Core Platform Release Notes

Two-factor authentication (2FA)

Two-factor authentication (2FA) is one of the best ways to protect your account from the risk of account takeover. Cloudflare has offered phishing resistant 2FA options including hardware based keys (for example, a Yubikey) and app based TOTP (time-based one-time password) options which use apps like Google or Microsoft's Authenticator app. Unfortunately, while these solutions are very secure, they can be lost if you misplace the hardware based key, or lose the phone which includes that app. The result is that users sometimes get locked out of their accounts and need to contact support.

Today, we are announcing the addition of email as a 2FA factor for all Cloudflare accounts. Email 2FA is in wide use across the industry as a least common denominator for 2FA because it is low friction, loss resistant, and still improves security over username/password login only. We also know that most commercial email providers already require 2FA, so your email address is usually well protected already.

You can now enable email 2FA on the Cloudflare dashboard:

• Go to Profile at the top right corner.
• Select Authentication.
• Under Two-Factor Authentication, select Set up.

What’s New

• Refreshed member invite flow

  • We overhauled the Invite Members UI to simplify inviting users and assigning permissions.

• Refreshed Members Overview Page

  • We've updated the Members Overview Page to clearly display:
  • ◦ Member 2FA status
  • ◦ Which members hold Super Admin privileges
  • ◦ API access settings per member
  • ◦ Member onboarding state (accepted vs pending invite)

• New Member Permission Policies Details View

  • We've created a new member details screen that shows all permission policies associated with a member; including policies inherited from group associations to make it easier for members to understand the effective permissions they have.

• Improved Member Permission Workflow

  • We redesigned the permission management experience to make it faster and easier for administrators to review roles and grant access.

• Account-scoped Policies Restrictions Relaxed

  • Previously, customers could only associate a single account-scoped policy with a member. We've relaxed this restriction, and now Administrators can now assign multiple account-scoped policies to the same member; bringing policy assignment behavior in-line with user-groups and providing greater flexibility in managing member permissions.

New fields

Cloudflare now provides two new request fields in the Ruleset engine that let you make decisions based on whether a request used TCP and the measured TCP round-trip time between the client and Cloudflare. These fields help you understand protocol usage across your traffic and build policies that respond to network performance. For example, you can distinguish TCP from QUIC traffic or route high latency requests to alternative origins when needed.

Field | Type | Description
cf.edge.client_tcp | Boolean | Indicates whether the request used TCP. A value of true means the client connected using TCP instead of QUIC.
cf.timings.client_tcp_rtt_msec | Number | Reports the smoothed TCP round-trip time between the client and Cloudflare in milliseconds. For example, a value of 20 indicates roughly twenty milliseconds of RTT.

Example filter expression:

cf.edge.client_tcp && cf.timings.client_tcp_rtt_msec < 100

More information can be found in the Rules language fields reference.

Logpush now supports integration with Microsoft Sentinel

Logpush now supports integration with Microsoft Sentinel. The new Azure Sentinel Connector built on Microsoft’s Codeless Connector Framework (CCF), is now avaialble. This solution replaces the previous Azure Functions-based connector, offering significant improvements in security, data control, and ease of use for customers. Logpush customers can send logs to Azure Blob Storage and configure this new Sentinel Connector to ingest those logs directly into Microsoft Sentinel.

This upgrade significantly streamlines log ingestion, improves security, and provides greater control:

• Simplified Implementation: Easier for engineering teams to set up and maintain.
• Cost Control: New support for Data Collection Rules (DCRs) allows you to filter and transform logs at ingestion time, offering potential cost savings.
• Enhanced Security: CCF provides a higher level of security compared to the older Azure Functions connector.
• ata Lake Integration: Includes native integration with Data Lake.

Find the new solution here and refer to the Cloudflare's developer documention for more information on the connector, including setup steps, supported logs and Microsfot's resources.

Robots.txt tab insights in AI Crawl Control

AI Crawl Control now includes a Robots.txt tab that provides insights into how AI crawlers interact with your robots.txt files.

The Robots.txt tab allows you to:

• Monitor the health status of robots.txt files across all your hostnames, including HTTP status codes, and identify hostnames that need a robots.txt file.
• Track the total number of requests to each robots.txt file, with breakdowns of successful versus unsuccessful requests.
• Check whether your robots.txt files contain Content Signals directives for AI training, search, and AI input.
• Identify crawlers that request paths explicitly disallowed by your robots.txt directives, including the crawler name, operator, violated path, specific directive, and violation count.
• Filter robots.txt request data by crawler, operator, category, and custom time ranges.

Take action

When you identify non-compliant crawlers, you can:

• Block the crawler in the Crawlers tab
• Create custom WAF rules for path-specific security
• Use Redirect Rules to guide crawlers to appropriate areas of your site

To get started, go to AI Crawl Control > Robots.txt in the Cloudflare dashboard. Learn more in the Track robots.txt documentation.

CDN now supports 128 KB request and response headers 🚀

We're excited to announce a significant increase in the maximum header size supported by Cloudflare's Content Delivery Network (CDN). Cloudflare now supports up to 128 KB for both request and response headers.

Previously, customers were limited to a total of 32 KB for request or response headers, with a maximum of 16 KB per individual header. Larger headers could cause requests to fail with HTTP 413 (Request Header Fields Too Large) errors.

What's new?

• Support for large headers: You can now utilize much larger headers, whether as a single large header up to 128 KB or split over multiple headers.
• Reduces 413 and 520 HTTP errors: This change drastically reduces the likelihood of customers encountering HTTP 413 errors from large request headers or HTTP 520 errors caused by oversized response headers, improving the overall reliability of your web applications.
• Enhanced functionality: This is especially beneficial for applications that rely on:
  • A large number of cookies.
  • Large Content-Security-Policy (CSP) response headers.
  • Advanced use cases with Cloudflare Workers that generate large response headers.

This enhancement improves compatibility with Cloudflare's CDN, enabling more use cases that previously failed due to header size limits.

To learn more and get started, refer to the Cloudflare Fundamentals documentation.

During Birthday Week, we announced that single sign-on (SSO) is available for free to everyone who signs in with a custom email domain and maintains a compatible identity provider. SSO minimizes user friction around login and provides the strongest security posture available. At the time, this could only be configured using the API.

Today, we are launching a new user experience which allows users to manage their SSO configuration from within the Cloudflare dashboard. You can access this by going to Manage account > Members > Settings.

For more information

Cloudflare dashboard SSO.

What's new

AI Crawl Control now provides enhanced metrics and CSV data exports to help you better understand AI crawler activity across your sites.

Track crawler requests over time

Visualize crawler activity patterns over time, and group data by different dimensions:

• By Crawler — Track activity from individual AI crawlers (GPTBot, ClaudeBot, Bytespider)
• By Category — Analyze crawler purpose or type
• By Operator — Discover which companies (OpenAI, Anthropic, ByteDance) are crawling your site
• By Host — Break down activity across multiple subdomains
• By Status Code — Monitor HTTP response codes to crawlers (200s, 300s, 400s, 500s)

Analyze referrer data (Paid plans)

Identify traffic sources with referrer analytics:

• View top referrers driving traffic to your site
• Understand discovery patterns and content popularity from AI operators

Export data

Download your filtered view as a CSV:

• Includes all applied filters and groupings
• Useful for custom reporting and deeper analysis

Get started

1. Log in to the Cloudflare dashboard, and select your account and domain.
2. Go to AI Crawl Control > Metrics.
3. Use the grouping tabs to explore different views of your data.
4. Apply filters to focus on specific crawlers, time ranges, or response codes.
5. Select Download CSV to export your filtered data for further analysis.

Learn more about AI Crawl Control.

The most common reason users contact Cloudflare support is lost two-factor authentication (2FA) credentials. Cloudflare supports both app-based and hardware keys for 2FA, but you could lose access to your account if you lose these. Over the past few weeks, we have been rolling out email and in-product reminders that remind you to also download backup codes (sometimes called recovery keys) that can get you back into your account in the event you lose your 2FA credentials. Download your backup codes now by logging into Cloudflare, then navigating to Profile > Security & Authentication > Backup codes.

Sign-in security best practices

Cloudflare is critical infrastructure, and you should protect it as such. Please review the following best practices and make sure you are doing your part to secure your account.

• Use a unique password for every website, including Cloudflare, and store it in a password manager like 1Password or Keeper. These services are cross-platform and simplify the process of managing secure passwords.
• Use 2FA to make it harder for an attacker to get into your account in the event your password is leaked
• Store your backup codes securely. A password manager is the best place since it keeps the backup codes encrypted, but you can also print them and put them somewhere safe in your home.
• If you use an app to manage your 2FA keys, enable cloud backup, so that you don't lose your keys in the event you lose your phone.
• If you use a custom email domain to sign in, configure SSO.
• If you use a public email domain like Gmail or Hotmail, you can also use social login with Apple, GitHub, or Google to sign in.
• If you manage a Cloudflare account for work:
  • Have at least two administrators in case one of them unexpectedly leaves your company
  • Use SCIM to automate permissions management for members in your Cloudflare account

Fine-grained permissions for Access Applications, Identity Providers (IdPs), and Targets is now available in Public Beta. This expands our RBAC model beyond account & zone-scoped roles, enabling administrators to grant permissions scoped to individual resources.

What's New

• Access Applications: Grant admin permissions to specific Access Applications.
• Identity Providers: Grant admin permissions to individual Identity Providers.
• Targets: Grant admin rights to specific Targets

During the public beta, members must also be assigned an account-scoped, read only role to view resources in the dashboard. This restriction will be lifted in a future release.

• Account Read Only plus a fine-grained permission for a specific App, IdP, or Target
• Cloudflare Zero Trust Read Only plus fine-grained permission for a specific App, IdP, or Target

For more info:

• Get started with Cloudflare Permissioning
• Manage Member Permissioning via the UI & API