Cloudflare Blog

https://blog.cloudflare.com/

Cloudflare BlogApr 13, 2026

Dynamic, identity-aware, and secure Sandbox auth

Why it matters: Outbound Workers solve the 'untrusted agent' problem by moving auth logic out of the sandbox. This enables zero-trust security for AI workloads, allowing engineers to inject secrets and enforce granular RBAC at the network edge without exposing sensitive tokens to LLMs.

Cloudflare introduced outbound Workers for Sandboxes, acting as programmatic egress proxies for microVM-based environments.
These proxies enable zero-trust authentication by injecting secrets at the egress point, keeping credentials hidden from untrusted AI agents.
Developers can implement granular traffic control, allowing for logging, modification, or blocking of requests based on destination or method.
The system supports identity-aware routing, applying specific rules and credentials dynamically based on the sandbox's unique identity.
By executing on the same host as the sandbox, the proxy minimizes latency while remaining transparent to the sandboxed application.

#security #mlp #dist

Read original

Cloudflare BlogApr 12, 2026

Welcome to Agents Week

Why it matters: AI agents require a massive shift in infrastructure. Traditional containers are too heavy for the one-to-one scaling agents demand. Using V8 isolates allows for the ephemeral, high-concurrency execution needed to make agentic workflows economically and technically viable at global scale.

AI agents shift the cloud paradigm from one-to-many microservices to one-to-one execution environments tailored for specific tasks.
Traditional container-based infrastructure lacks the efficiency to handle the projected scale of millions of concurrent agent sessions.
V8 isolates provide a lightweight alternative to containers, offering ~100x faster startup times and ~100x better memory efficiency.
Cloudflare's Dynamic Workers enable on-demand execution environments that make the per-unit economics of agents viable for mass adoption.
The industry is moving toward structured protocols like Model Context Protocol (MCP) to replace agents navigating human-centric UIs.

#dist #mlp #finops

Read original

Cloudflare BlogApr 10, 2026

500 Tbps of capacity: 16 years of scaling our global network

Why it matters: This milestone demonstrates how massive-scale infrastructure can handle record-breaking DDoS attacks (31.4 Tbps) autonomously. It showcases the power of pushing security and compute to the edge using eBPF and XDP, allowing for high-performance, distributed application hosting.

Cloudflare reached 500 Tbps of external capacity across 330+ cities, supporting over 20% of the web.
Autonomous DDoS mitigation uses eBPF and XDP (l4drop) to drop malicious packets at line rate without human intervention.
The 'dosd' daemon samples traffic and broadcasts mitigation rules globally via Quicksilver, a distributed KV store.
Layer 4 load balancing is handled by Unimog, while flowtrackd provides stateful TCP inspection for enterprise traffic.
The network has evolved into a distributed developer platform (Workers) that now supports V8 isolates and edge containers.

#security #dist #sre

Read original

Cloudflare BlogApr 8, 2026

From bytecode to bytes: automated magic packet generation

Why it matters: This approach automates the analysis of stealthy BPF-based malware, allowing engineers to quickly identify and replicate the 'magic' packets used to trigger backdoors. It demonstrates how symbolic execution and theorem provers like Z3 can solve complex reverse-engineering bottlenecks.

Linux malware uses Berkeley Packet Filter (BPF) socket programs to remain dormant until a specific 'magic' packet is received.
Manually reverse-engineering complex BPF filters with hundreds of instructions is a significant bottleneck for security researchers.
Symbolic execution treats code as a series of constraints rather than instructions, allowing researchers to work backward from a target state.
By integrating the Z3 theorem prover, researchers can automatically generate the exact network packet required to trigger a malicious filter.
The tool calculates the shortest execution path to an 'ACCEPT' state by tracking conditional jumps and instruction offsets.
This automation reduces the time required to analyze sophisticated backdoors like BPFDoor from hours to just a few seconds.

#security

Read original

Cloudflare BlogApr 7, 2026

Cloudflare targets 2029 for full post-quantum security

Why it matters: The timeline for quantum computers to break standard encryption has accelerated to 2029. Engineers must prioritize post-quantum migration now to protect against both 'harvest-now/decrypt-later' threats and future authentication bypasses as cryptographic standards become obsolete.

Cloudflare has accelerated its post-quantum (PQ) security roadmap, targeting full PQ-readiness including authentication by 2029.
Recent breakthroughs in neutral atom quantum computing have drastically reduced the physical qubit count required to break RSA-2048 and P-256.
Oratomic research indicates that reconfigurable qubits allow for highly efficient error correction, requiring only 3-4 physical qubits per logical qubit.
Google has demonstrated significant algorithmic improvements that speed up the process of cracking elliptic curve cryptography.
The industry-wide estimate for Q-Day has shifted from 2035+ to as early as 2029, prompting urgent migration efforts across major tech providers.

#security #dist

Read original

Cloudflare BlogApr 6, 2026

How we built Organizations to help enterprises manage Cloudflare at scale

Why it matters: Managing large-scale infrastructure across fragmented accounts creates security risks and operational overhead. This update simplifies governance by centralizing identity, policy enforcement, and observability, allowing engineers to maintain the principle of least privilege at scale.

Cloudflare Organizations provides a centralized management layer for enterprises to oversee multiple accounts, users, and configurations.
Introduces the Org Super Administrator role, which grants global permissions across all accounts without requiring individual account memberships.
Enables shared configurations, allowing security teams to centrally manage and deploy WAF and Gateway policies across the entire organization.
Provides a unified analytics dashboard that aggregates HTTP traffic data from all accounts and zones for better visibility.
The backend refactor consolidated authorization checks into a domain-scoped roles system, resulting in a 27% performance improvement for permission enumeration.
Future roadmap items include organization-level audit logs, centralized billing reports, and additional granular user roles.

#security #sre

Read original

Cloudflare BlogApr 2, 2026

Why we're rethinking cache for the AI era

Why it matters: AI crawlers disrupt traditional CDN caching by prioritizing long-tail content over popular pages. Engineers must rethink cache eviction policies to prevent AI bots from degrading performance for human users while still supporting the data needs of LLMs and RAG systems.

AI crawlers account for 32% of automated traffic, with 80% of that volume focused on harvesting data for LLM training.
AI traffic patterns differ significantly from human behavior, characterized by high-volume parallel requests and sequential scans of long-tail content.
Modeling shows AI agents maintain a unique access ratio between 70% and 100%, leading to very low content reuse within the cache.
Traditional CDN cache architectures face a dichotomy between optimizing for human-centric popular content or broad AI crawler scans.
Cloudflare and ETH Zurich research suggests that current cache eviction policies must evolve to prevent AI bots from evicting useful human-requested data.

#dist #data #mlp

Read original

Cloudflare BlogApr 1, 2026

Introducing EmDash — the spiritual successor to WordPress that solves plugin security

Why it matters: EmDash modernizes CMS architecture by replacing insecure PHP-based plugin hooks with isolated serverless environments. This shift to capability-based security and modern TypeScript tooling solves decades-old security vulnerabilities while maintaining the extensibility of the WordPress model.

EmDash is an open-source, MIT-licensed CMS built from scratch using TypeScript and the Astro framework.
It addresses WordPress's fundamental security flaws by sandboxing plugins within isolated Dynamic Workers.
Plugins utilize a capability-based security model, requiring explicit declarations of permissions like database access or network calls in a manifest.
The architecture is serverless-first but portable, allowing deployment on Cloudflare, Node.js, or private hardware.
By using static declarations for plugin needs, administrators can audit and restrict plugin behavior at install time rather than relying on allowlists.

#security #frontend #dist

Read original

Cloudflare BlogApr 1, 2026

Our ongoing commitment to privacy for the 1.1.1.1 public DNS resolver

Why it matters: DNS is a critical internet protocol that can leak significant user behavior data. Cloudflare's independent audit provides a rare, verifiable guarantee of privacy in a space where 'trust us' is the norm, setting a technical and ethical benchmark for infrastructure providers.

Cloudflare completed its second independent privacy examination of the 1.1.1.1 public DNS resolver, conducted by a Big 4 accounting firm.
The review confirms that Cloudflare does not sell personal data, use it for ad targeting, or retain identifying information.
Source IP addresses are anonymized and deleted within 25 hours, maintaining strict user privacy.
The resolver now runs on a new technical platform, which was included in the scope of the latest rigorous audit.
A small fraction of traffic (0.05%) is sampled for network troubleshooting and DDoS mitigation purposes.
Anonymized transaction logs are utilized for research and services like Cloudflare Radar without compromising individual user privacy.

#security #dist #culture

Read original

Cloudflare BlogMar 31, 2026

Introducing Programmable Flow Protection: custom DDoS mitigation logic for Magic Transit customers

Why it matters: Engineers can now extend Cloudflare's DDoS protection with custom eBPF logic. This is crucial for proprietary UDP-based applications like gaming or VoIP, where generic rate limiting causes collateral damage. It provides granular, stateful control over traffic filtering at the network edge.

Cloudflare launched Programmable Flow Protection, allowing Magic Transit customers to deploy custom DDoS mitigation logic via eBPF.
The system addresses the limitations of generic DDoS protection for proprietary or custom UDP protocols used in gaming, VoIP, and streaming.
Customers can write eBPF programs to define precise 'good' versus 'bad' packet logic, which Cloudflare executes across its global edge network.
To ensure security and flexibility, these programs run in a userspace environment rather than the Linux kernel, using a specialized API for stateful mitigation.
The platform includes helper functions for storing client state, performing cryptographic validation, and issuing challenge packets to mitigate attacks without impacting legitimate users.

#security #dist #sre

Read original

Page 7 of 18

Prev 1...5 6 7 8 9...18 Next