  • Improving Flarum speed with Cloudflare cache

[deleted] Application layer attacks would require the CF WAF, which isn't free.

Actually I was referring to L7 DDoS, which unfortunately Cloudflare mitigates only if it's very impacting. For example, if you get 100 requests per second Cloudflare doesn't mitigate it, although your server would certainly be KO because PHP is heavy. If you get 1000 r/s, they probably would.

My understanding is that this kind of attack is better handled by Bot Management, which is an Enterprise feature unfortunately.

    matteocontrini My understanding is that this kind of attack is better handled by Bot Management, which is an Enterprise feature unfortunately.

    Correct, but L7 in the OSI model is in fact application - the topmost tier, so the WAF ruleset would actually apply. However, you can have even a basic ruleset operating on your own host to mitigate some of this traffic at least. The free version has basic bot detection, but you're right - you'd have to pay to get anything decent.
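    Added example (mine, not code from this thread, Flarum or Cloudflare): a small Python check that scans constructed access-log lines and flags any client whose per-second request count reaches the 100 r/s figure mentioned above, the kind of basic host-side rule the post suggests. The log format (common log format) and the IP addresses (documentation ranges) are assumptions.

```python
# Added example, not from the thread: host-side per-IP request-rate check over
# common-log-format lines; flags clients whose peak rate in a sliding window
# reaches the threshold, so a flood too small for the CDN still shows on the origin.
import re
from collections import defaultdict
from datetime import datetime

# ip - - [timestamp] "request" status  (assumed common log format prefix)
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3}')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, epoch_seconds) for a well-formed line, or None for junk."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT).timestamp()

def flag_flooders(lines, window_seconds=1, threshold=100):
    """Map each IP whose peak request count within any window of
    window_seconds reaches threshold to that peak; malformed lines are skipped."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts = parsed
            hits[ip].append(ts)
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            # Advance the window start until it spans less than window_seconds.
            while t - times[start] >= window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged

def build_sample():
    """Constructed sample log (documentation IP ranges): one client sends 120
    requests in one second, a normal client sends 3 over 3 seconds, plus junk."""
    burst = ['203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "GET /?p=%d HTTP/1.1" 200 512' % i
             for i in range(120)]
    normal = ['198.51.100.7 - - [10/Oct/2023:13:55:3%d +0000] "GET / HTTP/1.1" 200 512' % i
              for i in range(5, 8)]
    return normal[:1] + burst + ["not a log line"] + normal[1:]
```

    Running `flag_flooders(build_sample())` reports only the bursting client with its peak of 120 requests in a one-second window; the threshold and window are parameters so the same check works for a different rate.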

      [deleted] I agree with you 100%

      [deleted] "There's no such thing as a free lunch"

      I agree with this 100000000%

      @[deleted] Also a quick question, as you are a big, good specialist in security: can you please tell me, is it really safe, and is using it good or not?

      matteocontrini Yes, I agree with you this time!
      That's good to know you are also using CloudFlare.

      [deleted] It's not a Captcha. It's the initial loading of the site

      Your "initial loading" returns 403 status code? That's unusual 😆

        rob006 It does the same on all sites - even those without CF it seems 😕 and it's the same with discuss. I do get your point though - it certainly looks like a Captcha request but I can't see any matching logs at CF for my sites.

          1Dot Because that's the Windows Live Writer file, which in retrospect is almost harmless as it will attempt to use xmlrpc, which is disabled. Obscurity is not security.

          Justoverclock Yes, but as @rob006 pointed out, your site resolves to HTTP 200, so clearly it IS being blocked by CF (for my site at least) as a bot. What's odd though is that I can clearly see the session being built from this IP via CF to my server, so it does get through.

          1Dot Yes, but note the 403 error code. You can't rely on this site to present real figures unless you whitelist the IP address at CF. On investigation, it's being blocked by the Browser integrity check but the traffic request does make it to my server which responds.

          Very odd. 100% unreliable test in this case though.

            [deleted] Browser integrity check

            Phenomlab But I can see the IP accessed my server in my server logs, and also the screenshot is of the site, not that access denied.

            Yes, but there are a lot of differences. I used that Pingdom you shared; see what I got.

              [deleted] It does the same on all sites - even those without CF it seems 😕 and it's the same with discuss.

              Disqus is behind Cloudflare. My blog isn't and it is working fine:

                rob006 Very interesting. I see your site is also WordPress - impressive !

                1Dot Phenomlab But I can see the IP accessed my server in my server logs, and also the screenshot is of the site, not that access denied.

                Same here

                1Dot Yes, but there are a lot of differences. I used that Pingdom you shared; see what I got.

                Yes, but look at your load time ! Anything over 1 second these days is considered slow.

                  [deleted] Yes, but look at your load time ! Anything over 1 second these days is considered slow.

                  Hmm, any tips to improve this? And what's the problem with GTmetrix? I always get an A.

                  1Dot also the screenshot is of the site, not that access denied.

                  The screenshot is provided by a different service in a different data center.