1. Home
  2. Companies
  3. Cloudflare
  4. Outage Map
Cloudflare

Cloudflare Outage Map

The map below depicts the most recent cities worldwide where Cloudflare users have reported problems and outages. If you are having an issue with Cloudflare, make sure to submit a report below

Loading map, please wait...

The heatmap above shows where the most recent user-submitted and social media reports are geographically clustered. The density of these reports is depicted by the color scale as shown below.

Cloudflare users affected:

Less
More
Check Current Status

Cloudflare is a company that provides DDoS mitigation, content delivery network (CDN) services, security and distributed DNS services. Cloudflare's services sit between the visitor and the Cloudflare user's hosting provider, acting as a reverse proxy for websites.

Most Affected Locations

Outage reports and issues in the past 15 days originated from:

Location Reports
Manchester, England 1
Angers, Pays de la Loire 1
London, England 1
Noida, UP 2
Jewar, UP 1
Braga, Braga 1
Paris, Île-de-France 2
Prievidza, Nitriansky 1
Farmers Branch, TX 1
Helsinki, Uusimaa 1
Crisfield, MD 2
Nanaimo, BC 1
New York City, NY 1
Istanbul, Istanbul 1
Greater Noida, UP 1
Check Current Status

Community Discussion

Tips? Frustrations? Share them here. Useful comments include a description of the problem, city and postal code.

Beware of "support numbers" or "recovery" accounts that might be posted below. Make sure to report and downvote those comments. Avoid posting your personal information.

Cloudflare Issues Reports

Latest outage, problems and issue reports in social media:

  • samuellhuber
    Samuel 🦤 (🧱,🔥) (@samuellhuber) reported

    @GeoffreyHuntley @Cloudflare Isn’t BGP fundamentally broken? At ETH Zurich they developed the Scion Internet architecture because of it

  • aaronwilldjaba
    Aaron Will Djaba (@aaronwilldjaba) reported

    @Fadel_ibrahim1 @aberba @ibocodes Been using betterauth with cloudflare with no issues.. you're still charged for caching on other services too 🤷🏾.. you can handle that yourself

  • boringeng
    Boring Engineer (@boringeng) reported

    Last night I did something I haven’t done in years: I opened my raw server logs. Not analytics. Not a dashboard. The actual access logs on the box. I was curious about one thing — with everyone saying “people don’t google anymore, they ask ChatGPT” — is any of that actually visible on my site? What I found kind of shook me. GPTBot — OpenAI’s crawler — hit my documentation 400+ times in the last 30 days. Not my homepage. My docs. The quickstart, the API reference, the self-hosting guide. It’s reading the exact pages a developer would read before adopting a tool. PerplexityBot crawls me almost every night around 2am. Quietly building its index of what my product is and does. And then the one that actually got me: a user-agent called ChatGPT-User. It’s not a scheduled crawler. It fires when a real human, mid-conversation, asks ChatGPT something that requires fetching a live page. It hit my pricing page 9 times yesterday. Nine times yesterday, a real person was asking an AI about my product. I will never know who they were, what they asked, or what the AI told them. Here’s the part that bothers me most: NONE of this appears in analytics. Not in GA4, not in Plausible, not anywhere. These bots don’t execute JavaScript, so tracking scripts never fire. As far as every analytics tool I pay for is concerned, this traffic does not exist. The only place it’s recorded is a log file nobody opens. So I kept digging, and it got worse: — Some of my “GPTBot” hits came from IPs that aren’t OpenAI’s. Random scrapers wearing GPTBot’s name as a disguise. I would never have known. — AI crawlers were hitting doc URLs I moved a year ago. 404s. Which means when an AI tries to learn what my product does, some of what it finds is a dead page. That’s not a broken link anymore — that’s a wrong answer being served to my next customer. — And apparently Cloudflare now blocks some AI crawlers by default on new sites. Meaning there are founders out there right now whose docs are invisible to ChatGPT, who opted into that without knowing, and whose analytics will never tell them. Step back and the picture is strange: an entire layer of the funnel — machines reading your site, deciding whether you get recommended, sometimes fetching pages because a human is asking about you at that exact moment — and it is completely invisible to every tool we use. We measure humans obsessively. We measure the thing that increasingly sends the humans not at all. Search had 20 years of tooling built around it. Search Console, rank trackers, an entire industry. This new layer has… grep. I’m not sure what the answer is yet. Maybe it’s a weekend script. Maybe it’s something bigger. But before I build anything, I want to know if this is just me: Have you ever looked at what AI bots do on your site? Do you know if you’re being crawled, cited, blocked? If this is a problem you have — or one you didn’t know you had until this post — reply or DM me. Genuinely trying to figure out what’s worth building here.

  • soad_aerials
    SoaD_Aerials 🌎 (@soad_aerials) reported

    People were really thinking Cloudflare and phishing problem was real?!?! 🤯 Sometimes I don’t get it, for real…

  • anto_edd
    Anto (@anto_edd) reported

    If your sign-up page doesn’t have Cloudflare Turnstile… bots are probably signing up before real users do. Fake accounts. Wasted verification emails. Burnt email quota. ~10 mins to add. One of the highest ROI security fixes for any SaaS. Personally experienced this issue. What are you using?

  • LilithDatura
    Lilith Datura (@LilithDatura) reported

    @thePM_001 @Cloudflare nano-payments, damn I'm behind.

  • jonahbuilds
    Jonah (@jonahbuilds) reported

    if cloudflare just made this searchbar an agent that could do literally anything i type into it they could wipe out lovable and replit overnight. honestly more useful than any ai chatbot on the internet. all they need to do is use the claude code api and give it a master api key to your whole cf account. cloudflare has literally everything you need to do anything on the internet the interface just sucks (even though its better than everyone else’s). make it agentic and they win. massive sell if they don’t. @Cloudflare are you guys going to do this??

  • ShudufhadzoRSA
    Shudufhadzo (@ShudufhadzoRSA) reported

    Apart from anything I tweet out or share on our Tuesday calls, I have decided I will be charging for any knowledge I have with regards to building, data science, and professional (MS foundry) and none professional agent building (Cloudflare, VPS hosted ones, n8n, etc) So if you send a message looking for help, just note you won't get it. Guidance yes, you'll get it.

  • jaykeelinkjuice
    jaykee (@jaykeelinkjuice) reported

    ★ Uploading data to the cloud is free. Downloading it costs $0.09 per GB. Cloudflare analysis shows 8,000% margins over cost. ★ Egress fees eat up 10-15% of total bills, yet most operators never check this line item separately. Path A: Clean up regions, add VPC endpoints, enable CDN reduce costs inside your current cloud. Path B: Shift to egress-free storage like R2 or OCI, or plan migration at contract renewal. First action is the same: Open your cost report and check the “Data Transfer” percentage. Over 5%? Start tracking it.

  • lgrdlcs
    lucaslegrand (@lgrdlcs) reported

    Cloudflare Workers gotcha nobody warns you about: you can't hash passwords as strongly there as on a normal server, the runtime caps the work way below the standard. Found out while shipping login. If you build auth on the edge, check this first.

  • FahadHussa3165
    Fahad Hussain (@FahadHussa3165) reported

    Claude = coding. ($20/mo) GitHub = version control. (Free) Supabase = backend. (Free) Clerk = auth. (Free) Resend = emails. (Free) Vercel = deploying. (Free) Cloudflare = DNS. (Free) Upstash = Redis. (Free) Pinecone = vector DB. (Free) PostHog = analytics. (Free) Sentry = error tracking. (Free) Stripe = payments. (2.9%/transaction) Namecheap = domain. ($12/yr) Total monthly cost to run a startup: ~$20 There has never been a cheaper time to build

  • reed_barnes
    Reed (@reed_barnes) reported

    @skeptrune @Cloudflare damn, and from mr VPS himself

  • SYGNITO
    SYGNITO (@SYGNITO) reported

    Especially for the release of Fable 5, I’ve prepared a prompt to audit our web and mobile applications: MASTER SECURITY AUDIT PROMPT - Claude Code Usage: paste the block below into Claude Code at the root of your project. Optionally prepend context: stack (e.g. Next.js + Supabase), deployment target, and whether the app collects user data. You are acting as a senior application security engineer performing a full pre-launch security audit of this codebase. Work systematically through every phase below. For each finding, report: file/location, severity (CRITICAL / HIGH / MEDIUM / LOW), what's wrong, exploit scenario, and the exact fix (code or config). Do not skip a phase because it "looks fine" - verify by reading the actual code and config. Phase 0 - Recon Map the stack: framework, auth provider, database, hosting, payment/AI/third-party APIs. List every API route / server endpoint and every public form. List every place user data is collected, stored, or transmitted. Phase 1 - Legal & Data Exposure (protect the owner, not just the app) Identify all personal data collected (emails, names, IPs, analytics, cookies). Check: is there a privacy policy? Is data storage location/provider documented? Flag anything triggering GDPR/CCPA obligations (EU/CA users, tracking, third-party data sharing) that isn't covered. Output a short "data map": what is stored, where, for how long, and who can access it. Phase 2 - Row Level Security / Data Access If Supabase (or Postgres): verify RLS is enabled on every table and inspect each policy. Flag any table with zero policies or with USING (true) on sensitive data. Verify the anon key cannot read/write anything a logged-out visitor shouldn't touch. Simulate: "what can I fetch with just the anon key from DevTools?" Check for IDOR: can user A read/modify user B's rows by changing an ID in a request? Phase 3 - Auth Failure Paths (not the happy path) Trace the code for each scenario and flag missing/unsafe handling: Wrong password entered 5+ times (lockout / throttling?) Password reset for a non-existent email (does the response reveal account existence?) Verification link clicked twice / expired token reuse Sign-up with an already-registered email (enumeration leak?) Session handling: expiry, invalidation on logout, token storage (localStorage vs cookie) Phase 4 - Security Headers & Baseline Posture Verify presence and correctness of: Content-Security-Policy, Strict-Transport-Security, X-Frame-Options / frame-ancestors, X-Content-Type-Options, Referrer-Policy, Permissions-Policy. Check cookie flags: Secure, HttpOnly, SameSite. Check HTTPS enforcement and any mixed-content risks. Provide the exact header config for this framework (next.config, middleware, vercel.json, etc.). Phase 5 - OWASP Top 10 Sweep Audit explicitly against OWASP Top 10. Prioritize: Injection: raw SQL, string-built queries, unsanitized input reaching DB/OS/shell. XSS: dangerouslySetInnerHTML, unescaped user content, unsafe URL handling. Broken access control: server-side authorization on EVERY protected route/action - not just hidden UI. SSRF, insecure deserialization, vulnerable dependencies (run npm audit / check lockfile). For each hit, show the vulnerable line and the patched version. Phase 6 - Server-Side Validation Rule: client-side validation is UX, not security. For every input the client validates, confirm the server re-validates (type, length, format, ownership) before use. Flag any endpoint that trusts request body/params/headers without a schema (zod/valibot/etc.). Check file uploads: type, size, storage path, filename sanitization. Phase 7 - Secret & Data Leaks (the 3 classic AI-generated leaks) .env values reaching the frontend: audit every NEXT_PUBLIC_ / VITE_ / client-bundled env var. Confirm nothing sensitive is exposed. Grep the build output if possible. API responses over-returning: endpoints that SELECT * or serialize whole objects (password hashes, tokens, internal fields, other users' data). Enforce explicit field allowlists. Secrets in logs: console.log / logger calls printing tokens, request bodies with credentials, full error objects with connection strings. Phase 8 - API Keys in the Browser Any paid/privileged API key referenced in client code = game over. Assume it's already stolen. For each one found: propose the server-side proxy route or edge function that replaces it, with auth + rate limiting on that proxy. Phase 9 - Rate Limiting & Cost Protection Every endpoint hitting a paid API (LLM, email, SMS, storage) MUST have rate limiting. Verify per-IP and per-user limits. Check for unbounded loops/retries that can multiply costs. Verify usage caps/alerts exist at the provider level (Supabase/OpenAI/Anthropic spend limits). Propose concrete middleware (e.g. Upstash Ratelimit, in-memory for small apps) with sensible defaults per endpoint. Phase 10 - Bot Protection & CORS Public forms (signup, contact, waitlist): verify CAPTCHA (Cloudflare Turnstile preferred - free) or equivalent. CORS: must be locked to the production domain(s). Flag *, reflected origins, or missing config. Show the correct config for this stack. Phase 11 - Error Messages That Don't Leak User-facing errors must be generic ("Something went wrong", "Invalid credentials") - never stack traces, SQL, file paths, or library internals. Full errors go to server-side logs only. Auth errors must not enable enumeration ("user not found" vs "wrong password" - use one message). Flag every res.send(error) / throw that surfaces raw error objects to the client. Phase 12 - Dependencies & Supply Chain Run npm audit (or equivalent) and triage results: exploitable in THIS app vs noise. Check lockfile integrity: is it committed? Any dependencies pulled from *** URLs or unpinned versions? Flag abandoned packages (no release in 2+ years) in security-critical paths (auth, crypto, parsing). Check for postinstall scripts in dependencies that could exfiltrate env vars. Phase 13 - *** History & CI/CD Secrets Scan *** history for committed secrets (keys, tokens, .env files) not just current tree. Recommend gitleaks or trufflehog and interpret results. If a secret was EVER committed: it must be rotated, not just deleted. List every secret needing rotation. Audit CI/CD config: secrets exposed in build logs, PR builds from forks with access to secrets, deploy tokens with excessive scope. Phase 14 - Payments & Webhooks (if applicable) Webhook endpoints (Stripe, LemonSqueezy, etc.): verify signature validation on every incoming webhook. Unverified webhook = anyone can grant themselves a paid plan. Idempotency: can a replayed webhook double-credit an account? Price/amount must come from the server, never from the client request. Check for premium-feature gating done only in UI (flag server-side entitlement checks). Phase 15 - Business Logic Abuse Race conditions: double-submit on purchase, redeem, or vote endpoints (parallel requests bypassing "once only" checks). Negative or absurd values: quantity -1, amount 0.001, array of 10,000 items in one request. Workflow skipping: can a user hit step-3 endpoint directly without completing step 1–2 (e.g. unverified email accessing verified-only features)? Coupon/referral/free-tier abuse: what stops one person from creating 500 accounts? Phase 16 - Mobile-Specific (if this is or ships a mobile app: native, React Native, Flutter, Capacitor, Godot export) Secrets in the binary: assume the APK/IPA will be decompiled. Grep bundled code/assets for API keys, endpoints, feature flags. Anything privileged must live behind your server. Secure storage: tokens/credentials in Keychain (iOS) / Keystore (Android) — never SharedPreferences, plain files, or AsyncStorage unencrypted. Transport: TLS everywhere; flag any usesCleartextTraffic=true / ATS exceptions. Consider certificate pinning for high-value APIs and document the tradeoff (pinning + expired cert = bricked app). Deep links / intents: validate and sanitize all deep link parameters; flag exported activities/intents (Android) that expose internal screens or actions. Verify OAuth redirect URIs can't be hijacked by another app claiming the scheme. WebViews: JS bridges (addJavascriptInterface, postMessage) exposing native functions to loaded content; loading remote URLs in privileged WebViews. Permissions: request the minimum; flag any permission not backed by a real feature. Client trust: server must never trust the app's claims (purchases → verify receipts server-side with Apple/Google; game scores/currency → server-authoritative). Update path: can old vulnerable app versions be force-deprecated (minimum version check)? Phase 17 - AI/LLM Endpoints (if the app calls LLMs) Prompt injection: user content concatenated into system prompts; document/URL content passed to the model that can carry instructions. Verify untrusted content is delimited and the system prompt treats it as data. Output handling: LLM output rendered as HTML/markdown (XSS via model output), executed as code, or used in DB queries without validation. Cost abuse: per-user token/request caps, max input length enforced server-side, streaming abort on disconnect. Data leakage: user A's data appearing in context for user B (shared caches, conversation history keyed incorrectly). System prompts containing secrets - assume system prompts can be extracted. Phase 18 - Infrastructure & Storage Storage buckets (Supabase Storage, S3, R2): public/private per bucket verified; signed URLs with sane expiry; no listing enabled on private buckets. Admin panels / internal dashboards: not reachable on production domain without auth; no default credentials. Database: backups enabled and tested; connection not exposed publicly; least-privilege DB roles (app doesn't connect as superuser). Staging/preview environments: same protections as ****, or no real data in them. Preview deployments (Vercel) with **** env vars = shadow ****. Phase 19 - Monitoring & Incident Readiness Would you KNOW if you were breached? Verify: error tracking (Sentry etc.), auth anomaly visibility (mass failed logins), billing alerts on all paid APIs. Audit log for sensitive actions (role changes, data exports, deletions) who did what, when. One-page incident checklist exists: how to rotate every secret, how to invalidate all sessions, how to take the app offline. If not, generate it as part of this audit. Final Output Produce: Executive summary - overall posture in 3 sentences. Findings table sorted by severity: # | Severity | Phase | File | Issue | Fix effort (S/M/L). Fix plan - ordered list starting with CRITICALs; group quick wins (<10 min) separately. Rotation list - every secret that must be rotated (from Phase 13), separate from code fixes. Offer to apply the CRITICAL fixes immediately, one at a time, with a diff for each before applying. Skip phases that don't apply (state why: "Phase 14 skipped - no payments in this app"). Do not invent findings. If a phase is clean, say so explicitly and state what evidence you checked.

  • UdNtC4r3AnYwHaY
    Milsim Rooster (@UdNtC4r3AnYwHaY) reported

    Scanner/honeypot logger: Last 24h: 10 scanner-probe hits. Since midnight CT: 2. Logged sources include NL, US, HK, and ID. Biggest caught bucket: NL / Limited Network LTD probing hidden config paths. Main bot/challenge countries from Cloudflare: KR, HK, IT, JP, CA, with Italy hitting lots of PHP/WordPress-looking junk.

  • rohit_jsfreaky
    Rohit Kashyap | AI + Full-Stack (@rohit_jsfreaky) reported

    @martindonadieu @Cloudflare local workers analytics would be huge, testing observability against **** is a bad feedback loop

Check Current Status