< ciso brief />

All news with #cloudflare tag

286 articles · page 3 of 15

Cloudflare Adds Managed OAuth to Protect Agent Access

🔐 Cloudflare is launching Managed OAuth for Cloudflare Access in open beta, enabling agents that speak OAuth 2.0 to authenticate to internal apps with a single click. When enabled, Access acts as the authorization server and uses the www-authenticate header to point agents to the /.well-known/oauth-authorization-server endpoint. Agents can dynamically register (RFC 7591), perform PKCE (RFC 7636), and receive JWTs to act on behalf of users, removing the need for static service accounts.

Improved Developer Security for Non-Human Identities and Tokens

🔐 Cloudflare announces updates to secure non-human identities—agents, scripts, and third-party tools—by enhancing credential detection, OAuth visibility, and resource-scoped RBAC. New scannable token formats (with identifiable prefixes and checksums) and integration with GitHub Secret Scanning enable rapid verification and automated revocation of leaked tokens. Cloudflare One DLP extends prevention across network, email, SaaS, and AI traffic. The Dashboard now surfaces connected OAuth apps and permissions to simplify review and revocation.

Cloudflare Mesh: Secure Private Networking for Agents

🔒 Cloudflare Mesh provides a developer-friendly private network that unifies access for users, devices, and AI agents across clouds and the Cloudflare edge. Integrated with Cloudflare One, Mesh uses the Cloudflare One Client and Mesh nodes to route bidirectional, many-to-many traffic with built-in Gateway policies, DNS filtering, device posture checks, and DLP. It supports Workers VPC bindings and the Agents SDK so serverless agents and Durable Objects can securely reach private services, with a free tier for up to 50 nodes and 50 users.

Technical Preview: Unified Cloudflare CLI and Local Explorer

🚀 Cloudflare released a technical preview of a rebuilt CLI distributed as the new cf command to provide unified, consistent access across its extensive API surface. The preview demonstrates a TypeScript-based schema and code-generation pipeline that produces consistent commands, configuration, bindings, and OpenAPI output for both agents and developers. It also introduces Local Explorer, an open beta available in Wrangler and the Cloudflare Vite plugin, which mirrors Cloudflare APIs locally so you can inspect and modify KV, R2, D1, Durable Objects and Workflows during development.

Durable Object Facets: Isolated Databases for Workers

🧩 Durable Object Facets let you instantiate dynamic Durable Object classes inside a supervisor Durable Object, giving each AI-generated app its own isolated SQLite-backed storage. Using the Dynamic Worker Loader API, a supervisor loads agent code, instantiates the exported DurableObject class as a facet via this.ctx.facets.get(...), and forwards requests while retaining logging, quotas, and billing controls. Facets enable near-zero-latency local storage and safe multi-tenant application patterns.

Cloudflare Sandboxes and Containers Reach General Availability

🧰 Cloudflare has declared Sandboxes and Cloudflare Containers generally available, delivering persistent, isolated development environments tailored for AI agents and human developers. Key additions include secure credential injection via an egress proxy, PTY-backed WebSocket terminals, persistent Python/JavaScript/TypeScript interpreters, filesystem event streams, background dev servers with public preview URLs, and fast disk-state snapshots. Higher instance limits and Active CPU Pricing reduce cost and improve scalability; the SDK is at version 0.8.9.

Cloudflare Sandboxes Add Outbound Workers for Secure Egress

🔐 Cloudflare has added outbound Workers to its Sandboxes and Containers, providing programmable egress proxies that let sandboxed workloads connect, add observability, and perform safe authentication. Handlers such as outboundByHost and global outbound functions can inject headers, block requests, or log traffic without exposing secrets to the guest. The proxy runs locally beside the sandbox with minimal latency and integrates with platform bindings like KV and R2 for identity‑aware, dynamic controls.

Building the Internet for Agents: Cloudflare’s Agents Week

🔔 Cloudflare is launching Agents Week to announce platform work aimed at scaling one-to-one AI agents across the Internet. The post argues that traditional container-based cloud models don't map well to ephemeral, per-user agents and highlights Workers and lightweight isolates as efficient primitives alongside GA container sandboxes and improved browser rendering. It also stresses integrating security, identity, payment, and open standards like MCP to make agents practical and sustainable.

Cloudflare Reaches 500 Tbps Capacity Across 330+ Cities

🚀 Cloudflare announced it has provisioned 500 Tbps of external interconnection capacity across 330+ cities, a milestone reflecting 16 years of global network scaling. This figure represents aggregate provisioned ports to transit providers, IXPs, private peers and CNI — not peak traffic, with the unused portion reserved as the DDoS budget. The company attributes resilience to running security and developer platforms on every server and to automated, server‑level mitigation using eBPF, dosd and global propagation via Quicksilver.

Cloudflare Actively Adjusts Post-Quantum Priorities

🔐 Cloudflare says it is “actively adjusting” its post-quantum cryptography priorities after Google moved its PQC migration deadline up to 2029, citing algorithmic advances. The company reports that more than half of its traffic is already protected against harvest-now/decrypt-later using ML-KEM (a PQC standard ratified in 2024), and plans to deploy post-quantum certificates in 2027 to guard against active attacks. Bas Westerbaan noted Google demonstrated a breakthrough with a zero-knowledge proof while withholding key details.

Automated Magic Packet Generation from BPF Filters

🛡️ Cloudflare demonstrates an automated method to reverse-engineer classic BPF socket filters and generate the exact “magic” packets that trigger stealthy Linux backdoors. By combining symbolic execution with the Z3 theorem prover and translating the resulting constraints into concrete byte values, the approach reduces manual analysis of complex BPF bytecode from hours or days to seconds. The team uses scapy to assemble crafted packets and has open-sourced the filterforge tool to accelerate threat research and detection.

Cloudflare Targets Full Post-Quantum Security by 2029

🔒 Cloudflare is accelerating its post-quantum roadmap and now targets 2029 to achieve full post-quantum security, explicitly including post-quantum authentication. The company already enabled post-quantum encryption for the majority of human traffic to mitigate harvest-now/decrypt-later risks, but new algorithmic and hardware advances (notably Google’s reported speedups and Oratomic’s neutral-atom estimates) make authentication the urgent priority. Cloudflare will enable PQ defaults for customers at no extra cost.

Cloudflare Launches Organizations Beta for Enterprises

🔒 Cloudflare has introduced Organizations in public beta to help enterprise customers manage multiple Cloudflare Accounts centrally. The feature creates an organization layer for account grouping, introduces an Org Super Administrator role, and provides aggregated analytics and shared policy sets. Initial rollout targets enterprise plans with staged expansion to other customers and partners. There is no additional fee for Organizations during beta.

EmDash by Cloudflare: A Secure, Modern WordPress Alternative

🛡️ Cloudflare introduced EmDash, presented as a modern, more secure alternative to WordPress. The MIT-licensed, open-source CMS aims to reduce plugin-driven vulnerabilities by isolating execution and enforcing least-privilege principles. EmDash uses a different content model and targets developer-first and AI-driven site workflows. While attractive for new projects, enterprises face nontrivial migration and ecosystem challenges.

Rethinking Web Cache Design for the AI Era at Scale

🤖 Cloudflare describes how increasing AI crawler traffic—used by retrieval-augmented generation, real-time summarization, and large-scale dataset collection—fundamentally alters CDN cache dynamics. AI agents request high volumes of unique, long‑tail URLs, often in parallel and without shared sessions, producing low reuse and high cache churn that raises misses and origin load. Cloudflare proposes AI-aware caching, traffic filtering, and a dedicated AI cache tier to preserve low-latency human-facing performance while serving diverse AI workloads.

EmDash: Cloudflare’s Modern, Secure Successor to WordPress

🛡️ EmDash is a new, open-source CMS from Cloudflare, written in TypeScript and available as a v0.1.0 preview that aims to be the spiritual successor to WordPress. It runs plugins in isolated Dynamic Workers and enforces capability-based manifests so extensions can only perform explicitly declared actions, substantially reducing plugin attack surface. EmDash is serverless-first, uses Astro for themes, includes built-in x402 payment support and passkey authentication, and provides CLI and MCP tooling to enable AI-driven management and migrations.

Cloudflare confirms 1.1.1.1 resolver privacy in 2024 review

🔒 An independent Big 4 accounting firm has completed a fresh privacy examination of Cloudflare's 1.1.1.1 public DNS resolver and confirmed that its core privacy commitments remain in force. The report reaffirms that Cloudflare does not sell or share resolver users’ personal data or use it for advertising, and that source IP addresses are anonymized and deleted within 25 hours. The review also notes that up to 0.05% of randomly sampled packets may be inspected solely for network troubleshooting and attack mitigation, and clarifies that the examination scope focused exclusively on privacy assurances.

Programmable Flow Protection for Custom UDP DDoS Mitigation

🛡️ Programmable Flow Protection lets Magic Transit customers author and deploy custom eBPF programs across Cloudflare’s global edge to define what constitutes legitimate UDP traffic. Programs run in a verified userspace BPF VM and can pass, drop, or challenge packets using helper functions for state, cryptographic validation, and challenge emission. In beta for Magic Transit Enterprise customers, the feature enables stateful, protocol-aware DDoS mitigation that distinguishes legitimate clients from scripted or replay attacks.

Cloudflare Expands Client-Side Security to All Users

🔒 Cloudflare is making advanced client-side protections self-serve and offering domain-based threat intelligence free across all Client-Side Security customers. The Client-Side Security Advanced bundle brings machine learning and an LLM-backed second opinion to detect malicious JavaScript and drastically reduce false positives. It relies on browser reporting like CSP and requires only that traffic be proxied through Cloudflare, so there is zero latency impact to applications. These tools are intended to help organizations of all sizes detect skimming, supply-chain compromises, and sophisticated browser-side attacks.

Visualizing Cloudflare Workflows with Static Diagrams

🔍 Cloudflare has added complete visual diagrams to the Cloudflare Workflows dashboard so developers can better inspect and debug code-first workflows. Because Workflows are dynamic code — with Promises, await, loops and nested functions — Cloudflare parses the bundled script at deploy time into an AST, using oxc-parser and a Rust Worker compiled to WebAssembly to translate nodes into a graph. The renderer maps step and function relationships, tracks parallelism and ordering with starts and resolves indices, and exposes a concise set of node types to support debugging and future real-time tracing features.