We’ve standardised our default Cloudflare security configuration for Passenger websites to ensure high availability and security. This change only affects Passenger websites that use Cloudflare.

Passenger websites are largely protected against serious attacks by the hardened security model of Passenger systems. We further use Cloudflare where possible to add an additional layer of security by making use of their Web Application Firewall. Previously we’ve retroactively enabled rate limits/captchas for websites when requested by operators or when an attack is underway/has taken place.

Attacks on websites can range from lesser issues such as spam to larger issues such as denial of service attacks (DoS) and software exploitation.

Recently, we’ve seen a rise in distributed denial of service attacks (DDoS) across Passenger websites. We do not believe these attacks are targeted at us/our customers, and are commonplace occurrences.  In one example, a website begins receiving 24x the usual traffic from illegitimate users (bots). If left unchecked, this could cause the website to become unavailable for legitimate users, but by blocking the requests we can negate the impact of the attack. 

To proactively address these, we’re now applying a standard Cloudflare firewall configuration to all Passenger websites. This will ensure that websites are kept available during attacks and help prevent spam via form submissions.

This will have no effect on the majority of users, but people on some connections/pages may see an interstitial page before they access some pages on the site.

This standard firewall configuration consists of firewall rules and rate limits, which perform actions when triggered. Some customers may add additional rules where requested. Rules can be disabled where required. 

We’re rolling these changes out gradually and will update them as we monitor their impact. Let us know if you have any questions at all.