# Should I use Cloudflare in front of Vercel?

**Author:** Justin Vitale

---

Using reverse proxies like Cloudflare will limit Vercel's traffic visibility for security measures, introduce latency that degrades performance, and create cache management issues that may affect reliability. We [**do not recommend**](https://vercel.com/guides/can-i-use-a-proxy-on-top-of-my-vercel-deployment) using a reverse proxy in front of Vercel.

## DNS

We recommend moving to Vercel as your DNS provider. [Learn more](https://vercel.com/docs/projects/domains/managing-dns-records).

## Bot Protection

We discourage using reverse proxies (e.g. Cloudflare, Azure, or other CDNs) in front of Vercel when [Bot Protection](/docs/bot-management#bot-protection-managed-ruleset) is enabled. This setup significantly degrades detection accuracy and performance, resulting in a poor end-user experience.

Reverse proxies interfere with Vercel's ability to reliably identify bots:

- **Obscured detection signals** – Legitimate users may be incorrectly challenged because the proxy masks signals that Bot Protection relies on.
  
- **Frequent re-challenges** – Some proxies rotate their exit node IPs frequently, forcing Vercel to re-initiate the challenge on every IP change.
  

## Reverse Proxies

Vercel offers [native support for using a reverse proxy](https://vercel.com/guides/vercel-reverse-proxy-rewrites-external) through rewrites and our Edge Network is both a Content Delivery Network (CDN) and a globally distributed platform for running compute in regions around the globe.

While it is possible to stack an external proxy or load balancer in front of Vercel, **we do not recommend this approach**. The biggest disadvantage is that Vercel no longer has full traffic visibility, which prevents the Vercel Firewall and our threat intelligence products from working to their full potential. This includes our ability to automatically challenge requests, prevent DDoS attacks, and more.

Learn more about [reverse proxies with Vercel](https://vercel.com/guides/can-i-use-a-proxy-on-top-of-my-vercel-deployment).

## Wildcard Domains

Vercel offers native support for wildcard domains.

Enterprise plan customers can issue a [Cloudflare Origin CA certificate](https://developers.cloudflare.com/ssl/origin-configuration/origin-ca/) with a wildcard SAN (Subject Alternative Name) and [upload it on Vercel](https://vercel.com/docs/projects/domains/custom-SSL-certificate), if required to use Cloudflare.

---

[View full KB sitemap](/kb/sitemap.md)
