Nowadays, attackers are more and more eager to take your website down, to gather your data, and to exploit every little vulnerability you might have. Protecting itself against malicious activity has become a major concern for every company.
When thinking about what to put in place to improve your security, there are mainly two situations:
- You're big enough and have the knowledge in-house to manage the whole security stack
- You don't have the expertise or you don't want to spend a huge human effort on setting up the security
In the first case, you need one or multiple teams dedicated to security to build a safe and secure infrastructure and to keep it up to date with the latest vulnerabilities found. Since you should ask yourself "when" and not "if" you're going to be attacked, this team should also know how to react when something goes south at each security level.
If you're a small company, or a company that doesn't want to invest in a highly skilled security team, you will probably look for market solutions and providers that can handle these concerns for you, or at least ease the management of many security aspects. Nevertheless, you will still need dedicated security people to manage the selected solutions as well as other security aspects, such as user awareness to prevent phishing.
Beware that choosing a third party comes with its downsides: you become, to a certain extent, dependent on their infrastructure, their partners and their problems (availability, security). Thus, you can encounter issues over which you have no control.
Migros Online and Cloudflare
At Migros Online, we decided a few years back to work with Cloudflare to have a single entry point for our infrastructure (on-premises back then, in the cloud today).
Using such a tool brought us many security and performance benefits for our website and our mobile applications:
- Content Delivery Network (CDN): edge caching allows us to serve assets without hitting the backend on every request
- Web Application Firewall (WAF): we are able to protect our public endpoints with simple rules in a few clicks (or a few lines of Terraform code ;-))
- Basic sets of rules managed directly by Cloudflare, allowing us to fix deeper issues with serenity (as an example, the Log4Shell vulnerability was automatically handled by Cloudflare, giving us the time to patch our backend systems without pressure)
- Bot protection: automatic categorization of the traffic and the ability to easily act on requests based on the rating assigned by the platform
- Distributed Denial of Service (DDoS) protection: automatic discovery of DDoS attacks and direct mitigation
- Zero Trust mechanisms: we are able to expose private endpoints, but secure them behind the Zero Trust product, bound to our authentication provider
- Cloudflare WARP: a tunneling solution to access internal resources that we don't want to expose publicly, even behind Zero Trust
Thanks to Cloudflare, we were able to consolidate our public exposure, simplify its management and gain confidence that we are in good hands when problems arise.
Cloudflare Immerse 2025
As an example of how Migros Online uses Cloudflare, I went on stage (for the first time!) during the Cloudflare Immerse 2025 event in Zurich to present how Cloudflare helped us mitigate DDoS attacks we faced in the past.
The recording is available below and outlines the Migros Online context, what issues we faced and how Cloudflare was a key element in solving the problem.