended up migrating workers off Cloudflare to Fly because I had too many OOM errors on random things. The node server used half the memory just to run the app. 128 MB just doesn’t give you enough headroom. But I still love Cloudflare.

  • larsbuilds
    Lars (@larsbuilds) reported

    @hakimuddinkika but tbh I just set cloudflare dns once and never touch it again, so..

  • spagsol
    spaghetti.sol (@spagsol) reported

    Yes, Cloudflare had issues again

  • ProMint_X
    ProMint (@ProMint_X) reported

    Geoblock on Polymarket? The Polymarket API is throwing a hard error: access is blocked because the IP address sending the orders is in a restricted region. The colocation whitelist stopped working, and orders from London-based wallets were rejected, likely due to network infrastructure and maintenance issues. However, this could also be a targeted compliance tightening by the exchange. If you’re still facing this issue, reroute your bot traffic through proxy servers in Ireland (Dublin) or Frankfurt (Germany). These regions aren't blocked yet, have excellent ping to European AWS/Cloudflare data centers, and let you place orders without any issues.

  • jakeb_ray
    Jakeb Ray (@jakeb_ray) reported

    @0xganny @liltheo @BullpenFi It's system architecture and infra issues dude to request load. They’d have to redesign the server-less edge functions, upgrade their ALB’s instance count, reprovision Cloudflare, and account the changes for App Runners. It isn't something that happens in an afternoon.

  • the_real_ori
    orig (@the_real_ori) reported

    @sunglassesface @Cloudflare @PlanetScale Support is always the last unsolved piece, even at companies this good. Infra scales on its own, a Discord full of overworked humans does not. That gap (AI answers first, humans only on escalations) is the whole reason I am building in this space.

  • GyanaR_
    Gyana (@GyanaR_) reported

    @SimonHoiberg Just use cloudflare, and never worry abour pricing

  • the4th_turning
    Siddharth Nag (@the4th_turning) reported

    .@supabase our production app is down on ap-south-1. Frontend/Vercel is healthy, but Supabase Auth + REST are returning Cloudflare 522 after ~20s on both custom domain and raw Supabase URL. Project ref: xilapyewazpzlvqbbtgl

  • AsteroidLabsX
    RAMΞN 🍜 | Asteroid (@AsteroidLabsX) reported

    @world_xyz @worldnetwork the cloudflare outage blocking actual worldcoin network access during this dispute was a mess for users trying to claim

  • Mekto85
    tmikulin (@Mekto85) reported

    @toomaime Dude tryout the new cloudflare Email service, i pay postmark like 15 bucks a month lol

  • stuli1989
    Kshitij Shah (@stuli1989) reported

    Just got a massive Cloudflare bill because of a vibe coded CF bug - damn, this is how vibe coding can bite you in the ***. @CloudflareHelp - could you be generous and give me a one time waiver please?

  • FahadHussa3165
    Fahad Hussain (@FahadHussa3165) reported

    Claude = coding. ($20/mo) GitHub = version control. (Free) Supabase = backend. (Free) Clerk = auth. (Free) Resend = emails. (Free) Vercel = deploying. (Free) Cloudflare = DNS. (Free) Upstash = Redis. (Free) Pinecone = vector DB. (Free) PostHog = analytics. (Free) Sentry = error tracking. (Free) Stripe = payments. (2.9%/transaction) Namecheap = domain. ($12/yr) Total monthly cost to run a startup: ~$20 There has never been a cheaper time to build

  • SwanyTheMaker
    Swany (@SwanyTheMaker) reported

    @jonahbuilds @ibocodes If you need Cloudflare or other service for auth, you should stay away from programming....

  • sp00ky11_
    Spook ✮⋆˙zinemaxxing (@sp00ky11_) reported

    Website is finally working after one million cloudflare issues

  • SYGNITO
    SYGNITO (@SYGNITO) reported

    Especially for the release of Fable 5, I’ve prepared a prompt to audit our web and mobile applications: MASTER SECURITY AUDIT PROMPT - Claude Code Usage: paste the block below into Claude Code at the root of your project. Optionally prepend context: stack (e.g. Next.js + Supabase), deployment target, and whether the app collects user data. You are acting as a senior application security engineer performing a full pre-launch security audit of this codebase. Work systematically through every phase below. For each finding, report: file/location, severity (CRITICAL / HIGH / MEDIUM / LOW), what's wrong, exploit scenario, and the exact fix (code or config). Do not skip a phase because it "looks fine" - verify by reading the actual code and config. Phase 0 - Recon Map the stack: framework, auth provider, database, hosting, payment/AI/third-party APIs. List every API route / server endpoint and every public form. List every place user data is collected, stored, or transmitted. Phase 1 - Legal & Data Exposure (protect the owner, not just the app) Identify all personal data collected (emails, names, IPs, analytics, cookies). Check: is there a privacy policy? Is data storage location/provider documented? Flag anything triggering GDPR/CCPA obligations (EU/CA users, tracking, third-party data sharing) that isn't covered. Output a short "data map": what is stored, where, for how long, and who can access it. Phase 2 - Row Level Security / Data Access If Supabase (or Postgres): verify RLS is enabled on every table and inspect each policy. Flag any table with zero policies or with USING (true) on sensitive data. Verify the anon key cannot read/write anything a logged-out visitor shouldn't touch. Simulate: "what can I fetch with just the anon key from DevTools?" Check for IDOR: can user A read/modify user B's rows by changing an ID in a request? Phase 3 - Auth Failure Paths (not the happy path) Trace the code for each scenario and flag missing/unsafe handling: Wrong password entered 5+ times (lockout / throttling?) Password reset for a non-existent email (does the response reveal account existence?) Verification link clicked twice / expired token reuse Sign-up with an already-registered email (enumeration leak?) Session handling: expiry, invalidation on logout, token storage (localStorage vs cookie) Phase 4 - Security Headers & Baseline Posture Verify presence and correctness of: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options / frame-ancestors, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. Check cookie flags: Secure, HttpOnly, SameSite. Check HTTPS enforcement and any mixed-content risks. Provide the exact header config for this framework (next.config, middleware, vercel.json, etc.). Phase 5 - OWASP Top 10 Sweep Audit explicitly against OWASP Top 10. Prioritize: Injection: raw SQL, string-built queries, unsanitized input reaching DB/OS/shell. XSS: dangerouslySetInnerHTML, unescaped user content, unsafe URL handling. Broken access control: server-side authorization on EVERY protected route/action - not just hidden UI. SSRF, insecure deserialization, vulnerable dependencies (run npm audit / check lockfile). For each hit, show the vulnerable line and the patched version. Phase 6 - Server-Side Validation Rule: client-side validation is UX, not security. For every input the client validates, confirm the server re-validates (type, length, format, ownership) before use. Flag any endpoint that trusts request body/params/headers without a schema (zod/valibot/etc.). Check file uploads: type, size, storage path, filename sanitization. Phase 7 - Secret & Data Leaks (the 3 classic AI-generated leaks) .env values reaching the frontend: audit every NEXT_PUBLIC_ / VITE_ / client-bundled env var. Confirm nothing sensitive is exposed. Grep the build output if possible. API responses over-returning: endpoints that SELECT * or serialize whole objects (password hashes, tokens, internal fields, other users' data). Enforce explicit field allowlists. Secrets in logs: console.log / logger calls printing tokens, request bodies with credentials, full error objects with connection strings. Phase 8 - API Keys in the Browser Any paid/privileged API key referenced in client code = game over. Assume it's already stolen. For each one found: propose the server-side proxy route or edge function that replaces it, with auth + rate limiting on that proxy. Phase 9 - Rate Limiting & Cost Protection Every endpoint hitting a paid API (LLM, email, SMS, storage) MUST have rate limiting. Verify per-IP and per-user limits. Check for unbounded loops/retries that can multiply costs. Verify usage caps/alerts exist at the provider level (Supabase/OpenAI/Anthropic spend limits). Propose concrete middleware (e.g. Upstash Ratelimit, in-memory for small apps) with sensible defaults per endpoint. Phase 10 - Bot Protection & CORS Public forms (signup, contact, waitlist): verify CAPTCHA (Cloudflare Turnstile preferred - free) or equivalent. CORS: must be locked to the production domain(s). Flag *, reflected origins, or missing config. Show the correct config for this stack. Phase 11 - Error Messages That Don't Leak User-facing errors must be generic ("Something went wrong", "Invalid credentials") - never stack traces, SQL, file paths, or library internals. Full errors go to server-side logs only. Auth errors must not enable enumeration ("user not found" vs "wrong password" - use one message). Flag every res.send(error) / throw that surfaces raw error objects to the client. Phase 12 - Dependencies & Supply Chain Run npm audit (or equivalent) and triage results: exploitable in THIS app vs noise. Check lockfile integrity: is it committed? Any dependencies pulled from *** URLs or unpinned versions? Flag abandoned packages (no release in 2+ years) in security-critical paths (auth, crypto, parsing). Check for postinstall scripts in dependencies that could exfiltrate env vars. Phase 13 - *** History & CI/CD Secrets Scan *** history for committed secrets (keys, tokens, .env files) not just current tree. Recommend gitleaks or trufflehog and interpret results. If a secret was EVER committed: it must be rotated, not just deleted. List every secret needing rotation. Audit CI/CD config: secrets exposed in build logs, PR builds from forks with access to secrets, deploy tokens with excessive scope. Phase 14 - Payments & Webhooks (if applicable) Webhook endpoints (Stripe, LemonSqueezy, etc.): verify signature validation on every incoming webhook. Unverified webhook = anyone can grant themselves a paid plan. Idempotency: can a replayed webhook double-credit an account? Price/amount must come from the server, never from the client request. Check for premium-feature gating done only in UI (flag server-side entitlement checks). Phase 15 - Business Logic Abuse Race conditions: double-submit on purchase, redeem, or vote endpoints (parallel requests bypassing "once only" checks). Negative or absurd values: quantity -1, amount 0.001, array of 10,000 items in one request. Workflow skipping: can a user hit step-3 endpoint directly without completing step 1–2 (e.g. unverified email accessing verified-only features)? Coupon/referral/free-tier abuse: what stops one person from creating 500 accounts? Phase 16 - Mobile-Specific (if this is or ships a mobile app: native, React Native, Flutter, Capacitor, Godot export) Secrets in the binary: assume the APK/IPA will be decompiled. Grep bundled code/assets for API keys, endpoints, feature flags. Anything privileged must live behind your server. Secure storage: tokens/credentials in Keychain (iOS) / Keystore (Android) — never SharedPreferences, plain files, or AsyncStorage unencrypted. Transport: TLS everywhere; flag any usesCleartextTraffic=true / ATS exceptions. Consider certificate pinning for high-value APIs and document the tradeoff (pinning + expired cert = bricked app). Deep links / intents: validate and sanitize all deep link parameters; flag exported activities/intents (Android) that expose internal screens or actions. Verify OAuth redirect URIs can't be hijacked by another app claiming the scheme. WebViews: JS bridges (addJavascriptInterface, postMessage) exposing native functions to loaded content; loading remote URLs in privileged WebViews. Permissions: request the minimum; flag any permission not backed by a real feature. Client trust: server must never trust the app's claims (purchases → verify receipts server-side with Apple/Google; game scores/currency → server-authoritative). Update path: can old vulnerable app versions be force-deprecated (minimum version check)? Phase 17 - AI/LLM Endpoints (if the app calls LLMs) Prompt injection: user content concatenated into system prompts; document/URL content passed to the model that can carry instructions. Verify untrusted content is delimited and the system prompt treats it as data. Output handling: LLM output rendered as HTML/markdown (XSS via model output), executed as code, or used in DB queries without validation. Cost abuse: per-user token/request caps, max input length enforced server-side, streaming abort on disconnect. Data leakage: user A's data appearing in context for user B (shared caches, conversation history keyed incorrectly). System prompts containing secrets - assume system prompts can be extracted. Phase 18 - Infrastructure & Storage Storage buckets (Supabase Storage, S3, R2): public/private per bucket verified; signed URLs with sane expiry; no listing enabled on private buckets. Admin panels / internal dashboards: not reachable on production domain without auth; no default credentials. Database: backups enabled and tested; connection not exposed publicly; least-privilege DB roles (app doesn't connect as superuser). Staging/preview environments: same protections as ****, or no real data in them. Preview deployments (Vercel) with **** env vars = shadow ****. Phase 19 - Monitoring & Incident Readiness Would you KNOW if you were breached? Verify: error tracking (Sentry etc.), auth anomaly visibility (mass failed logins), billing alerts on all paid APIs. Audit log for sensitive actions (role changes, data exports, deletions) who did what, when. One-page incident checklist exists: how to rotate every secret, how to invalidate all sessions, how to take the app offline. If not, generate it as part of this audit. Final Output Produce: Executive summary - overall posture in 3 sentences. Findings table sorted by severity: # | Severity | Phase | File | Issue | Fix effort (S/M/L). Fix plan - ordered list starting with CRITICALs; group quick wins (<10 min) separately. Rotation list - every secret that must be rotated (from Phase 13), separate from code fixes. Offer to apply the CRITICAL fixes immediately, one at a time, with a diff for each before applying. Skip phases that don't apply (state why: "Phase 14 skipped - no payments in this app"). Do not invent findings. If a phase is clean, say so explicitly and state what evidence you checked.

  • WaterAarav
    One&OnlyAarav (@WaterAarav) reported

    Claude = coding. ($20/mo) Shypmenta = deploys, connects, and manages every platform below. Basically your Cursor for shipping.($6/yr) Supabase = backend. (Free) Vercel = deploying. (Free) Namecheap = domain. ($12/yr) Stripe = payments. (2.9%/transaction) GitHub = version control. (Free) Resend = emails. (Free) Clerk = auth. (Free) Cloudflare = DNS. (Free) PostHog = analytics. (Free) Sentry = error tracking. (Free) Upstash = Redis. (Free) Pinecone = vector DB. (Free) Total monthly cost to run a startup: ~$20. Building has genuinely never been this affordable, and rarely this effortless either.

  • Onlyhumanme
    Easyjose (@Onlyhumanme) reported

    @world_xyz @worldnetwork @Cloudflare Quite a poor branding and comms. Undermining other just to gain traction.