How Cloudflare protects customers from cache poisoning
On August 20, 2018, a "practical" cache poisoning attack was discovered by Cloudflare and the rest of the world. In this type of attack, a malicious user crafts an HTTP request that tricks the origin into producing a "poisoned" version of a file that has the same cache key as an innocuous request. To mitigate this vulnerability, Cloudflare has taken several steps, including notifying customers who are at risk and blocking all requests that contain obviously malicious content in an HTTP header. Additionally, it has included "interesting" header values in the cache key to prevent unnecessary cache sharding.
Company: Cloudflare
Date published: Aug. 20, 2018
Author(s): Jon Levine
Word count: 891
Hacker News points: None found.
Language: English