The past is your future

CDNs: verifying you're human,
while we gather all your private data

CDNs, the untold story

First: set aside everything that you know and distrust everything that's free and being pushed.

Aggressive Marketing and Adoption

CDNs are being promoted as the solution for web security, performance, and reliability. This isn't unique: many tech companies push their products hard, especially those using a "freemium" model. However, it's important to ask why a service is promoted so heavily. Is it because it truly is the best solution, or because the business model relies on mass adoption (and data)?
Nuance: Cloudflare, for example, does offer valuable services, such as DDoS protection and CDN functionality, but choosing Cloudflare (or an alternative) should always be based on a balance of pros and cons, not just marketing.

"Free" Isn't Free: Data as Currency

Cloudflare's "free" model is not without costs. You don't pay in money, but in data. Cloudflare acts as an intermediary between your visitors and your website, meaning they can log, analyze, and potentially use all traffic for their own purposes (e.g., improving services, but also for commercial purposes).
Important point: unlike cookie consent, where users can refuse, Cloudflare offers no opt-out option for visitors. This is a fundamental difference from the GDPR principles of transparency and consent.
Nuance: Cloudflare claims to anonymize personal data and not sell it, but the lack of transparency makes this difficult to verify.

Extensive Logging and Lack of Transparency

Cloudflare logs a lot of data by default, including IP addresses, request headers, and more. These logs are retained for up to 30 days, according to their own policy. This is a red flag for many privacy-conscious users and organizations, especially because there is little clarity about what exactly happens with this data and who has access to it.
Criticism: there is no independent audit or public reporting on how Cloudflare handles this data, which undermines trust.

Lock-in via External Resources and CDN

Cloudflare encourages the use of its CDN and external resources (e.g., scripts, fonts, images). This can lead to technological lock-in: once dependent on Cloudflare, it's difficult to switch without performance degradation or technical issues.
Risk: if Cloudflare ever changes its policies (e.g., price increases, stricter terms), you, as a user, are in a weaker bargaining position.

Abuse of Cloudflare IPs and Whitelisting

This is one of the most concerning points. Cloudflare IPs are often whitelisted by security services because they are considered safe. This makes it easy for malicious actors to conduct scans and attacks from Cloudflare IPs without being blocked. For example, the frequently seen scans for WordPress admin and config files, which hit your site even if you're not using WordPress, show that Cloudflare's infrastructure is being actively abused. This is a serious risk, especially for less technical users who don't know how to detect or block it.
Solution: Cloudflare should more actively monitor and block abuse from their IP addresses and be more transparent about how they address this.

Promising Security, but with holes

Cloudflare advertises strong security features, but there are significant risks associated with their service. The fact that their IP addresses are being abused for scans and attacks, and that they don't always proactively respect robots.txt, undermines their claim of security for everyone.

 

What can you do as an alternative?

First things first: reject everything third-party. Do it step by step and don't force yourself; the rest will follow later.
Concentrate on this only.


External resources: fundamentally insecure

Single Points of Failure

Every external resource (whether it's a CDN, a script, a font, or an API) introduces a dependency beyond your control. If that resource fails, is blocked, or is hacked, your entire website or application will (partially) fail. This is a design flaw if reliability and security are priorities.
Examples:
- A CDN that goes offline (e.g., due to a DDoS attack or technical malfunction) can render your entire site inaccessible.
- A compromised external JavaScript library (as happened with BootstrapCDN and Polyfill.io) can expose your visitors to malware.

Lack of Transparency and Control

You can never be certain what's happening behind the scenes with a CDN or external resource. Even if a provider seems trustworthy today, their policies could change tomorrow:
- They could start data harvesting (e.g., tracking, logging, or selling data).
- They can introduce vulnerabilities (e.g., through faulty updates or insecure configurations).
- They can be blocked (e.g., by governments, as happened with Cloudflare in Russia and China).
Conclusion: If you don't have 100% control over the code and infrastructure, you run unnecessary risks.

Privacy and Compliance Risks

External resources can contain trackers or collect data without your knowledge. This is not only a privacy issue but can also lead to GDPR violations if you don't have explicit consent from your visitors.
Example: Many websites load Google Fonts or jQuery from a CDN by default, without realizing that this can leak IP addresses and browser behavior to third parties.

Unnecessary Complexity

CDNs and external resources add complexity to your stack, without always providing real added value. For most websites, the performance gains from a CDN are minimal if you configure your own server properly (e.g., with HTTP/2, caching, and a fast hosting provider).
Alternative: A properly configured, dedicated server (e.g., with Nginx, Varnish, or LiteSpeed) can often deliver the same performance without the risks.

Hype and Marketing

The use of CDNs and external resources is largely driven by marketing. Companies like Cloudflare, Google, and Akamai have a vested interest in making as many websites as possible dependent on their infrastructure. This isn't a technological necessity, but a commercial strategy.

 

What Can You Do?

Self-Host Everything

- Scripts: Host all JavaScript and CSS files yourself, on your own domain.
- Fonts: Use system fonts or host them yourself (e.g., with @font-face).
- Images: Serve them from your own server or your own object storage (e.g., S3-compatible storage).
- Analytics: Use privacy-friendly, self-hosted tools like Matomo or GoAccess.
- Code: Write all your code yourself, or at least be very careful where you get your code from; if you don't use your own code, make 100% sure that you know exactly what it does.

Minimize Dependencies

- No external APIs for critical functionality.
- No CDN for static assets if you don't need global distribution.
- Don't use "free" services that cost you data or control.
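
Before self-hosting, it helps to know what a page currently pulls from other hosts. The following is an added example (not code from this site): a Python audit that lists every host a page fetches scripts, stylesheets, fonts, images or frames from on load. The sample page and the example.org address are constructed, and treating every other hostname (subdomains included) as external is an assumption.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tag -> URL attribute fetched on page load (<link> only for FETCH_RELS).
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}
FETCH_RELS = {"stylesheet", "icon", "preload", "prefetch", "preconnect", "dns-prefetch"}
# url(...) and @import "..." inside inline <style> blocks.
CSS_URL = re.compile(r"""url\(\s*["']?([^"')\s]+)|@import\s+["']([^"']+)""", re.I)

class ThirdPartyAudit(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.in_style = page_url, False
        self.own_host = urlsplit(page_url).hostname
        self.external = {}  # host -> URLs fetched from it

    def _record(self, ref):
        url = urljoin(self.page_url, ref)   # resolves relative and //host forms
        host = urlsplit(url).hostname       # None for data: URIs
        if host and host != self.own_host:  # assumption: subdomains count as external
            self.external.setdefault(host, []).append(url)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        self.in_style = tag == "style"
        rels = set((attrs.get("rel") or "").lower().split())
        ref = attrs.get(FETCH_ATTRS.get(tag, ""))
        if ref and (tag != "link" or rels & FETCH_RELS):  # rel="canonical" is not fetched
            self._record(ref)

    def handle_endtag(self, tag):
        self.in_style = False

    def handle_data(self, data):
        for m in CSS_URL.finditer(data if self.in_style else ""):
            self._record(m.group(1) or m.group(2))

def audit(html, page_url):
    parser = ThirdPartyAudit(page_url)
    parser.feed(html)
    parser.close()
    return dict(sorted(parser.external.items()))

# Constructed sample page, assumed to be served from https://www.example.org/.
SAMPLE_HTML = """<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Roboto">
<script src="//ajax.googleapis.com/ajax/libs/jquery/3.7.1/jquery.min.js"></script>
<style>@font-face{font-family:X;src:url("https://fonts.gstatic.com/s/x.woff2")}</style>
<script src="js/app.js"></script><img src="data:image/gif;base64,R0lGOD">
<a href="https://elsewhere.example/">plain links are not fetched on load</a>"""
```

Calling `audit(SAMPLE_HTML, "https://www.example.org/index.html")` returns the three outside hosts the sample page contacts; each one is a candidate for a local copy.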

Secure Your Own Infrastructure

- Firewall: Use a local firewall (e.g., ufw, iptables, or Cloudflare alternatives like naxsi for Nginx).
- Rate Limiting: Protect against brute-force attacks with tools like fail2ban.
- Logging: Actively monitor your own logs so you can quickly detect suspicious behavior.
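
One way to act on the logging advice, and on the earlier point about scans arriving from whitelisted address ranges, shown as an added example that is not code from this site: count requests for WordPress-only paths per client and mark which clients sit inside a range you allowlist. The log lines are constructed, and the allowlist is a placeholder documentation range standing in for whatever ranges your setup trusts.

```python
import ipaddress
import re
from collections import Counter

# Placeholder allowlist (documentation range). Substitute the ranges your
# firewall or security service trusts, such as a CDN's published list.
ALLOWLISTED = [ipaddress.ip_network("198.51.100.0/24")]
# Paths that only exist on a WordPress install (backup copies included).
WP_PROBE = re.compile(r"/(wp-login\.php|wp-admin\b|wp-config\.php|xmlrpc\.php)", re.I)
# Common/combined log format: ip - - [time] "METHOD target PROTO" status ...
LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" \d{3} ')

def wp_probes(lines, allowlist=ALLOWLISTED):
    """Return [(ip, hits, allowlisted)] for clients requesting WordPress paths."""
    hits = Counter()
    for line in lines:
        m = LINE.match(line)
        if m and WP_PROBE.search(m.group(2).split("?", 1)[0]):  # ignore query string
            hits[m.group(1)] += 1
    report = []
    for ip, count in hits.most_common():
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:      # hostname or garbage in the client field
            continue
        report.append((ip, count, any(addr in net for net in allowlist)))
    return report

# Constructed log lines for a site that does not run WordPress.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Mar/2025:06:14:02 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Mar/2025:06:14:03 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Mar/2025:06:15:40 +0000] "POST /xmlrpc.php HTTP/1.1" 404 162 "-" "curl/8.5.0"',
    '192.0.2.77 - - [10/Mar/2025:06:16:11 +0000] "GET /index.html?ref=/wp-admin HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, count, trusted in wp_probes(SAMPLE_LOG):
        print(f"{ip:15} {count} probe(s)  allowlisted={trusted}")
```

Rows marked allowlisted are requests an IP-based allowlist would have let through, so rules such as a fail2ban filter should match on the requested path rather than trust the source range.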

Education and Awareness

- Teach others about the risks of external dependencies.
- Promote self-hosting as the standard for secure and reliable websites.

Practical Examples

| Resource | External Dependency | Self-Hosted |
|---|---|---|
| jQuery | CDN (Google, Microsoft) | Local copy of jQuery |
| Google Fonts | External CSS/fonts | System fonts or self-hosted fonts |
| Bootstrap | CSS/JS CDN | Local copy |
| Analytics | Google Analytics | Matomo (self-hosted) or $_SERVER-values |
| Images | Imgix, Cloudinary | Dedicated server or S3 compatible |

Conclusion: CDNs Are Not Necessary

CDNs and external resources are insecure by design. They introduce unnecessary risks, complexity, and dependencies, while the benefits are often overstated. By hosting everything yourself and minimizing dependencies, you build a more secure, reliable, and transparent website.

 


What can/do you gain?

Complete Control and Autonomy

No third parties: no CDNs, no external scripts, no tracking, no cookies. That means no unexpected changes, no data leaks, no lock-in.
Custom code: you write everything yourself, so you know exactly what's happening. No hidden features, no unexpected updates, no vulnerabilities you don't know about.

Optimal Preferred Performance

The lowest possible load times for your websites with a well-configured server (e.g., with HTTP/2, caching, and a fast backend). This is usually faster and more reliable than a CDN for most use cases.
No JavaScript gives you less complexity, fewer security risks, and a better user experience (especially for privacy-conscious visitors).

Privacy by Design

No cookies, no tracking: with no consent banner needed, you're not only GDPR compliant, you far exceed it. Visitors don't have to worry about what happens to their data, because no data is collected.
No user input: no forms, no comments, no uploads. This eliminates many security risks (e.g., XSS, SQL injection, spam). There are still many ways to offer interactivity with privacy to go with it, such as Bluesky, Reddit, WordPress.com, Discord, etc.

Security through Minimalism

Less attack surface: No external dependencies = fewer vulnerabilities.
No unnecessary open ports: an unmanaged VPS that only does what you configure is much harder to hack than a server with standard software and open ports.
Active monitoring: handle everything yourself and you'll immediately see if anything suspicious happens.

 

Going back to the future

Look at the pureness of the original web: a canvas and HTML. There's nothing more lightweight than that.
Some fun links that take this principle to the extreme (not that you have to go that far; they're just examples):

The 512kb club
The small web
The 1Mb club
Codemadness / Gopher Project
Motherfucking website
My convention: HTDML

Maybe, possibly, probably: you're overwhelmed right now, but you're on the right track, because the only right track is the track that goes away from Big Tech.

See you!
(somewhere back in the future)
 

Not an advertisement, but looks like it

Our society is run by a managerial bureaucracy,
by professional politicians;

people are motivated by mass suggestion,

their aim is producing more and consuming more,
as purposes in themselves.

Erich Fromm, The Art of Loving
