Cloudflare Blog

Why it matters: This unified approach addresses the 'endpoint-to-prompt' challenge, ensuring security policies follow data across tools and AI interfaces. For engineers, it simplifies visibility and control over sensitive information without sacrificing productivity or creating siloed security gaps.

Cloudflare One introduces browser-based RDP clipboard controls to manage data movement between local devices and remote sessions.
Operation mapping now enriches logs with specific SaaS actions, such as 'SendPrompt' in ChatGPT, to simplify policy authoring and forensic analysis.
Endpoint DLP is being integrated into the Cloudflare One Client to protect data in use, specifically monitoring and controlling OS clipboard activity.
New CASB integrations provide security scanning for Microsoft 365 Copilot, identifying sensitive data risks within AI-driven workflows.
The unified vision aims to secure data across its entire lifecycle: in transit, at rest, in use on endpoints, and at the AI prompt interface.

#security #data

Read original

Cloudflare BlogMar 5, 2026

Ending the "silent drop": how Dynamic Path MTU Discovery makes the Cloudflare One Client more resilient

Why it matters: Engineers often face 'zombie' connections caused by MTU mismatches and blocked ICMP feedback. By implementing active probing via QUIC, Cloudflare eliminates these silent failures, ensuring robust connectivity across diverse, unmanaged network infrastructures without manual tuning.

Cloudflare One Client now implements Dynamic Path MTU Discovery (PMTUD) to prevent 'black hole' packet loss and connection hangs.
Traditional PMTUD relies on ICMP messages that are frequently blocked by firewalls, leading to silent packet drops.
The new implementation follows RFC 8899, using active probing to interrogation the network path instead of relying on ICMP feedback.
Leveraging the MASQUE protocol and QUIC, the client sends encrypted probes of varying sizes to determine the optimal MTU.
The client dynamically resizes its virtual interface MTU on the fly, ensuring seamless transitions between different network environments like Wi-Fi and LTE.
This active discovery mechanism maintains session stability for mission-critical applications on restrictive or legacy infrastructure.

#security #dist

Read original

Cloudflare BlogMar 5, 2026

A QUICker SASE client: re-building Proxy Mode

Why it matters: This shift solves the performance penalty of SASE proxies by moving from L3 tunneling to direct L4 proxying via QUIC. It doubles throughput and lowers latency, making Zero Trust security transparent to users during high-bandwidth tasks or when coexisting with legacy VPNs.

Cloudflare re-engineered its SASE client proxy mode by replacing the WireGuard-based Layer 3 tunnel with a direct Layer 4 QUIC-based architecture.
The previous implementation relied on smoltcp, a user-space TCP stack that lacked modern features and created a performance ceiling for media-heavy traffic.
The new architecture leverages MASQUE and HTTP/3 (RFC 9114) using the CONNECT method to encapsulate traffic directly into QUIC streams.
By bypassing Layer 3 translation, the client eliminates inefficient IP packet handling and benefits from native QUIC congestion and flow control.
Internal testing demonstrated that download and upload speeds doubled while latency decreased significantly for end-users.
The update specifically improves performance for third-party VPN coexistence, high-bandwidth application partitioning, and developer CLI tools.

#security #dist #sre

Read original

Cloudflare BlogMar 5, 2026

How Automatic Return Routing solves IP overlap

Why it matters: ARR simplifies complex network architectures by eliminating the need for NAT or VRF when handling overlapping private IP spaces. This reduces administrative toil and prevents non-deterministic routing, allowing engineers to scale enterprise backbones without manual IP re-addressing.

Cloudflare introduced Automatic Return Routing (ARR) to resolve IP overlap issues in private enterprise networks without manual configuration.
IP overlap typically arises from mergers and acquisitions, extranet connections, or standardized 'cookie-cutter' site architectures.
Traditional solutions like NAT and VRF are effective but introduce significant administrative overhead and brittle configuration requirements.
ARR utilizes stateful tracking to remember the specific tunnel (IPsec, GRE, or CNI) that initiated a network flow.
By bypassing the routing table for return traffic, ARR ensures symmetric routing even when multiple sites share identical IP addresses.
The 'zero-touch' approach allows overlapping networks to coexist seamlessly without requiring complex route leaking or IP re-addressing.

#dist #security

Read original

Cloudflare BlogMar 4, 2026

Always-on detections: eliminating the WAF “log versus block” trade-off

Why it matters: This shift from binary 'log vs. block' to continuous detection allows engineers to gain deep security insights without impacting latency or risking false positives. It enables more sophisticated, context-aware defenses by correlating full HTTP transactions instead of just inspecting requests.

Cloudflare is introducing an 'always-on' framework that separates WAF detection from mitigation, eliminating the traditional trade-off between visibility and protection.
Attack Signature Detection runs on every request, providing rich metadata including confidence scores, attack categories, and unique Ref IDs without stopping evaluation upon a match.
The system optimizes performance by running detections asynchronously after the request is sent to the origin, unless a specific blocking rule is active.
Full-Transaction Detection is being developed to correlate both requests and responses, enabling the identification of reflective SQL injection and data exfiltration.
Engineers can use new fields like cf.waf.signature.request.confidence and categories to build highly precise security policies in the Edge Rules Engine.
This evolution allows for easier onboarding and tuning by providing complete visibility into which signatures would have fired before switching to blocking mode.

#security #dist

Read original

Cloudflare BlogMar 4, 2026

Mind the gap: new tools for continuous enforcement from boot to login

Why it matters: These tools close critical security gaps by ensuring continuous enforcement from device boot. By decoupling MFA from the primary IdP, engineers can prevent lateral movement even if SSO credentials are compromised, significantly reducing the blast radius of potential breaches.

Cloudflare is introducing mandatory authentication to ensure devices are secured and visible from the moment of system boot.
The Cloudflare One Client now acts as a gatekeeper, using a system firewall to block all internet traffic until a user successfully authenticates.
A new independent MFA feature provides a secondary root of trust at the network edge, separate from the primary Identity Provider (IdP).
Independent MFA supports biometrics, FIDO2 security keys, and TOTP to protect against SSO session hijacking and credential compromise.
Administrators can define granular, per-application policies, requiring higher assurance authentication for sensitive resources like production databases.

#security #sre

Read original

Cloudflare BlogMar 4, 2026

Defeating the deepfake: stopping laptop farms and insider threats

Why it matters: Traditional Zero Trust is insufficient when attackers use deepfakes and laptop farms to bypass credential checks. Integrating biometric identity verification into the SASE layer closes the identity assurance gap, preventing nation-state actors from infiltrating corporate networks.

Remote IT worker fraud involves laptop farms where attackers use stolen identities and remote access to infiltrate corporate networks.
Traditional Zero Trust models often verify devices and credentials but fail to verify the actual person, creating an identity assurance gap.
Cloudflare is partnering with Nametag to integrate identity-verified onboarding and continuous assurance into the Cloudflare One SASE platform.
The integration uses OpenID Connect (OIDC) to chain Nametag as an identity provider or an external evaluation factor within Cloudflare Access.
Nametag's Deepfake Defense engine uses biometrics and AI to detect injection attacks and fabricated government IDs during authentication.
The system ensures that the person receiving and configuring a corporate device is the legitimate hire before granting access to sensitive resources.

#security

Read original

Cloudflare BlogMar 4, 2026

Moving from license plates to badges: the Gateway Authorization Proxy

Why it matters: This enables identity-based security for unmanaged devices without endpoint agents. Engineers can enforce granular policies and gain visibility in restricted environments like VDI or M&A, bridging the gap between network-level proxying and user-level identity.

Cloudflare introduced the Gateway Authorization Proxy to provide identity-based filtering for unmanaged devices without requiring client software.
The system replaces static IP-based identification with Cloudflare Access-style authentication using signed JWT cookies.
A domain-specific token generation process ensures seamless user authentication across different domains via Cloudflare's global edge network.
New Proxy Auto-Configuration (PAC) File Hosting allows teams to host and manage proxy settings directly on Cloudflare with built-in templates.
The solution supports multiple identity providers simultaneously, facilitating complex environments like mergers and acquisitions.
Identity-aware logging and granular policy enforcement are now possible for browser-based traffic on any device reaching the Internet.

#security #dist

Read original

Cloudflare BlogMar 4, 2026

Stop reacting to breaches and start preventing them with User Risk Scoring

Why it matters: It shifts security from static, binary login checks to continuous, adaptive authorization. By automating responses to behavioral risks and integrating third-party telemetry, engineers can reduce incident response times and prevent lateral movement without manual intervention.

Cloudflare One now incorporates User Risk Scores into Zero Trust Network Access (ZTNA) policies for real-time, behavior-based access control.
Risk scores are calculated continuously using internal telemetry from Cloudflare Access and Gateway, monitoring events like impossible travel and DLP violations.
The platform integrates third-party signals from security partners like CrowdStrike and SentinelOne to ingest external device posture and threat data.
Administrators can define deterministic risk levels and automate responses, such as requiring physical security keys or revoking access.
Integration with the Shared Signals Framework allows risk data to be synchronized with Identity Providers like Okta to secure the SSO ecosystem.

#security

Read original

Cloudflare BlogMar 3, 2026

Evolving Cloudflare’s Threat Intelligence Platform: actionable, scalable, and ETL-less

Why it matters: This architecture demonstrates how to build high-scale, low-latency platforms by moving compute and storage to the edge. By eliminating ETL and using sharded SQLite via Durable Objects, engineers can gain real-time insights from massive datasets without centralized database bottlenecks.

Cloudflare evolved its Threat Intelligence Platform (TIP) to eliminate complex ETL pipelines using a sharded, SQLite-backed architecture.
The platform leverages Cloudflare Workers and Durable Objects to run GraphQL directly at the edge, achieving sub-second query latency.
Data is distributed across thousands of logical shards, allowing for high-volume ingestion and parallel query execution without central bottlenecks.
The system integrates global telemetry with manual investigations to create a single source of truth for proactive threat blocking.
Cloudflare Queues handle asynchronous telemetry ingestion, while R2 provides long-term storage and SQLite handles the hot index for instant retrieval.

#security #dist #data

Read original

Page 2 of 10

Prev 1 2 3 4...10 Next