Skip to main content


It's trivial to determine the real IP of a Mastodon server behind Cloudflare. All it takes is one well-crafted request:

gist.github.com/cutiful/4f36da…

I wonder how many instance admins using Cloudflare know about this? My hunch is most do not, because the primary justification I see for using Cloudflare here is DDoS protection.

Cloudflare won't help if the attacker knows your origin IP, and you can't hide that with Cloudflare alone, due to the nature of ActivityPub.

#MastoAdmin #InfoSec

reshared this