Who said it is incompetent? Why is it incompetence? It's possible someone has their cloudflare security turned up to 11. Maybe they have hacker problems and would rather risk a few less clicks than getting completed p0wned.

Also keep in mind that just because it's "RSS" doesn't mean there is a quick and easy way to exclude it from security. On your average Wordpress blog the URL is /somethingradom/feed/. So either Cloudflare assumes every URL of /feed/ should be exempt, or it should read the contents of every page to check for exclusions?

Also do keep in mind that if you're a Cloudflare customer you can easily exclude specific URLS from this type of security scrutiny. So perhaps the blog owner is incompetent? Perhaps this person posting this is on a network with a computer thats infected with a botnet.

Who knows. This "article" is shit.

Here's the thing: most website owners don't know any better, it's all up to their CDN providers, like Cloudflare, to provide adequate features for security preconfigurations. Don't make it a user's responsibility. At the end of the day I'm annoyed by Cloudflare, forcing me to enable javascript, not by any of their customers.

When the website owner decides to use Cloudflare in front of their site, it is absolutely their responsibility to ensure that it's configured properly. Not Cloudflare's and certainly not the user's.

And for that matter, it's entirely possible that they consider this correct behaviour. They may have a poorly written dynamic RSS feed that doesn't cache for instance, and want it protected.

Moreover, Cloudflare provides plenty of ways for the website owner to avoid this behaviour - the global security level can be adjusted, settings for individual endpoints can be adjusted, even settings for individual IP ranges can be adjusted.

As a user, you have no idea what settings the website owner has selected; it seems rash to blame Cloudflare in that context.

There is no one else to blame. Website owners are just people, most will never be able to understand the service and all of the implications of the configurations it provides. Cloudflare is the only one here able to do something about it, not their customers or users.

I don't even know why this is a discussion. Not blaming customers and users for anything is a common sense.

The only reason the CAPTCHAs exist is incompetence, do you see any of cloudflares competitors doing that? No? It's because they don't need to.