Cloudflare Blog
https://blog.cloudflare.com/

Why it matters: This proof of concept demonstrates how to transform heavy, stateful communication protocols into serverless architectures. It reduces operational overhead and costs to near zero while future-proofing security with post-quantum encryption at the edge.
- Ported the Matrix homeserver protocol to Cloudflare Workers using TypeScript and the Hono framework.
- Replaced traditional stateful infrastructure with serverless primitives: D1 for SQL, KV for caching, R2 for media, and Durable Objects for state resolution.
- Achieved a scale-to-zero cost model, eliminating the fixed overhead of running dedicated virtual private servers.
- Integrated post-quantum cryptography by default using hybrid X25519MLKEM768 key agreement for TLS 1.3 connections.
- Leveraged Cloudflare's global edge network to reduce latency by executing homeserver logic in over 300 locations.
- Maintained end-to-end encryption (Megolm) while adding a quantum-resistant transport layer for defense-in-depth.
Why it matters: Understanding global connectivity disruptions helps engineers build more resilient, multi-homed architectures. It highlights the fragility of physical infrastructure like submarine cables and the impact of BGP routing and government policy on service availability.
- Q4 2025 saw over 180 global Internet disruptions caused by government mandates, physical infrastructure damage, and technical failures.
- Tanzania implemented a near-total Internet shutdown during its presidential election, resulting in a 90% traffic drop and fluctuations in BGP address space announcements.
- Submarine cable cuts, specifically to the PEACE and WACS systems, significantly impacted connectivity in Pakistan and Cameroon.
- Infrastructure vulnerabilities in Haiti led to multiple outages for Digicel users due to international fiber optic cuts.
- Beyond physical damage, disruptions were linked to hyperscaler cloud platform issues and ongoing military conflicts affecting regional network stability.
Why it matters: This incident highlights how minor automation errors in BGP policy configuration can cause global traffic disruptions. It underscores the risks of permissive routing filters and the importance of robust validation in network automation to prevent large-scale route leaks.
- An automated routing policy change intended to remove IPv6 prefix advertisements for a Bogotá data center caused a major BGP route leak in Miami.
- The removal of specific prefix lists from policy statements resulted in overly permissive terms, unintentionally redistributing peer routes to other providers.
- The incident lasted 25 minutes, causing significant congestion on Miami backbone infrastructure and affecting both Cloudflare customers and external parties.
- The leak was classified as a mixture of Type 3 and Type 4 route leaks according to RFC 7908, violating standard valley-free routing principles.
- Impact was limited to IPv6 traffic and was mitigated by manually reverting the configuration and pausing the automation platform.
Why it matters: This vulnerability highlights the risks of global security bypasses for protocol-specific paths. Engineers must ensure that 'allow-list' logic for automated services like ACME is strictly scoped to prevent unintended access to origin servers without protection.
- Security researchers identified a vulnerability in Cloudflare's ACME HTTP-01 challenge validation logic.
- The flaw allowed requests to bypass Web Application Firewall (WAF) rules on specific ACME-related paths.
- Cloudflare previously disabled WAF features on these paths to prevent interference with automated certificate issuance.
- A logic error allowed unauthenticated requests to reach customer origins without WAF protection if tokens weren't managed by Cloudflare.
- The mitigation ensures security features are only disabled when a request matches a valid ACME token for the specific hostname.
Why it matters: This acquisition secures the long-term future of Astro, a leading framework for content-driven sites. For engineers, it ensures continued investment in performance-first web architecture and Islands Architecture while maintaining the framework's open-source and platform-agnostic nature.
- Cloudflare has acquired The Astro Technology Company, the creators of the Astro web framework.
- Astro will remain open source under the MIT license with open governance and a public roadmap.
- The upcoming Astro 6 release introduces a redesigned development server powered by Vite, currently in public beta.
- Astro's Islands Architecture allows for fast, static HTML by default with the ability to hydrate specific components using any UI framework.
- The framework remains platform-agnostic, maintaining its commitment to portability across various cloud providers and hosting platforms.
- Cloudflare will continue to support the Astro Ecosystem Fund alongside partners like Webflow, Netlify, and Sentry.
Why it matters: This acquisition signals a shift from chaotic web scraping to structured, licensed data for AI. For engineers, it introduces new patterns like pub/sub content indexing and machine-to-machine payments (x402), moving away from inefficient crawling toward a sustainable, automated web economy.
- Cloudflare has acquired Human Native, a UK-based marketplace that transforms unstructured multimedia content into high-quality, licensed AI training data.
- The acquisition aims to address the strain on the Internet's economic model caused by skyrocketing crawl-to-referral ratios from AI bots.
- Cloudflare is developing an 'AI Index' using a pub/sub model, allowing websites to push structured updates to developers in real time instead of relying on blind crawling.
- The integration supports Cloudflare's existing tools like AI Crawl Control and Pay Per Crawl, giving content owners granular control over bot access.
- Cloudflare is partnering with Coinbase on the x402 Foundation to establish protocols for machine-to-machine transactions and digital resource payments.
Why it matters: This incident highlights how subtle optimizations can break systems by violating undocumented assumptions in legacy clients. It serves as a reminder that even when a protocol doesn't mandate order, real-world implementations often depend on it.
- A memory optimization in Cloudflare's 1.1.1.1 resolver inadvertently changed the order of records in DNS responses.
- The code change moved CNAME records to the end of the answer section instead of the beginning when merging cached partial chains.
- While the DNS protocol technically treats record order as irrelevant, many client implementations process records sequentially.
- Legacy implementations like glibc's getaddrinfo fail to resolve addresses if the A record appears before the CNAME that defines the alias.
- The incident was resolved by reverting the optimization, restoring the original record ordering where CNAMEs precede final answers.
Why it matters: Understanding how nation-states manipulate BGP and IP announcements to enforce shutdowns is crucial for engineers building resilient, global systems. It highlights the vulnerability of centralized network infrastructure and the importance of monitoring tools like Cloudflare Radar.
- Iran implemented a near-total Internet shutdown starting January 8, 2026, following widespread civil protests.
- Cloudflare Radar observed a 98.5% drop in announced IPv6 address space, signaling a deliberate disruption of routing paths.
- Overall traffic volume plummeted by 90% within a 30-minute window as major ISPs like MCCI, IranCell, and TCI went offline.
- By 18:45 UTC on January 8, Internet traffic from the country reached effectively zero, indicating a complete disconnection from the global web.
- Brief spikes in DNS traffic (1.1.1.1) and university network connectivity were observed on January 9 before being shut down again.
Why it matters: BGP route leaks can cause traffic delays or interception. Distinguishing between configuration errors and malicious intent is vital for network security. This analysis demonstrates how technical data can debunk theories of malfeasance by identifying systemic ISP policy failures.
- Cloudflare Radar detected a BGP route leak on January 2 involving Venezuelan ISP CANTV (AS8048).
- The event violated valley-free routing by redistributing routes from a provider to an external network.
- Data shows 11 similar leaks since December, suggesting systemic configuration issues rather than malfeasance.
- The leak impacted prefixes from Dayco Telecom (AS21980), a customer of the leaking ISP.
- Such anomalies highlight the critical need for ISPs to implement strict routing export and import policies.
Why it matters: Manual infrastructure management fails at scale. This article shows how Cloudflare uses serverless Workers and graph-based data modeling to automate global maintenance scheduling, preventing downtime by programmatically enforcing safety constraints across distributed data centers.
- Cloudflare transitioned from manual maintenance coordination to an automated scheduler built on Cloudflare Workers to manage 330+ global data centers.
- The system enforces safety constraints to prevent simultaneous downtime of redundant edge routers and customer-specific egress IP pools.
- To solve 'out of memory' errors on the Workers platform, the team implemented a graph-based data interface inspired by Facebook's TAO.
- The scheduler uses a graph model of objects and associations to load only the regional data necessary for specific maintenance requests.
- The tool programmatically identifies overlapping maintenance windows and alerts operators to potential conflicts to ensure high availability.