< ciso
brief />
Tag Banner

All news with #cloudflare tag

318 articles · page 3 of 16

DNSSEC signing error at .de TLD caused mass outages

🔐 On May 5, 2026, DENIC began publishing incorrect DNSSEC signatures for the .de zone, causing validating resolvers to reject responses and return SERVFAIL—impacting .de domains worldwide and affecting Cloudflare’s 1.1.1.1. Many users were buffered by serve stale behavior, but Cloudflare deployed an override equivalent to a Negative Trust Anchor at 22:17 UTC to bypass validation and restore reachability while DENIC corrected the key rollover.
read more →

ConsentFix v3 Automates OAuth Abuse Targeting Azure

🔐 ConsentFix v3 is an automated evolution of prior OAuth consent phishing techniques that targets Microsoft Azure environments by abusing pre-trusted first-party apps and the OAuth2 authorization code flow. Attackers conduct reconnaissance to harvest employee names, roles, and emails, host convincing phishing pages on Cloudflare Pages and DocSend, and use Pipedream webhooks to collect and immediately exchange authorization codes for refresh tokens. Phishing is often highly personalized and delivered via PDFs to evade filters. Captured tokens are imported into post-exploitation tools to access mail, files, and other resources permitted by the token.
read more →

Code Orange: Fail Small Complete — Stronger Cloudflare

🔧Cloudflare completed its Code Orange: Fail Small program after two quarters of focused engineering to prevent the November 18 and December 5, 2025 global outages. The work delivers safer configuration deployments through Snapstone, improved failure modes and segmentation to reduce blast radius, and revised break-glass and communications practices. Changes are codified in a mandatory Codex enforced by AI reviews to prevent regressions.
read more →

Amazon CloudFront Adds WebSockets Support for VPC Origins

🔒 Amazon CloudFront now supports WebSockets through VPC origins, allowing customers to host real-time, bidirectional applications entirely in private subnets. You can place Application Load Balancers, Network Load Balancers, and EC2 instances inside private subnets and expose them via a CloudFront distribution as the single entry point. This reduces attack surface, simplifies security management, and brings built-in DDoS protection to WebSockets workloads. WebSockets via VPC origins is available in all AWS Commercial Regions that support VPC origins at no additional cost.
read more →

Dynamic Workflows: Durable Execution Following Tenants

🚀 Cloudflare announced Dynamic Workflows, a compact TypeScript library that lets a single Worker Loader route durable Workflows to per-tenant code at runtime. It wraps the WORKFLOWS binding so tenant-created workflows persist, resume, and execute in the correct tenant sandbox. Built on Dynamic Workers, it supports per-tenant caching, hibernation, and minimal dispatch overhead.
read more →

Cloudflare Enables Post-Quantum IPsec with ML-KEM Standard

🔒 Cloudflare has made post-quantum encryption generally available for Cloudflare IPsec using hybrid ML‑KEM (FIPS 203), implementing draft-ietf-ipsecme-ikev2-mlkem. The rollout enables site-to-site WAN tunnels protected against harvest-now-decrypt-later attacks and has been tested interoperably with Cisco and Fortinet branch connectors. This brings post-quantum IPsec closer to Internet-scale deployment and supports Cloudflare’s goal of full post-quantum security by 2029.
read more →

Agents Can Now Provision Cloudflare via Stripe Integration

🤖 Agents can now provision Cloudflare resources and complete billing through Stripe Projects, enabling end-to-end deployment without manual dashboard steps. Using a co-designed protocol, an agent can discover available services, create or link a Cloudflare account, and receive API credentials to deploy code and register domains. Stripe supplies a payment token (not raw card data) with a default $100/month cap, and human approval can be requested when needed. Any platform with signed-in users can adopt the same orchestration flow.
read more →

Making Rust Workers Reliable: Wasm Panic and Abort Recovery

🛠 Cloudflare explains reliability improvements for Rust Workers that prevent panics and aborts from poisoning Wasm instances. They upstreamed fixes into wasm-bindgen, adding panic=unwind support via WebAssembly Exception Handling so Rust destructors run and instances remain reusable after a panic. They also implemented abort classification, an abort recovery hook, and an experimental --reset-state-function to reinitialize libraries without reimporting them. Users are encouraged to upgrade to workers-rs 0.8.0 and try the --panic-unwind flag for improved stability.
read more →

Moving Beyond Bots vs. Humans for Web Security and Privacy

🔐 This post by Thibault Meunier explains why the old "bots vs. humans" lens is breaking down as AI agents, accessibility tools, and proxies blur client behavior. Cloudflare outlines current bot management signals (IP, TLS, User-Agent), the rate-limit trilemma, and the limits of fingerprinting. It advocates privacy-preserving proofs such as Privacy Pass and experimental primitives like ARC and ACT to enable anonymous, accountable rate-limiting while protecting an open Web.
read more →

Orchestrating AI-Powered Code Review at Cloudflare

🤖 We built a CI-native orchestration system around OpenCode that launches up to seven specialised AI reviewers per merge request, each focused on domains like security, performance, code quality, documentation, release management, and internal compliance. A coordinator agent deduplicates and rates structured XML findings, applies a conservative approval-biased rubric, and posts a single unified review. Deployed across thousands of merge requests, it approves clean code, blocks critical issues, and reduces median review latency to 3m39s while keeping human oversight.
read more →

Cloudflare's Internal AI Engineering Stack Overview

🤖 Over eleven months Cloudflare built an internal AI engineering stack that integrates AI Gateway, Workers AI, the Agents SDK, and developer tools like OpenCode and Backstage. The platform centralizes authentication with Cloudflare Access, routes model traffic and costs through AI Gateway, and runs inference on Workers AI to reduce latency and expense. The deployment includes an AI Code Reviewer and an Engineering Codex to enforce standards and maintain quality at scale.
read more →

Cloudflare's Agents Week: Building an Agentic Cloud

🤖 Cloudflare's Agents Week highlights a broad set of primitives, services, and developer tooling to support agents as first-class workloads on the Cloudflare Workers platform. Key compute advances include Artifacts, Sandboxes GA with programmable egress, Durable Object Facets, and Workflows v2 to scale background agents. Security features—like Cloudflare Mesh, Managed OAuth for Access, and resource-scoped permissions—aim to make secure agent deployment the default while an expanded Agent Toolbox adds inference, memory, voice, email, and browsing capabilities to help builders move prototypes to production.
read more →

Assessing and Improving Website Readiness for AI Agents

🔎 Cloudflare launches isitagentready.com and a companion Cloudflare Radar dataset to measure and accelerate adoption of emerging AI agent standards across the web. The tool scores sites on Discoverability, Content, Bot Access Control, and Capabilities, and returns actionable prompts for each failing check. The site publishes machine-readable endpoints (MCP server, agent-skills index) so compatible agents can scan and remediate programmatically. Cloudflare also refactored its developer docs to serve Markdown and curated LLM resources, producing measurable reductions in token usage and latency.
read more →

Cloudflare Announces Shared Compression Dictionaries

📦 Cloudflare is introducing support for shared compression dictionaries to reduce redundant transfers and speed page loads for sites that deploy frequently or are heavily crawled by agents. In Phase 1 the edge will passthrough Use-As-Dictionary and Available-Dictionary headers and respect dcb/dcz encodings; an open beta begins April 30, 2026. Later phases move delta compression and automatic dictionary generation into Cloudflare’s edge, simplifying origin logic and maximizing bandwidth and latency savings for versioned assets and returning visitors.
read more →

Agents Week: Cloudflare network performance update

🚀Using Real User Measurements that capture browser‑side timing via a small background speed test, Cloudflare reports it became the fastest provider in 60% of the top 1,000 networks by December 2025, up from 40% in September. Rankings rely on the trimean of TCP connection time to smooth outliers and reflect real user experience. Improvements came from new points of presence (Wroclaw, Malang, Constantine) and software optimizations such as HTTP/3 support and tighter congestion handling, producing an average 6ms lead over the next provider in December.
read more →

Redirects for AI Training enforces canonical content

🔁 Cloudflare introduces Redirects for AI Training, a toggle that turns existing rel="canonical" tags into HTTP 301 redirects for verified AI training crawlers. On paid Cloudflare plans this enforcement redirects AI crawler traffic (examples include GPTBot, ClaudeBot, Bytespider) to canonical URLs, preventing ingestion of deprecated content. Human visitors and other automated classes are unaffected.
read more →

Unweight: Lossless BF16 Exponent Compression for LLMs

💾 Cloudflare's Unweight is a lossless compression system for LLM weights that reduces model size by roughly 15–22% while preserving bit-exact outputs and requiring no special hardware. It compresses only the exponent byte of BF16 tensors—using Huffman coding, palette/transcoding and row-level fallbacks—while leaving sign and mantissa untouched. Decompression happens into GPU shared memory to feed tensor cores directly, and Cloudflare has published a technical paper and open-sourced GPU kernels.
read more →

Cloudflare Agent Memory: Managed Persistent Memory Service

🧠 Cloudflare announces Agent Memory, a private beta managed service that extracts information from agent conversations and makes it available without filling model context windows. The service offers persistent profiles with operations to ingest conversations, explicitly remember or forget items, and recall synthesized answers, integrating with Cloudflare Workers and a REST API. Agent Memory uses a retrieval-based architecture with deterministic ingestion, multi-stage verification, vector and full-text retrieval channels, and Reciprocal Rank Fusion to synthesize concise, contextual responses. Memories are classified, versioned or superseded as appropriate, and fully exportable so organizations retain ownership.
read more →

Flagship: Cloudflare's Native Feature Flag Service

🧭 Cloudflare introduces Flagship, a native feature-flag service built on the CNCF standard OpenFeature that evaluates flags at the edge using Workers, Durable Objects, and KV. The Worker binding performs in-isolate evaluations with typed accessors and full evaluation details, avoiding external HTTP calls and reducing latency. Flagship centralizes flag storage, change auditing, percentage rollouts, and nested targeting rules, and is now available in private beta to help teams safely ship autonomous or AI-assisted code.
read more →

High-Performance LLMs on Cloudflare Workers AI Platform

🚀 Cloudflare details optimizations to run extra-large open-source LLMs on Workers AI, notably making Kimi K2.5 three times faster and adding more models. The post explains hardware tuning, prefill–decode disaggregation, token-aware load balancing, and prompt-caching via an x-session-affinity header to improve throughput and tail latency. It also covers KV-cache sharing with Mooncake, speculative decoding with NVIDIA EAGLE-3, and Cloudflare’s Rust-based inference engine Infire for multi-GPU, low-memory, fast cold-start inference.
read more →