Cloudflare Blog

Why it matters: This approach automates the analysis of stealthy BPF-based malware, allowing engineers to quickly identify and replicate the 'magic' packets used to trigger backdoors. It demonstrates how symbolic execution and theorem provers like Z3 can solve complex reverse-engineering bottlenecks.

Linux malware uses Berkeley Packet Filter (BPF) socket programs to remain dormant until a specific 'magic' packet is received.
Manually reverse-engineering complex BPF filters with hundreds of instructions is a significant bottleneck for security researchers.
Symbolic execution treats code as a series of constraints rather than instructions, allowing researchers to work backward from a target state.
By integrating the Z3 theorem prover, researchers can automatically generate the exact network packet required to trigger a malicious filter.
The tool calculates the shortest execution path to an 'ACCEPT' state by tracking conditional jumps and instruction offsets.
This automation reduces the time required to analyze sophisticated backdoors like BPFDoor from hours to just a few seconds.

#security

Read original

Cloudflare BlogApr 7, 2026

Cloudflare targets 2029 for full post-quantum security

Why it matters: The timeline for quantum computers to break standard encryption has accelerated to 2029. Engineers must prioritize post-quantum migration now to protect against both 'harvest-now/decrypt-later' threats and future authentication bypasses as cryptographic standards become obsolete.

Cloudflare has accelerated its post-quantum (PQ) security roadmap, targeting full PQ-readiness including authentication by 2029.
Recent breakthroughs in neutral atom quantum computing have drastically reduced the physical qubit count required to break RSA-2048 and P-256.
Oratomic research indicates that reconfigurable qubits allow for highly efficient error correction, requiring only 3-4 physical qubits per logical qubit.
Google has demonstrated significant algorithmic improvements that speed up the process of cracking elliptic curve cryptography.
The industry-wide estimate for Q-Day has shifted from 2035+ to as early as 2029, prompting urgent migration efforts across major tech providers.

#security #dist

Read original

Cloudflare BlogApr 6, 2026

How we built Organizations to help enterprises manage Cloudflare at scale

Why it matters: Managing large-scale infrastructure across fragmented accounts creates security risks and operational overhead. This update simplifies governance by centralizing identity, policy enforcement, and observability, allowing engineers to maintain the principle of least privilege at scale.

Cloudflare Organizations provides a centralized management layer for enterprises to oversee multiple accounts, users, and configurations.
Introduces the Org Super Administrator role, which grants global permissions across all accounts without requiring individual account memberships.
Enables shared configurations, allowing security teams to centrally manage and deploy WAF and Gateway policies across the entire organization.
Provides a unified analytics dashboard that aggregates HTTP traffic data from all accounts and zones for better visibility.
The backend refactor consolidated authorization checks into a domain-scoped roles system, resulting in a 27% performance improvement for permission enumeration.
Future roadmap items include organization-level audit logs, centralized billing reports, and additional granular user roles.

#security #sre

Read original

Cloudflare BlogApr 2, 2026

Why we're rethinking cache for the AI era

Why it matters: AI crawlers disrupt traditional CDN caching by prioritizing long-tail content over popular pages. Engineers must rethink cache eviction policies to prevent AI bots from degrading performance for human users while still supporting the data needs of LLMs and RAG systems.

AI crawlers account for 32% of automated traffic, with 80% of that volume focused on harvesting data for LLM training.
AI traffic patterns differ significantly from human behavior, characterized by high-volume parallel requests and sequential scans of long-tail content.
Modeling shows AI agents maintain a unique access ratio between 70% and 100%, leading to very low content reuse within the cache.
Traditional CDN cache architectures face a dichotomy between optimizing for human-centric popular content or broad AI crawler scans.
Cloudflare and ETH Zurich research suggests that current cache eviction policies must evolve to prevent AI bots from evicting useful human-requested data.

#dist #data #mlp

Read original

Cloudflare BlogApr 1, 2026

Introducing EmDash — the spiritual successor to WordPress that solves plugin security

Why it matters: EmDash modernizes CMS architecture by replacing insecure PHP-based plugin hooks with isolated serverless environments. This shift to capability-based security and modern TypeScript tooling solves decades-old security vulnerabilities while maintaining the extensibility of the WordPress model.

EmDash is an open-source, MIT-licensed CMS built from scratch using TypeScript and the Astro framework.
It addresses WordPress's fundamental security flaws by sandboxing plugins within isolated Dynamic Workers.
Plugins utilize a capability-based security model, requiring explicit declarations of permissions like database access or network calls in a manifest.
The architecture is serverless-first but portable, allowing deployment on Cloudflare, Node.js, or private hardware.
By using static declarations for plugin needs, administrators can audit and restrict plugin behavior at install time rather than relying on allowlists.

#security #frontend #dist

Read original

Cloudflare BlogApr 1, 2026

Our ongoing commitment to privacy for the 1.1.1.1 public DNS resolver

Why it matters: DNS is a critical internet protocol that can leak significant user behavior data. Cloudflare's independent audit provides a rare, verifiable guarantee of privacy in a space where 'trust us' is the norm, setting a technical and ethical benchmark for infrastructure providers.

Cloudflare completed its second independent privacy examination of the 1.1.1.1 public DNS resolver, conducted by a Big 4 accounting firm.
The review confirms that Cloudflare does not sell personal data, use it for ad targeting, or retain identifying information.
Source IP addresses are anonymized and deleted within 25 hours, maintaining strict user privacy.
The resolver now runs on a new technical platform, which was included in the scope of the latest rigorous audit.
A small fraction of traffic (0.05%) is sampled for network troubleshooting and DDoS mitigation purposes.
Anonymized transaction logs are utilized for research and services like Cloudflare Radar without compromising individual user privacy.

#security #dist #culture

Read original

Cloudflare BlogMar 31, 2026

Introducing Programmable Flow Protection: custom DDoS mitigation logic for Magic Transit customers

Why it matters: Engineers can now extend Cloudflare's DDoS protection with custom eBPF logic. This is crucial for proprietary UDP-based applications like gaming or VoIP, where generic rate limiting causes collateral damage. It provides granular, stateful control over traffic filtering at the network edge.

Cloudflare launched Programmable Flow Protection, allowing Magic Transit customers to deploy custom DDoS mitigation logic via eBPF.
The system addresses the limitations of generic DDoS protection for proprietary or custom UDP protocols used in gaming, VoIP, and streaming.
Customers can write eBPF programs to define precise 'good' versus 'bad' packet logic, which Cloudflare executes across its global edge network.
To ensure security and flexibility, these programs run in a userspace environment rather than the Linux kernel, using a specialized API for stateful mitigation.
The platform includes helper functions for storing client state, performing cryptographic validation, and issuing challenge packets to mitigate attacks without impacting legitimate users.

#security #dist #sre

Read original

Cloudflare BlogMar 30, 2026

Cloudflare Client-Side Security: smarter detection, now open to everyone

Why it matters: Client-side attacks like skimming are hard to detect because they don't break site functionality. Cloudflare's use of GNNs and LLMs to analyze script intent at scale allows engineers to secure front-end dependencies and meet PCI DSS v4 compliance without manual overhead or performance lag.

Cloudflare has expanded access to Client-Side Security Advanced for self-serve customers and made domain-based threat intelligence free for all users.
The system uses browser reporting and Content Security Policy (CSP) to monitor scripts with zero latency impact on web applications.
Detection logic utilizes Graph Neural Networks (GNN) to analyze Abstract Syntax Trees (AST), identifying malicious intent rather than relying on static signatures.
A new LLM-based triage layer has been integrated to reduce false positives by distinguishing between malicious code and benign but obfuscated scripts like ad-tech bundles.
The platform automates code change monitoring and proactive blocking, assisting organizations in meeting PCI DSS v4 compliance requirements.

#security #frontend #mlp

Read original

Cloudflare BlogMar 27, 2026

How we use Abstract Syntax Trees (ASTs) to turn Workflows code into visual diagrams

Why it matters: Visualizing code-based workflows is difficult due to dynamic logic like loops and parallel promises. Using ASTs to generate diagrams provides critical observability into complex durable executions, helping engineers debug and verify logic whether written by humans or AI agents.

Cloudflare Workflows now automatically generates visual diagrams for every deployment to improve observability of complex logic.
Unlike declarative workflow engines using YAML or JSON, Cloudflare uses Abstract Syntax Trees (ASTs) to statically derive graphs from dynamic JavaScript/TypeScript code.
The visualizer tracks Promise and await relationships to accurately represent parallel execution versus sequential blocking steps.
Diagrams are generated at deploy time by fetching bundled scripts and traversing an intermediate graph of WorkflowEntrypoints.
The underlying architecture uses a Durable Object engine to manage execution and dynamic dispatch to trigger user workers.
The system handles minified code from various bundlers like esbuild and rspack to extract step relationships and flow control.

#dist #sre

Read original

Cloudflare BlogMar 26, 2026

A one-line Kubernetes fix that saved 600 hours a year

Why it matters: Default Kubernetes volume management can cause massive downtime for stateful apps with many small files. Understanding fsGroupChangePolicy is crucial for SREs to prevent recursive ownership checks from blocking pod startups and wasting hundreds of engineering hours.

Atlantis restarts were taking 30 minutes due to a large number of files on the Persistent Volume (PV) causing inode exhaustion and slow mounts.
Kubernetes defaults to recursively changing ownership (chgrp -R) of all files in a volume if fsGroup is specified in the securityContext.
For volumes with millions of files, this recursive check becomes a significant bottleneck, leading to context deadline exceeded errors in kubelet.
The issue was diagnosed by analyzing kubelet systemd logs rather than standard pod events, which failed to show the underlying volume mounting delay.
The fix involved setting fsGroupChangePolicy to OnRootMismatch, which only triggers ownership changes if the root directory's permissions don't match.
This one-line configuration change reduced restart times from 30 minutes to under 2 minutes, saving approximately 600 hours of engineering time annually.

#sre #security

Read original

Page 5 of 15

Prev 1...3 4 5 6 7...15 Next