I’m not a fan of vendors “not supporting something” as a reason to not use something. Either get a new vendor, put pressure on the vendor, or ignore the feature you want to use.
I personally don’t care about what cloudflare does because I don’t use them.
The rest is RTFM for whatever API you are calling and you usually have to send auth or cookies anyway, so an accept header isn’t that big of a deal.
I dropped Accept header support from https://datasette.io/ because it's open source software that I build for other people to use, and I knew that it was very likely one of my users would choose to run it behind Cloudflare (or run it on a vendor like Vercel who might have a partnership with Cloudflare).
FWIW, WordPress uses the Vary: Accept header for a number of apis and it seems to always work fine behind cloudflare and runs a sufficiently large portion of the internet. But, you're telling me I can hit all these site's public api's that are behind cloudflare and start a DOS by simply sending an uncommon ACCEPT header? Sounds like an easy way to pressure cloudflare to 'do the right thing' if you own a botnet.
Anyway, I guess this is yet another reason to not use cloudflare. Thanks for your comment.
