Comment by LoganDark
I've set up CF for a personal site and I even tell CF to use a client certificate (called "Origin CA") so nothing else can even connect to it.
I've set up CF for a personal site and I even tell CF to use a client certificate (called "Origin CA") so nothing else can even connect to it.
Have they started to use per-domain certificates for this, or can anyone who finds the origin bypass the check by creating their own (different) Cloudflare domain and pointing it at your origin?
Edit: Looks still the same by default, but at least they're (somewhat obscurely) documenting the issue and providing the option to use a custom cert now...
https://developers.cloudflare.com/ssl/origin-configuration/a...