Update: CloudFlare’s CEO’s response at end of post.
CloudFlare is a service that sits in between your web site and its visitors to make pages load faster and defend against malicious users. The first time I heard about CloudFlare, I was enchanted. At Squidoo, I’ve worked for years to develop a rock solid performance and security infrastructure, and all of a sudden a company comes along that offers many of the same features for only $20/mo.
I’ve been eager for the chance to try CloudFlare, and the newly relaunched CollabFinder was the perfect test. Now that I have some experience with it, here is what I love and hate about CloudFlare:
What I love:
- Instant performance boost for almost any web site: optimized routing, globally distributed caching of static content (CDN), automatic minification of scripts and CSS.
- Basic security protection against email harvesters and spam commenting bots, plus a reCaptcha-based challenge page to allow the good guys through.
- All of the above FOR FREE.
- 5-minute installation. It couldn’t be easier to get up and running.
- For $20/mo, advanced security features like XSS and SQL injection protection.
What I hate:
- For a service that’s all about performance, CloudFlare’s control panel feels pretty slow. The page frame loads first, then the main content Ajaxes in a few seconds later. There’s no loading icon, and when the content does appear it’s a little jarring.
- The Threat Control panel, a radar of suspicious activity identified on your site, is confusing and scary.
Everything is red, and it’s not clear what you’re supposed to do or whether you have been harmed. What makes this especially bad is that CloudFlare is geared toward novices who aren’t as knowledgeable as professional web developers.
- The security features are completely opaque. Options like “Low”, “Medium”, and “High” might be welcoming for newbies, but make it impossible for developers to troubleshoot false positives.
On CollabFinder, quite a few people had trouble uploading photos because CloudFlare blocked the requests. This happened on some photos, but not others, and we couldn’t find a pattern. Turning the security settings to “essentially off” still didn’t help, and CloudFlare provides essentially no documentation about what types of checks are performed at each security level. We eventually implemented a workaround using cross-domain Ajax to bypass CloudFlare’s security feature (yuck).
- The documentation needs work. First, why is it a wiki? Do you really want your customers editing your support documentation? It might not be such a bad idea, considering how little detail CloudFlare itself provides. Here is the tiny little description of the advanced security features:
- No 24/7 support options. CloudFlare goes home on the weekends, even though your site does not. Why isn’t there at least an option for premium support?
If I could do it all over…
I’d still pick CloudFlare. For small businesses, side projects, and new ventures, it’s simply the easiest and most effective way to speed up and secure a web site.
Have you tried it? What do you think?
Update: CloudFlare CEO Matthew Prince confirms via Twitter that CloudFlare is working on the negatives I’ve mentioned and that they do have support staff working 7 days a week. The tweet I referenced above is apparently directed only at hosting partners, not standard customers. Prince touts an average turnaround time of 3 hours on support requests, although there are no guarantees (and I’m waiting on an initial response to a ticket posted 22 hours ago). CloudFlare plans to offer a complete SLA sometime in the future.