Skip to content
Cloudflare Docs

Changelog

New updates and improvements at Cloudflare.

Subscribe to RSS View RSS feeds
All products
hero image

  1. Removed unused meta fields from DNS records

    DNS

    Cloudflare is removing five fields from the meta object of DNS records. These fields have been unused for more than a year and are no longer set on new records. This change may take up to four weeks to fully roll out.

    The affected fields are:

    • the auto_added boolean
    • the managed_by_apps boolean and corresponding apps_install_id
    • the managed_by_argo_tunnel boolean and corresponding argo_tunnel_id

    An example record returned from the API would now look like the following:

    Updated API Response
    {
      "result": {
        "id": "<ID>",
        "zone_id": "<ZONE_ID>",
        "zone_name": "example.com",
        "name": "www.example.com",
        "type": "A",
        "content": "192.0.2.1",
        "proxiable": true,
        "proxied": false,
        "ttl": 1,
        "locked": false,
        "meta": {
          "auto_added": false,
          "managed_by_apps": false,
          "managed_by_argo_tunnel": false,
          "source": "primary"
        },
        "comment": null,
        "tags": [],
        "created_on": "2025-03-17T20:37:05.368097Z",
        "modified_on": "2025-03-17T20:37:05.368097Z"
      },
      "success": true,
      "errors": [],
      "messages": []
    }

    For more guidance, refer to Manage DNS records.

  1. Workers for Platforms now supports Static Assets

    Workers for Platforms

    Workers for Platforms customers can now attach static assets (HTML, CSS, JavaScript, images) directly to User Workers, removing the need to host separate infrastructure to serve the assets.

    This allows your platform to serve entire front-end applications from Cloudflare's global edge, utilizing caching for fast load times, while supporting dynamic logic within the same Worker. Cloudflare automatically scales its infrastructure to handle high traffic volumes, enabling you to focus on building features without managing servers.

    What you can build

    Static Sites: Host and serve HTML, CSS, JavaScript, and media files directly from Cloudflare's network, ensuring fast loading times worldwide. This is ideal for blogs, landing pages, and documentation sites because static assets can be efficiently cached and delivered closer to the user, reducing latency and enhancing the overall user experience.

    Full-Stack Applications: Combine asset hosting with Cloudflare Workers to power dynamic, interactive applications. If you're an e-commerce platform, you can serve your customers' product pages and run inventory checks from within the same Worker.

    index.js
    export default {
      async fetch(request, env) {
        const url = new URL(request.url);
    

        // Check real-time inventory
        if (url.pathname === "/api/inventory/check") {
          const product = url.searchParams.get("product");
          const inventory = await env.INVENTORY_KV.get(product);
          return new Response(inventory);
        }
    

        // Serve static assets (HTML, CSS, images)
        return env.ASSETS.fetch(request);
      },
    };

    Get Started: Upload static assets using the Workers for Platforms API or Wrangler. For more information, visit our Workers for Platforms documentation.

  1. Transform HTML quickly with streaming content

    Workers

    You can now transform HTML elements with streamed content using HTMLRewriter.

    Methods like replace, append, and prepend now accept Response and ReadableStream values as Content.

    This can be helpful in a variety of situations. For instance, you may have a Worker in front of an origin, and want to replace an element with content from a different source. Prior to this change, you would have to load all of the content from the upstream URL and convert it into a string before replacing the element. This slowed down overall response times.

    Now, you can pass the Response object directly into the replace method, and HTMLRewriter will immediately start replacing the content as it is streamed in. This makes responses faster.

    index.js
    class ElementRewriter {
      async element(element) {
        // able to replace elements while streaming content
        // the fetched body is not buffered into memory as part
        // of the replace
        let res = await fetch("https://upstream-content-provider.example");
        element.replace(res);
      }
    }
    

    export default {
      async fetch(request, env, ctx) {
        let response = await fetch("https://site-to-replace.com");
        return new HTMLRewriter()
          .on("[data-to-replace]", new ElementRewriter())
          .transform(response);
      },
    };

    For more information, see the HTMLRewriter documentation.

  1. AI Gateway Introduces New Worker Binding Methods

    AI Gateway

    We have released new Workers bindings API methods, allowing you to connect Workers applications to AI Gateway directly. These methods simplify how Workers calls AI services behind your AI Gateway configurations, removing the need to use the REST API and manually authenticate.

    To add an AI binding to your Worker, include the following in your Wrangler configuration file:

    Add an AI binding to your Worker.

    With the new AI Gateway binding methods, you can now:

    • Send feedback and update metadata with patchLog.
    • Retrieve detailed log information using getLog.
    • Execute universal requests to any AI Gateway provider with run.

    For example, to send feedback and update metadata using patchLog:

    Send feedback and update metadata using patchLog:

  1. Increased Browser Rendering limits!

    Workers Browser Rendering

    Browser Rendering now supports 10 concurrent browser instances per account and 10 new instances per minute, up from the previous limits of 2.

    This allows you to launch more browser tasks from Cloudflare Workers.

    To manage concurrent browser sessions, you can use Queues or Workflows:

    index.js
    export default {
      async queue(batch, env) {
        for (const message of batch.messages) {
          const browser = await puppeteer.launch(env.BROWSER);
          const page = await browser.newPage();
    

          try {
            await page.goto(message.url, {
              waitUntil: message.waitUntil,
            });
            // Process page...
          } finally {
            await browser.close();
          }
        }
      },
    };

  1. Expanded language support for Stream AI Generated Captions

    Stream

    Stream's generated captions leverage Workers AI to automatically transcribe audio and provide captions to the player experience. We have added support for these languages:

    • cs - Czech
    • nl - Dutch
    • fr - French
    • de - German
    • it - Italian
    • ja - Japanese
    • ko - Korean
    • pl - Polish
    • pt - Portuguese
    • ru - Russian
    • es - Spanish

    For more information, learn about adding captions to videos.

  1. New Snippets Code Editor

    Rules

    The new Snippets code editor lets you edit Snippet code and rule in one place, making it easier to test and deploy changes without switching between pages.

    New Snippets code editor

    What’s new:

    • Single-page editing for code and rule – No need to jump between screens.
    • Auto-complete & syntax highlighting – Get suggestions and avoid mistakes.
    • Code formatting & refactoring – Write cleaner, more readable code.

    Try it now in Rules > Snippets.

  1. Automatic configuration for private databases on Hyperdrive

    Hyperdrive

    Hyperdrive now automatically configures your Cloudflare Tunnel to connect to your private database.

    Automatic configuration of Cloudflare Access and Service Token in the Cloudflare dashboard for Hyperdrive.

    When creating a Hyperdrive configuration for a private database, you only need to provide your database credentials and set up a Cloudflare Tunnel within the private network where your database is accessible. Hyperdrive will automatically create the Cloudflare Access, Service Token, and Policies needed to secure and restrict your Cloudflare Tunnel to the Hyperdrive configuration.

    To create a Hyperdrive for a private database, you can follow the Hyperdrive documentation. You can still manually create the Cloudflare Access, Service Token, and Policies if you prefer.

    This feature is available from the Cloudflare dashboard.

  1. Workers KV namespace limits increased to 1000

    KV

    You can now have up to 1000 Workers KV namespaces per account.

    Workers KV namespace limits were increased from 200 to 1000 for all accounts. Higher limits for Workers KV namespaces enable better organization of key-value data, such as by category, tenant, or environment.

    Consult the Workers KV limits documentation for the rest of the limits. This increased limit is available for both the Free and Paid Workers plans.

  1. Support for Node.js DNS, Net, and Timer APIs in Workers

    Workers

    When using a Worker with the nodejs_compat compatibility flag enabled, you can now use the following Node.js APIs:

    node:net

    You can use node:net to create a direct connection to servers via a TCP sockets with net.Socket.

    index.js
    import net from "node:net";
    

    const exampleIP = "127.0.0.1";
    

    export default {
      async fetch(req) {
        const socket = new net.Socket();
        socket.connect(4000, exampleIP, function () {
          console.log("Connected");
        });
    

        socket.write("Hello, Server!");
        socket.end();
    

        return new Response("Wrote to server", { status: 200 });
      },
    };

    Additionally, you can now use other APIs including net.BlockList and net.SocketAddress.

    Note that net.Server is not supported.

    node:dns

    You can use node:dns for name resolution via DNS over HTTPS using Cloudflare DNS at 1.1.1.1.

    index.js
    import dns from "node:dns";
    

    let response = await dns.promises.resolve4("cloudflare.com", "NS");

    All node:dns functions are available, except lookup, lookupService, and resolve which throw "Not implemented" errors when called.

    node:timers

    You can use node:timers to schedule functions to be called at some future period of time.

    This includes setTimeout for calling a function after a delay, setInterval for calling a function repeatedly, and setImmediate for calling a function in the next iteration of the event loop.

    index.js
    import timers from "node:timers";
    

    console.log("first");
    timers.setTimeout(() => {
      console.log("last");
    }, 10);
    

    timers.setTimeout(() => {
      console.log("next");
    });

  1. WAF Release - 2025-01-21

    WAF
    RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
    Cloudflare Managed Ruleset 100303Command Injection - NslookupLogBlock

    This was released as

    Cloudflare Managed Ruleset 100534Web Shell ActivityLogBlock

    This was released as

  1. Detect source code leaks with Data Loss Prevention

    Data Loss Prevention

    You can now detect source code leaks with Data Loss Prevention (DLP) with predefined checks against common programming languages.

    The following programming languages are validated with natural language processing (NLP).

    • C
    • C++
    • C#
    • Go
    • Haskell
    • Java
    • JavaScript
    • Lua
    • Python
    • R
    • Rust
    • Swift

    DLP also supports confidence level for source code profiles.

    For more details, refer to DLP profiles.

  1. Export SSH command logs with Access for Infrastructure using Logpush

    Access

    Cloudflare now allows you to send SSH command logs to storage destinations configured in Logpush, including third-party destinations. Once exported, analyze and audit the data as best fits your organization! For a list of available data fields, refer to the SSH logs dataset.

    To set up a Logpush job, refer to Logpush integration.

  1. Increased Workflows limits and improved instance queueing.

    Workflows

    Workflows (beta) now allows you to define up to 1024 steps. sleep steps do not count against this limit.

    We've also added:

    • instanceId as property to the WorkflowEvent type, allowing you to retrieve the current instance ID from within a running Workflow instance
    • Improved queueing logic for Workflow instances beyond the current maximum concurrent instances, reducing the cases where instances are stuck in the queued state.
    • Support for pause and resume for Workflow instances in a queued state.

    We're continuing to work on increases to the number of concurrent Workflow instances, steps, and support for a new waitForEvent API over the coming weeks.

  1. WAF Release - 2025-01-13

    WAF
    RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
    Cloudflare Managed Ruleset 100704

    Cleo Harmony - Auth Bypass - CVE:CVE-2024-55956, CVE:CVE-2024-55953

    		LogBlockNew Detection
    Cloudflare Managed Ruleset 100705Sentry - SSRFLogBlockNew Detection
    Cloudflare Managed Ruleset 100706Apache Struts - Remote Code Execution - CVE:CVE-2024-53677LogBlockNew Detection
    Cloudflare Managed Ruleset 100707

    FortiWLM - Remote Code Execution - CVE:CVE-2023-48782, CVE:CVE-2023-34993, CVE:CVE-2023-34990

    		LogBlockNew Detection
    Cloudflare Managed Ruleset 100007C_BETACommand Injection - Common Attack CommandsDisabled

  1. New Rules Overview Interface

    Rules

    Rules Overview gives you a single page to manage all your Cloudflare Rules.

    Rules Overview Interface

    What you can do:

    • See all your rules in one place – No more clicking around.
    • Find rules faster – Search by name.
    • Understand execution order – See how rules run in sequence.
    • Debug easily – Use Trace without switching tabs.

    Check it out in Rules > Overview.

  1. Smart Tiered Cache optimizes Load Balancing Pools

    Cache / CDN

    You can now achieve higher cache hit rates and reduce origin load when using Load Balancing with Smart Tiered Cache. Cloudflare automatically selects a single, optimal tiered data center for all origins in your Load Balancing Pool.

    How it works

    When you use Load Balancing with Smart Tiered Cache, Cloudflare analyzes performance metrics across your pool's origins and automatically selects the optimal Upper Tier data center for the entire pool. This means:

    • Consistent cache location: All origins in the pool share the same Upper Tier cache.
    • Higher HIT rates: Requests for the same content hit the cache more frequently.
    • Reduced origin requests: Fewer requests reach your origin servers.
    • Improved performance: Faster response times for cache HITs.

    Example workflow

    Load Balancing Pool: api-pool
    ├── Origin 1: api-1.example.com
    ├── Origin 2: api-2.example.com
    └── Origin 3: api-3.example.com
        
    Selected Upper Tier: [Optimal data center based on pool performance]

    Get started

    To get started, enable Smart Tiered Cache on your zone and configure your Load Balancing Pool.

  1. 40-60% Faster D1 Worker API Requests

    D1

    Users making D1 requests via the Workers API can see up to a 60% end-to-end latency improvement due to the removal of redundant network round trips needed for each request to a D1 database.

    D1 Worker API latency

    p50, p90, and p95 request latency aggregated across entire D1 service. These latencies are a reference point and should not be viewed as your exact workload improvement.

    This performance improvement benefits all D1 Worker API traffic, especially cross-region requests where network latency is an outsized latency factor. For example, a user in Europe talking to a database in North America. D1 location hints can be used to influence the geographic location of a database.

    For more details on how D1 removed redundant round trips, see the D1 specific release note entry.

  1. WAF Release - 2025-01-06

    WAF
    RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionComments
    Cloudflare Specials 100678Pandora FMS - Remote Code Execution - CVE:CVE-2024-11320LogBlockNew Detection
    Cloudflare Specials 100679

    Palo Alto Networks - Remote Code Execution - CVE:CVE-2024-0012, CVE:CVE-2024-9474

    		LogBlockNew Detection
    Cloudflare Specials 100680Ivanti - Command Injection - CVE:CVE-2024-37397LogBlockNew Detection
    Cloudflare Specials 100681Really Simple Security - Auth Bypass - CVE:CVE-2024-10924LogBlockNew Detection
    Cloudflare Specials 100682Magento - XXE - CVE:CVE-2024-34102LogBlockNew Detection
    Cloudflare Specials 100683CyberPanel - Remote Code Execution - CVE:CVE-2024-51567LogBlockNew Detection
    Cloudflare Specials 100684

    Microsoft SharePoint - Remote Code Execution - CVE:CVE-2024-38094, CVE:CVE-2024-38024, CVE:CVE-2024-38023

    		LogBlockNew Detection
    Cloudflare Specials 100685CyberPanel - Remote Code Execution - CVE:CVE-2024-51568LogBlockNew Detection
    Cloudflare Specials 100686Seeyon - Remote Code ExecutionLogBlockNew Detection
    Cloudflare Specials 100687

    WordPress - Remote Code Execution - CVE:CVE-2024-10781, CVE:CVE-2024-10542

    		LogBlockNew Detection
    Cloudflare Specials 100688ProjectSend - Remote Code Execution - CVE:CVE-2024-11680LogBlockNew Detection
    Cloudflare Specials 100689

    Palo Alto GlobalProtect - Remote Code Execution - CVE:CVE-2024-5921

    		LogBlockNew Detection
    Cloudflare Specials 100690Ivanti - Remote Code Execution - CVE:CVE-2024-37404LogBlockNew Detection
    Cloudflare Specials 100691Array Networks - Remote Code Execution - CVE:CVE-2023-28461LogBlockNew Detection
    Cloudflare Specials 100692CyberPanel - Remote Code Execution - CVE:CVE-2024-51378LogBlockNew Detection
    Cloudflare Specials 100693Symfony Profiler - Auth Bypass - CVE:CVE-2024-50340LogBlockNew Detection
    Cloudflare Specials 100694Citrix Virtual Apps - Remote Code Execution - CVE:CVE-2024-8069LogBlockNew Detection
    Cloudflare Specials 100695MSMQ Service - Remote Code Execution - CVE:CVE-2023-21554LogBlockNew Detection
    Cloudflare Specials 100696Nginxui - Remote Code Execution - CVE:CVE-2024-49368LogBlockNew Detection
    Cloudflare Specials 100697

    Apache ShardingSphere - Remote Code Execution - CVE:CVE-2022-22733

    		LogBlockNew Detection
    Cloudflare Specials 100698Mitel MiCollab - Auth Bypass - CVE:CVE-2024-41713LogBlockNew Detection
    Cloudflare Specials 100699Apache Solr - Auth Bypass - CVE:CVE-2024-45216LogBlockNew Detection

  1. AI Gateway adds DeepSeek as a Provider

    AI Gateway

    AI Gateway now supports DeepSeek, including their cutting-edge DeepSeek-V3 model. With this addition, you have even more flexibility to manage and optimize your AI workloads using AI Gateway. Whether you're leveraging DeepSeek or other providers, like OpenAI, Anthropic, or Workers AI, AI Gateway empowers you to:

    • Monitor: Gain actionable insights with analytics and logs.
    • Control: Implement caching, rate limiting, and fallbacks.
    • Optimize: Improve performance with feedback and evaluations.
    AI Gateway adds DeepSeek as a provider

    To get started, simply update the base URL of your DeepSeek API calls to route through AI Gateway. Here's how you can send a request using cURL:

    Example fetch request
    curl https://gateway.ai.cloudflare.com/v1/{account_id}/{gateway_id}/deepseek/chat/completions \
     --header 'content-type: application/json' \
     --header 'Authorization: Bearer DEEPSEEK_TOKEN' \
     --data '{
        "model": "deepseek-chat",
        "messages": [
            {
                "role": "user",
                "content": "What is Cloudflare?"
            }
        ]
    }'

    For detailed setup instructions, see our DeepSeek provider documentation.

  1. Faster Workers Builds with Build Caching and Watch Paths

    Workers
    Build caching settingsBuild watch path settings

    Workers Builds, the integrated CI/CD system for Workers (currently in beta), now lets you cache artifacts across builds, speeding up build jobs by eliminating repeated work, such as downloading dependencies at the start of each build.

    • Build Caching: Cache dependencies and build outputs between builds with a shared project-wide cache, ensuring faster builds for the entire team.

    • Build Watch Paths: Define paths to include or exclude from the build process, ideal for monorepos to target only the files that need to be rebuilt per Workers project.

    To get started, select your Worker on the Cloudflare dashboard then go to Settings > Builds, and connect a GitHub or GitLab repository. Once connected, you'll see options to configure Build Caching and Build Watch Paths.

  1. Escalate user submissions

    Email security

    After you triage your users' submissions (that are machine reviewed), you can now escalate them to our team for reclassification (which are instead human reviewed). User submissions from the submission alias, PhishNet, and our API can all be escalated.

    Escalate

    From Reclassifications, go to User submissions. Select the three dots next to any of the user submissions, then select Escalate to create a team request for reclassification. The Cloudflare dashboard will then show you the submissions on the Team Submissions tab.

    Refer to User submissions to learn more about this feature.

    This feature is available across these Email security packages:

    • Advantage
    • Enterprise
    • Enterprise + PhishGuard

  1. Increased transparency for phishing email submissions

    Email security

    You now have more transparency about team and user submissions for phishing emails through a Reclassification tab in the Zero Trust dashboard.

    Reclassifications happen when users or admins submit a phish to Email security. Cloudflare reviews and - in some cases - reclassifies these emails based on improvements to our machine learning models.

    This new tab increases your visibility into this process, allowing you to view what submissions you have made and what the outcomes of those submissions are.

    Use the Reclassification area to review submitted phishing emails

  1. Troubleshoot tunnels with diagnostic logs

    Cloudflare Tunnel Cloudflare Tunnel for SASE

    The latest cloudflared build 2024.12.2 introduces the ability to collect all the diagnostic logs needed to troubleshoot a cloudflared instance.

    A diagnostic report collects data from a single instance of cloudflared running on the local machine and outputs it to a cloudflared-diag file.

    For more information, refer to Diagnostic logs.

  1. Establish BGP peering over Direct CNI circuits

    Magic Transit Cloudflare WAN Network Interconnect

    Magic WAN and Magic Transit customers can use the Cloudflare dashboard to configure and manage BGP peering between their networks and their Magic routing table when using a Direct CNI on-ramp.

    Using BGP peering allows customers to:

    • Automate the process of adding or removing networks and subnets.
    • Take advantage of failure detection and session recovery features.

    With this functionality, customers can:

    • Establish an eBGP session between their devices and the Magic WAN / Magic Transit service when connected via CNI.
    • Secure the session by MD5 authentication to prevent misconfigurations.
    • Exchange routes dynamically between their devices and their Magic routing table.

    Refer to Magic WAN BGP peering or Magic Transit BGP peering to learn more about this feature and how to set it up.

Search all changelog entries