All news with #cloudflare tag

🔒 Cloudflare has extended its Cloud Access Security Broker (CASB) to support the Claude Compliance API, enabling security and compliance teams to monitor Claude Enterprise activity directly in the Cloudflare dashboard without endpoint agents. The integration surfaces security findings for projects, attachments, chat files, messages, and provider-generated artifacts, and groups findings by category and severity. Customers can immediately convert findings into enforcement actions via Gateway policies and use existing detection and remediation workflows. Setup requires a Claude Enterprise account and Compliance API access, and the integration begins scanning and surfacing findings within minutes.

🚀 Cloudflare and Anthropic have integrated Claude Managed Agents with Cloudflare Sandboxes, allowing teams to run the Claude agent loop on Anthropic while Cloudflare executes code, secures connections, and provides detailed observability. A default deployment template offers enhanced security through customizable outbound proxies, sandbox metrics and logs, SSH access, and configurable sandbox images. You can choose traditional microVMs or lightweight V8 isolates to optimize for performance and cost, and use Cloudflare Mesh or Workers VPC to connect agents to private services without exposing them to the Internet.

🔍 Cloudflare tested security-focused LLMs on its infrastructure and reports detailed findings from using Anthropic’s Mythos Preview as part of Project Glasswing. The model stood out for exploit chain construction and automated proof generation, producing runnable PoCs and iterating on failures. Its emergent guardrails proved inconsistent across runs and prompts, so Cloudflare built a tailored harness and additional safeguards to scale safely. The team also observed higher-quality, actionable findings compared with earlier frontier models, but noted increased noise from memory-unsafe languages and model bias.

🔧 At Cloudflare we encountered severe query slowdowns after changing partitioning for a large ClickHouse table to support per-namespace retention; the migration aimed to enable tenant-specific TTLs without thousands of tables. Usual metrics (I/O, memory, rows scanned, parts read) looked normal, but flame graphs exposed heavy lock contention in query planning and costly copies of a giant parts vector. We implemented shared locks, a shared cached parts view, and a binary-search-based prune on the partition key to avoid linear scans. These patches dramatically reduced SELECT latency and were contributed upstream.

🚀 Cloudflare rebuilt Browser Run on its new Containers platform to boost concurrency, throughput, and reliability. Developers can now start 60 browsers per minute via the Workers binding and run up to 120 concurrently — four times the previous limit — while Quick Action response times have dropped by over 50%. The team migrated state from Workers KV to D1, introduced regional pre-warmed pools, and adopted batched Queue writes to avoid race conditions and scale to very large fleets. These changes let Cloudflare ship fixes and features faster and reduce global latency for automated browser tasks.

🔧Cloudflare engineers describe a CUBIC congestion control bug in their open-source QUIC implementation, quiche, where the congestion window (cwnd) becomes permanently pinned at its minimum after an early congestion collapse. Test harnesses that injected 30% loss during the first two seconds revealed per-RTT oscillations and frequent timeouts despite loss stopping. The root cause was an idle-period epoch adjustment ported from the Linux kernel that could advance the recovery epoch into the future; a concise near-one-line change in quiche breaks the death spiral and restores recovery.

🔧 Cloudflare announced a global workforce reduction of more than 1,100 employees as it reorganizes for the agentic AI era. Founders Matthew Prince and his co-sender emphasized transparency, notifying the entire global team directly by email and scheduling an all-hands and an earnings call to explain the change. The company characterized the move as a structural redesign to adapt to a 600% surge in internal AI usage, not a performance-based action. Departing employees will receive industry-leading severance, extended equity vesting through August 15, and U.S. healthcare support through year-end.

🔒 Cloudflare assessed and mitigated the Linux local privilege escalation named Copy Fail (CVE-2026-31431) following public disclosure on 2026-04-29. Our behavioral detections flagged the exploit chain within minutes during validation, and threat hunting across a 48-hour window found no evidence of compromise. We deployed an eBPF LSM allow-list (bpf-lsm) to block AF_ALG binds for non-allow-listed binaries, built and staged patched LTS kernels, and completed fleet protection via controlled reboots with no customer impact.

🔐 On May 5, 2026, DENIC began publishing incorrect DNSSEC signatures for the .de zone, causing validating resolvers to reject responses and return SERVFAIL—impacting .de domains worldwide and affecting Cloudflare’s 1.1.1.1. Many users were buffered by serve stale behavior, but Cloudflare deployed an override equivalent to a Negative Trust Anchor at 22:17 UTC to bypass validation and restore reachability while DENIC corrected the key rollover.

🔐 ConsentFix v3 is an automated evolution of prior OAuth consent phishing techniques that targets Microsoft Azure environments by abusing pre-trusted first-party apps and the OAuth2 authorization code flow. Attackers conduct reconnaissance to harvest employee names, roles, and emails, host convincing phishing pages on Cloudflare Pages and DocSend, and use Pipedream webhooks to collect and immediately exchange authorization codes for refresh tokens. Phishing is often highly personalized and delivered via PDFs to evade filters. Captured tokens are imported into post-exploitation tools to access mail, files, and other resources permitted by the token.

🔧Cloudflare completed its Code Orange: Fail Small program after two quarters of focused engineering to prevent the November 18 and December 5, 2025 global outages. The work delivers safer configuration deployments through Snapstone, improved failure modes and segmentation to reduce blast radius, and revised break-glass and communications practices. Changes are codified in a mandatory Codex enforced by AI reviews to prevent regressions.

🔒 Amazon CloudFront now supports WebSockets through VPC origins, allowing customers to host real-time, bidirectional applications entirely in private subnets. You can place Application Load Balancers, Network Load Balancers, and EC2 instances inside private subnets and expose them via a CloudFront distribution as the single entry point. This reduces attack surface, simplifies security management, and brings built-in DDoS protection to WebSockets workloads. WebSockets via VPC origins is available in all AWS Commercial Regions that support VPC origins at no additional cost.

🚀 Cloudflare announced Dynamic Workflows, a compact TypeScript library that lets a single Worker Loader route durable Workflows to per-tenant code at runtime. It wraps the WORKFLOWS binding so tenant-created workflows persist, resume, and execute in the correct tenant sandbox. Built on Dynamic Workers, it supports per-tenant caching, hibernation, and minimal dispatch overhead.

🔒 Cloudflare has made post-quantum encryption generally available for Cloudflare IPsec using hybrid ML‑KEM (FIPS 203), implementing draft-ietf-ipsecme-ikev2-mlkem. The rollout enables site-to-site WAN tunnels protected against harvest-now-decrypt-later attacks and has been tested interoperably with Cisco and Fortinet branch connectors. This brings post-quantum IPsec closer to Internet-scale deployment and supports Cloudflare’s goal of full post-quantum security by 2029.

🤖 Agents can now provision Cloudflare resources and complete billing through Stripe Projects, enabling end-to-end deployment without manual dashboard steps. Using a co-designed protocol, an agent can discover available services, create or link a Cloudflare account, and receive API credentials to deploy code and register domains. Stripe supplies a payment token (not raw card data) with a default $100/month cap, and human approval can be requested when needed. Any platform with signed-in users can adopt the same orchestration flow.

🛠 Cloudflare explains reliability improvements for Rust Workers that prevent panics and aborts from poisoning Wasm instances. They upstreamed fixes into wasm-bindgen, adding panic=unwind support via WebAssembly Exception Handling so Rust destructors run and instances remain reusable after a panic. They also implemented abort classification, an abort recovery hook, and an experimental --reset-state-function to reinitialize libraries without reimporting them. Users are encouraged to upgrade to workers-rs 0.8.0 and try the --panic-unwind flag for improved stability.

🔐 This post by Thibault Meunier explains why the old "bots vs. humans" lens is breaking down as AI agents, accessibility tools, and proxies blur client behavior. Cloudflare outlines current bot management signals (IP, TLS, User-Agent), the rate-limit trilemma, and the limits of fingerprinting. It advocates privacy-preserving proofs such as Privacy Pass and experimental primitives like ARC and ACT to enable anonymous, accountable rate-limiting while protecting an open Web.

🤖 We built a CI-native orchestration system around OpenCode that launches up to seven specialised AI reviewers per merge request, each focused on domains like security, performance, code quality, documentation, release management, and internal compliance. A coordinator agent deduplicates and rates structured XML findings, applies a conservative approval-biased rubric, and posts a single unified review. Deployed across thousands of merge requests, it approves clean code, blocks critical issues, and reduces median review latency to 3m39s while keeping human oversight.

🤖 Over eleven months Cloudflare built an internal AI engineering stack that integrates AI Gateway, Workers AI, the Agents SDK, and developer tools like OpenCode and Backstage. The platform centralizes authentication with Cloudflare Access, routes model traffic and costs through AI Gateway, and runs inference on Workers AI to reduce latency and expense. The deployment includes an AI Code Reviewer and an Engineering Codex to enforce standards and maintain quality at scale.

🤖 Cloudflare's Agents Week highlights a broad set of primitives, services, and developer tooling to support agents as first-class workloads on the Cloudflare Workers platform. Key compute advances include Artifacts, Sandboxes GA with programmable egress, Durable Object Facets, and Workflows v2 to scale background agents. Security features—like Cloudflare Mesh, Managed OAuth for Access, and resource-scoped permissions—aim to make secure agent deployment the default while an expanded Agent Toolbox adds inference, memory, voice, email, and browsing capabilities to help builders move prototypes to production.