Cloudflare Law Enforcement Data Request: Police & Government Guide
How investigators work with Cloudflare: why it points you to the hosting provider rather than the content, its abuse versus legal-process channels, emergency disclosure, customer-notice policy, and the MLAT route for non-US agencies.
This guide offers general, professional guidance for law enforcement officers, prosecutors, and cybercrime investigators who need records connected to a website that uses Cloudflare. It is not legal advice. Investigators should act under proper legal authority for their jurisdiction and confirm current procedures directly with the provider before relying on any single step described here.
- Cloudflare usually points you to the host, it is not the host. For most of its products it proxies traffic and does not store the website's content.
- The single most useful thing it can give you is often the identity of the origin hosting provider behind a proxied site, plus the customer's account and billing details.
- Cloudflare distinguishes an abuse report from formal legal process. Subscriber data generally needs a subpoena, and more sensitive records generally need a court order or warrant.
- Cloudflare generally notifies its customer of a legal request unless it is legally prohibited from doing so, which matters when you plan an arrest or seizure.
- Cloudflare is US-based, so non-US agencies generally route formal requests through a US court, often via a mutual legal assistance treaty.
What Cloudflare actually is
Cloudflare is a content delivery network, DNS provider, reverse proxy, and DDoS-protection service. For the large majority of sites that use it, Cloudflare sits in front of a website that is hosted somewhere else. Visitor traffic hits Cloudflare's edge first, and Cloudflare passes it through to the customer's real server, known as the origin. Because of this pass-through model, Cloudflare is not generally the host of the website's content and does not store that content in the traditional sense.
There is an important exception. When a customer uses Cloudflare's own platform products to serve content at the edge, such as Pages, Workers, Workers KV, Stream, Images, or R2 storage, Cloudflare may itself be the origin host for that specific content. For those products, content-related requests can be directed to Cloudflare. For ordinary proxied websites, they cannot.
What Cloudflare holds, and what it does not
Cloudflare keeps limited customer account information. According to its law-enforcement guidelines, that typically includes the customer name, email address, physical address, phone number, and the means or source of payment, along with account-activity details such as login times and associated IP addresses.
What Cloudflare generally does not have for proxied sites is the website's content, and it does not routinely collect or retain data about the end users who visit customer sites. It states that it rarely has data responsive to orders seeking visitor IP logs or access dates, because any such information is retained only for a limited amount of time. Plan accordingly: do not assume Cloudflare can reconstruct who visited a site.
| What you want | Who actually has it | How to get it |
|---|---|---|
| The website's content or files (proxied site) | The origin hosting provider, not Cloudflare | Identify the host via Cloudflare, then serve the host with legal process |
| Customer account, billing, and contact details | Cloudflare | Subpoena (basic subscriber data) to Cloudflare |
| Identity of the origin host behind a proxied domain | Cloudflare | Legal process to Cloudflare, or in urgent cases an emergency request |
| Content served by Pages, Workers, Stream, Images, or R2 | Cloudflare (it is the origin here) | Court order or warrant to Cloudflare |
| Visitor IP logs and access times | Often nobody retains these long-term; check the origin host | Court order, but expect limited or no data |
Why proxying hides the origin, and why investigators come to Cloudflare
When a domain is proxied, public lookups such as WHOIS and DNS resolve to Cloudflare's IP addresses rather than the customer's real server. This is by design and protects the origin from direct attack. The side effect for investigators is that the true hosting location is masked. That is the core reason law enforcement approaches Cloudflare: not to obtain the site's content, but to pierce the proxy and learn which hosting provider sits behind it, so the content and server logs can be pursued at the real host.
Abuse report versus formal legal process
These are two separate channels and they produce very different outcomes.
- Abuse report. Cloudflare operates an abuse reporting form at its abuse page (the Trust Hub reporting-abuse section links to the current form). For proxied sites, Cloudflare typically forwards the complaint to the website operator and the responsible hosting provider, and provides the reporter with the hosting provider's contact information. This is a fast way to identify the host and to get a complaint in front of the party that can actually act on content. It is not a substitute for legal process and will not hand you subscriber records.
- Formal legal process. To compel customer records, you serve valid legal process. Cloudflare's guidelines indicate that basic subscriber data generally requires a subpoena, while more sensitive or additional information generally requires a court-issued warrant or other court order. Officers contact Cloudflare's law-enforcement channel ([email protected]) and should supply identifying details such as badge and case number, rank, agency, and unit.
The practical workflow
- Confirm the site is actually behind Cloudflare (WHOIS or DNS resolving to Cloudflare ranges, response headers).
- Decide what you need. If you want content or server-side logs, your real target is the origin host, not Cloudflare.
- Use Cloudflare to identify the origin. Submit an abuse report to obtain the hosting provider's contact details, or serve legal process to compel the customer's account and origin information.
- Serve the origin host. Once you know the hosting provider, direct your subpoena, court order, or warrant for content and logs to that host.
- In parallel, serve Cloudflare for the records it does hold, namely the customer account, billing, and contact information.
- Send a preservation request early to the relevant parties so data is not lost while legal process is prepared.
Preservation, emergency disclosure, and customer notice
Preservation versus production. A preservation request asks a provider to retain existing records so they are not deleted; it does not by itself disclose anything. Production requires the appropriate legal process. Given Cloudflare's short retention of transient data, send preservation requests promptly.
Emergency disclosure. Where a request involves an imminent danger of death or serious physical injury to a person, Cloudflare may disclose information without delay, evaluated case by case under US law. Use the law-enforcement channel and clearly document the emergency.
Non-US agencies and MLAT
Cloudflare is a US-based company. It expects non-US governments to follow the same due-process requirements and generally prefers requests to come through a US court by way of a diplomatic process such as a mutual legal assistance treaty request. Non-US investigators should factor this routing, and the time it takes, into their plans, while still using the abuse channel to identify the host in the meantime. Cloudflare publishes a transparency report on a recurring basis and maintains public law-enforcement guidelines; review the current versions before submitting.
Frequently asked questions
Can Cloudflare give me the website's content? For ordinary proxied sites, no. Cloudflare does not host that content; it proxies it. You obtain content from the origin hosting provider. The exception is content served through Cloudflare's own edge products such as Pages, Workers, Stream, Images, and R2, where Cloudflare may be the host.
How do I find the real host behind a Cloudflare site? Ask Cloudflare. An abuse report typically yields the hosting provider's contact information, and formal legal process can compel the customer's account and origin details. Then serve that host directly.
What legal process do I need, and will the customer be told? Basic subscriber data generally needs a subpoena; more sensitive records generally need a court order or warrant. Cloudflare generally notifies the customer unless it is legally prohibited, so seek a non-disclosure order if secrecy matters.
I am outside the United States. What do I do? Use the abuse channel to identify the host quickly, but route formal compelled-disclosure requests through the appropriate US legal process, commonly via an MLAT request.
Related guides
- Cloud evidence: getting data from AWS, Azure, and Google Cloud
- IP and domain attribution: turning an address into a suspect
- Getting evidence from social media platforms: records, preservation, and legal process
For the full directory of platform law-enforcement request portals, see our LERS portal hub.