Skip to content
Cloudflare Docs

Changelog

New updates and improvements at Cloudflare.

Subscribe to RSS
View all RSS feeds

Select...
hero image
  1. You can now use IP, Autonomous System (AS), and Hostname custom lists to route traffic to Snippets and Cloud Connector, giving you greater precision and control over how you match and process requests at the edge.

    In Snippets, you can now also match on Bot Score and WAF Attack Score, unlocking smarter edge logic for everything from request filtering and mitigation to tarpitting and logging.

    What’s new:

    • Custom lists matching – Snippets and Cloud Connector now support user-created IP, AS, and Hostname lists via dashboard or Lists API. Great for shared logic across zones.
    • Bot Score and WAF Attack Score – Use Cloudflare’s intelligent traffic signals to detect bots or attacks and take advanced, tailored actions with just a few lines of code.
    New fields in Snippets

    These enhancements unlock new possibilities for building smarter traffic workflows with minimal code and maximum efficiency.

    Learn more in the Snippets and Cloud Connector documentation.

  1. Enterprise customers can now choose the geographic location from which a URL scan is performed — either via Security Center in the Cloudflare dashboard or via the URL Scanner API.

    This feature gives security teams greater insight into how a website behaves across different regions, helping uncover targeted, location-specific threats.

    What’s new:

    • Location Picker: Select a location for the scan via Security Center → Investigate in the dashboard or through the API.
    • Region-aware scanning: Understand how content changes by location — useful for detecting regionally tailored attacks.
    • Default behavior: If no location is set, scans default to the user’s current geographic region.

    Learn more in the Security Center documentation.

  1. We have upgraded WAF Payload Logging to enhance rule diagnostics and usability:

    • Targeted logging: Logs now capture only the specific portions of requests that triggered WAF rules, rather than entire request segments.
    • Visual highlighting: Matched content is visually highlighted in the UI for faster identification.
    • Enhanced context: Logs now include surrounding context to make diagnostics more effective.
    Log entry showing payload logging details

    Payload Logging is available to all Enterprise customers. If you have not used Payload Logging before, check how you can get started.

    Note: The structure of the encrypted_matched_data field in Logpush has changed from Map<Field, Value> to Map<Field, {Before: bytes, Content: Value, After: bytes}>. If you rely on this field in your Logpush jobs, you should review and update your processing logic accordingly.

  1. FinalizationRegistry is now available in Workers. You can opt-in using the enable_weak_ref compatibility flag.

    This can reduce memory leaks when using WebAssembly-based Workers, which includes Python Workers and Rust Workers. The FinalizationRegistry works by enabling toolchains such as Emscripten and wasm-bindgen to automatically free WebAssembly heap allocations. If you are using WASM and seeing Exceeded Memory errors and cannot determine a cause using memory profiling, you may want to enable the FinalizationRegistry.

    For more information refer to the enable_weak_ref compatibility flag documentation.

  1. Earlier this year, we announced the launch of the new Terraform v5 Provider. Unlike the earlier Terraform providers, v5 is automatically generated based on the OpenAPI Schemas for our REST APIs. Since launch, we have seen an unexpectedly high number of issues reported by customers. These issues currently impact about 15% of resources. We have been working diligently to address these issues across the company, and have released the v5.4.0 release which includes a number of bug fixes. Please keep an eye on this changelog for more information about upcoming releases.

    Changes

    • Removes the worker_platforms_script_secret resource from the provider
    • Removes duplicated fields in cloudflare_cloud_connector_rules resource
    • Fixes cloudflare_workers_route id issues #5134 #5501
    • Fixes issue around refreshing resources that have unsupported response types
      Affected resources
      • cloudflare_certificate_pack
      • cloudflare_registrar_domain
      • cloudflare_stream_download
      • cloudflare_stream_webhook
      • cloudflare_user
      • cloudflare_workers_kv
      • cloudflare_workers_script
    • Fixes cloudflare_workers_kv state refresh issues
    • Fixes issues around configurability of nested properties without computed values for the following resources
      Affected resources
      • cloudflare_account
      • cloudflare_account_dns_settings
      • cloudflare_account_token
      • cloudflare_api_token
      • cloudflare_cloud_connector_rules
      • cloudflare_custom_ssl
      • cloudflare_d1_database
      • cloudflare_dns_record
      • email_security_trusted_domains
      • cloudflare_hyperdrive_config
      • cloudflare_keyless_certificate
      • cloudflare_list_item
      • cloudflare_load_balancer
      • cloudflare_logpush_dataset_job
      • cloudflare_magic_network_monitoring_configuration
      • cloudflare_magic_transit_site
      • cloudflare_magic_transit_site_lan
      • cloudflare_magic_transit_site_wan
      • cloudflare_magic_wan_static_route
      • cloudflare_notification_policy
      • cloudflare_pages_project
      • cloudflare_queue
      • cloudflare_queue_consumer
      • cloudflare_r2_bucket_cors
      • cloudflare_r2_bucket_event_notification
      • cloudflare_r2_bucket_lifecycle
      • cloudflare_r2_bucket_lock
      • cloudflare_r2_bucket_sippy
      • cloudflare_ruleset
      • cloudflare_snippet_rules
      • cloudflare_snippets
      • cloudflare_spectrum_application
      • cloudflare_workers_deployment
      • cloudflare_zero_trust_access_application
      • cloudflare_zero_trust_access_group

    The detailed changelog is available on GitHub.

    Upgrading

    If you are evaluating a move from v4 to v5, please make use of the migration guide. We have provided automated migration scripts using Grit which simplify the transition, although these do not support implementations which use Terraform modules, so customers making use of modules need to migrate manually. Please make use of terraform plan to test your changes before applying, and let us know if you encounter any additional issues either by reporting to our GitHub repository, or by opening a support ticket.

    For more info

  1. Cloudflare Load Balancing now supports UDP (Layer 4) and ICMP (Layer 3) health monitors for private endpoints. This makes it simple to track the health and availability of internal services that don’t respond to HTTP, TCP, or other protocol probes.

    What you can do:

    • Set up ICMP ping monitors to check if your private endpoints are reachable.
    • Use UDP monitors for lightweight health checks on non-TCP workloads, such as DNS, VoIP, or custom UDP-based services.
    • Gain better visibility and uptime guarantees for services running behind Private Network Load Balancing, without requiring public IP addresses.

    This enhancement is ideal for internal applications that rely on low-level protocols, especially when used in conjunction with Cloudflare Tunnel, WARP, and Magic WAN to create a secure and observable private network.

    Learn more about Private Network Load Balancing or view the full list of supported health monitor protocols.

  1. We're excited to announce several improvements to the Cloudflare R2 dashboard experience that make managing your object storage easier and more intuitive:

    Cloudflare R2 Dashboard

    All-new settings page

    We've redesigned the bucket settings page, giving you a centralized location to manage all your bucket configurations in one place.

    Improved navigation and sharing

    • Deeplink support for prefix directories: Navigate through your bucket hierarchy without losing your state. Your browser's back button now works as expected, and you can share direct links to specific prefix directories with teammates.
    • Objects as clickable links: Objects are now proper links that you can copy or CMD + Click to open in a new tab.

    Clearer public access controls

    • Renamed "r2.dev domain" to "Public Development URL" for better clarity when exposing bucket contents for non-production workloads.
    • Public Access status now clearly displays "Enabled" when your bucket is exposed to the internet (via Public Development URL or Custom Domains).

    We've also made numerous other usability improvements across the board to make your R2 experience smoother and more productive.

  1. A new Browser Isolation Overview page is now available in the Cloudflare Zero Trust dashboard. This centralized view simplifies the management of Remote Browser Isolation (RBI) deployments, providing:

    This update consolidates previously disparate settings, accelerating deployment, improving visibility into isolation activity, and making it easier to ensure your protections are working effectively.

    Browser Isolation Overview

    To access the new overview, log in to your Cloudflare Zero Trust dashboard and find Browser Isolation in the side navigation bar.

  1. The Cloudflare Zero Trust dashboard now supports Cloudflare's native dark mode for all accounts and plan types.

    Zero Trust Dashboard will automatically accept your user-level preferences for system settings, so if your Dashboard appearance is set to 'system' or 'dark', the Zero Trust dashboard will enter dark mode whenever the rest of your Cloudflare account does.

    Zero Trust dashboard supports dark mode

    To update your view preference in the Zero Trust dashboard:

    1. Log into the Zero Trust dashboard.
    2. Select your user icon.
    3. Select Dark Mode.

  1. Cloudflare One administrators can now control which egress IP is used based on a destination's fully qualified domain name (FDQN) within Gateway Egress policies.

    • Host, Domain, Content Categories, and Application selectors are now available in the Gateway Egress policy builder in beta.
    • During the beta period, you can use these selectors with traffic on-ramped to Gateway with the WARP client, proxy endpoints (commonly deployed with PAC files), or Cloudflare Browser Isolation.

    This will help apply egress IPs to your users' traffic when an upstream application or network requires it, while the rest of their traffic can take the most performant egress path.