
Cloudflare Application Security and Performance Pricing Overview

Cloudflare Application Security and Performance Pricing Reviews

(2)
Luca P.
Chief Operational Officer DEQUA Studio | Formerly CTO
Marketing and Advertising
Small-Business (50 or fewer emp.)
"Unified security and acceleration stack that feels enterprise‑grade"
What do you like best about Cloudflare Application Security and Performance?

Cloudflare brings a cohesive application security and performance platform that consolidates WAF, bot mitigation, DDoS protection, CDN, and API security under a single, globally distributed edge network, reducing operational sprawl while improving coverage across layers 3 through 7.

The WAF combines Cloudflare‑managed rules, OWASP rulesets, and fully custom rules, with machine learning based detections and attack scoring that catch bypasses and variations beyond static signatures.

Managed updates arrive continuously, including zero‑day protections curated by the security team, which lowers rule maintenance effort and reduces false positives through large‑scale pre‑deployment testing.

Advanced rate limiting supports policies by IP, header, ASN, and country, which helps throttle abuse patterns without blunt blocking, and policies can return actions like block, log, challenge, or CAPTCHA when needed. IP reputation and exposed credential checks feed detections with real‑time intelligence and credential leak signals, which is especially useful for bot‑driven credential stuffing at the application edge.

API protections include schema‑aware and ML‑assisted detection, and the rules interface lets me compose policies from multiple signals such as Bot Score and Attack Score in a single place, which aligns security controls across web and API traffic consistently.

Client‑side security is covered to monitor and block malicious browser‑side resources, tightening the supply chain surface area from third‑party scripts that otherwise go ungoverned.

The platform integrates logging at request payload level with raw log access, SIEM connectors, and Terraform support to embed policies into CI/CD workflows, which keeps security configuration auditable and repeatable across environments. The dashboard’s unified Security rules experience brings WAF custom rules, rate limiting, API sequence rules, and client‑side rules together in one view, making posture and mitigations observable at a glance.

From a performance standpoint, the CDN is built on a very large global footprint, with data centers in over 330 cities and proximity within roughly 50ms to about 95% of the connected population, which materially shortens round trips for both static and dynamic content. Every service runs on every server in every data center, so content typically serves from the nearest location without specialized regional routing, and the scale is designed to handle traffic surges while maintaining latency targets.

Real‑world testimonials cite immediate performance lifts and cache hit improvements after migration, and the platform positioning emphasizes reduced origin requests and lower egress exposure via features like Cache Reserve.

The connectivity cloud framing is more than branding: application services are connected with global threat intelligence that blocks on the order of hundreds of billions of threats daily, and the same backbone used for security is leveraged to accelerate delivery of web apps and APIs. Operationally, deployment is DNS‑level with no hardware, and the service posture includes a 100% uptime guarantee at the service offering level with financial penalties, which is rare and signals confidence in resiliency.

Load balancing, free SSL, and detailed analytics round out the edge feature set, making the stack feel complete for both acceleration and protection in one plane.

What stands out in day‑to‑day use is the consolidated management model: one console, consistent analytics at request granularity, and ML‑assisted policies that reduce busywork without turning the system into a black box.

Platform‑specific WAF rule packs for major CMS and commerce platforms accelerate safe onboarding for typical stacks, while gRPC and WebSocket support means modern protocols are first‑class rather than afterthoughts. The approach scales from simple DNS onboarding to IaC‑driven policy management, which suits mixed teams across operations, security, and development. Review collected by and hosted on G2.com.

What do you dislike about Cloudflare Application Security and Performance?

Nothing I don’t like or that is not being optimized quickly

Verified User in Airlines/Aviation
Small-Business (50 or fewer emp.)
"Cloudflare's "Cancellation" System is a Joke - 35+ Days, Multiple Charges, Still Can't Cancel"
What do you like best about Cloudflare Application Security and Performance?

Nothing. Nothing. Nothing. Nothing. Nothing.

What do you dislike about Cloudflare Application Security and Performance?

Cloudflare's "Cancellation" System is a Joke - 35+ Days, Multiple Charges, Still Can't Cancel

TL;DR: Cancelled all Cloudflare subscriptions on December 25th, 2025. Got charged anyway on December 27th AND January 27th. Their support says "engineers cancelled all subscriptions" but the billing page STILL shows an active $240/year subscription that I literally CANNOT edit or remove (the Edit button does nothing). Over a month later, still fighting this.

---

The Timeline of Absurdity

December 25, 2025: I cancel ALL my subscriptions through the Cloudflare dashboard. Everything. Done. Or so I thought.

December 27, 2025: I get charged $10 for "Advanced Certificate Manager" - a service I JUST cancelled 2 days ago. I open a support ticket demanding a full refund, explanation of why a cancelled service was charged, and all payment methods permanently deleted.

December 31, 2025: Support responds saying it's a "system-side issue" and they've "escalated to engineering." They also mention response times might be slow due to holidays. Fair enough, I guess.

January 27, 2026: I GET CHARGED AGAIN. Same subscription. At this point I've been waiting a MONTH.

January 29, 2026: Support claims "Our engineers have cancelled all active subscriptions on the account."

January 31, 2026 (Today): I check my billing page. THERE'S STILL AN ACTIVE SUBSCRIPTION showing $240.00/yr with a renewal date of June 8, 2026. The "Edit" button? Doesn't work. Nothing happens when you click it.

---

What I've Learned

1. Cloudflare's cancellation system doesn't actually cancel billing - They might stop your services, but the billing keeps rolling.

2. The UI is deliberately broken - You literally CANNOT click "Edit" on subscriptions to remove them. It's not a bug, it's a feature (for them).

3. Support plays the "escalated to engineering" card - Classic stalling tactic while they keep charging your card.

4. They ignore requests for legal contact information - I've asked multiple times for their legal representative's contact details. Radio silence.

---

My Response to Their Latest "We cancelled everything" Email

"No, you did not cancel all active subscriptions in my account! Can you see how that subscription is still active? I want that permanently removed."

"You will have to remove my payment method, and permanently delete my account and make sure all subscriptions are canceled!"

---

What's Next

- Filing complaint with ANPC (Romania's consumer protection agency)

- Filing EU consumer protection complaint

- Contacting legal representation

- Documenting EVERYTHING for potential legal action

---

The Real Question

How is a company this big allowed to have billing systems this broken? Or is it "broken" by design?

When you can't cancel a subscription because the Edit button literally doesn't respond to clicks, that's not a bug - that's a dark pattern.

---

Has anyone else experienced this with Cloudflare? I'd love to hear your stories. Maybe we can compile enough cases for a class action.

EDIT: I have the full 5-page support ticket transcript as evidence. Names/emails redacted for privacy but happy to share with anyone who needs it for similar cases.

---

Posted from someone who's been in tech for 30 years and has never seen billing this bad.

Cloudflare Application Security and Performance Comparisons
CloudFront
Akamai Content Delivery Solutions (CDN)
Imperva Cloud Application Security