Cloudflare Blog

Why it matters: This article provides a blueprint for implementing "shift left" security and IaC at enterprise scale, crucial for preventing misconfigurations, enhancing consistency, and improving operational efficiency in large, complex environments.

Cloudflare adopted "shift left" principles and Infrastructure as Code (IaC) to manage its critical platform securely and consistently at enterprise scale.
All production account configurations are managed via IaC using Terraform, integrated with a custom CI/CD pipeline (Atlantis, GitLab, tfstate-butler).
A centralized monorepo holds all configurations, with teams owning their specific sections, promoting accountability and consistency.
Security baselines are enforced through Policy as Code (Open Policy Agent with Rego), shifting validation to the earliest stages of development.
Policies are automatically checked on every merge request, preventing misconfigurations before deployment and minimizing human error.

#security #sre

Read original

Cloudflare BlogDec 8, 2025

Python Workers redux: fast cold starts, packages, and a uv-first workflow

Why it matters: Engineers can now deploy Python applications globally on Cloudflare Workers with full package support and exceptionally fast cold starts. This significantly improves serverless Python development, offering a highly performant and flexible platform for a wide range of edge computing use cases.

Cloudflare Python Workers now support any Pyodide-compatible package, including pure Python and many dynamic libraries, enhancing developer flexibility.
A uv-first workflow and pywrangler tooling simplify package installation and global deployment of Python applications on the Workers platform.
Significant cold start performance improvements have been achieved through dedicated memory snapshots, making Python Workers 2.4x faster than AWS Lambda and 3x faster than Google Cloud Run for package-heavy applications.
The platform offers a free tier and supports various use cases, from FastAPI apps and HTML templating to real-time chat with Durable Objects and image generation.
These advancements provide a Python-native serverless experience with global deployment and minimal latency.

#dist #sre

Read original

Cloudflare BlogDec 5, 2025

Cloudflare outage on December 5, 2025

Why it matters: This incident underscores the critical impact of configuration management in distributed systems. It highlights how rapid, global deployments without gradual rollouts and robust error handling can lead to widespread outages, even from seemingly minor code paths.

A 25-minute Cloudflare outage on Dec 5, 2025, impacted 28% of HTTP traffic due to a configuration change.
The incident stemmed from disabling an internal WAF testing tool, intended to mitigate a React Server Components vulnerability (CVE-2025-55182).
A global configuration system, lacking gradual rollout, propagated a change that triggered a Lua runtime error in the FL1 proxy.
The error was an attempt to access a nil value ('rule_result.execute') when a killswitch skipped an "execute" action rule, a bug undetected for years.
This highlights the need for robust type systems and safe deployment practices, especially for critical infrastructure.
Cloudflare acknowledges similar past incidents and is prioritizing enhanced rollouts and versioning to prevent future widespread impacts.

#sre #dist #security

Read original

Cloudflare BlogDec 3, 2025

Cloudflare WAF proactively protects against React vulnerability

Why it matters: This article is crucial for engineers managing React/Next.js applications, highlighting an RCE vulnerability and Cloudflare's WAF as a critical first line of defense. It emphasizes the importance of both network-level protection and prompt application-level updates.

Cloudflare WAF has deployed new rules to proactively protect against a critical Remote Code Execution (RCE) vulnerability (CVE-2025-55182, CVSS 10.0) in React Server Components.
The vulnerability impacts React versions 19.0-19.2 and Next.js versions 15-16, allowing insecure deserialization leading to RCE.
All Cloudflare customers with traffic proxied through WAF are automatically protected, including free and paid plans, with default block actions.
Cloudflare Workers-based applications are inherently immune to this specific exploit.
Despite WAF protection, users are strongly recommended to update to React 19.2.1 and the latest Next.js versions (16.0.7, 15.5.7, 15.4.8).
Specific WAF rule IDs (e.g., 33aa8a8a948b48b28d40450c5fb92fba) have been deployed across Cloudflare's network.

#security #frontend

Read original

Cloudflare BlogDec 3, 2025

Cloudflare's 2025 Q3 DDoS threat report -- including Aisuru, the apex of botnets

Why it matters: This report highlights the escalating scale and sophistication of DDoS attacks, exemplified by the Aisuru botnet. Engineers must prioritize robust, autonomous defense systems to protect critical infrastructure and services from increasingly powerful and short-lived threats.

The Aisuru botnet dominated Q3 2025, launching hyper-volumetric DDoS attacks up to 29.7 Tbps and 14.1 Bpps, causing significant internet disruption.
Cloudflare mitigated 8.3 million DDoS attacks in Q3 2025, a 15% QoQ and 40% YoY increase, with network-layer attacks surging 87% QoQ.
DDoS attacks against AI companies increased by 347% MoM in September, while attacks on Mining/Metals and Automotive sectors also rose due to geopolitical tensions.
The majority of DDoS attacks are short-lived (under 10 minutes), emphasizing the need for autonomous, real-time mitigation systems.
Aisuru, available as a botnet-for-hire, targeted critical infrastructure, telecommunications, gaming, and financial services, demonstrating its disruptive potential.

#security #dist

Read original

Cloudflare BlogDec 1, 2025

Why Replicate is joining Cloudflare

Why it matters: Replicate's acquisition by Cloudflare signifies a major step towards building a comprehensive, integrated AI infrastructure. It promises to simplify the deployment and scaling of complex AI applications by combining model serving with a global network and full-stack primitives.

Replicate, founded in 2019, aimed to democratize access to research-grade ML models by abstracting away infrastructure complexities.
They developed Cog for model packaging and the Replicate platform for running models as cloud API endpoints, successfully scaling with models like Stable Diffusion.
The modern AI stack has evolved beyond just model inference, requiring a full suite of services like microservices, storage, and databases.
Replicate is joining Cloudflare to leverage Cloudflare's extensive network, Workers, R2, and other primitives to build a complete, integrated AI infrastructure layer.
This acquisition will enable faster edge models, model pipelines on Workers, and streaming model I/O, realizing a vision where "the network is the computer" for AI.

#mlp #dist #data

Read original

Cloudflare BlogNov 25, 2025

Partnering with Black Forest Labs to bring FLUX.2 [dev] to Workers AI

Why it matters: Engineers can leverage FLUX.2 on Workers AI for highly consistent, photorealistic image generation, solving challenges like stochastic drift. Its advanced controls and multi-reference editing enable robust AI-powered applications for marketing, e-commerce, and creative content.

FLUX.2 [dev], a new open-weight image generation model from Black Forest Labs, is now available on Cloudflare Workers AI.
It offers enhanced photorealism, physical world grounding, and supports advanced customization like JSON prompting and multipart form data for multiple image inputs.
A key feature is its ability to maintain character and product consistency across multiple generations, addressing "stochastic drift" through multi-reference editing.
FLUX.2 is designed for functional business use cases, enabling consistent ad variations, reliable product shots, and dynamic editorial content.
It supports granular controls including JSON prompting, HEX codes, and multi-language input for highly specific image generation.

#mlp

Read original

Cloudflare BlogNov 24, 2025

Get better visibility for the WAF with payload logging

Why it matters: Engineers can now precisely debug WAF false positives and fine-tune security rules by understanding exactly which request fields trigger actions. This improves application security posture and reduces operational overhead from misconfigured WAFs.

Cloudflare's WAF protects against layer 7 attacks using various rulesets, but fine-tuning is necessary due to inevitable false positives.
Traditional WAF logging only indicates if a rule matched, failing to specify which part of a complex request or rule expression triggered the action.
Ambiguity arises from logical OR expressions, data transformations (e.g., Base64, URL decoding), cumulative scoring rulesets, and private rule logic.
Payload logging solves this by detailing the exact fields and their post-transformation values that caused a WAF rule to match.
This feature significantly enhances visibility, simplifies false positive identification, ensures rule correctness, and improves WAF fine-tuning.
Payload logging leverages the Wirefilter engine, re-evaluating the Rulesets Engine's execution context with a dedicated PayloadLoggingCompiler to pinpoint matching elements.

#security

Read original

Cloudflare BlogNov 18, 2025

Cloudflare outage on November 18, 2025

Why it matters: This incident highlights the critical importance of robust change management, configuration validation, and effective incident response in large-scale distributed systems. It underscores how seemingly minor changes can cascade into widespread failures.

Cloudflare experienced a significant outage due to a database permission change that generated an oversized "feature file" for its Bot Management system.
The excessively large feature file, propagated across the network, caused routing software to fail as it exceeded an internal size limit.
Initial incident response was complicated by fluctuating system failures, leading to a temporary misdiagnosis of a DDoS attack.
Resolution involved halting the propagation of the bad configuration, manually inserting a known good file, and restarting the core proxy.
The outage impacted core CDN, security services, Workers KV, Turnstile, and Access, manifesting as widespread HTTP 5xx errors and increased latency.

#sre #dist #security

Read original

Cloudflare BlogNov 17, 2025

Replicate is joining Cloudflare

Why it matters: This acquisition significantly enhances Cloudflare's AI capabilities, offering developers a vast model catalog and simplified deployment on a global, high-performance edge network. It streamlines AI application development, making advanced models more accessible and efficient for engineers.

Replicate, a leading AI model platform, is joining Cloudflare to integrate its services into Cloudflare's Developer Platform.
This acquisition significantly expands Cloudflare's Workers AI model catalog, enabling users to run fine-tuned and custom models directly on the platform.
Replicate's platform simplifies AI model deployment by abstracting complex infrastructure, utilizing its open-source tool Cog for containerization.
Cloudflare's 'AI Cloud' provides serverless GPU inference at the edge (Workers AI), a control plane (AI Gateway), data storage (Vectorize, R2), and orchestration tools.
The combined entity will offer a comprehensive selection of over 50,000 models from Replicate's catalog, runnable on Cloudflare's global, high-performance network.

#mlp #dist

Read original

Page 7 of 10

Prev 1...5 6 7 8 9 10 Next