Cloudflare isn't really to blame here when the customer has FULL control over all security settings - they can define rules as they please, and have all the tools (including the API) to do this.
This sounds like victim blaming, honestly. If Troy Hunt, one of the most well-known security researchers around and who's been running HIBP for almost a decade now, ends his blog post with effectively a shrug saying "I dunno what happened", how is any reasonable customer who doesn't have access to the Enterprise plan supposed to debug any of this, especially when Cloudflare themselves barely admitted fault? They even tried rolling back the OWASP ruleset and it didn't change a thing. He had to manually add the exceptions to the firewall. This is arguably terrible DX.
I feel like Cloudflare could do a lot better at letting the customer know they are using rules managed by them and how that affects their traffic. But at the end of the day, enterprise customers should be experts at this (and in many cases have people employed whose job is literally for this) - and they have all the tools available to them.
If even Cloudflare admits the error and doesn't even know what triggered it and hadn't fixed the error by the end of the post (which required manual intervention by Troy to bypass), I genuinely don't understand how you expect "experts" to deal with this. This just feels like a non-sequitur.