Where your traffic goes
This is the fundamental difference. With Cloudflare Tunnel, every request to your app travels through Cloudflare's edge network before reaching your server. With VibeWarden, traffic goes directly to your server and the sidecar handles security locally.
Cloudflare Tunnel: User --> Cloudflare Edge --> cloudflared --> Your App ^ All traffic passes through Cloudflare VibeWarden: User --> VibeWarden (sidecar) --> Your App ^ Runs on your server. Data never leaves your infra.
For many apps, routing through Cloudflare is fine. But if you handle sensitive data, operate under data residency requirements, or simply want to control where your traffic flows, the sidecar model is simpler and more transparent.
Feature comparison
| Capability | Cloudflare Tunnel | VibeWarden |
|---|---|---|
| Expose local service | Yes (via Cloudflare edge) | Yes (direct, with TLS) |
| TLS | Cloudflare-managed (edge cert) | Let's Encrypt (your cert, on your server) |
| Authentication | Cloudflare Access (paid, starts at $7/user/mo on some plans) | Built in (Kratos), free |
| WAF | Cloudflare WAF (paid add-on) | Built in (OWASP rules), free |
| Rate limiting | Cloudflare rules (limited on free plan) | Built in (per-IP, per-user), free |
| DDoS protection | Yes (Cloudflare's global network) | Rate limiting only (no global edge) |
| Global CDN | Yes | No (sidecar runs on your server) |
| AI-readable logs | No (Cloudflare dashboard/API) | Structured JSON events with schemas |
| Prompt injection detection | No | Built in |
| Egress proxy | No | Built in (allowlist, audit) |
| Data residency | Traffic passes through Cloudflare | Traffic stays on your server |
| Open source | cloudflared is OSS; service is proprietary | Fully open source (Apache 2.0) |
| Vendor lock-in | Tied to Cloudflare account and DNS | None (runs anywhere) |
The cost question
Cloudflare Tunnel itself is free. But the security features that make it useful are not:
- Cloudflare Access (authentication) -- paid, per-user pricing on most plans
- Cloudflare WAF -- paid add-on for custom rules
- Advanced rate limiting -- limited on the free plan, paid for granular control
VibeWarden includes auth, WAF, and rate limiting in the single binary. No tiers, no per-user fees, no surprise bills.
What VibeWarden adds that Cloudflare Tunnel does not do
- Egress proxy -- control which external APIs your app can call. Cloudflare Tunnel only handles inbound traffic.
- Prompt injection detection -- inspect requests for LLM injection patterns before they reach your model.
- AI-readable structured logs -- every security event is a JSON document with a published schema, designed for AI agents to parse.
- Full source code access -- audit it, fork it, modify it. No black box.
When Cloudflare Tunnel is the better choice
Cloudflare Tunnel has real advantages that VibeWarden does not try to replicate:
- DDoS protection -- Cloudflare's global edge network absorbs volumetric attacks. VibeWarden cannot do this; it runs on a single server.
- Global CDN -- if you serve static assets to users worldwide, Cloudflare's edge caching reduces latency significantly.
- No open ports -- Cloudflare Tunnel uses outbound connections only, so you never need to open port 443 on your firewall. Useful in restrictive network environments.
- Existing Cloudflare investment -- if your DNS, CDN, and monitoring already run on Cloudflare, the tunnel fits naturally into that stack.
The bottom line
If you want security without third-party dependencies, data routing through your own infrastructure, and built-in features that Cloudflare charges extra for, VibeWarden is the better fit. If you need global DDoS protection or CDN caching, Cloudflare Tunnel does things VibeWarden does not -- and you can always put Cloudflare in front of VibeWarden if you need both.