Cloudflare Blog

https://blog.cloudflare.com/

Cloudflare BlogMar 13, 2026

From legacy architecture to Cloudflare One

Why it matters: Moving from legacy VPNs to Zero Trust is high-risk. This methodology de-risks the process by treating migration as application modernization, allowing engineers to secure legacy systems with MFA and identity-based access without downtime or code changes.

Cloudflare and CDW advocate for a tiered, risk-aware migration strategy to Zero Trust rather than high-risk 'big bang' VPN replacements.
Legacy applications are modernized by 'wrapping' them in Cloudflare Access, adding MFA and SSO capabilities without requiring code rewrites.
Cloudflare Tunnel establishes outbound-only connections, effectively hiding internal applications from the public internet and preventing lateral movement.
Comprehensive pre-migration audits map backend dependencies and identity providers to ensure service continuity during the transition.
Dynamic Path MTU Discovery (PMTUD) is utilized to maintain persistent sessions for legacy architectures even as client IP addresses change.

#security #sre

Read original

Cloudflare BlogMar 12, 2026

Announcing Cloudflare Account Abuse Protection: prevent fraudulent attacks from bots and humans

Why it matters: Modern threats blend human intent with automated scale, making traditional bot detection insufficient. This suite provides privacy-preserving tools like Hashed User IDs and email risk scoring to stop account takeover and promotion abuse without compromising sensitive user data.

Cloudflare introduced Account Abuse Protection to combat hybrid threats involving both automated bots and human-driven fraud.
New features include disposable email checks and email risk scoring to identify throwaway accounts used for promotion abuse.
Hashed User IDs provide a privacy-preserving way to track suspicious activity by cryptographically hashing usernames per domain.
The suite integrates with existing leaked credential detection, which checks passwords against a database of 16 billion compromised records.
Account Takeover (ATO) detection IDs use behavioral anomaly detection to identify suspicious login patterns unique to each customer.
The solution addresses industrialized fraud where attackers use human-powered farms and AI agents to bypass traditional bot defenses.

#security #dist

Read original

Cloudflare BlogMar 11, 2026

Slashing agent token costs by 98% with RFC 9457-compliant error responses

Why it matters: Engineers building AI agents can now handle network errors programmatically and cost-effectively. By replacing verbose HTML with structured data, Cloudflare enables agents to make deterministic decisions like exponential backoff while slashing operational token costs by 98%.

Cloudflare now serves RFC 9457-compliant structured error responses in JSON and Markdown specifically for AI agents.
The new formats replace heavy HTML error pages, reducing payload size and LLM token consumption by over 98%.
Agents can trigger these responses by sending specific Accept headers such as application/problem+json or text/markdown.
Responses include machine-readable metadata like retryable status, retry_after durations, and specific error categories.
The implementation currently covers all 1xxx-class errors, including rate limits, WAF blocks, and DNS resolution issues.
This system requires no configuration from site owners and maintains standard HTML responses for browser-based traffic.

#dist #mlp #sre

Read original

Cloudflare BlogMar 11, 2026

AI Security for Apps is now generally available

Why it matters: AI apps introduce probabilistic attack surfaces like prompt injection that traditional WAFs can't stop. Cloudflare's GA release provides automated discovery and specialized guardrails to secure LLM endpoints and agents without requiring model-specific integrations.

Cloudflare's AI Security for Apps is now generally available, providing a reverse proxy layer to protect LLM-powered applications and agents.
AI endpoint discovery is now free for all customers, using behavioral analysis to identify AI-integrated endpoints across web properties.
The platform detects prompt injection, PII exposure, and toxic content, attaching metadata to requests for mitigation via WAF rules.
New custom topic detection allows organizations to define and flag specific off-policy categories relevant to their business domain.
Custom prompt extraction enables security teams to define where LLM inputs reside within non-standard JSON structures for accurate inspection.
The solution addresses risks highlighted in the OWASP Top 10 for LLM Applications, such as sensitive information disclosure and unbounded consumption.

#security #mlp

Read original

Cloudflare BlogMar 10, 2026

Building a security overview dashboard for actionable insights

Why it matters: Security teams are overwhelmed by data noise. This architecture demonstrates how to transform massive telemetry into prioritized, actionable insights using a distributed system of specialized microservices, reducing incident response times and closing critical configuration gaps.

Cloudflare revamped its Security Overview dashboard to prioritize actionable 'Security Action Items' over raw data visibility, reducing noise for security teams.
The system addresses the 'configuration gap' by surfacing the status of security tools, identifying when features are inactive or incorrectly set to 'Log Only' mode.
The backend architecture utilizes specialized microservices called 'checkers' that scale independently to process over 10 million insights daily.
Checkers operate via two mechanisms: scheduled deep-inspection tasks for complex configurations and real-time event handlers for immediate risk detection.
Deep-linking between the overview and analytics dashboards reduces the 'tab switching tax' by automatically applying relevant filters during incident investigation.
Action items are categorized by criticality and type, allowing defenders to move from reactive monitoring to proactive control of their security posture.

#security #dist #data

Read original

Cloudflare BlogMar 10, 2026

Investigating multi-vector attacks in Log Explorer

Why it matters: Engineers need holistic visibility to combat multi-vector attacks. By centralizing edge telemetry and Zero Trust events, teams can correlate disparate signals, significantly reducing detection time and improving forensic accuracy without managing complex log pipelines.

Cloudflare Log Explorer integrates 14 new datasets to provide 360-degree visibility across Application Services and Cloudflare One portfolios.
The platform correlates telemetry from HTTP requests, L3/L4 network logs, and Zero Trust events to identify sophisticated multi-vector attacks.
Zone-scoped logs capture edge interactions like DNS queries, WAF events, and Page Shield audits before traffic reaches origin servers.
Account-scoped logs track identity-based authentication, administrative changes, and device posture to monitor internal security health.
Centralized logging at the edge helps security analysts reduce Mean Time to Detect (MTTD) by providing a unified interface for deep-dive forensics.

#security #data

Read original

Cloudflare BlogMar 10, 2026

Translating risk insights into actionable protection: leveling up security posture with Cloudflare and Mastercard

Why it matters: This integration automates the discovery of shadow IT and unprotected assets, allowing engineers to close security gaps before exploitation. By combining outside-in scanning with immediate remediation via Cloudflare's proxy, teams can maintain a robust security posture at scale.

Cloudflare is integrating Mastercard’s RiskRecon to provide continuous discovery and monitoring of an organization's entire internet footprint.
The solution uses outside-in scanning to identify shadow IT, forgotten subdomains, and unauthorized cloud servers using only public data.
Discovered assets can be immediately secured by routing traffic through Cloudflare’s proxy, enabling WAF and DDoS protection without code changes.
RiskRecon assigns criticality levels to hosts, helping security teams prioritize remediation for systems handling sensitive data.
Data indicates that proxied systems show 53% fewer software vulnerabilities and 98% fewer instances of malicious behavior compared to unproxied ones.

#security

Read original

Cloudflare BlogMar 9, 2026

Active defense: introducing a stateful vulnerability scanner for APIs

Why it matters: Traditional security tools miss logic-based vulnerabilities like BOLA because the requests appear valid. This stateful scanner allows engineers to proactively hunt for authorization flaws, ensuring business logic integrity beyond simple schema validation and signature matching.

Cloudflare launched a stateful Web and API Vulnerability Scanner in beta, specifically targeting Broken Object Level Authorization (BOLA).
Unlike traditional WAFs that focus on syntax-based attacks like SQLi, this scanner identifies logic flaws where valid requests violate business rules.
The tool utilizes Dynamic Application Security Testing (DAST) to proactively hunt for vulnerabilities in both development and production environments.
The scanner is stateful, enabling it to chain multiple requests together to simulate complex attack patterns that require resource creation and manipulation.
Integration with API Shield allows the scanner to leverage existing API Discovery and Schema Learning for deeper context and easier configuration.

#security

Read original

Cloudflare BlogMar 9, 2026

Fixing request smuggling vulnerabilities in Pingora OSS deployments

Why it matters: Request smuggling vulnerabilities can lead to critical security breaches like session hijacking and cache poisoning. For engineers using Pingora as an ingress proxy, upgrading to 0.8.0 is essential to ensure RFC compliance and prevent connection desynchronization attacks.

Cloudflare patched three HTTP/1.x request smuggling vulnerabilities (CVE-2026-2833, CVE-2026-2835, CVE-2026-2836) in Pingora 0.8.0.
One flaw involved Pingora prematurely entering passthrough mode for Upgrade requests before receiving a 101 Switching Protocols response.
Vulnerabilities also stemmed from non-RFC-compliant interpretations of request bodies involving Transfer-Encoding in specific HTTP contexts.
These issues could allow attackers to bypass security controls, hijack user sessions, or poison caches in standalone Pingora deployments.
Cloudflare's CDN was unaffected due to architectural safeguards and internal proxy configurations that prevent these exploitation vectors.
Users of the Pingora framework are strongly urged to upgrade to version 0.8.0 to mitigate risks of connection desynchronization.

#security #sre

Read original

Cloudflare BlogMar 9, 2026

Complexity is a choice. SASE migrations shouldn’t take years.

Why it matters: Engineers can bypass the 'marathon of misery' of multi-year SASE deployments. By using programmable, identity-centric tools, teams can secure global infrastructure and AI workflows in weeks rather than years, reducing technical debt and improving performance.

Cloudflare One reduces SASE migration timelines from 18 months to 6 weeks by replacing legacy hardware-centric approaches with a software-defined connectivity cloud.
The platform utilizes identity-first on-ramps and consolidated policy engines to eliminate the 'trombone effect' and latency common in traditional service chaining.
Lightweight cloud-native connectors like cloudflared enable instant connectivity without requiring inbound firewall port changes.
The extensible edge allows for custom environment support, such as creating native services for Arch Linux to maintain consistent device posture checks.
Integrated AI security tools provide shadow AI visibility and Data Loss Prevention (DLP) to control sensitive data flow into LLMs.

#security #sre #dist

Read original

Page 1 of 10

Prev1 2 3...10 Next