by ckuehl 2288 days ago
Also keep in mind that if you use IP-based whitelisting, an attacker can register their own CF/Fastly account and target your origin server with whatever CDN settings they want (assuming they can discover your origin server). With Fastly at least you can even do this from the free tier.

Took me a second to wrap my head around what you were saying, so I'll point it out: they'd be pointing their CDN account to your origin server, and making requests through it.
Same for Cloudflare - to mitigate this, your server should only respond to the correct HOST header for your website.
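The mitigation the reply above describes, as an added example that is not code from either commenter: a small WSGI origin filter that refuses requests whose Host header is not one of the site's own and, because the thread points out that an attacker picks their own CDN settings, also requires a shared-secret header that only your own CDN configuration injects. The hostnames, the header name and the secret value are constructed placeholders.

```python
import hmac

# Constructed values for this example; substitute your own hostnames and secret.
ALLOWED_HOSTS = {"example.com", "www.example.com"}
SECRET_HEADER = "X-Origin-Secret"                    # hypothetical header you add in the CDN config
ORIGIN_SECRET = "replace-with-a-long-random-value"   # placeholder, generate your own


def origin_request_allowed(headers, allowed_hosts=ALLOWED_HOSTS,
                           secret=ORIGIN_SECRET, secret_header=SECRET_HEADER):
    """Decide whether a request that reached the origin came through our own CDN setup.

    headers: dict of request headers in any letter case.
    Returns (status, reason): status is the HTTP status line to answer with,
    or None when the request should be passed on to the application.
    """
    h = {k.lower(): v for k, v in headers.items()}
    # Drop an optional :port and compare the hostname case-insensitively.
    host = h.get("host", "").rsplit(":", 1)[0].strip().lower()
    if host not in allowed_hosts:
        return "421 Misdirected Request", "Host header is not one of ours"
    # A Host check alone is weak if the CDN lets a tenant override the Host it
    # forwards, so additionally demand a secret only our CDN configuration sets.
    presented = h.get(secret_header.lower(), "")
    if not hmac.compare_digest(presented.encode(), secret.encode()):
        return "403 Forbidden", "missing or wrong origin secret"
    return None, "ok"


class OriginGate:
    """WSGI middleware that applies origin_request_allowed() before the app runs."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        # WSGI exposes request headers as HTTP_<NAME>, dashes turned into underscores.
        headers = {k[5:].replace("_", "-"): v
                   for k, v in environ.items() if k.startswith("HTTP_")}
        status, reason = origin_request_allowed(headers)
        if status is not None:
            start_response(status, [("Content-Type", "text/plain")])
            return [reason.encode() + b"\n"]
        return self.app(environ, start_response)


def _upstream(environ, start_response):
    """Stand-in for the real application behind the gate."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello from origin\n"]


def gate_status(environ):
    """Run one constructed WSGI environ through the gate and return the status line."""
    seen = []
    OriginGate(_upstream)(environ, lambda status, headers: seen.append(status))
    return seen[0]
```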