Cloudflare enables this behaviour. They are not guiltfree in this regard.

They enable what exactly? It's a useful tool and should definitely be activated in some use cases.

We might argue about whether it should come turned on by default or not, but as far as I remember the default setting is not a strict but a moderate protection level anyway.

From parent:

> But they will harass your visitors with captchas for no good reason.

Not sure what point we're trying to make here. Any other firewall/CDN/WAF enable you to do the same thing, to the point of many also providing ready-made protection profiles... what makes this specific member of that group special? Can you clarify?

This is so true. In general, enablers do have a moral obligation over whatever they enable. People shouldn't ignore that.