Cloudflare changelogs | Application performance

DNS - Internal DNS - now in open beta

Tue, 31 Mar 2026 00:00:00 GMT

Internal DNS is now in open beta.

Who can use it?

Internal DNS is bundled as a part of Cloudflare Gateway and is now available to every Enterprise customer with one of the following subscriptions:

Cloudflare Zero Trust Enterprise
Cloudflare Gateway Enterprise

To learn more and get started, refer to the Internal DNS documentation.

Cache - Cache Response Rules

Tue, 24 Mar 2026 00:00:00 GMT

You can now control how Cloudflare handles origin responses without changing your origin. Cache Response Rules let you modify Cache-Control directives, manage cache tags, and strip headers like Set-Cookie from origin responses before they reach Cloudflare's cache. Whether traffic is cached or passed through dynamically, these rules give you control over origin response behavior that was previously out of reach.

What changed

Cache Rules previously only operated on request attributes. Cache Response Rules introduce a new response phase that evaluates origin responses and lets you act on them before caching. You can now:

Modify Cache-Control directives: Set or remove individual directives like no-store, no-cache, max-age, s-maxage, stale-while-revalidate, immutable, and more. For example, remove a no-cache directive your origin sends so Cloudflare can cache the asset, or set an s-maxage to control how long Cloudflare stores it.
Set a different browser Cache-Control: Send a different Cache-Control header downstream to browsers and other clients than what Cloudflare uses internally, giving you independent control over edge and browser caching strategies.
Manage cache tags: Add, set, or remove cache tags on responses, including converting tags from another CDN's header format into Cloudflare's Cache-Tag header. This is especially useful if you are migrating from a CDN that uses a different tag header or delimiter.
Strip headers that block caching: Remove Set-Cookie, ETag, or Last-Modified headers from origin responses before caching, so responses that would otherwise be treated as uncacheable can be stored and served from cache.

Benefits

No origin changes required: Fix caching behavior entirely from Cloudflare, even when your origin configuration is locked down or managed by a different team.
Simpler CDN migration: Match caching behavior from other CDN providers without rewriting your origin. Translate cache tag formats and override directives that do not align with Cloudflare's defaults.
Native support, fewer workarounds: Functionality that previously required workarounds is now built into Cache Rules with full Tiered Cache compatibility.
Fine-grained control: Use expressions to match on request and response attributes, then apply precise cache settings per rule. Rules are stackable and composable with existing Cache Rules.

Get started

Configure Cache Response Rules in the Cloudflare dashboard under Caching > Cache Rules, or via the Rulesets API. For more details, refer to the Cache Rules documentation.

DNS - DNS Analytics for Customer Metadata Boundary set to EU region

Fri, 20 Mar 2026 00:00:00 GMT

DNS Analytics is now available for customers with Customer Metadata Boundary (CMB) set to EU. Query your DNS analytics data while keeping metadata stored in the EU region.

This update includes:

DNS Analytics — Access the same DNS analytics experience for zones in CMB=EU accounts.
EU data residency — Analytics data is stored and queried from the EU region, meeting data localization requirements.
DNS Firewall Analytics — DNS Firewall analytics is now supported for CMB=EU customers.

Availability

Available to customers with the Data Localization Suite who have Customer Metadata Boundary configured for the EU region.

Where to find it

Authoritative DNS: In the Cloudflare dashboard, select your zone and go to the Analytics page.
Go to Analytics
DNS Firewall: In the Cloudflare dashboard, go to the DNS Firewall Analytics page.
Go to Analytics

For more information, refer to DNS Analytics and DNS Firewall Analytics.

Cache - Asynchronous stale-while-revalidate

Thu, 26 Feb 2026 00:00:00 GMT

Cloudflare's stale-while-revalidate support is now fully asynchronous. Previously, the first request for a stale (expired) asset in cache had to wait for an origin response, after which that visitor received a REVALIDATED or EXPIRED status. Now, the first request after the asset expires triggers revalidation in the background and immediately receives stale content with an UPDATING status. All following requests also receive stale content with an UPDATING status until the origin responds, after which subsequent requests receive fresh content with a HIT status.

stale-while-revalidate is a Cache-Control directive set by your origin server that allows Cloudflare to serve an expired cached asset while a fresh copy is fetched from the origin.

Asynchronous revalidation brings:

Lower latency: No visitor is waiting for the origin when the asset is already in cache. Every request is served from cache during revalidation.
Consistent experience: All visitors receive the same cached response during revalidation.
Reduced error exposure: The first request is no longer vulnerable to origin timeouts or errors. All visitors receive a cached response while revalidation happens in the background.

Availability

This change is live for all Free, Pro, and Business zones. Approximately 75% of Enterprise zones have been migrated, with the remaining zones rolling out throughout the quarter.

Get started

To use this feature, make sure your origin includes the stale-while-revalidate directive in the Cache-Control header. Refer to the Cache-Control documentation for details.

Cache - Audit Logs for Cache Purge Events

Tue, 25 Nov 2025 00:00:00 GMT

You can now review detailed audit logs for cache purge events, giving you visibility into what purge requests were sent, what they contained, and by whom. Audit your purge requests via the Dashboard or API for all purge methods:

Purge everything
List of prefixes
List of tags
List of hosts
List of files

Example

The detailed audit payload is visible within the Cloudflare Dashboard (under Manage Account > Audit Logs) and via the API. Below is an example of the Audit Logs v2 payload structure:

{
  "action": {
    "result": "success",
    "type": "create"
  },
  "actor": {
    "id": "1234567890abcdef",
    "email": "user@example.com",
    "type": "user"
  },
  "resource": {
    "product": "purge_cache",
    "request": {
      "files": [
        "https://example.com/images/logo.png",
        "https://example.com/css/styles.css"
      ]
    }
  },
  "zone": {
    "id": "023e105f4ecef8ad9ca31a8372d0c353",
    "name": "example.com"
  }
}

Get started

To get started, refer to the Audit Logs documentation.

Cache - Inspect Cache Keys with Cloudflare Trace

Fri, 07 Nov 2025 00:00:00 GMT

You can now see the exact cache key generated for any request directly in Cloudflare Trace. This visibility helps you troubleshoot cache hits and misses, and verify that your Custom Cache Keys — configured via Cache Rules or Page Rules — are working as intended.

Previously, diagnosing caching behavior required inferring the key from configuration settings. Now, you can confirm that your custom logic for headers, query strings, and device types is correctly applied.

Access Trace via the dashboard or API, either manually for ad-hoc debugging or automated as part of your quality-of-service monitoring.

Example scenario

If you have a Cache Rule that segments content based on a specific cookie (for example, user_region), run a Trace with that cookie present to confirm the user_region value appears in the resulting cache key.

The Trace response includes the cache key in the cache object:

{
  "step_name": "request",
  "type": "cache",
  "matched": true,
  "public_name": "Cache Parameters",
  "cache": {
    "key": {
      "zone_id": "023e105f4ecef8ad9ca31a8372d0c353",
      "scheme": "https",
      "host": "example.com",
      "uri": "/images/hero.jpg"
    },
    "key_string": "023e105f4ecef8ad9ca31a8372d0c353::::https://example.com/images/hero.jpg:::::"
  }
}

Get started

To learn more, refer to the Trace documentation and our guide on Custom Cache Keys.

Load Balancing - Monitor Groups for Advanced Health Checking With Load Balancing

Thu, 16 Oct 2025 00:00:00 GMT

Cloudflare Load Balancing now supports Monitor Groups, a powerful new way to combine multiple health monitors into a single, logical group. This allows you to create sophisticated health checks that more accurately reflect the true availability of your applications by assessing multiple services at once.

With Monitor Groups, you can ensure that all critical components of an application are healthy before sending traffic to an origin pool, enabling smarter failover decisions and greater resilience. This feature is now available via the API for customers with an Enterprise Load Balancing subscription.

What you can do:

Combine Multiple Monitors: Group different health monitors (for example, HTTP, TCP) that check various application components, like a primary API gateway and a specific /login service.
Isolate Monitors for Observation: Mark a monitor as "monitoring only" to receive alerts and data without it affecting a pool's health status or traffic steering. This is perfect for testing new checks or observing non-critical dependencies.
Improve Steering Intelligence: Latency for Dynamic Steering is automatically averaged across all active monitors in a group, providing a more holistic view of an origin's performance.

This enhancement is ideal for complex, multi-service applications where the health of one component depends on another. By aggregating health signals, Monitor Groups provide a more accurate and comprehensive assessment of your application's true status.

For detailed information and API configuration guides, please visit our developer documentation for Monitor Groups.

DNS - DNS Firewall Analytics — now in the Cloudflare dashboard

Tue, 16 Sep 2025 00:00:00 GMT

What's New

Access GraphQL-powered DNS Firewall analytics directly in the Cloudflare dashboard.

Explore Four Interactive Panels

Query summary: Describes trends over time, segmented by dimensions.
Query statistics: Describes totals, cached/uncached queries, and processing/response times.
DNS queries by data center: Describes global view and the top 10 data centers.
Top query statistics: Shows a breakdown by key dimensions, with search and expand options (up to top 100 items).

Additional features:

Apply filters and time ranges once. Changes reflect across all panels.
Filter by dimensions like query name, query type, cluster, data center, protocol (UDP/TCP), IP version, response code/reason, and more.
Access up to 62 days of historical data with flexible intervals.

Availability

Available to all DNS Firewall customers as part of their existing subscription.

Where to Find It

In the Cloudflare dashboard, go to the DNS Firewall page.
Go to Analytics
Refer to the DNS Firewall Analytics to learn more.

Cache - Smart Tiered Cache Fallback to Generic

Fri, 29 Aug 2025 00:00:00 GMT

Smart Tiered Cache now falls back to Generic Tiered Cache when the origin location cannot be determined, improving cache precision for your content.

Previously, when Smart Tiered Cache was unable to select the optimal upper tier (such as when origins are masked by Anycast IPs), latency could be negatively impacted. This fallback now uses Generic Tiered Cache instead, providing better performance and cache efficiency.

How it works

When Smart Tiered Cache falls back to Generic Tiered Cache:

Multiple upper-tiers: Uses all of Cloudflare's global data centers as a network of upper-tiers instead of a single optimal location.
Distributed cache requests: Lower-tier data centers can query any available upper-tier for cached content.
Improved global coverage: Provides better cache hit ratios across geographically distributed visitors.
Automatic fallback: Seamlessly transitions when origin location cannot be determined, such as with Anycast-masked origins.

Benefits

Preserves high performance during fallback: Smart Tiered Cache now maintains strong cache efficiency even when optimal upper tier selection is not possible.
Minimizes latency impact: Automatically uses Generic Tiered Cache topology to keep performance high when origin location cannot be determined.
Seamless experience: No configuration changes or intervention required when fallback occurs.
Improved resilience: Smart Tiered Cache remains effective across diverse origin infrastructure, including Anycast-masked origins.

Get started

This improvement is automatically applied to all zones using Smart Tiered Cache. No action is required on your part.

Secrets Store, AI Gateway, SSL/TLS - Manage and deploy your AI provider keys through Bring Your Own Key (BYOK) with AI Gateway, now powered by Cloudflare Secrets Store

Mon, 25 Aug 2025 11:00:00 GMT

Cloudflare Secrets Store is now integrated with AI Gateway, allowing you to store, manage, and deploy your AI provider keys in a secure and seamless configuration through Bring Your Own Key. Instead of passing your AI provider keys directly in every request header, you can centrally manage each key with Secrets Store and deploy in your gateway configuration using only a reference, rather than passing the value in plain text.

You can now create a secret directly from your AI Gateway in the dashboard by navigating into your gateway -> Provider Keys -> Add.

You can also create your secret with the newly available ai_gateway scope via wrangler, the Secrets Store dashboard, or the API.

Then, pass the key in the request header using its Secrets Store reference:

curl -X POST https://gateway.ai.cloudflare.com/v1/<ACCOUNT_ID>/my-gateway/anthropic/v1/messages \
 --header 'cf-aig-authorization: ANTHROPIC_KEY_1 \
 --header 'anthropic-version: 2023-06-01' \
 --header 'Content-Type: application/json' \
 --data  '{"model": "claude-3-opus-20240229", "messages": [{"role": "user", "content": "What is Cloudflare?"}]}'

Or, using Javascript:

import Anthropic from '@anthropic-ai/sdk';


const anthropic = new Anthropic({
 apiKey: "ANTHROPIC_KEY_1",
 baseURL: "https://gateway.ai.cloudflare.com/v1/<ACCOUNT_ID>/my-gateway/anthropic",
});


const message = await anthropic.messages.create({
 model: 'claude-3-opus-20240229',
 messages: [{role: "user", content: "What is Cloudflare?"}],
 max_tokens: 1024
});

For more information, check out the blog!

Load Balancing - Steer Traffic by AS Number in Load Balancing Custom Rules

Fri, 15 Aug 2025 00:00:00 GMT

You can now create more granular, network-aware Custom Rules in Cloudflare Load Balancing using the Autonomous System Number (ASN) of an incoming request.

This allows you to steer traffic with greater precision based on the network source of a request. For example, you can route traffic from specific Internet Service Providers (ISPs) or enterprise customers to dedicated infrastructure, optimize performance, or enforce compliance by directing certain networks to preferred data centers.

To get started, create a Custom Rule in your Load Balancer and select AS Num from the Field dropdown.

Load Balancing - Improvements to Monitoring Using Zone Settings

Wed, 06 Aug 2025 00:00:00 GMT

Cloudflare Load Balancing Monitors support loading and applying settings for a specific zone to monitoring requests to origin endpoints. This feature has been migrated to new infrastructure to improve reliability, performance, and accuracy.

All zone monitors have been tested against the new infrastructure. There should be no change to health monitoring results of currently healthy and active pools. Newly created or re-enabled pools may need validation of their monitor zone settings before being introduced to service, especially regarding correct application of mTLS.

What you can expect:

More reliable application of zone settings to monitoring requests, including
- Authenticated Origin Pulls
- Aegis Egress IP Pools
- Argo Smart Routing
- HTTP/2 to Origin
Improved support and bug fixes for retries, redirects, and proxied origin resolution
Improved performance and reliability of monitoring requests withing the Cloudflare network
Unrelated CDN or WAF configuration changes should have no risk of impact to pool health

DNS - Account-level DNS analytics now available via GraphQL Analytics API

Thu, 19 Jun 2025 00:00:00 GMT

Authoritative DNS analytics are now available on the account level via the Cloudflare GraphQL Analytics API.

This allows users to query DNS analytics across multiple zones in their account, by using the accounts filter.

Here is an example to retrieve the most recent DNS queries across all zones in your account that resulted in an NXDOMAIN response over a given time frame. Please replace a30f822fcd7c401984bf85d8f2a5111c with your actual account ID.

query GetLatestNXDOMAINResponses {
  viewer {
    accounts(filter: { accountTag: "a30f822fcd7c401984bf85d8f2a5111c" }) {
      dnsAnalyticsAdaptive(
        filter: {
          date_geq: "2025-06-16"
          date_leq: "2025-06-18"
          responseCode: "NXDOMAIN"
        }
        limit: 10000
        orderBy: [datetime_DESC]
      ) {
        zoneTag
        queryName
        responseCode
        queryType
        datetime
      }
    }
  }
}

Run in GraphQL API Explorer

To learn more and get started, refer to the DNS Analytics documentation.

DNS - Internal DNS (beta) now manageable in the Cloudflare dashboard

Mon, 16 Jun 2025 00:00:00 GMT

Participating beta testers can now fully configure Internal DNS directly in the Cloudflare dashboard.

Internal DNS enables customers to:

Map internal hostnames to private IPs for services, devices, and applications not exposed to the public Internet
Resolve internal DNS queries securely through Cloudflare Gateway
Use split-horizon DNS to return different responses based on network context
Consolidate internal and public DNS zones within a single management platform

What’s new in this release:

Beta participants can now create and manage internal zones and views in the Cloudflare dashboard

To learn more and get started, refer to the Internal DNS documentation.

DNS - NSEC3 support for DNSSEC

Wed, 11 Jun 2025 00:00:00 GMT

Enterprise customers can now select NSEC3 as method for proof of non-existence on their zones.

What's new:

NSEC3 support for live-signed zones – For both primary and secondary zones that are configured to be live-signed (also known as "on-the-fly signing"), NSEC3 can now be selected as proof of non-existence.
NSEC3 support for pre-signed zones – Secondary zones that are transferred to Cloudflare in a pre-signed setup now also support NSEC3 as proof of non-existence.

For more information and how to enable NSEC3, refer to the NSEC3 documentation.

Load Balancing - New Account-Level Load Balancing UI and Private Load Balancers

Wed, 04 Jun 2025 00:00:00 GMT

We've made two large changes to load balancing:

Redesigned the user interface, now centralized at the account level.
Introduced Private Load Balancers to the UI, enabling you to manage traffic for all of your external and internal applications in a single spot.

This update streamlines how you manage load balancers across multiple zones and extends robust traffic management to your private network infrastructure.

Key Enhancements:

Account-Level UI Consolidation:
- Unified Management: Say goodbye to navigating individual zones for load balancing tasks. You can now view, configure, and monitor all your load balancers across every zone in your account from a single, intuitive interface at the account level.
- Improved Efficiency: This centralized approach provides a more streamlined workflow, making it faster and easier to manage both your public-facing and internal traffic distribution.
Private Network Load Balancing:
- Secure Internal Application Access: Create Private Load Balancers to distribute traffic to applications hosted within your private network, ensuring they are not exposed to the public Internet.
- WARP & Magic WAN Integration: Effortlessly direct internal traffic from users connected via Cloudflare WARP or through your Magic WAN infrastructure to the appropriate internal endpoint pools.
- Enhanced Security for Internal Resources: Combine reliable Load Balancing with Zero Trust access controls to ensure your internal services are both performant and only accessible by verified users.

DNS - Improved onboarding for Shopify merchants

Tue, 03 Jun 2025 00:00:00 GMT

Shopify merchants can now onboard to O2O automatically, without needing to contact support or community members.

What's new:

Automatic enablement – O2O is available for all mutual Cloudflare and Shopify customers.
Branded record display – Merchants see a Shopify logo in DNS records, complete with helpful tooltips.
Checkout protection – Workers and Snippets are blocked from running on the checkout path to reduce risk and improve security.

For more information, refer to the provider guide.

SSL/TLS, Cloudflare for SaaS, Secrets Store - Increased limits for Cloudflare for SaaS and Secrets Store free and pay-as-you-go plans

Tue, 27 May 2025 11:00:00 GMT

With upgraded limits to all free and paid plans, you can now scale more easily with Cloudflare for SaaS and Secrets Store.

Cloudflare for SaaS allows you to extend the benefits of Cloudflare to your customers via their own custom or vanity domains. Now, the limit for custom hostnames on a Cloudflare for SaaS pay-as-you-go plan has been raised from 5,000 custom hostnames to 50,000 custom hostnames.

With custom origin server -- previously an enterprise-only feature -- you can route traffic from one or more custom hostnames somewhere other than your default proxy fallback. Custom origin server is now available to Cloudflare for SaaS customers on Free, Pro, and Business plans.

You can enable custom origin server on a per-custom hostname basis via the API or the UI:

Currently in beta with a Workers integration, Cloudflare Secrets Store allows you to store, manage, and deploy account level secrets from a secure, centralized platform your Cloudflare Workers. Now, you can create and deploy 100 secrets per account. Try it out in the dashboard, with Wrangler, or via the API today.

Load Balancing - UDP and ICMP Monitor Support for Private Load Balancing Endpoints

Tue, 06 May 2025 00:00:00 GMT

Cloudflare Load Balancing now supports UDP (Layer 4) and ICMP (Layer 3) health monitors for private endpoints. This makes it simple to track the health and availability of internal services that don’t respond to HTTP, TCP, or other protocol probes.

What you can do:

Set up ICMP ping monitors to check if your private endpoints are reachable.
Use UDP monitors for lightweight health checks on non-TCP workloads, such as DNS, VoIP, or custom UDP-based services.
Gain better visibility and uptime guarantees for services running behind Private Network Load Balancing, without requiring public IP addresses.

This enhancement is ideal for internal applications that rely on low-level protocols, especially when used in conjunction with Cloudflare Tunnel, WARP, and Magic WAN to create a secure and observable private network.

Learn more about Private Network Load Balancing or view the full list of supported health monitor protocols.

Secrets Store, SSL/TLS - Cloudflare Secrets Store now available in Beta

Wed, 09 Apr 2025 00:00:00 GMT

Cloudflare Secrets Store is available today in Beta. You can now store, manage, and deploy account level secrets from a secure, centralized platform to your Workers.

To spin up your Cloudflare Secrets Store, simply click the new Secrets Store tab in the dashboard or use this Wrangler command:

wrangler secrets-store store create <name> --remote

The following are supported in the Secrets Store beta:

Secrets Store UI & API: create your store & create, duplicate, update, scope, and delete a secret
Workers UI: bind a new or existing account level secret to a Worker and deploy in code
Wrangler: create your store & create, duplicate, update, scope, and delete a secret
Account Management UI & API: assign Secrets Store permissions roles & view audit logs for actions taken in Secrets Store core platform

For instructions on how to get started, visit our developer documentation.

Cache - Workers Fetch API can override Cache Rules

Fri, 04 Apr 2025 00:00:00 GMT

You can now programmatically override Cache Rules using the cf object in the fetch() command. This feature gives you fine-grained control over caching behavior on a per-request basis, allowing Workers to customize cache settings dynamically based on request properties, user context, or business logic.

How it works

Using the cf object in fetch(), you can override specific Cache Rules settings by:

Setting custom cache options: Pass cache properties in the cf object as the second argument to fetch() to override default Cache Rules.
Dynamic cache control: Apply different caching strategies based on request headers, cookies, or other runtime conditions.
Per-request customization: Bypass or modify Cache Rules for individual requests while maintaining default behavior for others.
Programmatic cache management: Implement complex caching logic that adapts to your application's needs.

What can be configured

Workers can override the following Cache Rules settings through the cf object:

cacheEverything: Treat all content as static and cache all file types beyond the default cached content.
cacheTtl: Set custom time-to-live values in seconds for cached content at the edge, regardless of origin headers.
cacheTtlByStatus: Set different TTLs based on the response status code (for example, { "200-299": 86400, 404: 1, "500-599": 0 }).
cacheKey: Customize cache keys to control which requests are treated as the same for caching purposes (Enterprise only).
cacheTags: Append additional cache tags for targeted cache purging operations.

Benefits

Enhanced flexibility: Customize cache behavior without modifying zone-level Cache Rules.
Dynamic optimization: Adjust caching strategies in real-time based on request context.
Simplified configuration: Reduce the number of Cache Rules needed by handling edge cases programmatically.
Improved performance: Fine-tune cache behavior for specific use cases to maximize hit rates.

Get started

To get started, refer to the Workers Fetch API documentation and the cf object properties documentation.

Cache - All cache purge methods now available for all plans

Thu, 03 Apr 2025 00:00:00 GMT

You can now access all Cloudflare cache purge methods — no matter which plan you’re on. Whether you need to update a single asset or instantly invalidate large portions of your site’s content, you now have the same powerful tools previously reserved for Enterprise customers.

Anyone on Cloudflare can now:

Purge Everything: Clears all cached content associated with a website.
Purge by Prefix: Targets URLs sharing a common prefix.
Purge by Hostname: Invalidates content by specific hostnames.
Purge by URL (single-file purge): Precisely targets individual URLs.
Purge by Tag: Uses Cache-Tag response headers to invalidate grouped assets, offering flexibility for complex cache management scenarios.

Want to learn how each purge method works, when to use them, or what limits apply to your plan? Dive into our purge cache documentation and API reference for all the details.

SSL/TLS - Upload a certificate bundle with an RSA and ECDSA certificate per custom hostname

Fri, 14 Feb 2025 00:00:00 GMT

Cloudflare has supported both RSA and ECDSA certificates across our platform for a number of years. Both certificates offer the same security, but ECDSA is more performant due to a smaller key size. However, RSA is more widely adopted and ensures compatibility with legacy clients. Instead of choosing between them, you may want both – that way, ECDSA is used when clients support it, but RSA is available if not.

Now, you can upload both an RSA and ECDSA certificate on a custom hostname via the API.

curl -X POST https://api.cloudflare.com/client/v4/zones/$ZONE_ID/custom_hostnames \
    -H 'Content-Type: application/json' \
    -H "X-Auth-Email: $CLOUDFLARE_EMAIL" \
    -H "X-Auth-Key: $CLOUDFLARE_API_KEY" \
    -d '{
    "hostname": "hostname",
    "ssl": {
        "custom_cert_bundle": [
            {
                "custom_certificate": "RSA Cert",
                "custom_key": "RSA Key"
            },
            {
                "custom_certificate": "ECDSA Cert",
                "custom_key": "ECDSA Key"
            }
        ],
        "bundle_method": "force",
        "wildcard": false,
        "settings": {
            "min_tls_version": "1.0"
        }
    }
}’

You can also:

Upload an RSA or ECDSA certificate to a custom hostname with an existing ECDSA or RSA certificate, respectively.
Replace the RSA or ECDSA certificate with a certificate of its same type.
Delete the RSA or ECDSA certificate (if the custom hostname has both an RSA and ECDSA uploaded).

This feature is available for Business and Enterprise customers who have purchased custom certificates.

Cache - Configurable multiplexing HTTP/2 to Origin

Wed, 12 Feb 2025 00:00:00 GMT

You can now configure HTTP/2 multiplexing settings for origin connections on Enterprise plans. This feature allows you to optimize how Cloudflare manages concurrent requests over HTTP/2 connections to your origin servers, improving cache efficiency and reducing connection overhead.

How it works

HTTP/2 multiplexing allows multiple requests to be sent over a single TCP connection. With this configuration option, you can:

Control concurrent streams: Adjust the maximum number of concurrent streams per connection.
Optimize connection reuse: Fine-tune connection pooling behavior for your origin infrastructure.
Reduce connection overhead: Minimize the number of TCP connections required between Cloudflare and your origin.
Improve cache performance: Better connection management can enhance cache fetch efficiency.

Benefits

Customizable performance: Tailor multiplexing settings to your origin's capabilities.
Reduced latency: Fewer connection handshakes improve response times.
Lower origin load: More efficient connection usage reduces server resource consumption.
Enhanced scalability: Better connection management supports higher traffic volumes.

Get started

Enterprise customers can configure HTTP/2 multiplexing settings in the Cloudflare Dashboard or through our API.

Cache - Fight CSAM More Easily Than Ever

Tue, 04 Feb 2025 00:00:00 GMT

You can now implement our child safety tooling, the CSAM Scanning Tool, more easily. Instead of requiring external reporting credentials, you only need a verified email address for notifications to onboard. This change makes the tool more accessible to a wider range of customers.

How It Works

When enabled, the tool automatically hashes images for enabled websites as they enter the Cloudflare cache. These hashes are then checked against a database of known abusive images.

Potential match detected?
- The content URL is blocked, and
- Cloudflare will notify you about the found matches via the provided email address.

Updated Service-Specific Terms

We have also made updates to our Service-Specific Terms to reflect these changes.

DNS - Removed unused meta fields from DNS records

Sun, 02 Feb 2025 00:00:00 GMT

Cloudflare is removing five fields from the meta object of DNS records. These fields have been unused for more than a year and are no longer set on new records. This change may take up to four weeks to fully roll out.

The affected fields are:

the auto_added boolean
the managed_by_apps boolean and corresponding apps_install_id
the managed_by_argo_tunnel boolean and corresponding argo_tunnel_id

An example record returned from the API would now look like the following:

{
  "result": {
    "id": "<ID>",
    "zone_id": "<ZONE_ID>",
    "zone_name": "example.com",
    "name": "www.example.com",
    "type": "A",
    "content": "192.0.2.1",
    "proxiable": true,
    "proxied": false,
    "ttl": 1,
    "locked": false,
    "meta": {
      "auto_added": false,
      "managed_by_apps": false,
      "managed_by_argo_tunnel": false,
      "source": "primary"
    },
    "comment": null,
    "tags": [],
    "created_on": "2025-03-17T20:37:05.368097Z",
    "modified_on": "2025-03-17T20:37:05.368097Z"
  },
  "success": true,
  "errors": [],
  "messages": []
}

For more guidance, refer to Manage DNS records.

Cache - Smart Tiered Cache optimizes Load Balancing Pools

Wed, 08 Jan 2025 00:00:00 GMT

You can now achieve higher cache hit rates and reduce origin load when using Load Balancing with Smart Tiered Cache. Cloudflare automatically selects a single, optimal tiered data center for all origins in your Load Balancing Pool.

How it works

When you use Load Balancing with Smart Tiered Cache, Cloudflare analyzes performance metrics across your pool's origins and automatically selects the optimal Upper Tier data center for the entire pool. This means:

Consistent cache location: All origins in the pool share the same Upper Tier cache.
Higher HIT rates: Requests for the same content hit the cache more frequently.
Reduced origin requests: Fewer requests reach your origin servers.
Improved performance: Faster response times for cache HITs.

Example workflow

Load Balancing Pool: api-pool
├── Origin 1: api-1.example.com
├── Origin 2: api-2.example.com
└── Origin 3: api-3.example.com
    ↓
Selected Upper Tier: [Optimal data center based on pool performance]

Get started

To get started, enable Smart Tiered Cache on your zone and configure your Load Balancing Pool.

Cache - Smart Tiered Cache automatically optimizes R2 caching

Wed, 20 Nov 2024 00:00:00 GMT

You can now reduce latency and lower R2 egress costs automatically when using Smart Tiered Cache with R2. Cloudflare intelligently selects a tiered data center close to your R2 bucket location, creating an efficient caching topology without additional configuration.

How it works

When you enable Smart Tiered Cache for zones using R2 as an origin, Cloudflare automatically:

Identifies your R2 bucket location: Determines the geographical region where your R2 bucket is stored.
Selects an optimal Upper Tier: Chooses a data center close to your bucket as the common Upper Tier cache.
Routes requests efficiently: All cache misses in edge locations route through this Upper Tier before reaching R2.

Benefits

Automatic optimization: No manual configuration required.
Lower egress costs: Fewer requests to R2 reduce egress charges.
Improved hit ratio: Common Upper Tier increases cache efficiency.
Reduced latency: Upper Tier proximity to R2 minimizes fetch times.

Get started

To get started, enable Smart Tiered Cache on your zone using R2 as an origin.

Cache - Stage and test cache configurations safely

Thu, 07 Nov 2024 00:00:00 GMT

You can now stage and test cache configurations before deploying them to production. Versioned environments let you safely validate cache rules, purge operations, and configuration changes without affecting live traffic.

How it works

With versioned environments, you can:

Create staging versions of your cache configuration.
Test cache rules in a non-production environment.
Purge staged content independently from production.
Validate changes before promoting to production.

This capability integrates with Cloudflare's broader versioning system, allowing you to manage cache configurations alongside other zone settings.

Benefits

Risk-free testing: Validate configuration changes without impacting production.
Independent purging: Clear staging cache without affecting live content.
Deployment confidence: Catch issues before they reach end users.
Team collaboration: Multiple team members can work on different versions.

Get started

To get started, refer to the version management documentation.

Cache - Shard cache using custom cache key values

Thu, 07 Nov 2024 00:00:00 GMT

Enterprise customers can now optimize cache hit ratios for content that varies by device, language, or referrer by sharding cache using up to ten values from previously restricted headers with custom cache keys.

How it works

When configuring custom cache keys, you can now include values from these headers to create distinct cache entries:

accept* headers (for example, accept, accept-encoding, accept-language): Serve different cached versions based on content negotiation.
referer header: Cache content differently based on the referring page or site.
user-agent header: Maintain separate caches for different browsers, devices, or bots.

When to use cache sharding

Content varies significantly by device type (mobile vs desktop).
Different language or encoding preferences require distinct responses.
Referrer-specific content optimization is needed.

Example configuration

{
  "cache_key": {
    "custom_key": {
      "header": {
        "include": ["accept-language", "user-agent"],
        "check_presence": ["referer"]
      }
    }
  }
}

This configuration creates separate cache entries based on the accept-language and user-agent headers, while also considering whether the referer header is present.

Get started

To get started, refer to the custom cache keys documentation.

Cache - One-click Cache Rules templates now available

Thu, 05 Sep 2024 00:00:00 GMT

You can now create optimized cache rules instantly with one-click templates, eliminating the complexity of manual rule configuration.

How it works

Navigate to Rules > Templates in your Cloudflare dashboard.
Select a template for your use case.
Click to apply the template with sensible defaults.
Customize as needed for your specific requirements.

Available cache templates

Cache everything: Adjust the cache level for all requests.
Bypass cache for everything: Bypass cache for all requests.
Cache default file extensions: Replicate Page Rules caching behavior by making only default extensions eligible for cache.
Bypass cache on cookie: Bypass cache for requests containing specific cookies.
Set edge cache time: Cache responses with status code between 200 and 599 on the Cloudflare edge.
Set browser cache time: Adjust how long a browser should cache a resource.

Get started

To get started, go to Rules > Templates in the dashboard. For more information, refer to the Cache Rules documentation.

Cache - Regionalized Generic Tiered Cache for higher hit ratios

Fri, 19 Jul 2024 00:00:00 GMT

You can now achieve higher cache hit ratios with Generic Global Tiered Cache. Regional content hashing routes content consistently to the same upper-tier data centers, eliminating redundant caching and reducing origin load.

How it works

Regional content hashing groups data centers by region and uses consistent hashing to route content to designated upper-tier caches:

Same content always routes to the same upper-tier data center within a region.
Eliminates redundant copies across multiple upper-tier caches.
Increases the likelihood of cache HITs for the same content.

Example

A popular image requested from multiple edge locations in a region:

Before: Cached at 3-4 different upper-tier data centers
After: Cached at 1 designated upper-tier data center
Result: 3-4x fewer cache MISSes, reducing origin load and improving performance

Get started

To get started, enable Generic Global Tiered Cache on your zone.

Cloudflare Web Analytics - Easily Exclude EU Visitors from RUM

Mon, 26 Feb 2024 00:00:00 GMT

You can now easily enable Real User Monitoring (RUM) monitoring for your hostnames, while safely dropping requests from visitors in the European Union to comply with GDPR and CCPA.

Our Web Analytics product has always been centered on giving you insights into your users' experience that you need to provide the best quality experience, without sacrificing user privacy in the process.

To help with that aim, you can now selectively enable RUM monitoring for your hostname and exclude EU visitor data in a single click. If you opt for this option, we will drop all metrics collected by our EU data centeres automatically.

You can learn more about what metrics are reported by Web Analytics and how it is collected in the Web Analytics documentation. You can enable Web Analytics on any hostname by going to the Web Analytics section of the dashboard, selecting "Manage Site" for the hostname you want to monitor, and choosing the appropriate enablement option.