All news with #cloudflare tag
Fri, September 26, 2025
Eliminating Cold Starts 2: Shard and Conquer Globally
🧊 Cloudflare describes a new Worker sharding technique that uses a consistent hash ring to route requests to existing Worker instances across a data center, reducing cold starts. The approach trades a sub-millisecond proxy hop for far fewer expensive cold starts, improving memory efficiency and latency. The system leverages Cap'n Proto RPC to implement optimistic forwarding, lazy capabilities, and seamless context transfer for nested Worker invocations.
Fri, September 26, 2025
Cloudflare Uses Global Performance Data to Reduce Congestion
🔍 Cloudflare explains how it leverages the world’s largest performance dataset, combining passive transport logs with Real User Measurement (RUM), to refine congestion control across its global network. Using a new Rust-based stack and experimentation framework, the company evaluates multiple algorithms (including BBR) to predict user experience from passive signals and validate with RUM. Early tests on free-tier QUIC traffic show roughly 10% average improvement versus the prior baseline, with staged rollouts and an early-access program planned for enterprises.
Fri, September 26, 2025
Cloudflare Uses Massive Data to Boost Global Network
⚡ Cloudflare is leveraging telemetry from its vast Free Plan and global edge to refine congestion control and improve routing across its network. By combining passive connection logs, Real User Measurement (RUM) and cross-network models, the team evaluates multiple algorithms beyond classic loss-based and BBR approaches. A migration to a Rust-based stack enables faster experimentation and parameter tuning; early QUIC tests show up to 10% performance gains. Cloudflare plans staged rollouts through 2026 and offers enterprise early access.
Thu, September 25, 2025
Cloudflare Email Service Private Beta for Developers
📧 Cloudflare announced the private beta of its Email Sending capability, integrated into Workers so developers can send transactional emails directly from serverless code using a simple binding. The service complements existing Email Routing to provide a unified Email Service for both inbound and outbound flows, automates SPF/DKIM/DMARC setup to boost deliverability, and offers local testing, observability, and low-latency global delivery.
Thu, September 25, 2025
Safe in the Sandbox: Security Hardening for Workers
🔒 Cloudflare describes recent security hardening applied to Cloudflare Workers, combining V8 runtime changes with CPU features to strengthen isolation of customer scripts. The post highlights use of memory protection keys (PKU) assigned per-isolate, adoption of V8's sandbox and compressed pointers to confine heap corruption, and custom memory placement to pack sandboxes efficiently. Together these mitigations improve defense-in-depth and reduce opportunities for cross-isolate data leaks.
Thu, September 25, 2025
Cloudflare Brings Enterprise Features to All Plans
🔐 Cloudflare announced it will make nearly every feature available for direct purchase on any plan, removing the previous distinction of “enterprise-only” capabilities. The rollout begins today with dashboard SSO, which is now accessible to all customers and supports GitHub social login; many Zero Trust features are available at no cost for up to 50 users. Over the next year Cloudflare will extend this self-service approach to additional capabilities, simplify billing and packaging, and reduce the need to involve sales or solutions engineers, while noting a few region-specific exceptions such as its China Network.
Thu, September 25, 2025
Cloudflare Data Platform: R2 Pipelines, Catalog, SQL
🧭 Cloudflare announced the Cloudflare Data Platform, combining Cloudflare Pipelines, R2 Data Catalog, and R2 SQL to ingest, store, and query analytical tables directly on R2 object storage. Built on Apache Iceberg and open standards, the platform emphasizes engine interoperability and Cloudflare’s zero-cost egress. Pipelines offers exactly-once ingestion and SQL transforms today; stateful processing is planned. The products are open betas with usage-based pricing signals ahead of GA.
Thu, September 25, 2025
Enabling AI Sovereignty Through Choice and Openness Globally
🌐 Cloudflare argues that AI sovereignty should mean choice: the ability for nations to control data, select models, and deploy applications without vendor lock-in. Through its distributed edge network and serverless Workers AI, Cloudflare promotes accessible, low-cost deployment and inference close to users. The company hosts regional open-source models—India’s IndicTrans2, Japan’s PLaMo-Embedding-1B, and Singapore’s SEA-LION v4-27B—and offers an AI Gateway to connect diverse models. Open standards, interoperability, and pay-as-you-go economics are presented as central to resilient national AI strategies.
Thu, September 25, 2025
Cloudflare Developer Platform: Bigger, Faster, More Powerful
🚀 Cloudflare announced a broad set of developer platform upgrades designed to remove friction and scale modern workloads. Highlights include expanded Node.js API support, AI Search now supporting multiple model providers, and larger Container and Workers Build sizes. GA releases such as Remote Bindings, R2 Infrequent Access, Media Transformations, and Playwright-backed Browser Rendering aim to speed development and reduce costs.
Thu, September 25, 2025
Cloudflare Workers Now Directly Connect to PlanetScale
🚀 Cloudflare Workers can now connect directly to PlanetScale Postgres and MySQL databases through a dashboard integration that links accounts and provisions an optimal Hyperdrive configuration. Built on Hyperdrive, the integration keeps connections warm, places pooled connections near your database, and can cache frequent read queries to reduce latency and database load. Credentials are managed securely, including a one-click password rotation, and the integration is accessible from both Cloudflare and PlanetScale dashboards to simplify full-stack app development.
Thu, September 25, 2025
Cloudflare Workers: A Year of Node.js Compatibility
🔧 Over the past year Cloudflare has significantly expanded Node.js compatibility inside Workers, adding many core modules as native runtime features. The effort includes modules such as node:fs, node:crypto, node:http, node:net, and node:zlib, plus a virtual in-memory file system and native crypto via ncrypto. These changes reduce reliance on polyfills and tooling shims, improve performance and memory usage, and let popular npm packages and frameworks like Express run more seamlessly. Developers enable this with the nodejs_compat flag and can opt in or out of EOL-related APIs using granular compatibility flags.
Wed, September 24, 2025
ShadowV2 Botnet Highlights Growth of DDoS-as-a-Service
🛡️ Darktrace has uncovered a ShadowV2 campaign that combines a GitHub Codespaces-hosted Python command-and-control framework, a Docker-based spreader, and a Go-based RAT to operate a DDoS-as-a-service platform. Attackers target exposed Docker daemons on AWS EC2 to build on-victim images and deploy malware via environment variables, reducing forensic artifacts. The platform exposes an OpenAPI-driven UI and multi-tenant API enabling HTTP/HTTP2 floods, UAM bypasses, and other configurable attack options.
Wed, September 24, 2025
Automatic SSL/TLS: Upgrading 6M Domains for Quantum Safety
🔐 Cloudflare's Automatic SSL/TLS now upgrades origin-facing encryption by default, having strengthened over 6 million domains without operator intervention. The system scans origins, verifies content and certificates, then gradually ramps stronger SSL/TLS modes from 1% to 100% of traffic, aborting safely on failures. This prepares sites for the post-quantum era by favoring hybrid key agreements (X25519 + ML-KEM) and will soon automate post-quantum handshakes and ad-hoc rescans.
Wed, September 24, 2025
Simpler Path to a Safer Internet: CSAM Tool Update
🔒 Cloudflare has simplified access to its CSAM Scanning Tool by removing the prior requirement for National Center for Missing and Exploited Children (NCMEC) credentials. The tool relies on fuzzy hashing to create perceptual fingerprints that detect altered images with high confidence. Since the change in February, monthly adoption has increased sixteenfold. Detected matches result in blocked URLs and owner notifications so site operators can remediate.
Wed, September 24, 2025
SaaS-to-SaaS Proxy: Centralized Visibility and Control
🌐 Cloudflare is prototyping a SaaS-to-SaaS proxy that consolidates SaaS connections through a single front door to improve monitoring, detection, and response. Two deployment models are proposed: a customer-controlled vanity hostname proxy that returns visibility to data owners, and a vendor-side reverse proxy that strengthens platform security. Both approaches use key splitting to avoid persisting full bearer tokens and enable instant revocation. Cloudflare is seeking feedback and offering early access.
Wed, September 24, 2025
Cloudflare WARP Adds Post-Quantum Key Agreement Support
🔐 Cloudflare's WARP client now supports post-quantum key agreement across both consumer (1.1.1.1) and enterprise (Cloudflare One Agent) offerings, tunneling traffic over MASQUE with hybrid post-quantum/classical ciphersuites. The upgrade provides immediate protection against harvest-now-decrypt-later attacks by wrapping user traffic in post-quantum MASQUE tunnels even when individual connections inside the tunnel are not yet PQ-protected. Cloudflare staged the rollout with temporary downgrades, phased population enablement, and an MDM override to balance robustness and downgrade-resistance while meeting FIPS/FedRAMP constraints.
Wed, September 24, 2025
Cloudflare Launches Content Signals Policy for robots.txt
🛡️ Cloudflare introduced the Content Signals Policy, an extension to robots.txt that lets site operators express how crawlers may use content after it has been accessed. The policy defines three machine-readable signals — search, ai-input, and ai-train — each set to yes/no or left unset. Cloudflare will add a default signal set (search=yes, ai-train=no) to managed robots.txt for ~3.8M domains, serve commented guidance for free zones, and publish the spec under CC0. Cloudflare emphasizes signals are preferences, not technical enforcement, and recommends pairing them with WAF and Bot Management.
Wed, September 24, 2025
Responsible AI Bot Principles to Protect Web Content
🛡️ Cloudflare proposes five practical principles to guide responsible AI bot behavior and protect web publishers, users, and infrastructure. The framework stresses public disclosure, reliable self-identification (moving toward cryptographic verification such as Web Bot Auth), a declared single purpose for crawlers, and respect for operator preferences via robots.txt or headers. Operators must also avoid deceptive or high-volume crawling, and Cloudflare invites multi-stakeholder collaboration to refine and adopt these norms.
Tue, September 23, 2025
Cloudflare Mitigates Record 22.2 Tbps DDoS Attack Again
🚨 Cloudflare reported that it mitigated a massive volumetric DDoS attack that peaked at 22.2 Tbps and 10.6 billion packets per second, lasting roughly 40 seconds. The traffic surge equated to streaming about one million 4K videos simultaneously and generated a packet rate roughly equal to 1.3 web page refreshes per person on Earth. Such extreme packet velocities strain firewalls, routers, and load balancers even where aggregate bandwidth may be handled. Cloudflare has provided limited technical detail on this and recent record attacks.
Tue, September 23, 2025
Nimbus Manticore Intensifies Cyber-Espionage in Europe
🔍 Check Point Research reports that Iranian-linked actor Nimbus Manticore has escalated cyber-espionage operations across Western Europe, with heightened targeting of organizations in Denmark, Sweden and Portugal. Attackers impersonate recruiters and use convincing fake career portals to deliver personalized credentials and malicious archives. The campaign leverages evolved backdoors—first seen as Minibike, now observed as MiniJunk and MiniBrowse—and employs multi-stage DLL sideloading into legitimate Windows binaries, including Microsoft Defender components, alongside valid code-signing certificates and compiler-level obfuscation to evade detection. Infrastructure hosted via Azure App Service and shielded by Cloudflare provides redundancy and rapid command-and-control recovery.