
Cloudflare Is the Biggest Man-in-the-Middle in History (And You're OK With It)
April 11, 2026
Cloudflare terminates TLS for roughly 20% of all web traffic. Every HTTPS request proxied through their network is decrypted, inspected, and re-encrypted on Cloudflare's servers before it reaches the origin. We collectively decided this tradeoff is worth it, but most developers have never actually thought about what they traded.
How Cloudflare's Proxy Actually Works
When you put a site behind Cloudflare, your domain's DNS points to Cloudflare's edge servers instead of your origin. A visitor's browser establishes a TLS connection with Cloudflare, not with you. Cloudflare terminates that connection, reads the plaintext HTTP request, applies its WAF and caching logic, then opens a second TLS connection to your server.
This is called TLS termination, and it is not a bug or a side effect. Cloudflare cannot inspect traffic for malicious payloads, cache responses, or apply rate limiting without first decrypting the request. The same is true for Akamai, Fastly, and every other reverse-proxy CDN.
The difference is scale. No other CDN sits in front of 20% of the web.
(Figure: TLS Termination Flow)
Your visitor's browser shows a green padlock and the connection is encrypted. But the encryption terminates at Cloudflare's server in one of their 330+ data centers, not at your origin. For a brief moment, the full plaintext request and response exist in Cloudflare's memory.
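To make the DNS step above concrete, here is an added Python check (not Cloudflare's code and not part of the original post) that tells you whether a hostname's A records land on Cloudflare's edge, which is the sign that the browser's TLS session ends there rather than at your origin. It assumes a point-in-time snapshot of Cloudflare's published IPv4 ranges; the live list is at https://www.cloudflare.com/ips-v4, and the sample DNS answers are constructed.

```python
import ipaddress
import socket

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4),
# copied for this example; fetch the live list before relying on it, since it changes.
CLOUDFLARE_IPV4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
CLOUDFLARE_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_IPV4]


def is_cloudflare_ip(ip: str) -> bool:
    """True if the address falls inside one of Cloudflare's announced ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_NETS)


def classify(hostname: str, addresses: list) -> dict:
    """Decide where a browser's TLS session for this host terminates.

    All records on Cloudflare: the padlock covers only the browser-to-edge leg.
    A mix: partially proxied. None: TLS reaches the origin (or another proxy)."""
    hits = [ip for ip in addresses if is_cloudflare_ip(ip)]
    if hits and len(hits) == len(addresses):
        verdict = "terminates at Cloudflare edge"
    elif hits:
        verdict = "mixed: some records proxied"
    else:
        verdict = "not a Cloudflare edge address"
    return {"host": hostname, "addresses": addresses, "cloudflare": hits, "verdict": verdict}


def resolve_and_classify(hostname: str) -> dict:
    """Live variant: resolve A records with the system resolver, then classify."""
    _, _, addresses = socket.gethostbyname_ex(hostname)
    return classify(hostname, addresses)


# Constructed DNS answers standing in for a proxied site and an unproxied one.
SAMPLE_ANSWERS = {
    "proxied.example": ["104.16.132.229", "104.16.133.229"],
    "direct.example": ["203.0.113.10"],
}

if __name__ == "__main__":
    for host, ips in SAMPLE_ANSWERS.items():
        print(classify(host, ips))
```

A hit here only tells you the edge is Cloudflare; it says nothing about how the second, edge-to-origin connection is configured, which is a separate check on the origin side.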
The Scale Nobody Thinks About
Cloudflare handles more than 20% of all global web requests. They operate in over 330 cities across 120+ countries, within 50 milliseconds of 95% of the world's internet-connected population. Over 20 million websites and applications sit behind their network.
If Cloudflare were a government surveillance program, it would be the most wide-reaching signals intelligence operation ever constructed. It would cover a larger share of global communications than anything the NSA has publicly disclosed. The difference is that Cloudflare is a private company you opted into, not a classified program you discovered through leaks.
(Figure: Share of Top 1M Websites by CDN/Proxy)
Cloudflare is also the largest managed DNS provider in the world, with their 1.1.1.1 resolver handling billions of queries daily. If you use their CDN and their DNS resolver, Cloudflare sees both the domain you are visiting and the full contents of the request. That is a staggering amount of data flowing through a single company.
The Privacy Tradeoff
Cloudflare's privacy policy states they are a "data processor," not a "data controller." They say they do not sell personal data and do not use customer traffic data for advertising. For 1.1.1.1 DNS, they commit to not logging source IPs in non-volatile storage beyond 25 hours, with KPMG auditing the claim annually.
That is reassuring, but it is a policy, not an architecture. Policies change, companies get acquired, and governments issue national security letters. The technical reality is that Cloudflare can see everything passing through their network, and the only thing preventing them from doing so is their word.
Here is what Cloudflare can technically access for any proxied request:
- Full request and response bodies (HTML, JSON, form data, file uploads)
- Authentication headers, session cookies, and API tokens
- The client's real IP address, geolocation, and TLS fingerprint
- URL paths, query parameters, and request timing
Cloudflare has introduced features to mitigate parts of this: Keyless SSL keeps your private key on your own hardware, Geo Key Manager restricts where keys are stored, and Encrypted Client Hello (ECH) hides the SNI field from passive observers. But none of these change the fundamental architecture. Cloudflare still terminates TLS on their infrastructure.
Why We Accept It Anyway
Because the alternative is getting DDoSed off the internet. Cloudflare's free tier offers DDoS protection, WAF rules, CDN caching, and managed DNS that would cost thousands per month to replicate independently. For a solo developer or small business, the tradeoff is not even close.
- DDoS mitigation that absorbs multi-terabit attacks without any configuration
- Global CDN with 330+ PoPs, reducing latency for visitors worldwide
- Free SSL certificates with automatic renewal and zero setup
- WAF rules that block SQLi, XSS, and known CVEs out of the box
- DNS that resolves in under 15ms from nearly anywhere on Earth
- The price for all of this on the free tier: $0
I use Cloudflare on my own projects, including this site. Running your own DDoS-resistant edge infrastructure is a full-time job that costs real money. The privacy cost is real, but so is the cost of your site being offline.
The Alternatives (and Why Most People Don't Switch)
If the privacy tradeoff genuinely concerns you, alternatives exist. None of them offer the same combination of free, fast, and complete. That is part of why Cloudflare's position is so durable.
Fastly gives you programmable edge compute with VCL or Compute@Edge and sub-millisecond cache purges. It is the best option for teams that want CDN power without Cloudflare lock-in. Pricing starts at $50/month and scales with bandwidth.
Bunny.net (BunnyCDN) offers flat-rate bandwidth pricing starting at $0.01/GB, a pull-zone CDN with edge rules, and a simpler feature set. It handles caching and acceleration well. It does not include the WAF or DDoS protection you get from Cloudflare for free.
Self-hosted reverse proxy stacks like Nginx + Varnish + fail2ban give you full control over TLS termination and logging. You also handle every attack, every certificate renewal, and every server that needs patching at 2 AM. If you are already running your own infrastructure, this is feasible, but for everyone else it is a significant ops burden.
Note: Every CDN and reverse proxy that offers caching or WAF features requires TLS termination. The privacy difference between Cloudflare and Fastly is not architectural. It is about scale, market share, and how much trust you place in a single provider.
Where This Leaves Us
Cloudflare built something genuinely useful. Free DDoS protection and a global CDN democratized infrastructure that was previously reserved for enterprises with six-figure budgets. Millions of sites that would have been knocked offline by a bored teenager with a botnet are now protected.
The uncomfortable part is that this protection came with a quiet centralization of the web's trust model. We moved from a world where TLS meant end-to-end encryption between you and a server, to one where TLS usually means end-to-Cloudflare-to-server. The padlock in your browser does not mean what you think it means for roughly one in five websites.
I am not arguing you should stop using Cloudflare. I use it, and the company's track record on privacy is, as of early 2026, credible. But you should understand the architecture you are opting into.
TLS termination is not a conspiracy theory or an edge case. It is how the product works. The green padlock means your connection is encrypted to Cloudflare, and what happens after that is a matter of trust.