Question for people willing to visit Cloudflare sites:

How do you determine whether to trust a login page on a CF site? A sloppy or naïve admin would simply take the basic steps to putting their site on Cloudflare, in which case the authentication traffic traverses CF. Diligent admins setup a separate non-CF host for authentication.

Doing a view-source on the login page and inspecting the code seems like a lot of effort. The source for the lemmy.world login page is not humanly readable. It looks as if they obfuscated the URLs to make them less readable. Is there a reasonably convenient way to check where the creds go? Do you supply bogus login info and then check the httpput headers?

  • glowie@h4x0r.host
    link
    fedilink
    English
    arrow-up
    4
    ·
    7 months ago

    Yes, CF can view your login creds as the reverse-proxy effectively acts as a MitM handling the encryption and decryption.

    • coffeeCleanOP
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      edit-2
      7 months ago

      It’s not always the case though. If you look at vivaldi.net and stackexchange, the creds take a CF-free path.