Changelog

New updates and improvements at Cloudflare.

Subscribe to RSS View RSS feeds

Application performance

May 20, 2026

1. New DNS records UX is rolling out

   DNS

   Starting today, everyone can opt in to a refreshed DNS records page in the Cloudflare dashboard. Over the coming weeks, the new experience will become the default for Free plan users first, followed by paid plans.

   

   What is new

   • Better table experience: resizable and hideable columns, row pinning, advanced filters with logical operators (AND/OR), configurable pagination, and expanded input fields so long values are no longer cut off.
   • First-class mobile experience: responsive layout with a touch-friendly, card-based UI and compact controls for small screens.
   • DNS quick reference: bite-sized explainers for DNS, proxy status, and TTL, available directly in the product to help users configure records without leaving the page.
   • Modern frontend: a refactor onto Cloudflare's new UI framework that improves performance and lays the foundation for future improvements.
   

   Rollout plan

   Dates are subject to change based on feedback received during the rollout.

   • 20 May - 05 June: ramped rollout to Free, then Pro and Business plans.
   • 08 June - 03 July: ramped rollout to Enterprise plans.

   Share your feedback

   Once the new experience is turned on for your account, look for the feedback link at the top of the DNS records page in the Cloudflare dashboard and let us know what you think. Your input helps us prioritize the next round of improvements.

May 13, 2026

1. /cdn-cgi/rum endpoint now returns 405 for non-POST requests

   Cloudflare Web Analytics

   The /cdn-cgi/rum beacon endpoint now returns 405 Method Not Allowed for non-POST requests instead of 404 Not Found. The response includes an Allow: POST, OPTIONS header per RFC 9110 §15.5.6 ↗.

   Previously, sending a GET or other non-POST request to this endpoint returned a 404, which was misleading because it suggested the endpoint did not exist. The new 405 response clearly indicates that the endpoint exists but only accepts POST requests.

   The Web Analytics beacon (beacon.min.js) already uses POST for all metric submissions, so this change does not affect normal beacon operation. OPTIONS requests for CORS preflight continue to work as before.

   For more information, refer to the Web Analytics FAQ.

May 04, 2026

1. Pingora now powers Cloudflare's cache

   Cache / CDN

   Cloudflare's cache now runs on a new proxy built on Pingora ↗, the Rust-based framework that already serves a significant portion of Cloudflare's network traffic. The new proxy is faster, more memory-safe, and designed to evolve our cache architecture. It delivers immediate performance improvements and enables new caching capabilities.

   What this brings

   • Lower latency: The new proxy reduces per-request overhead through improved connection reuse.
   • Reduced cache MISSes: Enhanced cache retention improves origin offload.
   • Better RFC compliance: Caching behavior more closely follows HTTP caching standards.
   • Foundation for future features: The new architecture enables upcoming improvements to cache functionality and efficiency.

   New features

   • Asynchronous stale-while-revalidate: Every request returns stale content immediately while revalidation happens in the background, instead of the first request after expiry blocking on the origin. Refer to the asynchronous stale-while-revalidate changelog for details.
   • Unbuffered bypass by default: Responses that bypass cache are streamed directly to the client without buffering, reducing time-to-first-byte for uncacheable content.

   Behavioral changes

   The new architecture introduces the following behavioral changes to improve RFC compliance and correctness:

   • Vary: * results in cache bypass: According to RFC 9110 Section 12.5.5 ↗, a Vary header value of * indicates the response varies on factors beyond request headers and must not be served from cache. Cloudflare now bypasses cache for these responses instead of storing them.
   • Set-Cookie stripped on MISS and EXPIRED: For cacheable assets, Set-Cookie is now stripped on MISS and EXPIRED responses, not only on HITs.
   • Floating-point TTL values: Floating-point time-to-live values (for example, max-age=1.5) are rounded down to the nearest integer instead of being rejected as invalid.

   What's next

   A deeper look at the new cache proxy is coming soon to the Cloudflare blog ↗. For background on the underlying framework, read:

   • Open sourcing Pingora: our Rust framework for building programmable network services ↗
   • How we built Pingora, the proxy that connects Cloudflare to the Internet ↗

Apr 30, 2026

1. Shared dictionaries passthrough now in open beta

   Speed

   Shared dictionaries (RFC 9842 ↗) let an origin compress a response against a previous version of the same resource that the browser already has cached, so only the difference between versions travels over the wire. Shared dictionaries passthrough is now in open beta on all plans.

   What changed

   In passthrough mode, Cloudflare:

   • Forwards the Use-As-Dictionary and Available-Dictionary headers between client and origin without modification.
   • Treats dcb (Dictionary-Compressed Brotli) and dcz (Dictionary-Compressed Zstandard) as valid Content-Encoding values end to end, without recompressing them.
   • Extends the cache key to vary on Available-Dictionary and Accept-Encoding so each delta-compressed variant is cached correctly.

   Your origin manages the dictionary lifecycle: deciding which assets are dictionaries, attaching Use-As-Dictionary headers, and producing deltas in response to Available-Dictionary requests. Cloudflare handles the transport and the cache.

   In internal testing on a 272 KB JavaScript bundle, the asset shrinks from 92.1 KB with Gzip to 2.6 KB with delta Zstandard against the previous version — a 97% reduction over standard compression — with download times improving by 81–89% versus Gzip.

   Shared dictionaries work with browsers that advertise dcb or dcz in Accept-Encoding. Today, this includes Chrome 130 or later and Edge 130 or later.

   Get started

   Turn on passthrough for your zone with a single API call:

   curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/settings/shared_dictionary_mode" \
     --request PATCH \
     --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
     --json '{
       "value": "passthrough"
     }'

   You can also turn it on under Speed > Settings > Content Optimization in the Cloudflare dashboard ↗. For full origin setup instructions and a working test recipe, refer to Shared dictionaries, or try the live demo at canicompress.com ↗.

Apr 30, 2026

1. Web Analytics adds Navigation Type filtering and reporting

   Cloudflare Web Analytics

   Cloudflare Web Analytics now supports Navigation Type reporting and filtering.

   This update allows developers and performance analysts to see how users are navigating between pages — whether through a link click or form submission, a page reload, or using the browser's back/forward buttons — and whether a browser cache hit occurred for these behaviors.

   Understanding navigation types is critical for optimizing user experience. For example, if a high volume of your traffic consists of "Back-forward" navigations versus "Back-forward Cache", those visitors are not benefiting from the Back/Forward Cache (bfcache) and therefore are experiencing higher load times due to potentially unnecessary network requests.

   The same applies for regular "Navigate" entries — where "Navigate Cache", "Navigate Prefetch Cache" and "Prerender" would provide instant document retrieval — and "Reload", where "Reload cache" would be more optimal.

   A high volume of "Reload" entries can also indicate a potential stability problem with your website.

   By identifying these patterns, you can tune your browser caching strategies to ensure HTML documents are served instantaneously from local caches rather than requiring a roundtrip to the network.

   For more information, refer to Navigation Types.

   Key benefits

   • Monitor Cache Effectiveness: See how often your site is served from the HTTP cache or bfcache.
   • Identify Performance Bottlenecks: Filter by the different types to understand performance opportunity of improving browser cache hit ratio.

   Analyze navigation types in the Cloudflare dashboard

   You can now find the Navigation Type dimension in the Web Analytics dashboard. You can filter to include/exclude one or more specific types using "equals", "does not equal", "in", or "not in" matchers.

   

   To check the list of popular navigation types, select Page views on the Web Analytics sidebar and scroll down to the bottom:

   

Apr 28, 2026

1. Account-level enforce DNS-only

   DNS

   You can now disable Cloudflare's reverse proxy across all zones in your account simultaneously using the new enforce_dns_only setting. When enabled, Cloudflare responds to DNS queries for all proxied records with your origin IP addresses instead of Cloudflare's anycast IPs. This account-level kill switch is designed for incident response scenarios where you need to quickly route traffic directly to your origin servers.

   Warning

   Enabling this setting exposes your origin IP addresses and removes all Cloudflare protections — including DDoS mitigation, WAF, caching, and all other proxy-based features — for every zone in your account. Use with extreme caution and only after proper preparations.

   Key characteristics

   • Account-level — Affects all zones in the account simultaneously with a single API call.
   • Non-destructive — Does not modify your DNS records. Disabling the setting restores normal proxy behavior.
   • API-only — Available through the API only, not in the Cloudflare dashboard.

   What's affected

   Included: Standard proxied A, AAAA, and CNAME records, Load Balancing records, and records matching Worker routes.

   Excluded: Spectrum applications, Cloudflare Tunnel CNAMEs, R2 custom domains, Web3 gateways, and Workers custom domains continue to operate normally.

   Before you enable

   • Verify your origin servers can handle direct traffic without Cloudflare's caching and filtering.
   • Review which origin IPs will become publicly visible through DNS queries.
   • Test the API in a staging account before relying on it for incident response.

   Availability

   Available via API to all Cloudflare customers.

   For information on how to use it, refer to Enforce DNS-only developer documentation .

Apr 27, 2026

1. Cache Response Rules now support zone versioning

   Cache / CDN

   Cache Response Rules now work with Version Management. You can version response-phase cache settings and promote them through environments, just like Cache Rules and other supported configurations.

   What changed

   Previously, Cache Response Rules were excluded from zone versioning. Any response-phase rule you created applied globally across all environments with no way to test changes in staging first. Cache Rules already supported versioning, but the response phase, where you modify Cache-Control directives, manage cache tags, and strip headers, did not.

   Cache Response Rules are now fully integrated with Version Management. You can create or modify response-phase rules within a version, and those changes stay scoped to that version until promoted.

   Benefits

   • Safe rollout of cache behavior changes: Test response-phase rules in a staging environment before promoting to production. Catch unintended caching side effects early.
   • Parity with Cache Rules: Cache Response Rules now follow the same versioning workflow as Cache Rules, so you can manage all cache configuration through a single promotion pipeline.
   • Independent environment control: Run different response-phase cache settings per environment. For example, strip Set-Cookie headers in staging to validate cacheability without affecting production traffic.

   Get started

   Configure Cache Response Rules in the Cloudflare dashboard ↗ under Caching > Cache Rules, or via the Rulesets API. For more details, refer to the Cache Response Rules documentation and the Version Management documentation.

Apr 17, 2026

1. Smart Tiered Cache optimizes public cloud origins

   Cache / CDN

   You can now achieve higher cache HIT rates and reduce origin load for origins hosted on public cloud providers with Smart Tiered Cache. By setting a cloud region hint for your origin, Cloudflare selects the optimal upper-tier data center for that cloud region, funneling all cache MISSes through a single location close to your origin.

   Previously, Smart Tiered Cache could not reliably select an optimal upper tier for origins behind anycast or regional unicast networks commonly used by cloud providers. Origins on AWS, GCP, Azure, and Oracle Cloud would fall back to a multi-upper-tier topology, resulting in lower cache HIT rates and more requests reaching your origin.

   How it works

   Set a cloud region hint (for example, aws/us-east-1 or gcp/europe-west1) for your origin IP or hostname. Smart Tiered Cache uses this hint along with real-time latency data to select a primary upper tier close to your cloud region, plus a fallback in a different location for resilience.

   • Supported providers: AWS, GCP, Azure, and Oracle Cloud.
   • All plans: Available on Free, Pro, Business, and Enterprise plans at no additional cost.
   • Dashboard and API: Configure from Caching > Tiered Cache > Origin Configuration, or use the API and Terraform.

   Get started

   To get started, enable Smart Tiered Cache and set a cloud region hint for your origin in the Tiered Cache settings.

Apr 07, 2026

1. Manage mTLS and BYO CA certificates from the Cloudflare dashboard

   SSL/TLS

   You can now manage mutual TLS (mTLS) and Bring Your Own Certificate Authority (BYO CA) configurations directly from the Cloudflare dashboard — no API required.

   Previously, these advanced workflows required the Cloudflare API. The following are now available in the dashboard:

   • AOP certificate management — Upload and manage your own certificate authorities for Authenticated Origin Pulls (AOP) directly from the dashboard.
   • BYO Client mTLS certificate management — Upload and manage your own CA certificates for client mTLS enforcement without needing API access.
   • CDN hostname to client mTLS certificate mapping — Associate client mTLS certificates with specific hostnames directly from the dashboard.

Apr 01, 2026

1. New QUIC RTT and delivery rate fields

   Rules

   Two new fields are now available in rule expressions that surface Layer 4 transport telemetry from the client connection. Together with the existing cf.timings.client_tcp_rtt_msec field, these fields give you a complete picture of connection quality for both TCP and QUIC traffic — enabling transport-aware rules without requiring any client-side changes.

   Previously, QUIC RTT and delivery rate data was only available via the Server-Timing: cfL4 response header. These new fields make the same data available directly in rule expressions, so you can use them in Transform Rules, WAF Custom Rules, and other phases that support dynamic fields.

   New fields

   Field	Type	Description
   cf.timings.client_quic_rtt_msec	Integer	The smoothed QUIC round-trip time (RTT) between Cloudflare and the client in milliseconds. Only populated for QUIC (HTTP/3) connections. Returns 0 for TCP connections.
   cf.edge.l4.delivery_rate	Integer	The most recent data delivery rate estimate for the client connection, in bytes per second. Returns 0 when L4 statistics are not available for the request.

   Example: Route slow connections to a lightweight origin

   Use a request header transform rule to tag requests from high-latency connections, so your origin can serve a lighter page variant:

   Rule expression:

   cf.timings.client_tcp_rtt_msec > 200 or cf.timings.client_quic_rtt_msec > 200

   Header modifications:

   Operation	Header name	Value
   Set	X-High-Latency	true

   Example: Match low-bandwidth connections

   cf.edge.l4.delivery_rate > 0 and cf.edge.l4.delivery_rate < 100000

   For more information, refer to Request Header Transform Rules and the fields reference.

Mar 31, 2026

1. Internal DNS - now in open beta

   DNS

   Internal DNS is now in open beta.

   Who can use it?

   Internal DNS is bundled as a part of Cloudflare Gateway and is now available to every Enterprise customer with one of the following subscriptions:

   • Cloudflare Zero Trust Enterprise
   • Cloudflare Gateway Enterprise

   To learn more and get started, refer to the Internal DNS documentation.

Mar 25, 2026

1. New mTLS certificate fields for Transform Rules

   Rules

   Cloudflare now exposes four new fields in the Transform Rules phase that encode client certificate data in RFC 9440 ↗ format. Previously, forwarding client certificate information to your origin required custom parsing of PEM-encoded fields or non-standard HTTP header formats. These new fields produce output in the standardized Client-Cert and Client-Cert-Chain header format defined by RFC 9440, so your origin can consume them directly without any additional decoding logic.

   Each certificate is DER-encoded, Base64-encoded, and wrapped in colons. For example, :MIIDsT...Vw==:. A chain of intermediates is expressed as a comma-separated list of such values.

   New fields

   Field	Type	Description
   cf.tls_client_auth.cert_rfc9440	String	The client leaf certificate in RFC 9440 format. Empty if no client certificate was presented.
   cf.tls_client_auth.cert_rfc9440_too_large	Boolean	true if the leaf certificate exceeded 10 KB and was omitted. In practice this will almost always be false.
   cf.tls_client_auth.cert_chain_rfc9440	String	The intermediate certificate chain in RFC 9440 format as a comma-separated list. Empty if no intermediate certificates were sent or if the chain exceeded 16 KB.
   cf.tls_client_auth.cert_chain_rfc9440_too_large	Boolean	true if the intermediate chain exceeded 16 KB and was omitted.

   The chain encoding follows the same ordering as the TLS handshake: the certificate closest to the leaf appears first, working up toward the trust anchor. The root certificate is not included.

   Example: Forwarding client certificate headers to your origin server

   Add a request header transform rule to set the Client-Cert and Client-Cert-Chain headers on requests forwarded to your origin server. For example, to forward headers for verified, non-revoked certificates:

   Rule expression:

   cf.tls_client_auth.cert_verified and not cf.tls_client_auth.cert_revoked

   Header modifications:

   Operation	Header name	Value
   Set	Client-Cert	cf.tls_client_auth.cert_rfc9440
   Set	Client-Cert-Chain	cf.tls_client_auth.cert_chain_rfc9440

   To get the most out of these fields, upload your client CA certificate to Cloudflare so that Cloudflare validates the client certificate at the edge and populates cf.tls_client_auth.cert_verified and cf.tls_client_auth.cert_revoked.

   Prevent header injection

   You should ensure that Client-Cert and Client-Cert-Chain headers received by your origin server can only originate from this transform rule — any client could send these headers directly.

   • If you use WAF custom rules to block requests with invalid mTLS connections: The transform rule is sufficient. For all requests that reach your origin server, the rule will overwrite any existing Client-Cert and Client-Cert-Chain headers.
   • If you do not enforce mTLS at the WAF: Add another transform rule that removes any incoming Client-Cert and Client-Cert-Chain headers from all requests (use expression true), ordered before the rule above. This ensures your origin server cannot receive client-supplied values for these HTTP headers.

   For more information, refer to Mutual TLS authentication, Request Header Transform Rules, and the fields reference.

Mar 24, 2026

1. Cache Response Rules

   Cache / CDN

   You can now control how Cloudflare handles origin responses without changing your origin. Cache Response Rules let you modify Cache-Control directives, manage cache tags, and strip headers like Set-Cookie from origin responses before they reach Cloudflare's cache. Whether traffic is cached or passed through dynamically, these rules give you control over origin response behavior that was previously out of reach.

   What changed

   Cache Rules previously only operated on request attributes. Cache Response Rules introduce a new response phase that evaluates origin responses and lets you act on them before caching. You can now:

   • Modify Cache-Control directives: Set or remove individual directives like no-store, no-cache, max-age, s-maxage, stale-while-revalidate, immutable, and more. For example, remove a no-cache directive your origin sends so Cloudflare can cache the asset, or set an s-maxage to control how long Cloudflare stores it.
   • Set a different browser Cache-Control: Send a different Cache-Control header downstream to browsers and other clients than what Cloudflare uses internally, giving you independent control over edge and browser caching strategies.
   • Manage cache tags: Add, set, or remove cache tags on responses, including converting tags from another CDN's header format into Cloudflare's Cache-Tag header. This is especially useful if you are migrating from a CDN that uses a different tag header or delimiter.
   • Strip headers that block caching: Remove Set-Cookie, ETag, or Last-Modified headers from origin responses before caching, so responses that would otherwise be treated as uncacheable can be stored and served from cache.

   Benefits

   • No origin changes required: Fix caching behavior entirely from Cloudflare, even when your origin configuration is locked down or managed by a different team.
   • Simpler CDN migration: Match caching behavior from other CDN providers without rewriting your origin. Translate cache tag formats and override directives that do not align with Cloudflare's defaults.
   • Native support, fewer workarounds: Functionality that previously required workarounds is now built into Cache Rules with full Tiered Cache compatibility.
   • Fine-grained control: Use expressions to match on request and response attributes, then apply precise cache settings per rule. Rules are stackable and composable with existing Cache Rules.

   Get started

   Configure Cache Response Rules in the Cloudflare dashboard ↗ under Caching > Cache Rules, or via the Rulesets API ↗. For more details, refer to the Cache Rules documentation ↗.

Mar 20, 2026

1. DNS Analytics for Customer Metadata Boundary set to EU region

   DNS

   DNS Analytics is now available for customers with Customer Metadata Boundary (CMB) set to EU. Query your DNS analytics data while keeping metadata stored in the EU region.

   This update includes:

   • DNS Analytics — Access the same DNS analytics experience for zones in CMB=EU accounts.
   • EU data residency — Analytics data is stored and queried from the EU region, meeting data localization requirements.
   • DNS Firewall Analytics — DNS Firewall analytics is now supported for CMB=EU customers.

   Availability

   Available to customers with the Data Localization Suite who have Customer Metadata Boundary configured for the EU region.

   Where to find it

   • Authoritative DNS: In the Cloudflare dashboard, select your zone and go to the Analytics page.

     Go to Analytics

   • DNS Firewall: In the Cloudflare dashboard, go to the DNS Firewall Analytics page.

     Go to Analytics

   For more information, refer to DNS Analytics and DNS Firewall Analytics.

Mar 18, 2026

1. Worker execution timing field now available in Rules

   Rules

   The cf.timings.worker_msec field is now available in the Ruleset Engine. This field reports the wall-clock time that a Cloudflare Worker spent handling a request, measured in milliseconds.

   You can use this field to identify slow Worker executions, detect performance regressions, or build rules that respond differently based on Worker processing time, such as logging requests that exceed a latency threshold.

   Field details

   Field	Type	Description
   cf.timings.worker_msec	Integer	The time spent executing a Cloudflare Worker in milliseconds. Returns 0 if no Worker was invoked.

   Example filter expression:

   cf.timings.worker_msec > 500

   For more information, refer to the Fields reference.

Feb 26, 2026

1. Asynchronous stale-while-revalidate

   Cache / CDN

   Cloudflare's stale-while-revalidate support is now fully asynchronous. Previously, the first request for a stale (expired) asset in cache had to wait for an origin response, after which that visitor received a REVALIDATED or EXPIRED status. Now, the first request after the asset expires triggers revalidation in the background and immediately receives stale content with an UPDATING status. All following requests also receive stale content with an UPDATING status until the origin responds, after which subsequent requests receive fresh content with a HIT status.

   stale-while-revalidate is a Cache-Control directive set by your origin server that allows Cloudflare to serve an expired cached asset while a fresh copy is fetched from the origin.

   Asynchronous revalidation brings:

   • Lower latency: No visitor is waiting for the origin when the asset is already in cache. Every request is served from cache during revalidation.
   • Consistent experience: All visitors receive the same cached response during revalidation.
   • Reduced error exposure: The first request is no longer vulnerable to origin timeouts or errors. All visitors receive a cached response while revalidation happens in the background.

   Availability

   This change is live for all Free, Pro, and Business zones. Approximately 75% of Enterprise zones have been migrated, with the remaining zones rolling out throughout the quarter.

   Get started

   To use this feature, make sure your origin includes the stale-while-revalidate directive in the Cache-Control header. Refer to the Cache-Control documentation for details.

Jan 27, 2026

1. Control request and response body buffering in Configuration Rules

   Rules

   You can now control how Cloudflare buffers HTTP request and response bodies using two new settings in Configuration Rules.

   Request body buffering

   Controls how Cloudflare buffers HTTP request bodies before forwarding them to your origin server:

   Mode	Behavior
   Standard (default)	Cloudflare can inspect a prefix of the request body for enabled functionality such as WAF and Bot Management.
   Full	Buffers the entire request body before sending to origin.
   None	No buffering — the request body streams directly to origin without inspection.

   Response body buffering

   Controls how Cloudflare buffers HTTP response bodies before forwarding them to the client:

   Mode	Behavior
   Standard (default)	Cloudflare can inspect a prefix of the response body for enabled functionality.
   None	No buffering — the response body streams directly to the client without inspection.

   Warning

   Setting body buffering to None may break security functionality that requires body inspection, including the Web Application Firewall (WAF) and Bot Management. Ensure that any paths where you disable buffering do not require security inspection.

   API example

   {
     "action": "set_config",
     "action_parameters": {
       "request_body_buffering": "standard",
       "response_body_buffering": "none"
     }
   }

   For more information, refer to Configuration Rules.

Jan 22, 2026

1. New cryptographic functions — encode_base64() and sha256()

   Rules

   Cloudflare Rulesets now includes encode_base64() and sha256() functions, enabling you to generate signed request headers directly in rule expressions. These functions support common patterns like constructing a canonical string from request attributes, computing a SHA256 digest, and Base64-encoding the result.

   ---

   New functions

   Function	Description	Availability
   encode_base64(input, flags)	Encodes a string to Base64 format. Optional flags parameter: u for URL-safe encoding, p for padding (adds = characters to make the output length a multiple of 4, as required by some systems). By default, output is standard Base64 without padding.	All plans (in header transform rules)
   sha256(input)	Computes a SHA256 hash of the input string.	Requires enablement

   Note

   The sha256() function is available as an Enterprise add-on and requires a specific entitlement. Contact your account team to enable it.

   ---

   Examples

   Encode a string to Base64 format:

   encode_base64("hello world")

   Returns: aGVsbG8gd29ybGQ

   Encode a string to Base64 format with padding:

   encode_base64("hello world", "p")

   Returns: aGVsbG8gd29ybGQ=

   Perform a URL-safe Base64 encoding of a string:

   encode_base64("hello world", "u")

   Returns: aGVsbG8gd29ybGQ

   Compute the SHA256 hash of a secret token:

   sha256("my-token")

   Returns a hash that your origin can validate to authenticate requests.

   Compute the SHA256 hash of a string and encode the result to Base64 format:

   encode_base64(sha256("my-token"))

   Combines hashing and encoding for systems that expect Base64-encoded signatures.

   For more information, refer to the Functions reference.

Jan 20, 2026

1. New functions for array and map operations

   Rules

   New functions for array and map operations

   Cloudflare Rulesets now include new functions that enable advanced expression logic for evaluating arrays and maps. These functions allow you to build rules that match against lists of values in request or response headers, enabling use cases like country-based blocking using custom headers.

   ---

   New functions

   Function	Description
   split(source, delimiter)	Splits a string into an array of strings using the specified delimiter.
   join(array, delimiter)	Joins an array of strings into a single string using the specified delimiter.
   has_key(map, key)	Returns true if the specified key exists in the map.
   has_value(map, value)	Returns true if the specified value exists in the map.

   ---

   Example use cases

   Check if a country code exists in a header list:

   has_value(split(http.response.headers["x-allow-country"][0], ","), ip.src.country)

   Check if a specific header key exists:

   has_key(http.request.headers, "x-custom-header")

   Join array values for logging or comparison:

   join(http.request.headers.names, ", ")

   For more information, refer to the Functions reference.

Jan 12, 2026

1. Metro code field now available in Rules

   Rules

   The ip.src.metro_code field in the Ruleset Engine is now populated with DMA (Designated Market Area) data.

   You can use this field to build rules that target traffic based on geographic market areas, enabling more granular location-based policies for your applications.

   Field details

   Field	Type	Description
   ip.src.metro_code	String | null	The metro code (DMA) of the incoming request's IP address. Returns the designated market area code for the client's location.

   Example filter expression:

   ip.src.metro_code eq "501"

   For more information, refer to the Fields reference.

Nov 25, 2025

1. Audit Logs for Cache Purge Events

   Cache / CDN

   You can now review detailed audit logs for cache purge events, giving you visibility into what purge requests were sent, what they contained, and by whom. Audit your purge requests via the Dashboard or API for all purge methods:

   • Purge everything
   • List of prefixes
   • List of tags
   • List of hosts
   • List of files

   Example

   The detailed audit payload is visible within the Cloudflare Dashboard (under Manage Account > Audit Logs) and via the API. Below is an example of the Audit Logs v2 payload structure:

   {
     "action": {
       "result": "success",
       "type": "create"
     },
     "actor": {
       "id": "1234567890abcdef",
       "email": "user@example.com",
       "type": "user"
     },
     "resource": {
       "product": "purge_cache",
       "request": {
         "files": [
           "https://example.com/images/logo.png",
           "https://example.com/css/styles.css"
         ]
       }
     },
     "zone": {
       "id": "023e105f4ecef8ad9ca31a8372d0c353",
       "name": "example.com"
     }
   }

   Get started

   To get started, refer to the Audit Logs documentation.

Nov 07, 2025

1. Inspect Cache Keys with Cloudflare Trace

   Cache / CDN

   You can now see the exact cache key generated for any request directly in Cloudflare Trace. This visibility helps you troubleshoot cache hits and misses, and verify that your Custom Cache Keys — configured via Cache Rules or Page Rules — are working as intended.

   Previously, diagnosing caching behavior required inferring the key from configuration settings. Now, you can confirm that your custom logic for headers, query strings, and device types is correctly applied.

   Access Trace via the dashboard or API, either manually for ad-hoc debugging or automated as part of your quality-of-service monitoring.

   Example scenario

   If you have a Cache Rule that segments content based on a specific cookie (for example, user_region), run a Trace with that cookie present to confirm the user_region value appears in the resulting cache key.

   The Trace response includes the cache key in the cache object:

   {
     "step_name": "request",
     "type": "cache",
     "matched": true,
     "public_name": "Cache Parameters",
     "cache": {
       "key": {
         "zone_id": "023e105f4ecef8ad9ca31a8372d0c353",
         "scheme": "https",
         "host": "example.com",
         "uri": "/images/hero.jpg"
       },
       "key_string": "023e105f4ecef8ad9ca31a8372d0c353::::https://example.com/images/hero.jpg:::::"
     }
   }

   Get started

   To learn more, refer to the Trace documentation and our guide on Custom Cache Keys.

Oct 30, 2025

1. New TCP-based fields available in Rulesets

   Rules

   Build rules based on TCP transport and latency

   Cloudflare now provides two new request fields in the Ruleset engine that let you make decisions based on whether a request used TCP and the measured TCP round-trip time between the client and Cloudflare. These fields help you understand protocol usage across your traffic and build policies that respond to network performance. For example, you can distinguish TCP from QUIC traffic or route high latency requests to alternative origins when needed.

   ---

   New fields

   Field	Type	Description
   cf.edge.client_tcp	Boolean	Indicates whether the request used TCP. A value of true means the client connected using TCP instead of QUIC.
   cf.timings.client_tcp_rtt_msec	Number	Reports the smoothed TCP round-trip time between the client and Cloudflare in milliseconds. For example, a value of 20 indicates roughly twenty milliseconds of RTT.

   Example filter expression:

   cf.edge.client_tcp && cf.timings.client_tcp_rtt_msec < 100

   More information can be found in the Rules language fields reference.

Oct 16, 2025

1. Monitor Groups for Advanced Health Checking With Load Balancing

   Load Balancing

   Cloudflare Load Balancing now supports Monitor Groups, a powerful new way to combine multiple health monitors into a single, logical group. This allows you to create sophisticated health checks that more accurately reflect the true availability of your applications by assessing multiple services at once.

   With Monitor Groups, you can ensure that all critical components of an application are healthy before sending traffic to an origin pool, enabling smarter failover decisions and greater resilience. This feature is now available via the API for customers with an Enterprise Load Balancing subscription.

   What you can do:

   • Combine Multiple Monitors: Group different health monitors (for example, HTTP, TCP) that check various application components, like a primary API gateway and a specific /login service.
   • Isolate Monitors for Observation: Mark a monitor as "monitoring only" to receive alerts and data without it affecting a pool's health status or traffic steering. This is perfect for testing new checks or observing non-critical dependencies.
   • Improve Steering Intelligence: Latency for Dynamic Steering is automatically averaged across all active monitors in a group, providing a more holistic view of an origin's performance.

   This enhancement is ideal for complex, multi-service applications where the health of one component depends on another. By aggregating health signals, Monitor Groups provide a more accurate and comprehensive assessment of your application's true status.

   For detailed information and API configuration guides, please visit our developer documentation for Monitor Groups.

Sep 16, 2025

1. DNS Firewall Analytics — now in the Cloudflare dashboard

   DNS

   What's New

   Access GraphQL-powered DNS Firewall analytics directly in the Cloudflare dashboard.

   

   Explore Four Interactive Panels

   • Query summary: Describes trends over time, segmented by dimensions.
   • Query statistics: Describes totals, cached/uncached queries, and processing/response times.
   • DNS queries by data center: Describes global view and the top 10 data centers.
   • Top query statistics: Shows a breakdown by key dimensions, with search and expand options (up to top 100 items).

   Additional features:

   • Apply filters and time ranges once. Changes reflect across all panels.
   • Filter by dimensions like query name, query type, cluster, data center, protocol (UDP/TCP), IP version, response code/reason, and more.
   • Access up to 62 days of historical data with flexible intervals.

   Availability

   Available to all DNS Firewall customers as part of their existing subscription.

   Where to Find It

   • In the Cloudflare dashboard, go to the DNS Firewall page.

     Go to Analytics

   • Refer to the DNS Firewall Analytics to learn more.

← Prev

123

Next →