---
title: Changelogs
image: https://developers.cloudflare.com/cf-twitter-card.png
---

> Documentation Index  
> Fetch the complete documentation index at: https://developers.cloudflare.com/changelog/llms.txt  
> Use this file to discover all available pages before exploring further. 

[Skip to content](#%5Ftop) 

# Changelog

New updates and improvements at Cloudflare.

[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/index.xml) [ View RSS feeds ](https://developers.cloudflare.com/fundamentals/new-features/available-rss-feeds/) 

All products

![hero image](https://developers.cloudflare.com/_astro/hero.CVYJHPAd_26AMqX.svg) 

Oct 30, 2025
1. ### [Access Workers preview URLs from the Build details page](https://developers.cloudflare.com/changelog/post/2025-10-30-builds-preview/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
You can now access [preview URLs](https://developers.cloudflare.com/workers/configuration/previews/) directly from the build details page, making it easier to test your changes when reviewing builds in the dashboard.  
![preview button](https://developers.cloudflare.com/_astro/builds-preview-button.CjGnhkt7_kOMMe.webp)  

**What's new**

  * A **Preview** button now appears in the top-right corner of the build details page for successful builds
  * Click it to instantly open the latest preview URL
  * Matches the same experience you're familiar with from Pages

Oct 28, 2025
1. ### [Access private hostname applications support all ports/protocols](https://developers.cloudflare.com/changelog/post/2025-10-28-access-application-support-for-all-ports-and-protocols/)  
[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)  
[Cloudflare Access for private hostname applications](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/self-hosted-private-app/) can now secure traffic on all ports and protocols.  
Previously, applying Zero Trust policies to private applications required the application to use HTTPS on port `443` and support Server Name Indicator (SNI).  
This update removes that limitation. As long as the application is reachable via a Cloudflare off-ramp, you can now enforce your critical security controls — like single sign-on (SSO), MFA, device posture, and variable session lengths — to any private application. This allows you to extend Zero Trust security to services like SSH, RDP, internal databases, and other non-HTTPS applications.  
![Example private application on non-443 port](https://developers.cloudflare.com/_astro/internal_private_app_any_port.DNXnEy0u_2rybRJ.webp)  
For example, you can now create a self-hosted application in Access for `ssh.testapp.local` running on port `22`. You can then build a policy that only allows engineers in your organization to connect after they pass an SSO/MFA check and are using a corporate device.  
This feature is generally available across all plans.

Oct 28, 2025
1. ### [Reranking and API-based system prompt configuration in AI Search](https://developers.cloudflare.com/changelog/post/2025-10-27-ai-search-reranking-system-prompt/)  
[ AI Search ](https://developers.cloudflare.com/ai-search/)  
[AI Search](https://developers.cloudflare.com/ai-search/) now supports reranking for improved retrieval quality and allows you to set the system prompt directly in your API requests.  
#### Rerank for more relevant results  
You can now enable [reranking](https://developers.cloudflare.com/ai-search/configuration/retrieval/reranking/) to reorder retrieved documents based on their semantic relevance to the user’s query. Reranking helps improve accuracy, especially for large or noisy datasets where vector similarity alone may not produce the optimal ordering.  
You can enable and configure reranking in the dashboard or directly in your API requests:

**JavaScript**  
```javascript  
const answer = await env.AI.autorag("my-autorag").aiSearch({  
  query: "How do I train a llama to deliver coffee?",  
  model: "@cf/meta/llama-3.3-70b-instruct-fp8-fast",  
  reranking: {  
    enabled: true,  
    model: "@cf/baai/bge-reranker-base",  
  },  
});  
```  
#### Set system prompts in API  
Previously, [system prompts](https://developers.cloudflare.com/ai-search/configuration/retrieval/system-prompt/) could only be configured in the dashboard. You can now define them directly in your API requests, giving you per-query control over behavior. For example:

**JavaScript**  
```javascript  
// Dynamically set query and system prompt in AI Search  
async function getAnswer(query, tone) {  
  const systemPrompt = `You are a ${tone} assistant.`;  
  const response = await env.AI.autorag("my-autorag").aiSearch({  
    query: query,  
    system_prompt: systemPrompt,  
  });  
  return response;  
}  
// Example usage  
const query = "What is Cloudflare?";  
const tone = "friendly";  
const answer = await getAnswer(query, tone);  
console.log(answer);  
```  
Learn more about [Reranking](https://developers.cloudflare.com/ai-search/configuration/retrieval/reranking/) and [System Prompt](https://developers.cloudflare.com/ai-search/configuration/retrieval/system-prompt/) in AI Search.

Oct 28, 2025
1. ### [CASB introduces new granular roles](https://developers.cloudflare.com/changelog/post/2025-10-28-casb-roles/)  
[ CASB ](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/)  
Cloudflare CASB (Cloud Access Security Broker) now supports two new granular roles to provide more precise access control for your security teams:

  * **Cloudflare CASB Read:** Provides read-only access to view CASB findings and dashboards. This role is ideal for security analysts, compliance auditors, or team members who need visibility without modification rights.
  * **Cloudflare CASB:** Provides full administrative access to configure and manage all aspects of the CASB product.  
These new roles help you better enforce the principle of least privilege. You can now grant specific members access to CASB security findings without assigning them broader permissions, such as the **Super Administrator** or **Administrator** roles.  
To enable [Data Loss Prevention (DLP)](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/), scans in CASB, account members will need the **Cloudflare Zero Trust** role.  
You can find these new roles when inviting members or creating API tokens in the Cloudflare dashboard under **Manage Account** \> **Members**.  
To learn more about managing roles and permissions, refer to the [Manage account members and roles documentation](https://developers.cloudflare.com/fundamentals/manage-members/roles/).

Oct 28, 2025
1. ### [New Application Categories added for HTTP Traffic Management](https://developers.cloudflare.com/changelog/post/gateway-application-categories-added/)  
[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)  
To give you precision and flexibility while creating policies to block unwanted traffic, we are introducing new, more granular application categories in the Gateway product.  
We have added the following categories to provide more precise organization and allow for finer-grained policy creation, designed around how users interact with different types of applications:

  * Business
  * Education
  * Entertainment & Events
  * Food & Drink
  * Health & Fitness
  * Lifestyle
  * Navigation
  * Photography & Graphic Design
  * Travel  
The new categories are live now, but we are providing a transition period for existing applications to be fully remapped to these new categories.  
The full remapping will be completed by January 30, 2026.  
We encourage you to use this time to:

  * Review the new category structure.
  * Identify and adjust any existing HTTP policies that reference older categories to ensure a smooth transition.  
For more information on creating HTTP policies, refer to [Applications and app types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/application-app-types/).

Oct 27, 2025
1. ### [Azure Sentinel Connector](https://developers.cloudflare.com/changelog/post/2025-10-27-sentinel-connector/)  
[ Logs ](https://developers.cloudflare.com/logs/)  
Logpush now supports integration with [Microsoft Sentinel ↗](https://www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-sentinel).The new Azure Sentinel Connector built on Microsoft’s Codeless Connector Framework (CCF), is now available. This solution replaces the previous Azure Functions-based connector, offering significant improvements in security, data control, and ease of use for customers. Logpush customers can send logs to Azure Blob Storage and configure this new Sentinel Connector to ingest those logs directly into Microsoft Sentinel.  
This upgrade significantly streamlines log ingestion, improves security, and provides greater control:

  * Simplified Implementation: Easier for engineering teams to set up and maintain.
  * Cost Control: New support for Data Collection Rules (DCRs) allows you to filter and transform logs at ingestion time, offering potential cost savings.
  * Enhanced Security: CCF provides a higher level of security compared to the older Azure Functions connector.
  * Data Lake Integration: Includes native integration with Data Lake.  
Find the new solution [here ↗](https://marketplace.microsoft.com/en-us/product/azure-application/cloudflare.azure-sentinel-solution-cloudflare-ccf?tab=Overview) and refer to the [Cloudflare's developer documentation ↗](https://developers.cloudflare.com/analytics/analytics-integrations/sentinel/#supported-logs:~:text=WorkBook%20fields,-Analytic%20rules)for more information on the connector, including setup steps, supported logs and Microsoft's resources.

Oct 27, 2025
1. ### [TLD Insights in Cloudflare Radar](https://developers.cloudflare.com/changelog/post/2025-10-27-radar-tld-insights/)  
[ Radar ](https://developers.cloudflare.com/radar/)  
[**Radar**](https://developers.cloudflare.com/radar/) now introduces Top-Level Domain (TLD) insights, providing visibility into popularity based on the DNS magnitude metric, detailed TLD information including its type, manager, DNSSEC support, RDAP support, and WHOIS data, and trends such as DNS query volume and geographic distribution observed by the [1.1.1.1](https://developers.cloudflare.com/1.1.1.1/) DNS resolver.  
The following dimensions were added to the Radar DNS API, specifically, to the [/dns/summary/{dimension}](https://developers.cloudflare.com/api/resources/radar/subresources/dns/methods/summary%5Fv2/) and [/dns/timeseries\_groups/{dimension}](https://developers.cloudflare.com/api/resources/radar/subresources/dns/methods/timeseries%5Fgroups%5Fv2/) endpoints:

  * `tld`: Top-level domain extracted from DNS queries; can also be used as a filter.
  * `tld_dns_magnitude`: Top-level domain ranking by [DNS magnitude](https://developers.cloudflare.com/radar/glossary#dns-magnitude).  
And the following endpoints were added:

  * [/tlds](https://developers.cloudflare.com/api/resources/radar/subresources/tlds/methods/list/) \- Lists all TLDs.
  * [/tlds/{tld}](https://developers.cloudflare.com/api/resources/radar/subresources/tlds/methods/get/) \- Retrieves information about a specific TLD.  
![Screenshot of the TLD ranking by DNS magnitude](https://developers.cloudflare.com/_astro/tld-ranking-by-dns-magnitude.DbmrooPK_1wHWG1.webp)  
Learn more about the new Radar DNS insights in our [blog post ↗](https://blog.cloudflare.com/introducing-tld-insights-on-cloudflare-radar/), and check out the [new Radar page ↗](https://radar.cloudflare.com/tlds).

Oct 27, 2025
1. ### [Cloudforce One RFI tokens are now visible in the dashboard](https://developers.cloudflare.com/changelog/post/2025-10-27-rfi-tokens-in-dash/)  
[ Security Center ](https://developers.cloudflare.com/security-center/)  
The Requests for Information (RFI) dashboard now shows users the number of tokens used by each submitted RFI to better understand usage of tokens and how they relate to each request submitted.  
![Cloudforce One RFI tokens](https://developers.cloudflare.com/_astro/2025-10-24RFITokens.DPm1e8uC_2g3fE3.webp)  
What’s new:

  * Users can now see the number of tokens used for a submitted request for information.
  * Users can see the remaining tokens allocated to their account for the quarter.
  * Users can only select the Routine priority for the `Strategic Threat Research` request type.  
Cloudforce One subscribers can try it now in [Application Security > Threat Intelligence > Requests for Information ↗](https://dash.cloudflare.com/?to=/:account/security-center/threat-intelligence/requests).

Oct 24, 2025
1. ### [WAF Release - 2025-10-24 - Emergency](https://developers.cloudflare.com/changelog/post/2025-10-24-emergency-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
This week’s release introduces a new detection signature that enhances coverage for a critical vulnerability in Windows Server Update Services (WSUS), tracked as CVE-2025-59287.

**Key Findings**  
The vulnerability allows unauthenticated attackers to potentially achieve remote code execution. The updated detection logic strengthens defenses by improving resilience against exploitation attempts targeting this flaw.

**Impact**  
Successful exploitation of CVE-2025-59287 could enable attackers to hijack sessions, execute arbitrary commands, exfiltrate sensitive data, and disrupt storefront operations. These actions pose significant confidentiality and integrity risks to affected environments. Administrators should apply vendor patches immediately to mitigate exposure.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                           | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | ----------------------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...bd72ba08 | N/A            | Windows Server - Deserialization - CVE:CVE-2025-59287 | N/A             | Block      | This is a New Detection |

Oct 24, 2025
1. ### [Automatic resource provisioning for KV, R2, and D1](https://developers.cloudflare.com/changelog/post/2025-10-24-automatic-resource-provisioning/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
Previously, if you wanted to develop or deploy a worker with attached resources, you'd have to first manually create the desired resources. Now, if your Wrangler configuration file includes a KV namespace, D1 database, or R2 bucket that does not yet exist on your account, you can develop locally and deploy your application seamlessly, without having to run additional commands.  
Automatic provisioning is launching as an open beta, and we'd love to hear your feedback to help us make improvements! It currently works for KV, R2, and D1 bindings. You can disable the feature using the `--no-x-provision` flag.  
To use this feature, update to wrangler@4.45.0 and add bindings to your config file _without_ resource IDs e.g.:

**JSONC**  
```jsonc  
{  
  "kv_namespaces": [{ "binding": "MY_KV" }],  
  "d1_databases": [{ "binding": "MY_DB" }],  
  "r2_buckets": [{ "binding": "MY_R2" }],  
}  
```  
`wrangler dev` will then automatically create these resources for you locally, and on your next run of `wrangler deploy`, Wrangler will call the Cloudflare API to create the requested resources and link them to your Worker.  
Though resource IDs will be automatically written back to your Wrangler config file after resource creation, resources will stay linked across future deploys even without adding the resource IDs to the config file. This is especially useful for shared templates, which now no longer need to include account-specific resource IDs when adding a binding.

Oct 24, 2025
1. ### [Build TanStack Start apps with the Cloudflare Vite plugin](https://developers.cloudflare.com/changelog/post/2025-10-24-tanstack-start/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
The [Cloudflare Vite plugin](https://developers.cloudflare.com/workers/vite-plugin/) now supports [TanStack Start ↗](https://tanstack.com/start/) apps. Get started with new or existing projects.  
#### New projects  
Create a new TanStack Start project that uses the Cloudflare Vite plugin via the `create-cloudflare` CLI:  
 npm  yarn  pnpm  
```  
npm create cloudflare@latest -- my-tanstack-start-app --framework=tanstack-start  
```  
```  
yarn create cloudflare my-tanstack-start-app --framework=tanstack-start  
```  
```  
pnpm create cloudflare@latest my-tanstack-start-app --framework=tanstack-start  
```  
#### Existing projects  
Migrate an existing TanStack Start project to use the Cloudflare Vite plugin:

  1. Install `@cloudflare/vite-plugin` and `wrangler`  
 npm  yarn  pnpm  bun  
```  
npm i -D @cloudflare/vite-plugin wrangler  
```  
```  
yarn add -D @cloudflare/vite-plugin wrangler  
```  
```  
pnpm add -D @cloudflare/vite-plugin wrangler  
```  
```  
bun add -d @cloudflare/vite-plugin wrangler  
```

  1. Add the Cloudflare plugin to your Vite config

**vite.config.ts**  
```ts  
import { defineConfig } from "vite";  
import { tanstackStart } from "@tanstack/react-start/plugin/vite";  
import viteReact from "@vitejs/plugin-react";  
import { cloudflare } from "@cloudflare/vite-plugin";  
export default defineConfig({  
  plugins: [  
    cloudflare({ viteEnvironment: { name: "ssr" } }),  
    tanstackStart(),  
    viteReact(),  
  ],  
});  
```

  1. Add your Worker config file

  * [  wrangler.jsonc ](#tab-panel-4871)
  * [  wrangler.toml ](#tab-panel-4872)

**JSONC**  
```jsonc  
{  
  "$schema": "./node_modules/wrangler/config-schema.json",  
  "name": "my-tanstack-start-app",  
  // Set this to today's date  
  "compatibility_date": "2026-07-01",  
  "compatibility_flags": [  
    "nodejs_compat"  
  ],  
  "main": "@tanstack/react-start/server-entry"  
}  
```

**TOML**  
```toml  
"$schema" = "./node_modules/wrangler/config-schema.json"  
name = "my-tanstack-start-app"  
# Set this to today's date  
compatibility_date = "2026-07-01"  
compatibility_flags = [ "nodejs_compat" ]  
main = "@tanstack/react-start/server-entry"  
```

  1. Modify the scripts in your `package.json`

**package.json**  
```json  
{  
  "scripts": {  
    "dev": "vite dev",  
    "build": "vite build && tsc --noEmit",  
    "start": "node .output/server/index.mjs",  
    "preview": "vite preview",  
    "deploy": "npm run build && wrangler deploy",  
    "cf-typegen": "wrangler types"  
  }  
}  
```  
See the [TanStack Start framework guide](https://developers.cloudflare.com/workers/framework-guides/web-apps/tanstack-start/) for more info.

Oct 23, 2025
1. ### [WAF Release - 2025-10-23 - Emergency](https://developers.cloudflare.com/changelog/post/2025-10-23-emergency-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
This week highlights enhancements to detection signatures improving coverage for vulnerabilities in Adobe Commerce and Magento Open Source, linked to CVE-2025-54236.

**Key Findings**  
This vulnerability allows unauthenticated attackers to take over customer accounts through the Commerce REST API and, in certain configurations, may lead to remote code execution. The latest update enhances detection logic to provide more resilient protection against exploitation attempts.

**Impact**  
Adobe Commerce (CVE-2025-54236): Exploitation may allow attackers to hijack sessions, execute arbitrary commands, steal data, and disrupt storefronts, resulting in confidentiality and integrity risks for merchants. Administrators are strongly encouraged to apply vendor patches without delay.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                 | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | ----------------------------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...c6ef59a1 | N/A            | Adobe Commerce - Remote Code Execution - CVE:CVE-2025-54236 | N/A             | Block      | This is a New Detection |

Oct 23, 2025
1. ### [Workers AI Markdown Conversion: New endpoint to list supported formats](https://developers.cloudflare.com/changelog/post/2025-10-23-new-markdown-conversion-endpoint/)  
[ Workers AI ](https://developers.cloudflare.com/workers-ai/)  
Developers can now programmatically retrieve a list of all file formats supported by the [Markdown Conversion utility](https://developers.cloudflare.com/workers-ai/features/markdown-conversion/) in Workers AI.  
You can use the [env.AI](https://developers.cloudflare.com/workers-ai/configuration/bindings/) binding:

**TypeScript**  
```typescript  
await env.AI.toMarkdown().supported()  
```  
Or call the REST API:  
```bash  
curl https://api.cloudflare.com/client/v4/accounts/{ACCOUNT_ID}/ai/tomarkdown/supported \
  -H 'Authorization: Bearer {API_TOKEN}'  
```  
Both return a list of file formats that users can convert into Markdown:  
```json  
[  
  {  
    "extension": ".pdf",  
    "mimeType": "application/pdf",  
  },  
  {  
    "extension": ".jpeg",  
    "mimeType": "image/jpeg",  
  },  
  ...  
]  
```  
Learn more about our [Markdown Conversion utility](https://developers.cloudflare.com/workers-ai/features/markdown-conversion/).

Oct 23, 2025
1. ### [Workers Preview URL default behavior now matches your workers.dev setting](https://developers.cloudflare.com/changelog/post/2025-10-23-preview-url-default-behavior/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
We have updated the default behavior for Cloudflare Workers [Preview URLs](https://developers.cloudflare.com/workers/configuration/previews/). **Going forward, if a preview URL setting is not [explicitly configured](https://developers.cloudflare.com/workers/configuration/previews/#toggle-preview-urls-enable-or-disable) during deployment, its default behavior will automatically match the setting of your [workers.dev subdomain](https://developers.cloudflare.com/workers/configuration/routing/workers-dev/).**  
This change is intended to provide a more intuitive and secure experience by aligning your preview URL's default state with your `workers.dev` configuration to prevent cases where a preview URL might remain public even after you disabled your `workers.dev` route.

**What this means for you:**

  * **If neither setting is configured:** both the workers.dev route and the preview URL will default to enabled
  * **If your workers.dev route is enabled and you do not explicitly set Preview URLs to enabled or disabled:** Preview URLs will default to enabled
  * **If your workers.dev route is disabled and you do not explicitly set Preview URLs to enabled or disabled:** Preview URLs will default to disabled  
You can override the default setting by explicitly enabling or disabling the preview URL in your Worker's configuration through the [API](https://developers.cloudflare.com/api/resources/workers/subresources/scripts/subresources/subdomain/), [Dashboard](https://developers.cloudflare.com/workers/configuration/previews/#from-the-dashboard), or [Wrangler](https://developers.cloudflare.com/workers/configuration/previews/#from-the-wrangler-configuration-file).

**Wrangler Version Behavior**  
The default behavior depends on the version of Wrangler you are using. This new logic applies to the latest version. Here is a summary of the behavior across different versions:

  * **Before v4.34.0:** Preview URLs defaulted to enabled, regardless of the workers.dev setting.
  * **v4.34.0 up to (but not including) v4.44.0:** Preview URLs defaulted to disabled, regardless of the workers.dev setting.
  * **v4.44.0 or later:** Preview URLs now default to matching your workers.dev setting.

**Why we’re making this change**  
In July, [we introduced preview URLs to Workers](https://developers.cloudflare.com/changelog/2025-07-23-workers-preview-urls/), which let you preview code changes before deploying to production. This made disabling your Worker’s workers.dev URL an ambiguous action — the preview URL, served as a subdomain of `workers.dev` (ex: `preview-id-worker-name.account-name.workers.dev`) would still be live even if you had disabled your Worker’s `workers.dev` route. If you misinterpreted what it meant to disable your `workers.dev` route, you might unintentionally leave preview URLs enabled when you didn’t mean to, and expose them to the public Internet.  
To address this, we made a [one-time update](https://developers.cloudflare.com/changelog/2025-09-17-update-preview-url-setting/) to disable preview URLs on existing Workers that had their workers.dev route disabled and changed the default behavior to be disabled for all new deployments where a preview URL setting was not explicitly configured.  
While this change helped secure many customers, it was disruptive for customers who keep their `workers.dev` route enabled and actively use the preview functionality, as it now required them to explicitly enable preview URLs on every redeployment.This new, more intuitive behavior ensures that your preview URL settings align with your `workers.dev` configuration by default, providing a more secure and predictable experience.

**Securing access to `workers.dev` and preview URL endpoints**  
To further secure your `workers.dev` subdomain and preview URL, you can [enable Cloudflare Access with a single click](https://developers.cloudflare.com/changelog/2025-10-03-one-click-access-for-workers/) in your Worker's settings to limit access to specific users or groups.

Oct 21, 2025
1. ### [New Robots.txt tab for tracking crawler compliance](https://developers.cloudflare.com/changelog/post/2025-10-21-track-robots-txt/)  
[ AI Crawl Control ](https://developers.cloudflare.com/ai-crawl-control/)  
AI Crawl Control now includes a **Robots.txt** tab that provides insights into how AI crawlers interact with your `robots.txt` files.  
#### What's new  
The Robots.txt tab allows you to:

  * Monitor the health status of `robots.txt` files across all your hostnames, including HTTP status codes, and identify hostnames that need a `robots.txt` file.
  * Track the total number of requests to each `robots.txt` file, with breakdowns of successful versus unsuccessful requests.
  * Check whether your `robots.txt` files contain [Content Signals ↗](https://contentsignals.org/) directives for AI training, search, and AI input.
  * Identify crawlers that request paths explicitly disallowed by your `robots.txt` directives, including the crawler name, operator, violated path, specific directive, and violation count.
  * Filter `robots.txt` request data by crawler, operator, category, and custom time ranges.  
#### Take action  
When you identify non-compliant crawlers, you can:

  * Block the crawler in the [Crawlers tab](https://developers.cloudflare.com/ai-crawl-control/features/manage-ai-crawlers/)
  * Create custom [WAF rules](https://developers.cloudflare.com/waf/) for path-specific security
  * Use [Redirect Rules](https://developers.cloudflare.com/rules/url-forwarding/) to guide crawlers to appropriate areas of your site  
To get started, go to **AI Crawl Control** \> **Robots.txt** in the Cloudflare dashboard. Learn more in the [Track robots.txt documentation](https://developers.cloudflare.com/ai-crawl-control/features/track-robots-txt/).

Oct 20, 2025
1. ### [Schedule DNS policies from the UI](https://developers.cloudflare.com/changelog/post/2025-10-20-schedule-dns-policies-from-the-ui/)  
[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)  
Admins can now create [scheduled DNS policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/dns-policies/timed-policies/) directly from the Zero Trust dashboard, without using the API. You can configure policies to be active during specific, recurring times, such as blocking social media during business hours or gaming sites on school nights.

  * **Preset Schedules**: Use built-in templates for common scenarios like Business Hours, School Days, Weekends, and more.
  * **Custom Schedules**: Define your own schedule with specific days and up to three non-overlapping time ranges per day.
  * **Timezone Control**: Choose to enforce a schedule in a specific timezone (for example, US Eastern) or based on the local time of each user.
  * **Combined with Duration**: Policies can have both a schedule and a duration. If both are set, the duration's expiration takes precedence.  
You can see the flow in the demo GIF:  
![Schedule DNS policies demo](https://developers.cloudflare.com/_astro/gateway-dns-scheduled-policies-ui.Cf4l1OTE_Z9szVM.webp)  
This update makes time-based DNS policies accessible to all Gateway customers, removing the technical barrier of the API.

Oct 20, 2025
1. ### [WAF Release - 2025-10-20](https://developers.cloudflare.com/changelog/post/2025-10-20-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
This week’s update introduces an enhanced rule that expands detection coverage for a critical vulnerability in Oracle E-Business Suite. It also improves an existing rule to provide more reliable coverage in request processing.

**Key Findings**  
New WAF rule deployed for Oracle E-Business Suite (CVE-2025-61882) to block unauthenticated attacker's network access via HTTP to compromise Oracle Concurrent Processing. If successfully exploited, this vulnerability may result in remote code execution.

**Impact**

  * Successful exploitation of CVE-2025-61882 allows unauthenticated attackers to execute arbitrary code remotely by chaining multiple weaknesses, enabling lateral movement into internal services, data exfiltration, and large-scale extortionware deployment within Oracle E-Business Suite environments.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                              | Previous Action | New Action | Comments                                                                                                    |
| -------------------------- | ----------- | -------------- | ------------------------------------------------------------------------ | --------------- | ---------- | ----------------------------------------------------------------------------------------------------------- |
| Cloudflare Managed Ruleset | ...2b4101ab | 100598A        | Remote Code Execution - Common Bash Bypass - Beta                        | Log             | Block      | This rule is merged into the original rule "Remote Code Execution - Common Bash Bypass" (ID: ...50cec478  ) |
| Cloudflare Managed Ruleset | ...a1118614 | 100916A        | Oracle E-Business Suite - Remote Code Execution - CVE:CVE-2025-61882 - 2 | Log             | Block      | This is a New Detection                                                                                     |
| Cloudflare Managed Ruleset | ...c22b51d3 | N/A            | HTTP Truncated                                                           | N/A             | Disabled   | This is a New Detection                                                                                     |

Oct 17, 2025
1. ### [On-Demand Security Report](https://developers.cloudflare.com/changelog/post/2025-10-16-on-demand-security-report/)  
[ Email security ](https://developers.cloudflare.com/cloudflare-one/email-security/)  
You can now generate on-demand security reports directly from the Cloudflare dashboard. This new feature provides a comprehensive overview of your email security posture, making it easier than ever to demonstrate the value of Cloudflare’s Email security to executives and other decision makers.  
These reports offer several key benefits:

  * **Executive Summary:** Quickly view the performance of Email security with a high-level executive summary.
  * **Actionable Insights:** Dive deep into trend data, breakdowns of threat types, and analysis of top targets to identify and address vulnerabilities.
  * **Configuration Transparency:** Gain a clear view of your policy, submission, and domain configurations to ensure optimal setup.
  * **Account Takeover Risks:** Get a snapshot of your M365 risky users (requires a Microsoft Entra ID P2 license and [M365 SaaS integration ↗](https://developers.cloudflare.com/cloudflare-one/integrations/cloud-and-saas/microsoft-365/)).  
![Report](https://developers.cloudflare.com/_astro/report.CbkPa8Jt_Z1xMpIx.webp)  
This feature is available across the following Email security packages:

  * **Advantage**
  * **Enterprise**
  * **Enterprise + PhishGuard**

Oct 17, 2025
1. ### [New Application Security reports (Closed Beta)](https://developers.cloudflare.com/changelog/post/2025-10-17-app-sec-reports/)  
[ Security Center ](https://developers.cloudflare.com/security-center/)  
Cloudflare's new **Application Security report**, currently in Closed Beta, is now available in the dashboard.  
[ Go to **Security reports** ](https://dash.cloudflare.com/?to=/:account/security-center/reports)  
The reports are generated monthly and provide cyber security insights trends for all of the Enterprise zones in your Cloudflare account.  
The reports also include an industry benchmark, comparing your cyber security landscape to peers in your industry.  
![Application Security report mock data](https://developers.cloudflare.com/_astro/2025-10-17-application-security-report-mock-data.Cz0-WuoX_15MbLt.webp)  
Learn more about the reports by referring to the [Security Reports documentation](https://developers.cloudflare.com/analytics/account-and-zone-analytics/app-security-reports/).  
Use the feedback survey link at the top of the page to help us improve the reports.  
![Application Security report survey](https://developers.cloudflare.com/_astro/2025-10-17-report-feedback-survey.DPmUlWh2_Z1nYBN6.webp)

Oct 17, 2025
1. ### [New detections released for WAF managed rulesets](https://developers.cloudflare.com/changelog/post/2025-10-17-emergency-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
This week we introduced several new detections across Cloudflare Managed Rulesets, expanding coverage for high-impact vulnerability classes such as SSRF, SQLi, SSTI, Reverse Shell attempts, and Prototype Pollution. These rules aim to improve protection against attacker-controlled payloads that exploit misconfigurations or unvalidated input in web applications.

**Key Findings**  
New detections added for multiple exploit categories:  
SSRF (Server-Side Request Forgery) — new rules targeting both local and cloud metadata abuse patterns (Beta).  
SQL Injection (SQLi) — rules for common patterns, sleep/time-based injections, and string/wait function exploitation across headers and URIs.  
SSTI (Server-Side Template Injection) — arithmetic-based probe detections introduced across URI, header, and body fields.  
Reverse Shell and XXE payloads — enhanced heuristics for command execution and XML external entity misuse.  
Prototype Pollution — new Beta rule identifying common JSON payload structures used in object prototype poisoning.  
PHP Wrapper Injection and HTTP Parameter Pollution detections — to catch path traversal and multi-parameter manipulation attempts.  
Anomaly Header Checks — detecting CRLF injection attempts in header names.

**Impact**  
These updates help detect multi-vector payloads that blend SSRF + RCE or SQLi + SSTI attacks, especially in cloud-hosted applications with exposed metadata endpoints or unsafe template rendering.  
Prototype Pollution and HTTP parameter pollution rules address emerging JavaScript supply-chain exploitation patterns increasingly seen in real-world incidents.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                          | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | ---------------------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...589f2a1d | N/A            | Anomaly:Header - name - CR, LF                       | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...132fab7e | N/A            | Generic Rules - Reverse Shell - Body                 | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...1a027008 | N/A            | Generic Rules - Reverse Shell - Header               | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...958d0486 | N/A            | Generic Rules - Reverse Shell - URI                  | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...8e0cf7ad | N/A            | Generic Rules - XXE - Body                           | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...bf8aab5e | N/A            | Generic Rules - SQLi - Common Patterns - Header URI  | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...2e466337 | N/A            | Generic Rules - SQLi - Sleep Function - Header URI   | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...b686ab47 | N/A            | Generic Rules - SQLi - String Function - Header URI  | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...b0633709 | N/A            | Generic Rules - SQLi - WaitFor Function - Header URI | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...01a076eb | N/A            | SSRF - Local - Beta                                  | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...743a63ec | N/A            | SSRF - Local - 2 - Beta                              | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...c2e84e2d | N/A            | SSRF - Cloud - Beta                                  | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...ab8af26f | N/A            | SSRF - Cloud - 2 - Beta                              | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...e6e8dc5b | N/A            | SSTI - Arithmetic Probe - URI                        | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...2550d794 | N/A            | SSTI - Arithmetic Probe - Header                     | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...659d12a6 | N/A            | SSTI - Arithmetic Probe - Body                       | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...1a3e521e | N/A            | PHP Wrapper Injection                                | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...8f76bd74 | N/A            | PHP Wrapper Injection                                | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...091e296d | N/A            | HTTP parameter pollution                             | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...e34214ef | N/A            | Prototype Pollution - Common Payloads - Beta         | N/A             | Disabled   | This is a New Detection |

Oct 16, 2025
1. ### [WARP client for Windows (version 2025.9.173.1)](https://developers.cloudflare.com/changelog/post/2025-10-16-warp-windows-beta/)  
[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)  
A new Beta release for the Windows WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).  
This release contains minor fixes, improvements, and new features including Path Maximum Transmission Unit Discovery (PMTUD). With PMTUD enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to debug connectivity issues.

**Changes and improvements**

  * Improvements for [Windows multi-user](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/deployment/mdm-deployment/windows-multiuser/) to maintain the [Global WARP override](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/settings/#disconnect-warp-on-all-devices) state when switching between users.
  * The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to debug connectivity issues.
  * Deleting registrations no longer returns an error when succeeding.
  * Path Maximum Transmission Unit Discovery (PMTUD) is now used to discover the effective MTU of the connection. This allows the client to improve connection performance optimized for the current network.

**Known issues**

  * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
  * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).
  * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
  * DNS resolution may be broken when the following conditions are all true:

    * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
    * A custom DNS server address is configured on the primary network adapter.
    * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
  To work around this issue, reconnect the WARP client by toggling off and back on.

Oct 16, 2025
1. ### [WARP client for macOS (version 2025.9.173.1)](https://developers.cloudflare.com/changelog/post/2025-10-16-warp-macos-beta/)  
[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)  
A new Beta release for the macOS WARP client is now available on the [beta releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/beta-releases/).  
This release contains minor fixes, improvements, and new features including Path Maximum Transmission Unit Discovery (PMTUD). With PMTUD enabled, the client will dynamically adjust packet sizing to optimize connection performance. There is also a new connection status message in the GUI to inform users that the local network connection may be unstable. This will make it easier to debug connectivity issues.

**Changes and improvements**

  * The GUI now displays the health of the tunnel and DNS connections by showing a connection status message when the network may be unstable. This will make it easier to debug connectivity issues.
  * Deleting registrations no longer returns an error when succeeding.
  * Path Maximum Transmission Unit Discovery (PMTUD) is now used to discover the effective MTU of the connection. This allows the client to improve connection performance optimized for the current network.

**Known issues**

  * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
  * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

Oct 16, 2025
1. ### [View and edit Durable Object data in UI with Data Studio (Beta)](https://developers.cloudflare.com/changelog/post/2025-10-16-durable-objects-data-studio/)  
[ Durable Objects ](https://developers.cloudflare.com/durable-objects/)[ Workers ](https://developers.cloudflare.com/workers/)  
![Screenshot of Durable Objects Data Studio](https://developers.cloudflare.com/_astro/do-data-studio.BfCcgtkq_Z4LLzm.webp)  
You can now view and write to each Durable Object's storage using a UI editor on the Cloudflare dashboard. Only Durable Objects using [SQLite storage](https://developers.cloudflare.com/durable-objects/best-practices/access-durable-objects-storage/#create-sqlite-backed-durable-object-class) can use Data Studio.  
[ Go to **Durable Objects** ](https://dash.cloudflare.com/?to=/:account/workers/durable-objects)  
Data Studio unlocks easier data access with Durable Objects for prototyping application data models to debugging production storage usage. Before, querying your Durable Objects data required deploying a Worker.  
To access a Durable Object, you can provide an object's unique name or ID generated by Cloudflare. Data Studio requires you to have at least the `Workers Platform Admin` role, and all queries are captured with audit logging for your security and compliance needs. Queries executed by Data Studio send requests to your remote, deployed objects and incur normal usage billing.  
To learn more, visit the Data Studio [documentation](https://developers.cloudflare.com/durable-objects/observability/data-studio/). If you have feedback or suggestions for the new Data Studio, please share your experience on [Discord ↗](https://discord.com/channels/595317990191398933/773219443911819284)

Oct 16, 2025
1. ### [Increased HTTP header size limit to 128 KB](https://developers.cloudflare.com/changelog/post/2025-10-16-header-limit-increase/)  
[ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)  
#### CDN now supports 128 KB request and response headers 🚀  
We're excited to announce a significant increase in the maximum header size supported by Cloudflare's Content Delivery Network (CDN). Cloudflare now supports up to **128 KB** for both **request and response headers**.  
Previously, customers were limited to a total of 32 KB for request or response headers, with a maximum of 16 KB per individual header. Larger headers could cause requests to fail with `HTTP 413` (Request Header Fields Too Large) errors.

---  
#### What's new?

  * **Support for large headers:** You can now utilize much larger headers, whether as a single large header up to 128 KB or split over multiple headers.
  * **Reduces `413` and `520` HTTP errors:** This change drastically reduces the likelihood of customers encountering `HTTP 413` errors from large request headers or `HTTP 520` errors caused by oversized response headers, improving the overall reliability of your web applications.
  * **Enhanced functionality:** This is especially beneficial for applications that rely on:  
    * A large number of cookies.
    * Large Content-Security-Policy (CSP) response headers.
    * Advanced use cases with Cloudflare Workers that generate large response headers.  
This enhancement improves compatibility with Cloudflare's CDN, enabling more use cases that previously failed due to header size limits.

---  
To learn more and get started, refer to the [Cloudflare Fundamentals documentation](https://developers.cloudflare.com/fundamentals/reference/connection-limits/#request-limits).

Oct 16, 2025
1. ### [Monitor Groups for Advanced Health Checking With Load Balancing](https://developers.cloudflare.com/changelog/post/2025-08-15-monitor-groups-for-load-balancing/)  
[ Load Balancing ](https://developers.cloudflare.com/load-balancing/)  
Cloudflare Load Balancing now supports Monitor Groups, a powerful new way to combine multiple health monitors into a single, logical group. This allows you to create sophisticated health checks that more accurately reflect the true availability of your applications by assessing multiple services at once.  
With Monitor Groups, you can ensure that all critical components of an application are healthy before sending traffic to an origin pool, enabling smarter failover decisions and greater resilience. This feature is now available via the API for customers with an Enterprise Load Balancing subscription.  
#### What you can do:

  * **Combine Multiple Monitors**: Group different health monitors (for example, HTTP, TCP) that check various application components, like a primary API gateway and a specific `/login` service.
  * **Isolate Monitors for Observation**: Mark a monitor as "monitoring only" to receive alerts and data without it affecting a pool's health status or traffic steering. This is perfect for testing new checks or observing non-critical dependencies.
  * **Improve Steering Intelligence**: Latency for Dynamic Steering is automatically averaged across all active monitors in a group, providing a more holistic view of an origin's performance.  
This enhancement is ideal for complex, multi-service applications where the health of one component depends on another. By aggregating health signals, Monitor Groups provide a more accurate and comprehensive assessment of your application's true status.  
For detailed information and API configuration guides, please visit our [developer documentation](https://developers.cloudflare.com/load-balancing/monitors/monitor-groups) for Monitor Groups.

```json
{"@context":"https://schema.org","@type":"BlogPosting","@id":"https://developers.cloudflare.com/changelog/23/#page","headline":"Changelogs | Cloudflare Docs","url":"https://developers.cloudflare.com/changelog/23/","inLanguage":"en","image":"https://developers.cloudflare.com/cf-twitter-card.png","publisher":{"@type":"Organization","name":"Cloudflare","url":"https://www.cloudflare.com/"},"isPartOf":{"@type":"WebSite","@id":"https://developers.cloudflare.com/#website","name":"Cloudflare Docs","url":"https://developers.cloudflare.com/"}}
```
