Cloudflare Blog

Why it matters: Client-side attacks like skimming are hard to detect because they don't break site functionality. Cloudflare's use of GNNs and LLMs to analyze script intent at scale allows engineers to secure front-end dependencies and meet PCI DSS v4 compliance without manual overhead or performance lag.

Cloudflare has expanded access to Client-Side Security Advanced for self-serve customers and made domain-based threat intelligence free for all users.
The system uses browser reporting and Content Security Policy (CSP) to monitor scripts with zero latency impact on web applications.
Detection logic utilizes Graph Neural Networks (GNN) to analyze Abstract Syntax Trees (AST), identifying malicious intent rather than relying on static signatures.
A new LLM-based triage layer has been integrated to reduce false positives by distinguishing between malicious code and benign but obfuscated scripts like ad-tech bundles.
The platform automates code change monitoring and proactive blocking, assisting organizations in meeting PCI DSS v4 compliance requirements.

#security #frontend #mlp

Read original

Cloudflare BlogMar 27, 2026

How we use Abstract Syntax Trees (ASTs) to turn Workflows code into visual diagrams

Why it matters: Visualizing code-based workflows is difficult due to dynamic logic like loops and parallel promises. Using ASTs to generate diagrams provides critical observability into complex durable executions, helping engineers debug and verify logic whether written by humans or AI agents.

Cloudflare Workflows now automatically generates visual diagrams for every deployment to improve observability of complex logic.
Unlike declarative workflow engines using YAML or JSON, Cloudflare uses Abstract Syntax Trees (ASTs) to statically derive graphs from dynamic JavaScript/TypeScript code.
The visualizer tracks Promise and await relationships to accurately represent parallel execution versus sequential blocking steps.
Diagrams are generated at deploy time by fetching bundled scripts and traversing an intermediate graph of WorkflowEntrypoints.
The underlying architecture uses a Durable Object engine to manage execution and dynamic dispatch to trigger user workers.
The system handles minified code from various bundlers like esbuild and rspack to extract step relationships and flow control.

#dist #sre

Read original

Cloudflare BlogMar 26, 2026

A one-line Kubernetes fix that saved 600 hours a year

Why it matters: Default Kubernetes volume management can cause massive downtime for stateful apps with many small files. Understanding fsGroupChangePolicy is crucial for SREs to prevent recursive ownership checks from blocking pod startups and wasting hundreds of engineering hours.

Atlantis restarts were taking 30 minutes due to a large number of files on the Persistent Volume (PV) causing inode exhaustion and slow mounts.
Kubernetes defaults to recursively changing ownership (chgrp -R) of all files in a volume if fsGroup is specified in the securityContext.
For volumes with millions of files, this recursive check becomes a significant bottleneck, leading to context deadline exceeded errors in kubelet.
The issue was diagnosed by analyzing kubelet systemd logs rather than standard pod events, which failed to show the underlying volume mounting delay.
The fix involved setting fsGroupChangePolicy to OnRootMismatch, which only triggers ownership changes if the root directory's permissions don't match.
This one-line configuration change reduced restart times from 30 minutes to under 2 minutes, saving approximately 600 hours of engineering time annually.

#sre #security

Read original

Cloudflare BlogMar 24, 2026

Sandboxing AI agents, 100x faster

Why it matters: This technology enables secure, high-performance execution of AI-generated code. By replacing heavy containers with lightweight V8 isolates, engineers can build responsive, consumer-scale AI agents that operate with minimal latency and significantly lower infrastructure costs.

Cloudflare's Dynamic Worker Loader allows Workers to instantiate new, isolated sandboxes at runtime using AI-generated code.
Built on V8 isolates, these sandboxes start in milliseconds and use minimal memory, performing 100x faster than traditional Linux containers.
The system enables 'Code Mode,' where agents write TypeScript to call APIs directly, reducing token usage by up to 81% compared to standard tool calling.
Dynamic Workers run on the same thread as the parent Worker, ensuring zero-latency execution across Cloudflare's global edge network.
Security is enforced through strict isolation and RPC-based capability sharing, allowing fine-grained control over what the AI-generated code can access.

#mlp #security #dist

Read original

Cloudflare BlogMar 23, 2026

Inside Gen 13: how we built our most powerful server yet

Why it matters: Cloudflare's Gen 13 hardware shows how software shifts, like the Rust-based FL2, enable radical hardware optimizations. By reducing cache dependency, they achieved 2x throughput and 50% better power efficiency, which is critical for scaling global edge networks sustainably.

Gen 13 features the 192-core AMD EPYC Turin 9965 processor, doubling the core count and hardware threads compared to the previous generation.
The hardware refresh leverages Cloudflare's FL2 Rust-based rewrite, which reduces L3 cache dependency and allows for linear scaling with higher core counts.
Memory capacity doubled to 768GB of DDR5-6400 across 12 channels, significantly increasing bandwidth for memory-intensive edge workloads.
Networking throughput increased 4x via dual 100 GbE ports, utilizing Intel E830 or NVIDIA Mellanox ConnectX-6 Dx adapters.
The design achieves a 50% improvement in performance-per-watt and 60% higher throughput per rack while maintaining constant power budgets.
Security is bolstered with new PCIe encryption hardware support and a DC-SCM 2.0-based Hardware Root of Trust (HRoT).

#dist #finops #security

Read original

Cloudflare BlogMar 23, 2026

Launching Cloudflare’s Gen 13 servers: trading cache for cores for 2x edge compute performance

Why it matters: This shift demonstrates how software architecture must evolve to match hardware trends. By rewriting core layers in Rust, Cloudflare decoupled performance from cache locality, enabling the use of high-density CPUs to double edge throughput and improve power efficiency.

Cloudflare's Gen 13 servers adopt AMD EPYC 5th Gen (Turin) processors, doubling core counts to 192 per socket.
The new hardware trades per-core L3 cache (2MB vs 12MB in Gen 12) for massive throughput and 32% better power efficiency.
Legacy NGINX/LuaJIT software (FL1) faced 50% latency regressions on the new chips due to increased DRAM fetch cycles.
The transition to FL2, a Rust-based rewrite of the request handling layer, successfully decoupled performance from cache locality.
FL2 allows Gen 13 to achieve 2x edge compute performance gains while maintaining strict latency SLAs.
Engineers utilized AMD Platform Quality of Service (PQOS) to optimize shared resource allocation across Core Complex Dies (CCDs).

#sre #dist #finops

Read original

Cloudflare BlogMar 19, 2026

Powering the agents: Workers AI now runs large models, starting with Kimi K2.5

Why it matters: Cloudflare is evolving Workers AI into a full-stack agent platform by adding frontier-scale models. By combining large context windows with optimized inference and usage-based pricing, they enable cost-effective, high-performance autonomous agents at enterprise scale.

Workers AI now supports frontier-scale models, starting with Moonshot AI’s Kimi K2.5, featuring a 256k context window and vision support.
The platform leverages custom kernels and the Infire inference engine to optimize GPU utilization and throughput for large-scale LLMs.
New prefix caching functionality reduces latency and costs by reusing processed input tokens in multi-turn agentic conversations.
Cloudflare has transitioned Workers AI to a usage-based pricing model, charging per-token to better accommodate high-volume agent workloads.
The integration combines LLMs with existing primitives like Durable Objects and Workflows to provide a unified environment for autonomous agents.

#mlp #dist #finops

Read original

Cloudflare BlogMar 18, 2026

Introducing Custom Regions for precision data control

Why it matters: This allows engineers to meet strict data sovereignty and compliance requirements without losing global DDoS protection. By decoupling ingestion from processing, teams can precisely control where TLS termination and L7 logic occur, which is critical for regulated industries and AI data privacy.

Cloudflare expanded its Regional Services to include Turkey, UAE, IRAP (Australia), and ISMAP (Japan), totaling 35 managed regions.
Introduced Custom Regions, allowing customers to define precise geographical boundaries for traffic processing using expression-based rules.
The architecture decouples global L3/L4 DDoS mitigation at the edge from regional L7 processing and TLS termination.
Traffic entering outside a specified region is routed via a secure private backbone to an in-region data center before decryption.
Custom Regions support specialized use cases like localizing AI inference, meeting government compliance, and aligning with corporate structures.

#security #dist #data

Read original

Cloudflare BlogMar 16, 2026

Standing up for the open Internet: why we appealed Italy’s "Piracy Shield" fine

Why it matters: This case highlights the technical and legal risks of IP-based blocking. For engineers, it underscores how blunt regulatory tools can disrupt shared infrastructure, causing widespread outages for innocent services and challenging the fundamental architecture of the open Internet.

Cloudflare is appealing a €14 million fine from Italy's AGCOM over its refusal to participate in the Piracy Shield blocking system.
Piracy Shield allows private rightsholders to mandate IP-level blocking within 30 minutes without judicial oversight or transparency.
The system relies on IP address blocking, which leads to significant collateral damage as thousands of legitimate sites often share a single IP.
Documented failures include the accidental blocking of Google Drive, Ukrainian government sites, and various NGOs for extended periods.
Cloudflare argues the scheme violates the EU Digital Services Act (DSA) by lacking proportionality and procedural safeguards.
A 2025 study by the University of Twente confirmed that the system routinely causes persistent collateral blocking of legitimate web services.

#security #culture #dist

Read original

Cloudflare BlogMar 13, 2026

From legacy architecture to Cloudflare One

Why it matters: Migrating legacy infrastructure to Zero Trust is notoriously risky. This approach allows engineers to modernize security for old applications without rewriting code, reducing the attack surface via outbound-only tunnels while maintaining session persistence and operational stability.

Adopts a tiered, risk-aware methodology to move applications based on complexity rather than using a risky 'big bang' migration approach.
Utilizes Cloudflare Access to wrap legacy applications in a Zero Trust layer, enabling MFA and SSO without requiring any code changes.
Employs Cloudflare Tunnel to create outbound-only connections, effectively hiding internal services from the public internet by removing public IP addresses.
Conducts pre-migration audits to map backend dependencies and identity providers, ensuring service continuity during the transition.
Leverages Dynamic Path MTU Discovery (PMTUD) to maintain persistent sessions at the edge even when client IP addresses change.

#security #sre

Read original

Page 8 of 18

Prev 1...6 7 8 9 10...18 Next