Cloudflare IP ranges & what they mean for fraud
Cloudflare publishes the egress ranges of its CDN and WARP infrastructure. Most traffic you see *through* Cloudflare carries the visitor’s real IP in headers — these ranges matter when a request *originates* from Cloudflare infrastructure itself.
How Sentinel uses these ranges
Because Cloudflare is a CDN, the useful distinction is traffic originating from these ranges versus traffic merely served through them — Sentinel's signal applies to the former. The numbers above come from Cloudflare's own published range feed — the same feed Sentinel's verdict pipeline refreshes continuously, so a new range is scored within hours of publication, not whenever a static database ships.
Range data adds a signal; it never overrides deeper network detection. VPN exits live in datacenters, so a range hit doesn't short-circuit tunnel analysis — an IP in Cloudflare's ranges that is also a VPN exit gets both signals, and your policy sees the full picture in the reasons array.
Should you block Cloudflare traffic?
A request originating from CDN infrastructure (rather than being proxied through it for a website) is unusual for a human visitor — commonly a Worker, a WARP exit, or automation.
The honest answer is: it depends on the surface. A datacenter IP on a signup, login, or checkout is a strong review signal — humans overwhelmingly arrive from residential and mobile networks. The same IP calling your API is often just a legitimate backend. Sentinel returns the raw signal so you can apply exactly that asymmetric policy instead of a blanket block.
curl -X POST https://sntlhq.com/v1/evaluate \ -H "Authorization: Bearer sk_test_sandbox" \ -H "Content-Type: application/json" \ -d '{"token":"test_datacenter"}'
The sandbox key returns the documented datacenter-verdict shape (decision, risk_score, network.datacenter) — no signup required. Details in the API docs.
Free tier: 1,000 requests/hour. No card, no expiry.