Hims & Hers × Cloudflare
Executive Brief · Vendor Consolidation

One network for Hims’s edge, security, images, storage & AI.

Cloudflare already sits in front of www.hims.com and api.forhims.com. Fold the images, storage, API protection and the AI Health Companion onto that same network — fewer vendors, one control plane, and HIPAA-aligned logging for a telehealth business carrying PHI on every request.

From vendor sprawl to one network

Identified on hims.com today (DNS, headers & the homepage app config), plus the SSE incumbent (*per account-team), and where each function can live on Cloudflare.

7 vendors → 1 network

Today:
  • Cloudflare: www + api
  • Cloudinary: image delivery
  • Fastly: apex CDN
  • AWS S3 / CloudFront: media · storage
  • reCAPTCHA: bot / captcha
  • Health Companion: self-hosted AI
  • Netskope: SSE / ZTNA*

On Cloudflare: one network · one bill · one control plane

Goal: cut annual vendor spend 50%+

Nine consolidation plays

Each maps to something Hims is running today — observed on hims.com or in the app config.
01 · Consolidate the edge

↳ folds the Fastly apex into Cloudflare

www.hims.com and api.forhims.com already run on Cloudflare — but the apex still resolves to Fastly. Move it onto the same edge for one CDN, one WAF, and one set of logs.

  • Identified: apex 151.101.x (Fastly) + via: varnish
  • www + api already respond with server: cloudflare
  • One cache, one ruleset, one bill

02 · Cloudflare Images

↳ replaces Cloudinary

Same URL-based resize, crop and format-shifting for product, before/after and editorial imagery — delivered from the very CDN already serving hims.com. One bill instead of a separate media SaaS.

  • Identified: cloudinary.forhims.com (og:image + assets)
  • Per-image pricing, no egress surprises
  • Auto AVIF/WebP for a faster mobile intake flow

03 · R2 — egress-free storage

↳ offloads AWS S3 / CloudFront

Lab results, visit recordings, prescription docs and the media archive carry recurring egress tax on S3/CloudFront. R2 charges $0 egress — a HIPAA-aware origin feeding the web, Images and AI stack.

  • S3-compatible API; zero egress fees
  • Natural origin for Images & AI Gateway
  • Encrypted object store for PHI artifacts

04 · Firewall for AI + AI Gateway — govern the Health Companion

PHI protection · cost control · audit logging

Hims runs a self-hosted Health Companion ML service that talks to patients. AI Gateway puts a governed front door on every LLM call — caching, rate-limits, spend caps and full request logging a regulated provider needs. Firewall for AI blocks prompt injection and PHI leakage before it reaches a model.

  • Identified: health-companion-service…himshers.com
  • PII/PHI redaction + prompt-injection defense
  • One HIPAA-aware log across any model provider
  • Pairs with R2 + Vectorize for retrieval on your own data

05 · API Protection

↳ Cloudflare API Shield

Hims runs on APIs — intake, accounts, pharmacy and EMR integrations carrying PHI. API Shield discovers every endpoint and enforces schema, auth and volumetric limits inline at the edge.

  • Identified: GraphQL at api.forhims.com/graphql
  • mTLS & JWT validation; block BOLA / abuse
  • Schema validation on pharmacy / EMR partner APIs

06 · Mobile App Security

↳ secures the Hims & Hers mobile app

Issue per-app credentials to the Hims & Hers iOS / Android app so only the genuine app can call your APIs — backed by bot, automation and account-takeover defenses tuned for consumer health and PHI.

  • API Shield mobile SDK → mTLS client attestation
  • Bot Management blocks emulators & scripted abuse
  • Account-takeover & fraud signals at login / refill

07 · Bot Management + Turnstile

↳ replaces Google reCAPTCHA

Swap reCAPTCHA for privacy-first Turnstile and point Bot Management at the intake and checkout funnel — stopping fake consultations, promo abuse and account-takeover for a subscription DTC health brand.

  • Identified: reCAPTCHA keys in the app config
  • No user-facing puzzles; better intake conversion
  • ML bot scoring on login, intake & checkout

08 · Page Shield — payment & PHI pages

↳ client-side / Magecart defense

Real-time JavaScript supply-chain monitoring on the Adyen / Stripe checkout and intake pages — catching skimmers before they touch patient payment data or PHI. PCI + HIPAA in one control.

  • Identified: Adyen + Stripe live keys in app config
  • Detects unauthorized third-party scripts
  • Audit trail of every script on sensitive pages

09 · Cloudflare One — Zero Trust for PHI / retire Netskope

↳ Access + Gateway + CASB + DLP + Email Security

Collapse Secure Web Gateway, DNS filtering, CASB, DLP and ZTNA onto Cloudflare One — gating internal clinical, EMR and engineering tools, with AI Prompt Protection so PHI never leaks into consumer ChatGPT. One agent, one policy engine, one set of logs for auditors.

  • Access (ZTNA) in front of clinical & eng tools
  • DLP + AI Prompt Protection on outbound PHI
  • Email Security (Auth0 SSO via Access) stops BEC
  • Runs on the same edge as your web & API security

Consolidation roadmap

A staged path — protect the Health Companion and land quick wins first, expand security & API coverage, then displace the big SSE spend.

First 6 months · Protect AI & quick wins

  • AI Gateway + Firewall for AI on the Health Companion
  • Cloudinary → Cloudflare Images
  • Stand up R2; move egress-heavy media off AWS
  • API Shield discovery + schema on the GraphQL API
  • Consolidate the Fastly apex onto Cloudflare

By 12 months · Expand & secure

  • reCAPTCHA → Turnstile + Bot Management on intake
  • Page Shield on Adyen / Stripe checkout & PHI pages
  • Zero Trust (Access) for clinical & eng tools
  • mTLS on pharmacy / EMR partner APIs
  • "Ask Hims" AutoRAG copilot on R2 + Vectorize

Within 2 years · Consolidate & displace

  • Full Cloudflare One — retire Netskope (SWG/CASB/DLP/ZTNA)
  • DLP + AI Prompt Protection on outbound PHI
  • Email Security in front of the inbox
  • One control plane + HIPAA-aligned unified logging
  • Single vendor relationship & commercial agreement

Consolidation snapshot

Current-state vendors are evidence-based — identified from DNS, HTTP headers and the live hims.com app configuration.
Function              | Today                            | How it was identified                                  | On Cloudflare
CDN / edge            | Cloudflare + Fastly              | www/api: server: cloudflare; apex 151.101 (Fastly)     | Consolidate on Cloudflare
Image delivery        | Cloudinary                       | cloudinary.forhims.com (og:image)                      | Cloudflare Images
Object storage        | AWS S3 / CloudFront              | Media / lab-result archive                             | R2 (egress-free)
AI traffic control    | Self-hosted Health Companion     | health-companion-service…himshers.com                  | AI Gateway + Firewall for AI
API protection        | App proxies / manual rules       | GraphQL at api.forhims.com/graphql                     | API Shield
Mobile app security   | In-app / 3rd-party SDKs          | Consumer iOS / Android health app                      | API Shield mobile SDK + Bot Mgmt
Bot / captcha         | Google reCAPTCHA                 | reCAPTCHA keys in app config                           | Bot Management + Turnstile
Payments / client-side| Adyen + Stripe                   | Live client keys in app config                         | Page Shield
Identity / SSO        | Auth0                            | prod-forhims.us.auth0.com                              | Access (SSO front door)
SSE / Zero Trust      | Netskope (NG-SWG + NPA)          | Account-team input                                     | Cloudflare One

How we know — observed on hims.com

No assumptions: every current-state vendor below was identified from public DNS, HTTP response headers, and the live hims.com homepage application configuration.
  • Cloudflare: www + api (cf-ray)
  • Fastly: apex 151.101 · via: varnish
  • Cloudinary: cloudinary.forhims.com
  • Auth0: prod-forhims.us.auth0.com
  • Adyen + Stripe: live keys in app config
  • Datadog: hims-prod RUM
  • Zendesk: support.hims.com