from Hacker News

Ask HN: Cloudflare WAF Alternatives?

by rco8786 on 12/5/25, 8:10 PM with 16 comments

I don't know if we're ready to pull the trigger yet, but curious if other folks are looking at alternatives.

The WAF is great, but recent events have made it obvious that having a single point of failure entirely defeats the purpose of DNS being a distributed/decentralized service.

Is anyone doing anything creative here? We like the features that the WAF provides - but not at the expense of global outages. If you have a 3 9s availability SLA, you've just blown 90% of your allotted downtime because of Cloudflare's WAF.

  • by mappu on 12/5/25, 9:23 PM

    The ability of a WAF to respond to an 0day incident is rapid rollout, 100% of endpoints, which is a SPOF no matter whether it's done via a big company or by a distributed system.
  • by cport1 on 12/16/25, 2:32 PM

    I have been using https://webdecoy.com and integrating it with Cloudflare WAF.
  • by server_man3000 on 12/6/25, 7:34 AM

    Not worth. Competitors like Bunny CDN, which is much smaller, will inevitably have a much worse incident as they grow. Every large company will inevitably have a couple bad incidents, so asking “what other large company will never have incidents” is a moronic perspective IMO.
  • by mindcrash on 12/6/25, 12:35 PM

    Some alternatives which can be self-hosted:

    open-appsec (by Check Point), their proxy/gateway integration and your favorite firewall daemon:

    https://docs.openappsec.io/getting-started/start-with-linux

    appsec (by CrowdSec), their proxy/gateway integration and your favorite firewall daemon:

    https://docs.crowdsec.net/u/getting_started/installation/lin...

  • by stevefan1999 on 12/6/25, 3:42 AM

    What about an open source alternative built with Nginx/OpenResty? I forgot the name, but that's the spirit.
  • by yearolinuxdsktp on 12/5/25, 9:05 PM

    AWS Route53, built-in DDoS basic protections, plus AWS WAF (can be expensive depending on your budget).
  • by Carriethebest on 12/9/25, 9:55 AM

    I would recommend SafeLine. It's self-hosted and easy to set up.
  • by dennis16384 on 12/6/25, 7:51 PM

    Google Cloud Armor plus Load Balancer?

    You can balance traffic to external networks or clouds with it too.

  • by grim_io on 12/5/25, 10:20 PM

    Being down because half the internet is down is an easier sell than being down because you fucked it up yourself.
  • by 3rube on 12/6/25, 2:43 AM

    Fastly (US) and BunnyCDN (EU) are excellent options.
  • by 882542F3884314B on 12/6/25, 12:00 AM

    Akamai is a decent alternative.
  • by BOOSTERHIDROGEN on 12/6/25, 12:37 AM

    CrowdSec
  • by tguvot on 12/6/25, 5:52 PM

    Imperva