Curated topic

sre

Posts tagged with sre

Cloudflare BlogMar 11, 2026

Slashing agent token costs by 98% with RFC 9457-compliant error responses

Why it matters: Engineers building AI agents can now handle network errors programmatically and cost-effectively. By replacing verbose HTML with structured data, Cloudflare enables agents to make deterministic decisions like exponential backoff while slashing operational token costs by 98%.

Cloudflare now serves RFC 9457-compliant structured error responses in JSON and Markdown specifically for AI agents.
The new formats replace heavy HTML error pages, reducing payload size and LLM token consumption by over 98%.
Agents can trigger these responses by sending specific Accept headers such as application/problem+json or text/markdown.
Responses include machine-readable metadata like retryable status, retry_after durations, and specific error categories.
The implementation currently covers all 1xxx-class errors, including rate limits, WAF blocks, and DNS resolution issues.
This system requires no configuration from site owners and maintains standard HTML responses for browser-based traffic.

#dist #mlp #sre

Read original

Salesforce EngineeringMar 9, 2026

Engineering Platform Trust: Cutting Customer Case Volume 20x with Petabyte-Scale Health Signals

Why it matters: This system demonstrates how to transform massive, fragmented telemetry into actionable insights. By standardizing health metrics and isolating analytics from production, engineers can proactively identify risks, reduce support overhead, and ensure platform stability at a petabyte scale.

Salesforce's Technical Health Score (THS) quantifies implementation health across five pillars: Security, Efficiency, Operational Excellence, Customization, and Observability.
The architecture processes petabytes of telemetry via an off-core analytics platform, ensuring zero impact on live transactional workloads.
Diverse metrics are normalized into a 1–100 scale using distribution-based methods to compare organizations against peers of similar complexity.
A signal-qualification framework filters for actionability, ensuring the score reflects customer-controlled configurations rather than platform-level issues.
This proactive approach has successfully reduced support case volume by 20x for customers who maintain high technical health scores.

#data #sre #security

Read original

Cloudflare BlogMar 9, 2026

Fixing request smuggling vulnerabilities in Pingora OSS deployments

Why it matters: Request smuggling vulnerabilities can lead to critical security breaches like session hijacking and cache poisoning. For engineers using Pingora as an ingress proxy, upgrading to 0.8.0 is essential to ensure RFC compliance and prevent connection desynchronization attacks.

Cloudflare patched three HTTP/1.x request smuggling vulnerabilities (CVE-2026-2833, CVE-2026-2835, CVE-2026-2836) in Pingora 0.8.0.
One flaw involved Pingora prematurely entering passthrough mode for Upgrade requests before receiving a 101 Switching Protocols response.
Vulnerabilities also stemmed from non-RFC-compliant interpretations of request bodies involving Transfer-Encoding in specific HTTP contexts.
These issues could allow attackers to bypass security controls, hijack user sessions, or poison caches in standalone Pingora deployments.
Cloudflare's CDN was unaffected due to architectural safeguards and internal proxy configurations that prevent these exploitation vectors.
Users of the Pingora framework are strongly urged to upgrade to version 0.8.0 to mitigate risks of connection desynchronization.

#security #sre

Read original

Cloudflare BlogMar 9, 2026

Complexity is a choice. SASE migrations shouldn’t take years.

Why it matters: Engineers can bypass the 'marathon of misery' of multi-year SASE deployments. By using programmable, identity-centric tools, teams can secure global infrastructure and AI workflows in weeks rather than years, reducing technical debt and improving performance.

Cloudflare One reduces SASE migration timelines from 18 months to 6 weeks by replacing legacy hardware-centric approaches with a software-defined connectivity cloud.
The platform utilizes identity-first on-ramps and consolidated policy engines to eliminate the 'trombone effect' and latency common in traditional service chaining.
Lightweight cloud-native connectors like cloudflared enable instant connectivity without requiring inbound firewall port changes.
The extensible edge allows for custom environment support, such as creating native services for Arch Linux to maintain consistent device posture checks.
Integrated AI security tools provide shadow AI visibility and Data Loss Prevention (DLP) to control sensitive data flow into LLMs.

#security #sre #dist

Read original

Cloudflare BlogMar 5, 2026

A QUICker SASE client: re-building Proxy Mode

Why it matters: This shift solves the performance penalty of SASE proxies by moving from L3 tunneling to direct L4 proxying via QUIC. It doubles throughput and lowers latency, making Zero Trust security transparent to users during high-bandwidth tasks or when coexisting with legacy VPNs.

Cloudflare re-engineered its SASE client proxy mode by replacing the WireGuard-based Layer 3 tunnel with a direct Layer 4 QUIC-based architecture.
The previous implementation relied on smoltcp, a user-space TCP stack that lacked modern features and created a performance ceiling for media-heavy traffic.
The new architecture leverages MASQUE and HTTP/3 (RFC 9114) using the CONNECT method to encapsulate traffic directly into QUIC streams.
By bypassing Layer 3 translation, the client eliminates inefficient IP packet handling and benefits from native QUIC congestion and flow control.
Internal testing demonstrated that download and upload speeds doubled while latency decreased significantly for end-users.
The update specifically improves performance for third-party VPN coexistence, high-bandwidth application partitioning, and developer CLI tools.

#security #dist #sre

Read original

Airbnb EngineeringMar 4, 2026

It Wasn’t a Culture Problem: Upleveling Alert Development at Airbnb

Why it matters: Validating alert behavior before deployment prevents alert fatigue and missed incidents. By shifting validation left through backtesting and visual diffs, teams can iterate on complex monitoring patterns at scale without risking production reliability or developer trust.

Airbnb transitioned to a Prometheus-based Observability as Code (OaC) platform managing 300,000 alerts.
Identified that traditional code reviews fail to predict alert behavior, leading to noise or missed incidents.
Implemented a local-first workflow ensuring identical execution across developer environments, CI, and production.
Developed Change Reports providing side-by-side configuration diffs and visual previews of production alerts.
Integrated bulk backtesting to simulate alerts against historical data, calculating noisiness metrics before deployment.
Reduced development cycles from weeks to minutes by shifting alert validation left in the development lifecycle.

#sre #culture

Read original

Cloudflare BlogMar 4, 2026

Mind the gap: new tools for continuous enforcement from boot to login

Why it matters: These tools close critical security gaps by ensuring continuous enforcement from device boot. By decoupling MFA from the primary IdP, engineers can prevent lateral movement even if SSO credentials are compromised, significantly reducing the blast radius of potential breaches.

Cloudflare is introducing mandatory authentication to ensure devices are secured and visible from the moment of system boot.
The Cloudflare One Client now acts as a gatekeeper, using a system firewall to block all internet traffic until a user successfully authenticates.
A new independent MFA feature provides a secondary root of trust at the network edge, separate from the primary Identity Provider (IdP).
Independent MFA supports biometrics, FIDO2 security keys, and TOTP to protect against SSO session hijacking and credential compromise.
Administrators can define granular, per-application policies, requiring higher assurance authentication for sensitive resources like production databases.

#security #sre

Read original

GitHub EngineeringMar 3, 2026

How we rebuilt the search architecture for high availability in GitHub Enterprise Server

Why it matters: This architectural shift eliminates common failure modes in high-availability setups where search indexes could become locked or corrupted during upgrades. By using native Cross Cluster Replication, engineers gain a more resilient, easier-to-maintain search infrastructure.

GitHub Enterprise Server (GHES) transitioned from a single multi-node Elasticsearch cluster to independent single-node clusters per instance.
The previous architecture allowed primary shards to migrate to read-only replica nodes, causing system locks during maintenance and upgrades.
The new architecture utilizes Elasticsearch’s Cross Cluster Replication (CCR) to synchronize data between independent clusters.
CCR ensures data durability by replicating information only after it has been persisted to the underlying Lucene segments.
A custom bootstrap workflow was developed to attach followers to existing indexes and configure auto-follow for future data.
This shift aligns search infrastructure with the standard leader/follower pattern used across the rest of the GHES platform.

#sre #dist #data

Read original

Engineering at MetaMar 2, 2026

Investing in Infrastructure: Meta’s Renewed Commitment to jemalloc

Why it matters: jemalloc is a critical foundation for high-performance systems. Meta's renewed commitment ensures the allocator evolves with modern hardware like ARM64 and complex workloads, reducing technical debt and improving memory efficiency for the entire open-source ecosystem.

Meta is unarchiving and renewing its stewardship of the jemalloc open-source repository to ensure long-term infrastructure health.
The project will prioritize technical debt reduction and refactoring to improve maintainability and ease of use for the community.
A key focus is enhancing the Huge-Page Allocator (HPA) to better utilize transparent hugepages for increased CPU efficiency.
Planned improvements to packing, caching, and purging mechanisms aim to optimize overall memory efficiency and performance.
The roadmap includes specific performance optimizations for the AArch64 (ARM64) platform to ensure high out-of-the-box performance.
Meta is shifting back to principled engineering practices, moving away from short-term hacks that previously accumulated technical debt.

#sre #data

Read original

Cloudflare BlogMar 2, 2026

The truly programmable SASE platform

Why it matters: Cloudflare's programmable SASE allows engineers to build context-aware security policies using code. By executing logic at the edge, teams can integrate external data into access decisions in real-time, reducing latency and complexity compared to traditional webhook-based automation.

Cloudflare defines true programmability as the ability to intercept security events, enrich them with external context, and act in real-time.
The platform integrates SASE (Cloudflare One) with the Developer Platform (Workers), allowing security logic to run on the same global edge network.
Engineers can move beyond static 'allow/block' rules by using Workers to inject dynamic headers or query external risk APIs inline.
Managed actions provide templates for common IT and compliance workflows, while custom actions allow for bespoke logic via serverless functions.
This architecture eliminates the latency overhead typically associated with routing traffic to separate cloud environments for policy enforcement.
Real-world use cases include automated device session revocation and context-aware access based on external training or certification databases.

#security #dist #sre

Read original

Page 7 of 23

Prev 1...5 6 7 8 9...23 Next