What's New at Cloudflare

At Cloudflare we're dedicated to constantly improving our product. Read below to find out the latest updates.

featureSep 2022

Logpush filters and alerts

We are excited to announce three enhancements to Logpush, available to customers on an Enterprise plan, to help improve the reliability and usability of this service. You will now have the ability to filter logs based on match criteria before sending to the Logpush destination, helping you manage your log volume and storage costs. In addition, you will also be alerted when Logpush fails due to issues with the destination or network reachability, and you will be able to track and query the health of Logpush jobs, such as bytes and records transferred, number of successful pushes and number of failuers.

blogSep 2022

API management and analytics

See how Cloudflare can now manage and monitor your APIs. We give you the ability to discover, manage, update, and monitor the performance of all API endpoints in addition to protecting them with the deep API security we have long offered.

featureSep 2022

Regional Services comes to India, Japan and Australia

We are expanding Regional Services capabilities to more countries in APJC: Australia, India, and Japan. This expansion gives customers in those countries more precise controls over which data centers decrypt and inspect their traffic, helping them to meet local regulatory and contractual requirements.

blogSep 2022

Stream Live is now Generally Available

We’re excited to announce that Stream Live is out of beta, available to everyone, and ready for production traffic at scale. Stream Live is a feature of Cloudflare Stream that allows developers to build live video features in websites and native apps. Bring your big live events, ambitious new video subscription service, or the next mobile video app with millions of users — we’re ready for it.

productSep 2022

R2

R2, Cloudflare's zero egress fee object storage, is now available for all customers. R2 gives you the ability to store static assets and retrieve them with zero egress fees. R2 was built to store large amounts of static include documents, images, videos, logs, and archival information. Start moving your data today with R2's S3-compatible API.

featureSep 2022

Isolate browser-borne threats on any network with WAN-as-a-Service

Now you can easily integrate Cloudflare Browser Isolation into your existing network from any traffic source such as IPsec and GRE via our WAN-as-a-service, Magic WAN. This new capability enables your administrators to connect on-premise networks to Cloudflare and protect Internet activity from browser-borne malware and zero day threats, without installing any endpoint software or nagging users to update to the browser.

productSep 2022

Cloudflare Data Loss Prevention is now generally available

The migration to the cloud has made tracking and controlling sensitive information more difficult than ever. Using Cloudflare DLP, you can now get visibility and control of sensitive data moving into, out of, and around their corporate network.

productSep 2022

Cloudflare CASB is now generally available

Your IT and security administrators can now begin using Cloudflare CASB to connect, scan, and monitor your SaaS apps for a wide variety of security issues - all in just a few clicks. Whether it’s auditing Google Drive for data exposure and file oversharing, checking Microsoft 365 for misconfigurations and insecure settings, or reviewing third-party access for Shadow IT, CASB can help your organization establish a direct line of sight into your SaaS security and DLP posture.

featureSep 2022

Adaptive DDoS Protection

Introducing Cloudflare Adaptive DDoS Protection, a new feature that joins our existing suite of autonomous DDoS Protection solutions. Adaptive DDoS Protection learns your traffic patterns to automatically detect and mitigate DDoS attacks against your Internet properties at lightning-speed. You will benefit from better protection against sophisticated attacks, granular controls (via our dashboard or API), and out-of-the-box functionality that will help provide an extra layer of security. Adaptive DDoS Protection is available for L7 Enterprise customers with Advanced DDoS Protection, Spectrum customers, and Magic Transit Enterprise customers.

featureSep 2022

Advanced DDoS Alerts

Introducing Advanced DDoS Alerts, which bring more flexibility and ability to customize alerting to suit your needs when managing multiple Internet properties. Customers can now easily define which alerts they want to receive — for which DDoS attack sizes, protocols and for which Internet properties. Advanced HTTP DDoS Attack Alerts are available to WAF/CDN customers on the Enterprise plan, who have also subscribed to the Advanced DDoS Protection service. Advanced L3/4 DDoS Attack Alerts are available to Magic Transit and Spectrum BYOIP customers on the Enterprise plan.

productSep 2022

Account WAF

Organizations can now manage a single WAF configuration for all their enterprise domains, saving valuable time and effort. This means deploying a ruleset once to protect all zones on Cloudflare, with the flexibilty to customize as necessary.

productSep 2022

Cloudforce One

We have unveiled Cloudforce One, our threat intelligence and operations offering. It combines threat research, threat intelligence feeds and custom research to bolster adversary insights, strengthen security postures and pave the way for effective responses and defenses

analystsSep 2022

2022 Gartner Magic Quadrant for WAAP

Cloudflare named a LEADER in the Gartner® Magic Quadrant™ for Web Application and API Protection (WAAP).

blogJun 2022

Zero Trust: CASB + Gateway integration now in closed beta

Detecting issues through CASB is a great start, but admins also want guidance to fix them! Otherwise, they have a bunch of useful data in front of them and no clear action for what to do with it. Customers can now take suspicious findings and block some or all of the activity in a few clicks by creating Gateway policies directly from CASB security findings. This helps expand SaaS visibility to help prevent data leaks and compliance voliations. Gateway + CASB integration is available now in closed beta.

blogJun 2022

Announcing the Cloudflare One Partner Program

The Cloudflare One Partner Program helps channel partners deliver on the promise of Zero Trust. The skills and expertise of the channel will act as trusted advisors to our customers to optimize solutions to meet their specific business requirements. The program includes new product bundles to streamline the design and delivery of solutions, plus all program elements are operationalized through Cloudflare’s distributors. New tools, training, and rich incentive structures will enable our partners to be successful.

blogJun 2022

Zero Trust: Private network discovery now in closed beta

Networks are constantly evolving with new resources being spun up dynamically, so it can be difficult to discover and secure new apps when admins may not even know what they’re looking for. Network discovery provides better visibility to help maintain security of a private network over time. It passively catalogs both resources being accessed and the users who are accessing them, without any configuration required. This capability is available for early access through our closed beta.

blogJun 2022

Introducing Cloudforce One: our new threat operations and research team

Cloudforce One is Cloudflare’s new threat operations and research team, created to track and disrupt threat actors in addition to publishing research. Insights gathered will improve our products and all customers will benefit without taking action. Enterprise customers can soon sign up for a Threat Intelligence subscription, offering 1:1 tailored briefings and periodic inquiries for follow-up. All other Enterprise customers can join periodic group briefings.

blogJun 2022

Zero Trust: Email link isolation now in closed beta

Neither humans nor security tools are perfect. Anyone can fall for socially engineered attacks, and even the best threat intelligence can’t block 100% of threats. Increasingly blended multi-channel and/or deferred attacks are ways for threat actors to bypass existing filters. When “fuzzy” signals exist and attack methods only grow more advanced, isolating an email link destination to ensure end users are secure is the most effective solution. Admins can now enable remote browser isolation for email links through our closed beta.

featureJun 2022

Logpush Filters

Filters are now available in Logpush for all Enterprise customers. Log filtering gives our customers more control over the scale of their logs which saves time and money when storing and analyzing them. With filters, customers can send logs to different destinations or at different sample rates based on criteria such as status code, path, firewall action, bot score and many more fields!

blogJun 2022

Private Access Tokens: Internet with greater privacy and fewer CAPTCHAs

Cloudflare, in conjunction with tech leaders like Apple, has created a new open source standard that provides an invisible, privacy-first way for users to prove they are real using Apple devices – without CAPTCHAs or PII collection.

productJun 2022

Load Balancing Country Steering is now Generally Available

We are excited to add support for Load Balancing customers to create a mapping between their origin pool and Cloudflare datacenters with country level granularity. Before this, customers could already map to specific geographies (using Geo Steering). This new fearure directly supports customers to fine tune how their traffic should be directed between their origin pools with a country-level granularity and get more control around how their traffic should behave.

featureApr 2022

Full packet captures with Magic Firewall

Customers can now configure a Logpush bucket to receive full (non-sampled) packet captures on-demand from Cloudflare's edge, giving them full visibility into their network traffic for troubleshooting and blocking attacks. This is available to all customers with Advanced Magic Firewall.

analystsApr 2022

Cloudflare Named A ‘Strong Performer’ in The Forrester Wave™ for Bot Management

Forrester Research, Inc. evaluated the most significant providers in the market for Bot Management based on 25-criteria across current offering, strategy, and market presence. According to Forrester, “Cloudflare has vastly improved its bot management…” with a product roadmap that “reflects Cloudflare’s goals of more-efficient detection and response.”

featureApr 2022

WAF Analytics: Expanded query time window

Enterprise customers can now query the full web application firewall (WAF) analytics data set, an increase from the previous 3 day query time window to the full 30 days. This will simplify troubleshooting and incident resolution and enable customers to do more from their Cloudflare dashboard.

featureMar 2022

Magic Firewall: SIP validation

DDoS attacks can quickly overwhelm VoIP services resulting in performance degradation and service outages. Of late, we have seen a surge in attacks targeting SIP ports on the Internet. With this new Magic Firewall Advanced feature, customers can now enforce protocol validation checks to ensure that incoming packets are actually valid SIP frames. Using a simple match condition, customers can choose to block or skip unwanted packets and protect their VoIP services from network-layer DDoS attacks.

featureMar 2022

WAF machine learning detections

We are introducing machine learning detections to complement our WAF managed rulesets. It is trained on massive Cloudflare datasets and attack patterns to stop sophisticated bypass attempts. The WAF dashboard will show all requests scored from 1-99 indicating likelihood of attack.

With machine learning, we become even more effective at stopping attacks and bypass attempts, starting with SQLi and XSS, two of the most common application attacks.

blogMar 2022

Introducing Cloudflare API Gateway

We are introducing Cloudflare API Gateway. With API Gateway, we will build on our current API Shield capabilities so businesses will be able to create, manage and secure APIs with robust API Gateway functionality:

Create and manage APIs directly with Cloudflare Workers Automatically detect unmanaged APIs Address authentication and authorization Identify and stop API abuse (ready today with API Shield in GA) Transform, route, log, and measure API requests.

Our security features in API Shield like API Discovery, Schema Validation, Abuse Detection, and mTLS are available now. Activate API Security and learn more about our plans to build it out into an API Gateway.

blogMar 2022

Zero Trust: SSH command logging now in closed beta

Secure Shell Protocol (SSH) command logging is now in closed beta, and we will be opening this feature up to users in the coming weeks. It provides a full replay of all commands run during an SSH session to help paint a clear picture in the event of an accident, suspected breach, or attack. As an extension of Cloudflare’s secure Web Gateway, it provides SSH visibility at a network layer. All commands are automatically captured without complex logging software installed on individual remote machines.

blogMar 2022

Zero Trust: Client-based sessions now generally available

You can now build Zero Trust rules that require periodic authentication to control network access, including to TCP connections and UDP flows. To help mitigate risk with persistent sessions on scenarios like lost/laptops, shared workstations, and personal devices, client-based sessions require a user to reauthenticate with their identity provider before accessing specific resources. You can specify how often users need to reauthenticate depending on the resource and serve pop-ups to users without being overly intrusive.

blogMar 2022

New on-ramp available via Zero Trust device client and Magic IP-layer tunnels

Now, traffic from devices with our Zero Trust client installed can route automatically to any network connected with an IP-layer on-ramp, e.g., Anycast GRE, IPsec, or CNI. This option increases the flexibility you have to connect existing network infrastructure and serves as another way to help you transition away from a traditional VPN architecture over time.

blogMar 2022

Zero Trust: Managing clouds with Cloudflare CASB and what’s next

Cloudflare’s CASB beta is now available for sign-ups, with the first wave of beta invitations going out early next month. Our CASB looks at both data and users in SaaS apps to alert teams to issues ranging from unauthorized user access and file exposure to misconfigurations and shadow IT. Through the beta, you’ll be able to try out integrations with Google Workspace and GitHub shortly. We’ll soon follow with others like Zoom, Slack, Okta, Microsoft 365, and Salesforce throughout the year. More capabilities like SaaS asset management, remediation guides, and automated workflows are coming soon as well, plus integrations with Cloudflare Gateway to help wrangle in shadow IT. We’re eager to hear from you to help us shape what comes next.

featureMar 2022

Magic Transit: Protect all networks

We are excited to extend the capabilities of Magic Transit to customers with any size network, from home networks to offices to large cloud properties, by offering Cloudflare-maintained and Magic Transit-protected IP space as a service. Customers can now use Cloudflare-assigned IP addresses for their Internet-facing services and receive industry-leading DDoS protection through Magic Transit, no matter the size of their IP address block. Previously Magic Transit required a /24 prefix at a minimum. Contact your account team to take advantage of this feature today.

blogMar 2022

Zero Trust: Clientless web isolation now generally available

Cloudflare’s clientless web isolation is now generally available, which streamlines connections to remote browsers through a hyperlink (e.g., https://.cloudflareaccess.com/browser). Once users are authenticated, their browser establishes a low-latency connection to a remote browser hosted in a nearby Cloudflare data center without installing any software or requiring any certificates on the endpoint device. You can better secure browsing for third-party contractors, protect against suspicious hyperlinks and PDF documents, integrate with third-party secure web gateways, and empower users to securely access sensitive data on unmanaged device endpoints anywhere in the world.

blogMar 2022

Cloudflare and CrowdStrike partner to give CISOs secure control across devices, applications, and corporate networks

We’ve deepened the integration between Cloudflare’s Zero Trust suite and CrowdStrike’s Endpoint Detection and Response (EDR) offering. You can now use CrowdStike Falcon Zero Trust Assessment (ZTA), which provides continuous real-time device posture assessments, to verify device posture before granting access to internal or external applications via Cloudflare’s Zero Trust services. The CrowdStrike ZTA scores enable enforcement of conditional policies based on device health and compliance checks to mitigate risks. These policies are evaluated each time a connection request is made, making the conditional access adaptive to the evolving condition of the device.

With this integration, you can build on top of existing Cloudflare Access and Gateway policies ensuring that a minimum ZTA score or version has been met before a user is granted access. Because these policies work across our entire Zero Trust platform, you can use these to build powerful rules invoking Browser Isolation, tenant control, antivirus or any part of your Cloudflare deployment.

analystsMar 2022

Cloudflare Named A ‘Leader’ in the 2022 IDC MarketScape for WW CDN Services

Cloudflare is named a LEADER in the 2022 IDC MarketScape for Worldwide Commercial Content Delivery Network Services 2022 Vendor Assessment. (doc #US47652821, March 2022).

According to the IDC MarketScape, “Cloudflare is a highly innovative vendor and continues to invest in its competencies to support advanced technologies such as virtualization, serverless, AI/ML, IoT, HTTP3, 5G and (mobile) edge computing.”

featureFeb 2022

Premium DNS Health Monitoring is now GA for Contract Customers

We are excited to announce the addition of new health monitoring types. These newly added types directly support our customer's ability to load balance more DNS records than just A/AAAA and CNAME records. Now, customers can add MX, SRV, HTTPs, and TXT records. The new health monitoring types are ICMP Ping, SMTP, and UDP-ICMP (these are in addition to the previously existing HTTP, HTTPS, and TCP types).

Cloudflare Enterprise plan customers can now point an MX, SRV, or HTTPs record address to a Load Balancer hostname and leverage the new health monitoring type(s) to inform intelligent traffic steering and failover support for unproxed (grey clouded) Load Balancers.

featureJan 2022

Magic Firewall: Early access for on-demand packet captures

Magic Firewall customers now have early access to an API to collect packet captures from Cloudflare's edge, which can be used for debugging network issues and gaining greater visibility into malicious traffic patterns. This early access API allows customers to capture the first 160 bytes of packets, sampled at a default rate of 1/100. More functionality including full, encrypted packet captures and control in the Cloudflare dashboard is coming soon.

Please contact your account team to get early access for this feature.

blogDec 2021

Zero Trust: New partnerships with Mobile Device Management (MDM) vendors

New integrations with mobile device management vendors Microsoft Intune, Ivanti, JumpCloud, Kandji, and Hexnode make it even easier to deploy and install Cloudflare's device client on user devices. We are partnering with leading MDM organizations that organizations already rely on to ensure Cloudflare's software is compatible and has purpose-built documentation to protect users across all devices.

blogDec 2021

Zero Trust: New controls to route traffic with Cloudflare's device client (WARP)

Cloudflare's enterprise device client (WARP) now support API and Terraform based controls. This provides even more options to roll out the client to your organization's workforce. See API documentation and the Terraform documentation.

Also, Cloudflare's enterprise device client (WARP) now fully supports the major operating systems, including: Windows 8.1, Windows 10 and Windows 11; macOS Mojave, Catalina, Big Sur, Monterey; Including M1 support; ChromeBooks (Manufactured after 2019) (New); Linux CentOS 8, RHEL, Ubuntu, Debian (New); iOS; and Android.

blogDec 2021

Zero Trust: Clientless web isolation (BETA)

By isolating specific URLs, Cloudflare's web isolation can apply Zero Trust threat and data protection for contractor devices or devices managed by third parties without the overhead of deploying additional software to endpoints. Cloudflare’s clientless web isolation leverages our Browser Isolation solution, which runs all web code remotely on our global network far away from any user endpoint.

blogDec 2021

Zero Trust: Extending Cloudflare’s Zero Trust platform to support UDP and Internal DNS

Thousands of organizations have already started building a private network on top of Cloudflare’s network, and now we’re making it easier than ever. Coming soon, we’re eliminating the need to migrate thousands of private hostnames manually to override DNS rules. Now you can route traffic to a private DNS resolver from Cloudflare's network. To learn more, check out the recent announcement.

blogDec 2021

Zero Trust: Private networking rules add sessions and login intervals

Granular, identity based policies help build a Zero Trust posture, and now you can enforce session rules to the resources made available in your private network model. Until now, you could build Zero Trust rules around who could reach certain IPs and destinations, however when a user authenticated once, they could keep connecting indefinitely unless fully revoked. Whether you need to force a login every 24 hours or set a timeout after one week, you can now configure specific session durations for your policies and require a user re-authenticates with multi-factor authentication.

blogDec 2021

Zero Trust: Control input on suspicious sites with Cloudflare Browser Isolation

Earlier this year, Cloudflare Browser Isolation introduced data protection controls that take advantage of the remote browser’s ability to manage all input and outputs between a user and any website. We’re excited to extend that functionality to apply more controls such as prohibiting keyboard input and file uploads to avert phishing attacks and credential theft on high risk and unknown websites.

blogDec 2021

Zero Trust: New cloud-native firewall capabilities

Cloudlare expands its Zero Trust firewall capabilities to help companies secure their entire corporate network across all of their branch offices, data centers, and clouds—no matter where their employees are working from.

Cloudflare also launched the Oahu program today to help orgranizations migrate from hardware firewalls to Zero Trust. Eligible customers who deprecate hardware firewalls may qualify for discounts and be entered for a chance to win a trip to Oahu, Hawaii.

featureDec 2021

Customers can now customize L3/4 DDoS attack protection settings

After initially providing our customers control over the HTTP-layer DDoS protection settings earlier this year, we’re now excited to extend the control our customers have to the packet layer. Using these new controls, Cloudflare Enterprise customers using the Magic Transit and Spectrum services can now tune and tweak their L3/4 DDoS protection settings directly from the Cloudflare dashboard or via Cloudflare API.

Network-layer DDoS Protection ruleset - This ruleset includes rules to detect and mitigate DDoS attacks on layer 3/4 of the OSI model such as UDP floods, SYN-ACK reflection attacks, SYN Floods, and DNS floods. This ruleset is available for customers using Cloudflare Spectrum and Magic Transit on the Enterprise plan.

Advanced TCP Protection ruleset - This ruleset includes rules to detect and mitigate sophisticated out-of-state TCP attacks such as spoofed ACK Floods, Randomized SYN Floods, and distributed SYN-ACK Reflection attacks. This ruleset is available for Cloudflare Magic Transit customers only.

In the past, customers had to contact Cloudflare Support to customize these rulesets. With this feature, customers can tailor and fine-tune the settings to further improve the accuracy of the protection for their specific network needs.

blogNov 2021

Build Full Stack applications with Pages

Developers can turn static sites into a fully dynamic application by executing code at the edge with help from the powerful Cloudflare Workers platform. We are announcing this as an open beta and have some exciting things planned for the coming weeks and months.

blogNov 2021

Database Connectors and New Partners

Cloudflare offers database connectors (early access), enabling developers to directly connect to classic relational databases like Postgres and MySQL. Customers can also leverage our partnerships with MongoDB, Prisma.

blogNov 2021

Durable Objects are now generally available

Durable Objects are now generally available and production-ready. Customers can now implement complex applications, like collaborative whiteboarding, game servers, or global queues, in just a few lines of code.

analystsOct 2021

Cloudflare recognized as a 'Leader' in The Forrester New Wave for Edge Development Platforms

Forrester Research, Inc. evaluated the most significant providers in the market for edge development platforms based on 10 criteria across compute, data services and web development capabilities. In the report, “The Forrester New Wave™: Edge Development Platforms, Q4 2021” Cloudflare was named a ‘Leader’.

blogOct 2021

Zero Trust: User interface to set up tunnel connections

With the new UI in the Cloudflare for Teams Dashboard, users who deploy and manage Cloudflare Tunnel at scale now have easier visibility into their tunnels’ status, routes, uptime, connectors, cloudflared version, and much more. On the Teams Dashboard you will also find an interactive guide that walks you through setting up your first tunnel. Our new onboarding guide walks through each command required to create, route, and run your tunnel successfully while also highlighting relevant validation commands to serve as guardrails along the way. Once completed, you’ll be able to view and manage your newly established tunnels.

featureOct 2021

Zero Trust: Browser Isolation text input and file control

Customers will be able to apply new rules that stop users from inputting text in Browser Isolation, as well prevent users from downloading or uploading inside of an isolated browser session.

featureOct 2021

Zero Trust: Access rule with temporary authentication

With Cloudflare Access, you can require that users obtain approval before they can access a specific application. For any temporary authentication policy, a user will need to request access at the start of each session and every time their temporary session expires. This allows administrators to define which users should have persistent access and those that must request temporary access.

featureOct 2021

Magic Static Routes + GRE Tunnel Config UI is now live

Magic Transit and Magic WAN customers can now view and update their static route and GRE tunnel configuration with a new section in the Cloudflare dashboard. This new UI allows customers to view and edit existing route and tunnel information, as well as validate changes, with updates propagated globally within minutes.

productSep 2021

Serverless Live Streaming with Cloudflare Stream

We’re excited to introduce the open beta of Stream Live, an end-to-end scalable live-streaming platform that allows you to focus on growing your live video apps, not your codebase. With Stream Live, you can painlessly grow your streaming app to scale to millions of concurrent broadcasters and millions of concurrent users.

productSep 2021

Registrar for Everyone

All Cloudflare customers now have full Registrar access, including the ability to register new domains. Starting today — and over the course of the next few weeks — we will be introducing over 40 new top-level domains (TLDs).

featureSep 2021

Magic GRE Tunnel Config API is now live

Magic Transit and Magic WAN customers can now view and update their GRE tunnel configuration via API. This new API allows customers to view existing tunnel information and add/delete tunnels, as well as validate changes, with updates propagated globally within minutes.

featureSep 2021

Customize your HTTP DDoS protection settings

We’re excited to announce the availability of the HTTP DDoS Managed Ruleset. This feature allows Cloudflare customers to independently tailor their HTTP DDoS protection settings. Customers on all plans, including the Free plan, can now tweak and optimize the settings directly from within the Cloudflare dashboard or via API.

productSep 2021

Cloudflare Images Now Available to Everyone

Cloudflare Images provides a straightforward, end-to-end solution to cost-effectively build and maintain your image infrastructure. Store, resize, and optimize images at scale using one unified product.

featureSep 2021

Generate Signed Exchanges for Google Search (waitlist)

Starting today, you will be able to generate Signed Exchanges (SXG) for Google Search with just one click. Automatic Signed Exchanges will be free for all Cloudflare Pro, Business and Enterprise customers as well as for customers using our Advanced Platform Optimization product. To sign up for the waitlist go to the Speed page on the Cloudflare dashboard and click on “Join Waitlist” on the Automatic Signed Exchanges (SXGs) card.

blogAug 2021

Zero Trust: Data protection controls within Cloudflare Browser Isolation

Cloudflare Browser Isolation executes all website code (including HTML) in the remote browser. Since page content remains on the remote browser and draw instructions are only sent to the browser, Cloudflare Browser Isolation is in a powerful position to protect sensitive data on any website or SaaS application.

Administrators can now control copy-paste, and printing functionality with per-rule granularity with one click in the Cloudflare for Teams Dashboard. For example, now administrators can build rules that prevent users from copying information from your CRM or that stop team members from printing data from your ERP—without blocking their attempts to print from external websites where printing does not present a data loss risk.

blogAug 2021

Zero Trust: Tenant control in Cloudflare's SWG solution

Cloudflare for Teams offers IT administrators a way to ensure users have access to SaaS applications for corporate use, while at the same time blocking access to their personal accounts. This helps prevent the loss of sensitive or confidential data from a corporate network.

You can create Gateway HTTP policies to control access to your corporate SaaS applications. When creating an HTTP policy with an Allow action, you will have the option to configure custom headers. The policy will use these headers to grant access to an application if a user’s request is headed to your organization’s account for the SaaS application, and to deny access if the request is headed to an account that does not match the information in the header.

blogAug 2021

Zero Trust: Capturing purpose justification for Zero Trust access policies

Within Cloudflare's Zero Trust platform (Cloudflare for Teams), administrators can prompt users to enter a justification for accessing an application prior to login. Administrators can add this prompt to any existing or new Access application with just two clicks, giving them the ability to log and review employee justifications for accessing sensitive applications; add additional layers of security to applications they deem sensitive; and customize modal text to communicate data use & sharing principles.

blogAug 2021

Zero Trust: Guided integrations with AWS, Zendesk, and Salesforce to protect your SaaS apps

Cloudflare's Zero Trust platform has guided integrations with the Amazon Web Services (AWS) management console, Zendesk, and Salesforce. In just a few minutes, your team can apply a Zero Trust layer over every resource you use and ensure your logs never miss a request. With Cloudflare in front of your SaaS applications, you can build Zero Trust rules that determine who can reach your SaaS applications in the same place where your rules for self-hosted applications and network access live.

blogAug 2021

Zero Trust: 6 new ways to validate device posture

New device posture checks enabled for policy creation in Cloudflare's Zero Trust platform: (1) Application Check — Verify any program of your choice is running on the device; (2) File Check — Ensure a particular file is present on the device (such as an updated signature, OS patch, etc.); (3) Disk Encryption — Ensure all physical disks on the device are encrypted; (4) OS Version — Confirm users have upgraded to a specific operating system version; (5) Firewall — Check that a firewall is configured on the device; (6) Domain Joined — Verify that your Windows devices must be joined to the corporate directory

blogAug 2021

Zero Trust: Shadow IT discovery

Shadow IT Discovery gives you visibility over which SaaS applications your end users are visiting. This information enables you to create the appropriate Zero Trust access or Secure Web Gateway policies in Cloudflare's Zero Trust Platform, so that you can have control over the security of your users and data. Within the Shadow IT Discovery user interface, you can gather information on the application status and application type of the applications visited by your users. You can also change an application's status according to your organization's preferences.

blogJun 2021

Zero Trust: Browser VNC with Zero Trust Rules

Cloudflare can render a Virtual Network Computer (VNC) terminal in your browser without any client software or configuration required.

Administrators can connect a VNC host to Cloudflare’s network. Using Cloudflare's ZNTA solution (Cloudflare Access), you can apply Zero Trust policies to determine who can access your VNC server. Cloudflare’s network will then enforce the Zero Trust policies and, when a user is allowed, render the client in the browser.

blogJun 2021

Zero Trust: Cloudflare's device client (WARP) available for Linux

Cloudflare's device client (WARP) is available on Linux

blogJun 2021

Zero Trust: Cloudflare's device client (WARP) available as local proxy

When Cloudflare's device client (WARP) is configured as a local proxy, only the applications that you configure to use the proxy (HTTPS or SOCKS5) will have their traffic sent through WARP. This allows you to pick and choose which traffic is encrypted (for instance, your web browser or a specific app), and everything else will be left open over the Internet.

featureJun 2021

Magic Transit Static Routes API is now live

Magic Transit customers can now view and update the static routes used to direct traffic over their GRE tunnels with a REST API. This API allows customers to control the routes for each prefix/tunnel as well as some properties of each route including priority, region scope, and weight for ECMP balancing.

blogJun 2021

Zero Trust: Creating private networks on Cloudflare

Administrators can build identity-aware, Zero Trust network policies using Cloudflare's Zero Trust platform. You can apply these rules to connections bound for the public Internet or for traffic inside a private network running on Cloudflare.

Network-level policies will allow you to match traffic that arrives from (or is destined to) data centers, branch offices, and remote users based on the following traffic criteria:

  • Source IP address or CIDR in the header
  • Destination IP address or CIDR in the header
  • Source port or port range in the header
  • Destination port or port range in the header
blogJun 2021

Zero Trust: Network based policies with Cloudflare's Zero Trust platform

Cloudlare's Zero Trust platform allows you can configure policies to control network-level traffic leaving your endpoints. Using network selectors like IP addresses and ports, your policies will control access to any network origin. Because Cloudflare integrates with your identity provider, it also gives you the ability to create identity-based network policies. This means you can now control access to non-HTTP resources on a per-user basis regardless of where they are or what device they’re accessing that resource from.

featureMay 2021

cf-request-id header slated for removal on July 1, 2021

The cf-request-id header has been deprecated and is slated for removal on July 1, 2021. Cloudflare will be temporarily removing it on June 15th as a test-run. If you are dependent on cf-request-id for any reason, we suggest you use cf-ray instead. More info can be found at https://api.cloudflare.com/deprecations

featureApr 2021

Load Balancing Proximity Steering is now GA

Load Balancing is used to keep our customers' infrastructures reliable, resilient, and available to their end-users day-in and day-out. Proximity steering allows customers to input longitude/latitude coordinates of their own data centers on a given pool to route requests from the CF PoP or external resolver the eyeball request arrived at to the closest geographical pool within the customers network.

featureApr 2021

Cloudflare Stream now supports NFTs

Cloudflare Stream has been helping creators publish their videos online without having to think about video quality, device compatibility, storage buckets or digging through FFmpeg documentation. We believe creators should have the freedom to choose how they make money from their work instead of being restricted to three sided ad marketplaces and unfair algorithms. Today, we’re introducing a new API that takes a ERC-721 token ID and contact address and sets it on a video so every video on Stream can be represented with an NFT.

featureApr 2021

Node.js support in Cloudflare Workers

Node.js made a breakthrough by enabling developers to build both the frontend and the backend with a single language. It took JavaScript beyond the browser and into the server by using Chrome V8. Building Node.js support into Workers almost sounds like a no-brainer: importing a library and watching everything work out-of-the-box would help developers move faster. Sharing our plans to support node.js - allowing developers to build bigger and more complex applications in Workers.

featureApr 2021

Announcing Cloudflare for SaaS for Everyone

Before today, SSL for SaaS was only available to Enterprise customers. Today, we are excited to announce that our SaaS solution is available to everyone. And to reflect the evolution of the product since it was first released, we’re changing the name: Cloudflare for SaaS.

Cloudflare for SaaS is a one-stop-shop for SaaS providers looking to provide fast load times, unparalleled redundancy, and the strongest security to their customers. It allows SaaS businesses to keep their teams focused on building out the solution, while we take care of the underlying infrastructure.

productApr 2021

Launching the auditable, browser-based, terminal

Cloudflare for Teams gives organizations of any size the ability to add Zero Trust controls to resources and data while also improving performance with Cloudflare’s network. Starting today, your team can use that same platform to seamlessly connect to non-HTTP resources from inside of a browser with the same level of audit control available in web applications.

Cloudflare’s browser-based terminal renders a fully functional console that a user can launch with a single click. Users authenticate with their organization’s SSO and Cloudflare’s edge checks that they meet the team’s Zero Trust rules for the resource being accessed. Once approved, users can run commands over SSH as if they were using their native command line without any client side configuration or agent. Cloudflare’s network will accelerate their connection, apply rules about what data transfers can take place, and record the session for administrators to audit as needed.

featureApr 2021

Cloudflare Partners with NVIDIA to Bring AI to its Global Edge Network

Cloudflare is now announcing a new partnership with NVIDIA to bring AI to the edge at scale. We're bringing developers powerful AI tools to build the applications that will power the future. The combination of NVIDIA’s GPU technology and Cloudflare’s edge network creates a massive platform on which developers can deploy applications that use pre-trained or custom machine learning models in seconds. By leveraging the TensorFlow platform developers can use familiar tools to build and test machine learning models, and then deploy them globally onto Cloudflare’s edge network.

productApr 2021

Pages General Availability

Cloudflare Pages is now available for anyone and ready for your production needs. Cloudflare Pages radically simplifies the process of developing and deploying sites by taking care of all the tedious parts of web development. Now, developers can focus on the fun and creative parts instead. New and improved features include: web analytics, built in redirects, protected previews, live previews, and optimized images.

productMar 2021

New Cloudflare Web Application Firewall

The new Web Application Firewall (WAF) brings better rule browsing and configuration, a new matching engine, updated rulesets, and global configuration. Starting today, 10% of newly created accounts on Cloudflare will be given access to the new WAF whenever a Pro plan zone or above is added. This percentage will increase to 100% of new accounts over the month of April, after which migration efforts will commence for existing customers. Enterprise customers may migrate early by contacting their account team.

featureMar 2021

Keyless SSL now supports FIPS 140-2 L3 hardware security module (HSM) offerings from all major cloud providers

Private encryption keys stored in hardware security module offerings from all major cloud providers can now be used to secure HTTPS connections at Cloudflare’s global edge.

featureMar 2021

Announcing API Abuse Detection

Today, we are announcing early access to API Abuse Detection. This technology will identify, secure, and protect API endpoints with unsupervised learning.

featureMar 2021

Introducing Super Bot Fight Mode

Cloudflare user with a Pro or Business site can take new action against bots. Pro users can now do more to stop bots. Highlights include: challenge or block traffic from “definitely automated” sources, enable JavaScript Detections to identify headless browsers and other actors on the Internet, and include or exclude verified bots from protection.

Business users can access a new version of Bot Analytics; where users can view traffic by type, adjust the time frame, and filter by different attributes like IP address or user agent.

For those with more advanced security needs, Enterprise Bot Management remains the gold standard. And it’s only getting better.

featureMar 2021

Cloudflare Route Leak Detection

Route Leak Detection is a new network alerting feature that tells you when a prefix you own that is onboarded to Cloudflare is being leaked, i.e., advertised by an unauthorized party. Route Leak Detection helps protect your routes on the Internet: it tells you when your traffic is going places it’s not supposed to go, which is an indicator of a possible attack, and reduces time to mitigate leaks by arming you with timely information. Cloudflare Magic Transit or BYOIP customers can configure route leak alerts in the dashboard today.

productMar 2021

Page Shield

Cloudflare Page Shield helps you monitor your applications’ Javascript dependencies for suspicious activity and protect your visitors from Magecart style attacks. Page Shield monitors potential attack vectors from third party scripts and prevents user information from falling into the hands of hackers. Page Shield uses a feature named ‘Script Monitor’ to record your site’s JavaScript dependencies over time. New JavaScript dependencies trigger alerts so application owners can investigate whether or not they were expected changes.

analystsMar 2021

2021 Gartner Peer Insights Customers’ Choice - Web Application Firewalls

Cloudflare has been recognised as Gartner Peer Insights Customers’ Choice for WAF vendor in 2021. These distinctions recognize vendors and products that are highly rated by their customers. The data collected represents a top-level synthesis of vendor software products most valued by IT Enterprise professionals.

blogMar 2021

Zero Trust: Announcing Cloudflare's Data Loss Prevention platform

Cloudflare's Zero Trust platform announces new controls over data in your enterprise.

featureMar 2021

API Shield with Schema Protection

Schema Validation is now available for all Enterprise customers. We're launching four features to help reduce the impact of exfiltration attacks: a managed IP List allowing you to block traffic from Open Proxies, more control over the certificate lifecycle, and a Data Loss Prevention solution. You can now navigate to the ‘API Shield’ tab where you can deploy API security products directly from the UI.

productMar 2021

Browser Isolation now available in Cloudflare for Teams

We are excited to announce that Cloudflare Browser Isolation is now available within the Cloudflare for Teams suite of zero trust security and secure web browsing services as an add-on. Teams of any size, from startups to large enterprises, can benefit from reliable and safe browsing without changing their preferred web browser or setting up complex network topologies. To get started, add Browser Isolation to a Teams Standard, Gateway, or Teams Enterprise plan as an add-on.

featureMar 2021

New device security integrations: Carbon Black, Sentinel One, Crowdstrike and Azure AD

Cloudflare for Teams customers can configure policies that rely on device security signals provided by their endpoint security vendor to allow or deny connections to their applications. This includes signals and attributes like version of the operating system, date of the last patch, disk encryption status, inventory of installed applications, status of anti-malware or endpoint security provider, and date of the last malware scan.

Cloudflare for Teams customers can now integrate device posture signals from Carbon Black, Sentinel One, Crowdstrike and Azure AD.

blogMar 2021

Zero Trust: Antivirus scanning in Cloudflare

Cloudflare's Secure Web Gateway solution (Gateway) protects users as they navigate the Internet. When users download or upload a file to an origin on the Internet, that file could potentially contain malicious code that may cause their device to perform undesired behavior.

To prevent this, Cloudflare Gateway allows admins to enable Anti-Virus (AV) scanning of files that are uploaded or downloaded by users as the file passes through Gateway.

AV scanning of files requires organizations to enable Proxy mode under Settings > Network > Layer 7 Firewall.

blogMar 2021

Zero Trust: New integrations with VMware Carbon Black, CrowdStrike, and SentinelOne

Cloudflare's Zero Trust platform enables device posture checks with new integrations with Mware Carbon Black, CrowdStrike, and SentinelOne to pair with an existing Tanium integration.

productMar 2021

Introducing Magic WAN with Magic Firewall

We are excited to announce Magic WAN with Magic Firewall - two of the most foundational aspects in our vision for the future of corporate networking and security with Cloudflare One.

Magic WAN provides secure, performant connectivity and routing for your entire corporate network, reducing cost and operational complexity. Magic Firewall integrates smoothly with Magic WAN, enabling you to enforce network firewall policies at the edge, across traffic from any entity within your network.

analystsMar 2021

The Forrester Wave™: DDoS Mitigation Solutions, Q1 2021

Forrester Research, Inc. evaluated 11 of the most significant providers in the market for DDoS Mitigation based on 28-criteria across current offering, strategy, and market presence. In the report, “The Forrester WaveTM: DDoS Mitigation Solutions, Q1 2021” Cloudflare was named a ‘Leader’.

analystsDec 2020

Frost & Sullivan Frost Radar™: Global Holistic Web Protection Market

Cloudflare is named as the innovation leader in the Global Holistic Web Protection Market for 2020 by Frost & Sullivan.

analystsDec 2020

Quadrant Knowledge Solutions 2020 SPARK Matrix of Bot Management

Cloudflare is Recognized as Leader in the 2020 SPARK Matrix of Bot Management Market.

featureDec 2020

Updates to the Network Analytics Dashboard

We are excited to announce updates to the Network Analytics dashboard.

First, a new Trends & Insights section has been added at the top of the dashboard and provides insights into DDoS attack analytics and their trends over time. Read more on our blog.

Additionally, the time-range filter in the Network Analytics dashboard has been expanded to display trends for up to 3 months at a time, allowing customers to view an entire quarter together.

The Network Analytics dashboard also includes a CSV export option that now allows customers to see up to 500 events in one file.

Finally, the new Monitor action allows customers to review traffic flagged by Cloudflare’s mitigation systems, before being mitigated. It allows you to identify the traffic type and decide if this is traffic you'd like to receive or have it blocked at the edge.

featureOct 2020

Introducing Bot Analytics

Bot Analytics helps you understand, analyze, and learn from automated traffic in the dashboard. It works seamlessly with Cloudflare's Bot Management solution. Customers can use Bot Analytics to view up to one week of traffic at a time, and even to filter on particular attributes like IP address or ASN.

Enterprise customers who do not have Bot Management now have access to a Bot Report. This tool — available in the Firewall tab — provides an exciting new breakdown of your site traffic.

analystsOct 2020

Forrester Opportunity Snapshot study shows rise in Zero Trust adoption

Cloudflare commissioned Forrester Consulting to explore the impact of 2020’s disruptions on security strategy and operations among companies of all sizes.

This Opportunity Snapshot survey examines how the understanding and adoption of Zero Trust security has radically accelerated in 2020, and explores what security decision makers at 317 organizations around the world plan to do to enable Zero Trust security architecture in 2021.

featureOct 2020

Cloudflare Gateway now includes L7 filtering and support for roaming devices

Cloudflare Gateway now protects roaming users and remote devices via integration with the Cloudflare WARP desktop client. Gateway can apply L7 filtering to inspect traffic for threats that hide below the surface.

featureOct 2020

Cloudflare Access now protects SaaS applications

Cloudflare Access now can be used to protect both internal and SaaS applications, allowing organizations to extend Zero Trust access capabilities to any application in use in their organization.

With Cloudflare Access, every request to applications is evaluated for user identity and device context. Access allows customers to use multiple sources of identity to grant different groups of users access to the same application. This gives customers the flexibility to extend access to external users (3rd parties, contractors, vendors) without having to onboard them onto your centralized Identity Provider.

featureOct 2020

Announcing support for GRPC

We're excited to announce native support for gRPC, a next-generation protocol that allows you to build APIs at scale. With gRPC on Cloudflare, you get access to the security, reliability, and performance features that you're used to having at your fingertips for traditional APIs.

When you put your gRPC APIs on Cloudflare, you immediately gain the benefits that come with Cloudflare. Nervous about exposing your APIs to bad actors? Add security features such as WAF and Bot Management. Need more performance? Turn on Argo Smart Routing to decrease time to first byte (TTFB). You can also increase reliability by adding a Load Balancer.

Support for gRPC is currently in beta mode. You can join the beta program from the Network tab on the Cloudflare dashboard.

featureSep 2020

Introducing Monitor Previews

Within Load Balancing, we have a feature called Health Monitors. As a refresher, a health monitor actively probes an origin within a pool to see if they are available and the results directly influence steering and failover decisions within the overall Load Balancer.

When our customers make changes to their Health Monitors, sometimes mistakes are made. This presents the possibility for missing critical health notifications across potentially many pools and origins! These missed notifications can result in the larger infrastructure being affected and serving large amounts of errors to end-users, in turn, tarnishing the user experience.

To solve this, we introduced Monitor Preview. With Preview, users can make changes to their monitor details and preview the results across all the pools the particular monitor is attached to, all before deploying the changes. This means as our customers continue to build more complex infrastructure on Cloudflare, they have the tools to drive confidence around any edits/changes they make to their monitor configurations ahead of deploying those changes. This not only ensures users configurations are correct across their varying pools, but protects them from any unwanted surprises and makes sure that application reliability is maximised.

featureSep 2020

Announcing support of Network Analytics for Spectrum applications

Cloudflare Spectrum users can now view detailed traffic reports on DDoS attacks to their configured TCP/UDP applications that include:

  • The size of attacks
  • The attack vector deployed
  • Where the attacks are coming from
  • The allowed network traffic

Cloudflare Spectrum is a reverse proxy product that offers DDoS protection and traffic acceleration for user-specified applications. Users can easily proxy their TCP/ UDP services behind Spectrum from the Cloudflare dashboard by specifying the hostname/ IP address and port number of the application. With support for Network Analytics, Spectrum users can now get detailed insights into DDoS attacks detected and mitigated at Cloudflare's edge on their Internet property.

To learn more about Network Analytics, read the blog post below.

featureSep 2020

Dashboard Updates to Network Analytics

We're introducing a series of features to the Network Analytics dashboard that allows our Magic Transit & BYOIP customers to investigate layer 3/4 DDoS attacks and analyze traffic more easily and effectively.

Network Analytics provides near real-time visibility into network- and transport-layer traffic patterns and DDoS attacks for a customizable timeframe ranging from 30 minutes up to the last 60 days. The Network Analytics dashboard view is available to Enterprise customers that use Cloudflare Magic Transit or Bring-Your-Own-IP for Cloudflare Spectrum.

First, the new increased range of Top Ns allows users to expand their view to lower-tier variables. Users can adjust the Top Ns using a drop-down menu to either top 5, 10, or 15.

Second, the time series chart has an added tooltip to the “Allowed” legend, allowing users to include traffic triggered by Firewall Rules, flowtrackd, and L7 rules, which might not already be reflected in the Block or Rate Limited traffic for the time being.

Third, users can now view the attack distribution in a stacked bar chart that allows for easier comparison of the various attack vectors on your network.

We've also added a link to Network Analytics Knowledge Base (right next to the 'Packer summary' in the 'Packets' view) for users to learn more about the Network Analytics dashboard.

featureAug 2020

Introducing Cloudflare traceroute, a tool that helps customers debug network issues

Debugging network issues can be difficult. Tools like ping can help you understand the health of a network path from one point to another, but it can be hard to diagnose problems in other parts of the network that you don't have a direct presence in. That's why we're excited to announce the availability of the Cloudflare traceroute API, allowing customers to run traceroutes from Cloudflare's edge data centers to any target and narrow in on root causes of network issues regarding latency and packet loss.

The traceroute tool is generally available to all Cloudflare ENT customers and is available via our API at the link below.

featureJul 2020

BYOIP now available for Layer 7, Spectrum, and Magic Transit

Under certain circumstances, Customers may want Cloudflare to announce their IP prefixes on their behalf, a feature known as Bring your own IP, or BYOIP. It may be that these IPs are already allow-listed in important places, or end users are already pointing to these IPs.

Cloudflare can now announce an IP prefix on your behalf for use with our Layer 7 products (e.g. CDN/WAF/Rate Limiting/etc), as well as Spectrum and Magic Transit. It's worth noting that BYOIP is already a requirement for Magic Transit.

Whether you use our ASN or your own (BYOASN), Cloudflare will announce your IPs as Anycast IPs from all of our %{DataCenterCount} data centers, just as we would our own. Check out the blog on the release or take a peek at the developer docs, both linked below.

featureJul 2020

Introducing flowtrackd—Cloudflare’s DDoS protection with unidirectional TCP flow tracking

We’re excited to launch flowtrackd — a software-defined DDoS protection system that significantly improves Cloudflare’s ability to automatically detect and mitigate even the most complex TCP-based DDoS attacks.

Using only the ingress traffic that routes through Cloudflare, flowtrackd determines whether to forward or drop each received TCP packet based on the state of its related connection. The state machine that determines the state of the flows was developed in-house and complements Gatebot and dosd, our existing DDoS protection systems. Together Gatebot, dosd, and flowtrackd provide comprehensive multi-layer DDoS protection.

Flowtrackd is now generally available to all customers using Magic Transit.

featureJul 2020

Group by and zoom charts now available for paid plans

Cloudflare customers can now easily and quickly drill into their analytics to better understand the traffic patterns on their Internet property. With the introduction of the zoom and group-by features, customers can see in more detail any variations in their traffic patterns right from the dashboard. For example, a spike in traffic can be investigated by zooming into the relevant time range and then grouped by either a single IP address or the URL that may have caused the spike.

These features are now generally available to all Cloudflare customers using Firewall, Cache, Load Balancing, or Network analytics on our paid plans.

featureJul 2020

Port-range support for Cloudflare Spectrum

Cloudflare Spectrum is a reverse proxy product that offers DDoS protection and traffic acceleration for user-specified applications. Users can easily proxy their TCP/ UDP services behind Spectrum from the Cloudflare dashboard by specifying the hostname/ IP address and port number of the application.

Many services, however, (such as FTP, WebRTC, VoIP) run on multiple TCP ports requiring users to configure a separate Spectrum application for each port. This can be cumbersome to configure and maintain.

With the introduction of support for port ranges, users can now configure a single Spectrum application for a service that runs on multiple ports, making it significantly easier to configure and maintain.

analystsJul 2020

Cloudflare recognized as a representative vendor in Gartner's 2020 Market Guide for Zero Trust Network Access

Zero Trust Network Access (ZTNA) platforms replace broken corporate perimeters with individual access boundaries around your most critical applications. We’re excited that Gartner has named Cloudflare as a representative ZTNA-as-a-Service vendor in the 2020 Gartner Market Guide for Zero Trust Network Access.

featureJun 2020

Introducing Cache Analytics

Customers can now get deeper insights into the caching of their websites. See what resources are and aren't cached, so you can optimize your cache settings for a higher cache-hit ratio. You can filter by hostnames and see a list of top URLs that aren't cached, or images that might have short cache TTLs—so you can tune your cache settings to improve the performance of your website and save more on bandwidth costs.

Cache analytics is now generally available to all customers on the Pro, Business, and Enterprise plans, just navigate to the 'caching' tab in your dashboard.

featureJun 2020

Cache TTL by Status Page Rule and UI for Enterprise plans

We're introducing a new page rule that allows customers to set cache TTL (time-to-live) based on the status codes received from their origin server. This functionality gives you more granular control over a cached response based on the resource availability determined from the origin server responses.

This feature announcement is part of our continued effort to turn more "Workers required" functionality into first-class Cloudflare features that you can easily enable and set right from the dashboard.

featureJun 2020

Cloudflare Standalone Healthcheck Analytics is now generally available

Cloudflare Standalone Healthcheck Analytics is now generally available to all Pro, Business, and Enterprise customers. With Standalone Healthcheck Analytics, you can now see the availability of your origins, latency metrics, and top offending origins or error types over time. You get detailed insight into errors that are taking place across origins, empowering you to take targeted action(s) to remedy the issue and ensure your uptime is maximized. You can find the new analytics in the Healthcheck Analytics Tab of the Traffic App in the Cloudflare dashboard.

featureJun 2020

Benefit from Cloudflare’s global network and get full control over your traffic

Many customers want to maintain local control over their traffic while getting the security benefits that come with a global network. In the era of decentralized cloud services, this can be a massive challenge.

With the launch of Regional Services, you can leverage the power of our global network to increase the security, speed, and reliability of Internet properties—and retain full control over exactly where their traffic is serviced.

featureMay 2020

Tanium’s on-device security is now integrated with Cloudflare Access

Cloudflare Access now integrates with Tanium for Zero Trust access to internal apps. Today, Cloudflare and Tanium customers can ensure any connection to their corporate resources is protected with two layers of assurance: number one, the user’s corporate credentials, and number two, their managed device.

In the new Cloudflare for Teams UI, you can add Tanium as an authentication mechanism. The UI will prompt you to add your Tanium public certificate and the endpoint used to validate the connecting device. With that information, Cloudflare Access can query the device’s health when evaluating a connection without the risk that the device could be impersonated. All Cloudflare for Teams customers who have a Tanium deployment can begin integrating device posture into their Access policies today at no additional cost.

featureMay 2020

Secondary DNS onboarding UI for Enterprise customers

We’re happy to announce that we're rolling out a new Secondary DNS onboarding UI for our Enterprise customers (who have the secondary DNS entitlement enabled).

Until now, you could only onboard to our Secondary DNS via API. This meant multiple, manual API calls – resulting in a complicated onboarding experience, especially for those with multiple domains.

With the new UI, you can onboard your zones end-to-end and manage your DNS masters and TSIGs entirely through the Cloudflare dashboard. If you're an enterprise customer who is interested in Cloudflare Secondary DNS, please ask your account team to enable it for you.

featureApr 2020

Hardware Keys For 2FA Now Supported

The Cloudflare dashboard now supports security keys as a two-factor authentication method for all users. Hardware security keys are the most secure method of two-factor authentication. They also prevent phishing by verifying that a website is legitimate.

Cloudflare will support multiple hardware security keys, one TOTP seed, and one set of backup codes. We've also added a Management page for your two-factor authentication methods. This means that you can safely add, update, and remove methods while leaving 2FA enabled on your account. You can easily set up your security keys in the 2FA Management menu, found under "My Profile >> Authentication".

analystsApr 2020

Cloudflare named a Leader in the Omdia Market Radar for Zero Trust Access report

Cloudflare has been named as a leading provider of Zero Trust Access (ZTA) in the Omdia Market Radar for Zero Trust Access. In the report, Omdia explores the rise of Zero Trust Access as a response to shortcomings in VPNs, and the rapid expansion of remote work and cloud computing.

featureMar 2020

Protect Against HTTP Floods When Your Server Responds with Error Codes (5xx)

Cloudflare's automatic DDoS detection and mitigation systems are now synchronized with your origin servers and leverage your origin’s error response codes as an additional detection signal.

When your origin begins to respond to Cloudflare with an increasing rate of 5xx errors, Cloudflare's DDoS detection systems initiate automatically and will analyze traffic to identify floods faster than ever. Once a flood is detected, dynamically generated mitigation rules are propagated to Cloudflare’s edge data-center(s) to mitigate the flood.

These events will be visible in your Firewall Analytics Dashboard as part of the existing “HTTP DDoS” events. This capability is now enabled by default to all Cloudflare customers at no additional charge.

featureMar 2020

Load Balancing Fallback Pool has been added to Cloudflare's UI

We've added Cloudflare Fallback Pools to our UI, making it easier for our customers to designate a fallback pool or check if a fallback pool was set at all. The feature is generally available to all Load Balancing customers. Previously, customers could only designate a fallback pool in a given Load Balancer through an API. Now, customers can view, edit, and designate Fallback Pools directly in the Load Balancing UI. This lowers the barrier to utilize Fallback Pools and provides a better understanding of which pool is the fallback at any given time.

Customers can access the new Fallback Pool UI in the Load Balancer creation or edit flow, or within Manage Pools Table.

featureMar 2020

Usage Based Billing Alerts now in beta

We are thrilled to expand our alerting capabilities by launching Usage Based Billing Alerts. This new feature will give customers peace of mind about exceeding high bills by letting them know when their usage-based product – such as Cloudflare Argo or Cloudflare Access – exceeds the defined value set by the customer. This Usage Based Billing Alerts feature is now available as a beta and can be accessed via the Alert Notification Center in the Cloudflare Dashboard.

productMar 2020

Cloudflare Gateway now available to all customers

Cloudflare Gateway is now in general availability to all Cloudflare customers. Gateway is a secure web gateway that protects and accelerates outbound Internet traffic. Gateway protects offices, homes and guest wi-fi networks with secure DNS filtering. With 100+ content and security filters, you can use it to protect protects users from malicious and inappropriate content on the Internet, and stop malware, phishing and ransomware attacks before they impact users.

featureMar 2020

Standalone Healthchecks Advanced Configurations (API) is Generally Available

Cloudflare's Advanced Configuration options for Standalone Healthchecks are now generally available to all Pro, Business, and Enterprise customers. With Advanced Configurations, you can preview your Healthcheck(s) prior to deployment, ensuring no unforeseen breakages take place across your origins.

You can also take advantage of threshold-based checks to better target your health reporting, and also choose to be notified for fail, pass, or all health event types. We've also added TCP as a supported protocol for Healthchecks and added more detail for code mismatch errors, along with supporting PATCH and a new Search API. Customers can take advantage of this new functionality through our updated API's found here.

analystsFeb 2020

The Forrester New Wave™: Function-As-A-Service Platforms, Q1 2020

Forrester Research, Inc. evaluated 9 of the most significant providers in the emerging market for function-as-a-service (FaaS) based on 10-criteria across current offering and strategy. In the report, “The Forrester New Wave™: Function-As-A-Service Platforms, Q1 2020” Cloudflare was named a ‘Strong Performer’.

featureFeb 2020

Secondary DNS Analytics now generally available

Secondary DNS Analytics are now available to all our secondary DNS customers. This feature provides in-depth insights and visibility into DNS queries. Customers can explore DNS queries based on response code, record type, as well as records that return NXDOMAIN response. Customers can also view DNS query distribution across Cloudflare's data centers. This feature is accessible in the Analytics Tab of the Cloudflare Dashboard or through the DNS Analytics API.

featureJan 2020

Network Analytics for enhanced visibility, analytics and reporting

We are announcing Network Analytics for Magic Transit and Bring Your Own IP (BYOIP) enterprise customers. Security professionals are always exploring avenues for better visibility, analytics and reporting. Network Analytics provides actionable insights into the network-layer and transport-layer traffic and attacks. The analytical data enables customers to explore attack events including source, destination, rate, size and duration, in real-time to assess and mitigate DDoS attacks.

Security professionals regularly create customized reports to share with peers, managers and executives. This feature empowers customers with an easy way of creating customized reports for L3/4 DoS attack events. Reports can be created based on select parameters, for example, top events by source or destination and more.

featureJan 2020

Announcing General Availability of BYOIP Dynamic Advertisement APIs

You can now initiate or withdraw BGP advertisements of your Bring Your Own IP (BYOIP) prefixes using Cloudflare’s RESTful APIs.

With Dynamic Advertisements, customers can onboard with Cloudflare in an "on-demand” deployment model, where Cloudflare is not typically in a customer’s flow of traffic but can be inserted when the customer network is under attack. Dynamic Advertisement works with Magic Transit (L3), Spectrum (L4), or the HTTP CDN.

It is important to note that BYOIP prefixes must be explicitly configured for dynamic advertisement support. Existing BYOIP deployments on Cloudflare must go through a migration process before they can use this new functionality.

featureDec 2019

Zero-Downtime Origin Failover improves reliability for all Cloudflare customers

Zero-Downtime Origin Failover is a new capability of our network that improves reliability for all Cloudflare customers. It reduces the number of 52x errors Cloudflare serves to end-users by 20%.

A 52x error occurs when Cloudflare has trouble reaching a customer's origin. Currently, our Load Balancer uses data from our global network to pick the best origin server that we think will be online. However, if Cloudflare ultimately encounters an error, we just return the error to end-users. Zero-Downtime Failover builds on this capability by allowing us to try a new server in real-time before we return an error to the end-user.

Customers who enable Cloudflare Load Balancing and/or add multiple 'A' records for a given domain in their DNS settings will see the most benefit from our Zero-Downtime Origin Failover.

featureDec 2019

Introducing the GraphQL Analytics API

The GraphQL Analytics API, a powerful and flexible new way to explore your Cloudflare metrics and logs, is now generally available for all users. This API offers access to data regarding your HTTP requests, Firewall events, Load Balancing requests, and much more, all from one endpoint. You can select exactly what you need, whether it's one metric for one domain or multiple metrics aggregated for all of your domains. This functionality makes the API ideal for both data exploration and building your own analytics dashboards – it's the same technology we use for the Cloudflare dashboard.

featureDec 2019

Account Analytics now available in open beta for all users.

A new account-focused analytics dashboard is now available in open beta for all Cloudflare users. This dashboard helps you understand what's happening across all of your domains at a glance by providing information on metrics such as requests, bandwidth, cache rate, and error rate. You can also see your traffic broken down by country, view trends over the course of the year, and easily compare each period to the preceding one.

featureDec 2019

Cloudflare now supports Proxy Protocol v2 for TCP and UDP applications

We now support Proxy Protocol v2 for Spectrum customers. When a client connects to your service through Spectrum, your origin sees that connection coming in from one of the Cloudflare IPs – this is how reverse proxies work. But some of our customers would like to see the IP address of the original client.

In HTTP land, we passed that information along using the X-Forwarded-For header.For TCP or UDP applications, however, Cloudflare has used PROXY Protocol (for TCP applications) and Simple Proxy Protocol (for UDP applications) to pass that information along. Both these protocols have certain limitations:

  • PROXY Protocol v1 is quite verbose and outdated, and not all software supports it.
  • Simple Proxy Protocol is effective, but being a custom solution offered by Cloudflare, there is no out-of-the-box software that supports it.

PROXY Protocol v2 solves both of these problems by offering a binary format that is compatible with both UDP and TCP. Cloudflare will now support Proxy Protocol v2 for both TCP and UDP applications on our network.

For related API deprecations, see the API docs.

featureDec 2019

Cloudflare Load Balancing Analytics is now generally available

Cloudflare Load Balancing Analytics is now generally available to all Load Balancing customers. With LB Analytics, you get a granular view of traffic — identify which origins and pools are being selected for your traffic and why, so you can gather insights to optimize your infrastructure.

LB Analytics lets you graphically view traffic demands on load balancers, pools, and origins over variable time ranges. You can also see all of your current health check information on a new map, letting you see which pools and origins are either down or have higher latency than you would like. You can find Load Balancing Analytics in the Traffic tab of the Cloudflare Dashboard.

featureDec 2019

Firewall Analytics: Now available to all paid plans (with several new features!)

We’re making Firewall Analytics available to all paid plans so that more customers can easily understand how their attack mitigation is working.

Previously, Enterprise customers could view 14 days of Firewall Analytics for their domains. Today we’re increasing that retention to 30 days. Business and Professional plan zones will get 30 and 3 days of retention, respectively.

In addition, we’re adding several new enhancements to improve your workflow and productivity. These include:

  • Adaptive sampling: This guarantees that Firewall Analytics results are displayed in the Cloudflare Dashboard quickly and reliably, even when you are under a massive attack or otherwise receiving a large volume of requests.
  • Event-based logging: You can now filter by a specific rule (or any other criteria) and see a row for each event generated by that rule. This change also makes it easier to review all requests that would have been blocked by a rule by only creating it in Log mode.
  • Reduce false-positives: To help you determine what percent of CAPTCHA challenges shown to users may have been unnecessary, i.e., false positives, we are now showing the Challenge Solve Rate (CSR) for each rule.

Read this blog post for more information.

featureDec 2019

Apex proxying is now available for 'SSL for SaaS'

'SSL for SaaS' customers now have the option to enable their domain Apex to be proxied to Cloudflare. This is an improvement to our previous offering that required a subdomain.

To illustrate: Previously, to enable 'SSL for SaaS' you had to use a subdomain as your vanity domain, e.g. subdomain.example.com. Now you can use your domain apex (aka root domain), e.g. example.com.

For more on how 'SSL for SaaS' works, please see the blog post.

featureNov 2019

Cloudflare now defaults to RFC-compliant cache behavior

'Origin cache-control' is the cache-control header sent from the origin server that tells Cloudflare what assets to cache. Previously, a page-rule was made available for customers to enable advanced cache control directives from the origin server.

We are now making this the default behavior of the cache to be compliant with RFC7234.

Note that Cloudflare always respects origin-server cache-control headers, unless explicitly overridden. This change should not result in additional content getting cached. You must still set a "Cache Everything" rule for Cloudflare to treat all types of files as cacheable.

featureNov 2019

New Bypass Action in Firewall Rules

We've added a new action to Firewall Rules called Bypass. The new feature allows you to write a Firewall Rule expression, and select any of the 7 supported features to bypass:

  • Browser Integrity Check
  • Hotlink Protection
  • Rate Limiting
  • Security Level
  • User-Agent Blocking
  • WAF Managed Rules
  • Zone Lockdown

With this new capability, you can write complex expressions to bypass, based on any of the supported Request headers. Use cases include capability to bypass Rate Limiting based on trusted cookies, or being able to bypass specific features like WAF Managed Rules for penetration testing.

This new capability is available to all Cloudflare customers and is available within the Rule Builder and Editor, as well as via our API.

featureNov 2019

Enterprise customers can download filtered reports of Firewall Analytics

Enterprise customers now have the ability to print or download a PDF snapshot of their Firewall Analytics based on the filters that they have applied. This has been extremely helpful for customers to include analytical insights into reports that can be shared with executive management, engineering teams and other cross-functional stakeholders, or used as a snapshot as part of compliance/security reviews.

featureOct 2019

New API Deprecation Page

Any Cloudflare customer can now see all upcoming API changes in one place. Cloudflare's API exposes the entire Cloudflare infrastructure via a standardized programmatic interface. Using Cloudflare's API, you can do just about anything you can do on cloudflare.com in the customer dashboard. With the new API Deprecation Page, you will be able to see all changes to your APIs, which will simplify the workflow for your teams.

featureSep 2019

Customers can now monitor WAF Managed Ruleset updates online and via RSS

Cloudflare's WAF team regularly updates our Managed Rulesets to introduce new protections, update rules to decrease false positives, or to deprecate older rules which have been superseded by other, more effective rules or solutions. To help customers stay up to speed with the changes we are providing a public changelog with an RSS feed, which will provide key details regarding:

  • New changes to Cloudflare's Managed Rulesets
  • Timelines for the testing and deployment phases of the new changes
  • The intention of the rules being introduced or updated
  • The deployment state of the rules (Block or Simulate)
featureSep 2019

Logpush to Azure is now generally available

Cloudflare Enterprise customers can now use Logpush to have their HTTP request logs automatically uploaded to Microsoft Azure Blob Storage. Logpush makes it easy to get comprehensive metadata on the requests served by Cloudflare's network, in order to investigate and debug errors and security mitigations or build customized analytics. Simply select a cloud destination–Amazon S3, Google Cloud Storage, Sumo Logic, and now, Microsoft Azure–provide secure access to Logpush's service, and then receive logs every five minutes.

You can set up Logpush under the Analytics tab in the dashboard for any of your domains. A Logpush API is also available.

featureSep 2019

Cloudflare, along with Mozilla and Chrome are leading the charge to a faster, more secure Internet by providing support for HTTP/3

HTTP/3 is the next generation of the protocol that powers the web. Instead of using TCP as the transport layer, HTTP/3 uses QUIC, a new Internet transport protocol which is encrypted by default and helps accelerate traffic.

Customers with HTTP/3 enabled on their dashboard for their zones will now be able to deliver their websites and APIs over HTTP/3 to visitors who use Google Chrome or Mozilla Firefox browsers.

featureSep 2019

New SSL/TLS tab design

The Cloudflare SSL/TLS tab has a new look! The tab is now organized into sections for overview, edge certificates, origin certificates, and SSL for SaaS. Driven by customer feedback, these features present you with all the relevant information and controls you need to configure SSL/TLS with confidence. This tab is available to all customers in the dashboard.

Cloudflare provides a number of solutions for SSL/TLS including Universal SSL, Dedicated Certificates, User uploaded custom certificates, and SSL for SaaS.

featureSep 2019

1.1.1.1. WARP and WARP Plus now in GA

WARP is a new feature for the 1.1.1.1 mobile app that uses encryption to protect all of your data while it’s in transit over the Internet. This feature was designed to improve your mobile Internet security without draining your battery life or slowing you down. In fact, when network performance is poor, 1.1.1.1. with WARP has been shown to improve Internet speeds on your mobile device.

1.1.1.1. with WARP is free to download and use from Google Play and the iOS app store; you do NOT need to be a Cloudflare customer to use it. For those who want a faster experience, WARP Plus is a subscription-based add-on that uses ARGO routing to send your requests along the fastest path. See the blog post for more details.

productSep 2019

Introducing Browser Insights: a new way to monitor the performance of your sites

By injecting a javascript snippet into the webpage, Browser Insights helps you monitor your website’s performance right from your visitors’ browsers. Measure performance metrics such as TCP connection time, DNS response time, Time to First Byte (TTFB), page load time, and more.

Browser Insights is currently only available in Early Access. Customers can request access to this feature by clicking on the Speed Page in the Dashboard.

featureSep 2019

Announcing Bot Fight Mode

Bot Fight Mode is now available for all customers in the Firewall settings of the Dashboard. With Bot Fight Mode enabled, requests from traffic that matches malicious bot patterns will be challenged and/or blocked. The goal is to make it more computationally demanding and therefore more expensive to proliferate malicious bot traffic, disincentivizing attackers.

Since making bots consume more CPU resources may have the side effect of increasing carbon emissions, Cloudflare will be planting trees at a much greater rate than would be needed to offset this increase. See the blog post for more details.

featureSep 2019

Announcing faster DDoS Mitigation

We have successfully completed the rollout of DDoS mitigation enhancements to all of our data centers worldwide. These new improvements enable each data center to make localized decisions that will result in the automatic detection and mitigation of UDP and TCP-based DDoS attacks in under 10 seconds.

This faster mitigation has been automatically enabled for all Cloudflare customers.

featureSep 2019

Cloudflare API tokens are now generally available

Cloudflare API tokens are now available to all Cloudflare customers. API tokens allow you to authorize access to specific Cloudflare apps, accounts, and zones with limited permissions by API.

With API Tokens, you can minimize your security risk by leveraging the practice of least privilege - only granting that token access to exactly what it needs. You can access API Tokens in the ‘My Profile’ section of your Cloudflare account. For more details on how it works, review our blog post and support guide.

featureAug 2019

Spectrum event logs now available through Logpush

Spectrum connection logs are now accessible to Spectrum users through Logpush. You can create Logpush jobs to push event logs to your cloud service using the Logpush API or the Cloudflare Dashboard.

Connection logs help you to debug, generate reports and monitor service usage. Logs help shape a complete picture of the lifecycle of a connection, giving insight into:

  • where the connection was opened
  • the settings used to open the connection
  • the amount of data transferred on the connection
  • the errors leading to a disconnect

Logpush for Spectrum supports Amazon S3, Google Cloud Storage, Sumo Logic and Microsoft Azure Blob Storage.

productAug 2019

Cloudflare AMP Real URL is now generally available

Cloudflare AMP Real URL is now in general availability to all Cloudflare customers. It uses signed exchanges to guarantee the authenticity of your AMP pages when they are served from a supporting AMP cache. Web visitors will not only experience fast mobile page loads, but the website URL will now be shown natively when served from AMP cache.

featureAug 2019

Sparklines for Firewall and Rate Limiting rules

The next time you load up the Firewall rules or Rate Limiting rules tab in the dashboard, you will see a new sparkline for each rule showing activity over the last 24 hours. This can be a very useful indicator of whether or not your rules are working as expected. You can also click on any sparkline to see a filtered view of your Analytics or Event Log (for self-serve) for that specific rule. This feature is available for all customers.

featureAug 2019

Supercharging Firewall Events for Free, Pro, and Business customers

Cloudflare's new Firewall Event Log for Free, Pro, and Business customers provides a new smoother user experience and advanced functionality giving you more granularity when you search and filter your Firewall Events. With these extra capabilities, Firewall Events allows you to more accurately identify new or repeated threat attempts against your application.

Cloudflare customers are now able to:

  • Search for any field of an Event, including fuzzy matches.
  • Use a date/time picker, so you no longer need to sift through results to find something for a particular date or time.
  • See Events for all Firewall features (previously, some features were missing from the events view).
  • Have a much smoother user experience when trying to understand more about why a request was blocked.
productAug 2019

Announcing Cloudflare Magic Transit

Cloudflare Magic Transit is now available for Enterprise customers. Magic Transit provides secure, performant, and reliable IP connectivity to the Internet. Out-of-the-box, Magic Transit deployed in front of your on-premises network protects it from DDoS attack and enables provisioning of a full suite of virtual network functions, including advanced packet filtering, load balancing, and traffic management tools.

Enterprises are often forced to pick between performance and security when deploying IP network services. Magic Transit is designed from the ground up to minimize these trade-offs: performance and security are better together. Magic Transit deploys IP security services across our entire global network. This means no more diverting traffic to small numbers of distant “scrubbing centers” or relying on on-premise hardware to mitigate attacks on your infrastructure. Visit the product page to learn more.

featureAug 2019

Certificate Transparency Monitoring now in beta

CT Monitoring is now in beta for all customers. This is an opt-in service that crawls the public logs of certificate authorities and sends you an email whenever a certificate is issued for one of your domains. This information is important because a suspicious certificate issued to your domain could mean that a certificate authority made an error or that someone is perpetrating an attack on your service. With CT monitoring, you can spot bad certificates as they arise and quickly alert the certificate authority to minimize any harm.

featureAug 2019

Announcing Subdomain Support for Enterprise Customers

Enterprise customers now have Subdomain Support enabled by default. Cloudflare Subdomain Support simplifies management of Cloudflare performance and security for subdomains and provides several additional benefits.

Subdomain Support allows designated teams within your organization to control Cloudflare settings for a specific subdomain, while your central IT team maintains control of your root or parent domain. For example, Cloudflare settings for support.example.com can be managed completely separately from example.com. For more information and instructions, see the support document.

analystsJul 2019

Forrester Opportunity Snapshot: Internet Applications Don’t Need To Sacrifice Performance for Security

See the results of a commissioned study conducted by Forrester Consulting on behalf of Cloudflare on trends for cloud network adoption, usage, and challenges for enterprises around the world.

featureJul 2019

Announcing IP Firewall whitelisting and IPv4/IPv6 filtering for Spectrum

The IP Firewall for Spectrum apps now supports whitelisting. Previously, you could only use the IP Firewall to block a specific set of IPs (blacklisting). Starting today, you also have the option to effectively block everyone on the Internet outside of a list of approved IPs (whitelisting).

Additionally, we’ve added filtering for IPv4 and IPv6 on Spectrum apps. Several customers have indicated that they only want to enable IPv4 or IPv6 on their apps, so now you can indicate whether you want your app to use IPv4, IPv6, or both.

featureJun 2019

Updates to maximum cache file sizes

Thanks to some recent engineering and operational improvements, we have updated our default size limits for cached files. The new limits are as follows:

  • Enterprise customers can cache files up to 5GB by default
  • Enterprise customers can cache files up to 30GB by enabling origin range requests
  • Free, Business, and Pro customers can cache files up to 512MB
productJun 2019

AMP Real URL Entering Open Beta

We have rolled out the beta of AMP Real URL to all users. Accelerated Mobile Pages (AMP) is a Google feature that allows you to serve your mobile site from Google’s cache. Not only does this speed up the delivery of your site, but it is also viewed favorably by Google’s search algorithm. One side effect of using AMP is that users will see a path that starts with ‘google.com/amp' in the URL bar. This can confuse your users and hurt your brand.

Cloudflare’s AMP Real URL lets you retain your URL attribution on AMP pages by digitally signing content submitted to Google’s web crawler, proving that the content belongs to you. You can access AMP Real URL in the ‘speed’ tab of your dashboard; for more details on how it works please see the blog post.

featureJun 2019

Firewall Events can now be seen in Cloudflare Logs

Firewall events can now be seen in Cloudflare Logs, which is available for all Enterprise customers. Previously, customers using Cloudflare Logs had to decode our pathingStatus and pathingOps to understand what was happening during a request; the only way to get more details was by manually checking Firewall Events. But now you can see a breakdown of every service and rule that touched a request directly from Cloudflare Logs, providing you with better and clearer insights.

featureJun 2019

Cloudflare is now certified SOC 2 Type 2 compliant

We now have our report on SOC 2 Type 2 compliance. We previously received our SOC 2 Type 1 compliance, indicating that we designed and implemented strong controls around security, confidentiality, and availability. The new Type 2 compliance confirms that those controls have been tested over a period of time to demonstrate that they are operating effectively. These reports give our customers higher assurance that our internal controls are meeting security best practices/industry standards. Contact your customer representative to see the full report.

featureJun 2019

Read-only roles now available for Enterprise

A new read-only role is now available for all Enterprise accounts. This will enable you to grant read-only access to users in your organization. This role will have all-access read privileges, but a persistent icon in the top-bar will confirm that a user is in read-only mode. This feature is already live; when you add a new user you can now select “Administrator Read Only” as their role.

featureJun 2019

BYOIP with Spectrum

Bring Your Own IP (BYOIP) with Spectrum is now in beta for Enterprise customers. When creating a Spectrum application, Cloudflare normally assigns an arbitrary IP from Cloudflare’s IP pool to your application. This may not always be what you want: you may want to be explicit in your network setup or use your own IP addresses. BYOIP with Spectrum allows you to do just that.

If you own an IP prefix, you can migrate it to Cloudflare. Once the migration is complete, Cloudflare will start broadcasting your IP prefix and traffic will get routed to the global Cloudflare network. Without configuration, however, Cloudflare will not know how to handle this traffic. You’ll need to add Spectrum applications for all applications that you wish to protect, making sure to use the IP addresses you want associated with each application. See the docs or contact your customer representative to learn more.

featureJun 2019

New Improvements to Firewall Analytics, Rules, and Managed Rulesets

We’ve made some great new additions to Firewall Analytics, Rules, and Managed Rulesets. These updates are all live and available to use today. The complete list is as follows:

Analytics:

  • A new data picker in Firewall Analytics lets you select a specific date and time
  • A search update lets you use “contains,” “starts with,” and “ends with” for string fields (e.g. user-agent)
  • The Managed Rules topN now displays the Managed Rule ID, making it easier to identify
  • topNs can now be extended to 10 or 15 items using a dropdown

Firewall Rules and Managed Rulesets:

  • Descriptions within Managed Rules have been updated in a structured format, and contain more useful info
  • MaxMind's subdivision 1 and 2 data can be utilized within Firewall Rules using the Expression Editor, which allows you to block or whitelist regions, continents, and the EU
featureJun 2019

Updates to Cloudflare Workers

We have some major announcements for Workers customers and Workers developers. Workers now has an open-source CLI (command-line interface) called Wrangler, which will enable devs to build Workers in a way that is more native to their workflow. In addition, we are introducing a free tier for Workers as well as the ability to deploy to workers.dev. This means you can try Workers for free, and you won’t need to deploy to a domain. We are also enabling multi-scripting for Free, Pro, and Business plans so you can enjoy the benefit of having multiple scripts per zone. Previously, this feature was only available for Enterprise customers.

On top of all that, we have created a new UI, new documentation, and a new landing page for Workers (workers.cloudflare.com). Our goal is to eliminate barriers and make it easier to get started and build things with Workers. See the new docs for more details.

featureMay 2019

Updates to Audit Logs API

We are constantly working on improvements to our API so that all Cloudflare customers can have easy access to their data. Previously, Audit Logs API only supported querying by "day". It now supports down to the minute resolution for the since and before fields. The Audit Logs API will also be modified to return records with a maximum age of 18 months. Previously, queries were unbounded and this had a detrimental performance impact.

In addition, ALL Cloudflare APIs now include a standard response envelope, which includes an errors field. Previously, Audit Logs would return null for errors, instead of an empty array, which is the standard.

productMay 2019

Workers KV is Now in General Availability

Workers KV is now out of beta and in GA for all Cloudflare customers. Workers KV is a highly distributed, eventually consistent, key-value store that spans Cloudflare's global edge. It allows you to store billions of key-value pairs and read them with ultra-low latency anywhere in the world so you can build entire applications with the performance of a CDN static cache.

Workers KV enables you to store persistent data on the edge and quickly access that data with an API call. Some examples of functionality you can build with Workers KV include mass redirects and user authentication for apps. You can try Workers KV today by accessing it in the Workers tab in your dashboard.

featureMay 2019

Introducing Functions in Firewall Rules

A new feature in Firewall Rules called “Functions” is now available to customers on all plans. Functions will allow a customer to have better control and flexibility to evaluate attributes. Our first two transformations are an "upper" and "lower" function.

One of the biggest challenges with Wordpress and other applications, is that they automatically sanitize URLs to improve user-experience. The negative impact of this is it makes security more challenging. These functions will disable case sensitivity for that field, and you can now evaluate in either UPPER case or lower case. This does not change the actual request, it purely changes the case during the evaluation of the attribute. For examples and documentation please see the developer docs.

featureApr 2019

Cloudflare is officially ISO 27001:2013 compliant

ISO 27001 is a security certification that is used as an international standard for managing risks to information security. It is published by the International Organization for Standardization (ISO). Receiving this certification means that an organization has met a set of strict requirements in the implementation of their Information Security Risk Management System (ISMS).

To maintain this certification, an organization must be regularly audited by a certifying body who will ensure that the proper standards are being met. This means that Cloudflare customers can have peace of mind knowing that we are preserving the confidentiality, integrity, and availability of your information. You can see the full list of our security certifications on our Compliance page.

featureApr 2019

HTTP flood analytics and UDP protection

We’ve exposed HTTP flood analytics in the Firewall Analytics dashboard. Now you can leverage the filters, toggle time periods, and view topN insights for HTTP floods.

We’ve also upgraded our UDP protection. In addition to the existing UDP protocol violation protection, we’ve added more protection against UDP floods. This fortification is intended to support Spectrum UDP applications, BYOIP, NTP/NTS and QUIC (by Q3). TCP/UDP analytics is planned for later this year as well.

featureApr 2019

Faster cache hits for CNAME origins

We’ve launched a major performance enhancement for all Cloudflare customers who use CNAME DNS records to point to their origin. For example, customers may configure "origin.customer.com" to reach their origin instead of an A record like 198.41.214.162.

Before this change, every single request to our edge would trigger a DNS lookup for an origin IP. This behavior is particularly problematic if a CNAME is configured as the origin. In this case, we could add 100s of milliseconds in latency, since we may need multiple Internet requests to fetch the origin IP. Now, we only look up the origin IP when we need it. This cuts the total number of DNS requests in half and reduces the total time we spent looking up DNS records by about 1/3rd globally.

featureMar 2019

Announcing Concurrent Streaming Acceleration

We have improved the way we deliver large file downloads for all of our customers. Concurrent Streaming Acceleration is a new way of delivering large, uncached files to multiple clients simultaneously. Previously, when several users requested an uncached file, the first user to ask for the file would have to finish downloading for the file to be cached and delivered to the other users. With Concurrent Streaming Acceleration, several users can simultaneously download the file while it is being added to the Cloudflare CDN cache.

This change is live across all of Cloudflare, and will be particularly helpful for streaming live video to multiple users via Cloudflare Stream. Several users have noticed a drop in “cache lock wait time,” i.e. how long a request must wait for other requests – since we rolled out this change.

featureMar 2019

Cloudflare is now certified SOC 2 Type 1 compliant

This week we received our SOC 2 Type 1 compliance report. This report evaluates Cloudflare on three trust service principles of SOC 2: Security, Availability, and Confidentiality. SOC 2 is a compliance certification that focuses on internal controls of an organization related to five trust principles: Security, Confidentiality, Processing Integrity, Availability, and Privacy.

To maintain this certification, an organization must be regularly audited by a certifying body who will ensure that the proper standards are being met. This certification means Cloudflare customers can rest assured that their data is being kept private and protected. Enterprise customers can get in touch if they want to see a copy of the report.

featureMar 2019

Announcing L4 DoS analytics for Enterprise

This week we release Layer 4 DoS analytics in the dashboard for Enterprise customers. Enterprise users will now be able to see both Layer 7 analytics in the form of dropped HTTP requests per second as well as Layer 4 analytics in the form of dropped TCP packets per second.

Layer 4 (transport layer) attacks exploit a vulnerability in the TCP handshake in an attempt to max out the maximum number of TCP connections. Meanwhile layer 7 (application layer) attacks attempt to overwhelm a service with HTTP requests. Seeing analytics for both can help you understand what kind of attacks you are facing and what type of protection you need.

featureMar 2019

Source IP preservation for Spectrum UDP packets

Some services you run may require knowledge of the true client IP. However, since Cloudflare intercepts packets before forwarding them to your server, you may see Cloudflare’s IP rather than the true client IP. In these cases, you can use a proxy protocol for Cloudflare to pass on the client IP to your service.

Previously, we enabled Proxy Protocol support for Spectrum TCP packets. Since Proxy Protocol doesn’t support UDP, we have now created our own Simple Proxy Protocol to allow IP preservation for Spectrum UDP packets; this feature is available for all customers. To enable, simply flip the switch in the Spectrum dashboard. See the docs for more details.

analystsMar 2019

IDC MarketScape: Worldwide DDoS Prevention Solutions 2019

Cloudflare has been named a "Leader" in the IDC MarketScape: Worldwide DDoS Prevention Solutions 2019 Vendor Assessment.

featureMar 2019

Firewall Analytics

Insights into security events are critical for monitoring the health of web applications. Today, Cloudflare announced new Firewall Analytics which will help our Enterprise customers get detailed insights into firewall events, helping them to tailor their security configurations more effectively.

productFeb 2019

Cloudflare Logs - Granular Insights Into Your Traffic

Improve your application’s performance and security by tuning your Cloudflare configuration. Investigate and debug errors and security mitigations reported by your end users. Build customized analytics in the tools you already use.

featureFeb 2019

Access service tokens

Access improves the security of service-to-service connections by adding service token authentication to the protections offered by Cloudflare. With service tokens, customers can now extend access control to automated tools, scripts, and bots.

featureJan 2019

Workers Cache API

Cache API now works with Workers to give customers greater, more fine grained control over Cloudflare's caching behavior. This API will now allow customers to cache objects that were traditionally uncacheable, for example caching POST requests.

featureJan 2019

Increased load balanced origins support

Customers on Free, Pro and Business plans can now purchase load balancing support for up to 20 origins. This increased support allows customers to build a more resilient global infrastructure that ensures their customers are served content from locations closest to them, with the lowest latency.

featureDec 2018

Access Service to Service

Access improves the security of service-to-service connections by adding service token authentication to the protections offered by Cloudflare.

featureDec 2018

Access TLS Client Authentication

Access now supports mutual TLS (mTLS) authentication. Mutual TLS authentication ensures that the traffic is secure and trusted in both directions between a client and server. This type of authentication can be used for allowing requests such as Internet of Things devices, that do not login with an identity provider, to demonstrate that they have permissions to reach a given resource. Organizations will be able to use mutual TLS authentication as a second layer of authentication for users or as the primary method of authentication for connected devices.

featureNov 2018

Access - SSH Support

Access can authenticate users who want to use SSH (Secure Shell). This removes the need for a VPN by developers, IT, and support to use this service while providing secure authentication and integration with major identity providers.

blogOct 2018

Access enables a Zero Trust Command Line Interface (CLI) authentication to APIs

Increase performance for users using APIs over CLI by authenticating near them, not in a far away VPN server. Simplify and reduce costs for deployment, configuration, and maintenance. Tightly control authorization through granular policies based on attributes such as users, IP ranges, and application URLs.

featureOct 2018

Cloudflare Dashboard: Single Sign-On support

The Cloudflare dashboard now supports Single Sign On (SSO) for ease of centralized identity and access management. Reduce user provisioning times and avoid password sprawl, with a seamless SSO experience that supports your existing identity providers.

featureOct 2018

Access Single Sign On (SSO) for On Premise Confluence or JIRA

Customers have secure SSO access to Confluence or JIRA. Instead of entering credentials twice, users authenticate only once through Access.

analystsOct 2018

IDC: Serverless Computing: Benefits, Trends, and Deployment Models

This IDC Vendor Spotlight examines serverless computing technology, which provides a fully managed deployment environment and encourages a microservices-style architecture that lets developers rapidly deploy applications. The paper also looks at the role of Cloudflare in the market for serverless computing.

featureOct 2018

Cloudflare Workers: WebAssembly Support

Cloudflare Workers now support the inclusion of WebAssembly modules. WebAssembly support allows developers to run code inside of Cloudflare Workers written in almost any language including: Rust, Go, C, C++, and others.

productSep 2018

Cloudflare Workers KV: Beta

Cloudflare Workers KV provides access to a secure low latency key-value store at all 154 Cloudflare data centers. Developers can use Cloudflare Workers and Workers KV to augment existing applications or to build entirely new applications on top of Cloudflare's global cloud network. Workers KV scales seamlessly to support applications serving dozens or millions of users.

productSep 2018

Cloudflare Registrar: Early Access Program

Cloudflare Registrar lets you securely register and manage your domain names with transparent, no-markup pricing that eliminates surprise renewal fees and hidden add-on charges. Be one of the first to transfer your domains to Cloudflare. Sign up today for the Cloudflare Registrar Early Access.

featureSep 2018

Encrypted Server Name Indication (SNI)

Server Name Indication (SNI) does not conceal the requested hostname in the ClientHello message during TLS negotiation. This allows intermediaries to have visibility into the hostnames of websites visited by users. Exposing the hostname means that the privacy of users can be compromised, content can be censored, or traffic can be served with discriminatory quality-of-service.

Encrypted SNI keeps the hostname private when a user is visiting an ESNI-enabled site on Cloudflare by concealing the browser’s requested hostname from anyone listening on the Internet.

All domains on Cloudflare using our authoritative name servers get Encrypted SNI enabled as default.

featureSep 2018

Roughtime protocol support

Cloudflare improves the accuracy of time for TLS handshakes through a rough, authenticated time-synchronization based on Google’s Roughtime protocol. By running a Roughtime service, we enable clients to securely keep approximately correct time, which reduces erroneous authentication from 'clock skew' and increases security through wider adoption of short-lived HTTPS certificates.

featureSep 2018

Layer 4 Load Balancing and Health Checks

Cloudflare now supports load balancing for non-HTTP/S traffic across multiple origins for increased availability and performance when deployed with Spectrum.

featureSep 2018

The Cloudflare Onion Service

Cloudflare will run an Onion Service on its network. Tor users visiting sites that have enabled this feature will be scored for reputation differently from general Tor traffic. This will result in fewer CAPTCHAs for human Tor users while protecting the site from malicious actors and reducing exit node tampering.

featureSep 2018

RPKI support for all domains

Cloudflare supports the RPKI-framework for two important parts of Internet transit: signing BGP routes it announces for all Cloudflare domains, and validating announced IP addresses when routing traffic through its global network. Authenticating BGP routes with public key signing helps prevents visitors or origins on RPKI compliant ISP's from being hijacked.

featureSep 2018

Automatically Provision and Maintain DNSSEC

Provision and manage DNSSEC from within the Cloudflare dashboard instead of logging into the supported registrar.

productSep 2018

Distributed Web Gateway

Simplify, speed up, and secure read-only access to files stored on the InterPlanetary File System (IPFS), a peer-to-peer protocol for storing content.

featureSep 2018

Cloudflare Workers Terraform Provider Support

The Cloudflare Provider for Terraform now supports deployment and configuration of Cloudflare Workers. Users of Terraform can now include Cloudflare Workers as another part of their configuration as code approach to infrastructure.

featureSep 2018

Serverless Framework Integration

Deploy projects to Cloudflare Workers quickly and consistently using the Serverless Framework.

featureAug 2018

Spectrum supports multiple ports for TCP applications

Spectrum allows TCP applications to support proxying multiple ports on the same hostname. A single application with multiple ports, (e.g. SMTP, which uses ports 25, 465, and 587) can be proxied through Cloudflare using the same hostname to protect it from DDoS attacks.

productAug 2018

Cloudflare Stream is now generally available

Cloudflare Stream makes streaming high quality video at a global scale easy and affordable. Eliminate the effort of delivering high quality video with a massive, globally distributed video delivery network. Use a single, integrated workflow through a robust API or drag and drop UI that includes video encoding, global delivery, and customizable player.

productJul 2018

Cloudflare Access is now generally available

No VPN required. Cloudflare Access enables easy, secure, and fast access to internal applications wherever they are, from whatever device. Leverage a Zero Trust security framework with existing identity providers like Google™, Facebook™, Okta™, Github™, and more. Get your first 5 users per month for free.

featureJul 2018

Access supports reusable nested groups and bypass policies

Cloudflare Access now provides more granular control by supporting reusable nested user groups and bypass policies that include IP address whitelisting. Access policies based on user groups automatically apply rules to all users in the defined group, simplifying the creation and management of policies. Access rules can also enable traffic to bypass authentication. You can whitelist specific IP addresses, address ranges, or open up specified endpoints to the public internet.

featureJul 2018

Dynamic Steering

Dynamic steering is a load balancing feature that automates traffic steering across origins in multiple geographic regions. Round-trip time (RTT) for health checks is calculated across multiple pools of load balanced servers and origins to determine the fastest server pools. This RTT data enables the load balancers to identify the fastest pools, and to direct user requests to the most responsive origins.

featureJul 2018

Support for New DNS Record Types

Cloudflare's DNS now supports the following record types: CERT, DNSKEY, DS, NAPTR, SMIMEA, SSHFP, TLSA, and URI via the web and API.

featureJun 2018

FQDN Resolution of Load Balanced Origins at the Edge

Cloudflare now resolves fully qualified domain name (FQDN) origins at the edge rather than centrally. This allows load balancers to better support origins that utilize geo-DNS or other dynamic responses.

featureJun 2018

Developer Portal Q2 Update

The Developer Portal has been updated in Q2 to include improved search, documentation for new products, and listings of upcoming Cloudflare community events.

featureJun 2018

Rocket Loader Upgrade

Rocket Loader has been updated to deliver faster performance for website paint & load times by prioritising website content over JavaScript. Majority of mobile devices are now supported. Increased compliance with strict content security policies.

productMay 2018

Stream Delivery

Cloudflare’s Stream Delivery solution offers fast caching and delivery of video content across our network of 150+ global data centers.

featureMay 2018

Deprecating TLS 1.0 and 1.1 on api.cloudflare.com

On June 4, Cloudflare will be dropping support for TLS 1.0 and 1.1 on api.cloudflare.com. Additionally, the dashboard will be moved from www.cloudflare.com/a to dash.cloudflare.com and will require a browser that supports TLS 1.2 or higher.

featureMay 2018

Rate Limiting has new Actions and Triggers

Rate Limiting has two new features: challenges (CAPTCHA and JS Challenge) as an Action; and matching Header attributes in the response (from either origin or the cache) as the Trigger. These features give more control over how Cloudflare Rate Limiting responds to threshold violations, giving customers granularity over the types of requests to "count" to fit their different applications.

To learn more, go to the blog post.

featureMay 2018

Support purge-by-tag for large tag sizes

The Cache-Tag header now supports up to 1000 tags and a total header length of 16kb. This update simplifies file purges for customers who deploy websites with Drupal.

featureMay 2018

Multi-User Access on dash.cloudflare.com

Starting May 2 2018, users can go to the new home of Cloudflare’s Dashboard at dash.cloudflare.com and share account access. This has been supported at our Enterprise level of service, but is now being extended to all customers.

featureApr 2018

Support full SSL (Strict) mode validation for CNAME domains

Cloudflare is now able to validate origin certificates that use a hostname's CNAME target in Full SSL (Strict) mode. Previously, Cloudflare would not validate any certificate without a direct match of the HTTP hostname and the certificate's Common Name or SAN. This update allows SSL for SaaS customers to more easily enable end-to-end security.

productApr 2018

Cloudflare Spectrum

Spectrum protects TCP applications and ports from volumetric DDoS attacks and data theft by proxying non-web traffic through Cloudflare’s Anycast network.

featureApr 2018

Workers Can Control Cache TTL by Response Code

Cloudflare workers can now control cache TTL by response code. This provides greater control over cached assets with Cloudflare Workers.

productApr 2018

Argo Tunnel

Argo Tunnel ensures that no visitor or attacker can reach your web server unless they first pass through Cloudflare. Using a lightweight agent installed on origin infrastructure, including containers or virtual machines, Cloudflare creates an encrypted tunnel between its nearest data center and an application’s origin server without opening a public inbound port.

productMar 2018

Cloudflare Nimbus

Cloudflare is strengthening the Certificate Transparency (CT) ecosystem with our introduction of Nimbus, a free and open CT log. Certificate Transparency improves security online by bringing accountability to the system that protects HTTPs. Additionally, we have published Merkle Town, a dashboard for exploring and monitoring the certificate transparency ecosystem.

featureMar 2018

Load Balancing Configurable Weighting

Configurable weighting allows for user defined weighting for how much traffic an origin server receives.

featureMar 2018

Secondary DNS

Cloudflare can easily be setup as a secondary DNS provider. When records are edited with the primary DNS provider, the corresponding records at Cloudflare are automatically updated.

featureFeb 2018

Zone Lockdown

Zone Lockdown allows for the whitelisting of specific IP addresses and IP ranges, whereby all other IPs are effectively blacklisted. This supports specific sub-domains and URLs and is useful to protect an administrative area from non-specified IP addresses.

featureFeb 2018

User Agent Blocking Rules

Create a rule to block or challenge a specific User Agent from accessing your domain. This works similarly to Zone Lockdown, except the block examines incoming User-Agent strings rather than IPs. User Agent blocking applies to an entire zone, and sub-domains cannot not be specified.

productFeb 2018

Cloudflare Workers Beta is Now Open

Cloudflare Workers lets you run JavaScript on Cloudflare’s edge, deploying globally to over 120+ data centers around the world in less than 30 seconds. Your code can intercept and modify any request made to your website, make outbound requests to any URL on the Internet, and replace much of what you might need to configure your CDN to do today.

featureJan 2018

Cache Deception Armor

In light of cache deception attacks, we have released a tool called Cache Deception Armor to help our customers make sure only assets that should be cached are being cached.

productJan 2018

Cloudflare Access

Cloudflare Access offers secure application access without a VPN. Users can secure, authenticate, and monitor user access to any domain, application, or path on Cloudflare.

featureJan 2018

Load Balancing Event Logs

Load Balancing event logs allow for the review and filtering of status changes of your Load Balancing Origins and Pools.

featureDec 2017

Support for Cache-Control Header Extensions

Cloudflare now supports additional HTTP cache-control directives. These headers allow more control over content caching behavior and enable our cache to handle more complex instructions for handling online assets.  

featureDec 2017

CAA Record Support

Cloudflare now supports Certification Authority Authorization (CAA). CAA records allow domain owners to specify which CAs are authorized to issue certificates for their domain (or subdomain, as CAAs can be defined at any level of the hierarchy).

featureNov 2017

Cloudflare's New Server Response Header

Cloudflare's Nginx response header will change from 'cloudflare-nginx' to 'cloudflare'. This migration will begin on 11/29 and will take 1-2 months for all customers.

featureNov 2017

Audit Logs

Cloudflare's newly released Audit Logs offer the ability to view and download the most recent changes made to domains or account settings. It is provided in both the dashboard and via API.

featureNov 2017

Cloudflare Supports Privacy Pass

When people use anonymity services or shared IPs, it makes it more difficult for website protection services like Cloudflare to identify their requests as coming from legitimate users and not bots. The Privacy Pass browser extension reduces the number of challenge pages presented by Cloudflare by letting users prove their identity across multiple sites anonymously. The Privacy Pass extension is available for both Chrome and Firefox.

featureOct 2017

Load Balancing Session Affinity

Cloudflare Load Balancing now supports session affinity, using automatically generated cookies. If session affinity is enabled, the same target receives the request and can use the automated cookie to recover an existing session with the origin server.

featureOct 2017

Argo Analytics

Customers with Argo Smart Routing enabled can now get an in-depth look at dynamic content performance statistics across both requests and geographies.

featureSep 2017

Geo Key Manager

Geo Key Manager provides the ability to choose which Cloudflare data centers have access to private keys in order to establish HTTPS connections. Cloudflare has preconfigured options to select from either US or EU data centers as well as the highest security data centers in the Cloudflare network. Data centers without access to private keys can still terminate TLS, but they will experience a slight initial delay when contacting the nearest Cloudflare data center storing the private key.