Cloudflare

Cloudflare status: hosting issues and outage reports

No problems detected


Cloudflare is a company that provides DDoS mitigation, content delivery network (CDN) services, security and distributed DNS services. Cloudflare's services sit between the visitor and the Cloudflare user's hosting provider, acting as a reverse proxy for websites.

Problems in the last 24 hours

The graph below depicts the number of Cloudflare reports received over the last 24 hours by time of day. When the number of reports exceeds the baseline, represented by the red line, an outage is determined.

At the moment, we haven't detected any problems at Cloudflare. Are you experiencing issues or an outage? Leave a message in the comments section!

Most Reported Problems

The following are the most recent problems reported by Cloudflare users through our website.

  • Domains: 41%
  • Cloud Services: 25%
  • Hosting: 16%
  • Web Tools: 13%
  • E-mail: 6%

Live Outage Map

The most recent Cloudflare outage reports came from the following cities:

City        Problem Type     Report Time
Manchester  Domains          11 days ago
Angers      Cloud Services   22 days ago
London      Domains          24 days ago
Noida       Hosting          1 month ago
Jewar       E-mail           1 month ago
Braga       Web Tools        1 month ago

Community Discussion

Tips? Frustrations? Share them here. Useful comments include a description of the problem, city and postal code.

Beware of "support numbers" or "recovery" accounts that might be posted below. Make sure to report and downvote those comments. Avoid posting your personal information.

Cloudflare Issues Reports

Latest outage, problems and issue reports in social media:

  • FahadHussa3165
    Fahad Hussain (@FahadHussa3165) reported

    Claude = coding. ($20/mo) GitHub = version control. (Free) Supabase = backend. (Free) Clerk = auth. (Free) Resend = emails. (Free) Vercel = deploying. (Free) Cloudflare = DNS. (Free) Upstash = Redis. (Free) Pinecone = vector DB. (Free) PostHog = analytics. (Free) Sentry = error tracking. (Free) Stripe = payments. (2.9%/transaction) Namecheap = domain. ($12/yr) Total monthly cost to run a startup: ~$20 There has never been a cheaper time to build

  • AI_by_yash
    Yash D (@AI_by_yash) reported

    Claude/codex = coding. ($20/mo) GitHub = version control. (Free) Supabase = backend. (Free) Clerk = auth. (Free) Resend = emails. (Free) Vercel = deploying. (Free) Cloudflare = DNS. (Free) Upstash = Redis. (Free) Pinecone = vector DB. (Free) PostHog = analytics. (Free) Sentry = error tracking. (Free) Stripe = payments. (2.9%/transaction) Namecheap = domain. ($12/yr) Total monthly cost to run a startup: ~$20 There has never been a cheaper time to build

  • vermontaigne
    Rex Ratio (Official) (@vermontaigne) reported

    @Cloudflare Why have you decided I'm going to be checked a lot to determine whether I'm a real site visitor or not, and these checks are never going to resolve?

  • Blockcastcc
    BLOCKCAST.CC NEWS (@Blockcastcc) reported

    Cloudflare launched its Monetization Gateway, allowing customers to charge for webpages, APIs, datasets, and MCP tools behind its network. Payments settle instantly in stablecoins using the x402 protocol, an open standard based on HTTP 402 that supports frictionless micropayments down to fractions of a cent without accounts or chargebacks. As Cloudflare protects a large share of the internet, this enables scalable monetization for creators and developers, particularly facilitating AI agents paying per use for data and services.

  • clar1k
    clar (@clar1k) reported

    @world_xyz @worldnetwork @Cloudflare mogged world network too hard

  • buildwithshub
    SHUBHAM (@buildwithshub) reported

    The more I get into system design, the more I realize how many things I was using without really understanding. Reverse proxies are a good example. I've seen Nginx, Cloudflare, and reverse proxies mentioned everywhere while deploying projects, but I never stopped to ask why they existed or what problem they were solving. I'm enjoying this journey because it's filling in a lot of those gaps instead of just introducing new concepts.

  • KingBootoshi
    BOOTOSHI 👑 (@KingBootoshi) reported

    @evanrossdavis @0xSero aghh so frustrating! i sent appeals and contacted some people from cloudflare working to get it back up as fast as possible annoyingly the moment someone reports a site for phishing it's automatically taken down :/

  • GPhoenixForever
    🔥Phoenix (@GPhoenixForever) reported

    @LilithDatura Kind of like encryption with lava lamps at Cloudflare, noise vs signal down to the quantum fluctuations.

  • AtomicSpark
    AtomicSpark (@AtomicSpark) reported

    X (and likely other platforms and apps) will not preview links to your self-hosted websites unless you support TLS version 1.2 @Cloudflare: SSL/TLS > Edge Certificates > Minimum TLS Version Set to TLS 1.2 @nginx: /etc/nginx/nginx.conf ssl_protocols TLSv1.2 TLSv1.3;

  • identityonchain
    Hira Siddiqui (@identityonchain) reported

    <Rant Ahead> Every major AI company is building memory right now. OpenAI just shipped Dreaming V3, which updates your ChatGPT profile automatically after each conversation. Cloudflare launched Agent Memory so AI agents can store context between sessions. X released an official MCP server so agents can read your posts and activity in real time. All of this is genuinely useful. But none of it works together. ChatGPT's memory stays in ChatGPT. Cloudflare's agent memory stays with whatever agent you built on Cloudflare. X knows what you post but that doesn't help Claude understand who you are. Every product is solving memory for itself, inside itself. Which means you're still re-explaining yourself constantly. Your job, your preferences, your current project, your writing style. Every new AI tool you try starts from scratch. If you use five AI tools, you have five separate versions of "you" floating around, none of them in sync. The reason this won't get fixed by the big players is pretty simple: memory is how they keep you around. The better ChatGPT knows you, the less likely you are to switch to something else. That's not a conspiracy, it's just product logic. Sharing memory across tools would hurt retention, so nobody does it. What actually needs to exist is a memory layer that sits outside any individual product. Something you own, that you control, that any AI tool can read from if you give it permission. Not because the companies agreed to share your data, but because the memory never belonged to them in the first place. MCP is already starting to act as the connection layer between AI tools. The infrastructure for retrieval exists. The auth patterns exist. The missing piece is a persistent store that any agent can plug into, that travels with the user rather than living inside any one product. Before DNS, every network handled naming differently and nothing connected cleanly. Then one standard emerged and suddenly the whole thing scaled. 
AI memory feels like it's at a similar point. The question isn't really whether something like this gets built. It's who builds it and whether it's actually user-owned when they do. </Rant Over>

  • Onlyhumanme
    Easyjose (@Onlyhumanme) reported

    @world_xyz @worldnetwork @Cloudflare Quite a poor branding and comms. Undermining others just to gain traction.

  • lgrdlcs
    lucaslegrand (@lgrdlcs) reported

    Cloudflare Workers gotcha nobody warns you about: you can't hash passwords as strongly there as on a normal server, the runtime caps the work way below the standard. Found out while shipping login. If you build auth on the edge, check this first.

  • vbkotecha
    Vivek Kotecha (@vbkotecha) reported

    Most websites now have llms.txt for AI discovery. Almost none have x402 payment manifests. Discovery without payment is free-riding. The next layer is a per-tool contract. Identity. Price. Cap. Receipt. A /.well-known/x402.json file declares your service, your prices, your spending caps, and your receipt format. A Cloudflare Worker handles the 402 challenge and HMAC verification. Discovery makes you findable. x402 makes you payable. Findable without payable is a business model that does not close.

  • kunchenguid
    Kun Chen (@kunchenguid) reported

    i hope 2026 is the last year where we still have to manually click through any website to set things up in the last month, google cloud and app app review are the two repeated offenders that still need my manual click-throughs - bad by contrast, github, cloudflare, hetzner etc are pretty much entirely configurable by agents - good (why not computer use / browser automation? because i don't want to expose secrets in plain text and let the agent type them via keystrokes and capture them into screenshots)

  • 1Adityabhansali
    Aditya Bhansali ➡️ Network School + (@1Adityabhansali) reported

    HTTP 402 "payment required" has sat there, mostly unused, since the 90s. A status code reserved for a native way to pay on the web that never arrived. @Cloudflare just switched it on with stablecoins + x402. Per-request payments, sub-second, no account. The machine-payment internet quietly shipped this week.

  • srishticodes
    Srishti (@srishticodes) reported

    Claude = coding. ($20/mo) GitHub = version control. (Free) Supabase = backend. (Free) Clerk = auth. (Free) Resend = emails. (Free) Vercel = deploying. (Free) Cloudflare = DNS. (Free) Upstash = Redis. (Free) Pinecone = vector DB. (Free) PostHog = analytics. (Free) Sentry = error tracking. (Free) Stripe = payments. (2.9%/transaction) Namecheap = domain. ($12/yr) Total monthly cost to run a startup: ~$20 There has never been a cheaper time to build

  • 0xLoopTheory
    0xLoopTheory (@0xLoopTheory) reported

    Google is moving a number of its TLS certificates from RSA to ECDSA. Not because ECDSA is quantum-safe. It is not. Not because RSA is about to fall. It is not. Not because someone at Google forgot Shor's algorithm exists. They did not. The announcement is easy to misread. Google Trust Services says that during Q2 2026, a number of Google services that have historically provided an RSA leaf certificate will shift to an ECDSA leaf certificate by default. So in the middle of the post-quantum migration, Google moves certificates from one Shor-vulnerable algorithm to another. Under standard resource estimates (Roetteler et al., 2017), breaking P-256 requires fewer logical qubits than breaking RSA-2048. On paper, this is a step toward the more quantum-fragile primitive. It still makes sense, and the reason is the most useful mental model I know for the PQ transition: TLS does not migrate as one block. It migrates in layers, and each layer faces a different threat on a different clock. Key exchange is on the fast clock. Recorded traffic can be decrypted retroactively: harvest now, decrypt later. So it moved first. X25519MLKEM768 is now default or automatically advertised in current major browser stacks: Chrome, Edge, Firefox, and Safari on Apple's 26-generation OS releases. By late October 2025, the majority of human-initiated traffic with Cloudflare was already using post-quantum encryption. Certificates are on the slow clock. For live TLS authentication, a signature must be unforgeable at the moment it is verified, not forever. A quantum computer in 2035 cannot retroactively forge the certificate that authenticated your session today. And the slow clock is forced by a budget nobody can print more of: bytes. An ML-DSA-44 signature is 2,420 bytes. A raw ECDSA P-256 signature is 64 bytes. Cloudflare estimates a drop-in swap would more than double the bytes most QUIC connections transmit over their lifetime. 
Chrome says plainly it has no immediate plan to add traditional X.509 post-quantum certificates to its root store. Chrome's public-WebPKI plan is Merkle Tree Certificates, now being developed in the IETF PLANTS working group, against Google's broader stated 2029 PQC migration timeline. So the ECDSA move is classical housekeeping. Google's stated rationale is efficiency: smaller to transmit, cheaper to process. The announcement does not mention post-quantum once. Which layer is migrating? Against which threat? With which ecosystem attached? Ask those three questions and most "why not just deploy PQC now" takes dissolve. The honest counterweight: maybe the slow clock is not as slow as the WebPKI assumes. Roots live for decades. Devices outlive their update channels. Gidney's estimate for breaking RSA-2048 dropped from 20 million noisy qubits in 2019 to under one million in 2025. If you think certificate authentication has less time than the ecosystem assumes, that is the argument worth having. I would like to hear it.

  • martinvmorales
    MartinVMorales (@martinvmorales) reported

    @world_xyz @worldnetwork @Cloudflare I ain’t scanning **** 🤨

  • bruteforceart21
    Brute Force Artist (@bruteforceart21) reported

    Claude = coding. ($20/mo) - Supabase = backend. (Free) - Vercel = deploying. (Free) - Namecheap = domain. ($12/yr) - Stripe = payments. (2.9%/transaction) - GitHub = version control. (Free) - Resend = emails. (Free) - Clerk = auth. (Free) - Cloudflare = DNS. (Free) - PostHog = analytics. (Free) - Sentry = error tracking. (Free) - Upstash = Redis. (Free) - Pinecone = vector DB. (Free) Total monthly cost to run a startup: ~$20 There has never been a cheaper time to build.

  • emot
    João Tomé (@emot) reported

    I was curious whether the earthquake in Venezuela had any lasting Internet impact as well, and it looks like it did, with latency staying higher afterwards. Median latency increased by roughly 15-20%, from around 68 ms to about 80 ms. Latency variability also increased, with the 75th percentile rising from roughly 90 ms to 110-120 ms, suggesting a less stable network. (from Cloudflare Radar’s IQI).

  • aditya4f
    Aditya🌪️ (@aditya4f) reported

    - Claude = coding ($20/mo) - Supabase = backend (Free) - Vercel = deploying (Free) - Namecheap = domain ($12/yr) - Stripe = payments (2.9%/transaction) - GitHub = version control (Free) - Resend = emails (Free) - Clerk = auth (Free) - Cloudflare = DNS (Free) - PostHog = analytics (Free) - Sentry = error tracking (Free) - Upstash = Redis (Free) - Pinecone = vector DB (Free) Total monthly cost to run a startup: ~$20 There has never been a cheaper time to build. Who's stopping you?

  • deepanker70
    Deepanker Verma (@deepanker70) reported

    Cloudflare is changing how AI crawlers can access websites. It will now block mixed-use crawlers by default. These are bots that both index sites for search and also collect data for AI training or AI agents. Now that a large part of it is bots used by AI companies, this decision matters. These mixed-use crawlers often use website content to answer user questions directly in chat tools. In many cases, users may never visit the original website. Cloudflare says website owners should have more control. It also says AI companies should clearly separate search, training, and agent use. If your content is used in AI answers, you should have control over it and possibly earn from it. For big publishers, this is a policy shift they can negotiate around. For small publishers, the impact can be much bigger. Small websites depend heavily on search traffic. If AI tools keep answering questions without sending users to the source, traffic can drop. That can directly affect ad revenue and the ability to keep publishing content. This change may help small publishers decide better. They can choose what AI companies can use and what they cannot. But there is also a risk. If they block too much, they may lose visibility in AI-based search systems. There is also a bigger question. Will AI companies follow these rules? #SEO #GEO #Cloudflare

  • dartilesm
    Diego Artiles (@dartilesm) reported

    Cloudflare Agents SDK v0.17.0: background sub-agents that survive deploys, interrupted tool-call repair, and a unified runTurn API. Most agent frameworks treat a crash as expected. This one doesn't. Are you building on something this durable?

  • growthinweb3
    GROWTH IN WEB3 🙂‍↔️ (@growthinweb3) reported

    @Cointelegraph Cloudflare embracing stablecoin payments is another signal that crypto infrastructure is going mainstream. More adoption coming in soon.

  • GlitchyHopkins
    Glitchy Hopkins (@GlitchyHopkins) reported

    Fellowship Hall’s vendor data never needed a SaaS detour. I built their intake automation with n8n, NocoDB, Cloudflare Tunnel, Nginx, and PHP on hardware inside the building. Less manual work. More control. Want that? DM me. #n8n #Automation #DataPrivacy

  • yousefrol
    Yousef Rol (@yousefrol) reported

    i need US hosted agent sandbox service THAT JUST WORKS. daytona, e2b, vercel, cloudflare did not give me what i want. "self host X" No. managed sandbox service.

  • KairaChimera
    🐉Kaira Chimera 🦅 (@KairaChimera) reported

    it's been 10 hours. site is still pretty much constantly down amount of times i've tried to submit an attack and got cloudflare jailed for even thinking about it: 6

  • Suryanshti777
    Suryansh Tiwari (@Suryanshti777) reported

    Someone made a GitHub repo of every AI API that's actually free forever. Not "free trial." Not "$5 credit then we bill you." Free free. No card. 24k+ stars, updated constantly. I've been paying for API calls like an idiot. Here's what's inside The rule that makes it trustworthy: trials that expire are listed in a totally separate section. The "Free Providers" list is only the permanent tiers. No landmines. The heavy hitters, with real numbers: → Google AI Studio — Gemini 3.x Flash, no card → Groq — Llama, Qwen, gpt-oss, 30 req/min → Cerebras — fastest inference alive, 30 req/min → Cloudflare Workers AI — 10k neurons/day, runs Llama/Qwen/Gemma → OpenRouter — Nemotron, Qwen3-coder, poolside, all :free Most are OpenAI-SDK compatible. Which means: swap the base_url → paste the key → pick a model → done Same code you already wrote. Drop it into Cursor, aider, Claude Code, whatever. Zero refactor. Then the bonus round — the "trial credits" section: Fireworks, Baseten, Nebius, Hyperbolic, SambaNova... $1–$30 each in free credits. Drain the permanent tiers first, then farm these. One README replaces hours of tab-hopping through pricing pages. Links on comment 👇

  • SYGNITO
    SYGNITO (@SYGNITO) reported

    Especially for the release of Fable 5, I’ve prepared a prompt to audit our web and mobile applications:

    MASTER SECURITY AUDIT PROMPT - Claude Code

    Usage: paste the block below into Claude Code at the root of your project. Optionally prepend context: stack (e.g. Next.js + Supabase), deployment target, and whether the app collects user data.

    You are acting as a senior application security engineer performing a full pre-launch security audit of this codebase. Work systematically through every phase below. For each finding, report: file/location, severity (CRITICAL / HIGH / MEDIUM / LOW), what's wrong, exploit scenario, and the exact fix (code or config). Do not skip a phase because it "looks fine" - verify by reading the actual code and config.

    Phase 0 - Recon
    Map the stack: framework, auth provider, database, hosting, payment/AI/third-party APIs. List every API route / server endpoint and every public form. List every place user data is collected, stored, or transmitted.

    Phase 1 - Legal & Data Exposure (protect the owner, not just the app)
    Identify all personal data collected (emails, names, IPs, analytics, cookies). Check: is there a privacy policy? Is data storage location/provider documented? Flag anything triggering GDPR/CCPA obligations (EU/CA users, tracking, third-party data sharing) that isn't covered. Output a short "data map": what is stored, where, for how long, and who can access it.

    Phase 2 - Row Level Security / Data Access
    If Supabase (or Postgres): verify RLS is enabled on every table and inspect each policy. Flag any table with zero policies or with USING (true) on sensitive data. Verify the anon key cannot read/write anything a logged-out visitor shouldn't touch. Simulate: "what can I fetch with just the anon key from DevTools?" Check for IDOR: can user A read/modify user B's rows by changing an ID in a request?

    Phase 3 - Auth Failure Paths (not the happy path)
    Trace the code for each scenario and flag missing/unsafe handling: Wrong password entered 5+ times (lockout / throttling?) Password reset for a non-existent email (does the response reveal account existence?) Verification link clicked twice / expired token reuse Sign-up with an already-registered email (enumeration leak?) Session handling: expiry, invalidation on logout, token storage (localStorage vs cookie)

    Phase 4 - Security Headers & Baseline Posture
    Verify presence and correctness of: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options / frame-ancestors, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. Check cookie flags: Secure, HttpOnly, SameSite. Check HTTPS enforcement and any mixed-content risks. Provide the exact header config for this framework (next.config, middleware, vercel.json, etc.).

    Phase 5 - OWASP Top 10 Sweep
    Audit explicitly against OWASP Top 10. Prioritize: Injection: raw SQL, string-built queries, unsanitized input reaching DB/OS/shell. XSS: dangerouslySetInnerHTML, unescaped user content, unsafe URL handling. Broken access control: server-side authorization on EVERY protected route/action - not just hidden UI. SSRF, insecure deserialization, vulnerable dependencies (run npm audit / check lockfile). For each hit, show the vulnerable line and the patched version.

    Phase 6 - Server-Side Validation
    Rule: client-side validation is UX, not security. For every input the client validates, confirm the server re-validates (type, length, format, ownership) before use. Flag any endpoint that trusts request body/params/headers without a schema (zod/valibot/etc.). Check file uploads: type, size, storage path, filename sanitization.

    Phase 7 - Secret & Data Leaks (the 3 classic AI-generated leaks)
    .env values reaching the frontend: audit every NEXT_PUBLIC_ / VITE_ / client-bundled env var. Confirm nothing sensitive is exposed. Grep the build output if possible. API responses over-returning: endpoints that SELECT * or serialize whole objects (password hashes, tokens, internal fields, other users' data). Enforce explicit field allowlists. Secrets in logs: console.log / logger calls printing tokens, request bodies with credentials, full error objects with connection strings.

    Phase 8 - API Keys in the Browser
    Any paid/privileged API key referenced in client code = game over. Assume it's already stolen. For each one found: propose the server-side proxy route or edge function that replaces it, with auth + rate limiting on that proxy.

    Phase 9 - Rate Limiting & Cost Protection
    Every endpoint hitting a paid API (LLM, email, SMS, storage) MUST have rate limiting. Verify per-IP and per-user limits. Check for unbounded loops/retries that can multiply costs. Verify usage caps/alerts exist at the provider level (Supabase/OpenAI/Anthropic spend limits). Propose concrete middleware (e.g. Upstash Ratelimit, in-memory for small apps) with sensible defaults per endpoint.

    Phase 10 - Bot Protection & CORS
    Public forms (signup, contact, waitlist): verify CAPTCHA (Cloudflare Turnstile preferred - free) or equivalent. CORS: must be locked to the production domain(s). Flag *, reflected origins, or missing config. Show the correct config for this stack.

    Phase 11 - Error Messages That Don't Leak
    User-facing errors must be generic ("Something went wrong", "Invalid credentials") - never stack traces, SQL, file paths, or library internals. Full errors go to server-side logs only. Auth errors must not enable enumeration ("user not found" vs "wrong password" - use one message). Flag every res.send(error) / throw that surfaces raw error objects to the client.

    Phase 12 - Dependencies & Supply Chain
    Run npm audit (or equivalent) and triage results: exploitable in THIS app vs noise. Check lockfile integrity: is it committed? Any dependencies pulled from *** URLs or unpinned versions? Flag abandoned packages (no release in 2+ years) in security-critical paths (auth, crypto, parsing). Check for postinstall scripts in dependencies that could exfiltrate env vars.

    Phase 13 - *** History & CI/CD Secrets
    Scan *** history for committed secrets (keys, tokens, .env files) not just current tree. Recommend gitleaks or trufflehog and interpret results. If a secret was EVER committed: it must be rotated, not just deleted. List every secret needing rotation. Audit CI/CD config: secrets exposed in build logs, PR builds from forks with access to secrets, deploy tokens with excessive scope.

    Phase 14 - Payments & Webhooks (if applicable)
    Webhook endpoints (Stripe, LemonSqueezy, etc.): verify signature validation on every incoming webhook. Unverified webhook = anyone can grant themselves a paid plan. Idempotency: can a replayed webhook double-credit an account? Price/amount must come from the server, never from the client request. Check for premium-feature gating done only in UI (flag server-side entitlement checks).

    Phase 15 - Business Logic Abuse
    Race conditions: double-submit on purchase, redeem, or vote endpoints (parallel requests bypassing "once only" checks). Negative or absurd values: quantity -1, amount 0.001, array of 10,000 items in one request. Workflow skipping: can a user hit step-3 endpoint directly without completing step 1–2 (e.g. unverified email accessing verified-only features)? Coupon/referral/free-tier abuse: what stops one person from creating 500 accounts?

    Phase 16 - Mobile-Specific (if this is or ships a mobile app: native, React Native, Flutter, Capacitor, Godot export)
    Secrets in the binary: assume the APK/IPA will be decompiled. Grep bundled code/assets for API keys, endpoints, feature flags. Anything privileged must live behind your server. Secure storage: tokens/credentials in Keychain (iOS) / Keystore (Android) — never SharedPreferences, plain files, or AsyncStorage unencrypted. Transport: TLS everywhere; flag any usesCleartextTraffic=true / ATS exceptions. Consider certificate pinning for high-value APIs and document the tradeoff (pinning + expired cert = bricked app). Deep links / intents: validate and sanitize all deep link parameters; flag exported activities/intents (Android) that expose internal screens or actions. Verify OAuth redirect URIs can't be hijacked by another app claiming the scheme. WebViews: JS bridges (addJavascriptInterface, postMessage) exposing native functions to loaded content; loading remote URLs in privileged WebViews. Permissions: request the minimum; flag any permission not backed by a real feature. Client trust: server must never trust the app's claims (purchases → verify receipts server-side with Apple/Google; game scores/currency → server-authoritative). Update path: can old vulnerable app versions be force-deprecated (minimum version check)?

    Phase 17 - AI/LLM Endpoints (if the app calls LLMs)
    Prompt injection: user content concatenated into system prompts; document/URL content passed to the model that can carry instructions. Verify untrusted content is delimited and the system prompt treats it as data. Output handling: LLM output rendered as HTML/markdown (XSS via model output), executed as code, or used in DB queries without validation. Cost abuse: per-user token/request caps, max input length enforced server-side, streaming abort on disconnect. Data leakage: user A's data appearing in context for user B (shared caches, conversation history keyed incorrectly). System prompts containing secrets - assume system prompts can be extracted.

    Phase 18 - Infrastructure & Storage
    Storage buckets (Supabase Storage, S3, R2): public/private per bucket verified; signed URLs with sane expiry; no listing enabled on private buckets. Admin panels / internal dashboards: not reachable on production domain without auth; no default credentials. Database: backups enabled and tested; connection not exposed publicly; least-privilege DB roles (app doesn't connect as superuser). Staging/preview environments: same protections as ****, or no real data in them. Preview deployments (Vercel) with **** env vars = shadow ****.

    Phase 19 - Monitoring & Incident Readiness
    Would you KNOW if you were breached? Verify: error tracking (Sentry etc.), auth anomaly visibility (mass failed logins), billing alerts on all paid APIs. Audit log for sensitive actions (role changes, data exports, deletions) who did what, when. One-page incident checklist exists: how to rotate every secret, how to invalidate all sessions, how to take the app offline. If not, generate it as part of this audit.

    Final Output
    Produce: Executive summary - overall posture in 3 sentences. Findings table sorted by severity: # | Severity | Phase | File | Issue | Fix effort (S/M/L). Fix plan - ordered list starting with CRITICALs; group quick wins (<10 min) separately. Rotation list - every secret that must be rotated (from Phase 13), separate from code fixes. Offer to apply the CRITICAL fixes immediately, one at a time, with a diff for each before applying. Skip phases that don't apply (state why: "Phase 14 skipped - no payments in this app"). Do not invent findings. If a phase is clean, say so explicitly and state what evidence you checked.

  • agus_build
    Agustin Garcia (@agus_build) reported

    Check these numbers: 104,377 views 52,666 hours watched 8.3 TB delivered 2,863 videos live All running on Rehelios with cloudflare edge network. Here is what that exact traffic would cost on Mux or Cloudflare Stream itself, and what we actually pay 🧵