---
title: Changelogs
image: https://developers.cloudflare.com/cf-twitter-card.png
---

> Documentation Index  
> Fetch the complete documentation index at: https://developers.cloudflare.com/changelog/llms.txt  
> Use this file to discover all available pages before exploring further. 

[Skip to content](#%5Ftop) 

# Changelog

New updates and improvements at Cloudflare.

[ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/index.xml) [ View RSS feeds ](https://developers.cloudflare.com/fundamentals/new-features/available-rss-feeds/) 

All products

![hero image](https://developers.cloudflare.com/_astro/hero.CVYJHPAd_26AMqX.svg) 

Oct 14, 2025
1. ### [Enhanced AI Crawl Control metrics with new drilldowns and filters](https://developers.cloudflare.com/changelog/post/2025-10-14-enhanced-metrics-drilldowns/)  
[ AI Crawl Control ](https://developers.cloudflare.com/ai-crawl-control/)  
AI Crawl Control now provides enhanced metrics and CSV data exports to help you better understand AI crawler activity across your sites.  
#### What's new  
#### Track crawler requests over time  
Visualize crawler activity patterns over time, and group data by different dimensions:

  * **By Crawler** — Track activity from individual AI crawlers (GPTBot, ClaudeBot, Bytespider)
  * **By Category** — Analyze crawler purpose or type
  * **By Operator** — Discover which companies (OpenAI, Anthropic, ByteDance) are crawling your site
  * **By Host** — Break down activity across multiple subdomains
  * **By Status Code** — Monitor HTTP response codes to crawlers (200s, 300s, 400s, 500s)  
![AI Crawl Control requests over time chart with grouping tabs](https://developers.cloudflare.com/_astro/ai-crawl-control-requests-over-time.BtRyz0OT_ZpotRm.webp "Interactive chart showing crawler requests over time with filterable dimensions")  
Interactive chart showing crawler requests over time with filterable dimensions  
#### Analyze referrer data (Paid plans)  
Identify traffic sources with referrer analytics:

  * View top referrers driving traffic to your site
  * Understand discovery patterns and content popularity from AI operators  
![AI Crawl Control top referrers breakdown](https://developers.cloudflare.com/_astro/ai-crawl-control-top-referrers.CEUAwpd8_YrhT4.webp "Bar chart showing top referrers and their respective traffic volumes")  
Bar chart showing top referrers and their respective traffic volumes  
#### Export data  
Download your filtered view as a CSV:

  * Includes all applied filters and groupings
  * Useful for custom reporting and deeper analysis  
#### Get started

  1. Log in to the Cloudflare dashboard, and select your account and domain.
  2. Go to **AI Crawl Control** \> **Metrics**.
  3. Use the grouping tabs to explore different views of your data.
  4. Apply filters to focus on specific crawlers, time ranges, or response codes.
  5. Select **Download CSV** to export your filtered data for further analysis.  
Learn more about [AI Crawl Control](https://developers.cloudflare.com/ai-crawl-control).

Oct 14, 2025
1. ### [Single sign-on now manageable in the user experience](https://developers.cloudflare.com/changelog/post/2025-10-14-sso-self-service-ux/)  
[ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)  
![Screenshot of new user experience for managing SSO](https://developers.cloudflare.com/_astro/2025-10-14-sso-configuration-ux.DLkIKSax_Z3pbMD.webp)  
During Birthday Week, we announced that [single sign-on (SSO) is available for free ↗](https://blog.cloudflare.com/enterprise-grade-features-for-all/) to everyone who signs in with a custom email domain and maintains a compatible [identity provider ↗](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/). SSO minimizes user friction around login and provides the strongest security posture available. At the time, this could only be configured using the API.  
Today, we are launching a new user experience which allows users to manage their SSO configuration from within the Cloudflare dashboard. You can access this by going to **Manage account** \> **Members** \> **Settings**.  
#### For more information

  * [Cloudflare dashboard SSO](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/)

Oct 13, 2025
1. ### [WAF Release - 2025-10-13](https://developers.cloudflare.com/changelog/post/2025-10-13-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
This week’s highlights include a new JinJava rule targeting a sandbox-bypass flaw that could allow malicious template input to escape execution controls. The rule improves detection for unsafe template rendering paths.

**Key Findings**  
New WAF rule deployed for JinJava (CVE-2025-59340) to block a sandbox bypass in the template engine that permits attacker-controlled type construction and arbitrary class instantiation; in vulnerable environments this can escalate to remote code execution and full server compromise.

**Impact**

  * CVE-2025-59340 — Exploitation enables attacker-supplied type descriptors / Jackson `ObjectMapper` abuse, allowing arbitrary class loading, file/URL access (LFI/SSRF primitives) and, with suitable gadget chains, potential remote code execution and system compromise.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                         | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | ----------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...c04bab5f | 100892         | JinJava - SSTI - CVE:CVE-2025-59340 | Log             | Block      | This is a New Detection |

Oct 10, 2025
1. ### [New domain categories added](https://developers.cloudflare.com/changelog/post/2025-10-10-new-domain-categories/)  
[ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/)  
We have added three new domain categories under the Technology parent category, to better reflect online content and improve DNS filtering.

**New categories added**

| Parent ID | Parent Name | Category ID | Category Name       |
| --------- | ----------- | ----------- | ------------------- |
| 26        | Technology  | 194         | Keep Awake Software |
| 26        | Technology  | 192         | Remote Access       |
| 26        | Technology  | 193         | Shareware/Freeware  |  
Refer to [Gateway domain categories](https://developers.cloudflare.com/cloudflare-one/traffic-policies/domain-categories/) to learn more.

Oct 10, 2025
1. ### [Worker startup time limit increased to 1 second](https://developers.cloudflare.com/changelog/post/2025-10-10-increased-startup-time/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
You can now upload a Worker that takes up 1 second to parse and execute its global scope. Previously, startup time was limited to 400 ms.  
This allows you to run Workers that import more complex packages and execute more code prior to requests being handled.  
For more information, see the documentation on [Workers startup limits](https://developers.cloudflare.com/workers/platform/limits/#worker-startup-time).

Oct 09, 2025
1. ### [Expanded CT log activity insights on Cloudflare Radar](https://developers.cloudflare.com/changelog/post/2025-10-09-radar-ct-log-activity-insights/)  
[ Radar ](https://developers.cloudflare.com/radar/)  
[**Radar**](https://developers.cloudflare.com/radar/) has expanded its Certificate Transparency (CT) log insights with new stats that provide greater visibility into log activity:

  * **Log growth rate**: The average throughput of the CT log over the past 7 days, measured in certificates per hour.
  * **Included certificate count**: The total number of certificates already included in this CT log.
  * **Eligible-for-inclusion certificate count**: The number of certificates eligible for inclusion in this log but not yet included. This metric is based on certificates signed by trusted root CAs within the log’s accepted date range.
  * **Last update**: The timestamp of the most recent update to the CT log.  
These new statistics have been added to the response of the [Get Certificate Log Details](https://developers.cloudflare.com/api/resources/radar/subresources/ct/subresources/logs/methods/get/) API endpoint, and are displayed on the [CT log information page ↗](https://radar.cloudflare.com/certificate-transparency/log/nimbus2025#log-activity).  
![Screenshot of the CT log activity card on the CT log information page](https://developers.cloudflare.com/_astro/ct-log-activity.GHD-K7Mk_Z1eNOXK.webp)

Oct 09, 2025
1. ### [You can now deploy full-stack apps on Workers using Terraform](https://developers.cloudflare.com/changelog/post/2025-10-09-assets-terraform/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
You can now upload Workers with [static assets](https://developers.cloudflare.com/workers/static-assets/) (like HTML, CSS, JavaScript, images) with the [Cloudflare Terraform provider v5.11.0 ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/5.11.0/docs), making it even easier to deploy and manage full-stack apps with IaC.

**Previously**, you couldn't use Terraform to upload static assets without writing custom scripts to handle generating an [asset manifest](https://developers.cloudflare.com/workers/static-assets/direct-upload/#upload-manifest), calling the [Cloudflare API to upload assets in chunks](https://developers.cloudflare.com/workers/static-assets/direct-upload/#upload-static-assets), and handling change detection.

**Now**, you simply define the directory where your assets are built, and we handle the rest. Check out the [examples](https://developers.cloudflare.com/changelog/#examples) for what this looks like in Terraform configuration.  
You can get started today with [the Cloudflare Terraform provider (v5.11.0) ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/5.11.0/docs), using either the existing [cloudflare\_workers\_script resource ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/workers%5Fscript), or the beta [cloudflare\_worker\_version resource ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/worker%5Fversion).  
#### Examples  
#### With `cloudflare_workers_script`  
Here's how you can use the existing [cloudflare\_workers\_script ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/5.11.0/docs/resources/workers%5Fscript) resource to upload your Worker code and assets in one shot.  
```hcl  
resource "cloudflare_workers_script" "my_app" {  
  account_id  = var.account_id  
  script_name = "my-app"  
  content_file   = "./dist/worker/index.js"  
  content_sha256 = filesha256("./dist/worker/index.js")  
  main_module    = "index.js"  
  # Just point to your assets directory - that's it!  
  assets = {  
    directory = "./dist/static"  
  }  
}  
```  
#### With `cloudflare_worker`, `cloudflare_worker_version`, and `cloudflare_workers_deployment`  
And here's an example using the beta [cloudflare\_worker\_version ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/5.11.0/docs/resources/worker%5Fversion) resource, alongside the [cloudflare\_worker ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/worker) and [cloudflare\_workers\_deployment ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/5.11.0/docs/resources/workers%5Fdeployment) resources:  
```hcl  
# This tracks the existence of your Worker, so that you  
# can upload code and assets separately from tracking Worker state.  
resource "cloudflare_worker" "my_app" {  
  account_id = var.account_id  
  name       = "my-app"  
}  
resource "cloudflare_worker_version" "my_app_version" {  
  account_id = var.account_id  
  worker_id  = cloudflare_worker.my_app.id  
  # Just point to your assets directory - that's it!  
  assets = {  
    directory = "./dist/static"  
  }  
  modules = [{  
    name         = "index.js"  
    content_file = "./dist/worker/index.js"  
    content_type = "application/javascript+module"  
  }]  
}  
resource "cloudflare_workers_deployment" "my_app_deployment" {  
  account_id  = var.account_id  
  script_name = cloudflare_worker.my_app.name  
  strategy = "percentage"  
  versions = [{  
    version_id = cloudflare_worker_version.my_app_version.id  
    percentage = 100  
  }]  
}  
```  
#### What's changed  
Under the hood, the Cloudflare Terraform provider now handles the same logic that Wrangler uses for static asset uploads. This includes scanning your assets directory, computing hashes for each file, generating a manifest with file metadata, and calling the Cloudflare API to upload any missing files in chunks. We support large directories with parallel uploads and chunking, and when the asset manifest hash changes, we detect what's changed and trigger an upload for _only_ those changed files.  
#### Try it out

  * Get started with [the Cloudflare Terraform provider (v5.11.0) ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/5.11.0/docs)
  * You can use either the existing [cloudflare\_workers\_script resource ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/workers%5Fscript) to upload your Worker code and assets in one resource.
  * Or you can use the new beta [cloudflare\_worker\_version resource ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/worker%5Fversion) (along with the [cloudflare\_worker ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/worker) and [cloudflare\_workers\_deployment ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/5.11.0/docs/resources/workers%5Fdeployment)) resources to more granularly control the lifecycle of each Worker resource.

Oct 09, 2025
1. ### [You can now deploy and manage Workflows in Terraform](https://developers.cloudflare.com/changelog/post/2025-10-09-workflows-terraform/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
You can now create and manage [Workflows](https://developers.cloudflare.com/workflows/) using Terraform, now supported in the [Cloudflare Terraform provider v5.11.0 ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/workflow). Workflows allow you to build durable, multi-step applications -- without needing to worry about retrying failed tasks or managing infrastructure.  
Now, you can deploy and manage Workflows through Terraform using the new [cloudflare\_workflow resource ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/workflow):  
```hcl  
resource "cloudflare_workflow" "my_workflow" {  
  account_id    = var.account_id  
  workflow_name = "my-workflow"  
  class_name    = "MyWorkflow"  
  script_name   = "my-worker"  
}  
```  
#### Examples  
Here are full examples of how to configure `cloudflare_workflow` in Terraform, using the existing [cloudflare\_workers\_script resource ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/workers%5Fscript), and the beta [cloudflare\_worker\_version resource ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/worker%5Fversion).  
#### With `cloudflare_workflow` and `cloudflare_workers_script`  
```hcl  
resource "cloudflare_workers_script" "workflow_worker" {  
  account_id  = var.cloudflare_account_id  
  script_name = "my-workflow-worker"  
  content_file   = "${path.module}/../dist/worker/index.js"  
  content_sha256 = filesha256("${path.module}/../dist/worker/index.js")  
  main_module    = "index.js"  
}  
resource "cloudflare_workflow" "workflow" {  
  account_id    = var.cloudflare_account_id  
  workflow_name = "my-workflow"  
  class_name    = "MyWorkflow"  
  script_name   = cloudflare_workers_script.workflow_worker.script_name  
}  
```  
#### With `cloudflare_workflow`, and the new beta resources  
You can more granularly control the lifecycle of each Worker resource using the beta [cloudflare\_worker\_version ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/5.11.0/docs/resources/worker%5Fversion) resource, alongside the [cloudflare\_worker ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/worker) and [cloudflare\_workers\_deployment ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/5.11.0/docs/resources/workers%5Fdeployment) resources.  
```hcl  
resource "cloudflare_worker" "workflow_worker" {  
  account_id = var.cloudflare_account_id  
  name       = "my-workflow-worker"  
}  
resource "cloudflare_worker_version" "workflow_worker_version" {  
  account_id = var.cloudflare_account_id  
  worker_id  = cloudflare_worker.workflow_worker.id  
  main_module         = "index.js"  
  modules = [{  
    name         = "index.js"  
    content_file = "${path.module}/../dist/worker/index.js"  
    content_type = "application/javascript+module"  
  }]  
}  
resource "cloudflare_workers_deployment" "workflow_deployment" {  
  account_id  = var.cloudflare_account_id  
  script_name = cloudflare_worker.workflow_worker.name  
  strategy = "percentage"  
  versions = [{  
    version_id = cloudflare_worker_version.workflow_worker_version.id  
    percentage = 100  
  }]  
}  
resource "cloudflare_workflow" "my_workflow" {  
  account_id    = var.cloudflare_account_id  
  workflow_name = "my-workflow"  
  class_name    = "MyWorkflow"  
  script_name   = cloudflare_worker.workflow_worker.name  
}  
```  
#### Try it out

  * Get started with [the Cloudflare Terraform provider (v5.11.0) ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/5.11.0/docs) and the new [cloudflare\_workflow resource ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/workflow).

Oct 07, 2025
1. ### [WARP client for Linux (version 2025.8.779.0)](https://developers.cloudflare.com/changelog/post/2025-10-07-warp-linux-ga/)  
[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)  
A new GA release for the Linux WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).  
This release contains significant fixes and improvements including an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025\. Instructions to make this update are available at [pkg.cloudflareclient.com](https://pkg.cloudflareclient.com/).

**Changes and improvements**

  * [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCK5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases.
  * The MASQUE protocol is now the only protocol that can use [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode). If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity.

**Known issues**

  * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

Oct 07, 2025
1. ### [WARP client for Windows (version 2025.8.779.0)](https://developers.cloudflare.com/changelog/post/2025-10-07-warp-windows-ga/)  
[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)  
A new GA release for the Windows WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).  
This release contains significant fixes and improvements.

**Changes and improvements**

  * [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCK5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases.
  * The MASQUE protocol is now the only protocol that can use [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode). If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity.

**Known issues**

  * For Windows 11 24H2 users, Microsoft has confirmed a regression that may lead to performance issues like mouse lag, audio cracking, or other slowdowns. Cloudflare recommends users experiencing these issues upgrade to a minimum [Windows 11 24H2 KB5062553](https://support.microsoft.com/en-us/topic/july-8-2025-kb5062553-os-build-26100-4652-523e69cb-051b-43c6-8376-6a76d6caeefd) or higher for resolution.
  * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).
  * Devices with KB5055523 installed may receive a warning about `Win32/ClickFix.ABA` being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to [version 1.429.19.0](https://www.microsoft.com/en-us/wdsi/definitions/antimalware-definition-release-notes?requestVersion=1.429.19.0) or later.
  * DNS resolution may be broken when the following conditions are all true:

    * WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
    * A custom DNS server address is configured on the primary network adapter.
    * The custom DNS server address on the primary network adapter is changed while WARP is connected.  
  To work around this issue, reconnect the WARP client by toggling off and back on.

Oct 07, 2025
1. ### [WARP client for macOS (version 2025.8.779.0)](https://developers.cloudflare.com/changelog/post/2025-10-07-warp-macos-ga/)  
[ Cloudflare One Client ](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/)  
A new GA release for the macOS WARP client is now available on the [stable releases downloads page](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/download/).  
This release contains significant fixes and improvements.

**Changes and improvements**

  * [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode) has been enhanced for even faster resolution. Proxy mode now supports SOCKS4, SOCK5, and HTTP CONNECT over an L4 tunnel with custom congestion control optimizations instead of the previous L3 tunnel to Cloudflare's network. This has more than doubled Proxy mode throughput in lab speed testing, by an order of magnitude in some cases.
  * The MASQUE protocol is now the only protocol that can use [Proxy mode](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/modes/#local-proxy-mode). If you previously configured a device profile to use Proxy mode with Wireguard, you will need to select a new WARP mode or switch to the MASQUE protocol. Otherwise, all devices matching the profile will lose connectivity.

**Known issues**

  * macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.
  * Devices using WARP client 2025.4.929.0 and up may experience Local Domain Fallback failures if a fallback server has not been configured. To configure a fallback server, refer to [Route traffic to fallback server](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/configure/route-traffic/local-domains/#route-traffic-to-fallback-server).

Oct 07, 2025
1. ### [Automated reminders for backup codes](https://developers.cloudflare.com/changelog/post/2025-10-07-recovery-codes/)  
[ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)  
The most common reason users contact Cloudflare support is lost two-factor authentication (2FA) credentials. Cloudflare supports both app-based and hardware keys for 2FA, but you could lose access to your account if you lose these. Over the past few weeks, we have been rolling out email and in-product reminders that remind you to also download backup codes (sometimes called recovery keys) that can get you back into your account in the event you lose your 2FA credentials. Download your backup codes now by logging into Cloudflare, then navigating to **Profile** \> **Security & Authentication** \> **Backup codes**.  
#### Sign-in security best practices  
Cloudflare is critical infrastructure, and you should protect it as such. Please review the following best practices and make sure you are doing your part to secure your account.

  * Use a unique password for every website, including Cloudflare, and store it in a password manager like 1Password or Keeper. These services are cross-platform and simplify the process of managing secure passwords.
  * Use 2FA to make it harder for an attacker to get into your account in the event your password is leaked
  * Store your backup codes securely. A password manager is the best place since it keeps the backup codes encrypted, but you can also print them and put them somewhere safe in your home.
  * If you use an app to manage your 2FA keys, enable cloud backup, so that you don't lose your keys in the event you lose your phone.
  * If you use a custom email domain to sign in, [configure SSO ↗](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/).
  * If you use a public email domain like Gmail or Hotmail, you can also use social login with Apple, GitHub, or Google to sign in.
  * If you manage a Cloudflare account for work:  
    * Have at least two administrators in case one of them unexpectedly leaves your company
    * Use SCIM to automate permissions management for members in your Cloudflare account

Oct 07, 2025
1. ### [WAF Release - 2025-10-07 - Emergency](https://developers.cloudflare.com/changelog/post/2025-10-07-emergency-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
This week highlights multiple critical Cisco vulnerabilities (CVE-2025-20363, CVE-2025-20333, CVE-2025-20362). This flaw stems from improper input validation in HTTP(S) requests. An authenticated VPN user could send crafted requests to execute code as root, potentially compromising the device. The initial two rules were made available on September 28, with a third rule added today, October 7, for more robust protection.

  * Cisco (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363): Multiple vulnerabilities that could allow attackers to exploit unsafe deserialization and input validation flaws. Successful exploitation may result in arbitrary code execution, privilege escalation, or command injection on affected systems.

**Impact**  
Cisco (CVE-2025-20333, CVE-2025-20362, CVE-2025-20363): Exploitation enables attackers to escalate privileges or achieve remote code execution via command injection. Administrators are strongly advised to apply vendor updates immediately.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                                                                                            | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | -------------------------------------------------------------------------------------------------------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...3a4d1bd6 | 100788B        | Cisco Secure Firewall Adaptive Security Appliance - Remote Code Execution - CVE:CVE-2025-20333, CVE:CVE-2025-20362, CVE:CVE-2025-20363 | N/A             | Block      | This is a New Detection |

Oct 07, 2025
1. ### [New Overview Page for Cloudflare Workers](https://developers.cloudflare.com/changelog/post/2025-10-06-new-worker-overview-page/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
![Screenshot of the Workers overview page in the Cloudflare dashboard](https://developers.cloudflare.com/_astro/workers-overview.BM_exs4R_IaSn9.webp)  
Each of your Workers now has a new overview page in the Cloudflare dashboard.  
The goal is to make it easier to understand your Worker without digging through multiple tabs. Think of it as a new home base, a place to get a high-level overview on what's going on.  
It's the first place you land when you open a Worker in the dashboard, and it gives you an immediate view of what’s going on. You can see requests, errors, and CPU time at a glance. You can view and add bindings, and see recent versions of your app, including who published them.  
Navigation is also simpler, with visually distinct tabs at the top of the page. At the bottom right you'll find guided steps for what to do next that are based on the state of your Worker, such as adding a [binding](https://developers.cloudflare.com/workers/runtime-apis/bindings/) or connecting a custom domain.  
We plan to add more here over time. Better insights, more controls, and ways to manage your Worker from one page.  
If you have feedback or suggestions for the new Overview page or your Cloudflare Workers experience in general, we'd love to hear from you. Join the Cloudflare developer community on [Discord ↗](https://discord.com/channels/595317990191398933/1064502845061210152).

Oct 06, 2025
1. ### [R2 Data Catalog table-level compaction](https://developers.cloudflare.com/changelog/post/2025-10-06-data-catalog-table-compaction/)  
[ R2 ](https://developers.cloudflare.com/r2/)  
You can now enable compaction for individual [Apache Iceberg ↗](https://iceberg.apache.org/) tables in [R2 Data Catalog](https://developers.cloudflare.com/r2/data-catalog/), giving you fine-grained control over different workloads.  
```bash  
# Enable compaction for a specific table (no token required)  
npx wrangler r2 bucket catalog compaction enable <BUCKET> <NAMESPACE> <TABLE> --target-size 256  
```  
This allows you to:

  * Apply different target file sizes per table
  * Disable compaction for specific tables
  * Optimize based on table-specific access patterns  
Learn more at [Manage catalogs](https://developers.cloudflare.com/r2/data-catalog/manage-catalogs/).

Oct 06, 2025
1. ### [Browser Support Detection for PQ Encryption on Cloudflare Radar](https://developers.cloudflare.com/changelog/post/2025-10-06-radar-pq-encryption-test/)  
[ Radar ](https://developers.cloudflare.com/radar/)  
[**Radar**](https://developers.cloudflare.com/radar/) now includes browser detection for Post-quantum (PQ) encryption. The [Post-quantum encryption card ↗](https://radar.cloudflare.com/adoption-and-usage#post-quantum-encryption) now checks whether a user’s browser supports post-quantum encryption. If support is detected, information about the key agreement in use is displayed.  
![Screenshot of the PQ encryption browser support test on the Adoption & Usage page](https://developers.cloudflare.com/_astro/pq-encryption-test.gx_uoaMX_1GpnR5.webp)

Oct 06, 2025
1. ### [WAF Release - 2025-10-06](https://developers.cloudflare.com/changelog/post/2025-10-06-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  
This week’s highlights prioritise an emergency Oracle E-Business Suite RCE rule deployed to block active, high-impact exploitation. Also addressed are high-severity Chaos Mesh controller command-injection flaws that enable unauthenticated in-cluster RCE and potential cluster compromise, plus a form-data multipart boundary issue that permits HTTP Parameter Pollution (HPP). Two new generic SQLi detections were added to catch inline-comment obfuscation and information disclosure techniques.

**Key Findings**

  * New emergency rule released for Oracle E-Business Suite (CVE-2025-61882) addressing an actively exploited remote code execution vulnerability in core business application modules. Immediate mitigation deployed to protect enterprise workloads.
  * Chaos Mesh (CVE-2025-59358,CVE-2025-59359,CVE-2025-59360,CVE-2025-59361): A GraphQL debug endpoint on the Chaos Controller Manager is exposed without authentication; several controller mutations (`cleanTcs`, `killProcesses`, `cleanIptables`) are vulnerable to OS command injection.
  * Form-Data (CVE-2025-7783): Attackers who can observe `Math.random()` outputs and control request fields in form-data may exploit this flaw to perform HTTP parameter pollution, leading to request tampering or data manipulation.
  * Two new generic SQLi detections added to enhance baseline coverage against inline-comment obfuscation and information disclosure attempts.

**Impact**

  * CVE-2025-61882 — Oracle E-Business Suite remote code execution (emergency detection): attacker-controlled input can yield full system compromise, data exfiltration, and operational outage; immediate blocking enforced.
  * CVE-2025-59358 / CVE-2025-59359 / CVE-2025-59360 / CVE-2025-59361 — Unauthenticated command-injection in Chaos Mesh controllers allowing remote code execution, cluster compromise, and service disruption (high availability risk).
  * CVE-2025-7783 — Predictable multipart boundaries in form-data enabling HTTP Parameter Pollution; results include request tampering, parameter overwrite, and downstream data integrity loss.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                                                          | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | -------------------------------------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...8650f52f | 100882         | Chaos Mesh - Missing Authentication - CVE:CVE-2025-59358             | Log             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...2b8c3680 | 100883         | Chaos Mesh - Command Injection - CVE:CVE-2025-59359                  | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...ef859a04 | 100884         | Chaos Mesh - Command Injection - CVE:CVE-2025-59361                  | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...961f26a7 | 100886         | Form-Data - Parameter Pollution - CVE:CVE-2025-7783                  | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...26a4074c | 100888         | Chaos Mesh - Command Injection - CVE:CVE-2025-59360                  | Log             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...31101b2f | 100916         | Oracle E-Business Suite - Remote Code Execution - CVE:CVE-2025-61882 | N/A             | Block      | This is a New Detection |
| Cloudflare Managed Ruleset | ...29aa43c3 | 100917         | Generic Rules - SQLi - Inline Comment Injection                      | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...73c10b6f | 100918         | Generic Rules - SQLi - Information Disclosure                        | N/A             | Disabled   | This is a New Detection |

Oct 03, 2025
1. ### [WAF Release - 2025-10-03](https://developers.cloudflare.com/changelog/post/2025-10-03-waf-release/)  
[ WAF ](https://developers.cloudflare.com/waf/)  

**Managed Ruleset Updated**  
This update introduces 21 new detections in the Cloudflare Managed Ruleset (all currently set to Disabled mode to preserve remediation logic and allow quick activation if needed). The rules cover a broad spectrum of threats - SQL injection techniques, command and code injection, information disclosure of common files, URL anomalies, and cross-site scripting.

| Ruleset                    | Rule ID     | Legacy Rule ID | Description                             | Previous Action | New Action | Comments                |
| -------------------------- | ----------- | -------------- | --------------------------------------- | --------------- | ---------- | ----------------------- |
| Cloudflare Managed Ruleset | ...d61fac74 | 100902         | Generic Rules - Command Execution - 2   | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...514aeeb8 | 100908         | Generic Rules - Command Execution - 3   | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...8d46a6f4 | 100910         | Generic Rules - Command Execution - 4   | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...1bd0a329 | 100915         | Generic Rules - Command Execution - 5   | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...5e51450a | 100899         | Generic Rules - Content-Type Abuse      | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...7996012f | 100914         | Generic Rules - Content-Type Injection  | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...93209312 | 100911         | Generic Rules - Cookie Header Injection | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...0f373b3f | 100905         | Generic Rules - NoSQL Injection         | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...78a0ed04 | 100913         | Generic Rules - NoSQL Injection - 2     | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...5d649624 | 100907         | Generic Rules - Parameter Pollution     | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...fd1c674e | 100906         | Generic Rules - PHP Object Injection    | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...34c88168 | 100904         | Generic Rules - Prototype Pollution     | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...3ab43f7e | 100897         | Generic Rules - Prototype Pollution 2   | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...0d94ee22 | 100903         | Generic Rules - Reverse Shell           | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...d5add8e3 | 100909         | Generic Rules - Reverse Shell - 2       | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...565c78b0 | 100898         | Generic Rules - SSJI NoSQL              | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...12b837a0 | 100896         | Generic Rules - SSRF                    | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...11c4fb00 | 100895         | Generic Rules - Template Injection      | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...d3ed0123 | 100895A        | Generic Rules - Template Injection - 2  | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...7501a1d9 | 100912         | Generic Rules - XXE                     | N/A             | Disabled   | This is a New Detection |
| Cloudflare Managed Ruleset | ...dc55cdb6 | 100900         | Relative Paths - Anomaly Headers        | N/A             | Disabled   | This is a New Detection |

Oct 03, 2025
1. ### [One-click Cloudflare Access for Workers](https://developers.cloudflare.com/changelog/post/2025-10-03-one-click-access-for-workers/)  
[ Workers ](https://developers.cloudflare.com/workers/)  
You can now enable [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) for your [workers.dev](https://developers.cloudflare.com/workers/configuration/routing/workers-dev/) and [Preview URLs](https://developers.cloudflare.com/workers/configuration/previews/) in a single click.  
![Screenshot of the Enable/Disable Cloudflare Access button on the workers.dev route settings page](https://developers.cloudflare.com/_astro/workers-access.DGGYThLx_1YsjKO.webp)  
Access allows you to limit access to your Workers to specific users or groups. You can limit access to yourself, your teammates, your organization, or anyone else you specify in your [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/).  
To enable Cloudflare Access:

  1. In the Cloudflare dashboard, go to the **Workers & Pages** page.  
  [ Go to **Workers & Pages** ](https://dash.cloudflare.com/?to=/:account/workers-and-pages)
  2. In **Overview**, select your Worker.
  3. Go to **Settings** \> **Domains & Routes**.
  4. For `workers.dev` or Preview URLs, click **Enable Cloudflare Access**.
  5. Optionally, to configure the Access application, click **Manage Cloudflare Access**. There, you can change the email addresses you want to authorize. View [Access policies](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/#selectors) to learn about configuring alternate rules.  
To fully secure your application, it is important that you validate the JWT that Cloudflare Access adds to the `Cf-Access-Jwt-Assertion` header on the incoming request.  
The following code will validate the JWT using the [jose NPM package ↗](https://www.npmjs.com/package/jose):

**JavaScript**  
```javascript  
import { jwtVerify, createRemoteJWKSet } from "jose";  
export default {  
  async fetch(request, env, ctx) {  
    // Verify the POLICY_AUD environment variable is set  
    if (!env.POLICY_AUD) {  
      return new Response("Missing required audience", {  
        status: 403,  
        headers: { "Content-Type": "text/plain" },  
      });  
    }  
    // Get the JWT from the request headers  
    const token = request.headers.get("cf-access-jwt-assertion");  
    // Check if token exists  
    if (!token) {  
      return new Response("Missing required CF Access JWT", {  
        status: 403,  
        headers: { "Content-Type": "text/plain" },  
      });  
    }  
    try {  
      // Create JWKS from your team domain  
      const JWKS = createRemoteJWKSet(  
        new URL(`${env.TEAM_DOMAIN}/cdn-cgi/access/certs`),  
      );  
      // Verify the JWT  
      const { payload } = await jwtVerify(token, JWKS, {  
        issuer: env.TEAM_DOMAIN,  
        audience: env.POLICY_AUD,  
      });  
      // Token is valid, proceed with your application logic  
      return new Response(`Hello ${payload.email || "authenticated user"}!`, {  
        headers: { "Content-Type": "text/plain" },  
      });  
    } catch (error) {  
      // Token verification failed  
      return new Response(`Invalid token: ${error.message}`, {  
        status: 403,  
        headers: { "Content-Type": "text/plain" },  
      });  
    }  
  },  
};  
```  
#### Required environment variables  
Add these [environment variables](https://developers.cloudflare.com/workers/configuration/environment-variables/) to your Worker:

  * `POLICY_AUD`: Your application's AUD tag
  * `TEAM_DOMAIN`: `https://<your-team-name>.cloudflareaccess.com`  
Both of these appear in the modal that appears when you enable Cloudflare Access.  
You can set these variables by adding them to your Worker's [Wrangler configuration file](https://developers.cloudflare.com/workers/wrangler/configuration/), or via the Cloudflare dashboard under **Workers & Pages** \> **your-worker** \> **Settings** \> **Environment Variables**.

Oct 02, 2025
1. ### [Fine-grained Permissioning for Access for Apps, IdPs, & Targets now in Public Beta](https://developers.cloudflare.com/changelog/post/2025-10-01-fine-grained-permissioning-beta/)  
[ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/)  
Fine-grained permissions for **Access Applications, Identity Providers (IdPs), and Targets** is now available in Public Beta. This expands our RBAC model beyond account & zone-scoped roles, enabling administrators to grant permissions scoped to individual resources.  
#### What's New

  * **[Access Applications ↗](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/)**: Grant admin permissions to specific Access Applications.
  * **[Identity Providers ↗](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/)**: Grant admin permissions to individual Identity Providers.
  * **[Targets ↗](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#1-add-a-target)**: Grant admin rights to specific Targets  
![Updated Permissions Policy UX](https://developers.cloudflare.com/_astro/2025-10-01-fine-grained-permissioning-ux.BWVmQsVF_Z1p4MJh.webp)  
Note  
During the public beta, members must also be assigned an account-scoped, read only role to view resources in the dashboard. This restriction will be lifted in a future release.

  * **Account Read Only** plus a fine-grained permission for a specific App, IdP, or Target
  * **Cloudflare Zero Trust Read Only** plus fine-grained permission for a specific App, IdP, or Target  
For more info:

  * [Get started with Cloudflare Permissioning](https://developers.cloudflare.com/fundamentals/manage-members/roles/)
  * [Manage Member Permissioning via the UI & API](https://developers.cloudflare.com/fundamentals/manage-members/manage)

Oct 02, 2025
1. ### [New Deepgram Flux model available on Workers AI](https://developers.cloudflare.com/changelog/post/2025-10-02-deepgram-flux/)  
[ Workers AI ](https://developers.cloudflare.com/workers-ai/)  
Deepgram's newest Flux model [@cf/deepgram/flux](https://developers.cloudflare.com/workers-ai/models/flux/) is now available on Workers AI, hosted directly on Cloudflare's infrastructure. We're excited to be a launch partner with Deepgram and offer their new Speech Recognition model built specifically for enabling voice agents. Check out [Deepgram's blog ↗](https://deepgram.com/flux) for more details on the release.  
The Flux model can be used in conjunction with Deepgram's speech-to-text model [@cf/deepgram/nova-3](https://developers.cloudflare.com/workers-ai/models/nova-3/) and text-to-speech model [@cf/deepgram/aura-1](https://developers.cloudflare.com/workers-ai/models/aura-1/) to build end-to-end voice agents. Having Deepgram on Workers AI takes advantage of our edge GPU infrastructure, for ultra low latency voice AI applications.  
#### Promotional Pricing  
For the month of October 2025, Deepgram's Flux model will be free to use on Workers AI. Official pricing will be announced soon and charged after the promotional pricing period ends on October 31, 2025\. Check out the [model page](https://developers.cloudflare.com/workers-ai/models/flux/) for pricing details in the future.  
#### Example Usage  
The new Flux model is WebSocket only as it requires live bi-directional streaming in order to recognize speech activity.

  1. Create a worker that establishes a websocket connection with `@cf/deepgram/flux`

**JavaScript**  
```js  
export default {  
  async fetch(request, env, ctx): Promise<Response> {  
    const resp = await env.AI.run("@cf/deepgram/flux", {  
      encoding: "linear16",  
      sample_rate: "16000"  
    }, {  
      websocket: true  
    });  
    return resp;  
  },  
} satisfies ExportedHandler<Env>;  
```

  1. Deploy your worker  
```bash  
npx wrangler deploy  
```

  1. Write a client script to connect to your worker and start sending random audio bytes to it

**JavaScript**  
```js  
const ws = new WebSocket('wss://<your-worker-url.com>');  
ws.onopen = () => {  
  console.log('Connected to WebSocket');  
  // Generate and send random audio bytes  
  // You can replace this part with a function  
  // that reads from your mic or other audio source  
  const audioData = generateRandomAudio();  
  ws.send(audioData);  
  console.log('Audio data sent');  
};  
ws.onmessage = (event) => {  
  // Transcription will be received here  
  // Add your custom logic to parse the data  
  console.log('Received:', event.data);  
};  
ws.onerror = (error) => {  
  console.error('WebSocket error:', error);  
};  
ws.onclose = () => {  
  console.log('WebSocket closed');  
};  
// Generate random audio data (1 second of noise at 44.1kHz, mono)  
function generateRandomAudio() {  
  const sampleRate = 44100;  
  const duration = 1;  
  const numSamples = sampleRate * duration;  
  const buffer = new ArrayBuffer(numSamples * 2);  
  const view = new Int16Array(buffer);  
  for (let i = 0; i < numSamples; i++) {  
    view[i] = Math.floor(Math.random() * 65536 - 32768);  
  }  
  return buffer;  
}  
```

Oct 02, 2025
1. ### [Workers Analytics Engine adds supports for new SQL functions](https://developers.cloudflare.com/changelog/post/2025-09-26-analytics-engine-sql-enhancements/)  
[ Workers Analytics Engine ](https://developers.cloudflare.com/analytics/analytics-engine/)[ Workers ](https://developers.cloudflare.com/workers/)  
You can now perform more powerful queries directly in [Workers Analytics Engine ↗](https://developers.cloudflare.com/analytics/analytics-engine/) with a major expansion of our SQL function library.  
Workers Analytics Engine allows you to ingest and store high-cardinality data at scale (such as custom analytics) and query your data through a simple SQL API.  
Today, we've expanded Workers Analytics Engine's SQL capabilities with several new functions:  
[**New aggregate functions:** ↗](https://developers.cloudflare.com/analytics/analytics-engine/sql-reference/aggregate-functions/)

  * `argMin()` \- Returns the value associated with the minimum in a group
  * `argMax()` \- Returns the value associated with the maximum in a group
  * `topK()` \- Returns an array of the most frequent values in a group
  * `topKWeighted()` \- Returns an array of the most frequent values in a group using weights
  * `first_value()` \- Returns the first value in an ordered set of values within a partition
  * `last_value()` \- Returns the last value in an ordered set of values within a partition  
[**New bit functions:** ↗](https://developers.cloudflare.com/analytics/analytics-engine/sql-reference/bit-functions/)

  * `bitAnd()` \- Returns the bitwise AND of two expressions
  * `bitCount()` \- Returns the number of bits set to one in the binary representation of a number
  * `bitHammingDistance()` \- Returns the number of bits that differ between two numbers
  * `bitNot()` \- Returns a number with all bits flipped
  * `bitOr()` \- Returns the inclusive bitwise OR of two expressions
  * `bitRotateLeft()` \- Rotates all bits in a number left by specified positions
  * `bitRotateRight()` \- Rotates all bits in a number right by specified positions
  * `bitShiftLeft()` \- Shifts all bits in a number left by specified positions
  * `bitShiftRight()` \- Shifts all bits in a number right by specified positions
  * `bitTest()` \- Returns the value of a specific bit in a number
  * `bitXor()` \- Returns the bitwise exclusive-or of two expressions  
[**New mathematical functions:** ↗](https://developers.cloudflare.com/analytics/analytics-engine/sql-reference/mathematical-functions/)

  * `abs()` \- Returns the absolute value of a number
  * `log()` \- Computes the natural logarithm of a number
  * `round()` \- Rounds a number to a specified number of decimal places
  * `ceil()` \- Rounds a number up to the nearest integer
  * `floor()` \- Rounds a number down to the nearest integer
  * `pow()` \- Returns a number raised to the power of another number  
[**New string functions:** ↗](https://developers.cloudflare.com/analytics/analytics-engine/sql-reference/string-functions/)

  * `lowerUTF8()` \- Converts a string to lowercase using UTF-8 encoding
  * `upperUTF8()` \- Converts a string to uppercase using UTF-8 encoding  
[**New encoding functions:** ↗](https://developers.cloudflare.com/analytics/analytics-engine/sql-reference/encoding-functions/)

  * `hex()` \- Converts a number to its hexadecimal representation
  * `bin()` \- Converts a string to its binary representation  
[**New type conversion functions:** ↗](https://developers.cloudflare.com/analytics/analytics-engine/sql-reference/type-conversion-functions/)

  * `toUInt8()` \- Converts any numeric expression, or expression resulting in a string representation of a decimal, into an unsigned 8 bit integer  
#### Ready to get started?  
Whether you're building usage-based billing systems, customer analytics dashboards, or other custom analytics, these functions let you get the most out of your data. [Get started ](https://developers.cloudflare.com/analytics/analytics-engine/get-started/) with Workers Analytics Engine and explore all available functions in our [SQL reference documentation](https://developers.cloudflare.com/analytics/analytics-engine/sql-reference/).

Oct 01, 2025
1. ### [New Confidence Intervals in GraphQL Analytics API](https://developers.cloudflare.com/changelog/post/2025-10-01-confidence-intervals/)  
[ Analytics ](https://developers.cloudflare.com/analytics/)  
The GraphQL Analytics API now supports confidence intervals for `sum` and `count` fields on adaptive (sampled) datasets. Confidence intervals provide a statistical range around sampled results, helping verify accuracy and quantify uncertainty.

  * **Supported datasets**: Adaptive (sampled) datasets only.
  * **Supported fields**: All `sum` and `count` fields.
  * **Usage**: The confidence `level` must be provided as a decimal between 0 and 1 (e.g. `0.90`, `0.95`, `0.99`).
  * **Default**: If no confidence level is specified, no intervals are returned.  
For examples and more details, see the [GraphQL Analytics API documentation](https://developers.cloudflare.com/analytics/graphql-api/features/confidence-intervals/).

Oct 01, 2025
1. ### [Larger Container instance types](https://developers.cloudflare.com/changelog/post/2025-10-01-new-container-instance-types/)  
[ Containers ](https://developers.cloudflare.com/containers/)  
New instance types provide up to 4 vCPU, 12 GiB of memory, and 20 GB of disk per container instance.

| Instance Type | vCPU | Memory  | Disk  |
| ------------- | ---- | ------- | ----- |
| lite          | 1/16 | 256 MiB | 2 GB  |
| basic         | 1/4  | 1 GiB   | 4 GB  |
| standard-1    | 1/2  | 4 GiB   | 8 GB  |
| standard-2    | 1    | 6 GiB   | 12 GB |
| standard-3    | 2    | 8 GiB   | 16 GB |
| standard-4    | 4    | 12 GiB  | 20 GB |  
The `dev` and `standard` instance types are preserved for backward compatibility and are aliases for `lite` and `standard-1`, respectively. The `standard-1` instance type now provides up to 8 GB of disk instead of only 4 GB.  
See the [getting started guide](https://developers.cloudflare.com/containers/get-started/) to deploy your first Container, and the [limits documentation](https://developers.cloudflare.com/containers/platform-details/limits/) for more details on the available instance types and limits.

Oct 01, 2025
1. ### [Expanded File Type Controls for Executables and Disk Images](https://developers.cloudflare.com/changelog/post/2025-10-01-new-file-type-support/)  
[ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/)  
You can now enhance your security posture by blocking additional application installer and disk image file types with Cloudflare Gateway. Preventing the download of unauthorized software packages is a critical step in securing endpoints from malware and unwanted applications.  
We have expanded Gateway's file type controls to include:

  * Apple Disk Image (dmg)
  * Microsoft Software Installer (msix, appx)
  * Apple Software Package (pkg)  
You can find these new options within the [_Upload File Types_ and _Download File Types_ selectors](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#download-and-upload-file-types) when creating or editing an HTTP policy. The file types are categorized as follows:

  * **System**: _Apple Disk Image (dmg)_
  * **Executable**: _Microsoft Software Installer (msix)_, _Microsoft Software Installer (appx)_, _Apple Software Package (pkg)_  
To ensure these file types are blocked effectively, please note the following behaviors:

  * DMG: Due to their file structure, DMG files are blocked at the very end of the transfer. A user's download may appear to progress but will fail at the last moment, preventing the browser from saving the file.
  * MSIX: To comprehensively block Microsoft Software Installers, you should also include the file type _Unscannable_. MSIX files larger than 100 MB are identified as Unscannable ZIP files during inspection.  
To get started, go to your HTTP policies in Zero Trust. For a full list of file types, refer to [supported file types](https://developers.cloudflare.com/cloudflare-one/traffic-policies/http-policies/#supported-file-types).

```json
{"@context":"https://schema.org","@type":"BlogPosting","@id":"https://developers.cloudflare.com/changelog/24/#page","headline":"Changelogs | Cloudflare Docs","url":"https://developers.cloudflare.com/changelog/24/","inLanguage":"en","image":"https://developers.cloudflare.com/cf-twitter-card.png","publisher":{"@type":"Organization","name":"Cloudflare","url":"https://www.cloudflare.com/"},"isPartOf":{"@type":"WebSite","@id":"https://developers.cloudflare.com/#website","name":"Cloudflare Docs","url":"https://developers.cloudflare.com/"}}
```
