What data does Cloudflare actually see?

I couldn’t find any support documentation on this, but that might be because it’s a very simple question and I just don’t have a grasp on how Cloudflare really works yet.

Say someone visits a website using Cloudflare’s services and enters a password. Does Cloudflare see that password in plaintext? If not, why not? Is TLS between the end user and the website, or between the end user and Cloudflare? Does this depend on the settings? What difference do these make to what Cloudflare sees?

Cloudflare is a proxy service, which allows it to provide all of the features that it does, like HTTPS rewrites/auto-minify/level 7 firewall/etc. This means that all traffic that goes to a website on Cloudflare will be technically readable and modifiable by Cloudflare.

So yes, CF does see all of the passwords, OAuth tokens, secrets, and PII that go through its systems. However, Cloudflare operates in accordance with the GDPR and isn’t an advertising or data collection company, giving them little to no incentive to steal any PII or steal the passwords of customers/website operators.

Using Cloudflare as a CDN and proxy definitely requires trusting Cloudflare, but you could say the same thing about Akamai, Fastly, AWS, GCP, etc. when they host your content and also sometimes act as middlemen in the connection. Discussion on HN… If you don’t trust Cloudflare, you very well could simply use LetsEncrypt and only use Cloudflare as a DNS provider by setting zones to :grey:.
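
As an added example (not part of the original thread, and not Cloudflare's own code), the sketch below shows how a site operator could check, per hostname, whether TLS ends at Cloudflare's edge (proxied, so request plaintext is visible there) or at the origin (DNS only). The hostnames, observations and function names are constructed for illustration, and the address list is a subset of the ranges Cloudflare publishes, assumed to still be current.

```python
import ipaddress

# Subset of the IPv4 ranges Cloudflare publishes at https://www.cloudflare.com/ips/
# (assumption: still current; refresh from that page before relying on it).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "141.101.64.0/18", "108.162.192.0/18",
    "162.158.0.0/15", "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13",
)]


def in_cloudflare_range(ip):
    """True if the resolved address belongs to one of the listed edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def tls_terminator(resolved_ip, headers):
    """Return (where TLS ends, evidence list) for one observed HTTPS response."""
    h = {k.lower(): v for k, v in headers.items()}
    evidence = []
    if in_cloudflare_range(resolved_ip):
        evidence.append("A record is a Cloudflare edge address")
    if "cf-ray" in h:
        evidence.append("CF-RAY response header present")
    if h.get("server", "").lower() == "cloudflare":
        evidence.append("Server: cloudflare")
    # Any one signal means the request passed through the proxy, so the
    # plaintext (passwords, tokens, PII) was visible at Cloudflare's edge.
    # No signal at all is treated here as a direct (DNS-only) connection.
    return ("cloudflare-edge" if evidence else "origin"), evidence


# Constructed observations: hostname -> (resolved IP, response headers).
OBSERVED = {
    "login.example.test": ("104.16.12.34",
                           {"Server": "cloudflare", "CF-RAY": "constructed-ray-id"}),
    "api.example.test": ("203.0.113.10", {"Server": "nginx"}),
}


def audit(observed):
    """Map each hostname to the place its TLS session terminates."""
    return {host: tls_terminator(ip, hdrs)[0] for host, (ip, hdrs) in observed.items()}


if __name__ == "__main__":
    for host, where in audit(OBSERVED).items():
        print(f"{host}: TLS terminates at {where}")
```
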
