Cloudflare Blog

Why it matters: Redesigning a UI served billions of times daily requires balancing security, accessibility, and performance. This case study shows how to handle massive-scale deployments while reducing user friction in critical security checkpoints, ensuring a better experience for a global audience.

Cloudflare redesigned its Turnstile and Challenge Pages to improve the user experience for 7.67 billion daily security verifications.
A comprehensive design audit revealed fragmented error states and overly technical messaging that increased user frustration.
The team mapped complex user journeys to identify 'unhappy paths' and replaced technical jargon with actionable, human-readable guidance.
The redesign addresses a 58% year-over-year increase in security challenges driven by the rise of AI-powered bot attacks.
Engineering efforts focused on maintaining performance and accessibility at an unprecedented global scale while ensuring backward compatibility.

#security #frontend #culture

Read original

Cloudflare BlogFeb 27, 2026

We deserve a better streams API for JavaScript

Why it matters: Modern web apps rely on streaming data, yet the current Web Streams API is plagued by performance bottlenecks and a complex locking model. Understanding these flaws is crucial for engineers building high-performance runtimes or handling large-scale data processing in JavaScript.

The WHATWG Streams Standard was designed before async iteration (ES2018), leading to an API that relies on complex reader/writer acquisition instead of idiomatic language primitives.
Web streams use a restrictive locking model where forgetting to call releaseLock() can permanently break a stream, creating significant debugging hurdles.
The current API requires excessive boilerplate for common operations, such as manually managing reader locks and the { value, done } protocol.
Retrofitting async iteration onto Web streams hides but does not solve underlying complexity, and it fails to support advanced features like BYOB (Bring Your Own Buffer) reads.
Benchmarks show that alternative stream implementations leveraging modern JS features can be 2x to 120x faster than the current standard across various runtimes.
The author advocates for a new streaming standard that aligns with modern JavaScript development patterns to improve both performance and developer experience.

#data #frontend #dist

Read original

Cloudflare BlogFeb 24, 2026

How we rebuilt Next.js with AI in one week

Why it matters: vinext solves the 'deployment problem' for Next.js on non-Vercel platforms by replacing the bespoke Turbopack toolchain with Vite. This offers engineers faster builds, smaller bundles, and native compatibility with Cloudflare Workers without sacrificing the familiar Next.js developer experience.

Cloudflare introduced vinext, a Vite-based, drop-in replacement for Next.js developed in one week using AI models.
The framework reimplements Next.js APIs like RSC and Server Actions directly on Vite, bypassing fragile build-output adapters like OpenNext.
Benchmarks show production builds up to 4.4x faster and client bundle sizes reduced by 57% using the Rolldown bundler.
It features first-class support for Cloudflare Workers, including single-command deployment and built-in ISR via Cloudflare KV.
By using the Vite Environment API, vinext ensures the development server and production output run natively on target runtimes.

#frontend #dist

Read original

Cloudflare BlogFeb 23, 2026

Cloudflare One is the first SASE offering modern post-quantum encryption across the full platform

Why it matters: With NIST setting a 2030 deadline to deprecate classical encryption, engineers must adopt post-quantum standards now to prevent 'Harvest Now, Decrypt Later' attacks. This update provides built-in crypto agility for SASE, simplifying the transition to quantum-resistant networking.

Cloudflare One is the first SASE platform to implement post-quantum (PQ) encryption across its entire suite, including Secure Web Gateway, Zero Trust, and WAN.
The platform utilizes hybrid ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism) alongside classical ECDHE to provide quantum-resistant key agreement.
Support extends to Cloudflare IPsec and the Cloudflare One Appliance, securing both site-to-site and outbound internet traffic against future quantum threats.
The implementation specifically targets 'Harvest Now, Decrypt Later' attacks by upgrading the key establishment phase of cryptographic handshakes.
Cloudflare One Appliance version 2026.2.0 is generally available with these upgrades, while the Cloudflare IPsec upgrade has entered closed beta.

#security #dist

Read original

Cloudflare BlogFeb 21, 2026

Cloudflare outage on February 20, 2026

Why it matters: This incident highlights the risks of automated configuration propagation in global networks. It demonstrates how a single API change can trigger widespread BGP withdrawals and how software bugs can complicate recovery, emphasizing the need for 'fail small' deployment strategies.

A configuration change to the BYOIP management pipeline caused the unintentional withdrawal of approximately 1,100 BGP prefixes.
The outage lasted 6 hours and 7 minutes, impacting services including Magic Transit, Spectrum, and Dedicated Egress.
While many prefixes were restored by reverting the change, a software bug deleted edge configurations for 300 prefixes, requiring manual restoration.
The Addressing API's immediate propagation mechanism meant that the configuration error was distributed globally to the edge almost instantly.
Impacted customers experienced BGP Path Hunting, where connections repeatedly failed while trying to find valid routes to destination IPs.
Cloudflare is implementing a 'Fail Small' resilience plan to improve how these systems roll out changes and prevent global-scale failures.

#sre #dist

Read original

Cloudflare BlogFeb 20, 2026

Code Mode: give agents an entire API in 1,000 tokens

Why it matters: Code Mode solves the context window bottleneck for AI agents by replacing thousands of tool definitions with a programmable interface. This allows agents to interact with massive APIs efficiently and securely, significantly reducing token costs and latency while improving task performance.

Cloudflare's Code Mode reduces AI agent context usage by 99.9%, fitting the entire Cloudflare API into just 1,000 tokens.
It replaces thousands of individual tool definitions with two primary tools: search() for discovery and execute() for action.
Agents generate JavaScript code to interact with a typed SDK, enabling complex multi-step operations in a single round trip.
Execution occurs within a secure Dynamic Worker isolate, a V8 sandbox that prevents prompt injection leaks and unauthorized access.
This pattern allows agents to handle massive APIs that would otherwise exceed the context limits of modern foundation models.
Cloudflare has open-sourced a Code Mode SDK to facilitate this pattern in third-party MCP servers and AI agents.

#mlp #security #dist

Read original

Cloudflare BlogFeb 13, 2026

Shedding old code with ecdysis: graceful restarts for Rust services at Cloudflare

Why it matters: Graceful restarts are critical for high-availability services where even millisecond outages cause millions of failed requests. ecdysis provides a battle-tested Rust implementation for zero-downtime upgrades, ensuring continuous connection handling during security patches and deployments.

Cloudflare open-sourced ecdysis, a Rust library for zero-downtime graceful restarts of high-traffic network services.
It solves the orphaned connection problem inherent in SO_REUSEPORT by passing socket file descriptors directly between processes.
The mechanism uses fork() and execve(), allowing the new process to inherit listening sockets via a named pipe.
It ensures crash safety: if a new version fails during initialization, the existing process continues serving traffic without interruption.
The library integrates natively with the Tokio async runtime and supports systemd-notify for seamless service management.

#sre #dist

Read original

Cloudflare BlogFeb 12, 2026

Introducing Markdown for Agents

Why it matters: As AI agents become primary web consumers, optimizing content for them is crucial. This feature reduces LLM token costs by 80% and simplifies data ingestion pipelines, making it easier to build efficient, agent-friendly applications at the edge.

Cloudflare introduced 'Markdown for Agents' to automatically convert HTML content to Markdown in real-time for AI crawlers.
Converting HTML to Markdown can reduce token usage by approximately 80%, lowering costs and processing complexity for AI pipelines.
The feature leverages HTTP content negotiation, enabling agents to request Markdown via the 'Accept: text/markdown' header.
Responses include an 'x-markdown-tokens' header to help developers manage context windows and chunking strategies.
The service integrates with the Content Signals framework to define how content is used for AI training and search.

#mlp #dist #finops

Read original

Cloudflare BlogFeb 12, 2026

Introducing Markdown for Agents

Why it matters: As AI agents become primary web consumers, serving raw HTML is inefficient and costly. This feature treats agents as first-class citizens, drastically reducing LLM token costs and improving parsing accuracy by providing clean, structured data directly at the network edge.

Cloudflare introduced 'Markdown for Agents,' a feature that automatically converts HTML content to Markdown in real-time at the edge.
Markdown significantly reduces token consumption by up to 80% compared to HTML, optimizing costs and context window usage for LLMs.
The feature utilizes standard HTTP content negotiation, allowing AI agents to request Markdown via the 'Accept: text/markdown' header.
Responses include an 'x-markdown-tokens' header to help developers manage context windows and chunking strategies effectively.
The system integrates with the Content Signals framework to define how content should be used for AI training and search indexing.

#dist #mlp #finops

Read original

Cloudflare BlogFeb 5, 2026

2025 Q4 DDoS threat report: A record-setting 31.4 Tbps attack caps a year of massive DDoS assaults

Why it matters: The scale of DDoS attacks is reaching unprecedented levels, with botnets leveraging IoT devices to hit 31.4 Tbps. Engineers must prioritize automated, multi-vector mitigation strategies as manual intervention is no longer viable against such hyper-volumetric volume.

DDoS attacks surged by 121% in 2025, totaling 47.1 million incidents with an average of 5,376 mitigations per hour.
A record-breaking 31.4 Tbps attack occurred in late 2025, highlighting a massive increase in attack volume.
The Aisuru-Kimwolf botnet, composed of 1-4 million infected Android TVs, launched hyper-volumetric HTTP attacks exceeding 200 million requests per second.
Network-layer DDoS attacks more than tripled year-over-year, accounting for 78% of all attacks in Q4 2025.
Multi-vector campaigns utilized SYN floods, Mirai-based attacks, and SSDP amplification to target global internet infrastructure.
Telecommunications emerged as the most-attacked industry, while Hong Kong and the UK saw the highest growth in attack frequency.

#security #sre #dist

Read original

Page 4 of 10

Prev 1 2 3 4 5 6...10 Next