Cloudflare is deprecating the __cfduid cookie. Starting on 10 May 2021, we will stop adding a “Set-Cookie” header on all HTTP responses. The last __cfduid cookies will expire 30 days after that.

We never used the __cfduid cookie for any purpose other than providing critical performance and security services on behalf of our customers. Although, we must admit, calling it something with “uid” in it really made it sound like it was some sort of user ID. It wasn’t. Cloudflare never tracks end users across sites or sells their personal data. However, we didn’t want there to be any questions about our cookie use, and we don’t want any customer to think they need a cookie banner because of what we do.

Here’s what the response headers from a Cloudflare-proxied site look like right now. Notice the __cfduid cookie in the set-cookie header. By the time next summer rolls around (if the world hasn’t ended by then), this cookie will no longer exist for sites using Cloudflare.

brianli@Brians-MacBook-Pro ~ % curl -I
HTTP/2 200
date: Thu, 10 Dec 2020 04:47:28 GMT
content-type: text/html; charset=utf8
set-cookie: __cfduid=de24d1642cc1eecc33da2815f437111f91607575648; expires=Sat, 09-Jan-21 04:47:28 GMT; path=/;; HttpOnly; SameSite=Lax; Secure
accept-ranges: bytes
cf-cache-status: MISS
referrer-policy: unsafe-url
x-content-type-options: nosniff
x-frame-options: DENY
x-xss-protection: 1; mode=block
cf-request-id: 06ec92cf2800001d77d4054000000001
expect-ct: max-age=604800, report-uri=""
report-to: {"endpoints":[{"url":"https:\/\/\/report?s=S4f5sa95l%2ByibGNy5na6EofNEJ9NGyN%2BFv8hpZYUjfRHNpf72k3os8VnDqSSwarW4ar8UthzvWL5lE%2BMCXhctmuxP%2Bnh4jP2Swc2rQ%3D%3D"}],"group":"cf-nel","max_age":604800}
nel: {"report_to":"cf-nel","max_age":604800}
strict-transport-security: max-age=15552000; includeSubDomains; preload
server: cloudflare
cf-ray: 5ff453f83fc51d77-NRT
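As an added example (not code from this post or from Cloudflare), here is a small Python audit that parses a captured header block like the one above, pulls the Set-Cookie value apart (tolerating the doubled `;;` in the capture), and reports whether __cfduid is still being set, how long it lives, and which attributes it carries; SAMPLE_HEADERS is a constructed copy of the capture above.

```python
# Added example (not Cloudflare's code): audit captured response headers for __cfduid.
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed sample modelled on the curl -I capture above.
SAMPLE_HEADERS = """HTTP/2 200
date: Thu, 10 Dec 2020 04:47:28 GMT
content-type: text/html; charset=utf8
set-cookie: __cfduid=de24d1642cc1eecc33da2815f437111f91607575648; expires=Sat, 09-Jan-21 04:47:28 GMT; path=/;; HttpOnly; SameSite=Lax; Secure
server: cloudflare
"""

def parse_set_cookie(value: str) -> dict:
    """Split a Set-Cookie value into name, value and a lower-cased attribute map.
    Empty segments (the stray ';;') are dropped; bare flags like HttpOnly map to True."""
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name, _, cookie_value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": cookie_value, "attrs": attrs}

def audit_cfduid(raw_headers: str, now_http_date: Optional[str] = None) -> dict:
    """Report whether the response still sets __cfduid. 'active' compares the cookie's
    expires attribute with now_http_date (an HTTP-date string, defaulting to the
    response's Date header); 'lifetime_days' is the gap between Date and expiry."""
    headers, cookies = {}, []
    for line in raw_headers.splitlines():
        key, sep, val = line.partition(":")
        if not sep:
            continue  # status line or blank line
        if key.lower() == "set-cookie":
            cookies.append(parse_set_cookie(val))
        else:
            headers[key.lower()] = val.strip()
    cf = next((c for c in cookies if c["name"] == "__cfduid"), None)
    if cf is None:
        return {"present": False, "cookies": [c["name"] for c in cookies]}
    sent = parsedate_to_datetime(headers["date"])
    expires = parsedate_to_datetime(cf["attrs"]["expires"])
    ref = parsedate_to_datetime(now_http_date) if now_http_date else sent
    a = cf["attrs"]
    return {"present": True, "active": expires > ref,
            "lifetime_days": (expires - sent).days,
            "secure": a.get("secure") is True,
            "httponly": a.get("httponly") is True,
            "samesite": a.get("samesite")}
```

Run it against a fresh `curl -I` capture of your own site after the deprecation date; `present` should come back False.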

This is a great move by Cloudflare. Even though Cloudflare explicitly stated that “they never used the __cfduid cookie for any purpose other than providing critical performance and security services”, some people seemed to think it was part of some grand user behavior tracking scheme – which is a silly and ironic concern in the first place because Cloudflare is literally a proxy service.

The removal of the __cfduid cookie will also please web performance enthusiasts who are still stuck in their ways and optimizing for legacy conventions. After this cookie is removed from HTTP responses, it’ll finally be possible to avoid the “use cookie-free domains” suggestion when using the GTmetrix performance testing tool – not that it really matters from a technical standpoint, because the __cfduid cookie was never a performance-inhibiting factor in the first place. With that said, I guess it’s nice to optimize for cosmetic metrics if you’re into that sort of thing.

Anyway, a win-win situation for Cloudflare.