You move your site behind Cloudflare (or CloudFront, or any CDN/WAF), watch the dashboard light up green, and feel safe. The edge will soak up the floods now. Right? Mostly. But there is a quiet failure mode that undoes the whole thing in one step, and almost nobody tests for it: origin IP exposure . The problem in one sentence A CDN only filters the traffic that actually passes through it. If your origin server still answers on its own public IP, an attacker who learns that IP just connects str