
The aggressiveness of the "dreaded Turnstile" is 100% configurable.

It's very easy to disable it completely via Cloudflare settings. Using cloudflare doesn't require you to use all of its features, and almost every feature can be turned off.




I always feel the Turnstile makes a website feel a bit condescending - you need to test MY connection before I get to your crappy site?

Is there a reason it needs to be visible whilst performing checks? or is it just security theatre?


There are many options to configure it, the main reason to make it always visible and blocking is that the callbacks for managing the hidden/on-demand version are wonky and can break in unexpected ways leaving your site entirely unusable, with the only indication being some errors logged to console.
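The failure mode described in the comment above, as an added example that is not code from the original thread or from Cloudflare: a small wrapper around the Turnstile client API (`turnstile.render` with the `execution: 'execute'` / `appearance: 'interaction-only'` options and the `callback`, `error-callback`, `timeout-callback` and `expired-callback` hooks) that falls back to a visible, interactive widget, and finally to an explicit "stuck" handler, when the invisible challenge errors, times out or simply never reports back. `window.turnstile` is replaced by a constructed fake so the logic runs offline; the container selector, the sitekey (Cloudflare's public always-passes test key) and the exact argument passed to `error-callback` are assumptions.

```javascript
// Added example (not from the thread): never let a silent Turnstile failure
// leave the form unusable. Invisible attempt -> visible widget -> onStuck.
function createGuardedWidget({
  turnstile, container, sitekey, onToken, onStuck,
  watchdogMs = 15000, setTimer = setTimeout, clearTimer = clearTimeout,
}) {
  const state = { mode: 'invisible', widgetId: null, token: null, errors: [], timer: null };

  const disarm = () => { if (state.timer !== null) { clearTimer(state.timer); state.timer = null; } };
  const gotToken = (token) => { disarm(); state.token = token; onToken(token); };
  const expired = () => { state.token = null; turnstile.reset(state.widgetId); };

  function fallback(reason) {
    disarm();
    state.errors.push(reason);
    if (state.mode === 'visible') { onStuck(state.errors); return; } // already visible: tell the user
    state.mode = 'visible';
    if (state.widgetId !== null) turnstile.remove(state.widgetId);
    state.widgetId = turnstile.render(container, {
      sitekey,
      appearance: 'always',
      callback: gotToken,
      // assumption: error-callback receives an error code string
      'error-callback': (code) => fallback(`error:${code}`),
      'expired-callback': expired,
    });
  }

  state.widgetId = turnstile.render(container, {
    sitekey,
    execution: 'execute',           // do not start until execute() is called
    appearance: 'interaction-only', // stay hidden unless the user must interact
    callback: gotToken,
    'error-callback': (code) => fallback(`error:${code}`),
    'timeout-callback': () => fallback('timeout'),
    'expired-callback': expired,
  });
  // Watchdog: the hook that never fires is the case the comment describes.
  state.timer = setTimer(() => fallback('watchdog'), watchdogMs);
  turnstile.execute(state.widgetId);
  return state;
}

// Constructed fake of the Turnstile client API so this file runs offline.
// Each render consumes one step from `script`: 'token', 'error' or 'hang'.
function makeFakeTurnstile(script) {
  const widgets = new Map();
  let nextId = 0;
  const run = (id) => {
    const w = widgets.get(id);
    if (w.step === 'token') w.opts.callback(`tok-${id}`);
    else if (w.step === 'error') w.opts['error-callback']('300030');
    // 'hang': neither success nor error is ever reported
  };
  return {
    render(container, opts) {
      const id = `w${nextId++}`;
      widgets.set(id, { opts, step: script.shift() ?? 'hang' });
      if (opts.execution !== 'execute') run(id); // visible widget runs on render
      return id;
    },
    execute: (id) => run(id),
    reset: () => {},
    remove: (id) => widgets.delete(id),
  };
}

// Drive one scenario with fake timers; returns state, tokens and a way to fire the watchdog.
function simulate(script) {
  const timers = [];
  const result = { tokens: [], stuck: null };
  result.state = createGuardedWidget({
    turnstile: makeFakeTurnstile([...script]),
    container: '#cf-widget',                 // assumed element
    sitekey: '1x00000000000000000000AA',     // Cloudflare's public always-passes test sitekey
    onToken: (t) => result.tokens.push(t),
    onStuck: (errs) => { result.stuck = errs; },
    setTimer: (fn) => timers.push(fn) - 1,
    clearTimer: (i) => { timers[i] = null; },
  });
  result.fireWatchdog = () => timers.splice(0).forEach((fn) => fn && fn());
  return result;
}
```

In a real page the `turnstile` argument is the global from `https://challenges.cloudflare.com/turnstile/v0/api.js`, the token handed to `onToken` goes into the form as `cf-turnstile-response`, and `onStuck` is where a human-visible message belongs instead of a console error.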


> or is it just security theatre?

WAF in general is security theatre. If your operation genuinely benefits from one, I dread for what's sleeping underneath. Ph'nglui mglw'nafh Cthulhu R'lyeh wgah'nagl fhtagn.


I always assumed that it is running some client side sanity checks to detect automated user agents but never checked.


It’s just doing hash math (think like bitcoin mining) to make your CPU burn enough processing time to make a layer seven DDoS not worthwhile. It works. Because now the server uses way less processing time than the client did.


That is not true. It does a whole bunch of checks, like fingerprinting your GPU, environment, etc. The checks are even run in a custom VM, and are heavily protected. The gathered data is then sent back to cloudflare, and you either get an access cookie (cf_clearance) back, or not.


it's free advertising


While this is true and worth reminding the ops about, it still sucks because many people don't understand the issues they cause by turning WAF on. Cloudflare should have a big "I understand I'll block many legit clients when I enable this" checkbox. Or you know... fix it in general. Or at least have a "report this block as invalid" link on the page.


Cloudflare WAF doesn't block clients in general, it blocks based on the data the client sends to the server.

Unless your client sends a string which matches one of the WAF patterns the site will work fine. It only blocks individual requests.

Now the problem here is that you probably shouldn't enable the WAF without having it in log-only mode for a while if you are operating a site which lets users submit arbitrary text input. Of course it's going to match... You'll have to adjust the configuration.


I’ve yet to see a WAF that wasn’t eventually accidentally triggered by some zip file.

I’ve had to recompress zip files with a higher compression setting to get around whatever string was triggering it.
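The staging workflow from the two comments above (run the WAF in log-only mode first, then tune it) and the zip false positive, as an added example that is not code from the thread or from Cloudflare: a toy request-inspection engine with `log` and `block` modes, three constructed rules and a handful of constructed requests, including an upload body in which a `../` byte run happens to appear inside compressed-looking data. The rule patterns, request shapes and exception syntax are all assumptions made for illustration and do not reproduce Cloudflare's managed rules.

```javascript
// Added example (not from the thread): stage WAF rules in log-only mode,
// read the report, then add targeted exceptions before switching to block.

// Constructed rules: crude stand-ins for the kind of patterns a WAF ships with.
const RULES = [
  { id: 'sqli-union',     pattern: /union\s+(all\s+)?select/i, fields: ['body', 'query'] },
  { id: 'path-traversal', pattern: /\.\.\//,                   fields: ['body', 'query', 'path'] },
  { id: 'xss-script-tag', pattern: /<script\b/i,               fields: ['body', 'query'] },
];

// Which rules fire on which fields of one request.
function inspect(req, rules = RULES) {
  const hits = [];
  for (const r of rules) {
    for (const f of r.fields) {
      const v = req[f];
      if (typeof v === 'string' && r.pattern.test(v)) hits.push({ rule: r.id, field: f });
    }
  }
  return hits;
}

// policy = { mode: 'log' | 'block', exceptions: [{ rule, when: (req, hit) => bool }] }
// In log mode every hit is recorded but the request is still allowed.
function enforce(req, policy) {
  const hits = inspect(req).filter(
    (h) => !policy.exceptions.some((e) => e.rule === h.rule && e.when(req, h)),
  );
  if (hits.length === 0) return { action: 'allow', hits, logged: false };
  return { action: policy.mode === 'block' ? 'block' : 'allow', hits, logged: true };
}

// Run traffic through a policy and count hits per rule and path: the report
// an operator reads during the log-only period.
function stageReport(requests, policy) {
  const report = {};
  for (const req of requests) {
    for (const h of enforce(req, policy).hits) {
      const key = `${h.rule} @ ${req.path}`;
      report[key] = (report[key] || 0) + 1;
    }
  }
  return report;
}

// Constructed sample traffic.
const ZIP_LIKE_BODY = 'PK\x03\x04\x14\x00\x08\x00\x08\x00\x8a\x1a..' + '/' + '\xde\x9c\x00'; // '../' inside compressed bytes
const TRAFFIC = [
  { path: '/forum/post', query: '', contentType: 'application/x-www-form-urlencoded',
    body: 'text=How do I write a UNION SELECT across two tables in Postgres?' }, // legitimate question
  { path: '/upload', query: '', contentType: 'application/zip', body: ZIP_LIKE_BODY },   // zip false positive
  { path: '/download', query: 'file=../../etc/passwd', contentType: '', body: '' },        // real traversal attempt
  { path: '/about', query: '', contentType: '', body: 'hello' },                          // benign
];

const LOG_ONLY  = { mode: 'log',   exceptions: [] };
const UNTUNED   = { mode: 'block', exceptions: [] };
// Exceptions written after reading the log-only report: scoped to a path and
// field, not a blanket disable, so the traversal attempt on /download still blocks.
const TUNED = {
  mode: 'block',
  exceptions: [
    { rule: 'path-traversal', when: (req) => req.path === '/upload' && req.contentType === 'application/zip' },
    { rule: 'sqli-union',     when: (req, hit) => req.path.startsWith('/forum/') && hit.field === 'body' },
  ],
};

function decisions(policy) {
  return TRAFFIC.map((req) => `${req.path}:${enforce(req, policy).action}`);
}
```

`stageReport(TRAFFIC, LOG_ONLY)` is the view to leave running for a while; the exceptions in `TUNED` are written against what it shows, and only then does `mode` flip to `block`.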


Agreed, I believe the default Firewall security level is "Medium" and I think that's far too strict. First thing I do when adding a new zone is to set it to "Essentially off"


First thing I do is not use cloudflare when I don't need big brother anyway


Which is easy enough to say, but how do you protect your site from being ddosed?


None of my sites have been in over a decade of hosting from a residential connection

When it's needed, it's needed, but it amazes me how many people feel they need big brother protection for their personal blog and nextcloud


how many people do you piss off with the opinions you post on your blog? enough to warrant being DDoSed by an emotionally stunted high schooler with their parents'/stolen credit card and the ability to Google for a botnet?


Almost nobody who uses big brother as an individual ever does. What would anyone care about a nextcloud login panel? Or a reasonably civil personal blog? And yet they enable cloudflare for yet another small corner of the internet :(



