
When a shield becomes a shackle

Today’s Cloudflare outage illuminates another infrastructure dependency we’ve sleepwalked into: defensive consolidation. Sites adopt Cloudflare not for performance but survival, protection from the automated scraping that feeds AI systems and other bots that now dwarf human traffic.

In defending against automated consumption, most hand control to intermediaries. When Cloudflare stumbled this morning, some sites that delegated DNS entirely couldn’t even disable Cloudflare to restore access. The protection became a jail.

Once again, this isn’t inherently about Cloudflare.

It’s about thoughtful defense architecture versus reactive adoption. The question isn’t only whether to use these services but how to use them while retaining agency.

Before reaching for the CDN, consider the actual threat. Is it sustained abuse or periodic spikes? Are you conflating high traffic with hostile traffic? A statically generated site, if otherwise practical, might simply weather the storm. Rate limiting at your application layer might suffice. Sometimes vertical scaling costs less than the complexity you’re adding (Cloudflare makes it free or cheap for small endeavors, so once again it depends on how you value things and what you can afford).

When you do need stronger defenses, maintain your exits. Keep authoritative DNS separate from your CDN provider. Use CNAMEs, not full delegation. It is too easy to hand over the DNS keys, especially for a simple web site, but this is like a reverse mortgage on your house. Maintain an origin subdomain for direct access. Document your configuration outside your provider’s walled garden. _Test your ability to redirect traffic_ away from your protector.
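The exits listed above can be checked mechanically. This Python script is an added example, not part of the original post: it reads records in `dig +noall +answer` format and reports whether authoritative DNS sits entirely with the CDN and whether an origin hostname still bypasses it. The zones, the provider suffix `cdn-provider.example`, the CDN range and the `origin` label are all constructed assumptions.

```python
import ipaddress

def parse_dig(text):
    """Parse `dig +noall +answer` lines into (name, type, value) tuples."""
    rows = (line.split() for line in text.splitlines())
    return [(p[0].lower().rstrip("."), p[3], p[4].lower().rstrip("."))
            for p in rows if len(p) >= 5 and p[2] == "IN"]

def audit_exits(records, apex, cdn_suffix, cdn_nets, origin_label="origin"):
    """Return findings; an empty list means the exits described above exist."""
    nets = [ipaddress.ip_network(n) for n in cdn_nets]
    def at_cdn(host):
        return host == cdn_suffix or host.endswith("." + cdn_suffix)
    findings = []
    ns = [v for n, t, v in records if n == apex and t == "NS"]
    if not ns:
        findings.append("no NS records supplied for the apex")
    elif all(at_cdn(h) for h in ns):
        findings.append("authoritative DNS fully delegated to the CDN")
    origin = f"{origin_label}.{apex}"
    origin_rrs = [(t, v) for n, t, v in records if n == origin]
    if not origin_rrs:
        findings.append(f"no {origin} record for direct access")
    for t, v in origin_rrs:
        if t == "CNAME" and at_cdn(v):
            findings.append(f"{origin} is a CNAME into the CDN")
        elif t in ("A", "AAAA") and any(ipaddress.ip_address(v) in net for net in nets):
            findings.append(f"{origin} resolves to a CDN address")
    return findings

# Constructed sample input in `dig +noall +answer` format (hypothetical zones,
# hypothetical provider name "cdn-provider.example" and CDN range 198.51.100.0/24).
GOOD = """\
example.org.        3600 IN NS    ns1.dns-host.example.
example.org.        3600 IN NS    ns2.dns-host.example.
www.example.org.    300  IN CNAME example-org.cdn-provider.example.
origin.example.org. 300  IN A     192.0.2.10
"""
LOCKED_IN = """\
example.net.        3600 IN NS    amy.ns.cdn-provider.example.
example.net.        3600 IN NS    bob.ns.cdn-provider.example.
www.example.net.    300  IN A     198.51.100.7
"""

if __name__ == "__main__":
    for apex, text in (("example.org", GOOD), ("example.net", LOCKED_IN)):
        result = audit_exits(parse_dig(text), apex, "cdn-provider.example",
                             ["198.51.100.0/24"])
        print(apex, result or "exits in place")
```

Feed it the output of real `dig` queries for your own apex NS set and origin hostname, with your provider's nameserver suffix and published address ranges substituted for the constructed values.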

I’ve found a lot of the kinds of efforts I’ve worked with can get by with fairly humble technical solutions, and commodified technical solutions can do well by them (I worked on, and owned the end-of-life of, a platform that was essentially commodified). It still requires having a person on hand who understands what is being paid for and can take ownership of different circumstances that arise, adapt, and when surprised, learn and iterate.

At the very least, consider whether solutions for immediate problems are worth ceding control. In some cases, sure. But if you didn’t even have the resources on hand to intentionally make the choices and if the results caused unexpected pain, start looking for resources that understand the Internet, value lean and independent development, and are interested in what you do and what you need and can interrogate you and the technologies within reach to find an informed and suitable match.

Did I mention that I am, like everyone, looking for new work?