Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

How do you check if a website uses cloudflare ? Any scripts that do that ?


Response headers will contain a "cf-ray" header or "server: cloudflare-nginx"


Both should be there, as well as 'Set-Cookie: __cfduid=...'

  $ curl -I okcupid.com
  Set-Cookie: __cfduid=...
  Server: cloudflare-nginx
  CF-RAY: 335f033b77742b76-AMS
EDIT: Better yet, make that 'curl -IL domain.com' to follow redirects because it may not show in the first response.


There is no reliable way to check. The problem is that even if you verify that a site isn't using CloudFlare now, that doesn't mean that they didn't use it in the past (and you'd still be affected).

In other words: Just assume that everything has been compromised. With how much of the web CloudFlare controls nowadays, you're not going to be far off anyway.


Icon lights up if the current site is on Cloudflare proxy.

https://chrome.google.com/webstore/detail/claire/fgbpcgddpmj...


$ host -t NS digitalocean.com

digitalocean.com name server walt.ns.cloudflare.com.

digitalocean.com name server kim.ns.cloudflare.com.


That may not necessarily work. Example:

  $ host -t NS okcupid.com
  okcupid.com name server nameserver2.okcupid.com.
  okcupid.com name server nameserver1.okcupid.com.
But if you check the response headers you'll see 'CF-RAY:...' and 'Server: cloudflare-nginx'


There's this browser addon

https://chrome.google.com/webstore/detail/claire/fgbpcgddpmj...


$ dig example.com

to get the A Record, then

$ whois 1.2.3.4|grep Cloudflare

Not 100% reliable, but should do the Job.


    whois $(dig +short yoursitehere.com) | grep -i 'Cloudflare' 1>/dev/null; if [[ $? -eq 1 ]]; then echo 'Didnt find CloudFlare'; else echo 'Found CloudFlare'; fi
Not at a terminal now, but this long one-liner should work.

Like you said, not 100% reliable though. For example, I'm pretty sure Reddit uses CloudFlare, but their whois mentions Fastly, which is a competitor.


We moved off of CloudFlare to Fastly before this vulnerability.


Confirmed, reddit.com was removed from the list. My mistake for not double checking this one.


If you find any domains with this please add them to the list:

https://github.com/pirate/sites-using-cloudflare


I know it's kinda late,but there is one more way to find if a site is using Cloudflare

append /cdn-cgi/trace to the URL and you will some debug info

Ex:

https://cloud.digitalocean.com/cdn-cgi/trace

https://news.ycombinator.com/cdn-cgi/trace


http://www.doesitusecloudflare.com/




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: