Cloudflare Blog

https://blog.cloudflare.com/

Cloudflare BlogMar 3, 2026

How Cloudy translates complex security into human action

Why it matters: Cloudy bridges the gap between sophisticated ML detections and human action. By providing clear context for security flags, it reduces alert fatigue for SOC teams and empowers end users to make better security decisions in real-time without needing deep technical expertise.

Cloudy is an LLM-powered explanation layer built on Cloudflare Workers AI to translate complex security telemetry into human-readable guidance.
The system integrates with Cloudflare Email Security to provide real-time summaries explaining why specific messages were flagged as malicious or suspicious.
By embedding explanations into the Phishnet reporting tool, Cloudy helps reduce SOC noise by educating end users at the point of interaction.
For Cloudflare CASB, Cloudy simplifies SaaS security findings by surfacing the reasoning behind detections and providing clear remediation paths.
The architecture utilizes Llama 3 and a chain-of-thought prompting approach to ensure explanations are grounded in specific, structured ML model outputs.

#security #mlp #data

Read original

Cloudflare BlogMar 2, 2026

Beyond the blank slate: how Cloudflare accelerates your Zero Trust journey

Why it matters: Project Helix reduces Zero Trust adoption barriers by replacing manual, error-prone configurations with automated best practices. This allows engineers to deploy secure, optimized SASE environments in minutes while ensuring consistency across complex network architectures.

Project Helix automates the configuration of Cloudflare One to eliminate the 'blank slate' problem and reduce deployment friction.
The system codifies best practices from solutions engineers into reusable Terraform templates for consistent, error-free SASE setups.
Automated policies cover DNS protection, TLS inspection, Remote Browser Isolation, and visibility controls for AI applications.
Helix addresses complex networking tasks like configuring CGNAT ranges for private app routing and managing split-tunneling for real-time apps.
The solution leverages a web-based UI hosted on Cloudflare Workers to trigger infrastructure-as-code deployments via API.

#security #sre

Read original

Cloudflare BlogMar 2, 2026

Modernizing with agile SASE: a Cloudflare One blog takeover

Why it matters: Agile SASE moves security from rigid hardware silos to a programmable, single-pass global network. For engineers, this reduces technical debt, eliminates performance bottlenecks caused by service-chaining, and enables custom security logic via native developer platforms like Cloudflare Workers.

Cloudflare One introduces agile SASE, a composable platform designed to replace fragmented legacy hardware and VPNs with a unified connectivity cloud.
The platform utilizes a single-pass architecture across 300+ cities, eliminating service-chaining bottlenecks by running all security checks on every server simultaneously.
Integration with Cloudflare Workers allows developers to write custom code for real-time security event interception, moving beyond static allow/block rules.
Modernization focuses on five key areas: remote access, AI-powered email protection, DNS filtering, safe AI governance, and simplified branch networking.
Upcoming technical deep-dives will cover identity evolution, AI-driven threat detection, and the engineering behind the autonomous edge for performance-centric security.

#security #dist #sre

Read original

Cloudflare BlogMar 2, 2026

The truly programmable SASE platform

Why it matters: Cloudflare's programmable SASE allows engineers to build context-aware security policies using code. By executing logic at the edge, teams can integrate external data into access decisions in real-time, reducing latency and complexity compared to traditional webhook-based automation.

Cloudflare defines true programmability as the ability to intercept security events, enrich them with external context, and act in real-time.
The platform integrates SASE (Cloudflare One) with the Developer Platform (Workers), allowing security logic to run on the same global edge network.
Engineers can move beyond static 'allow/block' rules by using Workers to inject dynamic headers or query external risk APIs inline.
Managed actions provide templates for common IT and compliance workflows, while custom actions allow for bespoke logic via serverless functions.
This architecture eliminates the latency overhead typically associated with routing traffic to separate cloud environments for policy enforcement.
Real-world use cases include automated device session revocation and context-aware access based on external training or certification databases.

#security #dist #sre

Read original

Cloudflare BlogFeb 27, 2026

Toxic combinations: when small signals add up to a security incident

Why it matters: Engineers often overlook minor anomalies, but their convergence signals sophisticated attacks. Understanding toxic combinations helps teams move beyond signature-based defense to intent-based security, identifying breaches that lack obvious exploit payloads.

Toxic combinations are security incidents where attackers exploit multiple minor misconfigurations or anomalies that appear harmless in isolation.
Cloudflare identifies these by intersecting bot traffic data, sensitive application paths (e.g., /wp-admin, /debug), and request anomalies like geo jumps or identity mismatches.
Traditional point defenses like WAFs often focus on individual requests, whereas toxic combination detection analyzes the broader context and intent of multiple signals.
Analysis shows that while only 0.25% of non-WordPress hosts are susceptible, these represent high-risk vulnerabilities to compromise.
Engineers can use tools like Cloudflare Log Explorer to run queries that identify automated probing of administrative endpoints and debug flags.

#security #data

Read original

Cloudflare BlogFeb 27, 2026

ASPA: making Internet routing more secure

Why it matters: BGP route leaks cause major outages and security risks. ASPA extends RPKI to verify the entire routing path, not just the destination. For network engineers, this standard is a critical step toward a more secure and predictable Internet by cryptographically preventing unauthorized traffic detours.

ASPA (Autonomous System Provider Authorization) is a new cryptographic standard designed to prevent BGP route leaks by validating the entire network path.
While RPKI and ROAs verify the destination of traffic, ASPA verifies the sequence of Autonomous Systems (AS_PATH) it traverses.
ASPA allows network operators to publish a list of authorized upstream providers within the existing RPKI infrastructure.
Validation follows valley-free routing principles, ensuring traffic moves up to providers and down to customers without unauthorized lateral or downward-then-upward shifts.
Cloudflare Radar has introduced a monitoring tool to track ASPA adoption trends across Regional Internet Registries and individual Autonomous Systems.

#security #dist

Read original

Cloudflare BlogFeb 27, 2026

Bringing more transparency to post-quantum usage, encrypted messaging, and routing security

Why it matters: As quantum computing threats loom, transitioning to post-quantum cryptography and securing BGP routing are critical for long-term data integrity. These tools provide the transparency needed to audit infrastructure readiness and verify the security of encrypted communication channels.

Cloudflare Radar now monitors post-quantum (PQ) encryption support for origin-facing connections, complementing existing client-side tracking.
A new public tool allows users to verify if specific hostnames support PQ-secure hybrid key exchange algorithms like X25519MLKEM768.
The Key Transparency dashboard provides real-time verification status of logs for encrypted messaging services, ensuring public key integrity.
Routing security insights now include data on ASPA (Autonomous System Provider Authorization) deployment to mitigate BGP route leaks.
Origin-side PQ support has seen a 10x increase over the past year, driven by default enablement in libraries like OpenSSL 3.5.0 and Go 1.24.

#security #data #dist

Read original

Cloudflare BlogFeb 27, 2026

The most-seen UI on the Internet? Redesigning Turnstile and Challenge Pages

Why it matters: Redesigning a UI served billions of times daily requires balancing security, accessibility, and performance. This case study shows how to handle massive-scale deployments while reducing user friction in critical security checkpoints, ensuring a better experience for a global audience.

Cloudflare redesigned its Turnstile and Challenge Pages to improve the user experience for 7.67 billion daily security verifications.
A comprehensive design audit revealed fragmented error states and overly technical messaging that increased user frustration.
The team mapped complex user journeys to identify 'unhappy paths' and replaced technical jargon with actionable, human-readable guidance.
The redesign addresses a 58% year-over-year increase in security challenges driven by the rise of AI-powered bot attacks.
Engineering efforts focused on maintaining performance and accessibility at an unprecedented global scale while ensuring backward compatibility.

#security #frontend #culture

Read original

Cloudflare BlogFeb 27, 2026

We deserve a better streams API for JavaScript

Why it matters: Modern web apps rely on streaming data, yet the current Web Streams API is plagued by performance bottlenecks and a complex locking model. Understanding these flaws is crucial for engineers building high-performance runtimes or handling large-scale data processing in JavaScript.

The WHATWG Streams Standard was designed before async iteration (ES2018), leading to an API that relies on complex reader/writer acquisition instead of idiomatic language primitives.
Web streams use a restrictive locking model where forgetting to call releaseLock() can permanently break a stream, creating significant debugging hurdles.
The current API requires excessive boilerplate for common operations, such as manually managing reader locks and the { value, done } protocol.
Retrofitting async iteration onto Web streams hides but does not solve underlying complexity, and it fails to support advanced features like BYOB (Bring Your Own Buffer) reads.
Benchmarks show that alternative stream implementations leveraging modern JS features can be 2x to 120x faster than the current standard across various runtimes.
The author advocates for a new streaming standard that aligns with modern JavaScript development patterns to improve both performance and developer experience.

#data #frontend #dist

Read original

Cloudflare BlogFeb 24, 2026

How we rebuilt Next.js with AI in one week

Why it matters: vinext solves the 'deployment problem' for Next.js on non-Vercel platforms by replacing the bespoke Turbopack toolchain with Vite. This offers engineers faster builds, smaller bundles, and native compatibility with Cloudflare Workers without sacrificing the familiar Next.js developer experience.

Cloudflare introduced vinext, a Vite-based, drop-in replacement for Next.js developed in one week using AI models.
The framework reimplements Next.js APIs like RSC and Server Actions directly on Vite, bypassing fragile build-output adapters like OpenNext.
Benchmarks show production builds up to 4.4x faster and client bundle sizes reduced by 57% using the Rolldown bundler.
It features first-class support for Cloudflare Workers, including single-command deployment and built-in ISR via Cloudflare KV.
By using the Vite Environment API, vinext ensures the development server and production output run natively on target runtimes.

#frontend #dist

Read original

Page 9 of 15

Prev 1...7 8 9 10 11...15 Next