--- title: Core platform Changelog image: https://developers.cloudflare.com/cf-twitter-card.png --- [Skip to content](#%5Ftop) # Changelog New updates and improvements at Cloudflare. [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/index.xml) [ View RSS feeds ](https://developers.cloudflare.com/fundamentals/new-features/available-rss-feeds/) Core platform ![hero image](https://developers.cloudflare.com/_astro/hero.CVYJHPAd_26AMqX.svg) Feb 09, 2026 1. ### [Tabs and pivots](https://developers.cloudflare.com/changelog/post/2026-02-09-tabs-and-pivots/) [ Log Explorer ](https://developers.cloudflare.com/log-explorer/) Log Explorer now supports multiple concurrent queries with the new Tabs feature. Work with multiple queries simultaneously and pivot between datasets to investigate malicious activity more effectively. #### Key capabilities * **Multiple tabs:** Open and switch between multiple query tabs to compare results across different datasets. * **Quick filtering:** Select the filter button from query results to add a value as a filter to your current query. * **Pivot to new tab:** Use Cmd + click on the filter button to start a new query tab with that filter applied. * **Preserved progress:** Your query progress is preserved on each tab if you navigate away and return. For more information, refer to the [Log Explorer documentation](https://developers.cloudflare.com/log-explorer/). Feb 04, 2026 1. ### [New reference documentation](https://developers.cloudflare.com/changelog/post/2026-02-09-reference-documentation/) [ AI Crawl Control ](https://developers.cloudflare.com/ai-crawl-control/) New reference documentation is now available for AI Crawl Control: * **[GraphQL API reference](https://developers.cloudflare.com/ai-crawl-control/reference/graphql-api/)** — Query examples for crawler requests, top paths, referral traffic, and data transfer. Includes key filters for detection IDs, user agents, and referrer domains. * **[Bot reference](https://developers.cloudflare.com/ai-crawl-control/reference/bots/)** — Detection IDs and user agents for major AI crawlers from OpenAI, Anthropic, Google, Meta, and others. * **[Worker templates](https://developers.cloudflare.com/ai-crawl-control/reference/worker-templates/)** — Deploy the x402 Payment-Gated Proxy to monetize crawler access or charge bots while letting humans through free. Jan 27, 2026 1. ### [Added Timezone preferences settings](https://developers.cloudflare.com/changelog/post/2026-01-27-timezone-preferences/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) You can now set the timezone in the Cloudflare dashboard as Coordinated Universal Time (UTC) or your browser or system's timezone. #### What's New Unless otherwise specified in the user interface, all dates and times in the Cloudflare dashboard are now displayed in the selected timezone. You can change the timezone setting from the user profile dropdown. ![Timezone preference dropdown](https://developers.cloudflare.com/_astro/2026-01-27-set-timezone.CUmMl54E_2ucVUh.webp) The page will reload to apply the new timezone setting. Jan 27, 2026 1. ### [Control request and response body buffering in Configuration Rules](https://developers.cloudflare.com/changelog/post/2026-01-27-body-buffering-settings/) [ Rules ](https://developers.cloudflare.com/rules/) You can now control how Cloudflare buffers HTTP request and response bodies using two new settings in [Configuration Rules](https://developers.cloudflare.com/rules/configuration-rules/). #### Request body buffering Controls how Cloudflare buffers HTTP request bodies before forwarding them to your origin server: | Mode | Behavior | | ---------------------- | ------------------------------------------------------------------------------------------------------------- | | **Standard** (default) | Cloudflare can inspect a prefix of the request body for enabled functionality such as WAF and Bot Management. | | **Full** | Buffers the entire request body before sending to origin. | | **None** | No buffering — the request body streams directly to origin without inspection. | #### Response body buffering Controls how Cloudflare buffers HTTP response bodies before forwarding them to the client: | Mode | Behavior | | ---------------------- | ----------------------------------------------------------------------------------- | | **Standard** (default) | Cloudflare can inspect a prefix of the response body for enabled functionality. | | **None** | No buffering — the response body streams directly to the client without inspection. | Warning Setting body buffering to **None** may break security functionality that requires body inspection, including the Web Application Firewall (WAF) and Bot Management. Ensure that any paths where you disable buffering do not require security inspection. Availability These settings only take effect on zones running Cloudflare's [latest CDN proxy ↗](https://blog.cloudflare.com/20-percent-internet-upgrade/). Enterprise customers can contact their account team to enable the latest proxy on their zones. #### API example ``` { "action": "set_config", "action_parameters": { "request_body_buffering": "standard", "response_body_buffering": "none" } } ``` For more information, refer to [Configuration Rules](https://developers.cloudflare.com/rules/configuration-rules/). Jan 23, 2026 1. ### [New 2FA Experience for Login](https://developers.cloudflare.com/changelog/post/2026-01-23-new-2fa-experience/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) ![Screenshot of new 2FA enrollment experience](https://developers.cloudflare.com/_astro/2026-01-23-2fa-interstitial.TXFGNSth_ZOKoRB.webp) In an effort to improve overall user security, users without 2FA will be prompted upon login to enroll in email 2FA. This will improve user security posture while minimizing friction. Users without email 2FA enabled will see a prompt to secure their account with additional factors upon logging in. Enrolling in 2FA remains optional, but strongly encouraged as it is the best way to prevent account takeovers. We also made changes to existing 2FA screens to improve the user experience. Now we have distinct experiences for each 2FA factor type, reflective of the way that factor works. #### For more information * [Configure Email Two Factor Authentication](https://developers.cloudflare.com/fundamentals/user-profiles/2fa/#configure-email-two-factor-authentication) Jan 22, 2026 1. ### [New cryptographic functions — encode\_base64() and sha256()](https://developers.cloudflare.com/changelog/post/2026-01-22-sha256-base64-encode-functions/) [ Rules ](https://developers.cloudflare.com/rules/) Cloudflare Rulesets now includes `encode_base64()` and `sha256()` functions, enabling you to generate signed request headers directly in rule expressions. These functions support common patterns like constructing a canonical string from request attributes, computing a SHA256 digest, and Base64-encoding the result. --- #### New functions | Function | Description | Availability | | ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------- | | encode\_base64(input, flags) | Encodes a string to Base64 format. Optional flags parameter: u for URL-safe encoding, p for padding (adds \= characters to make the output length a multiple of 4, as required by some systems). By default, output is standard Base64 without padding. | All plans (in header transform rules) | | sha256(input) | Computes a SHA256 hash of the input string. | Requires enablement | Note The `sha256()` function is available as an Enterprise add-on and requires a specific entitlement. Contact your account team to enable it. --- #### Examples **Encode a string to Base64 format:** ``` encode_base64("hello world") ``` Returns: `aGVsbG8gd29ybGQ` **Encode a string to Base64 format with padding:** ``` encode_base64("hello world", "p") ``` Returns: `aGVsbG8gd29ybGQ=` **Perform a URL-safe Base64 encoding of a string:** ``` encode_base64("hello world", "u") ``` Returns: `aGVsbG8gd29ybGQ` **Compute the SHA256 hash of a secret token:** ``` sha256("my-token") ``` Returns a hash that your origin can validate to authenticate requests. **Compute the SHA256 hash of a string and encode the result to Base64 format:** ``` encode_base64(sha256("my-token")) ``` Combines hashing and encoding for systems that expect Base64-encoded signatures. For more information, refer to the [Functions reference](https://developers.cloudflare.com/ruleset-engine/rules-language/functions/). Jan 20, 2026 1. ### [New functions for array and map operations](https://developers.cloudflare.com/changelog/post/2026-01-20-array-map-functions/) [ Rules ](https://developers.cloudflare.com/rules/) #### New functions for array and map operations Cloudflare Rulesets now include new functions that enable advanced expression logic for evaluating arrays and maps. These functions allow you to build rules that match against lists of values in request or response headers, enabling use cases like country-based blocking using custom headers. --- #### New functions | Function | Description | | ------------------------ | ----------------------------------------------------------------------------- | | split(source, delimiter) | Splits a string into an array of strings using the specified delimiter. | | join(array, delimiter) | Joins an array of strings into a single string using the specified delimiter. | | has\_key(map, key) | Returns true if the specified key exists in the map. | | has\_value(map, value) | Returns true if the specified value exists in the map. | --- #### Example use cases **Check if a country code exists in a header list:** ``` has_value(split(http.response.headers["x-allow-country"][0], ","), ip.src.country) ``` **Check if a specific header key exists:** ``` has_key(http.request.headers, "x-custom-header") ``` **Join array values for logging or comparison:** ``` join(http.request.headers.names, ", ") ``` For more information, refer to the [Functions reference](https://developers.cloudflare.com/ruleset-engine/rules-language/functions/). Jan 20, 2026 1. ### [Cloudflare Typescript SDK v6.0.0-beta.1 now available](https://developers.cloudflare.com/changelog/post/2026-01-20-cloudflare-typescript-v600-beta1/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ SDK ](https://developers.cloudflare.com/sdk/) > **Disclaimer:** Please note that v6.0.0-beta.1 is in Beta and we are still testing it for stability. Full Changelog: [v5.2.0...v6.0.0-beta.1 ↗](https://github.com/cloudflare/cloudflare-typescript/compare/v5.2.0...v6.0.0-beta.1) In this release, you'll see a large number of breaking changes. This is primarily due to a change in OpenAPI definitions, which our libraries are based off of, and codegen updates that we rely on to read those OpenAPI definitions and produce our SDK libraries. As the codegen is always evolving and improving, so are our code bases. Some breaking changes were introduced due to bug fixes, also listed below. Please ensure you read through the list of changes below before moving to this version - this will help you understand any down or upstream issues it may cause to your environments. --- #### Breaking Changes #### Addressing - Parameter Requirements Changed * `BGPPrefixCreateParams.cidr`: optional → **required** * `PrefixCreateParams.asn`: `number | null` → `number` * `PrefixCreateParams.loa_document_id`: required → **optional** * `ServiceBindingCreateParams.cidr`: optional → **required** * `ServiceBindingCreateParams.service_id`: optional → **required** #### API Gateway * `ConfigurationUpdateResponse` removed * `PublicSchema` → `OldPublicSchema` * `SchemaUpload` → `UserSchemaCreateResponse` * `ConfigurationUpdateParams.properties` removed; use `normalize` #### CloudforceOne - Response Type Changes * `ThreatEventBulkCreateResponse`: `number` → complex object with counts and errors #### D1 Database - Query Parameters * `DatabaseQueryParams`: simple interface → union type (`D1SingleQuery | MultipleQueries`) * `DatabaseRawParams`: same change * Supports batch queries via `batch` array #### DNS Records - Type Renames (21 types) All record type interfaces renamed from `*Record` to short names: * `RecordResponse.ARecord` → `RecordResponse.A` * `RecordResponse.AAAARecord` → `RecordResponse.AAAA` * `RecordResponse.CNAMERecord` → `RecordResponse.CNAME` * `RecordResponse.MXRecord` → `RecordResponse.MX` * `RecordResponse.NSRecord` → `RecordResponse.NS` * `RecordResponse.PTRRecord` → `RecordResponse.PTR` * `RecordResponse.TXTRecord` → `RecordResponse.TXT` * `RecordResponse.CAARecord` → `RecordResponse.CAA` * `RecordResponse.CERTRecord` → `RecordResponse.CERT` * `RecordResponse.DNSKEYRecord` → `RecordResponse.DNSKEY` * `RecordResponse.DSRecord` → `RecordResponse.DS` * `RecordResponse.HTTPSRecord` → `RecordResponse.HTTPS` * `RecordResponse.LOCRecord` → `RecordResponse.LOC` * `RecordResponse.NAPTRRecord` → `RecordResponse.NAPTR` * `RecordResponse.SMIMEARecord` → `RecordResponse.SMIMEA` * `RecordResponse.SRVRecord` → `RecordResponse.SRV` * `RecordResponse.SSHFPRecord` → `RecordResponse.SSHFP` * `RecordResponse.SVCBRecord` → `RecordResponse.SVCB` * `RecordResponse.TLSARecord` → `RecordResponse.TLSA` * `RecordResponse.URIRecord` → `RecordResponse.URI` * `RecordResponse.OpenpgpkeyRecord` → `RecordResponse.Openpgpkey` #### IAM Resource Groups * `ResourceGroupCreateResponse.scope`: optional single → **required array** * `ResourceGroupCreateResponse.id`: optional → **required** #### Origin CA Certificates - Parameter Requirements Changed * `OriginCACertificateCreateParams.csr`: optional → **required** * `OriginCACertificateCreateParams.hostnames`: optional → **required** * `OriginCACertificateCreateParams.request_type`: optional → **required** #### Pages * Renamed: `DeploymentsSinglePage` → `DeploymentListResponsesV4PagePaginationArray` * Domain response fields: many optional → **required** #### Pipelines - v0 to v1 Migration * Entire v0 API deprecated; use v1 methods (`createV1`, `listV1`, etc.) * New sub-resources: `Sinks`, `Streams` #### R2 * `EventNotificationUpdateParams.rules`: optional → **required** * Super Slurper: `bucket`, `secret` now required in source params #### Radar * `dataSource`: `string` → typed enum (23 values) * `eventType`: `string` → typed enum (6 values) * V2 methods require `dimension` parameter (breaking signature change) #### Resource Sharing * Removed: `status_message` field from all recipient response types #### Schema Validation * Consolidated `SchemaCreateResponse`, `SchemaListResponse`, `SchemaEditResponse`, `SchemaGetResponse` → `PublicSchema` * Renamed: `SchemaListResponsesV4PagePaginationArray` → `PublicSchemasV4PagePaginationArray` #### Spectrum * Renamed union members: `AppListResponse.UnionMember0` → `SpectrumConfigAppConfig` * Renamed union members: `AppListResponse.UnionMember1` → `SpectrumConfigPaygoAppConfig` #### Workers * Removed: `WorkersBindingKindTailConsumer` type (all occurrences) * Renamed: `ScriptsSinglePage` → `ScriptListResponsesSinglePage` * Removed: `DeploymentsSinglePage` #### Zero-Trust DLP * `datasets.create()`, `update()`, `get()` return types changed * `PredefinedGetResponse` union members renamed to `UnionMember0-5` #### Zero-Trust Tunnels * Removed: `CloudflaredCreateResponse`, `CloudflaredListResponse`, `CloudflaredDeleteResponse`, `CloudflaredEditResponse`, `CloudflaredGetResponse` * Removed: `CloudflaredListResponsesV4PagePaginationArray` --- #### Features #### Abuse Reports (`client.abuseReports`) * **Reports**: `create`, `list`, `get` * **Mitigations**: sub-resource for abuse mitigations #### AI Search (`client.aisearch`) * **Instances**: `create`, `update`, `list`, `delete`, `read`, `stats` * **Items**: `list`, `get` * **Jobs**: `create`, `list`, `get`, `logs` * **Tokens**: `create`, `update`, `list`, `delete`, `read` #### Connectivity (`client.connectivity`) * **Directory Services**: `create`, `update`, `list`, `delete`, `get` * Supports IPv4, IPv6, dual-stack, and hostname configurations #### Organizations (`client.organizations`) * **Organizations**: `create`, `update`, `list`, `delete`, `get` * **OrganizationProfile**: `update`, `get` * Hierarchical organization support with parent/child relationships #### R2 Data Catalog (`client.r2DataCatalog`) * **Catalog**: `list`, `enable`, `disable`, `get` * **Credentials**: `create` * **MaintenanceConfigs**: `update`, `get` * **Namespaces**: `list` * **Tables**: `list`, maintenance config management * Apache Iceberg integration #### Realtime Kit (`client.realtimeKit`) * **Apps**: `get`, `post` * **Meetings**: `create`, `get`, participant management * **Livestreams**: 10+ methods for streaming * **Recordings**: start, pause, stop, get * **Sessions**: transcripts, summaries, chat * **Webhooks**: full CRUD * **ActiveSession**: polls, kick participants * **Analytics**: organization analytics #### Token Validation (`client.tokenValidation`) * **Configuration**: `create`, `list`, `delete`, `edit`, `get` * **Credentials**: `update` * **Rules**: `create`, `list`, `delete`, `bulkCreate`, `bulkEdit`, `edit`, `get` * JWT validation with RS256/384/512, PS256/384/512, ES256, ES384 #### Alerting Silences (`client.alerting.silences`) * `create`, `update`, `list`, `delete`, `get` #### IAM SSO (`client.iam.sso`) * `create`, `update`, `list`, `delete`, `get`, `beginVerification` #### Pipelines v1 (`client.pipelines`) * **Sinks**: `create`, `list`, `delete`, `get` * **Streams**: `create`, `update`, `list`, `delete`, `get` #### Zero-Trust AI Controls / MCP (`client.zeroTrust.access.aiControls.mcp`) * **Portals**: `create`, `update`, `list`, `delete`, `read` * **Servers**: `create`, `update`, `list`, `delete`, `read`, `sync` #### Accounts * `managed_by` field with `parent_org_id`, `parent_org_name` #### Addressing LOA Documents * `auto_generated` field on `LOADocumentCreateResponse` #### Addressing Prefixes * `delegate_loa_creation`, `irr_validation_state`, `ownership_validation_state`, `ownership_validation_token`, `rpki_validation_state` #### AI * Added `toMarkdown.supported()` method to get all supported conversion formats #### AI Gateway * `zdr` field added to all responses and params #### Alerting * New alert type: `abuse_report_alert` * `type` field added to PolicyFilter #### Browser Rendering * `ContentCreateParams`: refined to discriminated union (`Variant0 | Variant1`) * Split into URL-based and HTML-based parameter variants for better type safety #### Client Certificates * `reactivate` parameter in edit #### CloudforceOne * `ThreatEventCreateParams.indicatorType`: required → optional * `hasChildren` field added to all threat event response types * `datasetIds` query parameter on `AttackerListParams`, `CategoryListParams`, `TargetIndustryListParams` * `categoryUuid` field on `TagCreateResponse` * `indicators` array for multi-indicator support per event * `uuid` and `preserveUuid` fields for UUID preservation in bulk create * `format` query parameter (`'json' | 'stix2'`) on `ThreatEventListParams` * `createdAt`, `datasetId` fields on `ThreatEventEditParams` #### Content Scanning * Added `create()`, `update()`, `get()` methods #### Custom Pages * New page types: `basic_challenge`, `under_attack`, `waf_challenge` #### D1 * `served_by_colo` \- colo that handled query * `jurisdiction` \- `'eu' | 'fedramp'` * **Time Travel** (`client.d1.database.timeTravel`): `getBookmark()`, `restore()` \- point-in-time recovery #### Email Security * New fields on `InvestigateListResponse`/`InvestigateGetResponse`: `envelope_from`, `envelope_to`, `postfix_id_outbound`, `replyto` * New detection classification: `'outbound_ndr'` * Enhanced `Finding` interface with `attachment`, `detection`, `field`, `portion`, `reason`, `score` * Added `cursor` query parameter to `InvestigateListParams` #### Gateway Lists * New list types: `CATEGORY`, `LOCATION`, `DEVICE` #### Intel * New issue type: `'configuration_suggestion'` * `payload` field: `unknown` → typed `Payload` interface with `detection_method`, `zone_tag` #### Leaked Credential Checks * Added `detections.get()` method #### Logpush * New datasets: `dex_application_tests`, `dex_device_state_events`, `ipsec_logs`, `warp_config_changes`, `warp_toggle_changes` #### Load Balancers * `Monitor.port`: `number` → `number | null` * `Pool.load_shedding`: `LoadShedding` → `LoadShedding | null` * `Pool.origin_steering`: `OriginSteering` → `OriginSteering | null` #### Magic Transit * `license_key` field on connectors * `provision_license` parameter for auto-provisioning * IPSec: `custom_remote_identities` with FQDN support * Snapshots: Bond interface, `probed_mtu` field #### Pages * New response types: `ProjectCreateResponse`, `ProjectListResponse`, `ProjectEditResponse`, `ProjectGetResponse` * Deployment methods return specific response types instead of generic `Deployment` #### Queues * Added `subscriptions.get()` method * Enhanced `SubscriptionGetResponse` with typed event source interfaces * New event source types: Images, KV, R2, Vectorize, Workers AI, Workers Builds, Workflows #### R2 * Sippy: new provider `s3` (S3-compatible endpoints) * Sippy: `bucketUrl` field for S3-compatible sources * Super Slurper: `keys` field on source response schemas (specify specific keys to migrate) * Super Slurper: `pathPrefix` field on source schemas * Super Slurper: `region` field on S3 source params #### Radar * Added `geolocations.list()`, `geolocations.get()` methods * Added V2 dimension-based methods (`summaryV2`, `timeseriesGroupsV2`) to radar sub-resources #### Resource Sharing * Added `terminal` boolean field to Resource Error interfaces #### Rules * Added `id` field to `ItemDeleteParams.Item` #### Rulesets * New buffering fields on `SetConfigRule`: `request_body_buffering`, `response_body_buffering` #### Secrets Store * New scopes: `'dex'`, `'access'` (in addition to `'workers'`, `'ai_gateway'`) #### SSL Certificate Packs * Response types now proper interfaces (was `unknown`) * Fields now required: `id`, `certificates`, `hosts`, `status`, `type` #### Security Center * `payload` field: `unknown` → typed `Payload` interface with `detection_method`, `zone_tag` #### Shared Types * Added: `CloudflareTunnelsV4PagePaginationArray` pagination class #### Workers * Added `subdomains.delete()` method * `Worker.references` \- track external dependencies (domains, Durable Objects, queues) * `Worker.startup_time_ms` \- startup timing * `Script.observability` \- observability settings with logging * `Script.tag`, `Script.tags` \- immutable ID and tags * Placement: support for region, hostname, host-based placement * `tags`, `tail_consumers` now accept `| null` * Telemetry: `traces` field, `$containers` event info, `durableObjectId`, `transactionName`, `abr_level` fields #### Workers for Platforms * `ScriptUpdateResponse`: new fields `entry_point`, `observability`, `tag`, `tags` * `placement` field now union of 4 variants (smart mode, region, hostname, host) * `tags`, `tail_consumers` now nullable * `TagUpdateParams.body` now accepts `null` #### Workflows * `instance_retention`: `unknown` → typed `InstanceRetention` interface with `error_retention`, `success_retention` * New status option: `'restart'` added to `StatusEditParams.status` #### Zero-Trust Devices * External emergency disconnect settings (4 new fields) * `antivirus` device posture check type * `os_version_extra` documentation improvements #### Zones * New response types: `SubscriptionCreateResponse`, `SubscriptionUpdateResponse`, `SubscriptionGetResponse` #### Zero-Trust Access Applications * New `ApplicationType` values: `'mcp'`, `'mcp_portal'`, `'proxy_endpoint'` * New destination type: `ViaMcpServerPortalDestination` for MCP server access #### Zero-Trust Gateway * Added `rules.listTenant()` method #### Zero-Trust Gateway - Proxy Endpoints * `ProxyEndpoint`: interface → discriminated union (`ZeroTrustGatewayProxyEndpointIP | ZeroTrustGatewayProxyEndpointIdentity`) * `ProxyEndpointCreateParams`: interface → union type * Added `kind` field: `'ip' | 'identity'` #### Zero-Trust Tunnels * `WARPConnector*Response`: union type → interface --- #### Deprecations * **API Gateway**: `UserSchemas`, `Settings`, `SchemaValidation` resources * **Audit Logs**: `auditLogId.not` (use `id.not`) * **CloudforceOne**: `ThreatEvents.get()`, `IndicatorTypes.list()` * **Devices**: `public_ip` field (use DEX API) * **Email Security**: `item_count` field in Move responses * **Pipelines**: v0 methods (use v1) * **Radar**: old `summary()` and `timeseriesGroups()` methods (use V2) * **Rulesets**: `disable_apps`, `mirage` fields * **WARP Connector**: `connections` field * **Workers**: `environment` parameter in Domains * **Zones**: `ResponseBuffering` page rule --- #### Bug Fixes * **mcp:** correct code tool API endpoint ([599703c ↗](https://github.com/cloudflare/cloudflare-typescript/commit/599703c45672dc899455d74b124018efd4b75095)) * **mcp:** return correct lines on typescript errors ([5d6f999 ↗](https://github.com/cloudflare/cloudflare-typescript/commit/5d6f9998ed9999aaa95e1bda8cf50929f3555cf1)) * **organization\_profile:** fix bad reference ([d84ea77 ↗](https://github.com/cloudflare/cloudflare-typescript/commit/d84ea77094400055c06554812b84c2f0c8d00cc4)) * **schema\_validation:** correctly reflect model to openapi mapping ([bb86151 ↗](https://github.com/cloudflare/cloudflare-typescript/commit/bb861516774b159d80e0f46a5f3abc5a4c9f9d49)) * **workers:** fix tests ([2ee37f7 ↗](https://github.com/cloudflare/cloudflare-typescript/commit/2ee37f7adf5a4637d65f61fc225e135eec2579fc)) --- #### Documentation * Added deprecation notices with migration paths * **api\_gateway:** deprecate API Shield Schema Validation resources ([8a4b20f ↗](https://github.com/cloudflare/cloudflare-typescript/commit/8a4b20f7a572422f74179fbdb4f1c4fb555e3e40)) * Improved JSDoc examples across all resources * **workers:** expose subdomain delete documentation ([4f7cc1f ↗](https://github.com/cloudflare/cloudflare-typescript/commit/4f7cc1f2b8861a5b8abc193d287f78264a425062)) Jan 20, 2026 1. ### [Terraform v5.16.0 now available](https://developers.cloudflare.com/changelog/post/2026-01-20-terraform-v5160-provider/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ Terraform ](https://developers.cloudflare.com/terraform/) In January 2025, we announced the launch of the new Terraform v5 Provider. We greatly appreciate the proactive engagement and valuable feedback from the Cloudflare community following the v5 release. In response, we've established a consistent and rapid [2-3 week cadence ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5774) for releasing targeted improvements, demonstrating our commitment to stability and reliability. With the help of the community, we have a growing number of resources that we have marked as [stable ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6237), with that list continuing to grow with every release. The most used [resources ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6237) are on track to be stable by the end of March 2026, when we will also be releasing a new migration tool to you migrate from v4 to v5 with ease. Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs. This release includes bug fixes, the stabilization of even more popular resources, and more. #### Features * **custom\_pages:** add "waf\_challenge" as new supported error page type identifier in both resource and data source schemas * **list:** enhance CIDR validator to check for normalized CIDR notation requiring network address for IPv4 and IPv6 * **magic\_wan\_gre\_tunnel:** add automatic\_return\_routing attribute for automatic routing control * **magic\_wan\_gre\_tunnel:** add BGP configuration support with new BGP model attribute * **magic\_wan\_gre\_tunnel:** add bgp\_status computed attribute for BGP connection status information * **magic\_wan\_gre\_tunnel:** enhance schema with BGP-related attributes and validators * **magic\_wan\_ipsec\_tunnel:** add automatic\_return\_routing attribute for automatic routing control * **magic\_wan\_ipsec\_tunnel:** add BGP configuration support with new BGP model attribute * **magic\_wan\_ipsec\_tunnel:** add bgp\_status computed attribute for BGP connection status information * **magic\_wan\_ipsec\_tunnel:** add custom\_remote\_identities attribute for custom identity configuration * **magic\_wan\_ipsec\_tunnel:** enhance schema with BGP and identity-related attributes * **ruleset:** add request body buffering support * **ruleset:** enhance ruleset data source with additional configuration options * **workers\_script:** add observability logs attributes to list data source model * **workers\_script:** enhance list data source schema with additional configuration options #### Bug Fixes * **account\_member**: fix resource importability issues * **dns\_record:** remove unnecessary fmt.Sprintf wrapper around LoadTestCase call in test configuration helper function * **load\_balancer:** fix session\_affinity\_ttl type expectations to match Float64 in initial creation and Int64 after migration * **workers\_kv:** handle special characters correctly in URL encoding #### Documentation * **account\_subscription:** update schema description for rate\_plan.sets attribute to clarify it returns an array of strings * **api\_shield:** add resource-level description for API Shield management of auth ID characteristics * **api\_shield:** enhance auth\_id\_characteristics.name attribute description to include JWT token configuration format requirements * **api\_shield:** specify JSONPath expression format for JWT claim locations * **hyperdrive\_config:** add description attribute to name attribute explaining its purpose in dashboard and API identification * **hyperdrive\_config:** apply description improvements across resource, data source, and list data source schemas * **hyperdrive\_config:** improve schema descriptions for cache settings to clarify default values * **hyperdrive\_config:** update port description to clarify defaults for different database types #### For more information * [Terraform Provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs) * [Documentation on using Terraform with Cloudflare](https://developers.cloudflare.com/terraform/) * [List of stabilized resources ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6237) Jan 19, 2026 1. ### [Enhanced HTTP/3 request cancellation visibility](https://developers.cloudflare.com/changelog/post/2026-01-19-http3-499-reporting-improvement/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) #### Enhanced HTTP/3 request cancellation visibility Cloudflare now provides more accurate visibility into HTTP/3 client request cancellations, giving you better insight into real client behavior and reducing unnecessary load on your origins. Previously, when an HTTP/3 client cancelled a request, the cancellation was not always actioned immediately. This meant requests could continue through the CDN — potentially all the way to your origin — even after the client had abandoned them. In these cases, logs would show the upstream response status (such as `200` or a timeout-related code) rather than reflecting the client cancellation. Now, Cloudflare terminates cancelled HTTP/3 requests immediately and accurately logs them with a `499` status code. --- #### Better observability for client behavior When HTTP/3 clients cancel requests, Cloudflare now immediately reflects this in your logs with a `499` status code. This gives you: * **More accurate traffic analysis**: Understand exactly when and how often clients cancel requests. * **Clearer debugging**: Distinguish between true errors and intentional client cancellations. * **Better availability metrics**: Separate client-initiated cancellations from server-side issues. --- #### Reduced origin load Cloudflare now terminates cancelled requests faster, which means: * **Less wasted compute**: Your origin no longer processes requests that clients have already abandoned. * **Lower bandwidth usage**: Responses are no longer generated and transmitted for cancelled requests. * **Improved efficiency**: Resources are freed up to handle active requests. --- #### What to expect in your logs You may notice an increase in `499` status codes for HTTP/3 traffic. For HTTP/3, a `499` indicates the client [cancelled the request stream ↗](https://datatracker.ietf.org/doc/html/rfc9114#section-4.1.1) before receiving a complete response — the underlying connection may remain open. This is a normal part of web traffic. **Tip**: If you use `499` codes in availability calculations, consider whether client-initiated cancellations should be excluded from error rates. These typically represent normal user behavior — such as closing a browser, navigating away from a page, mobile network drops, or cancelling a download — rather than service issues. --- For more information, refer to [Error 499](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/4xx-client-error/error-499/). Jan 15, 2026 1. ### [Verify WARP Connector connectivity with a simple ping](https://developers.cloudflare.com/changelog/post/2026-01-15-warp-connector-ping-support/) [ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) We have made it easier to validate connectivity when deploying [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) as part of your [software-defined private network](https://developers.cloudflare.com/reference-architecture/architectures/sase/#connecting-networks). You can now `ping` the WARP Connector host directly on its LAN IP address immediately after installation. This provides a fast, familiar way to confirm that the Connector is online and reachable within your network before testing access to downstream services. Starting with [version 2025.10.186.0](https://developers.cloudflare.com/changelog/2026-01-13-warp-linux-ga/), WARP Connector responds to traffic addressed to its own LAN IP, giving you immediate visibility into Connector reachability. Learn more about deploying [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) and building private network connectivity with [Cloudflare One](https://developers.cloudflare.com/cloudflare-one/). Jan 13, 2026 1. ### [AI Crawl Control Read Only role now available](https://developers.cloudflare.com/changelog/post/2026-01-13-ai-crawl-control-read-only-role/) [ AI Crawl Control ](https://developers.cloudflare.com/ai-crawl-control/) Account administrators can now assign the **AI Crawl Control Read Only** role to provide read-only access to AI Crawl Control at the domain level. Users with this role can view the **Overview**, **Crawlers**, **Metrics**, **Robots.txt**, and **Settings** tabs but cannot modify crawler actions or settings. This role is specific for AI Crawl Control. You still require correct permissions to access other areas / features of the dashboard. To assign, go to **Manage Account** \> **Members** and add a policy with the **AI Crawl Control Read Only** role scoped to the desired domain. Jan 12, 2026 1. ### [Metro code field now available in Rules](https://developers.cloudflare.com/changelog/post/2026-01-12-dma-metro-code-field/) [ Rules ](https://developers.cloudflare.com/rules/) The `ip.src.metro_code` field in the Ruleset Engine is now populated with DMA (Designated Market Area) data. You can use this field to build rules that target traffic based on geographic market areas, enabling more granular location-based policies for your applications. #### Field details | Field | Type | Description | | ------------------ | -------------- | ----------------------------------------------------------------------------------------------------------------------------- | | ip.src.metro\_code | String \| null | The metro code (DMA) of the incoming request's IP address. Returns the designated market area code for the client's location. | Example filter expression: ``` ip.src.metro_code eq "501" ``` For more information, refer to the [Fields reference](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/ip.src.metro%5Fcode/). Dec 19, 2025 1. ### [Terraform v5.15.0 now available](https://developers.cloudflare.com/changelog/post/2025-12-19-terraform-v5150-provider/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ Terraform ](https://developers.cloudflare.com/terraform/) Earlier this year, we announced the launch of the new Terraform v5 Provider. We are aware of the high number of issues reported by the Cloudflare community related to the v5 release. We have committed to releasing improvements on a [2-3 week cadence ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5774) to ensure its stability and reliability, including the v5.15 release. We have also pivoted from an [issue-to-issue approach to a resource-per-resource approach ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6237) \- we will be focusing on specific resources to not only stabilize the resource but also ensure it is migration-friendly for those migrating from v4 to v5. Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs. This release includes bug fixes, the stabilization of even more popular resources, and more. #### Features * **ai\_search:** Add AI Search endpoints ([6f02adb ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/6f02adb420e872457f71f95b49cb527663388915)) * **certificate\_pack:** Ensure proper Terraform resource ID handling for path parameters in API calls ([081f32a ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/081f32acab4ce9a194a7ff51c8e9fcabd349895a)) * **worker\_version:** Support `startup_time_ms` ([286ab55 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/286ab55bea8d5be0faa5a2b5b8b157e4a2214eba)) * **zero\_trust\_dlp\_custom\_entry:** Support `upload_status` ([7dc0fe3 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/7dc0fe3b23726ead8dc075f86728a0540846d90c)) * **zero\_trust\_dlp\_entry:** Support `upload_status` ([7dc0fe3 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/7dc0fe3b23726ead8dc075f86728a0540846d90c)) * **zero\_trust\_dlp\_integration\_entry:** Support `upload_status` ([7dc0fe3 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/7dc0fe3b23726ead8dc075f86728a0540846d90c)) * **zero\_trust\_dlp\_predefined\_entry:** Support `upload_status` ([7dc0fe3 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/7dc0fe3b23726ead8dc075f86728a0540846d90c)) * **zero\_trust\_gateway\_policy:** Support `forensic_copy` ([5741fd0 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/5741fd0ed9f7270d20731cc47ec45eb0403a628b)) * **zero\_trust\_list:** Support additional types (category, location, device) ([5741fd0 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/5741fd0ed9f7270d20731cc47ec45eb0403a628b)) #### Bug fixes * **access\_rules:** Add validation to prevent state drift. Ideally, we'd use Semantic Equality but since that isn't an option, this will remove a foot-gun. ([4457791 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/44577911b3cbe45de6279aefa657bdee73c0794d)) * **cloudflare\_pages\_project:** Addressing drift issues ([6edffcf ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/6edffcfcf187fdc9b10b624b9a9b90aed2fb2b2e)) ([3db318e ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/3db318e747423bf10ce587d9149e90edcd8a77b0)) * **cloudflare\_worker:** Can be cleanly imported ([4859b52 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/4859b52968bb25570b680df9813f8e07fd50728f)) * **cloudflare\_worker:** Ensure clean imports ([5b525bc ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/5b525bc478a4e2c9c0d4fd659b92cc7f7c18016a)) * **list\_items:** Add validation for IP List items to avoid inconsistent state ([b6733dc ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/b6733dc4be909a5ab35895a88e519fc2582ccada)) * **zero\_trust\_access\_application:** Remove all conditions from sweeper ([3197f1a ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/3197f1aed61be326d507d9e9e3b795b9f1d18fd7)) * **spectrum\_application:** Map missing fields during spectrum resource import ([#6495 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6495)) ([ddb4e72 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/ddb4e722b82c735825a549d651a9da219c142efa)) #### Upgrade to newer version We suggest waiting to migrate to v5 while we work on stabilization. This helps with avoiding any blocking issues while the Terraform resources are actively being [stabilized ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6237). We will be releasing a new migration tool in March 2026 to help support v4 to v5 transitions for our most popular resources. #### For more information * [Terraform Provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs) * [Documentation on using Terraform with Cloudflare](https://developers.cloudflare.com/terraform/) Dec 18, 2025 1. ### [New AI Crawl Control Overview tab](https://developers.cloudflare.com/changelog/post/2025-12-18-overview-tab/) [ AI Crawl Control ](https://developers.cloudflare.com/ai-crawl-control/) The **Overview** tab is now the default view in AI Crawl Control. The previous default view with controls for individual AI crawlers is available in the **Crawlers** tab. #### What's new * **Executive summary** — Monitor total requests, volume change, most common status code, most popular path, and high-volume activity * **Operator grouping** — Track crawlers by their operating companies (OpenAI, Microsoft, Google, ByteDance, Anthropic, Meta) * **Customizable filters** — Filter your snapshot by date range, crawler, operator, hostname, or path ![AI Crawl Control Overview tab showing executive summary, metrics, and crawler groups](https://developers.cloudflare.com/_astro/ai-crawl-control-overview-tab.Duwqq4bm_ZmNhCs.webp) #### Get started 1. Log in to the Cloudflare dashboard and select your account and domain. 2. Go to **AI Crawl Control**, where the **Overview** tab opens by default with your activity snapshot. 3. Use filters to customize your view by date range, crawler, operator, hostname, or path. 4. Navigate to the **Crawlers** tab to manage controls for individual crawlers. Learn more about [analyzing AI traffic](https://developers.cloudflare.com/ai-crawl-control/features/analyze-ai-traffic/) and [managing AI crawlers](https://developers.cloudflare.com/ai-crawl-control/features/manage-ai-crawlers/). Dec 18, 2025 1. ### [Improved accuracy of cached request classification in analytics](https://developers.cloudflare.com/changelog/post/2025-12-18-cached-request-classification/) [ Analytics ](https://developers.cloudflare.com/analytics/) The cached/uncached classification logic used in Zone Overview analytics has been updated to improve accuracy. Previously, requests were classified as "cached" based on an overly broad condition that included blocked 403 responses, Snippets requests, and other non-cache request types. This caused inflated cache hit ratios — in some cases showing near-100% cached — and affected approximately 15% of requests classified as cached in rollups. The condition has been removed from the Zone Overview page. Cached/uncached classification now aligns with the heuristics used in [HTTP Analytics](https://developers.cloudflare.com/analytics/account-and-zone-analytics/zone-analytics/), so only requests genuinely served from cache are counted as cached. **What changed:** * **Zone Overview** — Cache ratios now reflect actual cache performance. * **HTTP Analytics** — No change. HTTP Analytics already used the correct classification logic. * **Historical data** — This fix applies to new requests only. Previously logged data is not retroactively updated. Dec 11, 2025 1. ### [SentinelOne as Logpush destination](https://developers.cloudflare.com/changelog/post/2025-12-11-sentinelone-destination/) [ Logs ](https://developers.cloudflare.com/logs/) Cloudflare Logpush now supports **SentinelOne** as a native destination. Logs from Cloudflare can be sent to [SentinelOne AI SIEM ↗](https://www.sentinelone.com/) via [Logpush](https://developers.cloudflare.com/logs/logpush/). The destination can be configured through the Logpush UI in the Cloudflare dashboard or by using the [Logpush API](https://developers.cloudflare.com/api/resources/logpush/subresources/jobs/). For more information, refer to the [Destination Configuration](https://developers.cloudflare.com/logs/logpush/logpush-job/enable-destinations/sentinelone/) documentation. Dec 10, 2025 1. ### [Pay Per Crawl (Private beta) - Discovery API, custom pricing, and advanced configuration](https://developers.cloudflare.com/changelog/post/2025-12-10-pay-per-crawl-enhancements/) [ AI Crawl Control ](https://developers.cloudflare.com/ai-crawl-control/) Pay Per Crawl is introducing enhancements for both AI crawler operators and site owners, focusing on programmatic discovery, flexible pricing models, and granular configuration control. #### For AI crawler operators #### Discovery API A new authenticated API endpoint allows verified crawlers to programmatically discover domains participating in Pay Per Crawl. Crawlers can use this to build optimized crawl queues, cache domain lists, and identify new participating sites. This eliminates the need to discover payable content through trial requests. The API endpoint is `GET https://crawlers-api.ai-audit.cfdata.org/charged_zones` and requires Web Bot Auth authentication. Refer to [Discover payable content](https://developers.cloudflare.com/ai-crawl-control/features/pay-per-crawl/use-pay-per-crawl-as-ai-owner/discover-payable-content/) for authentication steps, request parameters, and response schema. #### Payment header signature requirement Payment headers (`crawler-exact-price` or `crawler-max-price`) must now be included in the Web Bot Auth `signature-input` header components. This security enhancement prevents payment header tampering, ensures authenticated payment intent, validates crawler identity with payment commitment, and protects against replay attacks with modified pricing. Crawlers must add their payment header to the list of signed components when [constructing the signature-input header](https://developers.cloudflare.com/ai-crawl-control/features/pay-per-crawl/use-pay-per-crawl-as-ai-owner/crawl-pages/#22-sign-your-request-with-web-bot-auth). #### New `crawler-error` header Pay Per Crawl error responses now include a new `crawler-error` header with 11 specific [error codes](https://developers.cloudflare.com/ai-crawl-control/features/pay-per-crawl/use-pay-per-crawl-as-ai-owner/error-codes/) for programmatic handling. Error response bodies remain unchanged for compatibility. These codes enable robust error handling, automated retry logic, and accurate spending tracking. #### For site owners #### Configure free pages Site owners can now offer free access to specific pages like homepages, navigation, or discovery pages while charging for other content. Create a [Configuration Rule](https://developers.cloudflare.com/ai-crawl-control/features/pay-per-crawl/use-pay-per-crawl-as-site-owner/advanced-configuration/#disable-pay-per-crawl-by-uri-pattern) in **Rules** \> **Configuration Rules**, set your URI pattern using wildcard, exact, or prefix matching on the **URI Full** field, and enable the **Disable Pay Per Crawl** setting. When disabled for a URI pattern, crawler requests pass through without blocking or charging. Some paths are always free to crawl. These paths are: `/robots.txt`, `/sitemap.xml`, `/security.txt`, `/.well-known/security.txt`, `/crawlers.json`. #### Get started **AI crawler operators**: [Discover payable content](https://developers.cloudflare.com/ai-crawl-control/features/pay-per-crawl/use-pay-per-crawl-as-ai-owner/discover-payable-content/) | [Crawl pages](https://developers.cloudflare.com/ai-crawl-control/features/pay-per-crawl/use-pay-per-crawl-as-ai-owner/crawl-pages/) **Site owners**: [Advanced configuration](https://developers.cloudflare.com/ai-crawl-control/features/pay-per-crawl/use-pay-per-crawl-as-site-owner/advanced-configuration/) Dec 05, 2025 1. ### [Terraform v5.14.0 now available](https://developers.cloudflare.com/changelog/post/2025-12-05-terraform-v5140-provider/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ Terraform ](https://developers.cloudflare.com/terraform/) Earlier this year, we announced the launch of the new Terraform v5 Provider. We are aware of the high number of issues reported by the Cloudflare community related to the v5 release. We have committed to releasing improvements on a [2-3 week cadence ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5774) to ensure its stability and reliability, including the v5.14 release. We have also pivoted from an [issue-to-issue approach to a resource-per-resource approach ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6237) \- we will be focusing on specific resources to not only stabilize the resource but also ensure it is migration-friendly for those migrating from v4 to v5. Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs. This release includes bug fixes, the stabilization of even more popular resources, and more. #### Deprecation notice Resource affected: `api_shield_discovery_operation` Cloudflare continuously discovers and updates API endpoints and web assets of your web applications. To improve the maintainability of these dynamic resources, we are working on reducing the need to actively engage with discovered operations. The corresponding public API endpoint of [discovered operations ↗](https://developers.cloudflare.com/api/resources/api%5Fgateway/subresources/discovery/subresources/operations/) is not affected and will continue to be supported. #### Features * **pages\_project**: Add v4 -> v5 migration tests ([#6506 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/pull/6506)) #### Bug fixes * **account\_members**: Makes member policies a set ([#6488 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6488)) * **pages\_project**: Ensures non empty refresh plans ([#6515 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6515)) * **R2**: Improves sweeper ([#6512 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6512)) * **workers\_kv**: Ignores value import state for verify ([#6521 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6521)) * **workers\_script**: No longer treats the migrations attribute as WriteOnly ([#6489 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6489)) * **workers\_script**: Resolves resource drift when worker has unmanaged secret ([#6504 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6504)) * **zero\_trust\_device\_posture\_rule**: Preserves input.version and other fields ([#6500 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6500)) and ([#6503 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6503)) * **zero\_trust\_dlp\_custom\_profile**: Adds sweepers for `dlp_custom_profile` * **zone\_subscription|account\_subscription**: Adds `partners_ent` as valid enum for `rate_plan.id` ([#6505 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6505)) * **zone**: Ensures datasource model schema parity ([#6487 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6487)) * **subscription**: Updates import signature to accept account\_id/subscription\_id to import account subscription ([#6510 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6510)) #### Upgrade to newer version We suggest waiting to migrate to v5 while we work on stabilization. This helps with avoiding any blocking issues while the Terraform resources are actively being [stabilized ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6237). We will be releasing a new migration tool in March 2026 to help support v4 to v5 transitions for our most popular resources. #### For more information * [Terraform Provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs) * [Documentation on using Terraform with Cloudflare ↗](https://developers.cloudflare.com/terraform/) Nov 20, 2025 1. ### [Terraform v5.13.0 now available](https://developers.cloudflare.com/changelog/post/2025-11-20-terraform-v5130-provider/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ Terraform ](https://developers.cloudflare.com/terraform/) Earlier this year, we announced the launch of the new Terraform v5 Provider. We are aware of the high number of issues reported by the Cloudflare community related to the v5 release. We have committed to releasing improvements on a [2-3 week cadence ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5774) to ensure its stability and reliability, including the v5.13 release. We have also pivoted from an [issue-to-issue approach to a resource-per-resource approach ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6237) \- we will be focusing on specific resources to not only stabilize the resource but also ensure it is migration-friendly for those migrating from v4 to v5. Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs. This release includes new features, new resources and data sources, bug fixes, updates to our Developer Documentation, and more. #### Breaking Change Please be aware that there are breaking changes for the `cloudflare_api_token` and `cloudflare_account_token` resources. These changes eliminate configuration drift caused by policy ordering differences in the Cloudflare API. For more specific information about the changes or the actions required, please see the [detailed Repository changelog ↗](https://github.com/cloudflare/terraform-provider-cloudflare/releases/tag/v5.13.0). #### Features * **New resources and data sources added** * cloudflare\_connectivity\_directory * cloudflare\_sso\_connector * cloudflare\_universal\_ssl\_setting * **api\_token+account\_tokens:** state upgrader and schema bump ([#6472 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6472)) * **docs:** make docs explicit when a resource does not have import support * **magic\_transit\_connector:** support self-serve license key ([#6398 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6398)) * **worker\_version:** add content\_base64 support * **worker\_version:** boolean support for run\_worker\_first ([#6407 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6407)) * **workers\_script\_subdomains:** add import support ([#6375 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6375)) * **zero\_trust\_access\_application:** add proxy\_endpoint for ZT Access Application ([#6453 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6453)) * **zero\_trust\_dlp\_predefined\_profile:** Switch DLP Predefined Profile endpoints, introduce enabled\_entries attribut #### Bug Fixes * **account\_token:** token policy order and nested resources ([#6440 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6440)) * allow r2\_bucket\_event\_notification to be applied twice without failing ([#6419 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6419)) * **cloudflare\_worker+cloudflare\_worker\_version:** import for the resources ([#6357 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6357)) * **dns\_record:** inconsistent apply error ([#6452 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6452)) * **pages\_domain:** resource tests ([#6338 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6338)) * **pages\_project:** unintended resource state drift ([#6377 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6377)) * **queue\_consumer:** id population ([#6181 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6181)) * **workers\_kv:** multipart request ([#6367 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6367)) * **workers\_kv:** updating workers metadata attribute to be read from endpoint ([#6386 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6386)) * **workers\_script\_subdomain:** add note to cloudflare\_workers\_script\_subdomain about redundancy with cloudflare\_worker ([#6383 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6383)) * **workers\_script:** allow config.run\_worker\_first to accept list input * **zero\_trust\_device\_custom\_profile\_local\_domain\_fallback:** drift issues ([#6365 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6365)) * **zero\_trust\_device\_custom\_profile:** resolve drift issues ([#6364 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6364)) * **zero\_trust\_dex\_test:** correct configurability for 'targeted' attribute to fix drift * **zero\_trust\_tunnel\_cloudflared\_config:** remove warp\_routing from cloudflared\_config ([#6471 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6471)) #### Upgrading We suggest holding off on migration to v5 while we work on stabilization. This help will you avoid any blocking issues while the Terraform resources are actively being stabilized. We will be releasing a new migration tool in March 2026 to help support v4 to v5 transitions for our most popular resources. #### For more info * [Terraform Provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs) * [Documentation on using Terraform with Cloudflare ↗](https://developers.cloudflare.com/terraform/) Nov 13, 2025 1. ### [Fixed custom SQL date picker inconsistencies](https://developers.cloudflare.com/changelog/post/2025-11-13-fixed-custom-date/) [ Log Explorer ](https://developers.cloudflare.com/log-explorer/) We've resolved a bug in Log Explorer that caused inconsistencies between the custom SQL date field filters and the date picker dropdown. Previously, users attempting to filter logs based on a custom date field via a SQL query sometimes encountered unexpected results or mismatching dates when using the interactive date picker. This fix ensures that the custom SQL date field filters now align correctly with the selection made in the date picker dropdown, providing a reliable and predictable filtering experience for your log data. This is particularly important for users creating custom log views based on time-sensitive fields. Nov 13, 2025 1. ### [Log Explorer adds 14 new datasets](https://developers.cloudflare.com/changelog/post/2025-11-13-new-datasets/) [ Log Explorer ](https://developers.cloudflare.com/log-explorer/) We've significantly enhanced Log Explorer by adding support for 14 additional Cloudflare product datasets. This expansion enables Operations and Security Engineers to gain deeper visibility and telemetry across a wider range of Cloudflare services. By integrating these new datasets, users can now access full context to efficiently investigate security incidents, troubleshoot application performance issues, and correlate logged events across different layers (like application and network) within a single interface. This capability is crucial for a complete and cohesive understanding of event flows across your Cloudflare environment. The newly supported datasets include: #### Zone Level * `Dns_logs` * `Nel_reports` * `Page_shield_events` * `Spectrum_events` * `Zaraz_events` #### Account Level * `Audit Logs` * `Audit_logs_v2` * `Biso_user_actions` * `DNS firewall logs` * `Email_security_alerts` * `Magic Firewall IDS` * `Network Analytics` * `Sinkhole HTTP` * `ipsec_logs` Note `Auditlog` and `Auditlog_v2` datasets require `audit-log.read` permission for querying. The `biso_user_actions` dataset requires either the `Super Admin` or `ZT PII` role for querying. #### Example: Correlating logs You can now use Log Explorer to query and filter with each of these datasets. For example, you can identify an IP address exhibiting suspicious behavior in the `FW_event` logs, and then instantly pivot to the `Network Analytics` logs or `Access` logs to see its network-level traffic profile or if it bypassed a corporate policy. To learn more and get started, refer to the [Log Explorer documentation](https://developers.cloudflare.com/log-explorer/) and the [Cloudflare Logs documentation](https://developers.cloudflare.com/logs/). Nov 11, 2025 1. ### [Resize your custom SQL window in Log Explorer](https://developers.cloudflare.com/changelog/post/2025-11-11-resize-sql-window/) [ Log Explorer ](https://developers.cloudflare.com/log-explorer/) We're excited to announce a quality-of-life improvement for Log Explorer users. You can now resize the custom SQL query window to accommodate longer and more complex queries. Previously, if you were writing a long custom SQL query, the fixed-size window required excessive scrolling to view the full query. This update allows you to easily drag the bottom edge of the query window to make it taller. This means you can view your entire custom query at once, improving the efficiency and experience of writing and debugging complex queries. To learn more and get started, refer to the [Log Explorer documentation](https://developers.cloudflare.com/log-explorer/). Nov 11, 2025 1. ### [Logpush Health Dashboards](https://developers.cloudflare.com/changelog/post/2025-11-11-health-dashboards/) [ Logs ](https://developers.cloudflare.com/logs/) We’re excited to introduce **Logpush Health Dashboards**, giving customers real-time visibility into the status, reliability, and performance of their [Logpush](https://developers.cloudflare.com/logs/logpush/) jobs. Health dashboards make it easier to detect delivery issues, monitor job stability, and track performance across destinations. The dashboards are divided into two sections: * **Upload Health**: See how much data was successfully uploaded, where drops occurred, and how your jobs are performing overall. This includes data completeness, success rate, and upload volume. * **Upload Reliability** – Diagnose issues impacting stability, retries, or latency, and monitor key metrics such as retry counts, upload duration, and destination availability. ![Health Dashboard](https://developers.cloudflare.com/_astro/Health-Dashboard.CP0mV0IW_Z1GdXr6.webp) Health Dashboards can be accessed from the Logpush page in the Cloudflare dashboard at the account or zone level, under the Health tab. For more details, refer to our [**Logpush Health Dashboards**](https://developers.cloudflare.com/logs/logpush/logpush-health) documentation, which includes a comprehensive troubleshooting guide to help interpret and resolve common issues. Nov 11, 2025 1. ### [cloudflared proxy-dns command will be removed starting February 2, 2026](https://developers.cloudflare.com/changelog/post/2025-11-11-cloudflared-proxy-dns/) [ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) Starting February 2, 2026, the `cloudflared proxy-dns` command will be removed from all new `cloudflared` [releases](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/). This change is being made to enhance security and address a potential vulnerability in an underlying DNS library. This vulnerability is specific to the `proxy-dns` command and does not affect any other `cloudflared` features, such as the core [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) service. The `proxy-dns` command, which runs a client-side [DNS-over-HTTPS (DoH)](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/) proxy, has been an officially undocumented feature for several years. This functionality is fully and securely supported by our actively developed products. Versions of `cloudflared` released before this date will not be affected and will continue to operate. However, note that our [official support policy](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/downloads/#deprecated-releases) for any `cloudflared` release is one year from its release date. #### Migration paths We strongly advise users of this undocumented feature to migrate to one of the following officially supported solutions before February 2, 2026, to continue benefiting from secure [DNS-over-HTTPS](https://developers.cloudflare.com/1.1.1.1/encryption/dns-over-https/). #### End-user devices The preferred method for enabling DNS-over-HTTPS on user devices is the [Cloudflare WARP client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/). The WARP client automatically secures and proxies all DNS traffic from your device, integrating it with your organization's [Zero Trust policies](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) and [posture checks](https://developers.cloudflare.com/cloudflare-one/reusable-components/posture-checks/). #### Servers, routers, and IoT devices For scenarios where installing a client on every device is not possible (such as servers, routers, or IoT devices), we recommend using the [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/). Instead of running `cloudflared proxy-dns` on a machine, you can install the WARP Connector on a single Linux host within your private network. This connector will act as a gateway, securely routing all DNS and network traffic from your [entire subnet](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/site-to-internet/) to Cloudflare for [filtering and logging](https://developers.cloudflare.com/cloudflare-one/traffic-policies/). [Search all changelog entries](https://developers.cloudflare.com/search/?contentType=Changelog+entry)