
In what way do we "outright ban non-conformant users"?

You are making a lot of assumptions with that statement

Our security level setting is low enough that almost nobody would actually get blocked from the site. Anybody could access the contact page and email us or use the live chat

We use Turnstile in a couple of places and we have gotten a couple isolated reports about users being unable to perform actions behind Turnstile but it was always that they had some sketchy extension installed. And the extra security and bot protection we are getting makes those very low false positive rates worth it (we have tens of thousands of users so a couple reports in the last couple years is fine...)



> In what way do we "outright ban non-conformant users"?

You have literally replied to a thread in which we discuss how Cloudflare bans non-conformant users (who live in 3rd world countries, use Linux and possibly other non-conformant computer practises according to Cloudflare's product managers). So you outright ban them by using Cloudflare.

-----

You also literally contradict yourself with the following two statements:

> I live on the opposite side of the globe and have no problems using Cloudflare. Also, my SaaS is deployed on Cloudflare and we have users in hundreds of countries who use it with no problem

and

> We use Turnstile in a couple of places and we have gotten a couple isolated reports about users being unable to perform actions behind Turnstile but it was always that they had some sketchy extension installed. And the extra security and bot protection we are getting makes those very low false positive rates worth it (we have tens of thousands of users so a couple reports in the last couple years is fine...)

Make up your mind, which is it? Do you have no problems using Cloudflare and your users in hundreds of countries use it with no problem or not?

-----

That being said, what percentage of lurkers actually contact random online services to let them know that something is wrong? Almost nobody does that.

Personally, I've only contacted Troy Hunt on haveibeenpwned and his blogs, letting him know on several separate occasions that his websites are inaccessible to some users, as far as I could tell, from 3rd world countries. He has deleted all of my comments, he probably deletes all comments critical of his service, since there's only praise allowed in his blog posts. To be able to contact him, I had to borrow a MacBook and use a US VPN, because all of his services are behind endless Cloudflare captchas.

How many website visitors of yours, not users, would be able or willing to go to that length to contact you about your dysfunctional Cloudflare WAF?


This has nothing to do with Cloudflare WAF. Like I said our security level is very low and the Turnstile handling is done in a Worker

And I'm sorry if you think that 2 users in 2 years having an issue when we have tens of thousands of paying users tips the scale of whether or not it is an overall net benefit for our company. If it wasn't for Cloudflare we simply wouldn't be able to provide the free versions of the software in the same fashion that we do now

It sounds like you're upset at somebody who improperly configured Cloudflare on their sites and now you are blaming the company and everybody that uses it without having a solid understanding of the tech


It's more like a lot of people hate CF and that too much of the internet relies on it. It's not like they hate anyone specific.


> And I'm sorry if you think that 2 users in 2 years having an issue when we have tens of thousands of paying users tips the scale

I get where they're coming from, but I really hate it when companies take this kind of view. Back when I grew my software company, I cared about every. single. one. of my customers.


You would have to have a very wacky setup to not even be able to pass Cloudflare Turnstile. Having that in place does not mean I don't care about my users. In fact we only put it on the login endpoint to help prevent abuse of people's accounts in the first place...

Also, I want to add that we only put Turnstile on the login page once we had tens of thousands of active users and not a single person had any issue logging into their account. These are paid users, so I can guarantee you they would have been emailing us


> 2 users in 2 years having an issue

See, this is what makes Cloudflare's practises work. You are under the impression that 2 users in 2 years have had issues when, actually, 2 users in 2 years have bothered to jump through lots of hoops to finally contact you about your issues.

Your SaaS business seems profitable, so keep it up! But don't go around claiming only 2 users have had issues, you most definitely don't have a 100% support contact rate for Cloudflare related issues.


There are not a lot of hoops. They would simply click the contact page and then use the email or live chat like I explained earlier.

The WAF does not block anybody from accessing the site which I have been trying to explain to you.

You are not listening because you are taking one experience with one site and then projecting that on to me.


> They would simply click the contact page and then use the email or live chat

Perhaps I misunderstood. Is your contact page not behind Cloudflare?


Do you fail to comprehend that Cloudflare does not show any captchas and does not block anybody by default? And that blocking entirely depends on the site's settings?

It can be both true that our entire website frontend (such as the contact page...) is behind Cloudflare and that nobody will be blocked. If you don't understand that it's not on me

I've already tried to tell you several times now that we only use TURNSTILE for a couple specific actions in the app and that otherwise nobody is going to be blocked or shown a captcha...

I'm not sure you realize just how flexible Cloudflare's security settings are and that if you are blocked it is entirely because the website owner set it up that way.

I guarantee you that you access a ton of sites behind Cloudflare and you don't even realize it


> Do you fail to comprehend that Cloudflare does not show any captchas and does not block anybody by default? And that blocking entirely depends on the site's settings?

Nope, it would appear that you fail to comprehend that users which are banned from ever reaching your website would never contact you. You can't know what you don't know, it's a natural limitation, you just can't yet wrap your head around this concept. I suggest re-reading the thread.


Users are never banned from reaching our website.


The entire point of this thread is that, by simply using Cloudflare as WAF, users are outright banned without you knowing about it :)


I told you we don't use their WAF, we use Turnstile. I've tried to explain this many times. Our entire infra runs on Cloudflare Workers but that doesn't mean we block anybody.

You keep failing to understand that there are literally an infinite number of ways to configure Cloudflare and you are making way too many assumptions



