You move your site behind Cloudflare (or CloudFront, or any CDN/WAF), watch the dashboard light up green, and feel safe. The edge will soak up the floods now. Right?
Mostly. But there is a quiet failure mode that undoes the whole thing in one step, and almost nobody tests for it: origin IP exposure.
The problem in one sentence
A CDN only filters the traffic that actually passes through it. If your origin server still answers on its own public IP, an attacker who learns that IP just connects straight to it, and every layer of DDoS and WAF protection you are paying for is bypassed.
The edge is protecting a secret (your origin IP), not a wall. And secrets leak.






