Cloudflare, Inc. is an American web infrastructure and website security company that provides content delivery network services, DDoS mitigation, Internet security, and distributed domain name server services. Cloudflare's services sit between a website's visitor and the Cloudflare user's hosting provider, acting as a reverse proxy for websites. Cloudflare's headquarters are in San Francisco.


Cloudflare was founded in 2009 by Matthew Prince, Lee Holloway, and Michelle Zatlyn. It received media attention in June 2011 for providing security services to the website of LulzSec, a black hat hacking group. From 2009, the company was venture-capital funded. On August 15, 2019, Cloudflare submitted its S-1 filing for IPO on the New York Stock Exchange under the stock ticker NET. It opened for public trading on September 13, 2019, priced at $15 per share. In February 2014, Cloudflare mitigated what was at the time the largest ever recorded DDoS attack, which peaked at 400 Gigabits per second against an undisclosed customer. In November 2014, Cloudflare reported another massive DDoS attack with independent media sites being targeted at 500 Gbit/s. In March 2013, the company defended The Spamhaus Project from a DDoS attack that exceeded 300 Gbit/s. Akamai's chief architect stated that at the time it was "the largest publicly announced DDoS attack in the history of the Internet". Cloudflare has also reportedly absorbed attacks that have peaked over 400Gbit/s from an NTP Reflection attack. In 2014, Cloudflare introduced an effort called Project Galileo in response to cyberattacks against vulnerable online targets, such as artists, activists, journalists, and human rights groups. Project Galileo provides such groups with free services to protect their websites. In 2019, Cloudflare announced that 600 users and organizations were participating in the project. On April 1, 2019, Cloudflare announced a new freemium Virtual Private Network service named WARP. The service would initially be available through the mobile apps with a desktop app available later. On September 25, 2019, Cloudflare released WARP to the public. The beta for macOS and Windows was announced on April 1, 2020. In 2020, co-founder and COO Michelle Zatlyn was named president, making her one of few women serving as president of a publicly traded technology company in the United States.


Cloudflare acts as a reverse proxy for web traffic. Cloudflare supports web protocols, including SPDY and HTTP/2. In addition to this, Cloudflare offers support for HTTP/2 Server Push.

DDoS Protection

Cloudflare provides DDoS mitigation services which protect customers from distributed denial of service (DDoS) attacks. As of September 2020, the company claims to block "an average of 72 billion threats per day, including some of the largest DDoS attacks in history." On September 6, 2019, Wikipedia became the victim of a DDoS attack. European users were unable to access Wikipedia for several hours. The attack was mitigated after Wikimedia network engineers used Cloudflare's network and DDoS protection services to re-route and filter internet traffic. The specific Cloudflare product used was Magic Transit.

Content Distribution Network

Cloudflare offers a popular Content Distribution Network (CDN) service. The company launched in 2010 and TechCrunch wrote that its goal was to be "a CDN for the masses". Ten years later, the company claimed to support over 25 million internet websites.


Cloudflare for Teams is a suite of authentication and security products aimed at business clients. Teams consists of two parts: Gateway, a highly-customizable dns resolver, and Access, a zero-trust authentication service.


In 2017 Cloudflare launched Cloudflare Workers, a serverless computing platform that allows one to create entirely new applications or augment existing ones without configuring or maintaining infrastructure. Since then, the product has expanded to include Workers KV, a low-latency key-value data store, Cron Triggers for scheduling cron jobs, and additional tooling for developers to deploy and scale their code across the globe.


After being leaked to the press, Cloudflare Pages was launched as a beta in December 2020. The product is a Jamstack platform for front end developers to collaborate and deploy websites on Cloudflare's infrastructure of 200+ data centers worldwide.


The following is a list of acquisitions by Cloudflare: * StopTheHacker (Feb 2014) * CryptoSeal (June 2014) * Eager Platform Co. (December 2016) * Neumob (November 2017) * S2 Systems (January 2020) * Linc (December 2020)

Security and privacy issues

The hacker group UGNazi attacked Cloudflare partially by exploiting flaws in Google's authentication systems in June 2012, gaining administrative access to Cloudflare and using it to deface 4chan. From September 2016 until February 2017, a major Cloudflare bug (nicknamed Cloudbleed) leaked sensitive data, including passwords and authentication tokens, from customer websites by sending extra data in response to web requests. The leaks resulted from a buffer overflow which occurred, according to analysis by Cloudflare, on approximately 1 in every 3,300,000 HTTP requests. In May 2017, ProPublica reported that Cloudflare as a matter of policy relays the names and email addresses of persons complaining about hate sites to the sites in question, which has led to the complainants being harassed. Cloudflare's general counsel defended the company's policies by saying it is "base constitutional law that people can face their accusers". In response to the report, Cloudflare updated their abuse reporting process to provide greater control over who is notified of the complaining party. Cloudflare is cited in reports by The Spamhaus Project, an international spam tracking organization, due to high numbers of cybercriminal botnet operations 'hosted' on Cloudflare services. An October 2015 report found that Cloudflare provisioned 40% of SSL certificates used by phishing sites with deceptive domain names resembling those of banks and payment processors. Cloudflare suffered a major outage on July 2, 2019, which rendered more than 12 million websites (80% of all customers) unreachable for 27 minutes. A similar outage occurred on July 17, 2020, causing a similar effect and impacting approximately the same number of sites. On March 9, 2021, Tillie Kottmann from the hacking collective "Advanced Persistent Threat 69420" revealed to Bloomberg News that the group had gotten root shell access to Cloudflare headquarters' internal network due to a security failure in the company's camera system. This meant that they had complete access to run any commands on the network. The group also accessed video feeds from company cameras monitoring entry points and thoroughfares. Cloudflare confirmed these claims in a blog post, but disputed that the hackers would have been able to access the company's data centers from the corporate network. They also denied Kottmann's claims that they would have been able to access CEO Matthew Prince's laptop from the compromised network, stating that he was out of the office at the time.


Cloudflare has faced several controversies over its unwillingness to monitor content distributed via its network—a stance it has defended based on the principle of free speech. Cloudflare stated that it will "continue to abide by the law" and "serve all customers", further explaining "our proper role is not that of Internet censor". These controversies have involved Cloudflare's policy of content neutrality and subsequent usage of its services by numerous contentious websites, including ''The Daily Stormer'' and 8chan, an imageboard which has been linked to multiple mass shootings in the United States and the Christchurch mosque shootings in New Zealand. Under public pressure, Cloudflare terminated services to ''The Daily Stormer'' in 2017 and to 8chan following the 2019 El Paso shooting. Cloudflare has come under pressure on multiple occasions due to its policies and for refusing to cease technical support (such as DNS routing and DDoS mitigation) of websites such as LulzSec, ''The Daily Stormer'', and 8chan. Some have argued Cloudflare's services allow access to content which spreads hate and has led to harm and deaths. However Cloudflare, as an Internet infrastructure provider, has broad legal immunity from the content produced by its users. Cloudflare provided DNS routing and DoS protection for the white supremacist and neo-Nazi website, ''The Daily Stormer''. In 2017 Cloudflare stopped providing its services to ''The Daily Stormer'' after an announcement on the controversial website asserted that the "upper echelons" of Cloudflare were "secretly supporters of their ideology". Previously Cloudflare had refused to take any action regarding ''The Daily Stormer''. As a self-described "free speech absolutist", Cloudflare's CEO Matthew Prince, in a blog post, vowed never to succumb to external pressure again and sought to create a "political umbrella" for the future. Prince further addressed the dangers of large companies deciding what is allowed to stay online, a concern that is shared by a number of civil liberties groups and privacy experts. The Electronic Frontier Foundation, a US digital rights group, said that services such as Cloudflare "should not be adjudicating what speech is acceptable", adding that "when illegal activity, like inciting violence or defamation, occurs, the proper channel to deal with it is the legal system." ''The Huffington Post'' has alleged that Cloudflare provides services to "at least 7 terrorist groups", as designated by the United States Department of State including the Taliban, Hamas, and the al-Quds Brigades, and has been aware since at least 2012, and has taken no action. However, according to Cloudflare's CEO, no law enforcement agency has asked the company to discontinue these services. In 2019, Cloudflare was criticized for providing services to the discussion and imageboard 8chan, which allows users to post and discuss any content with minimal interference from site administrators. The message board has been linked to mass shootings in the United States and the Christchurch mosque shootings in New Zealand. In addition, a number of news organizations including ''The Washington Post'' and ''The Daily Dot'' have reported the existence of child pornography and child sexual abuse discussion boards. A Cloudflare representative has been quoted by the BBC saying that the platform "does not host the referenced websites, cannot block websites, and is not in the business of hiding companies that host illegal content". In an August 3 interview with ''The Guardian'', immediately following the 2019 El Paso shooting, CEO Matthew Prince defended Cloudflare's support of 8chan, stating that he had a "moral obligation" to keep the site online. In August 2019, Cloudflare terminated services to 8chan, an American imageboard, after the perpetrator of the 2019 El Paso shooting allegedly used the website to upload his manifesto. Cloudflare services have been used by Rescator, a carding website that sells stolen payment card data. Two of the top three online chat forums belonging to the Islamic State of Iraq and the Levant (ISIL) are guarded by Cloudflare. According to Prince, U.S. law enforcement has not asked Cloudflare to discontinue the service, and it has not chosen to do so itself. In November 2015, hacktivist group Anonymous discouraged the use of Cloudflare's services following the ISIL attacks in Paris and the renewed accusation that Cloudflare aids terrorists. Cloudflare responded by calling the group "15-year-old kids in Guy Fawkes masks", and saying that whenever such concerns are raised it consults anti-terrorism experts and abides by the law. In late 2019, Cloudflare was criticized for providing services to the anti-black website Chimpmania. Hundreds of thousands signed a petition on Change.org urging Prince to terminate services to Chimpmania. The petition was created by the parents of a biracial baby who was born with gastroschisis and who was mocked as a "mulatto monkey baby" by site users, and whose pictures were posted on the site. Over the ten years the site has been active, numerous other petitions have also been leveled against it, none of which were successful.


External links

Cloudflare WorkersCloudflare PagesCloudflare TV
{{Authority control Category:2009 establishments in California Category:2019 initial public offerings Category:American companies established in 2009 Category:Companies based in San Francisco Category:Companies listed on the New York Stock Exchange Category:Content delivery networks Category:DDoS mitigation companies Category:Domain name registrars Category:Freedom of speech in the United States Category:Internet properties established in 2009 Category:Internet security Category:Internet technology companies of the United States Category:Reverse proxy Category:Technology companies based in the San Francisco Bay Area Category:Virtual private network services