Is Cloudflare Quantum Safe?
Partially. Cloudflare has been a PQC leader — deploying experimental hybrid PQC key exchange (X25519+ML-KEM-768) on its edge network since 2022. However, full PQC coverage across all Cloudflare products is not yet complete.
Key Takeaway: Cloudflare is only partially quantum safe. Scan your Cloudflare-protected infrastructure with QScout. Verify PQC key exchange is active on edge connections. Audit origin server TLS for PQC readiness. Monitor Cloudflare blog for product-level PQC announcements.
- Modality
- Infrastructure
- Vulnerability
- Cloudflare edge supports hybrid PQC TLS for capable clients. Origin connections and many Cloudflare products still use classical key exchange vulnerable to quantum attack.
- NIST status
- Cloudflare is aligned with NIST FIPS 203 (ML-KEM). Hybrid PQC deployed on edge network. Full product-wide PQC coverage in progress.
- Replaced by
- Cloudflare is deploying ML-KEM-768 (FIPS 203) across its network in hybrid mode with X25519
- Deprecation
- Cloudflare has deployed PQC on the edge but full product coverage timeline is not published.
Technical Analysis
Cloudflare is partially quantum safe and is one of the most advanced infrastructure providers in PQC deployment.
Current State
Cloudflare's edge network supports hybrid PQC TLS key exchange (X25519+ML-KEM-768) for connections from browsers that support it (Chrome 124+, Firefox experimental). Origin-to-Cloudflare connections and many Cloudflare products still use classical TLS.
PQC Progress
Cloudflare has been a consistent PQC pioneer:
- Edge TLS: Hybrid X25519+ML-KEM-768 key exchange deployed on Cloudflare's edge for supporting clients.
- Research: Cloudflare published extensive PQC performance research and benchmarks.
- CIRCL: Cloudflare's cryptographic library includes ML-KEM and ML-DSA implementations.
- Origin connections: TLS from Cloudflare to customer origin servers typically uses classical key exchange.
- Cloudflare Tunnel: Uses classical TLS for tunnel connections.
HNDL Risk
Edge-to-client connections with PQC-capable browsers are protected. However, origin-to-Cloudflare connections, Cloudflare Workers, and API calls to Cloudflare services still use classical key exchange in most cases.
What Organizations Should Do
Verify that your Cloudflare configuration enables PQC key exchange on the edge. Audit origin server TLS configurations. Use QScout to map your complete Cloudflare-connected cryptographic surface.
At a glance
| Full Name | Cloudflare CDN and Security |
| Category | infrastructure |
| Quantum Vulnerability | Cloudflare edge supports hybrid PQC TLS for capable clients. Origin connections and many Cloudflare products still use classical key exchange vulnerable to quantum attack. |
| NIST Status | Cloudflare is aligned with NIST FIPS 203 (ML-KEM). Hybrid PQC deployed on edge network. Full product-wide PQC coverage in progress. |
| Deprecation Timeline | Cloudflare has deployed PQC on the edge but full product coverage timeline is not published. |
| Replaced By | Cloudflare is deploying ML-KEM-768 (FIPS 203) across its network in hybrid mode with X25519 |
Migration Guidance
Scan your Cloudflare-protected infrastructure with QScout. Verify PQC key exchange is active on edge connections. Audit origin server TLS for PQC readiness. Monitor Cloudflare blog for product-level PQC announcements.
How Qtonic Quantum Can Help
Don’t Know Where Cloudflare Lives in Your Stack?
QScout discovers instances of Cloudflare across your infrastructure in 7 days — designed to minimize operational disruption. 72-hour time to first findings.