[tombrossman]

My primary concern with Cloudflare proxied sites is that I have no way to assess the technical competency of the sites they proxy. I can check most HTTPS sites using an online tool such as SSL Labs or Mozilla's Observatory. For example I discovered a local mobile operator who had not bothered to patch their primary web server against Heartbleed an entire year after the exploit was discovered, which was a real shocker.

Cloudflare are technically competent which is great, but their clients are impossible to assess. I see a lot of formerly insecure local web servers switching over to Cloudflare (and HTTPS), and I know it's the same morons operating the web server. For me the safe default assumption must be that the site behind them is run by people who are not technically competent. I suppose Cloudflare could set a server header indicating the connection between them and the proxied site is HTTPS?

[RKearney]

I put in a support request back in March 2017 asking them to add a header indicating which type of HTTPS setting was used (flexible/full strict/full weak/etc) and this was their response:

Hello Ryan,

This is something we are definitely considering. I will pass your feedback on to our team. Of course, we need to carefully consider the security implications for the millions of sites using Cloudflare before making this change, as it may have unforeseen consequences. Let me know if there's anything else that I can help with at all!

Best Regards,

[oefrha]

Easier for you to assess the technical competency, however nice for you = larger attack surface for the site. Why would anyone in their right mind expose unnecessary info for hackers (whether whitehat or blackhat) to assess whether they’re an easy target? This is like asking people to turn on nginx server_tokens. Also, unnecessary headers -> more bytes transferred -> more bandwidth cost, especially for very short responses (but probably doesn’t matter for Cloudflare.)