Cloudflare changelogs | Core platform

Rules - New QUIC RTT and delivery rate fields

Wed, 01 Apr 2026 00:00:00 GMT

Two new fields are now available in rule expressions that surface Layer 4 transport telemetry from the client connection. Together with the existing cf.timings.client_tcp_rtt_msec field, these fields give you a complete picture of connection quality for both TCP and QUIC traffic — enabling transport-aware rules without requiring any client-side changes.

Previously, QUIC RTT and delivery rate data was only available via the Server-Timing: cfL4 response header. These new fields make the same data available directly in rule expressions, so you can use them in Transform Rules, WAF Custom Rules, and other phases that support dynamic fields.

New fields

Field	Type	Description
`cf.timings.client_quic_rtt_msec`	Integer	The smoothed QUIC round-trip time (RTT) between Cloudflare and the client in milliseconds. Only populated for QUIC (HTTP/3) connections. Returns `0` for TCP connections.
`cf.edge.l4.delivery_rate`	Integer	The most recent data delivery rate estimate for the client connection, in bytes per second. Returns `0` when L4 statistics are not available for the request.

Example: Route slow connections to a lightweight origin

Use a request header transform rule to tag requests from high-latency connections, so your origin can serve a lighter page variant:

Rule expression:

cf.timings.client_tcp_rtt_msec > 200 or cf.timings.client_quic_rtt_msec > 200

Header modifications:

Operation	Header name	Value
Set	`X-High-Latency`	`true`

Example: Match low-bandwidth connections

cf.edge.l4.delivery_rate > 0 and cf.edge.l4.delivery_rate < 100000

For more information, refer to Request Header Transform Rules and the fields reference.

logpush, Logs - Logpush — More granular timestamps

Wed, 25 Mar 2026 00:00:00 GMT

Logpush now supports higher-precision timestamp formats for log output. You can configure jobs to output timestamps at millisecond or nanosecond precision. This is available in both the Logpush UI in the Cloudflare dashboard and the Logpush API.

To use the new formats, set timestamp_format in your Logpush job's output_options:

rfc3339ms — 2024-02-17T23:52:01.123Z
rfc3339ns — 2024-02-17T23:52:01.123456789Z

Default timestamp formats apply unless explicitly set. The dashboard defaults to rfc3339 and the API defaults to unixnano.

For more information, refer to the Log output options documentation.

Rules - New mTLS certificate fields for Transform Rules

Wed, 25 Mar 2026 00:00:00 GMT

Cloudflare now exposes four new fields in the Transform Rules phase that encode client certificate data in RFC 9440 format. Previously, forwarding client certificate information to your origin required custom parsing of PEM-encoded fields or non-standard HTTP header formats. These new fields produce output in the standardized Client-Cert and Client-Cert-Chain header format defined by RFC 9440, so your origin can consume them directly without any additional decoding logic.

Each certificate is DER-encoded, Base64-encoded, and wrapped in colons. For example, :MIIDsT...Vw==:. A chain of intermediates is expressed as a comma-separated list of such values.

New fields

Field	Type	Description
`cf.tls_client_auth.cert_rfc9440`	String	The client leaf certificate in RFC 9440 format. Empty if no client certificate was presented.
`cf.tls_client_auth.cert_rfc9440_too_large`	Boolean	`true` if the leaf certificate exceeded 10 KB and was omitted. In practice this will almost always be `false`.
`cf.tls_client_auth.cert_chain_rfc9440`	String	The intermediate certificate chain in RFC 9440 format as a comma-separated list. Empty if no intermediate certificates were sent or if the chain exceeded 16 KB.
`cf.tls_client_auth.cert_chain_rfc9440_too_large`	Boolean	`true` if the intermediate chain exceeded 16 KB and was omitted.

The chain encoding follows the same ordering as the TLS handshake: the certificate closest to the leaf appears first, working up toward the trust anchor. The root certificate is not included.

Example: Forwarding client certificate headers to your origin server

Add a request header transform rule to set the Client-Cert and Client-Cert-Chain headers on requests forwarded to your origin server. For example, to forward headers for verified, non-revoked certificates:

Rule expression:

cf.tls_client_auth.cert_verified and not cf.tls_client_auth.cert_revoked

Header modifications:

Operation	Header name	Value
Set	`Client-Cert`	`cf.tls_client_auth.cert_rfc9440`
Set	`Client-Cert-Chain`	`cf.tls_client_auth.cert_chain_rfc9440`

To get the most out of these fields, upload your client CA certificate to Cloudflare so that Cloudflare validates the client certificate at the edge and populates cf.tls_client_auth.cert_verified and cf.tls_client_auth.cert_revoked.

For more information, refer to Mutual TLS authentication, Request Header Transform Rules, and the fields reference.

AI Crawl Control - Advanced WAF customization for AI Crawl Control blocks

Tue, 24 Mar 2026 00:00:00 GMT

AI Crawl Control now supports extending the underlying WAF rule with custom modifications. Any changes you make directly in the WAF custom rules editor — such as adding path-based exceptions, extra user agents, or additional expression clauses — are preserved when you update crawler actions in AI Crawl Control.

If the WAF rule expression has been modified in a way AI Crawl Control cannot parse, a warning banner appears on the Crawlers page with a link to view the rule directly in WAF.

For more information, refer to WAF rule management.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Stream logs from multiple replicas of Cloudflare Tunnel simultaneously

Fri, 20 Mar 2026 00:00:00 GMT

In the Cloudflare One dashboard, the overview page for a specific Cloudflare Tunnel now shows all replicas of that tunnel and supports streaming logs from multiple replicas at once.

Previously, you could only stream logs from one replica at a time. With this update:

Replicas on the tunnel overview — All active replicas for the selected tunnel now appear on that tunnel's overview page under Connectors. Select any replica to stream its logs.
Multi-connector log streaming — Stream logs from multiple replicas simultaneously, making it easier to correlate events across your infrastructure during debugging or incident response. To try it out, log in to Cloudflare One and go to Networks > Connectors > Cloudflare Tunnels. Select View logs next to the tunnel you want to monitor.

For more information, refer to Tunnel log streams and Deploy replicas.

Cloudflare Fundamentals - Service Key authentication deprecated

Thu, 19 Mar 2026 00:00:00 GMT

Service Key authentication for the Cloudflare API is deprecated. Service Keys will stop working on September 30, 2026.

API Tokens replace Service Keys with fine-grained permissions, expiration, and revocation.

What you need to do

Replace any use of the X-Auth-User-Service-Key header with an API Token scoped to the permissions your integration requires.

If you use cloudflared, update to a version from November 2022 or later. These versions already use API Tokens.

If you use origin-ca-issuer, update to a version that supports API Token authentication.

For more information, refer to API deprecations.

Cloudflare Tunnel, Workers - Manage Cloudflare Tunnels with Wrangler

Thu, 19 Mar 2026 00:00:00 GMT

You can now manage Cloudflare Tunnels directly from Wrangler, the CLI for the Cloudflare Developer Platform. The new wrangler tunnel commands let you create, run, and manage tunnels without leaving your terminal.

Available commands:

wrangler tunnel create — Create a new remotely managed tunnel.
wrangler tunnel list — List all tunnels in your account.
wrangler tunnel info — Display details about a specific tunnel.
wrangler tunnel delete — Delete a tunnel.
wrangler tunnel run — Run a tunnel using the cloudflared daemon.
wrangler tunnel quick-start — Start a free, temporary tunnel without an account using Quick Tunnels.

Wrangler handles downloading and managing the cloudflared binary automatically. On first use, you will be prompted to download cloudflared to a local cache directory.

These commands are currently experimental and may change without notice.

To get started, refer to the Wrangler tunnel commands documentation.

Cloudflare Fundamentals - SCIM provisioning for Authentik is now Generally Available

Wed, 18 Mar 2026 00:00:00 GMT

Cloudflare dashboard SCIM provisioning now supports Authentik as an identity provider, joining Okta and Microsoft Entra ID as explicitly supported providers.

Customers can now sync users and group information from Authentik to Cloudflare, apply Permission Policies to those groups, and manage the lifecycle of users & groups directly from your Authentik Identity Provider.

For more information:

Cloudflare Fundamentals - SCIM audit logging Support

Wed, 18 Mar 2026 00:00:00 GMT

Cloudflare dashboard SCIM provisioning operations are now captured in Audit Logs v2, giving you visibility into user and group changes made by your identity provider.

Logged actions:

Action Type	Description
Create SCIM User	User provisioned from IdP
Replace SCIM User	User fully replaced (PUT)
Update SCIM User	User attributes modified (PATCH)
Delete SCIM User	Member deprovisioned
Create SCIM Group	Group provisioned from IdP
Update SCIM Group	Group membership or attributes modified
Delete SCIM Group	Group deprovisioned

For more details, refer to the Audit Logs v2 documentation.

Rules - Worker execution timing field now available in Rules

Wed, 18 Mar 2026 00:00:00 GMT

The cf.timings.worker_msec field is now available in the Ruleset Engine. This field reports the wall-clock time that a Cloudflare Worker spent handling a request, measured in milliseconds.

You can use this field to identify slow Worker executions, detect performance regressions, or build rules that respond differently based on Worker processing time, such as logging requests that exceed a latency threshold.

Field details

Field	Type	Description
`cf.timings.worker_msec`	Integer	The time spent executing a Cloudflare Worker in milliseconds. Returns `0` if no Worker was invoked.

Example filter expression:

cf.timings.worker_msec > 500

For more information, refer to the Fields reference.

Cloudflare Fundamentals - Retry-After HTTP header for retryable 1xxx errors

Thu, 12 Mar 2026 00:00:00 GMT

Cloudflare-generated 1xxx error responses now include a standard Retry-After HTTP header when the error is retryable. Agents and HTTP clients can read the recommended wait time from response headers alone — no body parsing required.

Changes

Seven retryable error codes now emit Retry-After:

Error code	Retry-After (seconds)	Error name
1004	120	DNS resolution error
1005	120	Banned zone
1015	30	Rate limited
1033	120	Argo Tunnel error
1038	60	HTTP headers limit exceeded
1200	60	Cache connection limit
1205	5	Too many redirects

The header value matches the existing retry_after body field in JSON and Markdown responses.

If a WAF rate limiting rule has already set a dynamic Retry-After value on the response, that value takes precedence.

Availability

Available for all zones on all plans.

Verify

Check for the header on any retryable error:

curl -s --compressed -D - -o /dev/null -H "Accept: application/json" -A "TestAgent/1.0" -H "Accept-Encoding: gzip, deflate" "<YOUR_DOMAIN>/cdn-cgi/error/1015" | grep -i retry-after

References:

Cloudflare Fundamentals - JSON responses and RFC 9457 support for Cloudflare 1xxx errors

Wed, 11 Mar 2026 00:00:00 GMT

Cloudflare-generated 1xxx errors now return structured JSON when clients send Accept: application/json or Accept: application/problem+json. JSON responses follow RFC 9457 (Problem Details for HTTP APIs), so any HTTP client that understands Problem Details can parse the base members without Cloudflare-specific code.

Breaking change

The Markdown frontmatter field http_status has been renamed to status. Agents consuming Markdown frontmatter should update parsers accordingly.

Changes

JSON format. Clients sending Accept: application/json or Accept: application/problem+json now receive a structured JSON object with the same operational fields as Markdown frontmatter, plus RFC 9457 standard members.

RFC 9457 standard members (JSON only):

type — URI pointing to Cloudflare documentation for the specific error code
status — HTTP status code (matching the response status)
title — short, human-readable summary
detail — human-readable explanation specific to this occurrence
instance — Ray ID identifying this specific error occurrence

Field renames:

http_status -> status (JSON and Markdown)
what_happened -> detail (JSON only — Markdown prose sections are unchanged)

Content-Type mirroring. Clients sending Accept: application/problem+json receive Content-Type: application/problem+json; charset=utf-8 back; Accept: application/json receives application/json; charset=utf-8. Same body in both cases.

Negotiation behavior

Request header sent	Response format
`Accept: application/json`	JSON (`application/json` content type)
`Accept: application/problem+json`	JSON (`application/problem+json` content type)
`Accept: application/json, text/markdown;q=0.9`	JSON
`Accept: text/markdown`	Markdown
`Accept: text/markdown, application/json`	Markdown (equal `q`, first-listed wins)
`Accept: /`	HTML (default)

Availability

Available now for Cloudflare-generated 1xxx errors.

Get started

curl -s --compressed -H "Accept: application/json" -A "TestAgent/1.0" -H "Accept-Encoding: gzip, deflate" "<YOUR_DOMAIN>/cdn-cgi/error/1015" | jq .

curl -s --compressed -H "Accept: application/problem+json" -A "TestAgent/1.0" -H "Accept-Encoding: gzip, deflate" "<YOUR_DOMAIN>/cdn-cgi/error/1015" | jq .

References:

Log Explorer - Ingest field selection for Log Explorer

Wed, 11 Mar 2026 00:00:00 GMT

Cloudflare Log Explorer now allows you to customize exactly which data fields are ingested and stored when enabling or managing log datasets.

Previously, ingesting logs often meant taking an "all or nothing" approach to data fields. With Ingest Field Selection, you can now choose from a list of available and recommended fields for each dataset. This allows you to reduce noise, focus on the metrics that matter most to your security and performance analysis, and manage your data footprint more effectively.

Key capabilities

Granular control: Select only the specific fields you need when enabling a new dataset.
Dynamic updates: Update fields for existing, already enabled logstreams at any time.
Historical consistency: Even if you disable a field later, you can still query and receive results for that field for the period it was captured.
Data integrity: Core fields, such as Timestamp, are automatically retained to ensure your logs remain searchable and chronologically accurate.

Example configuration

When configuring a dataset via the dashboard or API, you can define a specific set of fields. The Timestamp field remains mandatory to ensure data indexability.

{
  "dataset": "firewall_events",
  "enabled": true,
  "fields": [
    "Timestamp",
    "ClientRequestHost",
    "ClientIP",
    "Action",
    "EdgeResponseStatus",
    "OriginResponseStatus"
  ]
}

For more information, refer to the Log Explorer documentation.

Audit Logs - Audit logs (version 2) - General Availability

Tue, 10 Mar 2026 00:00:00 GMT

Audit Logs v2 is now generally available to all Cloudflare customers.

Audit Logs v2 provides a unified and standardized system for tracking and recording all user and system actions across Cloudflare products. Built on Cloudflare's API Shield / OpenAPI gateway, logs are generated automatically without requiring manual instrumentation from individual product teams, ensuring consistency across ~95% of Cloudflare products.

What's available at GA:

Standardized logging — Audit logs follow a consistent format across all Cloudflare products, making it easier to search, filter, and investigate activity.
Expanded product coverage — ~95% of Cloudflare products covered, up from ~75% in v1.
Granular filtering — Filter by actor, action type, action result, resource, raw HTTP method, zone, and more. Over 20 filter parameters available via the API.
Enhanced context — Each log entry includes authentication method, interface (API or dashboard), Cloudflare Ray ID, and actor token details.
18-month retention — Logs are retained for 18 months. Full history is accessible via the API or Logpush.

Access:

Dashboard: Go to Manage Account > Audit Logs. Audit Logs v2 is shown by default.
API: GET https://api.cloudflare.com/client/v4/accounts/{account_id}/logs/audit
Logpush: Available via the audit_logs_v2 account-scoped dataset.

Important notes:

Approximately 30 days of logs from the Beta period (back to ~February 8, 2026) are available at GA. These Beta logs will expire on ~April 9, 2026. Logs generated after GA will be retained for the full 18 months. Older logs remain available in Audit Logs v1.
The UI query window is limited to 90 days for performance reasons. Use the API or Logpush for access to the full 18-month history.
GET requests (view actions) and 4xx error responses are not logged at GA. GET logging will be selectively re-enabled for sensitive read operations in a future release.
Audit Logs v1 continues to run in parallel. A deprecation timeline will be communicated separately.
Before and after values — the ability to see what a value changed from and to — is a highly requested feature and is on our roadmap for a post-GA release. In the meantime, we recommend using Audit Logs v1 for before and after values. Audit Logs v1 will continue to run in parallel until this feature is available in v2.

For more details, refer to the Audit Logs v2 documentation.

Logs - New MCP Portal Logs dataset and new fields across multiple Logpush datasets in Cloudflare Logs

Mon, 09 Mar 2026 00:00:00 GMT

Cloudflare has added new fields across multiple Logpush datasets:

New dataset

MCP Portal Logs: A new dataset with fields including ClientCountry, ClientIP, ColoCode, Datetime, Error, Method, PortalAUD, PortalID, PromptGetName, ResourceReadURI, ServerAUD, ServerID, ServerResponseDurationMs, ServerURL, SessionID, Success, ToolCallName, UserEmail, and UserID.

New fields in existing datasets

DEX Application Tests: HTTPRedirectEndMs, HTTPRedirectStartMs, HTTPResponseBody, and HTTPResponseHeaders.
DEX Device State Events: ExperimentalExtra.
Firewall Events: FraudUserID.
Gateway HTTP: AppControlInfo and ApplicationStatuses.
Gateway DNS: InternalDNSDurationMs.
HTTP Requests: FraudEmailRisk, FraudUserID, and PayPerCrawlStatus.
Network Analytics Logs: DNSQueryName, DNSQueryType, and PFPCustomTag.
WARP Toggle Changes: UserEmail.
WARP Config Changes: UserEmail.
Zero Trust Network Session Logs: SNI.

For the complete field definitions for each dataset, refer to Logpush datasets.

Cloudflare Fundamentals - Markdown responses for Cloudflare 1xxx errors

Thu, 26 Feb 2026 00:00:00 GMT

Cloudflare now returns structured Markdown responses for Cloudflare-generated 1xxx errors when clients send Accept: text/markdown.

Each response includes YAML frontmatter plus guidance sections (What happened / What you should do) so agents can make deterministic retry and escalation decisions without parsing HTML.

In measured 1,015 comparisons, Markdown reduced payload size and token footprint by over 98% versus HTML.

Included frontmatter fields:

error_code, error_name, error_category, http_status
ray_id, timestamp, zone
cloudflare_error, retryable, retry_after (when applicable), owner_action_required

Default behavior is unchanged: clients that do not explicitly request Markdown continue to receive HTML error pages.

Negotiation behavior

Cloudflare uses standard HTTP content negotiation on the Accept header.

Accept: text/markdown -> Markdown
Accept: text/markdown, text/html;q=0.9 -> Markdown
Accept: text/* -> Markdown
Accept: */* -> HTML (default browser behavior)

When multiple values are present, Cloudflare selects the highest-priority supported media type using q values. If Markdown is not explicitly preferred, HTML is returned.

Availability

Available now for Cloudflare-generated 1xxx errors.

Get started

curl -H "Accept: text/markdown" https://<your-domain>/cdn-cgi/error/1015

Reference: Cloudflare 1xxx error documentation

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Manage Cloudflare Tunnel directly from the main Cloudflare Dashboard

Fri, 20 Feb 2026 00:00:00 GMT

Cloudflare Tunnel is now available in the main Cloudflare Dashboard at Networking > Tunnels, bringing first-class Tunnel management to developers using Tunnel for securing origin servers.

This new experience provides everything you need to manage Tunnels for public applications, including:

Full Tunnel lifecycle management: Create, configure, delete, and monitor all your Tunnels in one place.
Native integrations: View Tunnels by name when configuring DNS records and Workers VPC — no more copy-pasting UUIDs.
Real-time visibility: Monitor replicas and Tunnel health status directly in the dashboard.
Routing map: Manage all ingress routes for your Tunnel, including public applications, private hostnames, private CIDRs, and Workers VPC services, from a single interactive interface.

Choose the right dashboard for your use case

Core Dashboard: Navigate to Networking > Tunnels to manage Tunnels for:

Securing origin servers and public applications with CDN, WAF, Load Balancing, and DDoS protection
Connecting Workers to private services via Workers VPC

Cloudflare One Dashboard: Navigate to Zero Trust > Networks > Connectors to manage Tunnels for:

Securing your public applications with Zero Trust access policies
Connecting users to private applications
Building a private mesh network

Both dashboards provide complete Tunnel management capabilities — choose based on your primary workflow.

Get started

New to Tunnel? Learn how to get started with Cloudflare Tunnel or explore advanced use cases like securing SSH servers or running Tunnels in Kubernetes.

Analytics - New cfWorker metric in Server-Timing header

Wed, 18 Feb 2026 00:00:00 GMT

The Server-Timing header now includes a new cfWorker metric that measures time spent executing Cloudflare Workers, including any subrequests performed by the Worker. This helps developers accurately identify whether high Time to First Byte (TTFB) is caused by Worker processing or slow upstream dependencies.

Previously, Worker execution time was included in the edge metric, making it harder to identify true edge performance. The new cfWorker metric provides this visibility:

Metric	Description
`edge`	Total time spent on the Cloudflare edge, including Worker execution
`origin`	Time spent fetching from the origin server
`cfWorker`	Time spent in Worker execution, including subrequests but excluding origin fetch time

Example response

Server-Timing: cdn-cache; desc=DYNAMIC, edge; dur=20, origin; dur=100, cfWorker; dur=7

In this example, the edge took 20ms, the origin took 100ms, and the Worker added just 7ms of processing time.

Availability

The cfWorker metric is enabled by default if you have Real User Monitoring (RUM) enabled. Otherwise, you can enable it using Rules.

This metric is particularly useful for:

Performance debugging: Quickly determine if latency is caused by Worker code, external API calls within Workers, or slow origins.
Optimization targeting: Identify which component of your request path needs optimization.
Real User Monitoring (RUM): Access detailed timing breakdowns directly from response headers for client-side analytics.

For more information about Server-Timing headers, refer to the W3C Server Timing specification.

Cloudflare Fundamentals - Content encoding support for Markdown for Agents and other improvements

Mon, 16 Feb 2026 00:00:00 GMT

When AI systems request pages from any website that uses Cloudflare and has Markdown for Agents enabled, they can express the preference for text/markdown in the request: our network will automatically and efficiently convert the HTML to markdown, when possible, on the fly.

This release adds the following improvements:

The origin response limit was raised from 1 MB to 2 MB (2,097,152 bytes).
We no longer require the origin to send the content-length header.
We now support content encoded responses from the origin.

If you haven’t enabled automatic Markdown conversion yet, visit the AI Crawl Control section of the Cloudflare dashboard and enable Markdown for Agents.

Refer to our developer documentation for more details.

Cloudflare Fundamentals, Access - Fine-grained permissions for Access policies and service tokens

Fri, 13 Feb 2026 00:00:00 GMT

Fine-grained permissions for Access policies and Access service tokens are available. These new resource-scoped roles expand the existing RBAC model, enabling administrators to grant permissions scoped to individual resources.

New roles

Cloudflare Access policy admin: Can edit a specific Access policy in an account.
Cloudflare Access service token admin: Can edit a specific Access service token in an account.

These roles complement the existing resource-scoped roles for Access applications, identity providers, and infrastructure targets.

For more information:

Cloudflare Fundamentals, SDK - Cloudflare Python SDK v5.0.0-beta.1 now available

Fri, 13 Feb 2026 00:00:00 GMT

Disclaimer: Please note that v5.0.0-beta.1 is in Beta and we are still testing it for stability.

Full Changelog: v4.3.1...v5.0.0-beta.1

In this release, you'll see a large number of breaking changes. This is primarily due to a change in OpenAPI definitions, which our libraries are based off of, and codegen updates that we rely on to read those OpenAPI definitions and produce our SDK libraries. As the codegen is always evolving and improving, so are our code bases.

There may be changes that are not captured in this changelog. Feel free to open an issue to report any inaccuracies, and we will make sure it gets into the changelog before the v5.0.0 release.

Most of the breaking changes below are caused by improvements to the accuracy of the base OpenAPI schemas, which sometimes translates to breaking changes in downstream clients that depend on those schemas.

Please ensure you read through the list of changes below and the migration guide before moving to this version - this will help you understand any down or upstream issues it may cause to your environments.

Breaking Changes

The following resources have breaking changes. See the v5 Migration Guide for detailed migration instructions.

abusereports
acm.totaltls
apigateway.configurations
cloudforceone.threatevents
d1.database
intel.indicatorfeeds
logpush.edge
origintlsclientauth.hostnames
queues.consumers
radar.bgp
rulesets.rules
schemavalidation.schemas
snippets
zerotrust.dlp
zerotrust.networks

Features

New API Resources

abusereports - Abuse report management
abusereports.mitigations - Abuse report mitigation actions
ai.tomarkdown - AI-powered markdown conversion
aigateway.dynamicrouting - AI Gateway dynamic routing configuration
aigateway.providerconfigs - AI Gateway provider configurations
aisearch - AI-powered search functionality
aisearch.instances - AI Search instance management
aisearch.tokens - AI Search authentication tokens
alerting.silences - Alert silence management
brandprotection.logomatches - Brand protection logo match detection
brandprotection.logos - Brand protection logo management
brandprotection.matches - Brand protection match results
brandprotection.queries - Brand protection query management
cloudforceone.binarystorage - CloudForce One binary storage
connectivity.directory - Connectivity directory services
d1.database - D1 database management
diagnostics.endpointhealthchecks - Endpoint health check diagnostics
fraud - Fraud detection and prevention
iam.sso - IAM Single Sign-On configuration
loadbalancers.monitorgroups - Load balancer monitor groups
organizations - Organization management
organizations.organizationprofile - Organization profile settings
origintlsclientauth.hostnamecertificates - Origin TLS client auth hostname certificates
origintlsclientauth.hostnames - Origin TLS client auth hostnames
origintlsclientauth.zonecertificates - Origin TLS client auth zone certificates
pipelines - Data pipeline management
pipelines.sinks - Pipeline sink configurations
pipelines.streams - Pipeline stream configurations
queues.subscriptions - Queue subscription management
r2datacatalog - R2 Data Catalog integration
r2datacatalog.credentials - R2 Data Catalog credentials
r2datacatalog.maintenanceconfigs - R2 Data Catalog maintenance configurations
r2datacatalog.namespaces - R2 Data Catalog namespaces
radar.bots - Radar bot analytics
radar.ct - Radar certificate transparency data
radar.geolocations - Radar geolocation data
realtimekit.activesession - Real-time Kit active session management
realtimekit.analytics - Real-time Kit analytics
realtimekit.apps - Real-time Kit application management
realtimekit.livestreams - Real-time Kit live streaming
realtimekit.meetings - Real-time Kit meeting management
realtimekit.presets - Real-time Kit preset configurations
realtimekit.recordings - Real-time Kit recording management
realtimekit.sessions - Real-time Kit session management
realtimekit.webhooks - Real-time Kit webhook configurations
tokenvalidation.configuration - Token validation configuration
tokenvalidation.rules - Token validation rules
workers.beta - Workers beta features

New Endpoints (Existing Resources)

`acm.totaltls`

edit()
update()

`cloudforceone.threatevents`

list()

`contentscanning`

create()
get()
update()

`dns.records`

scan_list()
scan_review()
scan_trigger()

`intel.indicatorfeeds`

create()
delete()
list()

`leakedcredentialchecks.detections`

get()

`queues.consumers`

list()

`radar.ai`

summary()
timeseries()
timeseries_groups()

`radar.bgp`

changes()
snapshot()

`workers.subdomains`

delete()

`zerotrust.networks`

create()
delete()
edit()
get()
list()

General Fixes and Improvements

Type System & Compatibility

Type inference improvements: Allow Pyright to properly infer TypedDict types within SequenceNotStr
Type completeness: Add missing types to method arguments and response models
Pydantic compatibility: Ensure compatibility with Pydantic versions prior to 2.8.0 when using additional fields

Request/Response Handling

Multipart form data: Correctly handle sending multipart/form-data requests with JSON data
Header handling: Do not send headers with default values set to omit
GET request headers: Don't send Content-Type header on GET requests
Response body model accuracy: Broad improvements to the correctness of models

Parsing & Data Processing

Discriminated unions: Correctly handle nested discriminated unions in response parsing
Extra field types: Parse extra field types correctly
Empty metadata: Ignore empty metadata fields during parsing
Singularization rules: Update resource name singularization rules for better consistency

Cloudflare Fundamentals - Introducing Markdown for Agents

Thu, 12 Feb 2026 00:00:00 GMT

Cloudflare's network now supports real-time content conversion at the source, for enabled zones using content negotiation headers. When AI systems request pages from any website that uses Cloudflare and has Markdown for Agents enabled, they can express the preference for text/markdown in the request: our network will automatically and efficiently convert the HTML to markdown, when possible, on the fly.

Here is a curl example with the Accept negotiation header requesting this page from our developer documentation:

curl https://developers.cloudflare.com/fundamentals/reference/markdown-for-agents/ \
  -H "Accept: text/markdown"

The response to this request is now formatted in markdown:

HTTP/2 200
date: Wed, 11 Feb 2026 11:44:48 GMT
content-type: text/markdown; charset=utf-8
content-length: 2899
vary: accept
x-markdown-tokens: 725
content-signal: ai-train=yes, search=yes, ai-input=yes

---
title: Markdown for Agents · Cloudflare Agents docs
---

## What is Markdown for Agents

Markdown has quickly become the lingua franca for agents and AI systems
as a whole. The format’s explicit structure makes it ideal for AI processing,
ultimately resulting in better results while minimizing token waste.
...

Refer to our developer documentation and our blog announcement for more details.

Cloudflare Fundamentals, Terraform - Terraform v5.17.0 now available

Thu, 12 Feb 2026 00:00:00 GMT

In January 2025, we announced the launch of the new Terraform v5 Provider. We greatly appreciate the proactive engagement and valuable feedback from the Cloudflare community following the v5 release. In response, we have established a consistent and rapid 2-3 week cadence for releasing targeted improvements, demonstrating our commitment to stability and reliability.

With the help of the community, we have a growing number of resources that we have marked as stable, with that list continuing to grow with every release. The most used resources are on track to be stable by the end of March 2026, when we will also be releasing a new migration tool to help you migrate from v4 to v5 with ease.

This release brings new capabilities for AI Search, enhanced Workers Script placement controls, and numerous bug fixes based on community feedback. We also begun laying foundational work for improving the v4 to v5 migration process. Stay tuned for more details as we approach the March 2026 release timeline.

Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs.

Features

ai_search_instance: add data source for querying AI Search instances
ai_search_token: add data source for querying AI Search tokens
account: add support for tenant unit management with new unit field
account: add automatic mapping from managed_by.parent_org_id to unit.id
authenticated_origin_pulls_certificate: add data source for querying authenticated origin pull certificates
authenticated_origin_pulls_hostname_certificate: add data source for querying hostname-specific authenticated origin pull certificates
authenticated_origin_pulls_settings: add data source for querying authenticated origin pull settings
workers_kv: add value field to data source to retrieve KV values directly
workers_script: add script field to data source to retrieve script content
workers_script: add support for simple rate limit binding
workers_script: add support for targeted placement mode with placement.target array for specifying placement targets (region, hostname, host)
workers_script: add placement_mode and placement_status computed fields
zero_trust_dex_test: add data source with filter support for finding specific tests
zero_trust_dlp_predefined_profile: add enabled_entries field for flexible entry management

Bug Fixes

account: map managed_by.parent_org_id to unit.id in unmarshall and add acceptance tests
authenticated_origin_pulls_certificate: add certificate normalization to prevent drift
authenticated_origin_pulls: handle array response and implement full lifecycle
authenticated_origin_pulls_hostname_certificate: fix resource and tests
cloudforce_one_request_message: use correct request_id field instead of id in API calls
dns_zone_transfers_incoming: use correct zone_id field instead of id in API calls
dns_zone_transfers_outgoing: use correct zone_id field instead of id in API calls
email_routing_settings: use correct zone_id field instead of id in API calls
hyperdrive_config: add proper handling for write-only fields to prevent state drift
hyperdrive_config: add normalization for empty mtls objects to prevent unnecessary diffs
magic_network_monitoring_rule: use correct account_id field instead of id in API calls
mtls_certificates: fix resource and test
pages_project: revert build_config to computed optional
stream_key: use correct account_id field instead of id in API calls
total_tls: use upsert pattern for singleton zone setting
waiting_room_rules: use correct waiting_room_id field instead of id in API calls
workers_script: add support for placement mode/status
zero_trust_access_application: update v4 version on migration tests
zero_trust_device_posture_rule: update tests to match API
zero_trust_dlp_integration_entry: use correct entry_id field instead of id in API calls
zero_trust_dlp_predefined_entry: use correct entry_id field instead of id in API calls
zero_trust_organization: fix plan issues

Chores

add state upgraders to 95+ resources to lay the foundation for replacing Grit (still under active development)
certificate_pack: add state migration handler for SDKv2 to Framework conversion
custom_hostname_fallback_origin: add comprehensive lifecycle test and migration support
dns_record: add state migration handler for SDKv2 to Framework conversion
leaked_credential_check: add import functionality and tests
load_balancer_pool: add state migration handler with detection for v4 vs v5 format
pages_project: add state migration handlers
tiered_cache: add state migration handlers
zero_trust_dlp_predefined_profile: deprecate entries field in favor of enabled_entries

For more information

AI Crawl Control - Analytics enhancements

Mon, 09 Feb 2026 00:00:00 GMT

AI Crawl Control metrics have been enhanced with new views, improved filtering, and better data visualization.

Path pattern grouping

In the Metrics tab > Most popular paths table, use the new Patterns tab that groups requests by URI pattern (/blog/*, /api/v1/*, /docs/*) to identify which site areas crawlers target most. Refer to the screenshot above.

Enhanced referral analytics

Destination patterns show which site areas receive AI-driven referral traffic.
In the Metrics tab, a new Referrals over time chart shows trends by operator or source.

Data transfer metrics

In the Metrics tab > Allowed requests over time chart, toggle Bytes to show bandwidth consumption.
In the Crawlers tab, a new Bytes Transferred column shows bandwidth per crawler.

Image exports

Export charts and tables as images for reports and presentations.

Learn more about analyzing AI traffic.

Log Explorer - Tabs and pivots

Mon, 09 Feb 2026 00:00:00 GMT

Log Explorer now supports multiple concurrent queries with the new Tabs feature. Work with multiple queries simultaneously and pivot between datasets to investigate malicious activity more effectively.

Key capabilities

Multiple tabs: Open and switch between multiple query tabs to compare results across different datasets.
Quick filtering: Select the filter button from query results to add a value as a filter to your current query.
Pivot to new tab: Use Cmd + click on the filter button to start a new query tab with that filter applied.
Preserved progress: Your query progress is preserved on each tab if you navigate away and return.

For more information, refer to the Log Explorer documentation.

AI Crawl Control - New reference documentation

Wed, 04 Feb 2026 00:00:00 GMT

New reference documentation is now available for AI Crawl Control:

GraphQL API reference — Query examples for crawler requests, top paths, referral traffic, and data transfer. Includes key filters for detection IDs, user agents, and referrer domains.
Bot reference — Detection IDs and user agents for major AI crawlers from OpenAI, Anthropic, Google, Meta, and others.
Worker templates — Deploy the x402 Payment-Gated Proxy to monetize crawler access or charge bots while letting humans through free.

Cloudflare Fundamentals - Added Timezone preferences settings

Tue, 27 Jan 2026 00:00:00 GMT

You can now set the timezone in the Cloudflare dashboard as Coordinated Universal Time (UTC) or your browser or system's timezone.

What's New

Unless otherwise specified in the user interface, all dates and times in the Cloudflare dashboard are now displayed in the selected timezone.

You can change the timezone setting from the user profile dropdown.

The page will reload to apply the new timezone setting.

Rules - Control request and response body buffering in Configuration Rules

Tue, 27 Jan 2026 00:00:00 GMT

You can now control how Cloudflare buffers HTTP request and response bodies using two new settings in Configuration Rules.

Request body buffering

Controls how Cloudflare buffers HTTP request bodies before forwarding them to your origin server:

Mode	Behavior
Standard (default)	Cloudflare can inspect a prefix of the request body for enabled functionality such as WAF and Bot Management.
Full	Buffers the entire request body before sending to origin.
None	No buffering — the request body streams directly to origin without inspection.

Response body buffering

Controls how Cloudflare buffers HTTP response bodies before forwarding them to the client:

Mode	Behavior
Standard (default)	Cloudflare can inspect a prefix of the response body for enabled functionality.
None	No buffering — the response body streams directly to the client without inspection.

API example

{
  "action": "set_config",
  "action_parameters": {
    "request_body_buffering": "standard",
    "response_body_buffering": "none"
  }
}

For more information, refer to Configuration Rules.

Cloudflare Fundamentals - New 2FA Experience for Login

Fri, 23 Jan 2026 00:00:00 GMT

In an effort to improve overall user security, users without 2FA will be prompted upon login to enroll in email 2FA. This will improve user security posture while minimizing friction. Users without email 2FA enabled will see a prompt to secure their account with additional factors upon logging in. Enrolling in 2FA remains optional, but strongly encouraged as it is the best way to prevent account takeovers.

We also made changes to existing 2FA screens to improve the user experience. Now we have distinct experiences for each 2FA factor type, reflective of the way that factor works.

For more information

Configure Email Two Factor Authentication

Rules - New cryptographic functions — encode_base64() and sha256()

Thu, 22 Jan 2026 00:00:00 GMT

Cloudflare Rulesets now includes encode_base64() and sha256() functions, enabling you to generate signed request headers directly in rule expressions. These functions support common patterns like constructing a canonical string from request attributes, computing a SHA256 digest, and Base64-encoding the result.

New functions

Function	Description	Availability
`encode_base64(input, flags)`	Encodes a string to Base64 format. Optional `flags` parameter: `u` for URL-safe encoding, `p` for padding (adds `=` characters to make the output length a multiple of 4, as required by some systems). By default, output is standard Base64 without padding.	All plans (in header transform rules)
`sha256(input)`	Computes a SHA256 hash of the input string.	Requires enablement

Examples

Encode a string to Base64 format:

encode_base64("hello world")

Returns: aGVsbG8gd29ybGQ

Encode a string to Base64 format with padding:

encode_base64("hello world", "p")

Returns: aGVsbG8gd29ybGQ=

Perform a URL-safe Base64 encoding of a string:

encode_base64("hello world", "u")

Returns: aGVsbG8gd29ybGQ

Compute the SHA256 hash of a secret token:

sha256("my-token")

Returns a hash that your origin can validate to authenticate requests.

Compute the SHA256 hash of a string and encode the result to Base64 format:

encode_base64(sha256("my-token"))

Combines hashing and encoding for systems that expect Base64-encoded signatures.

For more information, refer to the Functions reference.

Rules - New functions for array and map operations

Tue, 20 Jan 2026 00:00:00 GMT

New functions for array and map operations

Cloudflare Rulesets now include new functions that enable advanced expression logic for evaluating arrays and maps. These functions allow you to build rules that match against lists of values in request or response headers, enabling use cases like country-based blocking using custom headers.

New functions

Function	Description
`split(source, delimiter)`	Splits a string into an array of strings using the specified delimiter.
`join(array, delimiter)`	Joins an array of strings into a single string using the specified delimiter.
`has_key(map, key)`	Returns `true` if the specified key exists in the map.
`has_value(map, value)`	Returns `true` if the specified value exists in the map.

Example use cases

Check if a country code exists in a header list:

has_value(split(http.response.headers["x-allow-country"][0], ","), ip.src.country)

Check if a specific header key exists:

has_key(http.request.headers, "x-custom-header")

Join array values for logging or comparison:

join(http.request.headers.names, ", ")

For more information, refer to the Functions reference.

Cloudflare Fundamentals, SDK - Cloudflare Typescript SDK v6.0.0-beta.1 now available

Tue, 20 Jan 2026 00:00:00 GMT

Disclaimer: Please note that v6.0.0-beta.1 is in Beta and we are still testing it for stability.

Full Changelog: v5.2.0...v6.0.0-beta.1

Some breaking changes were introduced due to bug fixes, also listed below.

Please ensure you read through the list of changes below before moving to this version - this will help you understand any down or upstream issues it may cause to your environments.

Breaking Changes

Addressing - Parameter Requirements Changed

BGPPrefixCreateParams.cidr: optional → required
PrefixCreateParams.asn: number | null → number
PrefixCreateParams.loa_document_id: required → optional
ServiceBindingCreateParams.cidr: optional → required
ServiceBindingCreateParams.service_id: optional → required

API Gateway

ConfigurationUpdateResponse removed
PublicSchema → OldPublicSchema
SchemaUpload → UserSchemaCreateResponse
ConfigurationUpdateParams.properties removed; use normalize

CloudforceOne - Response Type Changes

ThreatEventBulkCreateResponse: number → complex object with counts and errors

D1 Database - Query Parameters

DatabaseQueryParams: simple interface → union type (D1SingleQuery | MultipleQueries)
DatabaseRawParams: same change
Supports batch queries via batch array

DNS Records - Type Renames (21 types)

All record type interfaces renamed from *Record to short names:

RecordResponse.ARecord → RecordResponse.A
RecordResponse.AAAARecord → RecordResponse.AAAA
RecordResponse.CNAMERecord → RecordResponse.CNAME
RecordResponse.MXRecord → RecordResponse.MX
RecordResponse.NSRecord → RecordResponse.NS
RecordResponse.PTRRecord → RecordResponse.PTR
RecordResponse.TXTRecord → RecordResponse.TXT
RecordResponse.CAARecord → RecordResponse.CAA
RecordResponse.CERTRecord → RecordResponse.CERT
RecordResponse.DNSKEYRecord → RecordResponse.DNSKEY
RecordResponse.DSRecord → RecordResponse.DS
RecordResponse.HTTPSRecord → RecordResponse.HTTPS
RecordResponse.LOCRecord → RecordResponse.LOC
RecordResponse.NAPTRRecord → RecordResponse.NAPTR
RecordResponse.SMIMEARecord → RecordResponse.SMIMEA
RecordResponse.SRVRecord → RecordResponse.SRV
RecordResponse.SSHFPRecord → RecordResponse.SSHFP
RecordResponse.SVCBRecord → RecordResponse.SVCB
RecordResponse.TLSARecord → RecordResponse.TLSA
RecordResponse.URIRecord → RecordResponse.URI
RecordResponse.OpenpgpkeyRecord → RecordResponse.Openpgpkey

IAM Resource Groups

ResourceGroupCreateResponse.scope: optional single → required array
ResourceGroupCreateResponse.id: optional → required

Origin CA Certificates - Parameter Requirements Changed

OriginCACertificateCreateParams.csr: optional → required
OriginCACertificateCreateParams.hostnames: optional → required
OriginCACertificateCreateParams.request_type: optional → required

Pipelines - v0 to v1 Migration

Entire v0 API deprecated; use v1 methods (createV1, listV1, etc.)
New sub-resources: Sinks, Streams

R2

EventNotificationUpdateParams.rules: optional → required
Super Slurper: bucket, secret now required in source params

Radar

dataSource: string → typed enum (23 values)
eventType: string → typed enum (6 values)
V2 methods require dimension parameter (breaking signature change)

Resource Sharing

Removed: status_message field from all recipient response types

Schema Validation

Consolidated SchemaCreateResponse, SchemaListResponse, SchemaEditResponse, SchemaGetResponse → PublicSchema
Renamed: SchemaListResponsesV4PagePaginationArray → PublicSchemasV4PagePaginationArray

Spectrum

Renamed union members: AppListResponse.UnionMember0 → SpectrumConfigAppConfig
Renamed union members: AppListResponse.UnionMember1 → SpectrumConfigPaygoAppConfig

Workers

Removed: WorkersBindingKindTailConsumer type (all occurrences)
Renamed: ScriptsSinglePage → ScriptListResponsesSinglePage
Removed: DeploymentsSinglePage

Zero-Trust DLP

datasets.create(), update(), get() return types changed
PredefinedGetResponse union members renamed to UnionMember0-5

Zero-Trust Tunnels

Removed: CloudflaredCreateResponse, CloudflaredListResponse, CloudflaredDeleteResponse, CloudflaredEditResponse, CloudflaredGetResponse
Removed: CloudflaredListResponsesV4PagePaginationArray

Features

Abuse Reports (`client.abuseReports`)

Reports: create, list, get
Mitigations: sub-resource for abuse mitigations

AI Search (`client.aisearch`)

Instances: create, update, list, delete, read, stats
Items: list, get
Jobs: create, list, get, logs
Tokens: create, update, list, delete, read

Connectivity (`client.connectivity`)

Directory Services: create, update, list, delete, get
Supports IPv4, IPv6, dual-stack, and hostname configurations

Organizations (`client.organizations`)

Organizations: create, update, list, delete, get
OrganizationProfile: update, get
Hierarchical organization support with parent/child relationships

R2 Data Catalog (`client.r2DataCatalog`)

Catalog: list, enable, disable, get
Credentials: create
MaintenanceConfigs: update, get
Namespaces: list
Tables: list, maintenance config management
Apache Iceberg integration

Realtime Kit (`client.realtimeKit`)

Apps: get, post
Meetings: create, get, participant management
Livestreams: 10+ methods for streaming
Recordings: start, pause, stop, get
Sessions: transcripts, summaries, chat
Webhooks: full CRUD
ActiveSession: polls, kick participants
Analytics: organization analytics

Token Validation (`client.tokenValidation`)

Configuration: create, list, delete, edit, get
Credentials: update
Rules: create, list, delete, bulkCreate, bulkEdit, edit, get
JWT validation with RS256/384/512, PS256/384/512, ES256, ES384

Alerting Silences (`client.alerting.silences`)

create, update, list, delete, get

IAM SSO (`client.iam.sso`)

create, update, list, delete, get, beginVerification

Pipelines v1 (`client.pipelines`)

Sinks: create, list, delete, get
Streams: create, update, list, delete, get

Zero-Trust AI Controls / MCP (`client.zeroTrust.access.aiControls.mcp`)

Portals: create, update, list, delete, read
Servers: create, update, list, delete, read, sync

Accounts

managed_by field with parent_org_id, parent_org_name

Addressing LOA Documents

auto_generated field on LOADocumentCreateResponse

Addressing Prefixes

delegate_loa_creation, irr_validation_state, ownership_validation_state, ownership_validation_token, rpki_validation_state

AI

Added toMarkdown.supported() method to get all supported conversion formats

AI Gateway

zdr field added to all responses and params

Alerting

New alert type: abuse_report_alert
type field added to PolicyFilter

Browser Rendering

ContentCreateParams: refined to discriminated union (Variant0 | Variant1)
Split into URL-based and HTML-based parameter variants for better type safety

Client Certificates

reactivate parameter in edit

CloudforceOne

ThreatEventCreateParams.indicatorType: required → optional
hasChildren field added to all threat event response types
datasetIds query parameter on AttackerListParams, CategoryListParams, TargetIndustryListParams
categoryUuid field on TagCreateResponse
indicators array for multi-indicator support per event
uuid and preserveUuid fields for UUID preservation in bulk create
format query parameter ('json' | 'stix2') on ThreatEventListParams
createdAt, datasetId fields on ThreatEventEditParams

Content Scanning

Added create(), update(), get() methods

Custom Pages

New page types: basic_challenge, under_attack, waf_challenge

D1

served_by_colo - colo that handled query
jurisdiction - 'eu' | 'fedramp'
Time Travel (client.d1.database.timeTravel): getBookmark(), restore() - point-in-time recovery

Email Security

New fields on InvestigateListResponse/InvestigateGetResponse: envelope_from, envelope_to, postfix_id_outbound, replyto
New detection classification: 'outbound_ndr'
Enhanced Finding interface with attachment, detection, field, portion, reason, score
Added cursor query parameter to InvestigateListParams

Gateway Lists

New list types: CATEGORY, LOCATION, DEVICE

Intel

New issue type: 'configuration_suggestion'
payload field: unknown → typed Payload interface with detection_method, zone_tag

Leaked Credential Checks

Added detections.get() method

Logpush

New datasets: dex_application_tests, dex_device_state_events, ipsec_logs, warp_config_changes, warp_toggle_changes

Load Balancers

Monitor.port: number → number | null
Pool.load_shedding: LoadShedding → LoadShedding | null
Pool.origin_steering: OriginSteering → OriginSteering | null

Magic Transit

license_key field on connectors
provision_license parameter for auto-provisioning
IPSec: custom_remote_identities with FQDN support
Snapshots: Bond interface, probed_mtu field

Queues

Added subscriptions.get() method
Enhanced SubscriptionGetResponse with typed event source interfaces
New event source types: Images, KV, R2, Vectorize, Workers AI, Workers Builds, Workflows

R2

Sippy: new provider s3 (S3-compatible endpoints)
Sippy: bucketUrl field for S3-compatible sources
Super Slurper: keys field on source response schemas (specify specific keys to migrate)
Super Slurper: pathPrefix field on source schemas
Super Slurper: region field on S3 source params

Radar

Added geolocations.list(), geolocations.get() methods
Added V2 dimension-based methods (summaryV2, timeseriesGroupsV2) to radar sub-resources

Resource Sharing

Added terminal boolean field to Resource Error interfaces

Rules

Added id field to ItemDeleteParams.Item

Rulesets

New buffering fields on SetConfigRule: request_body_buffering, response_body_buffering

Secrets Store

New scopes: 'dex', 'access' (in addition to 'workers', 'ai_gateway')

SSL Certificate Packs

Response types now proper interfaces (was unknown)
Fields now required: id, certificates, hosts, status, type

Security Center

payload field: unknown → typed Payload interface with detection_method, zone_tag

Shared Types

Added: CloudflareTunnelsV4PagePaginationArray pagination class

Workers

Added subdomains.delete() method
Worker.references - track external dependencies (domains, Durable Objects, queues)
Worker.startup_time_ms - startup timing
Script.observability - observability settings with logging
Script.tag, Script.tags - immutable ID and tags
Placement: support for region, hostname, host-based placement
tags, tail_consumers now accept | null
Telemetry: traces field, $containers event info, durableObjectId, transactionName, abr_level fields

Workers for Platforms

ScriptUpdateResponse: new fields entry_point, observability, tag, tags
placement field now union of 4 variants (smart mode, region, hostname, host)
tags, tail_consumers now nullable
TagUpdateParams.body now accepts null

Workflows

instance_retention: unknown → typed InstanceRetention interface with error_retention, success_retention
New status option: 'restart' added to StatusEditParams.status

Zero-Trust Devices

External emergency disconnect settings (4 new fields)
antivirus device posture check type
os_version_extra documentation improvements

Zones

New response types: SubscriptionCreateResponse, SubscriptionUpdateResponse, SubscriptionGetResponse

Zero-Trust Access Applications

New ApplicationType values: 'mcp', 'mcp_portal', 'proxy_endpoint'
New destination type: ViaMcpServerPortalDestination for MCP server access

Zero-Trust Gateway

Added rules.listTenant() method

Zero-Trust Gateway - Proxy Endpoints

ProxyEndpoint: interface → discriminated union (ZeroTrustGatewayProxyEndpointIP | ZeroTrustGatewayProxyEndpointIdentity)
ProxyEndpointCreateParams: interface → union type
Added kind field: 'ip' | 'identity'

Zero-Trust Tunnels

WARPConnector*Response: union type → interface

Deprecations

API Gateway: UserSchemas, Settings, SchemaValidation resources
Audit Logs: auditLogId.not (use id.not)
CloudforceOne: ThreatEvents.get(), IndicatorTypes.list()
Devices: public_ip field (use DEX API)
Email Security: item_count field in Move responses
Pipelines: v0 methods (use v1)
Radar: old summary() and timeseriesGroups() methods (use V2)
Rulesets: disable_apps, mirage fields
WARP Connector: connections field
Workers: environment parameter in Domains
Zones: ResponseBuffering page rule

Bug Fixes

mcp: correct code tool API endpoint (599703c)
mcp: return correct lines on typescript errors (5d6f999)
organization_profile: fix bad reference (d84ea77)
schema_validation: correctly reflect model to openapi mapping (bb86151)
workers: fix tests (2ee37f7)

Documentation

Added deprecation notices with migration paths
api_gateway: deprecate API Shield Schema Validation resources (8a4b20f)
Improved JSDoc examples across all resources
workers: expose subdomain delete documentation (4f7cc1f)

Cloudflare Fundamentals, Terraform - Terraform v5.16.0 now available

Tue, 20 Jan 2026 00:00:00 GMT

In January 2025, we announced the launch of the new Terraform v5 Provider. We greatly appreciate the proactive engagement and valuable feedback from the Cloudflare community following the v5 release. In response, we've established a consistent and rapid 2-3 week cadence for releasing targeted improvements, demonstrating our commitment to stability and reliability.

Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs.

This release includes bug fixes, the stabilization of even more popular resources, and more.

Features

custom_pages: add "waf_challenge" as new supported error page type identifier in both resource and data source schemas
list: enhance CIDR validator to check for normalized CIDR notation requiring network address for IPv4 and IPv6
magic_wan_gre_tunnel: add automatic_return_routing attribute for automatic routing control
magic_wan_gre_tunnel: add BGP configuration support with new BGP model attribute
magic_wan_gre_tunnel: add bgp_status computed attribute for BGP connection status information
magic_wan_gre_tunnel: enhance schema with BGP-related attributes and validators
magic_wan_ipsec_tunnel: add automatic_return_routing attribute for automatic routing control
magic_wan_ipsec_tunnel: add BGP configuration support with new BGP model attribute
magic_wan_ipsec_tunnel: add bgp_status computed attribute for BGP connection status information
magic_wan_ipsec_tunnel: add custom_remote_identities attribute for custom identity configuration
magic_wan_ipsec_tunnel: enhance schema with BGP and identity-related attributes
ruleset: add request body buffering support
ruleset: enhance ruleset data source with additional configuration options
workers_script: add observability logs attributes to list data source model
workers_script: enhance list data source schema with additional configuration options

Bug Fixes

account_member: fix resource importability issues
dns_record: remove unnecessary fmt.Sprintf wrapper around LoadTestCase call in test configuration helper function
load_balancer: fix session_affinity_ttl type expectations to match Float64 in initial creation and Int64 after migration
workers_kv: handle special characters correctly in URL encoding

Documentation

account_subscription: update schema description for rate_plan.sets attribute to clarify it returns an array of strings
api_shield: add resource-level description for API Shield management of auth ID characteristics
api_shield: enhance auth_id_characteristics.name attribute description to include JWT token configuration format requirements
api_shield: specify JSONPath expression format for JWT claim locations
hyperdrive_config: add description attribute to name attribute explaining its purpose in dashboard and API identification
hyperdrive_config: apply description improvements across resource, data source, and list data source schemas
hyperdrive_config: improve schema descriptions for cache settings to clarify default values
hyperdrive_config: update port description to clarify defaults for different database types

For more information

Cloudflare Fundamentals - Enhanced HTTP/3 request cancellation visibility

Mon, 19 Jan 2026 00:00:00 GMT

Enhanced HTTP/3 request cancellation visibility

Cloudflare now provides more accurate visibility into HTTP/3 client request cancellations, giving you better insight into real client behavior and reducing unnecessary load on your origins.

Previously, when an HTTP/3 client cancelled a request, the cancellation was not always actioned immediately. This meant requests could continue through the CDN — potentially all the way to your origin — even after the client had abandoned them. In these cases, logs would show the upstream response status (such as 200 or a timeout-related code) rather than reflecting the client cancellation.

Now, Cloudflare terminates cancelled HTTP/3 requests immediately and accurately logs them with a 499 status code.

Better observability for client behavior

When HTTP/3 clients cancel requests, Cloudflare now immediately reflects this in your logs with a 499 status code. This gives you:

More accurate traffic analysis: Understand exactly when and how often clients cancel requests.
Clearer debugging: Distinguish between true errors and intentional client cancellations.
Better availability metrics: Separate client-initiated cancellations from server-side issues.

Reduced origin load

Cloudflare now terminates cancelled requests faster, which means:

Less wasted compute: Your origin no longer processes requests that clients have already abandoned.
Lower bandwidth usage: Responses are no longer generated and transmitted for cancelled requests.
Improved efficiency: Resources are freed up to handle active requests.

What to expect in your logs

You may notice an increase in 499 status codes for HTTP/3 traffic. For HTTP/3, a 499 indicates the client cancelled the request stream before receiving a complete response — the underlying connection may remain open. This is a normal part of web traffic.

Tip: If you use 499 codes in availability calculations, consider whether client-initiated cancellations should be excluded from error rates. These typically represent normal user behavior — such as closing a browser, navigating away from a page, mobile network drops, or cancelling a download — rather than service issues.

For more information, refer to Error 499.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Verify WARP Connector connectivity with a simple ping

Thu, 15 Jan 2026 00:00:00 GMT

We have made it easier to validate connectivity when deploying WARP Connector as part of your software-defined private network.

You can now ping the WARP Connector host directly on its LAN IP address immediately after installation. This provides a fast, familiar way to confirm that the Connector is online and reachable within your network before testing access to downstream services.

Starting with version 2025.10.186.0, WARP Connector responds to traffic addressed to its own LAN IP, giving you immediate visibility into Connector reachability.

Learn more about deploying WARP Connector and building private network connectivity with Cloudflare One.

AI Crawl Control - AI Crawl Control Read Only role now available

Tue, 13 Jan 2026 00:00:00 GMT

Account administrators can now assign the AI Crawl Control Read Only role to provide read-only access to AI Crawl Control at the domain level.

Users with this role can view the Overview, Crawlers, Metrics, Robots.txt, and Settings tabs but cannot modify crawler actions or settings.

This role is specific for AI Crawl Control. You still require correct permissions to access other areas / features of the dashboard.

To assign, go to Manage Account > Members and add a policy with the AI Crawl Control Read Only role scoped to the desired domain.

Rules - Metro code field now available in Rules

Mon, 12 Jan 2026 00:00:00 GMT

The ip.src.metro_code field in the Ruleset Engine is now populated with DMA (Designated Market Area) data.

You can use this field to build rules that target traffic based on geographic market areas, enabling more granular location-based policies for your applications.

Field details

Field	Type	Description
`ip.src.metro_code`	String \| null	The metro code (DMA) of the incoming request's IP address. Returns the designated market area code for the client's location.

Example filter expression:

ip.src.metro_code eq "501"

For more information, refer to the Fields reference.

Cloudflare Fundamentals, Terraform - Terraform v5.15.0 now available

Fri, 19 Dec 2025 00:00:00 GMT

Earlier this year, we announced the launch of the new Terraform v5 Provider. We are aware of the high number of issues reported by the Cloudflare community related to the v5 release. We have committed to releasing improvements on a 2-3 week cadence to ensure its stability and reliability, including the v5.15 release. We have also pivoted from an issue-to-issue approach to a resource-per-resource approach - we will be focusing on specific resources to not only stabilize the resource but also ensure it is migration-friendly for those migrating from v4 to v5.

Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs.

This release includes bug fixes, the stabilization of even more popular resources, and more.

Features

ai_search: Add AI Search endpoints (6f02adb)
certificate_pack: Ensure proper Terraform resource ID handling for path parameters in API calls (081f32a)
worker_version: Support startup_time_ms (286ab55)
zero_trust_dlp_custom_entry: Support upload_status (7dc0fe3)
zero_trust_dlp_entry: Support upload_status (7dc0fe3)
zero_trust_dlp_integration_entry: Support upload_status (7dc0fe3)
zero_trust_dlp_predefined_entry: Support upload_status (7dc0fe3)
zero_trust_gateway_policy: Support forensic_copy (5741fd0)
zero_trust_list: Support additional types (category, location, device) (5741fd0)

Bug fixes

access_rules: Add validation to prevent state drift. Ideally, we'd use Semantic Equality but since that isn't an option, this will remove a foot-gun. (4457791)
cloudflare_pages_project: Addressing drift issues (6edffcf) (3db318e)
cloudflare_worker: Can be cleanly imported (4859b52)
cloudflare_worker: Ensure clean imports (5b525bc)
list_items: Add validation for IP List items to avoid inconsistent state (b6733dc)
zero_trust_access_application: Remove all conditions from sweeper (3197f1a)
spectrum_application: Map missing fields during spectrum resource import (#6495) (ddb4e72)

Upgrade to newer version

We suggest waiting to migrate to v5 while we work on stabilization. This helps with avoiding any blocking issues while the Terraform resources are actively being stabilized. We will be releasing a new migration tool in March 2026 to help support v4 to v5 transitions for our most popular resources.

For more information

AI Crawl Control - New AI Crawl Control Overview tab

Thu, 18 Dec 2025 00:00:00 GMT

The Overview tab is now the default view in AI Crawl Control. The previous default view with controls for individual AI crawlers is available in the Crawlers tab.

What's new

Executive summary — Monitor total requests, volume change, most common status code, most popular path, and high-volume activity
Operator grouping — Track crawlers by their operating companies (OpenAI, Microsoft, Google, ByteDance, Anthropic, Meta)
Customizable filters — Filter your snapshot by date range, crawler, operator, hostname, or path

Get started

Log in to the Cloudflare dashboard and select your account and domain.
Go to AI Crawl Control, where the Overview tab opens by default with your activity snapshot.
Use filters to customize your view by date range, crawler, operator, hostname, or path.
Navigate to the Crawlers tab to manage controls for individual crawlers.

Learn more about analyzing AI traffic and managing AI crawlers.

Analytics - Improved accuracy of cached request classification in analytics

Thu, 18 Dec 2025 00:00:00 GMT

The cached/uncached classification logic used in Zone Overview analytics has been updated to improve accuracy.

Previously, requests were classified as "cached" based on an overly broad condition that included blocked 403 responses, Snippets requests, and other non-cache request types. This caused inflated cache hit ratios — in some cases showing near-100% cached — and affected approximately 15% of requests classified as cached in rollups.

The condition has been removed from the Zone Overview page. Cached/uncached classification now aligns with the heuristics used in HTTP Analytics, so only requests genuinely served from cache are counted as cached.

What changed:

Zone Overview — Cache ratios now reflect actual cache performance.
HTTP Analytics — No change. HTTP Analytics already used the correct classification logic.
Historical data — This fix applies to new requests only. Previously logged data is not retroactively updated.

Logs - SentinelOne as Logpush destination

Thu, 11 Dec 2025 00:00:00 GMT

Cloudflare Logpush now supports SentinelOne as a native destination.

Logs from Cloudflare can be sent to SentinelOne AI SIEM via Logpush. The destination can be configured through the Logpush UI in the Cloudflare dashboard or by using the Logpush API.

For more information, refer to the Destination Configuration documentation.

AI Crawl Control - Pay Per Crawl (Private beta) - Discovery API, custom pricing, and advanced configuration

Wed, 10 Dec 2025 00:00:00 GMT

Pay Per Crawl is introducing enhancements for both AI crawler operators and site owners, focusing on programmatic discovery, flexible pricing models, and granular configuration control.

For AI crawler operators

Discovery API

A new authenticated API endpoint allows verified crawlers to programmatically discover domains participating in Pay Per Crawl. Crawlers can use this to build optimized crawl queues, cache domain lists, and identify new participating sites. This eliminates the need to discover payable content through trial requests.

The API endpoint is GET https://crawlers-api.ai-audit.cfdata.org/charged_zones and requires Web Bot Auth authentication. Refer to Discover payable content for authentication steps, request parameters, and response schema.

Payment header signature requirement

Payment headers (crawler-exact-price or crawler-max-price) must now be included in the Web Bot Auth signature-input header components. This security enhancement prevents payment header tampering, ensures authenticated payment intent, validates crawler identity with payment commitment, and protects against replay attacks with modified pricing. Crawlers must add their payment header to the list of signed components when constructing the signature-input header.

New `crawler-error` header

Pay Per Crawl error responses now include a new crawler-error header with 11 specific error codes for programmatic handling. Error response bodies remain unchanged for compatibility. These codes enable robust error handling, automated retry logic, and accurate spending tracking.

For site owners

Configure free pages

Site owners can now offer free access to specific pages like homepages, navigation, or discovery pages while charging for other content. Create a Configuration Rule in Rules > Configuration Rules, set your URI pattern using wildcard, exact, or prefix matching on the URI Full field, and enable the Disable Pay Per Crawl setting. When disabled for a URI pattern, crawler requests pass through without blocking or charging.

Some paths are always free to crawl. These paths are: /robots.txt, /sitemap.xml, /security.txt, /.well-known/security.txt, /crawlers.json.

Get started

AI crawler operators: Discover payable content | Crawl pages

Site owners: Advanced configuration

Cloudflare Fundamentals, Terraform - Terraform v5.14.0 now available

Fri, 05 Dec 2025 00:00:00 GMT

Earlier this year, we announced the launch of the new Terraform v5 Provider. We are aware of the high number of issues reported by the Cloudflare community related to the v5 release. We have committed to releasing improvements on a 2-3 week cadence to ensure its stability and reliability, including the v5.14 release. We have also pivoted from an issue-to-issue approach to a resource-per-resource approach - we will be focusing on specific resources to not only stabilize the resource but also ensure it is migration-friendly for those migrating from v4 to v5.

Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs.

This release includes bug fixes, the stabilization of even more popular resources, and more.

Deprecation notice

Resource affected: api_shield_discovery_operation

Cloudflare continuously discovers and updates API endpoints and web assets of your web applications. To improve the maintainability of these dynamic resources, we are working on reducing the need to actively engage with discovered operations.

The corresponding public API endpoint of discovered operations is not affected and will continue to be supported.

Features

pages_project: Add v4 -> v5 migration tests (#6506)

Bug fixes

account_members: Makes member policies a set (#6488)
pages_project: Ensures non empty refresh plans (#6515)
R2: Improves sweeper (#6512)
workers_kv: Ignores value import state for verify (#6521)
workers_script: No longer treats the migrations attribute as WriteOnly (#6489)
workers_script: Resolves resource drift when worker has unmanaged secret (#6504)
zero_trust_device_posture_rule: Preserves input.version and other fields (#6500) and (#6503)
zero_trust_dlp_custom_profile: Adds sweepers for dlp_custom_profile
zone_subscription|account_subscription: Adds partners_ent as valid enum for rate_plan.id (#6505)
zone: Ensures datasource model schema parity (#6487)
subscription: Updates import signature to accept account_id/subscription_id to import account subscription (#6510)

Upgrade to newer version

For more information

Cloudflare Fundamentals, Terraform - Terraform v5.13.0 now available

Thu, 20 Nov 2025 00:00:00 GMT

Earlier this year, we announced the launch of the new Terraform v5 Provider. We are aware of the high number of issues reported by the Cloudflare community related to the v5 release. We have committed to releasing improvements on a 2-3 week cadence to ensure its stability and reliability, including the v5.13 release. We have also pivoted from an issue-to-issue approach to a resource-per-resource approach - we will be focusing on specific resources to not only stabilize the resource but also ensure it is migration-friendly for those migrating from v4 to v5.

Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs.

This release includes new features, new resources and data sources, bug fixes, updates to our Developer Documentation, and more.

Breaking Change

Please be aware that there are breaking changes for the cloudflare_api_token and cloudflare_account_token resources. These changes eliminate configuration drift caused by policy ordering differences in the Cloudflare API.

For more specific information about the changes or the actions required, please see the detailed Repository changelog.

Features

New resources and data sources added
- cloudflare_connectivity_directory
- cloudflare_sso_connector
- cloudflare_universal_ssl_setting
api_token+account_tokens: state upgrader and schema bump (#6472)
docs: make docs explicit when a resource does not have import support
magic_transit_connector: support self-serve license key (#6398)
worker_version: add content_base64 support
worker_version: boolean support for run_worker_first (#6407)
workers_script_subdomains: add import support (#6375)
zero_trust_access_application: add proxy_endpoint for ZT Access Application (#6453)
zero_trust_dlp_predefined_profile: Switch DLP Predefined Profile endpoints, introduce enabled_entries attribut

Bug Fixes

account_token: token policy order and nested resources (#6440)
allow r2_bucket_event_notification to be applied twice without failing (#6419)
cloudflare_worker+cloudflare_worker_version: import for the resources (#6357)
dns_record: inconsistent apply error (#6452)
pages_domain: resource tests (#6338)
pages_project: unintended resource state drift (#6377)
queue_consumer: id population (#6181)
workers_kv: multipart request (#6367)
workers_kv: updating workers metadata attribute to be read from endpoint (#6386)
workers_script_subdomain: add note to cloudflare_workers_script_subdomain about redundancy with cloudflare_worker (#6383)
workers_script: allow config.run_worker_first to accept list input
zero_trust_device_custom_profile_local_domain_fallback: drift issues (#6365)
zero_trust_device_custom_profile: resolve drift issues (#6364)
zero_trust_dex_test: correct configurability for 'targeted' attribute to fix drift
zero_trust_tunnel_cloudflared_config: remove warp_routing from cloudflared_config (#6471)

Upgrading

We suggest holding off on migration to v5 while we work on stabilization. This help will you avoid any blocking issues while the Terraform resources are actively being stabilized. We will be releasing a new migration tool in March 2026 to help support v4 to v5 transitions for our most popular resources.

For more info

Log Explorer - Fixed custom SQL date picker inconsistencies

Thu, 13 Nov 2025 00:00:00 GMT

We've resolved a bug in Log Explorer that caused inconsistencies between the custom SQL date field filters and the date picker dropdown. Previously, users attempting to filter logs based on a custom date field via a SQL query sometimes encountered unexpected results or mismatching dates when using the interactive date picker.

This fix ensures that the custom SQL date field filters now align correctly with the selection made in the date picker dropdown, providing a reliable and predictable filtering experience for your log data. This is particularly important for users creating custom log views based on time-sensitive fields.

Log Explorer - Log Explorer adds 14 new datasets

Thu, 13 Nov 2025 00:00:00 GMT

We've significantly enhanced Log Explorer by adding support for 14 additional Cloudflare product datasets.

This expansion enables Operations and Security Engineers to gain deeper visibility and telemetry across a wider range of Cloudflare services. By integrating these new datasets, users can now access full context to efficiently investigate security incidents, troubleshoot application performance issues, and correlate logged events across different layers (like application and network) within a single interface. This capability is crucial for a complete and cohesive understanding of event flows across your Cloudflare environment.

The newly supported datasets include:

Zone Level

Dns_logs
Nel_reports
Page_shield_events
Spectrum_events
Zaraz_events

Account Level

Audit Logs
Audit_logs_v2
Biso_user_actions
DNS firewall logs
Email_security_alerts
Magic Firewall IDS
Network Analytics
Sinkhole HTTP
ipsec_logs

Example: Correlating logs

You can now use Log Explorer to query and filter with each of these datasets. For example, you can identify an IP address exhibiting suspicious behavior in the FW_event logs, and then instantly pivot to the Network Analytics logs or Access logs to see its network-level traffic profile or if it bypassed a corporate policy.

To learn more and get started, refer to the Log Explorer documentation and the Cloudflare Logs documentation.

Log Explorer - Resize your custom SQL window in Log Explorer

Tue, 11 Nov 2025 00:00:00 GMT

We're excited to announce a quality-of-life improvement for Log Explorer users. You can now resize the custom SQL query window to accommodate longer and more complex queries.

Previously, if you were writing a long custom SQL query, the fixed-size window required excessive scrolling to view the full query. This update allows you to easily drag the bottom edge of the query window to make it taller. This means you can view your entire custom query at once, improving the efficiency and experience of writing and debugging complex queries.

To learn more and get started, refer to the Log Explorer documentation.

Logs - Logpush Health Dashboards

Tue, 11 Nov 2025 00:00:00 GMT

We’re excited to introduce Logpush Health Dashboards, giving customers real-time visibility into the status, reliability, and performance of their Logpush jobs. Health dashboards make it easier to detect delivery issues, monitor job stability, and track performance across destinations. The dashboards are divided into two sections:

Upload Health: See how much data was successfully uploaded, where drops occurred, and how your jobs are performing overall. This includes data completeness, success rate, and upload volume.
Upload Reliability – Diagnose issues impacting stability, retries, or latency, and monitor key metrics such as retry counts, upload duration, and destination availability.

Health Dashboards can be accessed from the Logpush page in the Cloudflare dashboard at the account or zone level, under the Health tab. For more details, refer to our Logpush Health Dashboards documentation, which includes a comprehensive troubleshooting guide to help interpret and resolve common issues.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - cloudflared proxy-dns command will be removed starting February 2, 2026

Tue, 11 Nov 2025 00:00:00 GMT

Starting February 2, 2026, the cloudflared proxy-dns command will be removed from all new cloudflared releases.

This change is being made to enhance security and address a potential vulnerability in an underlying DNS library. This vulnerability is specific to the proxy-dns command and does not affect any other cloudflared features, such as the core Cloudflare Tunnel service.

The proxy-dns command, which runs a client-side DNS-over-HTTPS (DoH) proxy, has been an officially undocumented feature for several years. This functionality is fully and securely supported by our actively developed products.

Versions of cloudflared released before this date will not be affected and will continue to operate. However, note that our official support policy for any cloudflared release is one year from its release date.

Migration paths

We strongly advise users of this undocumented feature to migrate to one of the following officially supported solutions before February 2, 2026, to continue benefiting from secure DNS-over-HTTPS.

End-user devices

The preferred method for enabling DNS-over-HTTPS on user devices is the Cloudflare WARP client. The WARP client automatically secures and proxies all DNS traffic from your device, integrating it with your organization's Zero Trust policies and posture checks.

Servers, routers, and IoT devices

For scenarios where installing a client on every device is not possible (such as servers, routers, or IoT devices), we recommend using the WARP Connector.

Instead of running cloudflared proxy-dns on a machine, you can install the WARP Connector on a single Linux host within your private network. This connector will act as a gateway, securely routing all DNS and network traffic from your entire subnet to Cloudflare for filtering and logging.

AI Crawl Control - Crawler drilldowns with extended actions menu

Mon, 10 Nov 2025 00:00:00 GMT

AI Crawl Control now supports per-crawler drilldowns with an extended actions menu and status code analytics. Drill down into Metrics, Cloudflare Radar, and Security Analytics, or export crawler data for use in WAF custom rules, Redirect Rules, and robots.txt files.

What's new

Status code distribution chart

The Metrics tab includes a status code distribution chart showing HTTP response codes (2xx, 3xx, 4xx, 5xx) over time. Filter by individual crawler, category, operator, or time range to analyze how specific crawlers interact with your site.

Extended actions menu

Each crawler row includes a three-dot menu with per-crawler actions:

View Metrics — Filter the AI Crawl Control Metrics page to the selected crawler.
View on Cloudflare Radar — Access verified crawler details on Cloudflare Radar.
Copy User Agent — Copy user agent strings for use in WAF custom rules, Redirect Rules, or robots.txt files.
View in Security Analytics — Filter Security Analytics by detection IDs (Bot Management customers).
Copy Detection ID — Copy detection IDs for use in WAF custom rules (Bot Management customers).

Get started

Log in to the Cloudflare dashboard, and select your account and domain.
Go to AI Crawl Control > Metrics to access the status code distribution chart.
Go to AI Crawl Control > Crawlers and select the three-dot menu for any crawler to access per-crawler actions.
Select multiple crawlers to use bulk copy buttons for user agents or detection IDs.

Learn more about AI Crawl Control.

Logs - Logpush Permission Update for Zero Trust Datasets

Wed, 05 Nov 2025 00:00:00 GMT

Permissions for managing Logpush jobs related to Zero Trust datasets (Access, Gateway, and DEX) have been updated to improve data security and enforce appropriate access controls.

To view, create, update, or delete Logpush jobs for Zero Trust datasets, users must now have both of the following permissions:

Logs Edit
Zero Trust: PII Read

Log Explorer - Log Explorer now supports query cancellation

Tue, 04 Nov 2025 00:00:00 GMT

We're excited to announce that Log Explorer users can now cancel queries that are currently running.

This new feature addresses a common pain point: waiting for a long, unintended, or misconfigured query to complete before you can submit a new, correct one. With query cancellation, you can immediately stop the execution of any undesirable query, allowing you to quickly craft and submit a new query, significantly improving your investigative workflow and productivity within Log Explorer.

Log Explorer - Log Explorer now shows query result distribution

Tue, 04 Nov 2025 00:00:00 GMT

We're excited to announce a new feature in Log Explorer that significantly enhances how you analyze query results: the Query results distribution chart.

This new chart provides a graphical distribution of your results over the time window of the query. Immediately after running a query, you will see the distribution chart above your result table. This visualization allows Log Explorer users to quickly spot trends, identify anomalies, and understand the temporal concentration of log events that match their criteria. For example, you can visually confirm if a spike in traffic or errors occurred at a specific time, allowing you to focus your investigation efforts more effectively. This feature makes it faster and easier to extract meaningful insights from your vast log data.

The chart will dynamically update to reflect the logs matching your current query.

Cloudflare Fundamentals - Introducing email two-factor authentication

Thu, 30 Oct 2025 00:00:00 GMT

Two-factor authentication (2FA) is one of the best ways to protect your account from the risk of account takeover. Cloudflare has offered phishing resistant 2FA options including hardware based keys (for example, a Yubikey) and app based TOTP (time-based one-time password) options which use apps like Google or Microsoft's Authenticator app. Unfortunately, while these solutions are very secure, they can be lost if you misplace the hardware based key, or lose the phone which includes that app. The result is that users sometimes get locked out of their accounts and need to contact support.

Today, we are announcing the addition of email as a 2FA factor for all Cloudflare accounts. Email 2FA is in wide use across the industry as a least common denominator for 2FA because it is low friction, loss resistant, and still improves security over username/password login only. We also know that most commercial email providers already require 2FA, so your email address is usually well protected already.

You can now enable email 2FA on the Cloudflare dashboard:

Go to Profile at the top right corner.
Select Authentication.
Under Two-Factor Authentication, select Set up.

Sign-in security best practices

Cloudflare is critical infrastructure, and you should protect it as such. Review the following best practices and make sure you are doing your part to secure your account:

Use a unique password for every website, including Cloudflare, and store it in a password manager like 1Password or Keeper. These services are cross-platform and simplify the process of managing secure passwords.
Use 2FA to make it harder for an attacker to get into your account in the event your password is leaked.
Store your backup codes securely. A password manager is the best place since it keeps the backup codes encrypted, but you can also print them and put them somewhere safe in your home.
If you use an app to manage your 2FA keys, enable cloud backup, so that you don't lose your keys in the event you lose your phone.
If you use a custom email domain to sign in, configure SSO.
If you use a public email domain like Gmail or Hotmail, you can also use social login with Apple, GitHub, or Google to sign in.
If you manage a Cloudflare account for work:
- Have at least two administrators in case one of them unexpectedly leaves your company.
- Use SCIM to automate permissions management for members in your Cloudflare account.

Cloudflare Fundamentals - Revamped Member Management UI

Thu, 30 Oct 2025 00:00:00 GMT

As Cloudflare's platform has grown, so has the need for precise, role-based access control. We’ve redesigned the Member Management experience in the Dashboard to help administrators more easily discover, assign, and refine permissions for specific principals.

What's New

Refreshed member invite flow

We overhauled the Invite Members UI to simplify inviting users and assigning permissions.

Refreshed Members Overview Page

We've updated the Members Overview Page to clearly display:

Member 2FA status
Which members hold Super Admin privileges
API access settings per member
Member onboarding state (accepted vs pending invite)

New Member Permission Policies Details View

We've created a new member details screen that shows all permission policies associated with a member; including policies inherited from group associations to make it easier for members to understand the effective permissions they have.

Improved Member Permission Workflow

We redesigned the permission management experience to make it faster and easier for administrators to review roles and grant access.

Account-scoped Policies Restrictions Relaxed

Previously, customers could only associate a single account-scoped policy with a member. We've relaxed this restriction, and now Administrators can now assign multiple account-scoped policies to the same member; bringing policy assignment behavior in-line with user-groups and providing greater flexibility in managing member permissions.

Rules - New TCP-based fields available in Rulesets

Thu, 30 Oct 2025 00:00:00 GMT

Build rules based on TCP transport and latency

Cloudflare now provides two new request fields in the Ruleset engine that let you make decisions based on whether a request used TCP and the measured TCP round-trip time between the client and Cloudflare. These fields help you understand protocol usage across your traffic and build policies that respond to network performance. For example, you can distinguish TCP from QUIC traffic or route high latency requests to alternative origins when needed.

New fields

Field	Type	Description
`cf.edge.client_tcp`	Boolean	Indicates whether the request used TCP. A value of true means the client connected using TCP instead of QUIC.
`cf.timings.client_tcp_rtt_msec`	Number	Reports the smoothed TCP round-trip time between the client and Cloudflare in milliseconds. For example, a value of 20 indicates roughly twenty milliseconds of RTT.

Example filter expression:

cf.edge.client_tcp && cf.timings.client_tcp_rtt_msec < 100

More information can be found in the Rules language fields reference.

Logs - Azure Sentinel Connector

Mon, 27 Oct 2025 00:00:00 GMT

Logpush now supports integration with Microsoft Sentinel.The new Azure Sentinel Connector built on Microsoft’s Codeless Connector Framework (CCF), is now avaialble. This solution replaces the previous Azure Functions-based connector, offering significant improvements in security, data control, and ease of use for customers. Logpush customers can send logs to Azure Blob Storage and configure this new Sentinel Connector to ingest those logs directly into Microsoft Sentinel.

This upgrade significantly streamlines log ingestion, improves security, and provides greater control:

Simplified Implementation: Easier for engineering teams to set up and maintain.
Cost Control: New support for Data Collection Rules (DCRs) allows you to filter and transform logs at ingestion time, offering potential cost savings.
Enhanced Security: CCF provides a higher level of security compared to the older Azure Functions connector.
ata Lake Integration: Includes native integration with Data Lake.

Find the new solution here and refer to the Cloudflare's developer documentionfor more information on the connector, including setup steps, supported logs and Microsfot's resources.

AI Crawl Control - New Robots.txt tab for tracking crawler compliance

Tue, 21 Oct 2025 00:00:00 GMT

AI Crawl Control now includes a Robots.txt tab that provides insights into how AI crawlers interact with your robots.txt files.

What's new

The Robots.txt tab allows you to:

Monitor the health status of robots.txt files across all your hostnames, including HTTP status codes, and identify hostnames that need a robots.txt file.
Track the total number of requests to each robots.txt file, with breakdowns of successful versus unsuccessful requests.
Check whether your robots.txt files contain Content Signals directives for AI training, search, and AI input.
Identify crawlers that request paths explicitly disallowed by your robots.txt directives, including the crawler name, operator, violated path, specific directive, and violation count.
Filter robots.txt request data by crawler, operator, category, and custom time ranges.

Take action

When you identify non-compliant crawlers, you can:

Block the crawler in the Crawlers tab
Create custom WAF rules for path-specific security
Use Redirect Rules to guide crawlers to appropriate areas of your site

To get started, go to AI Crawl Control > Robots.txt in the Cloudflare dashboard. Learn more in the Track robots.txt documentation.

Cloudflare Fundamentals - Increased HTTP header size limit to 128 KB

Thu, 16 Oct 2025 00:00:00 GMT

CDN now supports 128 KB request and response headers 🚀

We're excited to announce a significant increase in the maximum header size supported by Cloudflare's Content Delivery Network (CDN). Cloudflare now supports up to 128 KB for both request and response headers.

Previously, customers were limited to a total of 32 KB for request or response headers, with a maximum of 16 KB per individual header. Larger headers could cause requests to fail with HTTP 413 (Request Header Fields Too Large) errors.

What's new?

Support for large headers: You can now utilize much larger headers, whether as a single large header up to 128 KB or split over multiple headers.
Reduces 413 and 520 HTTP errors: This change drastically reduces the likelihood of customers encountering HTTP 413 errors from large request headers or HTTP 520 errors caused by oversized response headers, improving the overall reliability of your web applications.
Enhanced functionality: This is especially beneficial for applications that rely on:
- A large number of cookies.
- Large Content-Security-Policy (CSP) response headers.
- Advanced use cases with Cloudflare Workers that generate large response headers.

This enhancement improves compatibility with Cloudflare's CDN, enabling more use cases that previously failed due to header size limits.

To learn more and get started, refer to the Cloudflare Fundamentals documentation.

AI Crawl Control - Enhanced AI Crawl Control metrics with new drilldowns and filters

Tue, 14 Oct 2025 00:00:00 GMT

AI Crawl Control now provides enhanced metrics and CSV data exports to help you better understand AI crawler activity across your sites.

What's new

Track crawler requests over time

Visualize crawler activity patterns over time, and group data by different dimensions:

By Crawler — Track activity from individual AI crawlers (GPTBot, ClaudeBot, Bytespider)
By Category — Analyze crawler purpose or type
By Operator — Discover which companies (OpenAI, Anthropic, ByteDance) are crawling your site
By Host — Break down activity across multiple subdomains
By Status Code — Monitor HTTP response codes to crawlers (200s, 300s, 400s, 500s)

Analyze referrer data (Paid plans)

Identify traffic sources with referrer analytics:

View top referrers driving traffic to your site
Understand discovery patterns and content popularity from AI operators

Export data

Download your filtered view as a CSV:

Includes all applied filters and groupings
Useful for custom reporting and deeper analysis

Get started

Log in to the Cloudflare dashboard, and select your account and domain.
Go to AI Crawl Control > Metrics.
Use the grouping tabs to explore different views of your data.
Apply filters to focus on specific crawlers, time ranges, or response codes.
Select Download CSV to export your filtered data for further analysis.

Learn more about AI Crawl Control.

Cloudflare Fundamentals - Single sign-on now manageable in the user experience

Tue, 14 Oct 2025 00:00:00 GMT

During Birthday Week, we announced that single sign-on (SSO) is available for free to everyone who signs in with a custom email domain and maintains a compatible identity provider. SSO minimizes user friction around login and provides the strongest security posture available. At the time, this could only be configured using the API.

Today, we are launching a new user experience which allows users to manage their SSO configuration from within the Cloudflare dashboard. You can access this by going to Manage account > Members > Settings.

For more information

Cloudflare dashboard SSO

Cloudflare Fundamentals - Automated reminders for backup codes

Tue, 07 Oct 2025 00:00:00 GMT

The most common reason users contact Cloudflare support is lost two-factor authentication (2FA) credentials. Cloudflare supports both app-based and hardware keys for 2FA, but you could lose access to your account if you lose these. Over the past few weeks, we have been rolling out email and in-product reminders that remind you to also download backup codes (sometimes called recovery keys) that can get you back into your account in the event you lose your 2FA credentials. Download your backup codes now by logging into Cloudflare, then navigating to Profile > Security & Authentication > Backup codes.

Sign-in security best practices

Cloudflare is critical infrastructure, and you should protect it as such. Please review the following best practices and make sure you are doing your part to secure your account.

Use a unique password for every website, including Cloudflare, and store it in a password manager like 1Password or Keeper. These services are cross-platform and simplify the process of managing secure passwords.
Use 2FA to make it harder for an attacker to get into your account in the event your password is leaked
Store your backup codes securely. A password manager is the best place since it keeps the backup codes encrypted, but you can also print them and put them somewhere safe in your home.
If you use an app to manage your 2FA keys, enable cloud backup, so that you don't lose your keys in the event you lose your phone.
If you use a custom email domain to sign in, configure SSO.
If you use a public email domain like Gmail or Hotmail, you can also use social login with Apple, GitHub, or Google to sign in.
If you manage a Cloudflare account for work:
- Have at least two administrators in case one of them unexpectedly leaves your company
- Use SCIM to automate permissions management for members in your Cloudflare account

Cloudflare Fundamentals, Access - Fine-grained Permissioning for Access for Apps, IdPs, & Targets now in Public Beta

Thu, 02 Oct 2025 00:00:00 GMT

Fine-grained permissions for Access Applications, Identity Providers (IdPs), and Targets is now available in Public Beta. This expands our RBAC model beyond account & zone-scoped roles, enabling administrators to grant permissions scoped to individual resources.

What's New

Access Applications: Grant admin permissions to specific Access Applications.
Identity Providers: Grant admin permissions to individual Identity Providers.
Targets: Grant admin rights to specific Targets

For more info:

Analytics - New Confidence Intervals in GraphQL Analytics API

Wed, 01 Oct 2025 00:00:00 GMT

The GraphQL Analytics API now supports confidence intervals for sum and count fields on adaptive (sampled) datasets. Confidence intervals provide a statistical range around sampled results, helping verify accuracy and quantify uncertainty.

Supported datasets: Adaptive (sampled) datasets only.
Supported fields: All sum and count fields.
Usage: The confidence level must be provided as a decimal between 0 and 1 (e.g. 0.90, 0.95, 0.99).
Default: If no confidence level is specified, no intervals are returned.

For examples and more details, see the GraphQL Analytics API documentation.

Cloudflare Fundamentals - Return markdown

Wed, 01 Oct 2025 00:00:00 GMT

Users can now specify that they want to retrieve Cloudflare documentation as markdown rather than the previous HTML default. This can significantly reduce token consumption when used alongside Large Language Model (LLM) tools.

curl https://developers.cloudflare.com/workers/ -H 'Accept: text/markdown'  -v

If you maintain your own site and want to adopt this practice using Cloudflare Workers for your own users you can follow the example here.

Cloudflare Fundamentals - Sign in with GitHub

Thu, 25 Sep 2025 00:00:00 GMT

Cloudflare has launched sign in with GitHub as a log in option. This feature is available to all users with a verified email address who are not using SSO. To use it, simply click on the Sign in with GitHub button on the dashboard login page. You will be logged in with your primary GitHub email address.

For more information

Cloudflare Fundamentals - SSO for all

Thu, 25 Sep 2025 00:00:00 GMT

Single sign-on (SSO) streamlines the process of logging into Cloudflare for Enterprise customers who manage a custom email domain and manage their own identity provider. Instead of managing a password and two-factor authentication credentials directly for Cloudflare, SSO lets you reuse your existing login infrastructure to seamlessly log in. SSO also provides additional security opportunities such as device health checks which are not available natively within Cloudflare.

Historically, SSO was only available for Enterprise accounts. Today, we are announcing that we are making SSO available to all users for free. We have also added the ability to directly manage SSO configurations using the API. This removes the previous requirement to contact support to configure SSO.

For more information

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Connect and secure any private or public app by hostname, not IP — with hostname routing for Cloudflare Tunnel

Thu, 18 Sep 2025 00:00:00 GMT

You can now route private traffic to Cloudflare Tunnel based on a hostname or domain, moving beyond the limitations of IP-based routing. This new capability is free for all Cloudflare One customers.

Previously, Tunnel routes could only be defined by IP address or CIDR range. This created a challenge for modern applications with dynamic or ephemeral IP addresses, often forcing administrators to maintain complex and brittle IP lists.

What’s new:

Hostname & Domain Routing: Create routes for individual hostnames (e.g., payroll.acme.local) or entire domains (e.g., *.acme.local) and direct their traffic to a specific Tunnel.
Simplified Zero Trust Policies: Build resilient policies in Cloudflare Access and Gateway using stable hostnames, making it dramatically easier to apply per-resource authorization for your private applications.
Precise Egress Control: Route traffic for public hostnames (e.g., bank.example.com) through a specific Tunnel to enforce a dedicated source IP, solving the IP allowlist problem for third-party services.
No More IP Lists: This feature makes the workaround of maintaining dynamic IP Lists for Tunnel connections obsolete.

Get started in the Tunnels section of the Zero Trust dashboard with your first private hostname or public hostname route.

Learn more in our blog post.

Log Explorer - Contextual pivots

Thu, 11 Sep 2025 00:00:00 GMT

Directly from Log Search results, customers can pivot to other parts of the Cloudflare dashboard to immediately take action as a result of their investigation.

From the http_requests or fw_events dataset results, right click on an IP Address or JA3 Fingerprint to pivot to the Investigate portal to lookup the reputation of an IP address or JA3 fingerprint.

Easily learn about error codes by linking directly to our documentation from the EdgeResponseStatus or OriginResponseStatus fields.

From the gateway_http dataset, click on a policyid to link directly to the Zero Trust dashboard to review or make changes to a specific Gateway policy.

Log Explorer - New results table view

Thu, 11 Sep 2025 00:00:00 GMT

The results table view of Log Search has been updated with additional functionality and a more streamlined user experience. Users can now easily:

Remove/add columns.
Resize columns.
Sort columns.
Copy values from any field.

Cloudflare Fundamentals - Reminders about two-factor authentication backup codes

Mon, 08 Sep 2025 00:00:00 GMT

Two-factor authentication is the best way to help protect your account from account takeovers, but if you lose your second factor, you could be locked out of your account. Lock outs are one of the top reasons customers contact Cloudflare support, and our policies often don't allow us to bypass two-factor authentication for customers that are locked out. Today we are releasing an improvement where Cloudflare will periodically remind you to securely save your backup codes so you don't get locked out in the future.

For more information

Two-factor authentication

Cloudflare Fundamentals - Introducing new headers for rate limiting on Cloudflare's API

Wed, 03 Sep 2025 00:00:00 GMT

Cloudflare's API now supports rate limiting headers using the pattern developed by the IETF draft on rate limiting. This allows API consumers to know how many more calls are left until the rate limit is reached, as well as how long you will need to wait until more capacity is available.

Our SDKs automatically work with these new headers, backing off when rate limits are approached. There is no action required for users of the latest Cloudflare SDKs to take advantage of this.

As always, if you need any help with rate limits, please contact Support.

Changes

New Headers

Headers that are always returned:

Ratelimit: List of service limit items, composed of the limit name, the remaining quota (r) and the time next window resets (t). For example: "default";r=50;t=30
Ratelimit-Policy: List of quota policy items, composed of the policy name, the total quota (q) and the time window the quota applies to (w). For example: "burst";q=100;w=60

Returned only when a rate limit has been reached (error code: 429):

Retry-After: Number of Seconds until more capacity is available, rounded up

SDK Back offs

All of Cloudflare's latest SDKs will automatically respond to the headers, instituting a backoff when limits are approached.

GraphQL and Edge APIs

These new headers and back offs are only available for Cloudflare REST APIs, and will not affect GraphQL.

For more information

Rate limits at Cloudflare

Log Explorer - Logging headers and cookies using custom fields

Wed, 03 Sep 2025 00:00:00 GMT

Log Explorer now supports logging and filtering on header or cookie fields in the http_requests dataset.

Create a custom field to log desired header or cookie values into the http_requests dataset and Log Explorer will import these as searchable fields. Once configured, use the custom SQL editor in Log Explorer to view or filter on these requests.

For more details, refer to Headers and cookies.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Cloudflare Tunnel and Networks API will no longer return deleted resources by default starting December 1, 2025

Tue, 02 Sep 2025 00:00:00 GMT

Starting December 1, 2025, list endpoints for the Cloudflare Tunnel API and Zero Trust Networks API will no longer return deleted tunnels, routes, subnets and virtual networks by default. This change makes the API behavior more intuitive by only returning active resources unless otherwise specified.

No action is required if you already explicitly set is_deleted=false or if you only need to list active resources.

This change affects the following API endpoints:

List all tunnels: GET /accounts/{account_id}/tunnels
List Cloudflare Tunnels: GET /accounts/{account_id}/cfd_tunnel
List WARP Connector tunnels: GET /accounts/{account_id}/warp_connector
List tunnel routes: GET /accounts/{account_id}/teamnet/routes
List subnets: GET /accounts/{account_id}/zerotrust/subnets
List virtual networks: GET /accounts/{account_id}/teamnet/virtual_networks

What is changing?

The default behavior of the is_deleted query parameter will be updated.

Scenario	Previous behavior (before December 1, 2025)	New behavior (from December 1, 2025)
`is_deleted` parameter is omitted	Returns active & deleted tunnels, routes, subnets and virtual networks	Returns only active tunnels, routes, subnets and virtual networks

Action required

If you need to retrieve deleted (or all) resources, please update your API calls to explicitly include the is_deleted parameter before December 1, 2025.

To get a list of only deleted resources, you must now explicitly add the is_deleted=true query parameter to your request:

# Example: Get ONLY deleted Tunnels
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/tunnels?is_deleted=true" \
     -H "Authorization: Bearer $API_TOKEN"

# Example: Get ONLY deleted Virtual Networks
curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/virtual_networks?is_deleted=true" \
     -H "Authorization: Bearer $API_TOKEN"

Following this change, retrieving a complete list of both active and deleted resources will require two separate API calls: one to get active items (by omitting the parameter or using is_deleted=false) and one to get deleted items (is_deleted=true).

Why we’re making this change

This update is based on user feedback and aims to:

Create a more intuitive default: Aligning with common API design principles where list operations return only active resources by default.
Reduce unexpected results: Prevents users from accidentally operating on deleted resources that were returned unexpectedly.
Improve performance: For most users, the default query result will now be smaller and more relevant.

To learn more, please visit the Cloudflare Tunnel API and Zero Trust Networks API documentation.

Cloudflare Fundamentals, Terraform - Terraform v5.9 now available

Fri, 29 Aug 2025 00:00:00 GMT

Earlier this year, we announced the launch of the new Terraform v5 Provider. We are aware of the high number of issues reported by the Cloudflare community related to the v5 release. We have committed to releasing improvements on a 2 week cadence to ensure its stability and reliability, including the v5.9 release. We have also pivoted from an issue-to-issue approach to a resource-per-resource approach - we will be focusing on specific resources for every release, stabilizing the release, and closing all associated bugs with that resource before moving onto resolving migration issues.

Thank you for continuing to raise issues. We triage them weekly and they help make our products stronger.

This release includes a new resource, cloudflare_snippet, which replaces cloudflare_snippets. cloudflare_snippet is now considered deprecated but can still be used. Please utilize cloudflare_snippet as soon as possible.

Changes

Resources stabilized:
- cloudflare_zone_setting
- cloudflare_worker_script
- cloudflare_worker_route
- tiered_cache
NEW resource cloudflare_snippet which should be used in place of cloudflare_snippets. cloudflare_snippets is now deprecated. This enables the management of Cloudflare's snippet functionality through Terraform.
DNS Record Improvements: Enhanced handling of DNS record drift detection
Load Balancer Fixes: Resolved created_on field inconsistencies and improved pool configuration handling
Bot Management: Enhanced auto-update model state consistency and fight mode configurations
Other bug fixes

For a more detailed look at all of the changes, refer to the changelog in GitHub.

Issues Closed

If you have an unaddressed issue with the provider, we encourage you to check the open issues and open a new issue if one does not already exist for what you are experiencing.

Upgrading

We suggest holding off on migration to v5 while we work on stabilization. This help will you avoid any blocking issues while the Terraform resources are actively being stabilized.

If you'd like more information on migrating from v4 to v5, please make use of the migration guide. We have provided automated migration scripts using Grit which simplify the transition. These do not support implementations which use Terraform modules, so customers making use of modules need to migrate manually. Please make use of terraform plan to test your changes before applying, and let us know if you encounter any additional issues by reporting to our GitHub repository.

For more info

AI Crawl Control - Enhanced crawler insights and custom 402 responses

Wed, 27 Aug 2025 00:00:00 GMT

We improved AI crawler management with detailed analytics and introduced custom HTTP 402 responses for blocked crawlers. AI Audit has been renamed to AI Crawl Control and is now generally available.

Enhanced Crawlers tab:

View total allowed and blocked requests for each AI crawler
Trend charts show crawler activity over your selected time range per crawler

Custom block responses (paid plans): You can now return HTTP 402 "Payment Required" responses when blocking AI crawlers, enabling direct communication with crawler operators about licensing terms.

For users on paid plans, when blocking AI crawlers you can configure:

Response code: Choose between 403 Forbidden or 402 Payment Required
Response body: Add a custom message with your licensing contact information

Example 402 response:

HTTP 402 Payment Required
Date: Mon, 24 Aug 2025 12:56:49 GMT
Content-type: application/json
Server: cloudflare
Cf-Ray: 967e8da599d0c3fa-EWR
Cf-Team: 2902f6db750000c3fa1e2ef400000001

{
  "message": "Please contact the site owner for access."
}

Audit Logs - Audit logs (version 2) - Logpush Beta Release

Fri, 22 Aug 2025 00:00:00 GMT

Audit Logs v2 dataset is now available via Logpush.

This expands on earlier releases of Audit Logs v2 in the API and Dashboard UI.

We recommend creating a new Logpush job for the Audit Logs v2 dataset.

Timelines for General Availability (GA) of Audit Logs v2 and the retirement of Audit Logs v1 will be shared in upcoming updates.

For more details on Audit Logs v2, refer to the Audit Logs documentation.

Logs - Dedicated Egress IP for Logpush

Fri, 22 Aug 2025 00:00:00 GMT

Cloudflare Logpush can now deliver logs from using fixed, dedicated egress IPs. By routing Logpush traffic through a Cloudflare zone enabled with Aegis IP, your log destination only needs to allow Aegis IPs making setup more secure.

Highlights:

Fixed egress IPs ensure your destination only accepts traffic from known addresses.
Works with any supported Logpush destination.
Recommended to use a dedicated zone as a proxy for easier management.

To get started, work with your Cloudflare account team to provision Aegis IPs, then configure your Logpush job to deliver logs through the proxy zone. For full setup instructions, refer to the Logpush documentation.

Log Explorer - Extended retention

Fri, 15 Aug 2025 00:00:00 GMT

Customers can now rely on Log Explorer to meet their log retention compliance requirements.

Contract customers can choose to store their logs in Log Explorer for up to two years, at an additional cost of $0.10 per GB per month. Customers interested in this feature can contact their account team to have it added to their contract.

Cloudflare Fundamentals, Terraform - Terraform v5.8.4 now available

Fri, 15 Aug 2025 00:00:00 GMT

Earlier this year, we announced the launch of the new Terraform v5 Provider. We are aware of the high number of issues reported by the Cloudflare Community related to the v5 release. We have committed to releasing improvements on a two week cadence to ensure stability and reliability.

One key change we adopted in recent weeks is a pivot to more comprehensive, test-driven development. We are still evaluating individual issues, but are also investing in much deeper testing to drive our stabilization efforts. We will subsequently be investing in comprehensive migration scripts. As a result, you will see several of the highest traffic APIs have been stabilized in the most recent release, and are supported by comprehensive acceptance tests.

Thank you for continuing to raise issues. We triage them weekly and they help make our products stronger.

Changes

Resources stabilized:
- cloudflare_argo_smart_routing
- cloudflare_bot_management
- cloudflare_list
- cloudflare_list_item
- cloudflare_load_balancer
- cloudflare_load_balancer_monitor
- cloudflare_load_balancer_pool
- cloudflare_spectrum_application
- cloudflare_managed_transforms
- cloudflare_url_normalization_settings
- cloudflare_snippet
- cloudflare_snippet_rules
- cloudflare_zero_trust_access_application
- cloudflare_zero_trust_access_group
- cloudflare_zero_trust_access_identity_provider
- cloudflare_zero_trust_access_mtls_certificate
- cloudflare_zero_trust_access_mtls_hostname_settings
- cloudflare_zero_trust_access_policy
- cloudflare_zone
Multipart handling restored for cloudflare_snippet
cloudflare_bot_management diff issues resolves when running terraform plan and terraform apply
Other bug fixes

For a more detailed look at all of the changes, refer to the changelog in GitHub.

Issues Closed

If you have an unaddressed issue with the provider, we encourage you to check the open issues and open a new one if one does not already exist for what you are experiencing.

Upgrading

We suggest holding off on migration to v5 while we work on stablization. This help will you avoid any blocking issues while the Terraform resources are actively being stablized.

If you'd like more information on migrating to v5, please make use of the migration guide. We have provided automated migration scripts using Grit which simplify the transition. These migration scripts do not support implementations which use Terraform modules, so customers making use of modules need to migrate manually. Please make use of terraform plan to test your changes before applying, and let us know if you encounter any additional issues by reporting to our GitHub repository.

For more info

Logs - IBM Cloud Logs as Logpush destination

Wed, 13 Aug 2025 00:00:00 GMT

Cloudflare Logpush now supports IBM Cloud Logs as a native destination.

Logs from Cloudflare can be sent to IBM Cloud Logs via Logpush. The setup can be done through the Logpush UI in the Cloudflare Dashboard or by using the Logpush API. The integration requires IBM Cloud Logs HTTP Source Address and an IBM API Key. The feature also allows for filtering events and selecting specific log fields.

For more information, refer to Destination Configuration documentation.

Cloudflare Fundamentals, Terraform - Terraform v5.8.2 now available

Fri, 01 Aug 2025 00:00:00 GMT

Earlier this year, we announced the launch of the new Terraform v5 Provider. We are aware of the high mumber of issues reported by the Cloudflare community related to the v5 release. We have committed to releasing improvements on a 2 week cadeance to ensure it's stability and reliability. We have also pivoted from an issue-to-issue approach to a resource-per-resource approach - we will be focusing on specific resources for every release, stablizing the release and closing all associated bugs with that resource before moving onto resolving migration issues.

Thank you for continuing to raise issues. We triage them weekly and they help make our products stronger.

Changes

Resources stablized:
- cloudflare_custom_pages
- cloudflare_page_rule
- cloudflare_dns_record
- cloudflare_argo_tiered_caching
Addressed chronic drift issues in cloudflare_logpush_job, cloudflare_zero_trust_dns_location, cloudflare_ruleset & cloudflare_api_token
cloudflare_zone_subscripton returns expected values rate_plan.id from former versions
cloudflare_workers_script can now successfully be destroyed with bindings & migration for Durable Objects now recorded in tfstate
Ability to configure add_headers under cloudflare_zero_trust_gateway_policy
Other bug fixes

For a more detailed look at all of the changes, see the changelog in GitHub.

Issues Closed

If you have an unaddressed issue with the provider, we encourage you to check the open issues and open a new one if one does not already exist for what you are experiencing.

Upgrading

We suggest holding off on migration to v5 while we work on stablization. This help will you avoid any blocking issues while the Terraform resources are actively being stablized.

If you'd like more information on migrating from v4 to v5, please make use of the migration guide. We have provided automated migration scripts using Grit which simplify the transition, although these do not support implementations which use Terraform modules, so customers making use of modules need to migrate manually. Please make use of terraform plan to test your changes before applying, and let us know if you encounter any additional issues by reporting to our GitHub repository.

For more info

Audit Logs - Audit logs (version 2) - UI Beta Release

Tue, 29 Jul 2025 00:00:00 GMT

The Audit Logs v2 UI is now available to all Cloudflare customers in Beta. This release builds on the public Beta of the Audit Logs v2 API and introduces a redesigned user interface with powerful new capabilities to make it easier to investigate account activity.

Enabling the new UI

To try the new user interface, go to Manage Account > Audit Logs. The previous version of Audit Logs remains available and can be re-enabled at any time using the Switch back to old Audit Logs link in the banner at the top of the page.

New Features:

Advanced Filtering: Filter logs by actor, resource, method, and more for faster insights.
On-hover filter controls: Easily include or exclude values in queries by hovering over fields within a log entry.
Detailed Log Sidebar: View rich context for each log entry without leaving the main view.
JSON Log View: Inspect the raw log data in a structured JSON format.
Custom Time Ranges: Define your own time windows to view historical activity.
Infinite Scroll: Seamlessly browse logs without clicking through pages.

For more details on Audit Logs v2, see the Audit Logs documentation.

Known issues

A small number of audit logs may currently be unavailable in Audit Logs v2. In some cases, certain fields such as actor information may be missing in certain audit logs. We are actively working to improve coverage and completeness for General Availability.
Export to CSV is not supported in the new UI.

We are actively refining the Audit Logs v2 experience and welcome your feedback. You can share overall feedback by clicking the thumbs up or thumbs down icons at the top of the page, or provide feedback on specific audit log entries using the thumbs icons next to each audit log line or by filling out our feedback form.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Faster, more reliable UDP traffic for Cloudflare Tunnel

Tue, 15 Jul 2025 00:00:00 GMT

Your real-time applications running over Cloudflare Tunnel are now faster and more reliable. We've completely re-architected the way cloudflared proxies UDP traffic in order to isolate it from other traffic, ensuring latency-sensitive applications like private DNS are no longer slowed down by heavy TCP traffic (like file transfers) on the same Tunnel.

This is a foundational improvement to Cloudflare Tunnel, delivered automatically to all customers. There are no settings to configure — your UDP traffic is already flowing faster and more reliably.

What’s new:

Faster UDP performance: We've significantly reduced the latency for establishing new UDP sessions, making applications like private DNS much more responsive.
Greater reliability for mixed traffic: UDP packets are no longer affected by heavy TCP traffic, preventing timeouts and connection drops for your real-time services.

Learn more about running TCP or UDP applications and private networks through Cloudflare Tunnel.

Cloudflare Fundamentals, Terraform - Terraform v5.7.0 now available

Mon, 14 Jul 2025 00:00:00 GMT

Earlier this year, we announced the launch of the new Terraform v5 Provider. We are aware of the high mumber of issues reported by the Cloudflare community related to the v5 release, with 13.5% of resources impacted. We have committed to releasing improvements on a 2 week cadeance to ensure it's stability and relability, including the v5.7 release.

Thank you for continuing to raise issues and please keep an eye on this changelog for more information about upcoming releases.

Changes

Addressed permanent diff bug on Cloudflare Tunnel config
State is now saved correctly for Zero Trust Access applications
Exact match is now working as expected within data.cloudflare_zero_trust_access_applications
cloudflare_zero_trust_access_policy now supports OIDC claims & diff issues resolved
Self hosted applications with private IPs no longer require a public domain for cloudflare_zero_trust_access_application.
New resource:
- cloudflare_zero_trust_tunnel_warp_connector
Other bug fixes

For a more detailed look at all of the changes, see the changelog in GitHub.

Issues Closed

If you have an unaddressed issue with the provider, we encourage you to check the open issues and open a new one if one does not already exist for what you are experiencing.

Upgrading

We suggest holding on migration to v5 while we work on stablization of the v5 provider. This will ensure Cloudflare can work ahead and avoid any blocking issues.

If you'd like more information on migrating from v4 to v5, please make use of the migration guide. We have provided automated migration scripts using Grit which simplify the transition, although these do not support implementations which use Terraform modules, so customers making use of modules need to migrate manually. Please make use of terraform plan to test your changes before applying, and let us know if you encounter any additional issues by reporting to our GitHub repository.

For more info

Log Explorer - Usage tracking

Wed, 09 Jul 2025 00:00:00 GMT

Log Explorer customers can now monitor their data ingestion volume to keep track of their billing. Monthly usage is displayed at the top of the Log Search and Manage Datasets screens in Log Explorer.

AI Crawl Control - Introducing Pay Per Crawl (private beta)

Tue, 01 Jul 2025 00:00:00 GMT

We are introducing a new feature of AI Crawl Control — Pay Per Crawl. Pay Per Crawl enables site owners to require payment from AI crawlers every time the crawlers access their content, thereby fostering a fairer Internet by enabling site owners to control and monetize how their content gets used by AI.

For Site Owners:

Set pricing and select which crawlers to charge for content access
Manage payments via Stripe
Monitor analytics on successful content deliveries

For AI Crawler Owners:

Use HTTP headers to request and accept pricing
Receive clear confirmations on charges for accessed content

Learn more in the Pay Per Crawl documentation.

AI Crawl Control - AI Crawl Control refresh

Tue, 01 Jul 2025 00:00:00 GMT

We redesigned the AI Crawl Control dashboard to provide more intuitive and granular control over AI crawlers.

From the new AI Crawlers tab: block specific AI crawlers.
From the new Metrics tab: view AI Crawl Control metrics.

To get started, explore:

Cloudflare Fundamentals - Cloudflare User Groups & SCIM User Groups are now in GA

Mon, 23 Jun 2025 00:00:00 GMT

We're announcing the GA of User Groups for Cloudflare Dashboard and System for Cross Domain Identity Management (SCIM) User Groups, strengthening our RBAC capabilities with stable, production-ready primitives for managing access at scale.

What's New

User Groups [GA]: User Groups are a new Cloudflare IAM primitive that enable administrators to create collections of account members that are treated equally from an access control perspective. User Groups can be assigned permission policies, with individual members in the group inheriting all permissions granted to the User Group. User Groups can be created manually or via our APIs.

SCIM User Groups [GA]: Centralize & simplify your user and group management at scale by syncing memberships directly from your upstream identity provider (like Okta or Entra ID) to the Cloudflare Platform. This ensures Cloudflare stays in sync with your identity provider, letting you apply Permission Policies to those synced groups directly within the Cloudflare Dashboard.

Stability & Scale: These features have undergone extensive testing during the Public Beta period and are now ready for production use across enterprises of all sizes.

For more info:

Log Explorer - Log Explorer is GA

Wed, 18 Jun 2025 00:00:00 GMT

Log Explorer is now GA, providing native observability and forensics for traffic flowing through Cloudflare.

Search and analyze your logs, natively in the Cloudflare dashboard. These logs are also stored in Cloudflare's network, eliminating many of the costs associated with other log providers.

With Log Explorer, you can now:

Monitor security and performance issues with custom dashboards – use natural language to define charts for measuring response time, error rates, top statistics and more.
Investigate and troubleshoot issues with Log Search – use data type-aware search filters or custom sql to investigate detailed logs.
Save time and collaborate with saved queries – save Log Search queries for repeated use or sharing with other users in your account.
Access Log Explorer at the account and zone level – easily find Log Explorer at the account and zone level for querying any dataset.

For help getting started, refer to our documentation.

Cloudflare Fundamentals, Terraform - Terraform v5.6.0 now available

Tue, 17 Jun 2025 00:00:00 GMT

Earlier this year, we announced the launch of the new Terraform v5 Provider. Unlike the earlier Terraform providers, v5 is automatically generated based on the OpenAPI Schemas for our REST APIs. Since launch, we have seen an unexpectedly high number of issues reported by customers. These issues currently impact about 15% of resources. We have been working diligently to address these issues across the company, and have released the v5.6.0 release which includes a number of bug fixes. Please keep an eye on this changelog for more information about upcoming releases.

Changes

Broad fixes across resources with recurring diffs, including, but not limited to:
- cloudflare_zero_trust_access_identity_provider
  - cloudflare_zone
cloudflare_page_rules runtime panic when setting cache_level to cache_ttl_by_status
Failure to serialize requests in cloudflare_zero_trust_tunnel_cloudflared_config
Undocumented field 'priority' on zone_lockdown resource
Missing importability for cloudflare_zero_trust_device_default_profile_local_domain_fallback and cloudflare_account_subscription
New resources:
- cloudflare_schema_validation_operation_settings
- cloudflare_schema_validation_schemas
- cloudflare_schema_validation_settings
- cloudflare_zero_trust_device_settings
Other bug fixes

For a more detailed look at all of the changes, see the changelog in GitHub.

Issues Closed

If you have an unaddressed issue with the provider, we encourage you to check the open issues and open a new one if one does not already exist for what you are experiencing.

Upgrading

If you are evaluating a move from v4 to v5, please make use of the migration guide. We have provided automated migration scripts using Grit which simplify the transition, although these do not support implementations which use Terraform modules, so customers making use of modules need to migrate manually. Please make use of terraform plan to test your changes before applying, and let us know if you encounter any additional issues by reporting to our GitHub repository.

For more info

Rules - More flexible fallback handling — Custom Errors now support fetching assets returned with 4xx or 5xx status codes

Mon, 09 Jun 2025 00:00:00 GMT

Custom Errors can now fetch and store assets and error pages from your origin even if they are served with a 4xx or 5xx HTTP status code — previously, only 200 OK responses were allowed.

What’s new:

You can now upload error pages and error assets that return error status codes (for example, 403, 500, 502, 503, 504) when fetched.
These assets are stored and minified at the edge, so they can be reused across multiple Custom Error rules without triggering requests to the origin.

This is especially useful for retrieving error content or downtime banners from your backend when you can’t override the origin status code.

Learn more in the Custom Errors documentation.

Rules - Match Workers subrequests by upstream zone — cf.worker.upstream_zone now supported in Transform Rules

Mon, 09 Jun 2025 00:00:00 GMT

You can now use the cf.worker.upstream_zone field in Transform Rules to control rule execution based on whether a request originates from Workers, including subrequests issued by Workers in other zones.

What's new:

cf.worker.upstream_zone is now supported in Transform Rules expressions.
Skip or apply logic conditionally when handling Workers subrequests.

For example, to add a header when the subrequest comes from another zone:

Text in Expression Editor (replace myappexample.com with your domain):

(cf.worker.upstream_zone != "" and cf.worker.upstream_zone != "myappexample.com")

Selected operation under Modify request header: Set static

Header name: X-External-Workers-Subrequest

Value: 1

This gives you more granular control in how you handle incoming requests for your zone.

Learn more in the Transform Rules documentation and Rules language fields reference.

Cloudflare Fundamentals - Cloudflare User Groups & Enhanced Permission Policies are now in Beta

Mon, 02 Jun 2025 00:00:00 GMT

We're excited to announce the Public Beta launch of User Groups for Cloudflare Dashboard and System for Cross Domain Identity Management (SCIM) User Groups, expanding our RBAC capabilities to simplify user and group management at scale.

We've also visually overhauled the Permission Policies UI to make defining permissions more intuitive.

What's New

User Groups [BETA]: User Groups are a new Cloudflare IAM primitive that enable administrators to create collections of account members that are treated equally from an access control perspective. User Groups can be assigned permission policies, with individual members in the group inheriting all permissions granted to the User Group. User Groups can be created manually or via our APIs.

SCIM User Groups [BETA]: Centralize & simplify your user and group management at scale by syncing memberships directly from your upstream identity provider (like Okta or Entra ID) to the Cloudflare Platform. This ensures Cloudflare stays in sync with your identity provider, letting you apply Permission Policies to those synced groups directly within the Cloudflare Dashboard.

Revamped Permission Policies UI [BETA]: As Cloudflare's services have grown, so has the need for precise, role-based access control. We've given the Permission Policies builder a visual overhaul to make it much easier for administrators to find and define the exact permissions they want for specific principals.

For more info:

Rules - Fine-tune image optimization — WebP now supported in Configuration Rules

Fri, 30 May 2025 00:00:00 GMT

You can now enable Polish with the webp format directly in Configuration Rules, allowing you to optimize image delivery for specific routes, user agents, or A/B tests — without applying changes zone-wide.

What’s new:

WebP is now a supported value in the Polish setting for Configuration Rules.

This gives you more precise control over how images are compressed and delivered, whether you're targeting modern browsers, running experiments, or tailoring performance by geography or device type.

Learn more in the Polish and Configuration Rules documentation.

Analytics - New GraphQL Analytics API Explorer and MCP Server

Fri, 23 May 2025 00:00:00 GMT

We’ve launched two powerful new tools to make the GraphQL Analytics API more accessible:

GraphQL API Explorer

The new GraphQL API Explorer helps you build, test, and run queries directly in your browser. Features include:

In-browser schema documentation to browse available datasets and fields
Interactive query editor with autocomplete and inline documentation
A "Run in GraphQL API Explorer" button to execute example queries from our docs
Seamless OAuth authentication — no manual setup required

GraphQL Model Context Protocol (MCP) Server

MCP Servers let you use natural language tools like Claude to generate structured queries against your data. See our blog post for details on how they work and which servers are available. The new GraphQL MCP server helps you discover and generate useful queries for the GraphQL Analytics API. With this server, you can:

Explore what data is available to query
Generate and refine queries using natural language, with one-click links to run them in the API Explorer
Build dashboards and visualizations from structured query outputs

Example prompts include:

“Show me HTTP traffic for the last 7 days for example.com”
“What GraphQL node returns firewall events?”
“Can you generate a link to the Cloudflare GraphQL API Explorer with a pre-populated query and variables?”

We’re continuing to expand these tools, and your feedback helps shape what’s next. Explore the documentation to learn more and get started.

Cloudflare Fundamentals, Terraform - Terraform v5.5.0 now available

Mon, 19 May 2025 00:00:00 GMT

Earlier this year, we announced the launch of the new Terraform v5 Provider. Unlike the earlier Terraform providers, v5 is automatically generated based on the OpenAPI Schemas for our REST APIs. Since launch, we have seen an unexpectedly high number of issues reported by customers. These issues currently impact about 15% of resources. We have been working diligently to address these issues across the company, and have released the v5.5.0 release which includes a number of bug fixes. Please keep an eye on this changelog for more information about upcoming releases.

Changes

Broad fixes across resources with recurring diffs, including, but not limited to:
- cloudflare_zero_trust_gateway_policy
- cloudflare_zero_trust_access_application
- cloudflare_zero_trust_tunnel_cloudflared_route
- cloudflare_zone_setting
- cloudflare_ruleset
- cloudflare_page_rule
Zone settings can be re-applied without client errors
Page rules conversion errors are fixed
Failure to apply changes to cloudflare_zero_trust_tunnel_cloudflared_route
Other bug fixes

For a more detailed look at all of the changes, see the changelog in GitHub.

Issues Closed

If you have an unaddressed issue with the provider, we encourage you to check the open issues and open a new one if one does not already exist for what you are experiencing.

Upgrading

For more info

Rules - More ways to match — Snippets now support Custom Lists, Bot Score, and WAF Attack Score

Fri, 09 May 2025 00:00:00 GMT

You can now use IP, Autonomous System (AS), and Hostname custom lists to route traffic to Snippets and Cloud Connector, giving you greater precision and control over how you match and process requests at the edge.

In Snippets, you can now also match on Bot Score and WAF Attack Score, unlocking smarter edge logic for everything from request filtering and mitigation to tarpitting and logging.

What’s new:

Custom lists matching – Snippets and Cloud Connector now support user-created IP, AS, and Hostname lists via dashboard or Lists API. Great for shared logic across zones.
Bot Score and WAF Attack Score – Use Cloudflare’s intelligent traffic signals to detect bots or attacks and take advanced, tailored actions with just a few lines of code.

These enhancements unlock new possibilities for building smarter traffic workflows with minimal code and maximum efficiency.

Learn more in the Snippets and Cloud Connector documentation.

Cloudflare Fundamentals, Terraform - Terraform v5.4.0 now available

Tue, 06 May 2025 00:00:00 GMT

Earlier this year, we announced the launch of the new Terraform v5 Provider. Unlike the earlier Terraform providers, v5 is automatically generated based on the OpenAPI Schemas for our REST APIs. Since launch, we have seen an unexpectedly high number of issues reported by customers. These issues currently impact about 15% of resources. We have been working diligently to address these issues across the company, and have released the v5.4.0 release which includes a number of bug fixes. Please keep an eye on this changelog for more information about upcoming releases.

Changes

Removes the worker_platforms_script_secret resource from the provider (see migration guide for alternatives—applicable to both Workers and Workers for Platforms)
Removes duplicated fields in cloudflare_cloud_connector_rules resource
Fixes cloudflare_workers_route id issues #5134 #5501
Fixes issue around refreshing resources that have unsupported response types
Affected resources
- cloudflare_certificate_pack
- cloudflare_registrar_domain
- cloudflare_stream_download
- cloudflare_stream_webhook
- cloudflare_user
- cloudflare_workers_kv
- cloudflare_workers_script
Fixes cloudflare_workers_kv state refresh issues
Fixes issues around configurability of nested properties without computed values for the following resources
Affected resources
- cloudflare_account
- cloudflare_account_dns_settings
- cloudflare_account_token
- cloudflare_api_token
- cloudflare_cloud_connector_rules
- cloudflare_custom_ssl
- cloudflare_d1_database
- cloudflare_dns_record
- email_security_trusted_domains
- cloudflare_hyperdrive_config
- cloudflare_keyless_certificate
- cloudflare_list_item
- cloudflare_load_balancer
- cloudflare_logpush_dataset_job
- cloudflare_magic_network_monitoring_configuration
- cloudflare_magic_transit_site
- cloudflare_magic_transit_site_lan
- cloudflare_magic_transit_site_wan
- cloudflare_magic_wan_static_route
- cloudflare_notification_policy
- cloudflare_pages_project
- cloudflare_queue
- cloudflare_queue_consumer
- cloudflare_r2_bucket_cors
- cloudflare_r2_bucket_event_notification
- cloudflare_r2_bucket_lifecycle
- cloudflare_r2_bucket_lock
- cloudflare_r2_bucket_sippy
- cloudflare_ruleset
- cloudflare_snippet_rules
- cloudflare_snippets
- cloudflare_spectrum_application
- cloudflare_workers_deployment
- cloudflare_zero_trust_access_application
- cloudflare_zero_trust_access_group
Fixed defaults that made cloudflare_workers_script fail when using Assets
Fixed Workers Logpush setting in cloudflare_workers_script mistakenly being readonly
Fixed cloudflare_pages_project broken when using "source"

The detailed changelog is available on GitHub.

Upgrading

For more info

Rules - Custom Errors are now Generally Available

Thu, 24 Apr 2025 00:00:00 GMT

Custom Errors are now generally available for all paid plans — bringing a unified and powerful experience for customizing error responses at both the zone and account levels.

You can now manage Custom Error Rules, Custom Error Assets, and redesigned Error Pages directly from the Cloudflare dashboard. These features let you deliver tailored messaging when errors occur, helping you maintain brand consistency and improve user experience — whether it’s a 404 from your origin or a security challenge from Cloudflare.

What's new:

Custom Errors are now GA – Available on all paid plans and ready for production traffic.
UI for Custom Error Rules and Assets – Manage your zone-level rules from the Rules > Overview and your zone-level assets from the Rules > Settings tabs.
Define inline content or upload assets – Create custom responses directly in the rule builder, upload new or reuse previously stored assets.
Refreshed UI and new name for Error Pages – Formerly known as “Custom Pages,” Error Pages now offer a cleaner, more intuitive experience for both zone and account-level configurations.
Powered by Ruleset Engine – Custom Error Rules support conditional logic and override Error Pages for 500 and 1000 class errors, as well as errors originating from your origin or other Cloudflare products. You can also configure Response Header Transform Rules to add, change, or remove HTTP headers from responses returned by Custom Error Rules.

Learn more in the Custom Errors documentation.

Logs - Custom fields raw and transformed values support

Fri, 18 Apr 2025 00:00:00 GMT

Custom Fields now support logging both raw and transformed values for request and response headers in the HTTP requests dataset.

These fields are configured per zone and apply to all Logpush jobs in that zone that include request headers, response headers. Each header can be logged in only one format—either raw or transformed—not both.

By default:

Request headers are logged as raw values
Response headers are logged as transformed values

These defaults can be overidden to suit your logging needs.

For more information refer to Custom fields documentation

Rules - Cloudflare Snippets are now Generally Available

Wed, 09 Apr 2025 00:00:00 GMT

Cloudflare Snippets are now generally available at no extra cost across all paid plans — giving you a fast, flexible way to programmatically control HTTP traffic using lightweight JavaScript.

You can now use Snippets to modify HTTP requests and responses with confidence, reliability, and scale. Snippets are production-ready and deeply integrated with Cloudflare Rules, making them ideal for everything from quick dynamic header rewrites to advanced routing logic.

What's new:

Snippets are now GA – Available at no extra cost on all Pro, Business, and Enterprise plans.
Ready for production – Snippets deliver a production-grade experience built for scale.
Part of the Cloudflare Rules platform – Snippets inherit request modifications from other Cloudflare products and support sequential execution, allowing you to run multiple Snippets on the same request and apply custom modifications step by step.
Trace integration – Use Cloudflare Trace to see which Snippets were triggered on a request — helping you understand traffic flow and debug more effectively.

Learn more in the launch blog post.

Registrar - Register and renew .ai and .shop domains at cost

Thu, 27 Mar 2025 10:00:00 GMT

Cloudflare Registrar now supports .ai and .shop domains. These are two of our most highly-requested top-level domains (TLDs) and are great additions to the 300+ other TLDs we support.

Starting today, customers can:

Register and renew these domains at cost without any markups or add-on fees
Enjoy best-in-class security and performance with native integrations with Cloudflare DNS, CDN, and SSL services like one-click DNSSEC
Combat domain hijacking with Custom Domain Protection (available on enterprise plans)

We can't wait to see what AI and e-commerce projects you deploy on Cloudflare. To get started, transfer your domains to Cloudflare or search for new ones to register.

Audit Logs - Audit logs (version 2) - Beta Release

Thu, 27 Mar 2025 00:00:00 GMT

The latest version of audit logs streamlines audit logging by automatically capturing all user and system actions performed through the Cloudflare Dashboard or public APIs. This update leverages Cloudflare’s existing API Shield to generate audit logs based on OpenAPI schemas, ensuring a more consistent and automated logging process.

Availability: Audit logs (version 2) is now in Beta, with support limited to API access.

Use the following API endpoint to retrieve audit logs:

GET https://api.cloudflare.com/client/v4/accounts/<account_id>/logs/audit?since=<date>&before=<date>

You can access detailed documentation for audit logs (version 2) Beta API release here.

Key Improvements in the Beta Release:

Automated & standardized logging: Logs are now generated automatically using a standardized system, replacing manual, team-dependent logging. This ensures consistency across all Cloudflare services.
Expanded product coverage: Increased audit log coverage from 75% to 95%. Key API endpoints such as /accounts, /zones, and /organizations are now included.
Granular filtering: Logs now follow a uniform format, enabling precise filtering by actions, users, methods, and resources—allowing for faster and more efficient investigations.
Enhanced context and traceability: Each log entry now includes detailed context, such as the authentication method used, the interface (API or Dashboard) through which the action was performed, and mappings to Cloudflare Ray IDs for better traceability.
Comprehensive activity capture: Expanded logging to include GET requests and failed attempts, ensuring that all critical activities are recorded.

Known Limitations in Beta

Error handling for the API is not implemented.
There may be gaps or missing entries in the available audit logs.
UI is unavailable in this Beta release.
System-level logs and User-Activity logs are not included.

Support for these features is coming as part of the GA release later this year. For more details, including a sample audit log, check out our blog post: Introducing Automatic Audit Logs

Cloudflare Fundamentals - Updates to Account Home - Quick actions, traffic insights, Workers projects, and more

Wed, 26 Mar 2025 06:00:00 GMT

Recently, Account Home has been updated to streamline your workflows:

Recent Workers projects: You'll now find your projects readily accessible from a new Developer Platform tab on Account Home. See recently-modified projects and explore what you can work our developer-focused products.
Traffic and security insights: Get a snapshot of domain performance at a glance with key metrics and trends.
Quick actions: You can now perform common actions for your account, domains, and even Workers in just 1-2 clicks from the 3-dot menu.
Keep starred domains front and center: Now, when you filter for starred domains on Account Home, we'll save your preference so you'll continue to only see starred domains by default.

We can't wait for you to take the new Account Home for a spin.

For more info:

Cloudflare Fundamentals, Terraform - Dozens of Cloudflare Terraform Provider resources now have proper drift detection

Fri, 21 Mar 2025 00:00:00 GMT

In Cloudflare Terraform Provider versions 5.2.0 and above, dozens of resources now have proper drift detection. Before this fix, these resources would indicate they needed to be updated or replaced — even if there was no real change. Now, you can rely on your terraform plan to only show what resources are expected to change.

This issue affected resources related to these products and features:

API Shield
Argo Smart Routing
Argo Tiered Caching
Bot Management
BYOIP
D1
DNS
Email Routing
Hyperdrive
Observatory
Pages
R2
Rules
SSL/TLS
Waiting Room
Workers
Zero Trust

Cloudflare Fundamentals, Terraform - Cloudflare Terraform Provider now properly redacts sensitive values

Fri, 21 Mar 2025 00:00:00 GMT

In the Cloudflare Terraform Provider versions 5.2.0 and above, sensitive properties of resources are redacted in logs. Sensitive properties in Cloudflare's OpenAPI Schema are now annotated with x-sensitive: true. This results in proper auto-generation of the corresponding Terraform resources, and prevents sensitive values from being shown when you run Terraform commands.

This issue affected resources related to these products and features:

Alerts and Audit Logs
Device API
DLP
DNS
Magic Visibility
Magic WAN
TLS Certs and Hostnames
Tunnels
Turnstile
Workers
Zaraz

Logs - One-click Logpush Setup with R2 Object Storage

Thu, 06 Mar 2025 00:00:00 GMT

We’ve streamlined the Logpush setup process by integrating R2 bucket creation directly into the Logpush workflow!

Now, you no longer need to navigate multiple pages to manually create an R2 bucket or copy credentials. With this update, you can seamlessly configure a Logpush job to R2 in just one click, reducing friction and making setup faster and easier.

This enhancement makes it easier for customers to adopt Logpush and R2.

For more details refer to our Logs documentation.

Rules - Increased Cloudflare Rules limits

Wed, 12 Feb 2025 00:00:00 GMT

We have upgraded and streamlined Cloudflare Rules limits across all plans, simplifying rule management and improving scalability for everyone.

New limits by product:

Bulk Redirects
- Free: 20 → 10,000 URL redirects across lists
- Pro: 500 → 25,000 URL redirects across lists
- Business: 500 → 50,000 URL redirects across lists
- Enterprise: 10,000 → 1,000,000 URL redirects across lists
Cloud Connector
- Free: 5 → 10 connectors
- Enterprise: 125 → 300 connectors
Custom Errors
- Pro: 5 → 25 error assets and rules
- Business: 20 → 50 error assets and rules
- Enterprise: 50 → 300 error assets and rules
Snippets
- Pro: 10 → 25 code snippets and rules
- Business: 25 → 50 code snippets and rules
- Enterprise: 50 → 300 code snippets and rules
Cache Rules, Configuration Rules, Compression Rules, Origin Rules, Single Redirects, and Transform Rules
- Enterprise: 125 → 300 rules

Rules - Custom Errors (beta): Stored Assets & Account-level Rules

Tue, 11 Feb 2025 00:00:00 GMT

We're introducing Custom Errors (beta), which builds on our existing Custom Error Responses feature with new asset storage capabilities.

This update allows you to store externally hosted error pages on Cloudflare and reference them in custom error rules, eliminating the need to supply inline content.

This brings the following new capabilities:

Custom error assets – Fetch and store external error pages at the edge for use in error responses.
Account-Level custom errors – Define error handling rules and assets at the account level for consistency across multiple zones. Zone-level rules take precedence over account-level ones, and assets are not shared between levels.

You can use Cloudflare API to upload your existing assets for use with Custom Errors:

curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_pages/assets" \
--header "Authorization: Bearer <API_TOKEN>" \
--header 'Content-Type: application/json' \
--data '{
  "name": "maintenance",
  "description": "Maintenance template page",
  "url": "https://example.com/"
}'

You can then reference the stored asset in a Custom Error rule:

curl --request PUT \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/phases/http_custom_errors/entrypoint" \
--header "Authorization: Bearer <API_TOKEN>" \
--header 'Content-Type: application/json' \
--data '{
  "rules": [
    {
      "action": "serve_error",
      "action_parameters": {
        "asset_name": "maintenance",
        "content_type": "text/html",
        "status_code": 503
      },
      "enabled": true,
      "expression": "http.request.uri.path contains \"error\""
    }
  ]
}'

Cloudflare Fundamentals, Terraform - Terraform v5 Provider is now generally available

Mon, 03 Feb 2025 00:00:00 GMT

Cloudflare's v5 Terraform Provider is now generally available. With this release, Terraform resources are now automatically generated based on OpenAPI Schemas. This change brings alignment across our SDKs, API documentation, and now Terraform Provider. The new provider boosts coverage by increasing support for API properties to 100%, adding 25% more resources, and more than 200 additional data sources. Going forward, this will also reduce the barriers to bringing more resources into Terraform across the broader Cloudflare API. This is a small, but important step to making more of our platform manageable through GitOps, making it easier for you to manage Cloudflare just like you do your other infrastructure.

The Cloudflare Terraform Provider v5 is a ground-up rewrite of the provider and introduces breaking changes for some resource types. Please refer to the upgrade guide for best practices, or the blog post on automatically generating Cloudflare's Terraform Provider for more information about the approach.

For more info

Rules - New Snippets Code Editor

Wed, 29 Jan 2025 00:00:00 GMT

The new Snippets code editor lets you edit Snippet code and rule in one place, making it easier to test and deploy changes without switching between pages.

What’s new:

Single-page editing for code and rule – No need to jump between screens.
Auto-complete & syntax highlighting – Get suggestions and avoid mistakes.
Code formatting & refactoring – Write cleaner, more readable code.

Try it now in Rules > Snippets.

Rules - New Rules Overview Interface

Thu, 09 Jan 2025 00:00:00 GMT

Rules Overview gives you a single page to manage all your Cloudflare Rules.

What you can do:

See all your rules in one place – No more clicking around.
Find rules faster – Search by name.
Understand execution order – See how rules run in sequence.
Debug easily – Use Trace without switching tabs.

Check it out in Rules > Overview.

Cloudflare Tunnel, Cloudflare Tunnel for SASE - Troubleshoot tunnels with diagnostic logs

Thu, 19 Dec 2024 00:00:00 GMT

The latest cloudflared build 2024.12.2 introduces the ability to collect all the diagnostic logs needed to troubleshoot a cloudflared instance.

A diagnostic report collects data from a single instance of cloudflared running on the local machine and outputs it to a cloudflared-diag file.

For more information, refer to Diagnostic logs.

Rules - Terraform Support for Snippets

Wed, 11 Dec 2024 00:00:00 GMT

Now, you can manage Cloudflare Snippets with Terraform. Use infrastructure-as-code to deploy and update Snippet code and rules without manual changes in the dashboard.

Example Terraform configuration:

resource "cloudflare_snippet" "my_snippet" {
  zone_id  = "<ZONE_ID>"
  name = "my_test_snippet_1"
  main_module = "file1.js"
  files {
    name = "file1.js"
    content = file("file1.js")
  }
}

resource "cloudflare_snippet_rules" "cookie_snippet_rule" {
  zone_id  = "<ZONE_ID>"
  rules {
    enabled = true
    expression = "http.cookie eq \"a=b\""
    description = "Trigger snippet on specific cookie"
    snippet_name = "my_test_snippet_1"
  }
  depends_on = [cloudflare_snippet.my_snippet]
}

Learn more in the Configure Snippets using Terraform documentation.

Rules - Cloud Connector Now Supports R2

Fri, 22 Nov 2024 00:00:00 GMT

Now, you can use Cloud Connector to route traffic to your R2 buckets based on URLs, headers, geolocation, and more.

Example setup:

curl --request PUT \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/cloud_connector/rules" \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '[
  {
    "expression": "http.request.uri.path wildcard \"/images/*\"",
    "provider": "cloudflare_r2",
    "description": "Connect to R2 bucket containing images",
    "parameters": {
      "host": "mybucketcustomdomain.example.com"
    }
  }
]'

Get started using Cloud Connector documentation.

Rules - Simplified UI for URL Rewrites

Wed, 23 Oct 2024 00:00:00 GMT

It’s now easy to create wildcard-based URL Rewrites. No need for complex functions—just define your patterns and go.

What’s improved:

Full wildcard support – Create rewrite patterns using intuitive interface.
Simplified rule creation – No need for complex functions.

Try it via creating a Rewrite URL rule in the dashboard.

Logs - New fields added to Gateway-related datasets in Cloudflare Logs

Tue, 08 Oct 2024 00:00:00 GMT

Cloudflare has introduced new fields to two Gateway-related datasets in Cloudflare Logs:

Gateway HTTP: ApplicationIDs, ApplicationNames, CategoryIDs, CategoryNames, DestinationIPContinentCode, DestinationIPCountryCode, ProxyEndpoint, SourceIPContinentCode, SourceIPCountryCode, VirtualNetworkID, and VirtualNetworkName.
Gateway Network: ApplicationIDs, ApplicationNames, DestinationIPContinentCode, DestinationIPCountryCode, ProxyEndpoint, SourceIPContinentCode, SourceIPCountryCode, TransportProtocol, VirtualNetworkID, and VirtualNetworkName.

AI Crawl Control - AI Crawl Control

Mon, 23 Sep 2024 00:00:00 GMT

Every site on Cloudflare now has access to AI Audit, which summarizes the crawling behavior of popular and known AI services.

You can use this data to:

Understand how and how often crawlers access your site (and which content is the most popular).
Block specific AI bots accessing your site.
Use Cloudflare to enforce your robots.txt policy via an automatic WAF rule.

To get started, explore AI audit.

Rules - New Rules Templates for One-Click Rule Creation

Thu, 05 Sep 2024 00:00:00 GMT

Now, you can create common rule configurations in just one click using Rules Templates.

What you can do:

Pick a pre-built rule – Choose from a library of templates.
One-click setup – Deploy best practices instantly.
Customize as needed – Adjust templates to fit your setup.

Template cards are now also available directly in the rule builder for each product.

Need more ideas? Check out the Examples gallery in our documentation.