Methods / L7 / HTTP-CLOUDFLARE
L7 · ApplicationLayer 7HTTP/2Challenge BypassProxied
HTTP-CLOUDFLARE stress test
An HTTP/2 request flood tuned to push through edge challenges so you can verify your Cloudflare and CDN protections hold under realistic stress.
How it works
This method sends HTTP/2 requests that mirror legitimate browser negotiation and challenge-passing behavior, distributed across a proxy pool to spread origin per source. It probes the full edge-to-origin path: challenge pages, bot management scoring, WAF rules, and origin connection limits. Optional crawl and deep-crawl modes discover real URLs on the site so the flood hits cacheable and dynamic endpoints the way live traffic would, validating that your protections shield the origin rather than just the front page.
Parameters
rate125k rq/sRequests per second per worker after edge negotiation.
streams4-100Concurrent HTTP/2 streams multiplexed per connection.
crawl_depthoff / shallow / deepHow aggressively to discover and target real site URLs.
duration30s-30mLength of the sustained test window.
Run it from the CLI
retro-cli
$ retro run http-cloudflare --target https://example.com --rps 800 --duration 120
HTTP-CLOUDFLARE FAQ
Does this validate my Cloudflare setup specifically?+
It validates any CDN or edge protection that uses HTTP/2 negotiation, challenges, and bot scoring. A correctly configured edge should keep challenging or rate-limiting the traffic so your origin stays untouched.
Why does it crawl the site first?+
Crawling finds real URLs, including dynamic and uncacheable endpoints, so the test reflects how a distributed flood would actually exercise your application rather than just hitting a cached homepage.
What outcome means my defenses passed?+
Challenge and rate-limit pages keep serving, origin request volume stays flat, and response times for legitimate users remain stable for the full duration.