[hibernator935]

Wait, does not mean that Cloudflare (or AWS) can read and modify all the user input inluding passwords?

Genuine question, I never used one of these services.

[the_duke]

Yes, Cloudflare stores the SSL the private keys. CDNs really need to read and modify the requests and responses for most of their functionality, like caching, load balancing, DOS mitigation, ...

You can always use a separate, not CDN protected domain for your API if this is a threat vector you care about.

[stedaniels]

Yes. It depends on your threat model. You have to just someone at some point of you're not running your own datacentres.