--- title: Core platform Changelog image: https://developers.cloudflare.com/cf-twitter-card.png --- [Skip to content](#%5Ftop) # Changelog New updates and improvements at Cloudflare. [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/index.xml) [ View RSS feeds ](https://developers.cloudflare.com/fundamentals/new-features/available-rss-feeds/) Core platform ![hero image](https://developers.cloudflare.com/_astro/hero.CVYJHPAd_26AMqX.svg) Nov 10, 2025 1. ### [Crawler drilldowns with extended actions menu](https://developers.cloudflare.com/changelog/post/2025-11-10-ai-crawl-control-crawler-info/) [ AI Crawl Control ](https://developers.cloudflare.com/ai-crawl-control/) AI Crawl Control now supports per-crawler drilldowns with an extended actions menu and status code analytics. Drill down into Metrics, Cloudflare Radar, and Security Analytics, or export crawler data for use in [WAF custom rules](https://developers.cloudflare.com/waf/custom-rules/), [Redirect Rules](https://developers.cloudflare.com/rules/url-forwarding/), and robots.txt files. #### What's new #### Status code distribution chart The **Metrics** tab includes a status code distribution chart showing HTTP response codes (2xx, 3xx, 4xx, 5xx) over time. Filter by individual crawler, category, operator, or time range to analyze how specific crawlers interact with your site. ![AI Crawl Control status code distribution chart](https://developers.cloudflare.com/_astro/ai-crawl-control-status-codes.DESJcAiK_TSrPM.webp) #### Extended actions menu Each crawler row includes a three-dot menu with per-crawler actions: * **View Metrics** — Filter the AI Crawl Control Metrics page to the selected crawler. * **View on Cloudflare Radar** — Access verified crawler details on Cloudflare Radar. * **Copy User Agent** — Copy user agent strings for use in WAF custom rules, Redirect Rules, or robots.txt files. * **View in Security Analytics** — Filter Security Analytics by detection IDs (Bot Management customers). * **Copy Detection ID** — Copy detection IDs for use in WAF custom rules (Bot Management customers). ![AI Crawl Control crawler actions menu](https://developers.cloudflare.com/_astro/ai-crawl-control-crawler-info.Dwc39LqI_182so6.webp) #### Get started 1. Log in to the Cloudflare dashboard, and select your account and domain. 2. Go to **AI Crawl Control** \> **Metrics** to access the status code distribution chart. 3. Go to **AI Crawl Control** \> **Crawlers** and select the three-dot menu for any crawler to access per-crawler actions. 4. Select multiple crawlers to use bulk copy buttons for user agents or detection IDs. Learn more about [AI Crawl Control](https://developers.cloudflare.com/ai-crawl-control/). Nov 05, 2025 1. ### [Logpush Permission Update for Zero Trust Datasets](https://developers.cloudflare.com/changelog/post/2025-11-05-logpush-permissions-update/) [ Logs ](https://developers.cloudflare.com/logs/) [Permissions](https://developers.cloudflare.com/logs/logpush/permissions/) for managing Logpush jobs related to [Zero Trust datasets](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/account/) (Access, Gateway, and DEX) have been updated to improve data security and enforce appropriate access controls. To view, create, update, or delete Logpush jobs for Zero Trust datasets, users must now have both of the following permissions: * Logs Edit * Zero Trust: PII Read Note Update your UI, API or Terraform configurations to include the new permissions. Requests to Zero Trust datasets will fail due to insufficient access without the additional permission. Nov 04, 2025 1. ### [Log Explorer now supports query cancellation](https://developers.cloudflare.com/changelog/post/2025-11-04-query-cancellation/) [ Log Explorer ](https://developers.cloudflare.com/log-explorer/) We're excited to announce that Log Explorer users can now cancel queries that are currently running. This new feature addresses a common pain point: waiting for a long, unintended, or misconfigured query to complete before you can submit a new, correct one. With query cancellation, you can immediately stop the execution of any undesirable query, allowing you to quickly craft and submit a new query, significantly improving your investigative workflow and productivity within Log Explorer. Nov 04, 2025 1. ### [Log Explorer now shows query result distribution](https://developers.cloudflare.com/changelog/post/2025-11-13-query-result-distribution/) [ Log Explorer ](https://developers.cloudflare.com/log-explorer/) We're excited to announce a new feature in Log Explorer that significantly enhances how you analyze query results: the Query results distribution chart. This new chart provides a graphical distribution of your results over the time window of the query. Immediately after running a query, you will see the distribution chart above your result table. This visualization allows Log Explorer users to quickly spot trends, identify anomalies, and understand the temporal concentration of log events that match their criteria. For example, you can visually confirm if a spike in traffic or errors occurred at a specific time, allowing you to focus your investigation efforts more effectively. This feature makes it faster and easier to extract meaningful insights from your vast log data. The chart will dynamically update to reflect the logs matching your current query. Oct 30, 2025 1. ### [Introducing email two-factor authentication](https://developers.cloudflare.com/changelog/post/2025-10-30-email-2fa/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) Two-factor authentication (2FA) is one of the best ways to protect your account from the risk of account takeover. Cloudflare has offered phishing resistant 2FA options including hardware based keys (for example, a Yubikey) and app based TOTP (time-based one-time password) options which use apps like Google or Microsoft's Authenticator app. Unfortunately, while these solutions are very secure, they can be lost if you misplace the hardware based key, or lose the phone which includes that app. The result is that users sometimes get locked out of their accounts and need to contact support. Today, we are announcing the addition of email as a 2FA factor for all Cloudflare accounts. Email 2FA is in wide use across the industry as a least common denominator for 2FA because it is low friction, loss resistant, and still improves security over username/password login only. We also know that most commercial email providers already require 2FA, so your email address is usually well protected already. You can now enable email 2FA on the Cloudflare dashboard: 1. Go to **Profile** at the top right corner. 2. Select **Authentication**. 3. Under **Two-Factor Authentication**, select **Set up**. #### Sign-in security best practices Cloudflare is critical infrastructure, and you should protect it as such. Review the following best practices and make sure you are doing your part to secure your account: * Use a unique password for every website, including Cloudflare, and store it in a password manager like 1Password or Keeper. These services are cross-platform and simplify the process of managing secure passwords. * Use 2FA to make it harder for an attacker to get into your account in the event your password is leaked. * Store your backup codes securely. A password manager is the best place since it keeps the backup codes encrypted, but you can also print them and put them somewhere safe in your home. * If you use an app to manage your 2FA keys, enable cloud backup, so that you don't lose your keys in the event you lose your phone. * If you use a custom email domain to sign in, [configure SSO](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/). * If you use a public email domain like Gmail or Hotmail, you can also use social login with Apple, GitHub, or Google to sign in. * If you manage a Cloudflare account for work: * Have at least two administrators in case one of them unexpectedly leaves your company. * Use SCIM to automate permissions management for members in your Cloudflare account. Oct 30, 2025 1. ### [Revamped Member Management UI](https://developers.cloudflare.com/changelog/post/2025-10-30-member-management-improvements/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) As Cloudflare's platform has grown, so has the need for precise, role-based access control. We’ve redesigned the Member Management experience in the Dashboard to help administrators more easily discover, assign, and refine permissions for specific principals. #### What's New **Refreshed member invite flow** We overhauled the Invite Members UI to simplify inviting users and assigning permissions. ![Updated Invite Flow UX](https://developers.cloudflare.com/_astro/2025-10-30-invite-experience.B7F3VQ_y_2q5f79.webp) **Refreshed Members Overview Page** We've updated the Members Overview Page to clearly display: * Member 2FA status * Which members hold Super Admin privileges * API access settings per member * Member onboarding state (accepted vs pending invite) ![Updated Member Management Overview](https://developers.cloudflare.com/_astro/2025-10-30-member-management-screen.BLc2lx98_2sRE7I.webp) **New Member Permission Policies Details View** We've created a new member details screen that shows all permission policies associated with a member; including policies inherited from group associations to make it easier for members to understand the effective permissions they have. ![Updated Permission Policies Details Screen](https://developers.cloudflare.com/_astro/2025-10-30-permission-policies-screen.pMj53si2_2jP7PX.webp) **Improved Member Permission Workflow** We redesigned the permission management experience to make it faster and easier for administrators to review roles and grant access. ![Updated Member Permission Management UX](https://developers.cloudflare.com/_astro/2025-10-30-permission-policies-screen.pMj53si2_2jP7PX.webp) **Account-scoped Policies Restrictions Relaxed** Previously, customers could only associate a single account-scoped policy with a member. We've relaxed this restriction, and now Administrators can now assign multiple account-scoped policies to the same member; bringing policy assignment behavior in-line with user-groups and providing greater flexibility in managing member permissions. Oct 30, 2025 1. ### [New TCP-based fields available in Rulesets](https://developers.cloudflare.com/changelog/post/2025-10-30-tcp-rtt-and-tcp-fields/) [ Rules ](https://developers.cloudflare.com/rules/) #### Build rules based on TCP transport and latency Cloudflare now provides two new request fields in the Ruleset engine that let you make decisions based on whether a request used TCP and the measured TCP round-trip time between the client and Cloudflare. These fields help you understand protocol usage across your traffic and build policies that respond to network performance. For example, you can distinguish TCP from QUIC traffic or route high latency requests to alternative origins when needed. --- #### New fields | Field | Type | Description | | --------------------------------- | ------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | cf.edge.client\_tcp | Boolean | Indicates whether the request used TCP. A value of true means the client connected using TCP instead of QUIC. | | cf.timings.client\_tcp\_rtt\_msec | Number | Reports the smoothed TCP round-trip time between the client and Cloudflare in milliseconds. For example, a value of 20 indicates roughly twenty milliseconds of RTT. | Example filter expression: ``` cf.edge.client_tcp && cf.timings.client_tcp_rtt_msec < 100 ``` More information can be found in the Rules language [fields reference](https://developers.cloudflare.com/ruleset-engine/rules-language/fields/reference/). Oct 27, 2025 1. ### [Azure Sentinel Connector](https://developers.cloudflare.com/changelog/post/2025-10-27-sentinel-connector/) [ Logs ](https://developers.cloudflare.com/logs/) Logpush now supports integration with [Microsoft Sentinel ↗](https://www.microsoft.com/en-us/security/business/siem-and-xdr/microsoft-sentinel).The new Azure Sentinel Connector built on Microsoft’s Codeless Connector Framework (CCF), is now avaialble. This solution replaces the previous Azure Functions-based connector, offering significant improvements in security, data control, and ease of use for customers. Logpush customers can send logs to Azure Blob Storage and configure this new Sentinel Connector to ingest those logs directly into Microsoft Sentinel. This upgrade significantly streamlines log ingestion, improves security, and provides greater control: * Simplified Implementation: Easier for engineering teams to set up and maintain. * Cost Control: New support for Data Collection Rules (DCRs) allows you to filter and transform logs at ingestion time, offering potential cost savings. * Enhanced Security: CCF provides a higher level of security compared to the older Azure Functions connector. * ata Lake Integration: Includes native integration with Data Lake. Find the new solution [here ↗](https://marketplace.microsoft.com/en-us/product/azure-application/cloudflare.azure-sentinel-solution-cloudflare-ccf?tab=Overview) and refer to the [Cloudflare's developer documention ↗](https://developers.cloudflare.com/analytics/analytics-integrations/sentinel/#supported-logs:~:text=WorkBook%20fields,-Analytic%20rules)for more information on the connector, including setup steps, supported logs and Microsfot's resources. Oct 21, 2025 1. ### [New Robots.txt tab for tracking crawler compliance](https://developers.cloudflare.com/changelog/post/2025-10-21-track-robots-txt/) [ AI Crawl Control ](https://developers.cloudflare.com/ai-crawl-control/) AI Crawl Control now includes a **Robots.txt** tab that provides insights into how AI crawlers interact with your `robots.txt` files. #### What's new The Robots.txt tab allows you to: * Monitor the health status of `robots.txt` files across all your hostnames, including HTTP status codes, and identify hostnames that need a `robots.txt` file. * Track the total number of requests to each `robots.txt` file, with breakdowns of successful versus unsuccessful requests. * Check whether your `robots.txt` files contain [Content Signals ↗](https://contentsignals.org/) directives for AI training, search, and AI input. * Identify crawlers that request paths explicitly disallowed by your `robots.txt` directives, including the crawler name, operator, violated path, specific directive, and violation count. * Filter `robots.txt` request data by crawler, operator, category, and custom time ranges. #### Take action When you identify non-compliant crawlers, you can: * Block the crawler in the [Crawlers tab](https://developers.cloudflare.com/ai-crawl-control/features/manage-ai-crawlers/) * Create custom [WAF rules](https://developers.cloudflare.com/waf/) for path-specific security * Use [Redirect Rules](https://developers.cloudflare.com/rules/url-forwarding/) to guide crawlers to appropriate areas of your site To get started, go to **AI Crawl Control** \> **Robots.txt** in the Cloudflare dashboard. Learn more in the [Track robots.txt documentation](https://developers.cloudflare.com/ai-crawl-control/features/track-robots-txt/). Oct 16, 2025 1. ### [Increased HTTP header size limit to 128 KB](https://developers.cloudflare.com/changelog/post/2025-10-16-header-limit-increase/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) #### CDN now supports 128 KB request and response headers 🚀 We're excited to announce a significant increase in the maximum header size supported by Cloudflare's Content Delivery Network (CDN). Cloudflare now supports up to **128 KB** for both **request and response headers**. Previously, customers were limited to a total of 32 KB for request or response headers, with a maximum of 16 KB per individual header. Larger headers could cause requests to fail with `HTTP 413` (Request Header Fields Too Large) errors. --- #### What's new? * **Support for large headers:** You can now utilize much larger headers, whether as a single large header up to 128 KB or split over multiple headers. * **Reduces `413` and `520` HTTP errors:** This change drastically reduces the likelihood of customers encountering `HTTP 413` errors from large request headers or `HTTP 520` errors caused by oversized response headers, improving the overall reliability of your web applications. * **Enhanced functionality:** This is especially beneficial for applications that rely on: * A large number of cookies. * Large Content-Security-Policy (CSP) response headers. * Advanced use cases with Cloudflare Workers that generate large response headers. This enhancement improves compatibility with Cloudflare's CDN, enabling more use cases that previously failed due to header size limits. --- To learn more and get started, refer to the [Cloudflare Fundamentals documentation](https://developers.cloudflare.com/fundamentals/reference/connection-limits/#request-limits). Oct 14, 2025 1. ### [Enhanced AI Crawl Control metrics with new drilldowns and filters](https://developers.cloudflare.com/changelog/post/2025-10-14-enhanced-metrics-drilldowns/) [ AI Crawl Control ](https://developers.cloudflare.com/ai-crawl-control/) AI Crawl Control now provides enhanced metrics and CSV data exports to help you better understand AI crawler activity across your sites. #### What's new #### Track crawler requests over time Visualize crawler activity patterns over time, and group data by different dimensions: * **By Crawler** — Track activity from individual AI crawlers (GPTBot, ClaudeBot, Bytespider) * **By Category** — Analyze crawler purpose or type * **By Operator** — Discover which companies (OpenAI, Anthropic, ByteDance) are crawling your site * **By Host** — Break down activity across multiple subdomains * **By Status Code** — Monitor HTTP response codes to crawlers (200s, 300s, 400s, 500s) ![AI Crawl Control requests over time chart with grouping tabs](https://developers.cloudflare.com/_astro/ai-crawl-control-requests-over-time.BtRyz0OT_ZpotRm.webp "Interactive chart showing crawler requests over time with filterable dimensions") Interactive chart showing crawler requests over time with filterable dimensions #### Analyze referrer data (Paid plans) Identify traffic sources with referrer analytics: * View top referrers driving traffic to your site * Understand discovery patterns and content popularity from AI operators ![AI Crawl Control top referrers breakdown](https://developers.cloudflare.com/_astro/ai-crawl-control-top-referrers.CEUAwpd8_YrhT4.webp "Bar chart showing top referrers and their respective traffic volumes") Bar chart showing top referrers and their respective traffic volumes #### Export data Download your filtered view as a CSV: * Includes all applied filters and groupings * Useful for custom reporting and deeper analysis #### Get started 1. Log in to the Cloudflare dashboard, and select your account and domain. 2. Go to **AI Crawl Control** \> **Metrics**. 3. Use the grouping tabs to explore different views of your data. 4. Apply filters to focus on specific crawlers, time ranges, or response codes. 5. Select **Download CSV** to export your filtered data for further analysis. Learn more about [AI Crawl Control](https://developers.cloudflare.com/ai-crawl-control). Oct 14, 2025 1. ### [Single sign-on now manageable in the user experience](https://developers.cloudflare.com/changelog/post/2025-10-14-sso-self-service-ux/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) ![Screenshot of new user experience for managing SSO](https://developers.cloudflare.com/_astro/2025-10-14-sso-configuration-ux.DLkIKSax_Z3pbMD.webp) During Birthday Week, we announced that [single sign-on (SSO) is available for free ↗](https://blog.cloudflare.com/enterprise-grade-features-for-all/) to everyone who signs in with a custom email domain and maintains a compatible [identity provider ↗](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/). SSO minimizes user friction around login and provides the strongest security posture available. At the time, this could only be configured using the API. Today, we are launching a new user experience which allows users to manage their SSO configuration from within the Cloudflare dashboard. You can access this by going to **Manage account** \> **Members** \> **Settings**. #### For more information * [Cloudflare dashboard SSO](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/) Oct 07, 2025 1. ### [Automated reminders for backup codes](https://developers.cloudflare.com/changelog/post/2025-10-07-recovery-codes/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) The most common reason users contact Cloudflare support is lost two-factor authentication (2FA) credentials. Cloudflare supports both app-based and hardware keys for 2FA, but you could lose access to your account if you lose these. Over the past few weeks, we have been rolling out email and in-product reminders that remind you to also download backup codes (sometimes called recovery keys) that can get you back into your account in the event you lose your 2FA credentials. Download your backup codes now by logging into Cloudflare, then navigating to **Profile** \> **Security & Authentication** \> **Backup codes**. #### Sign-in security best practices Cloudflare is critical infrastructure, and you should protect it as such. Please review the following best practices and make sure you are doing your part to secure your account. * Use a unique password for every website, including Cloudflare, and store it in a password manager like 1Password or Keeper. These services are cross-platform and simplify the process of managing secure passwords. * Use 2FA to make it harder for an attacker to get into your account in the event your password is leaked * Store your backup codes securely. A password manager is the best place since it keeps the backup codes encrypted, but you can also print them and put them somewhere safe in your home. * If you use an app to manage your 2FA keys, enable cloud backup, so that you don't lose your keys in the event you lose your phone. * If you use a custom email domain to sign in, [configure SSO ↗](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/). * If you use a public email domain like Gmail or Hotmail, you can also use social login with Apple, GitHub, or Google to sign in. * If you manage a Cloudflare account for work: * Have at least two administrators in case one of them unexpectedly leaves your company * Use SCIM to automate permissions management for members in your Cloudflare account Oct 02, 2025 1. ### [Fine-grained Permissioning for Access for Apps, IdPs, & Targets now in Public Beta](https://developers.cloudflare.com/changelog/post/2025-10-01-fine-grained-permissioning-beta/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) Fine-grained permissions for **Access Applications, Identity Providers (IdPs), and Targets** is now available in Public Beta. This expands our RBAC model beyond account & zone-scoped roles, enabling administrators to grant permissions scoped to individual resources. #### What's New * **[Access Applications ↗](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/http-apps/)**: Grant admin permissions to specific Access Applications. * **[Identity Providers ↗](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/)**: Grant admin permissions to individual Identity Providers. * **[Targets ↗](https://developers.cloudflare.com/cloudflare-one/access-controls/applications/non-http/infrastructure-apps/#1-add-a-target)**: Grant admin rights to specific Targets ![Updated Permissions Policy UX](https://developers.cloudflare.com/_astro/2025-10-01-fine-grained-permissioning-ux.BWVmQsVF_Z1p4MJh.webp) Note During the public beta, members must also be assigned an account-scoped, read only role to view resources in the dashboard. This restriction will be lifted in a future release. * **Account Read Only** plus a fine-grained permission for a specific App, IdP, or Target * **Cloudflare Zero Trust Read Only** plus fine-grained permission for a specific App, IdP, or Target For more info: * [Get started with Cloudflare Permissioning](https://developers.cloudflare.com/fundamentals/manage-members/roles/) * [Manage Member Permissioning via the UI & API](https://developers.cloudflare.com/fundamentals/manage-members/manage) Oct 01, 2025 1. ### [New Confidence Intervals in GraphQL Analytics API](https://developers.cloudflare.com/changelog/post/2025-10-01-confidence-intervals/) [ Analytics ](https://developers.cloudflare.com/analytics/) The GraphQL Analytics API now supports confidence intervals for `sum` and `count` fields on adaptive (sampled) datasets. Confidence intervals provide a statistical range around sampled results, helping verify accuracy and quantify uncertainty. * **Supported datasets**: Adaptive (sampled) datasets only. * **Supported fields**: All `sum` and `count` fields. * **Usage**: The confidence `level` must be provided as a decimal between 0 and 1 (e.g. `0.90`, `0.95`, `0.99`). * **Default**: If no confidence level is specified, no intervals are returned. For examples and more details, see the [GraphQL Analytics API documentation](https://developers.cloudflare.com/analytics/graphql-api/features/confidence-intervals/). Oct 01, 2025 1. ### [Return markdown](https://developers.cloudflare.com/changelog/post/2025-10-01-md-returned/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) Users can now specify that they want to retrieve Cloudflare documentation as markdown rather than the previous HTML default. This can significantly reduce token consumption when used alongside Large Language Model (LLM) tools. Terminal window ``` curl https://developers.cloudflare.com/workers/ -H 'Accept: text/markdown' -v ``` If you maintain your own site and want to adopt this practice using Cloudflare Workers for your own users you can follow the example [here ↗](https://github.com/cloudflare/cloudflare-docs/pull/25493). Sep 25, 2025 1. ### [Sign in with GitHub](https://developers.cloudflare.com/changelog/post/2025-09-25-sign-in-with-github/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) Cloudflare has launched sign in with GitHub as a log in option. This feature is available to all users with a verified email address who are not using SSO. To use it, simply click on the `Sign in with GitHub` button on the dashboard login page. You will be logged in with your primary GitHub email address. #### For more information * [Log in to Cloudflare](https://developers.cloudflare.com/fundamentals/user-profiles/login/) Sep 25, 2025 1. ### [SSO for all](https://developers.cloudflare.com/changelog/post/2025-09-25-sso-for-all/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) Single sign-on (SSO) streamlines the process of logging into Cloudflare for Enterprise customers who manage a custom email domain and manage their own identity provider. Instead of managing a password and two-factor authentication credentials directly for Cloudflare, SSO lets you reuse your existing login infrastructure to seamlessly log in. SSO also provides additional security opportunities such as device health checks which are not available natively within Cloudflare. Historically, SSO was only available for Enterprise accounts. Today, we are announcing that we are making SSO available to all users for free. We have also added the ability to directly manage SSO configurations using the API. This removes the previous requirement to contact support to configure SSO. #### For more information * [Every Cloudflare feature, available to all ↗](https://blog.cloudflare.com/enterprise-grade-features-for-all/) * [Configure Dashboard SSO](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/) Sep 18, 2025 1. ### [Connect and secure any private or public app by hostname, not IP — with hostname routing for Cloudflare Tunnel](https://developers.cloudflare.com/changelog/post/2025-09-18-tunnel-hostname-routing/) [ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) You can now route private traffic to [Cloudflare Tunnel](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) based on a hostname or domain, moving beyond the limitations of IP-based routing. This new capability is **free for all Cloudflare One customers**. Previously, Tunnel routes could only be defined by IP address or [CIDR range](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-cidr/). This created a challenge for modern applications with dynamic or ephemeral IP addresses, often forcing administrators to maintain complex and brittle IP lists. ![Hostname-based routing in Cloudflare Tunnel](https://developers.cloudflare.com/_astro/tunnel-hostname-routing.DSi8MP_7_Z1E6Ym4.webp) **What’s new:** * **Hostname & Domain Routing**: Create routes for individual hostnames (e.g., `payroll.acme.local`) or entire domains (e.g., `*.acme.local`) and direct their traffic to a specific Tunnel. * **Simplified Zero Trust Policies**: Build resilient policies in Cloudflare Access and Gateway using stable hostnames, making it dramatically easier to apply per-resource authorization for your private applications. * **Precise Egress Control**: Route traffic for public hostnames (e.g., `bank.example.com`) through a specific Tunnel to enforce a dedicated source IP, solving the IP allowlist problem for third-party services. * **No More IP Lists**: This feature makes the workaround of maintaining dynamic IP Lists for Tunnel connections obsolete. Get started in the Tunnels section of the Zero Trust dashboard with your first [private hostname](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/cloudflared/connect-private-hostname/) or [public hostname](https://developers.cloudflare.com/cloudflare-one/traffic-policies/egress-policies/egress-cloudflared/) route. Learn more in our [blog post ↗](https://blog.cloudflare.com/tunnel-hostname-routing/). Sep 11, 2025 1. ### [Contextual pivots](https://developers.cloudflare.com/changelog/post/2025-09-11-contextual-pivots/) [ Log Explorer ](https://developers.cloudflare.com/log-explorer/) Directly from [Log Search](https://developers.cloudflare.com/log-explorer/log-search/) results, customers can pivot to other parts of the Cloudflare dashboard to immediately take action as a result of their investigation. From the `http_requests` or `fw_events` dataset results, right click on an IP Address or JA3 Fingerprint to pivot to the Investigate portal to lookup the reputation of an IP address or JA3 fingerprint. ![Investigate IP address](https://developers.cloudflare.com/_astro/investigate-ip-address.BMVSMzDi_Z1KASOQ.webp) Easily learn about error codes by linking directly to our documentation from the **EdgeResponseStatus** or **OriginResponseStatus** fields. ![View documentation](https://developers.cloudflare.com/_astro/view-documentation.Cem5QgeO_Z1vzjwR.webp) From the `gateway_http` dataset, click on a **policyid** to link directly to the Zero Trust dashboard to review or make changes to a specific Gateway policy. ![View policy](https://developers.cloudflare.com/_astro/policyid.CVjEdahj_1GFFHp.webp) Sep 11, 2025 1. ### [New results table view](https://developers.cloudflare.com/changelog/post/2025-09-11-new-results-table-view/) [ Log Explorer ](https://developers.cloudflare.com/log-explorer/) The results table view of **Log Search** has been updated with additional functionality and a more streamlined user experience. Users can now easily: * Remove/add columns. * Resize columns. * Sort columns. * Copy values from any field. ![New results table view](https://developers.cloudflare.com/_astro/new-table.C2Q8mWJ9_ZFs2Aq.webp) Sep 08, 2025 1. ### [Reminders about two-factor authentication backup codes](https://developers.cloudflare.com/changelog/post/2025-09-08-reminders-about-two-factor-authentication-backup-codes/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) Two-factor authentication is the best way to help protect your account from account takeovers, but if you lose your second factor, you could be locked out of your account. Lock outs are one of the top reasons customers contact Cloudflare support, and our policies often don't allow us to bypass two-factor authentication for customers that are locked out. Today we are releasing an improvement where Cloudflare will periodically remind you to securely save your backup codes so you don't get locked out in the future. #### For more information * [Two-factor authentication](https://developers.cloudflare.com/fundamentals/user-profiles/2fa/) Sep 03, 2025 1. ### [Introducing new headers for rate limiting on Cloudflare's API](https://developers.cloudflare.com/changelog/post/2025-09-03-rate-limiting-improvement/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) Cloudflare's API now supports rate limiting headers using the pattern developed by the [IETF draft on rate limiting ↗](https://ietf-wg-httpapi.github.io/ratelimit-headers/draft-ietf-httpapi-ratelimit-headers.html). This allows API consumers to know how many more calls are left until the rate limit is reached, as well as how long you will need to wait until more capacity is available. Our SDKs automatically work with these new headers, backing off when rate limits are approached. There is no action required for users of the latest Cloudflare SDKs to take advantage of this. As always, if you need any help with rate limits, please contact Support. #### Changes #### New Headers **Headers that are always returned:** * `Ratelimit`: List of service limit items, composed of the limit name, the remaining quota (`r`) and the time next window resets (`t`). For example: `"default";r=50;t=30` * `Ratelimit-Policy`: List of quota policy items, composed of the policy name, the total quota (`q`) and the time window the quota applies to (`w`). For example: `"burst";q=100;w=60` **Returned only when a rate limit has been reached (error code: 429):** * Retry-After: Number of Seconds until more capacity is available, rounded up #### SDK Back offs * All of Cloudflare's latest SDKs will automatically respond to the headers, instituting a backoff when limits are approached. #### GraphQL and Edge APIs These new headers and back offs are only available for Cloudflare REST APIs, and will not affect GraphQL. #### For more information * [Rate limits at Cloudflare ↗](https://developers.cloudflare.com/fundamentals/api/reference/limits/) Sep 03, 2025 1. ### [Logging headers and cookies using custom fields](https://developers.cloudflare.com/changelog/post/2025-09-03-log-headers-and-cookies/) [ Log Explorer ](https://developers.cloudflare.com/log-explorer/) [Log Explorer](https://developers.cloudflare.com/log-explorer/) now supports logging and filtering on header or cookie fields in the [http\_requests dataset](https://developers.cloudflare.com/logs/logpush/logpush-job/datasets/zone/http%5Frequests/). Create a custom field to log desired header or cookie values into the `http_requests` dataset and Log Explorer will import these as searchable fields. Once configured, use the custom SQL editor in Log Explorer to view or filter on these requests. ![Edit Custom fields](https://developers.cloudflare.com/_astro/edit-custom-fields.Cy4qXSpL_1ma19s.webp) For more details, refer to [Headers and cookies](https://developers.cloudflare.com/log-explorer/log-search/#headers-and-cookies). Sep 02, 2025 1. ### [Cloudflare Tunnel and Networks API will no longer return deleted resources by default starting December 1, 2025](https://developers.cloudflare.com/changelog/post/2025-09-02-tunnel-networks-list-endpoints-new-default/) [ Cloudflare Tunnel ](https://developers.cloudflare.com/tunnel/)[ Cloudflare Tunnel for SASE ](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/) Starting **December 1, 2025**, list endpoints for the [Cloudflare Tunnel API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/) and [Zero Trust Networks API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/) will no longer return deleted tunnels, routes, subnets and virtual networks by default. This change makes the API behavior more intuitive by only returning active resources unless otherwise specified. No action is required if you already explicitly set `is_deleted=false` or if you only need to list active resources. This change affects the following API endpoints: * List all tunnels: [GET /accounts/{account\_id}/tunnels](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/methods/list/) * List [Cloudflare Tunnels](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/): [GET /accounts/{account\_id}/cfd\_tunnel](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/subresources/cloudflared/methods/list/) * List [WARP Connector](https://developers.cloudflare.com/cloudflare-one/networks/connectors/cloudflare-tunnel/private-net/warp-connector/) tunnels: [GET /accounts/{account\_id}/warp\_connector](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/subresources/warp%5Fconnector/methods/list/) * List tunnel routes: [GET /accounts/{account\_id}/teamnet/routes](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/subresources/routes/methods/list/) * List subnets: [GET /accounts/{account\_id}/zerotrust/subnets](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/subresources/subnets/methods/list/) * List virtual networks: [GET /accounts/{account\_id}/teamnet/virtual\_networks](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/subresources/virtual%5Fnetworks/methods/list/) #### What is changing? The default behavior of the `is_deleted` query parameter will be updated. | Scenario | Previous behavior (before December 1, 2025) | New behavior (from December 1, 2025) | | -------------------------------- | -------------------------------------------------------------------------- | --------------------------------------------------------------------- | | is\_deleted parameter is omitted | Returns **active & deleted** tunnels, routes, subnets and virtual networks | Returns **only active** tunnels, routes, subnets and virtual networks | #### Action required If you need to retrieve deleted (or all) resources, please update your API calls to explicitly include the `is_deleted` parameter before **December 1, 2025**. To get a list of only deleted resources, you must now explicitly add the `is_deleted=true` query parameter to your request: Terminal window ``` # Example: Get ONLY deleted Tunnels curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/tunnels?is_deleted=true" \ -H "Authorization: Bearer $API_TOKEN" # Example: Get ONLY deleted Virtual Networks curl "https://api.cloudflare.com/client/v4/accounts/$ACCOUNT_ID/teamnet/virtual_networks?is_deleted=true" \ -H "Authorization: Bearer $API_TOKEN" ``` Following this change, retrieving a complete list of both active and deleted resources will require two separate API calls: one to get active items (by omitting the parameter or using `is_deleted=false`) and one to get deleted items (`is_deleted=true`). #### Why we’re making this change This update is based on user feedback and aims to: * **Create a more intuitive default:** Aligning with common API design principles where list operations return only active resources by default. * **Reduce unexpected results:** Prevents users from accidentally operating on deleted resources that were returned unexpectedly. * **Improve performance:** For most users, the default query result will now be smaller and more relevant. To learn more, please visit the [Cloudflare Tunnel API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/tunnels/) and [Zero Trust Networks API](https://developers.cloudflare.com/api/resources/zero%5Ftrust/subresources/networks/) documentation. [Search all changelog entries](https://developers.cloudflare.com/search/?contentType=Changelog+entry)