Cloudflare changelogs | Rules

Rules - New QUIC RTT and delivery rate fields

Wed, 01 Apr 2026 00:00:00 GMT

Two new fields are now available in rule expressions that surface Layer 4 transport telemetry from the client connection. Together with the existing cf.timings.client_tcp_rtt_msec field, these fields give you a complete picture of connection quality for both TCP and QUIC traffic — enabling transport-aware rules without requiring any client-side changes.

Previously, QUIC RTT and delivery rate data was only available via the Server-Timing: cfL4 response header. These new fields make the same data available directly in rule expressions, so you can use them in Transform Rules, WAF Custom Rules, and other phases that support dynamic fields.

New fields

Field	Type	Description
`cf.timings.client_quic_rtt_msec`	Integer	The smoothed QUIC round-trip time (RTT) between Cloudflare and the client in milliseconds. Only populated for QUIC (HTTP/3) connections. Returns `0` for TCP connections.
`cf.edge.l4.delivery_rate`	Integer	The most recent data delivery rate estimate for the client connection, in bytes per second. Returns `0` when L4 statistics are not available for the request.

Example: Route slow connections to a lightweight origin

Use a request header transform rule to tag requests from high-latency connections, so your origin can serve a lighter page variant:

Rule expression:

cf.timings.client_tcp_rtt_msec > 200 or cf.timings.client_quic_rtt_msec > 200

Header modifications:

Operation	Header name	Value
Set	`X-High-Latency`	`true`

Example: Match low-bandwidth connections

cf.edge.l4.delivery_rate > 0 and cf.edge.l4.delivery_rate < 100000

For more information, refer to Request Header Transform Rules and the fields reference.

Rules - New mTLS certificate fields for Transform Rules

Wed, 25 Mar 2026 00:00:00 GMT

Cloudflare now exposes four new fields in the Transform Rules phase that encode client certificate data in RFC 9440 format. Previously, forwarding client certificate information to your origin required custom parsing of PEM-encoded fields or non-standard HTTP header formats. These new fields produce output in the standardized Client-Cert and Client-Cert-Chain header format defined by RFC 9440, so your origin can consume them directly without any additional decoding logic.

Each certificate is DER-encoded, Base64-encoded, and wrapped in colons. For example, :MIIDsT...Vw==:. A chain of intermediates is expressed as a comma-separated list of such values.

New fields

Field	Type	Description
`cf.tls_client_auth.cert_rfc9440`	String	The client leaf certificate in RFC 9440 format. Empty if no client certificate was presented.
`cf.tls_client_auth.cert_rfc9440_too_large`	Boolean	`true` if the leaf certificate exceeded 10 KB and was omitted. In practice this will almost always be `false`.
`cf.tls_client_auth.cert_chain_rfc9440`	String	The intermediate certificate chain in RFC 9440 format as a comma-separated list. Empty if no intermediate certificates were sent or if the chain exceeded 16 KB.
`cf.tls_client_auth.cert_chain_rfc9440_too_large`	Boolean	`true` if the intermediate chain exceeded 16 KB and was omitted.

The chain encoding follows the same ordering as the TLS handshake: the certificate closest to the leaf appears first, working up toward the trust anchor. The root certificate is not included.

Example: Forwarding client certificate headers to your origin server

Add a request header transform rule to set the Client-Cert and Client-Cert-Chain headers on requests forwarded to your origin server. For example, to forward headers for verified, non-revoked certificates:

Rule expression:

cf.tls_client_auth.cert_verified and not cf.tls_client_auth.cert_revoked

Header modifications:

Operation	Header name	Value
Set	`Client-Cert`	`cf.tls_client_auth.cert_rfc9440`
Set	`Client-Cert-Chain`	`cf.tls_client_auth.cert_chain_rfc9440`

To get the most out of these fields, upload your client CA certificate to Cloudflare so that Cloudflare validates the client certificate at the edge and populates cf.tls_client_auth.cert_verified and cf.tls_client_auth.cert_revoked.

For more information, refer to Mutual TLS authentication, Request Header Transform Rules, and the fields reference.

Rules - Worker execution timing field now available in Rules

Wed, 18 Mar 2026 00:00:00 GMT

The cf.timings.worker_msec field is now available in the Ruleset Engine. This field reports the wall-clock time that a Cloudflare Worker spent handling a request, measured in milliseconds.

You can use this field to identify slow Worker executions, detect performance regressions, or build rules that respond differently based on Worker processing time, such as logging requests that exceed a latency threshold.

Field details

Field	Type	Description
`cf.timings.worker_msec`	Integer	The time spent executing a Cloudflare Worker in milliseconds. Returns `0` if no Worker was invoked.

Example filter expression:

cf.timings.worker_msec > 500

For more information, refer to the Fields reference.

Rules - Control request and response body buffering in Configuration Rules

Tue, 27 Jan 2026 00:00:00 GMT

You can now control how Cloudflare buffers HTTP request and response bodies using two new settings in Configuration Rules.

Request body buffering

Controls how Cloudflare buffers HTTP request bodies before forwarding them to your origin server:

Mode	Behavior
Standard (default)	Cloudflare can inspect a prefix of the request body for enabled functionality such as WAF and Bot Management.
Full	Buffers the entire request body before sending to origin.
None	No buffering — the request body streams directly to origin without inspection.

Response body buffering

Controls how Cloudflare buffers HTTP response bodies before forwarding them to the client:

Mode	Behavior
Standard (default)	Cloudflare can inspect a prefix of the response body for enabled functionality.
None	No buffering — the response body streams directly to the client without inspection.

API example

{
  "action": "set_config",
  "action_parameters": {
    "request_body_buffering": "standard",
    "response_body_buffering": "none"
  }
}

For more information, refer to Configuration Rules.

Rules - New cryptographic functions — encode_base64() and sha256()

Thu, 22 Jan 2026 00:00:00 GMT

Cloudflare Rulesets now includes encode_base64() and sha256() functions, enabling you to generate signed request headers directly in rule expressions. These functions support common patterns like constructing a canonical string from request attributes, computing a SHA256 digest, and Base64-encoding the result.

New functions

Function	Description	Availability
`encode_base64(input, flags)`	Encodes a string to Base64 format. Optional `flags` parameter: `u` for URL-safe encoding, `p` for padding (adds `=` characters to make the output length a multiple of 4, as required by some systems). By default, output is standard Base64 without padding.	All plans (in header transform rules)
`sha256(input)`	Computes a SHA256 hash of the input string.	Requires enablement

Examples

Encode a string to Base64 format:

encode_base64("hello world")

Returns: aGVsbG8gd29ybGQ

Encode a string to Base64 format with padding:

encode_base64("hello world", "p")

Returns: aGVsbG8gd29ybGQ=

Perform a URL-safe Base64 encoding of a string:

encode_base64("hello world", "u")

Returns: aGVsbG8gd29ybGQ

Compute the SHA256 hash of a secret token:

sha256("my-token")

Returns a hash that your origin can validate to authenticate requests.

Compute the SHA256 hash of a string and encode the result to Base64 format:

encode_base64(sha256("my-token"))

Combines hashing and encoding for systems that expect Base64-encoded signatures.

For more information, refer to the Functions reference.

Rules - New functions for array and map operations

Tue, 20 Jan 2026 00:00:00 GMT

New functions for array and map operations

Cloudflare Rulesets now include new functions that enable advanced expression logic for evaluating arrays and maps. These functions allow you to build rules that match against lists of values in request or response headers, enabling use cases like country-based blocking using custom headers.

New functions

Function	Description
`split(source, delimiter)`	Splits a string into an array of strings using the specified delimiter.
`join(array, delimiter)`	Joins an array of strings into a single string using the specified delimiter.
`has_key(map, key)`	Returns `true` if the specified key exists in the map.
`has_value(map, value)`	Returns `true` if the specified value exists in the map.

Example use cases

Check if a country code exists in a header list:

has_value(split(http.response.headers["x-allow-country"][0], ","), ip.src.country)

Check if a specific header key exists:

has_key(http.request.headers, "x-custom-header")

Join array values for logging or comparison:

join(http.request.headers.names, ", ")

For more information, refer to the Functions reference.

Rules - Metro code field now available in Rules

Mon, 12 Jan 2026 00:00:00 GMT

The ip.src.metro_code field in the Ruleset Engine is now populated with DMA (Designated Market Area) data.

You can use this field to build rules that target traffic based on geographic market areas, enabling more granular location-based policies for your applications.

Field details

Field	Type	Description
`ip.src.metro_code`	String \| null	The metro code (DMA) of the incoming request's IP address. Returns the designated market area code for the client's location.

Example filter expression:

ip.src.metro_code eq "501"

For more information, refer to the Fields reference.

Rules - New TCP-based fields available in Rulesets

Thu, 30 Oct 2025 00:00:00 GMT

Build rules based on TCP transport and latency

Cloudflare now provides two new request fields in the Ruleset engine that let you make decisions based on whether a request used TCP and the measured TCP round-trip time between the client and Cloudflare. These fields help you understand protocol usage across your traffic and build policies that respond to network performance. For example, you can distinguish TCP from QUIC traffic or route high latency requests to alternative origins when needed.

New fields

Field	Type	Description
`cf.edge.client_tcp`	Boolean	Indicates whether the request used TCP. A value of true means the client connected using TCP instead of QUIC.
`cf.timings.client_tcp_rtt_msec`	Number	Reports the smoothed TCP round-trip time between the client and Cloudflare in milliseconds. For example, a value of 20 indicates roughly twenty milliseconds of RTT.

Example filter expression:

cf.edge.client_tcp && cf.timings.client_tcp_rtt_msec < 100

More information can be found in the Rules language fields reference.

Rules - More flexible fallback handling — Custom Errors now support fetching assets returned with 4xx or 5xx status codes

Mon, 09 Jun 2025 00:00:00 GMT

Custom Errors can now fetch and store assets and error pages from your origin even if they are served with a 4xx or 5xx HTTP status code — previously, only 200 OK responses were allowed.

What’s new:

You can now upload error pages and error assets that return error status codes (for example, 403, 500, 502, 503, 504) when fetched.
These assets are stored and minified at the edge, so they can be reused across multiple Custom Error rules without triggering requests to the origin.

This is especially useful for retrieving error content or downtime banners from your backend when you can’t override the origin status code.

Learn more in the Custom Errors documentation.

Rules - Match Workers subrequests by upstream zone — cf.worker.upstream_zone now supported in Transform Rules

Mon, 09 Jun 2025 00:00:00 GMT

You can now use the cf.worker.upstream_zone field in Transform Rules to control rule execution based on whether a request originates from Workers, including subrequests issued by Workers in other zones.

What's new:

cf.worker.upstream_zone is now supported in Transform Rules expressions.
Skip or apply logic conditionally when handling Workers subrequests.

For example, to add a header when the subrequest comes from another zone:

Text in Expression Editor (replace myappexample.com with your domain):

(cf.worker.upstream_zone != "" and cf.worker.upstream_zone != "myappexample.com")

Selected operation under Modify request header: Set static

Header name: X-External-Workers-Subrequest

Value: 1

This gives you more granular control in how you handle incoming requests for your zone.

Learn more in the Transform Rules documentation and Rules language fields reference.

Rules - Fine-tune image optimization — WebP now supported in Configuration Rules

Fri, 30 May 2025 00:00:00 GMT

You can now enable Polish with the webp format directly in Configuration Rules, allowing you to optimize image delivery for specific routes, user agents, or A/B tests — without applying changes zone-wide.

What’s new:

WebP is now a supported value in the Polish setting for Configuration Rules.

This gives you more precise control over how images are compressed and delivered, whether you're targeting modern browsers, running experiments, or tailoring performance by geography or device type.

Learn more in the Polish and Configuration Rules documentation.

Rules - More ways to match — Snippets now support Custom Lists, Bot Score, and WAF Attack Score

Fri, 09 May 2025 00:00:00 GMT

You can now use IP, Autonomous System (AS), and Hostname custom lists to route traffic to Snippets and Cloud Connector, giving you greater precision and control over how you match and process requests at the edge.

In Snippets, you can now also match on Bot Score and WAF Attack Score, unlocking smarter edge logic for everything from request filtering and mitigation to tarpitting and logging.

What’s new:

Custom lists matching – Snippets and Cloud Connector now support user-created IP, AS, and Hostname lists via dashboard or Lists API. Great for shared logic across zones.
Bot Score and WAF Attack Score – Use Cloudflare’s intelligent traffic signals to detect bots or attacks and take advanced, tailored actions with just a few lines of code.

These enhancements unlock new possibilities for building smarter traffic workflows with minimal code and maximum efficiency.

Learn more in the Snippets and Cloud Connector documentation.

Rules - Custom Errors are now Generally Available

Thu, 24 Apr 2025 00:00:00 GMT

Custom Errors are now generally available for all paid plans — bringing a unified and powerful experience for customizing error responses at both the zone and account levels.

You can now manage Custom Error Rules, Custom Error Assets, and redesigned Error Pages directly from the Cloudflare dashboard. These features let you deliver tailored messaging when errors occur, helping you maintain brand consistency and improve user experience — whether it’s a 404 from your origin or a security challenge from Cloudflare.

What's new:

Custom Errors are now GA – Available on all paid plans and ready for production traffic.
UI for Custom Error Rules and Assets – Manage your zone-level rules from the Rules > Overview and your zone-level assets from the Rules > Settings tabs.
Define inline content or upload assets – Create custom responses directly in the rule builder, upload new or reuse previously stored assets.
Refreshed UI and new name for Error Pages – Formerly known as “Custom Pages,” Error Pages now offer a cleaner, more intuitive experience for both zone and account-level configurations.
Powered by Ruleset Engine – Custom Error Rules support conditional logic and override Error Pages for 500 and 1000 class errors, as well as errors originating from your origin or other Cloudflare products. You can also configure Response Header Transform Rules to add, change, or remove HTTP headers from responses returned by Custom Error Rules.

Learn more in the Custom Errors documentation.

Rules - Cloudflare Snippets are now Generally Available

Wed, 09 Apr 2025 00:00:00 GMT

Cloudflare Snippets are now generally available at no extra cost across all paid plans — giving you a fast, flexible way to programmatically control HTTP traffic using lightweight JavaScript.

You can now use Snippets to modify HTTP requests and responses with confidence, reliability, and scale. Snippets are production-ready and deeply integrated with Cloudflare Rules, making them ideal for everything from quick dynamic header rewrites to advanced routing logic.

What's new:

Snippets are now GA – Available at no extra cost on all Pro, Business, and Enterprise plans.
Ready for production – Snippets deliver a production-grade experience built for scale.
Part of the Cloudflare Rules platform – Snippets inherit request modifications from other Cloudflare products and support sequential execution, allowing you to run multiple Snippets on the same request and apply custom modifications step by step.
Trace integration – Use Cloudflare Trace to see which Snippets were triggered on a request — helping you understand traffic flow and debug more effectively.

Learn more in the launch blog post.

Rules - Increased Cloudflare Rules limits

Wed, 12 Feb 2025 00:00:00 GMT

We have upgraded and streamlined Cloudflare Rules limits across all plans, simplifying rule management and improving scalability for everyone.

New limits by product:

Bulk Redirects
- Free: 20 → 10,000 URL redirects across lists
- Pro: 500 → 25,000 URL redirects across lists
- Business: 500 → 50,000 URL redirects across lists
- Enterprise: 10,000 → 1,000,000 URL redirects across lists
Cloud Connector
- Free: 5 → 10 connectors
- Enterprise: 125 → 300 connectors
Custom Errors
- Pro: 5 → 25 error assets and rules
- Business: 20 → 50 error assets and rules
- Enterprise: 50 → 300 error assets and rules
Snippets
- Pro: 10 → 25 code snippets and rules
- Business: 25 → 50 code snippets and rules
- Enterprise: 50 → 300 code snippets and rules
Cache Rules, Configuration Rules, Compression Rules, Origin Rules, Single Redirects, and Transform Rules
- Enterprise: 125 → 300 rules

Rules - Custom Errors (beta): Stored Assets & Account-level Rules

Tue, 11 Feb 2025 00:00:00 GMT

We're introducing Custom Errors (beta), which builds on our existing Custom Error Responses feature with new asset storage capabilities.

This update allows you to store externally hosted error pages on Cloudflare and reference them in custom error rules, eliminating the need to supply inline content.

This brings the following new capabilities:

Custom error assets – Fetch and store external error pages at the edge for use in error responses.
Account-Level custom errors – Define error handling rules and assets at the account level for consistency across multiple zones. Zone-level rules take precedence over account-level ones, and assets are not shared between levels.

You can use Cloudflare API to upload your existing assets for use with Custom Errors:

curl "https://api.cloudflare.com/client/v4/zones/{zone_id}/custom_pages/assets" \
--header "Authorization: Bearer <API_TOKEN>" \
--header 'Content-Type: application/json' \
--data '{
  "name": "maintenance",
  "description": "Maintenance template page",
  "url": "https://example.com/"
}'

You can then reference the stored asset in a Custom Error rule:

curl --request PUT \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/rulesets/phases/http_custom_errors/entrypoint" \
--header "Authorization: Bearer <API_TOKEN>" \
--header 'Content-Type: application/json' \
--data '{
  "rules": [
    {
      "action": "serve_error",
      "action_parameters": {
        "asset_name": "maintenance",
        "content_type": "text/html",
        "status_code": 503
      },
      "enabled": true,
      "expression": "http.request.uri.path contains \"error\""
    }
  ]
}'

Rules - New Snippets Code Editor

Wed, 29 Jan 2025 00:00:00 GMT

The new Snippets code editor lets you edit Snippet code and rule in one place, making it easier to test and deploy changes without switching between pages.

What’s new:

Single-page editing for code and rule – No need to jump between screens.
Auto-complete & syntax highlighting – Get suggestions and avoid mistakes.
Code formatting & refactoring – Write cleaner, more readable code.

Try it now in Rules > Snippets.

Rules - New Rules Overview Interface

Thu, 09 Jan 2025 00:00:00 GMT

Rules Overview gives you a single page to manage all your Cloudflare Rules.

What you can do:

See all your rules in one place – No more clicking around.
Find rules faster – Search by name.
Understand execution order – See how rules run in sequence.
Debug easily – Use Trace without switching tabs.

Check it out in Rules > Overview.

Rules - Terraform Support for Snippets

Wed, 11 Dec 2024 00:00:00 GMT

Now, you can manage Cloudflare Snippets with Terraform. Use infrastructure-as-code to deploy and update Snippet code and rules without manual changes in the dashboard.

Example Terraform configuration:

resource "cloudflare_snippet" "my_snippet" {
  zone_id  = "<ZONE_ID>"
  name = "my_test_snippet_1"
  main_module = "file1.js"
  files {
    name = "file1.js"
    content = file("file1.js")
  }
}

resource "cloudflare_snippet_rules" "cookie_snippet_rule" {
  zone_id  = "<ZONE_ID>"
  rules {
    enabled = true
    expression = "http.cookie eq \"a=b\""
    description = "Trigger snippet on specific cookie"
    snippet_name = "my_test_snippet_1"
  }
  depends_on = [cloudflare_snippet.my_snippet]
}

Learn more in the Configure Snippets using Terraform documentation.

Rules - Cloud Connector Now Supports R2

Fri, 22 Nov 2024 00:00:00 GMT

Now, you can use Cloud Connector to route traffic to your R2 buckets based on URLs, headers, geolocation, and more.

Example setup:

curl --request PUT \
"https://api.cloudflare.com/client/v4/zones/{zone_id}/cloud_connector/rules" \
--header "Authorization: Bearer <API_TOKEN>" \
--header "Content-Type: application/json" \
--data '[
  {
    "expression": "http.request.uri.path wildcard \"/images/*\"",
    "provider": "cloudflare_r2",
    "description": "Connect to R2 bucket containing images",
    "parameters": {
      "host": "mybucketcustomdomain.example.com"
    }
  }
]'

Get started using Cloud Connector documentation.

Rules - Simplified UI for URL Rewrites

Wed, 23 Oct 2024 00:00:00 GMT

It’s now easy to create wildcard-based URL Rewrites. No need for complex functions—just define your patterns and go.

What’s improved:

Full wildcard support – Create rewrite patterns using intuitive interface.
Simplified rule creation – No need for complex functions.

Try it via creating a Rewrite URL rule in the dashboard.

Rules - New Rules Templates for One-Click Rule Creation

Thu, 05 Sep 2024 00:00:00 GMT

Now, you can create common rule configurations in just one click using Rules Templates.

What you can do:

Pick a pre-built rule – Choose from a library of templates.
One-click setup – Deploy best practices instantly.
Customize as needed – Adjust templates to fit your setup.

Template cards are now also available directly in the rule builder for each product.

Need more ideas? Check out the Examples gallery in our documentation.