Core Platform Release Notes

Cloudflare's network now supports redirecting verified AI training crawlers to canonical URLs when they request deprecated or duplicate pages. When enabled via AI Crawl Control > Quick Actions, AI training crawlers that request a page with a canonical tag pointing elsewhere receive a 301 redirect to the canonical version. Humans, search engine crawlers, and AI Search agents continue to see the original page normally.

This feature leverages your existing <link rel="canonical"> tags. No additional configuration required beyond enabling the toggle. Available on Pro, Business, and Enterprise plans at no additional cost.

Refer to the Redirects for AI Training documentation for details.

Original source

AI Crawl Control now includes new tools to help you prepare your site for the agentic Internet—a web where AI agents are first-class citizens that discover and interact with content differently than human visitors.

Content Format insights

The Metrics tab now includes a Content Format chart showing what content types AI systems request versus what your origin serves. Understanding these patterns helps you optimize content delivery for both human and agent consumption.

Directives tab (formerly Robots.txt)

The Robots.txt tab has been renamed to Directives and now includes a link to check your site's Agent Readiness score.

Refer to our blog post on preparing for the agentic Internet for more on why these capabilities matter.

Original source

Cloudflare has added new fields to multiple Logpush datasets:

TenantID field

The following Gateway and Zero Trust datasets now include a TenantID field:

• Gateway DNS: Identifies the tenant ID of the DNS request, if it exists.
• Gateway HTTP: Identifies the tenant ID of the HTTP request, if it exists.
• Gateway Network: Identifies the tenant ID of the network session, if it exists.
• Zero Trust Network Sessions: Identifies the tenant ID of the network session, if it exists.

Firewall for AI fields

The following datasets now include Firewall for AI fields:

Firewall Events

• FirewallForAIInjectionScore: The score indicating the likelihood of a prompt injection attack in the request.
• FirewallForAIPIICategories: List of PII categories detected in the request.
• FirewallForAITokenCount: The number of tokens in the request.
• FirewallForAIUnsafeTopicCategories: List of unsafe topic categories detected in the request.

HTTP Requests

• FirewallForAIInjectionScore: The score indicating the likelihood of a prompt injection attack in the request.
• FirewallForAIPIICategories: List of PII categories detected in the request.
• FirewallForAITokenCount: The number of tokens in the request.
• FirewallForAIUnsafeTopicCategories: List of unsafe topic categories detected in the request.

For the complete field definitions for each dataset, refer to Logpush datasets.

Original source

OAuth allows third-party applications to access your Cloudflare account on your behalf — like when Wrangler deploys Workers or when monitoring tools read your analytics. You now have granular control over which accounts these applications can access, plus the ability to revoke access anytime.

What's new

Choose which accounts to authorize

When authorizing an OAuth application, you can now select specific accounts instead of granting access to all your accounts:

• Account-by-account selection — Choose exactly which accounts the application can access
• "All accounts" option — Still available for trusted tools like Wrangler

This gives you precise control who can access your data.

Clear consent screens

The OAuth consent screen now shows:

• What the application can access — Explicit list of permissions being requested
• Who created the application — Application owner and contact information
• Which accounts you're authorizing — Checkboxes for account selection

Revoke access anytime

Manage authorized OAuth applications from your profile:

• See all connected apps — View every OAuth application with access to your accounts
• Review permissions and scope — Check what each application can do and which accounts it can access
• Revoke instantly — Remove access with one click when you no longer need it

To manage your OAuth applications, navigate to Profile > Access Management > Connected Applications.

Why this matters

These updates give you:

• Granular control — Authorize apps per-account instead of all-or-nothing
• Transparency — Know exactly what you're authorizing before you consent
• Security — Limit blast radius by restricting access to only necessary accounts
• Easy cleanup — Revoke access when applications are no longer needed

Learn more

Read more about these improvements in our blog post: Improving the OAuth consent experience.

Original source

Cloudflare API tokens now include identifiable patterns that enable secret scanning tools to automatically detect them when leaked in code repositories, configuration files, or other public locations.

What changed

API tokens generated by Cloudflare now follow a standardized format that secret scanning tools can recognize. When a Cloudflare token is accidentally committed to GitHub, GitLab, or another platform with secret scanning enabled, the tool will flag it and alert you.

Why this matters

Leaked credentials are a common security risk. By making Cloudflare tokens detectable by scanning tools, you can:

• Detect leaks faster — Get notified immediately when a token is exposed.
• Reduce risk window — Exposed tokens are deactivated immediately, before they can be exploited.
• Automate security — Leverage existing secret scanning infrastructure without additional configuration.

What happens when a leak is detected

When a third-party secret scanning tool detects a leaked Cloudflare API token:

• Cloudflare immediately deactivates the token to prevent unauthorized access.
• The token creator receives an email notification alerting them to the leak.
• The token is marked as "Exposed" in the Cloudflare dashboard.
• You can then roll or delete the token from the token management pages.

Supported platforms

• GitHub Secret Scanning — Automatically enabled for public repositories

For more information on token formats and secret scanning, refer to API token formats.

Original source

Redesigned "Get Help" Portal for faster, personalized help

Cloudflare has officially launched a redesigned "Get Help" Support Portal to eliminate friction and get you to a resolution faster. Previously, navigating support meant clicking through multiple tiles, categorizing your own technical issues across 50+ conditional fields, and translating your problem into Cloudflare's internal taxonomy.

The new experience replaces that complexity with a personalized front door built around your specific account plan. Whether you are under a DDoS attack or have a simple billing question, the portal now presents a single, clean page that surfaces the direct paths available to you — such as "Ask AI", "Chat with a human", or "Community" — without the manual triage.

What's New

One Page, Clear Choices: No more navigating a grid of overlapping categories. The portal now uses action cards tailored to your plan (Free, Pro, Business, or Enterprise), ensuring you only see the support channels you can actually use.

A Radically Simpler Support Form: We've reduced the ticket submission process from four+ screens and 50+ fields to a single screen with five critical inputs. You describe the issue in your own words, and our backend handles the categorization.

AI-Driven Triage: Using Cloudflare Workers AI and Vectorize, the portal now automatically generates case subjects and predicts product categories.

Moving complexity to the backend

Behind the scenes, we've moved the complexity from the user to our own developer stack. When you describe an issue, we use semantic embeddings to capture intent rather than just keywords.

By leveraging case-based reasoning, our system compares your request against millions of resolved cases to route your inquiry to the specialist best equipped to help. This ensures that while the front-end experience is simpler for you, the back-end routing is more accurate than ever.

To learn more, refer to the Support documentation or select Get Help directly in the Cloudflare Dashboard.

Original source

We're announcing the public beta of Organizations for enterprise customers, a new top-level Cloudflare container that lets Cloudflare customers manage multiple accounts, members, analytics, and shared policies from one centralized location.

What's New

• Organizations [BETA]: Organizations are a new top-level container for centrally managing multiple accounts. Each Organization supports up to 500 accounts and 500 zones, giving larger teams a single place to administer resources at scale.
• Self-serve onboarding: Enterprise customers can create an Organization in the dashboard and assign accounts where they are already Super Administrators.
• Centralized Account Management: At launch, every Organization member has the Organization Super Admin role. Organization Super Admins can invite other users and manage any child account under the Organization implicitly.
• Shared policies: Share WAF or Gateway policies across multiple accounts within your Organization to simplify centralized policy management.
• Implicit access: Members of an Organization automatically receive Super Administrator permissions across child accounts, removing the need for explicit membership on each account. Additional Org-level roles will be available over the course of the year.
• Unified analytics: View, filter, and download aggregate HTTP analytics across all Organization child accounts from a single dashboard for centralized visibility into traffic patterns and security events.
• Terraform provider support: Manage Organizations with infrastructure as code from day one. Provision organizations, assign accounts, and configure settings programmatically with the Cloudflare Terraform provider.
• Shared policies: Share WAF or Gateway policies across multiple accounts within your Organization to simplify centralized policy management.

Note

Organizations is in Public Beta. You must have an Enterprise account to create an organization, but once created, you can add accounts of any plan type where you are a Super Administrator.

For more info:

Get started with Organizations

Set up your Organization

Review limitations

Original source

Two new fields are now available in rule expressions that surface Layer 4 transport telemetry from the client connection. Together with the existing cf.timings.client_tcp_rtt_msec field, these fields give you a complete picture of connection quality for both TCP and QUIC traffic — enabling transport-aware rules without requiring any client-side changes.

Previously, QUIC RTT and delivery rate data was only available via the Server-Timing: cfL4 response header. These new fields make the same data available directly in rule expressions, so you can use them in Transform Rules, WAF Custom Rules, and other phases that support dynamic fields.

New fields

Field Type Description cf.timings.client_quic_rtt_msec Integer The smoothed QUIC round-trip time (RTT) between Cloudflare and the client in milliseconds. Only populated for QUIC (HTTP/3) connections. Returns 0 for TCP connections. cf.edge.l4.delivery_rate Integer The most recent data delivery rate estimate for the client connection, in bytes per second. Returns 0 when L4 statistics are not available for the request.

Example: Route slow connections to a lightweight origin

Use a request header transform rule to tag requests from high-latency connections, so your origin can serve a lighter page variant:

Rule expression

cf.timings.client_tcp_rtt_msec > 200 or cf.timings.client_quic_rtt_msec > 200

Header modifications

Operation Header name Value Set X-High-Latency true

Example: Match low-bandwidth connections

cf.edge.l4.delivery_rate > 0 and cf.edge.l4.delivery_rate < 100000

For more information, refer to Request Header Transform Rules and the fields reference.

Original source

Logpush now supports higher-precision timestamp formats for log output. You can configure jobs to output timestamps at millisecond or nanosecond precision. This is available in both the Logpush UI in the Cloudflare dashboard and the Logpush API.

To use the new formats, set timestamp_format in your Logpush job's output_options:

• rfc3339ms — 2024-02-17T23:52:01.123Z
• rfc3339ns — 2024-02-17T23:52:01.123456789Z

Default timestamp formats apply unless explicitly set. The dashboard defaults to rfc3339 and the API defaults to unixnano.

For more information, refer to the Log output options documentation.

Original source

Cloudflare now exposes four new fields in the Transform Rules phase that encode client certificate data in RFC 9440 format. Previously, forwarding client certificate information to your origin required custom parsing of PEM-encoded fields or non-standard HTTP header formats. These new fields produce output in the standardized Client-Cert and Client-Cert-Chain header format defined by RFC 9440, so your origin can consume them directly without any additional decoding logic.

Each certificate is DER-encoded, Base64-encoded, and wrapped in colons. For example, :MIIDsT...Vw==:. A chain of intermediates is expressed as a comma-separated list of such values.

New fields

Field Type Description cf.tls_client_auth.cert_rfc9440 String The client leaf certificate in RFC 9440 format. Empty if no client certificate was presented. cf.tls_client_auth.cert_rfc9440_too_large Boolean true if the leaf certificate exceeded 16 KB and was omitted. In practice this will almost always be false. cf.tls_client_auth.cert_chain_rfc9440 String The intermediate certificate chain in RFC 9440 format as a comma-separated list. Empty if no intermediate certificates were sent or if the chain exceeded 16 KB. cf.tls_client_auth.cert_chain_rfc9440_too_large Boolean true if the intermediate chain exceeded 16 KB and was omitted.

The chain encoding follows the same ordering as the TLS handshake: the certificate closest to the leaf appears first, working up toward the trust anchor. The root certificate is not included.

Example: Forwarding client certificate headers to your origin server

Add a request header transform rule to set the Client-Cert and Client-Cert-Chain headers on requests forwarded to your origin server. For example, to forward headers for verified, non-revoked certificates:

Rule expression:

cf.tls_client_auth.cert_verified and not cf.tls_client_auth.cert_revoked

Header modifications:

Operation Header name Value Set Client-Cert cf.tls_client_auth.cert_rfc9440 Set Client-Cert-Chain cf.tls_client_auth.cert_chain_rfc9440

To get the most out of these fields, upload your client CA certificate to Cloudflare so that Cloudflare validates the client certificate at the edge and populates cf.tls_client_auth.cert_verified and cf.tls_client_auth.cert_revoked.

For more information, refer to Mutual TLS authentication, Request Header Transform Rules, and the fields reference.

Original source

AI Crawl Control now supports extending the underlying WAF rule with custom modifications. Any changes you make directly in the WAF custom rules editor — such as adding path-based exceptions, extra user agents, or additional expression clauses — are preserved when you update crawler actions in AI Crawl Control.

If the WAF rule expression has been modified in a way AI Crawl Control cannot parse, a warning banner appears on the Crawlers page with a link to view the rule directly in WAF.

For more information, refer to WAF rule management.

Original source

In the Cloudflare One dashboard, the overview page for a specific Cloudflare Tunnel now shows all replicas of that tunnel and supports streaming logs from multiple replicas at once.

Previously, you could only stream logs from one replica at a time. With this update:

Replicas on the tunnel overview

All active replicas for the selected tunnel now appear on that tunnel's overview page under Connectors. Select any replica to stream its logs.

Multi-connector log streaming

Stream logs from multiple replicas simultaneously, making it easier to correlate events across your infrastructure during debugging or incident response. To try it out, log in to Cloudflare One and go to Networks > Connectors > Cloudflare Tunnels. Select View logs next to the tunnel you want to monitor.

For more information, refer to Tunnel log streams and Deploy replicas.

Original source

Service Key authentication for the Cloudflare API is deprecated. Service Keys will stop working on September 30, 2026.

API Tokens replace Service Keys with fine-grained permissions, expiration, and revocation.

What you need to do

Replace any use of the X-Auth-User-Service-Key header with an API Token scoped to the permissions your integration requires.

If you use cloudflared, update to a version from November 2022 or later. These versions already use API Tokens.

If you use origin-ca-issuer, update to a version that supports API Token authentication.

For more information, refer to API deprecations.

Original source