Core Platform Release Notes

ip.src.metro_code

The ip.src.metro_code field in the Ruleset Engine is now populated with DMA (Designated Market Area) data.
You can use this field to build rules that target traffic based on geographic market areas, enabling more granular location-based policies for your applications.

Field details

The metro code (DMA) of the incoming request's IP address. Returns the designated market area code for the client's location.

Example filter expression:

ip.src.metro_code eq "501"

For more information, refer to the Fields reference.

Earlier this year, we announced the launch of the new Terraform v5 Provider. We are aware of the high number of issues reported by the Cloudflare community related to the v5 release. We have committed to releasing improvements on a 2-3 week cadence to ensure its stability and reliability, including the v5.15 release. We have also pivoted from an issue-to-issue approach to a resource-per-resource approach - we will be focusing on specific resources to not only stabilize the resource but also ensure it is migration-friendly for those migrating from v4 to v5.

Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs.

This release includes bug fixes, the stabilization of even more popular resources, and more.

Features

• ai_search: Add AI Search endpoints (6f02adb)
• certificate_pack: Ensure proper Terraform resource ID handling for path parameters in API calls (081f32a)
• worker_version: Support startup_time_ms (286ab55)
• zero_trust_dlp_custom_entry: Support upload_status (7dc0fe3)
• zero_trust_dlp_entry: Support upload_status (7dc0fe3)
• zero_trust_dlp_integration_entry: Support upload_status (7dc0fe3)
• zero_trust_dlp_predefined_entry: Support upload_status (7dc0fe3)
• zero_trust_gateway_policy: Support forensic_copy (5741fd0)
• zero_trust_list: Support additional types (category, location, device) (5741fd0)

Bug fixes

• access_rules: Add validation to prevent state drift. Ideally, we'd use Semantic Equality but since that isn't an option, this will remove a foot-gun. (4457791)
• cloudflare_pages_project: Addressing drift issues (6edffcf) (3db318e)
• cloudflare_worker: Can be cleanly imported (4859b52)
• cloudflare_worker: Ensure clean imports (5b525bc)
• list_items: Add validation for IP List items to avoid inconsistent state (b6733dc)
• zero_trust_access_application: Remove all conditions from sweeper (3197f1a)
• spectrum_application: Map missing fields during spectrum resource import (#6495) (ddb4e72)

Upgrade to newer version

We suggest waiting to migrate to v5 while we work on stabilization. This helps with avoiding any blocking issues while the Terraform resources are actively being stabilized. We will be releasing a new migration tool in March 2026 to help support v4 to v5 transitions for our most popular resources.

For more information

• Terraform Provider
• Documentation on using Terraform with Cloudflare

The Overview tab is now the default view in AI Crawl Control. The previous default view with controls for individual AI crawlers is available in the Crawlers tab.

What's new

• Executive summary — Monitor total requests, volume change, most common status code, most popular path, and high-volume activity
• Operator grouping — Track crawlers by their operating companies (OpenAI, Microsoft, Google, ByteDance, Anthropic, Meta)
• Customizable filters — Filter your snapshot by date range, crawler, operator, hostname, or path

Get started

• Log in to the Cloudflare dashboard and select your account and domain.
• Go to AI Crawl Control, where the Overview tab opens by default with your activity snapshot.
• Use filters to customize your view by date range, crawler, operator, hostname, or path.
• Navigate to the Crawlers tab to manage controls for individual crawlers.

Learn more about analyzing AI traffic and managing AI crawlers.

For AI crawler operators

Discovery API

A new authenticated API endpoint allows verified crawlers to programmatically discover domains participating in Pay Per Crawl. Crawlers can use this to build optimized crawl queues, cache domain lists, and identify new participating sites. This eliminates the need to discover payable content through trial requests.

The API endpoint is

GET https://crawlers-api.ai-audit.cfdata.org/charged_zones

and requires Web Bot Auth authentication. Refer to
Discover payable content
for authentication steps, request parameters, and response schema.

Payment header signature requirement

Payment headers (crawler-exact-price or crawler-max-price) must now be included in the Web Bot Auth signature-input header components. This security enhancement prevents payment header tampering, ensures authenticated payment intent, validates crawler identity with payment commitment, and protects against replay attacks with modified pricing. Crawlers must add their payment header to the list of signed components when constructing the signature-input header.

New crawler-error header

Pay Per Crawl error responses now include a new crawler-error header with 11 specific error codes for programmatic handling. Error response bodies remain unchanged for compatibility. These codes enable robust error handling, automated retry logic, and accurate spending tracking.

For site owners

Configure free pages

Site owners can now offer free access to specific pages like homepages, navigation, or discovery pages while charging for other content. Create a Configuration Rule in Rules > Configuration Rules, set your URI pattern using wildcard, exact, or prefix matching on the URI Full field, and enable the Disable Pay Per Crawl setting. When disabled for a URI pattern, crawler requests pass through without blocking or charging.

Some paths are always free to crawl. These paths are:

• /robots.txt
• /sitemap.xml
• /security.txt
• /.well-known/security.txt
• /crawlers.json

Get started

• AI crawler operators: Discover payable content | Crawl pages
• Site owners: Advanced configuration

Earlier this year, we announced the launch of the new Terraform v5 Provider. We are aware of the high number of issues reported by the Cloudflare community related to the v5 release. We have committed to releasing improvements on a 2-3 week cadence to ensure its stability and reliability, including the v5.14 release. We have also pivoted from an issue-to-issue approach to a resource-per-resource approach - we will be focusing on specific resources to not only stabilize the resource but also ensure it is migration-friendly for those migrating from v4 to v5.

Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs.

This release includes bug fixes, the stabilization of even more popular resources, and more.

Deprecation notice

Resource affected: api_shield_discovery_operation

Cloudflare continuously discovers and updates API endpoints and web assets of your web applications. To improve the maintainability of these dynamic resources, we are working on reducing the need to actively engage with discovered operations.

The corresponding public API endpoint of discovered operations is not affected and will continue to be supported.

Features

• pages_project: Add v4 -> v5 migration tests (#6506)

Bug fixes

• account_members: Makes member policies a set (#6488)
• pages_project: Ensures non empty refresh plans (#6515)
• R2: Improves sweeper (#6512)
• workers_kv: Ignores value import state for verify (#6521)
• workers_script: No longer treats the migrations attribute as WriteOnly (#6489)
• workers_script: Resolves resource drift when worker has unmanaged secret (#6504)
• zero_trust_device_posture_rule: Preserves input.version and other fields (#6500) and (#6503)
• zero_trust_dlp_custom_profile: Adds sweepers for dlp_custom_profile
• zone_subscription|account_subscription: Adds partners_ent as valid enum for rate_plan.id (#6505)
• zone: Ensures datasource model schema parity (#6487)
• subscription: Updates import signature to accept account_id/subscription_id to import account subscription (#6510)

Upgrade to newer version

We suggest waiting to migrate to v5 while we work on stabilization. This helps with avoiding any blocking issues while the Terraform resources are actively being stabilized. We will be releasing a new migration tool in March 2026 to help support v4 to v5 transitions for our most popular resources.

For more information

• Terraform Provider
• Documentation on using Terraform with Cloudflare

Breaking Change

Please be aware that there are breaking changes for the cloudflare_api_token and cloudflare_account_token resources. These changes eliminate configuration drift caused by policy ordering differences in the Cloudflare API.

For more specific information about the changes or the actions required, please see the detailed Repository changelog.

Features

• New resources and data sources added
  • cloudflare_connectivity_directory
  • cloudflare_sso_connector
  • cloudflare_universal_ssl_setting
• api_token+account_tokens: state upgrader and schema bump (#6472)
• docs: make docs explicit when a resource does not have import support
• magic_transit_connector: support self-serve license key (#6398)
• worker_version: add content_base64 support
• worker_version: boolean support for run_worker_first (#6407)
• workers_script_subdomains: add import support (#6375)
• zero_trust_access_application: add proxy_endpoint for ZT Access Application (#6453)
• zero_trust_dlp_predefined_profile: Switch DLP Predefined Profile endpoints, introduce enabled_entries attribut

Bug Fixes

• account_token: token policy order and nested resources (#6440)
• allow r2_bucket_event_notification to be applied twice without failing (#6419)
• cloudflare_worker+cloudflare_worker_version: import for the resources (#6357)
• dns_record: inconsistent apply error (#6452)
• pages_domain: resource tests (#6338)
• pages_project: unintended resource state drift (#6377)
• queue_consumer: id population (#6181)
• workers_kv: multipart request (#6367)
• workers_kv: updating workers metadata attribute to be read from endpoint (#6386)
• workers_script_subdomain: add note to cloudflare_workers_script_subdomain about redundancy with cloudflare_worker (#6383)
• workers_script: allow config.run_worker_first to accept list input
• zero_trust_device_custom_profile_local_domain_fallback: drift issues (#6365)
• zero_trust_device_custom_profile: resolve drift issues (#6364)
• zero_trust_dex_test: correct configurability for 'targeted' attribute to fix drift
• zero_trust_tunnel_cloudflared_config: remove warp_routing from cloudflared_config (#6471)

Upgrading

We suggest holding off on migration to v5 while we work on stabilization. This help will you avoid any blocking issues while the Terraform resources are actively being stabilized. We will be releasing a new migration tool in March 2026 to help support v4 to v5 transitions for our most popular resources.

For more info

• Terraform Provider
• Documentation on using Terraform with Cloudflare

Bug fixes

We've resolved a bug in Log Explorer that caused inconsistencies between the custom SQL date field filters and the date picker dropdown. Previously, users attempting to filter logs based on a custom date field via a SQL query sometimes encountered unexpected results or mismatching dates when using the interactive date picker.

This fix ensures that the custom SQL date field filters now align correctly with the selection made in the date picker dropdown, providing a reliable and predictable filtering experience for your log data. This is particularly important for users creating custom log views based on time-sensitive fields.

New Cloudflare product datasets

We've significantly enhanced Log Explorer by adding support for 14 additional Cloudflare product datasets.

This expansion enables Operations and Security Engineers to gain deeper visibility and telemetry across a wider range of Cloudflare services. By integrating these new datasets, users can now access full context to efficiently investigate security incidents, troubleshoot application performance issues, and correlate logged events across different layers (like application and network) within a single interface. This capability is crucial for a complete and cohesive understanding of event flows across your Cloudflare environment.

The newly supported datasets include:
Zone Level

• Dns_logs
• Nel_reports
• Page_shield_events
• Spectrum_events
• Zaraz_events
  Account Level
• Audit Logs
• Audit_logs_v2
• Biso_user_actions
• DNS firewall logs
• Email_security_alerts
• Magic Firewall IDS
• Network Analytics
• Sinkhole HTTP
• ipsec_logs

Note

Auditlog and Auditlog_v2 datasets require audit-log.read permission for querying.
The biso_user_actions dataset requires either the Super Admin or ZT PII role for querying.

Example: Correlating logs

You can now use Log Explorer to query and filter with each of these datasets. For example, you can identify an IP address exhibiting suspicious behavior in the FW_event logs, and then instantly pivot to the Network Analytics logs or Access logs to see its network-level traffic profile or if it bypassed a corporate policy.

To learn more and get started, refer to the Log Explorer documentation and the Cloudflare Logs documentation.

Logpush Health Dashboards

We’re excited to introduce Logpush Health Dashboards, giving customers real-time visibility into the status, reliability, and performance of their Logpush jobs. Health dashboards make it easier to detect delivery issues, monitor job stability, and track performance across destinations. The dashboards are divided into two sections:

Upload Health

See how much data was successfully uploaded, where drops occurred, and how your jobs are performing overall. This includes data completeness, success rate, and upload volume.

Upload Reliability

Diagnose issues impacting stability, retries, or latency, and monitor key metrics such as retry counts, upload duration, and destination availability.

Health Dashboards can be accessed from the Logpush page in the Cloudflare dashboard at the account or zone level, under the Health tab. For more details, refer to our Logpush Health Dashboards documentation, which includes a comprehensive troubleshooting guide to help interpret and resolve common issues.