Ezoic integration - Cloudflare access

Is this legit/legal?

Ezoic asks me for my Cloudflare credentials (email/password) from their own website

Wow. I just realized that Ezoic is asking customers to hand over their username and password.

Personally, I will avoid using Ezoic in this case as it’s dangerous to hand over our Cloudflare username and password to them - they will have access to everything.


Cloudflare does NOT recommend the sharing of customer credentials with any 3rd party. And I’m personally not pleased that they still have our name spelled with CamelCase :facepalm: …but that’s another discussion.


Just to reiterate, DO NOT share Cloudflare credentials (username/password or the Global API Key) with anyone. Even API Tokens should be given only to trusted parties and limited to the minimum access required.

Not everywhere, they are confused.


They’ve been doing this for years. And then their customers’ sites stop working as expected, so they start asking Cloudflare for help to fix their Ezoic mess.


But Ezoic are a Cloudflare Partner, according to Ezoic at least, and a press release from 7 years ago.

Their standard procedure is to “trick” users into handing over their credentials, and they then create an API Key that they store to continually access a user's account. Teaching users that such practices are OK is not good in any world.

Are Ezoic a Cloudflare partner?
If not, it would be nice if Cloudflare stopped them extracting API Keys from users.


They are, and the integration they are using is one of the earliest.


I like (not really) how their messaging is “Hey, we’re a certified Cloudflare partner, it’s ok to give us your username and password.”


For that I would threaten to suspend the partnership. But I am not Cloudflare and I don’t have the contract on hand to read the fine print.


As Tim confirmed, they are a partner. I didn’t want to single them out, because we really don’t recommend sharing your credentials with anyone…regardless of any “official” status.

Their standard procedure is to “trick” users into handing over their credentials

Someone from our partner team has already reached out to them to discuss their integration.


What about CamelCase?

I asked the person from our partner team to mention that as well, but I’m not going to hold my breath. There are probably hundreds (if not thousands) of references floating around with the capital F. :man_shrugging:t2:


I know. It’s like a never-ending game of whack-a-mole. Oh, look! There’s another!


StrawBerries and
oh my!

Funny story about that…we had discussed creating a Worker for the blog that automatically changed all cap Fs within CloudFlare to lowercase, but it was decided that since the posts have date/time stamps from before the change we should leave them as they were.

Also, I recognize that I fixate on it more than most people. Very likely because my first tech job was at PayPal, which was acquired by eBay (technically ebay from the original logo, but always written out as eBay), so I’ve been obsessed with CamelCase since before I started here and learned it had an actual name.


Which is the thing I said to @sdayman when he mentioned this :stuck_out_tongue: I am sure he will think we are the same person, now.


I was just messaging Matteo to point out that all other blog posts in that time period are updated. It’s just this one guest post that’s the old way.


Which ones are you seeing? I know there have been a handful that we have gone back and changed because they were receiving a lot of traffic still, but I thought the only one from that far back was about free speech.

The first dozen or so. The titles are updated, and I skimmed a few and it looks like lower case as well. Though right now it just started throwing 502 errors.

Yep! They should… finally, they have been caught out; I am happy reading this thread.

I can, along with many others, go on a rant against this company, but that is going far off-topic.
