How to Check if a Website Uses Cloudflare: A Step-by-Step Guide
If you need to check if a website uses Cloudflare, you've come to the right place. Whether you're a developer doing competitive research, a security analyst investigating infrastructure, or a site owner verifying your own setup, confirming Cloudflare's presence on a domain is a straightforward process once you know where to look. This guide walks you through multiple reliable methods — from quick browser tricks to command-line tools and automated checkers — so you can get a definitive answer in minutes.
Why You Might Need to Check If a Website Uses Cloudflare
Before diving into the how-to, it's worth understanding why this matters. Cloudflare sits between a website's origin server and its visitors, acting as a reverse proxy. This means it handles DNS resolution, caches content at edge locations, filters malicious traffic, and terminates SSL connections — all before a request ever reaches the actual web server.
Knowing whether a site uses Cloudflare tells you a lot:
- Security posture: Cloudflare provides DDoS protection, a Web Application Firewall (WAF), and bot mitigation. If a site uses it, direct-to-origin attacks are much harder to execute.
- Performance characteristics: Cloudflare's CDN caches static assets globally, so response times and cache behavior will differ from a non-CDN site.
- IP masking: Cloudflare hides the real origin IP address. If you're trying to find a server's true location, Cloudflare's presence changes your approach entirely.
- Troubleshooting: If a site is returning unexpected errors (like a 522 or 1020), knowing it's behind Cloudflare helps you interpret what those errors mean.
- Competitive analysis: Understanding a competitor's infrastructure stack can inform your own technology decisions.
Method 1: Check HTTP Response Headers
The fastest way to check if a website uses Cloudflare is by inspecting the HTTP response headers. Cloudflare consistently injects specific headers into every response it proxies.
Using Your Browser's Developer Tools
- Open the website in Chrome, Firefox, or Edge.
- Press
F12to open Developer Tools. - Navigate to the Network tab.
- Reload the page (
Ctrl+RorCmd+R). - Click on the first request (usually the HTML document itself).
- Look at the Response Headers section.
You're looking for these Cloudflare-specific headers:
| Header | What It Means |
|---|---|
cf-ray |
A unique Cloudflare request identifier. Always present if Cloudflare is handling the request. |
cf-cache-status |
Indicates whether Cloudflare served the response from cache (HIT, MISS, BYPASS, etc.). |
server: cloudflare |
Cloudflare sets the Server header to "cloudflare" on proxied requests. |
cf-request-id |
Another Cloudflare-specific identifier for internal tracing. |
If you see a cf-ray header, the site is definitively behind Cloudflare. This header is not optional — Cloudflare adds it to every single response it touches, and no other provider uses this exact header name.
Using curl from the Command Line
If you prefer working in a terminal, curl gives you clean header output:
curl -sI https://example.com
The -s flag suppresses progress output, and -I fetches only the response headers (a HEAD request). Your output will look something like:
HTTP/2 200
date: Mon, 15 Jul 2024 10:23:45 GMT
content-type: text/html; charset=UTF-8
server: cloudflare
cf-ray: 7a1b2c3d4e5f6789-LHR
cf-cache-status: HIT
The presence of server: cloudflare and cf-ray confirms Cloudflare is active. The value after the dash in cf-ray (like LHR) is the IATA airport code of the Cloudflare data center that handled your request — London Heathrow in this example.
You can also use curl -v for even more verbose output:
curl -v https://example.com 2>&1 | grep -i "cf-\|server:"
This pipes the verbose output and filters for any header containing "cf-" or "server:", giving you a clean summary.
Method 2: DNS Lookup Analysis
Cloudflare assigns specific IP ranges to proxied domains. When you look up a domain's A or AAAA records, Cloudflare-proxied sites will resolve to IP addresses within Cloudflare's published IP ranges rather than the origin server's actual IP.
Using the dig Command
dig A example.com +short
This returns the IPv4 addresses the domain resolves to. If the site uses Cloudflare's proxy (the orange cloud in Cloudflare's dashboard), you'll get IPs from Cloudflare's ranges, such as:
104.16.x.x104.17.x.x172.67.x.x198.41.x.x
Cloudflare publishes its full list of IP ranges at https://www.cloudflare.com/ips/. You can cross-reference the resolved IP against this list.
# Get the IP
IP=$(dig A example.com +short | head -1)
echo "Resolved IP: $IP"
# Check if it falls in a known Cloudflare range
# (manual check against published ranges)
Using nslookup
On Windows or systems without dig:
nslookup example.com
Look at the "Address" field in the response. Again, cross-reference against Cloudflare's IP ranges.
Important Caveat: DNS-Only vs. Proxied Records
It's critical to understand that not all records in a Cloudflare-managed DNS zone are proxied. In Cloudflare's dashboard, DNS records can be set to "DNS only" (grey cloud) or "Proxied" (orange cloud). If a record is DNS-only, the IP returned will be the actual origin server IP, not a Cloudflare IP — even though Cloudflare is managing the DNS.
So a DNS lookup alone isn't conclusive proof that traffic is flowing through Cloudflare's proxy. The HTTP header method is more reliable for confirming active proxying.
Method 3: Use an Automated Cloudflare Detection Tool
If you don't want to manually run terminal commands or dig through browser developer tools, an automated tool makes the process instant. OpDeck's Cloudflare Detection tool analyzes a domain and checks for Cloudflare's presence by examining DNS records, HTTP response headers, and IP address ranges simultaneously.
This is particularly useful when:
- You need to check multiple domains quickly.
- You're not comfortable with command-line tools.
- You want a consolidated report rather than piecing together individual signals.
The tool checks all the indicators covered in this guide — cf-ray headers, server: cloudflare, IP range matching — and gives you a clear yes/no answer along with supporting evidence. It's a reliable starting point before you dig deeper into any specific aspect of a site's infrastructure.
Method 4: Check the SSL Certificate
Cloudflare issues its own SSL certificates for proxied domains. These certificates are issued by Cloudflare, Inc. and will show specific organizational details that distinguish them from certificates issued directly by Let's Encrypt, DigiCert, or other CAs that an origin server might use.
Using curl to Inspect the Certificate
curl -vI https://example.com 2>&1 | grep -A 10 "Server certificate"
Or use openssl:
echo | openssl s_client -connect example.com:443 -servername example.com 2>/dev/null | openssl x509 -noout -issuer -subject
A Cloudflare-issued certificate will show something like:
issuer=C = US, O = Cloudflare, Inc., CN = Cloudflare Inc ECC CA-3
subject=C = US, ST = California, L = San Francisco, O = Cloudflare, Inc., CN = example.com
The issuer O = Cloudflare, Inc. is the giveaway. However, this method has limitations — site owners can upload custom certificates to Cloudflare, so you might see a DigiCert or other certificate even on a Cloudflare-proxied site. Treat this as supporting evidence, not a standalone confirmation.
Method 5: Look for Cloudflare-Specific Error Pages
If a website is temporarily unreachable or you trigger a WAF block, Cloudflare generates distinctive error pages. These pages have a consistent design and always include the cf-ray ID at the bottom.
Common Cloudflare error codes:
- Error 1020: Access Denied — the WAF blocked your request.
- Error 522: Connection Timed Out — Cloudflare couldn't reach the origin server.
- Error 524: A Timeout Occurred — the origin server took too long to respond.
- Error 1000: DNS points to prohibited IP.
If you encounter any of these pages, the site is definitely behind Cloudflare. The footer of these pages typically reads something like: "Ray ID: 7a1b2c3d4e5f6789 • Your IP: x.x.x.x • Performance & security by Cloudflare."
Method 6: WHOIS and ASN Lookup
Every IP address belongs to an Autonomous System (AS). Cloudflare operates AS13335. If a domain resolves to an IP in AS13335, Cloudflare is in the path.
whois $(dig A example.com +short | head -1) | grep -i "orgname\|org-name\|netname"
Or use an online ASN lookup service and enter the resolved IP. If the result shows "Cloudflare, Inc." as the organization, you've confirmed Cloudflare's involvement.
You can also query this directly:
curl -s "https://ipinfo.io/$(dig A example.com +short | head -1)/org"
This will return something like AS13335 Cloudflare, Inc. if the IP belongs to Cloudflare.
What the cf-ray Header Tells You Beyond Just Detection
The cf-ray header is worth examining more closely. Its format is:
cf-ray: [16-character-hex]-[IATA-code]
For example: cf-ray: 7a1b2c3d4e5f6789-SIN
- The 16-character hex string is a unique identifier for that specific request, useful for debugging and contacting Cloudflare support.
- The IATA code tells you which Cloudflare Point of Presence (PoP) handled your request.
SIN= Singapore,LHR= London Heathrow,JFK= New York JFK,LAX= Los Angeles, etc.
This tells you not just that Cloudflare is present, but which geographic edge node you're connecting to — useful for diagnosing latency issues or verifying that Cloudflare's anycast routing is directing you to the nearest available data center.
Combining Methods for Definitive Confirmation
No single method is 100% foolproof in every edge case. Here's a quick decision framework:
- Start with HTTP headers (
curl -sIor browser DevTools). If you seecf-ray, you're done — it's Cloudflare. - If headers are inconclusive, check the resolved IP against Cloudflare's IP ranges using a DNS lookup.
- Cross-reference with the SSL certificate to see if Cloudflare issued it.
- Use an automated tool like Cloudflare Detection on OpDeck to consolidate all signals at once.
Using two or three of these methods together gives you near-certainty about whether Cloudflare is in the picture.
What If Cloudflare Is Present But Headers Are Missing?
Occasionally, you might find that a site resolves to Cloudflare IPs but the cf-ray header is absent. This can happen in a few scenarios:
- Cloudflare Workers: Custom Worker scripts can modify or strip response headers, including
cf-ray. - Page Rules: Certain Cloudflare configurations can alter header behavior.
- Cloudflare for SaaS: When Cloudflare is used as a SaaS platform for custom hostnames, the behavior can differ.
- Enterprise configurations: Large enterprise Cloudflare customers sometimes have non-standard setups.
In these cases, the DNS/IP method becomes your primary signal. If the IP resolves to AS13335 (Cloudflare), traffic is flowing through their network regardless of header modifications.
Understanding Cloudflare's Role in Performance and Security
Once you've confirmed a site uses Cloudflare, you can interpret its behavior more accurately. Cloudflare's infrastructure affects:
- Response times: Cached responses from a nearby edge node will be significantly faster than uncached origin responses.
- Cache headers: The
cf-cache-statusheader tells you whether you got a cached copy (HIT) or a fresh origin response (MISS). This is directly relevant if you're doing performance analysis. - Security headers: Cloudflare can inject security headers like
X-Frame-Options,X-Content-Type-Options, andStrict-Transport-Securityeven if the origin server doesn't set them. - Bot challenges: Cloudflare may serve JavaScript challenges or CAPTCHAs to suspicious traffic, which affects how automated tools interact with the site.
Practical Use Cases: When to Check for Cloudflare
Penetration Testing and Security Research
Before running any security scans, knowing a target is behind Cloudflare changes your methodology. Direct IP scanning won't reach the origin server. Rate limiting and WAF rules may block automated tools. You need to account for Cloudflare's filtering when interpreting scan results.
Debugging Connectivity Issues
If users report intermittent errors, knowing Cloudflare is in the stack helps you distinguish between origin server problems and Cloudflare-level issues. A 522 error means Cloudflare can't reach your origin — that's a different problem than a 500 from your application.
Competitive Infrastructure Research
If a competitor's site is consistently fast and resilient, confirming Cloudflare usage helps you understand why. It also tells you that their origin server IP is hidden, making direct server analysis impossible without other methods.
Verifying Your Own Setup
After configuring Cloudflare on your own domain, running through these checks confirms that traffic is actually flowing through Cloudflare's proxy as intended, rather than bypassing it due to a misconfiguration.
Conclusion
Checking if a website uses Cloudflare is something you can do in under a minute once you know which signals to look for. The most reliable indicator is the cf-ray response header — if it's present, Cloudflare is handling the request, full stop. DNS lookups, SSL certificate inspection, and ASN lookups provide additional confirmation when headers alone aren't enough.
For the quickest and most comprehensive check, use OpDeck's Cloudflare Detection tool, which automates the entire detection process and surfaces all relevant signals in one place. Whether you're auditing your own infrastructure, researching a competitor, or troubleshooting a production issue, OpDeck gives you the data you need without the manual legwork.