Cloudflare Drop is a bare-bones static hosting tool. You drag in a folder, ZIP, or an `index.html`, and Cloudflare serves it on a temporary `workers.dev` URL for 60 minutes with no account required. After that you can claim it. People quickly pinned down the practical limits from trying it. It is for static assets only, it expects an `index.html` at the root, and commenters surfaced limits of 25 megabytes per file, under 2,000 files, and under 100 megabytes total. In plain product terms, this is “Netlify Drop but on Cloudflare’s edge,” aimed squarely at quick demos, throwaway landing pages, and AI-generated mockups that need a public link fast.
Most of the energy went to two things. First, the terms of service. The launch page grants Cloudflare a perpetual, irrevocable, worldwide license, including rights to sublicense, reproduce, distribute, and create derivative works from uploaded content. A lot of people saw that as far broader than what is needed to host static files, especially the “perpetual,” “irrevocable,” and “sublicense” language. Others pointed out that this kind of clause is old boilerplate across hosting platforms and can cover mundane transformations like resizing images or reformatting pages. The practical landing point was not “they are definitely stealing your site,” but that the legal language is broad enough to make people uneasy, especially now that every broad content license gets read through an AI-training lens.
Second, people debated whether this makes the web worse by making phishing and scam hosting even easier. The pushback was that Cloudflare already lets anyone host static sites on `workers.dev`, so this mostly removes UI friction rather than creating a new capability. That said, several commenters argued the friction matters. A no-account, temporary public URL is good enough for spearphishing or short-lived malicious campaigns, especially when paired with Cloudflare’s reputation and hard-to-block infrastructure. Cloudflare likely has the same automated scanning and abuse systems it already uses for Workers and
R2, and people cited examples of Cloudflare quarantining suspicious pages and scanning storage for child sexual abuse material. But that reassurance was undercut by actual user reports of opaque failures and false positives.
That roughness showed up all over the hands-on comments. Multiple people hit generic “Something went wrong” errors. One person traced a 403 block to a default Git sample hook file in a repository. Another got stuck on Cloudflare’s own security verification page. A commenter discovered ZIPs only worked when `index.html` was present. So the product reads as useful but still under-explained and brittle. The comments that liked it were practical, not starry-eyed. This is a fast publishing path for mockups, family-and-friends websites, disposable review links, and simple personal pages. It also feels like a deliberate move toward the “vibe coding” workflow where an
LLM spits out a self-contained HTML app and the user wants a public URL without touching Git, CI, or a dashboard.