Implemented Option to globally disable ability to upload from URL


Well-known member
As title says because when using CloudFlare to protect your server from DDoS attacks the "Upload from URL" feature is an easy way for atackers to find your real IP


Well-known member
The image proxy, if a forum is using it, provides another way to retrieve the server's IP address, because it must reach out to third-party hosts to download image files and any logs will show this information.

I'm just getting familiar with CloudFlare, but I presume the best practice is to use the server's firewall to restrict incoming traffic from CloudFlare servers and a small subset of other trusted services which need to access it. That way, even though your server's public IP is known, it will be much easier to mitigate any attacks.