--- title: Docs collections Changelog image: https://developers.cloudflare.com/cf-twitter-card.png --- [Skip to content](#%5Ftop) # Changelog New updates and improvements at Cloudflare. [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/index.xml) [ View RSS feeds ](https://developers.cloudflare.com/fundamentals/new-features/available-rss-feeds/) Docs collections ![hero image](https://developers.cloudflare.com/_astro/hero.CVYJHPAd_26AMqX.svg) Apr 07, 2026 1. ### [Redesigned Support Portal for faster, personalized help](https://developers.cloudflare.com/changelog/post/2026-04-06-redesigned-support-portal/) [ Support ](https://developers.cloudflare.com/support/) #### Redesigned "Get Help" Portal for faster, personalized help Cloudflare has officially launched a redesigned "Get Help" Support Portal to eliminate friction and get you to a resolution faster. Previously, navigating support meant clicking through multiple tiles, categorizing your own technical issues across 50+ conditional fields, and translating your problem into Cloudflare's internal taxonomy. The new experience replaces that complexity with a personalized front door built around your specific account plan. Whether you are under a DDoS attack or have a simple billing question, the portal now presents a single, clean page that surfaces the direct paths available to you — such as "Ask AI", "Chat with a human", or "Community" — without the manual triage. #### What's New * **One Page, Clear Choices**: No more navigating a grid of overlapping categories. The portal now uses action cards tailored to your plan (Free, Pro, Business, or Enterprise), ensuring you only see the support channels you can actually use. * **A Radically Simpler Support Form**: We've reduced the ticket submission process from four+ screens and 50+ fields to a single screen with five critical inputs. You describe the issue in your own words, and our backend handles the categorization. * **AI-Driven Triage**: Using [Cloudflare Workers AI ↗](https://developers.cloudflare.com/workers-ai/) and [Vectorize ↗](https://developers.cloudflare.com/vectorize/), the portal now automatically generates case subjects and predicts product categories. #### Moving complexity to the backend Behind the scenes, we've moved the complexity from the user to our own developer stack. When you describe an issue, we use semantic embeddings to capture intent rather than just keywords. By leveraging case-based reasoning, our system compares your request against millions of resolved cases to route your inquiry to the specialist best equipped to help. This ensures that while the front-end experience is simpler for you, the back-end routing is more accurate than ever. To learn more, refer to the [Support documentation](https://developers.cloudflare.com/support/contacting-cloudflare-support/) or select **Get Help** directly in the [Cloudflare Dashboard ↗](https://dash.cloudflare.com/). Apr 06, 2026 1. ### [Organizations is now in public beta for enterprises](https://developers.cloudflare.com/changelog/post/2026-04-06-organizations-public-beta/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) We're announcing the public beta of **Organizations** for enterprise customers, a new top-level Cloudflare container that lets Cloudflare customers manage multiple accounts, members, analytics, and shared policies from one centralized location. **What's New** **Organizations \[BETA\]**: [Organizations](https://developers.cloudflare.com/fundamentals/organizations/) are a new top-level container for centrally managing multiple accounts. Each Organization supports up to 500 accounts and 500 zones, giving larger teams a single place to administer resources at scale. **Self-serve onboarding**: Enterprise customers can [create an Organization](https://developers.cloudflare.com/fundamentals/organizations/setup/) in the dashboard and assign accounts where they are already Super Administrators. **Centralized Account Management**: At launch, every Organization member has the Organization Super Admin role. Organization Super Admins can invite other users and manage any child account under the Organization implicitly.**Shared policies**: Share [WAF](https://developers.cloudflare.com/waf/custom-rules/) or [Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/tiered-policies/organizations/) policies across multiple accounts within your Organization to simplify centralized policy management.**Implicit access**: Members of an Organization automatically receive Super Administrator permissions across child accounts, removing the need for explicit membership on each account. Additional Org-level roles will be available over the course of the year. **Unified analytics**: View, filter, and download aggregate HTTP analytics across all Organization child accounts from a single dashboard for centralized visibility into traffic patterns and security events. **Terraform provider support**: Manage Organizations with infrastructure as code from day one. Provision organizations, assign accounts, and configure settings programmatically with the [Cloudflare Terraform provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/resources/organization). **Shared policies**: Share [WAF](https://developers.cloudflare.com/waf/custom-rules/) or [Gateway](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) policies across multiple accounts within your Organization to simplify centralized policy management. Note Organizations is in Public Beta. You must have an Enterprise account to create an organization, but once created, you can add accounts of any plan type where you are a Super Administrator. For more info: * [Get started with Organizations](https://developers.cloudflare.com/fundamentals/organizations/) * [Set up your Organization](https://developers.cloudflare.com/fundamentals/organizations/setup/) * [Review limitations](https://developers.cloudflare.com/fundamentals/organizations/limitations/) Mar 19, 2026 1. ### [Service Key authentication deprecated](https://developers.cloudflare.com/changelog/post/2026-03-19-service-key-authentication-deprecated/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) Service Key authentication for the Cloudflare API is deprecated. Service Keys will stop working on September 30, 2026. [API Tokens](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) replace Service Keys with fine-grained permissions, expiration, and revocation. #### What you need to do Replace any use of the `X-Auth-User-Service-Key` header with an [API Token](https://developers.cloudflare.com/fundamentals/api/get-started/create-token/) scoped to the permissions your integration requires. If you use `cloudflared`, update to a version from November 2022 or later. These versions already use API Tokens. If you use [origin-ca-issuer ↗](https://github.com/cloudflare/origin-ca-issuer), update to a version that supports API Token authentication. For more information, refer to [API deprecations](https://developers.cloudflare.com/fundamentals/api/reference/deprecations/). Mar 18, 2026 1. ### [SCIM provisioning for Authentik is now Generally Available](https://developers.cloudflare.com/changelog/post/2026-03-17-scim-authentik-support/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) Cloudflare dashboard SCIM provisioning now supports [Authentik ↗](https://goauthentik.io/) as an identity provider, joining Okta and Microsoft Entra ID as explicitly supported providers. Customers can now sync users and group information from Authentik to Cloudflare, apply Permission Policies to those groups, and manage the lifecycle of users & groups directly from your Authentik Identity Provider. Note SCIM provisioning for the Cloudflare dashboard is available to Enterprise customers. You must be a Super Administrator to complete the initial setup. For more information: * [SCIM provisioning overview](https://developers.cloudflare.com/fundamentals/account/account-security/scim-setup/) * [Provision with Authentik](https://developers.cloudflare.com/fundamentals/account/account-security/scim-setup/authentik/) Mar 18, 2026 1. ### [SCIM audit logging Support](https://developers.cloudflare.com/changelog/post/2026-03-18-scim-audit-logging/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) Cloudflare dashboard SCIM provisioning operations are now captured in [Audit Logs v2](https://developers.cloudflare.com/fundamentals/account/account-security/audit-logs/), giving you visibility into user and group changes made by your identity provider. ![SCIM audit logging](https://developers.cloudflare.com/_astro/2026-03-18-scim-audit-logging.DPKMiE8X_ZojL4c.webp) **Logged actions:** | Action Type | Description | | ----------------- | --------------------------------------- | | Create SCIM User | User provisioned from IdP | | Replace SCIM User | User fully replaced (PUT) | | Update SCIM User | User attributes modified (PATCH) | | Delete SCIM User | Member deprovisioned | | Create SCIM Group | Group provisioned from IdP | | Update SCIM Group | Group membership or attributes modified | | Delete SCIM Group | Group deprovisioned | For more details, refer to the [Audit Logs v2 documentation](https://developers.cloudflare.com/fundamentals/account/account-security/audit-logs/). Mar 12, 2026 1. ### [Retry-After HTTP header for retryable 1xxx errors](https://developers.cloudflare.com/changelog/post/2026-03-12-retry-after-header-for-1xxx-errors/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) Cloudflare-generated 1xxx error responses now include a standard `Retry-After` HTTP header when the error is retryable. Agents and HTTP clients can read the recommended wait time from response headers alone — no body parsing required. #### Changes Seven retryable error codes now emit `Retry-After`: | Error code | Retry-After (seconds) | Error name | | ---------- | --------------------- | --------------------------- | | 1004 | 120 | DNS resolution error | | 1005 | 120 | Banned zone | | 1015 | 30 | Rate limited | | 1033 | 120 | Argo Tunnel error | | 1038 | 60 | HTTP headers limit exceeded | | 1200 | 60 | Cache connection limit | | 1205 | 5 | Too many redirects | The header value matches the existing `retry_after` body field in JSON and Markdown responses. If a WAF rate limiting rule has already set a dynamic `Retry-After` value on the response, that value takes precedence. #### Availability Available for all zones on all plans. #### Verify Check for the header on any retryable error: Terminal window ``` curl -s --compressed -D - -o /dev/null -H "Accept: application/json" -A "TestAgent/1.0" -H "Accept-Encoding: gzip, deflate" "/cdn-cgi/error/1015" | grep -i retry-after ``` References: * [RFC 9110 section 10.2.3 - Retry-After ↗](https://www.rfc-editor.org/rfc/rfc9110#section-10.2.3) * [Cloudflare 1xxx error documentation](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/) Mar 11, 2026 1. ### [JSON responses and RFC 9457 support for Cloudflare 1xxx errors](https://developers.cloudflare.com/changelog/post/2026-03-11-json-rfc9457-responses-for-1xxx-errors/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) Cloudflare-generated 1xxx errors now return structured JSON when clients send `Accept: application/json` or `Accept: application/problem+json`. JSON responses follow [RFC 9457 (Problem Details for HTTP APIs) ↗](https://www.rfc-editor.org/rfc/rfc9457), so any HTTP client that understands Problem Details can parse the base members without Cloudflare-specific code. #### Breaking change The Markdown frontmatter field `http_status` has been renamed to `status`. Agents consuming Markdown frontmatter should update parsers accordingly. #### Changes **JSON format.** Clients sending `Accept: application/json` or `Accept: application/problem+json` now receive a structured JSON object with the same operational fields as Markdown frontmatter, plus RFC 9457 standard members. **RFC 9457 standard members (JSON only):** * `type` — URI pointing to Cloudflare documentation for the specific error code * `status` — HTTP status code (matching the response status) * `title` — short, human-readable summary * `detail` — human-readable explanation specific to this occurrence * `instance` — Ray ID identifying this specific error occurrence **Field renames:** * `http_status` \-> `status` (JSON and Markdown) * `what_happened` \-> `detail` (JSON only — Markdown prose sections are unchanged) **Content-Type mirroring.** Clients sending `Accept: application/problem+json` receive `Content-Type: application/problem+json; charset=utf-8` back; `Accept: application/json` receives `application/json; charset=utf-8`. Same body in both cases. #### Negotiation behavior | Request header sent | Response format | | --------------------------------------------- | -------------------------------------------- | | Accept: application/json | JSON (application/json content type) | | Accept: application/problem+json | JSON (application/problem+json content type) | | Accept: application/json, text/markdown;q=0.9 | JSON | | Accept: text/markdown | Markdown | | Accept: text/markdown, application/json | Markdown (equal q, first-listed wins) | | Accept: \*/\* | HTML (default) | #### Availability Available now for Cloudflare-generated 1xxx errors. #### Get started Terminal window ``` curl -s --compressed -H "Accept: application/json" -A "TestAgent/1.0" -H "Accept-Encoding: gzip, deflate" "/cdn-cgi/error/1015" | jq . ``` Terminal window ``` curl -s --compressed -H "Accept: application/problem+json" -A "TestAgent/1.0" -H "Accept-Encoding: gzip, deflate" "/cdn-cgi/error/1015" | jq . ``` References: * [RFC 9457 — Problem Details for HTTP APIs ↗](https://www.rfc-editor.org/rfc/rfc9457) * [Cloudflare 1xxx error documentation](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/) Feb 26, 2026 1. ### [Markdown responses for Cloudflare 1xxx errors](https://developers.cloudflare.com/changelog/post/2026-02-26-markdown-responses-for-1xxx-errors/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) Cloudflare now returns structured Markdown responses for Cloudflare-generated 1xxx errors when clients send `Accept: text/markdown`. Each response includes YAML frontmatter plus guidance sections (`What happened` / `What you should do`) so agents can make deterministic retry and escalation decisions without parsing HTML. In measured 1,015 comparisons, Markdown reduced payload size and token footprint by over 98% versus HTML. Included frontmatter fields: * `error_code`, `error_name`, `error_category`, `http_status` * `ray_id`, `timestamp`, `zone` * `cloudflare_error`, `retryable`, `retry_after` (when applicable), `owner_action_required` Default behavior is unchanged: clients that do not explicitly request Markdown continue to receive HTML error pages. #### Negotiation behavior Cloudflare uses standard HTTP content negotiation on the `Accept` header. * `Accept: text/markdown` \-> Markdown * `Accept: text/markdown, text/html;q=0.9` \-> Markdown * `Accept: text/*` \-> Markdown * `Accept: */*` \-> HTML (default browser behavior) When multiple values are present, Cloudflare selects the highest-priority supported media type using `q` values. If Markdown is not explicitly preferred, HTML is returned. #### Availability Available now for Cloudflare-generated 1xxx errors. #### Get started Terminal window ``` curl -H "Accept: text/markdown" https:///cdn-cgi/error/1015 ``` Reference: [Cloudflare 1xxx error documentation](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/) Feb 16, 2026 1. ### [Content encoding support for Markdown for Agents and other improvements](https://developers.cloudflare.com/changelog/post/2026-02-16-markdown-for-agents-improvements/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) When AI systems request pages from any website that uses Cloudflare and has [Markdown for Agents](https://developers.cloudflare.com/fundamentals/reference/markdown-for-agents/) enabled, they can express the preference for `text/markdown` in the request: our network will automatically and efficiently convert the HTML to markdown, when possible, on the fly. This release adds the following improvements: * The origin response limit was raised from 1 MB to 2 MB (2,097,152 bytes). * We no longer require the origin to send the `content-length` header. * We now support content encoded responses from the origin. If you haven’t enabled automatic Markdown conversion yet, visit the [AI Crawl Control ↗](https://dash.cloudflare.com/?to=/:account/:zone/ai) section of the Cloudflare dashboard and enable **Markdown for Agents**. Refer to our [developer documentation](https://developers.cloudflare.com/fundamentals/reference/markdown-for-agents/) for more details. Feb 13, 2026 1. ### [Fine-grained permissions for Access policies and service tokens](https://developers.cloudflare.com/changelog/post/2026-02-13-access-policy-service-token-permissions/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ Access ](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) Fine-grained permissions for **Access policies** and **Access service tokens** are available. These new resource-scoped roles expand the existing RBAC model, enabling administrators to grant permissions scoped to individual resources. #### New roles * **Cloudflare Access policy admin**: Can edit a specific [Access policy](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) in an account. * **Cloudflare Access service token admin**: Can edit a specific [Access service token](https://developers.cloudflare.com/cloudflare-one/access-controls/service-credentials/service-tokens/) in an account. These roles complement the existing resource-scoped roles for Access applications, identity providers, and infrastructure targets. For more information: * [Resource-scoped roles](https://developers.cloudflare.com/fundamentals/manage-members/roles/#resource-scoped-roles) * [Role scopes](https://developers.cloudflare.com/fundamentals/manage-members/scope/) Note Resource-scoped roles is currently in beta. Feb 13, 2026 1. ### [Cloudflare Python SDK v5.0.0-beta.1 now available](https://developers.cloudflare.com/changelog/post/2026-02-13-cloudflare-python-v500-beta1/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ SDK ](https://developers.cloudflare.com/sdk/) > **Disclaimer:** Please note that v5.0.0-beta.1 is in Beta and we are still testing it for stability. Full Changelog: [v4.3.1...v5.0.0-beta.1 ↗](https://github.com/cloudflare/cloudflare-python/compare/v4.3.1...v5.0.0-beta.1) In this release, you'll see a large number of breaking changes. This is primarily due to a change in OpenAPI definitions, which our libraries are based off of, and codegen updates that we rely on to read those OpenAPI definitions and produce our SDK libraries. As the codegen is always evolving and improving, so are our code bases. There may be changes that are not captured in this changelog. Feel free to open an issue to report any inaccuracies, and we will make sure it gets into the changelog before the v5.0.0 release. Most of the breaking changes below are caused by improvements to the accuracy of the base OpenAPI schemas, which sometimes translates to breaking changes in downstream clients that depend on those schemas. Please ensure you read through the list of changes below and the migration guide before moving to this version - this will help you understand any down or upstream issues it may cause to your environments. #### Breaking Changes **The following resources have breaking changes. See the [v5 Migration Guide ↗](https://github.com/cloudflare/cloudflare-python/blob/main/docs/v5-migration-guide.md) for detailed migration instructions.** * `abusereports` * `acm.totaltls` * `apigateway.configurations` * `cloudforceone.threatevents` * `d1.database` * `intel.indicatorfeeds` * `logpush.edge` * `origintlsclientauth.hostnames` * `queues.consumers` * `radar.bgp` * `rulesets.rules` * `schemavalidation.schemas` * `snippets` * `zerotrust.dlp` * `zerotrust.networks` #### Features #### New API Resources * `abusereports` \- Abuse report management * `abusereports.mitigations` \- Abuse report mitigation actions * `ai.tomarkdown` \- AI-powered markdown conversion * `aigateway.dynamicrouting` \- AI Gateway dynamic routing configuration * `aigateway.providerconfigs` \- AI Gateway provider configurations * `aisearch` \- AI-powered search functionality * `aisearch.instances` \- AI Search instance management * `aisearch.tokens` \- AI Search authentication tokens * `alerting.silences` \- Alert silence management * `brandprotection.logomatches` \- Brand protection logo match detection * `brandprotection.logos` \- Brand protection logo management * `brandprotection.matches` \- Brand protection match results * `brandprotection.queries` \- Brand protection query management * `cloudforceone.binarystorage` \- CloudForce One binary storage * `connectivity.directory` \- Connectivity directory services * `d1.database` \- D1 database management * `diagnostics.endpointhealthchecks` \- Endpoint health check diagnostics * `fraud` \- Fraud detection and prevention * `iam.sso` \- IAM Single Sign-On configuration * `loadbalancers.monitorgroups` \- Load balancer monitor groups * `organizations` \- Organization management * `organizations.organizationprofile` \- Organization profile settings * `origintlsclientauth.hostnamecertificates` \- Origin TLS client auth hostname certificates * `origintlsclientauth.hostnames` \- Origin TLS client auth hostnames * `origintlsclientauth.zonecertificates` \- Origin TLS client auth zone certificates * `pipelines` \- Data pipeline management * `pipelines.sinks` \- Pipeline sink configurations * `pipelines.streams` \- Pipeline stream configurations * `queues.subscriptions` \- Queue subscription management * `r2datacatalog` \- R2 Data Catalog integration * `r2datacatalog.credentials` \- R2 Data Catalog credentials * `r2datacatalog.maintenanceconfigs` \- R2 Data Catalog maintenance configurations * `r2datacatalog.namespaces` \- R2 Data Catalog namespaces * `radar.bots` \- Radar bot analytics * `radar.ct` \- Radar certificate transparency data * `radar.geolocations` \- Radar geolocation data * `realtimekit.activesession` \- Real-time Kit active session management * `realtimekit.analytics` \- Real-time Kit analytics * `realtimekit.apps` \- Real-time Kit application management * `realtimekit.livestreams` \- Real-time Kit live streaming * `realtimekit.meetings` \- Real-time Kit meeting management * `realtimekit.presets` \- Real-time Kit preset configurations * `realtimekit.recordings` \- Real-time Kit recording management * `realtimekit.sessions` \- Real-time Kit session management * `realtimekit.webhooks` \- Real-time Kit webhook configurations * `tokenvalidation.configuration` \- Token validation configuration * `tokenvalidation.rules` \- Token validation rules * `workers.beta` \- Workers beta features #### New Endpoints (Existing Resources) #### `acm.totaltls` * `edit()` * `update()` #### `cloudforceone.threatevents` * `list()` #### `contentscanning` * `create()` * `get()` * `update()` #### `dns.records` * `scan_list()` * `scan_review()` * `scan_trigger()` #### `intel.indicatorfeeds` * `create()` * `delete()` * `list()` #### `leakedcredentialchecks.detections` * `get()` #### `queues.consumers` * `list()` #### `radar.ai` * `summary()` * `timeseries()` * `timeseries_groups()` #### `radar.bgp` * `changes()` * `snapshot()` #### `workers.subdomains` * `delete()` #### `zerotrust.networks` * `create()` * `delete()` * `edit()` * `get()` * `list()` #### General Fixes and Improvements #### Type System & Compatibility * **Type inference improvements**: Allow Pyright to properly infer TypedDict types within SequenceNotStr * **Type completeness**: Add missing types to method arguments and response models * **Pydantic compatibility**: Ensure compatibility with Pydantic versions prior to 2.8.0 when using additional fields #### Request/Response Handling * **Multipart form data**: Correctly handle sending multipart/form-data requests with JSON data * **Header handling**: Do not send headers with default values set to omit * **GET request headers**: Don't send Content-Type header on GET requests * **Response body model accuracy**: Broad improvements to the correctness of models #### Parsing & Data Processing * **Discriminated unions**: Correctly handle nested discriminated unions in response parsing * **Extra field types**: Parse extra field types correctly * **Empty metadata**: Ignore empty metadata fields during parsing * **Singularization rules**: Update resource name singularization rules for better consistency Feb 12, 2026 1. ### [Introducing Markdown for Agents](https://developers.cloudflare.com/changelog/post/2026-02-12-markdown-for-agents/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) Cloudflare's network now supports real-time content conversion at the source, for enabled zones using [content negotiation ↗](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/Content%5Fnegotiation) headers. When AI systems request pages from any website that uses Cloudflare and has Markdown for Agents enabled, they can express the preference for `text/markdown` in the request: our network will automatically and efficiently convert the HTML to markdown, when possible, on the fly. Here is a curl example with the `Accept` negotiation header requesting this page from our developer documentation: Terminal window ``` curl https://developers.cloudflare.com/fundamentals/reference/markdown-for-agents/ \ -H "Accept: text/markdown" ``` The response to this request is now formatted in markdown: ``` HTTP/2 200 date: Wed, 11 Feb 2026 11:44:48 GMT content-type: text/markdown; charset=utf-8 content-length: 2899 vary: accept x-markdown-tokens: 725 content-signal: ai-train=yes, search=yes, ai-input=yes --- title: Markdown for Agents · Cloudflare Agents docs --- ## What is Markdown for Agents Markdown has quickly become the lingua franca for agents and AI systems as a whole. The format’s explicit structure makes it ideal for AI processing, ultimately resulting in better results while minimizing token waste. ... ``` Refer to our [developer documentation](https://developers.cloudflare.com/fundamentals/reference/markdown-for-agents/) and our [blog announcement ↗](https://blog.cloudflare.com/markdown-for-agents/) for more details. Feb 12, 2026 1. ### [Terraform v5.17.0 now available](https://developers.cloudflare.com/changelog/post/2026-02-12-terraform-v5170-provider/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ Terraform ](https://developers.cloudflare.com/terraform/) In January 2025, we announced the launch of the new Terraform v5 Provider. We greatly appreciate the proactive engagement and valuable feedback from the Cloudflare community following the v5 release. In response, we have established a consistent and rapid [2-3 week cadence ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5774) for releasing targeted improvements, demonstrating our commitment to stability and reliability. With the help of the community, we have a growing number of resources that we have marked as [stable ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6237), with that list continuing to grow with every release. The most used [resources ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6237) are on track to be stable by the end of March 2026, when we will also be releasing a new migration tool to help you migrate from v4 to v5 with ease. This release brings new capabilities for AI Search, enhanced Workers Script placement controls, and numerous bug fixes based on community feedback. We also begun laying foundational work for improving the v4 to v5 migration process. Stay tuned for more details as we approach the March 2026 release timeline. Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs. #### Features * **ai\_search\_instance:** add data source for querying AI Search instances * **ai\_search\_token:** add data source for querying AI Search tokens * **account:** add support for tenant unit management with new `unit` field * **account:** add automatic mapping from `managed_by.parent_org_id` to `unit.id` * **authenticated\_origin\_pulls\_certificate:** add data source for querying authenticated origin pull certificates * **authenticated\_origin\_pulls\_hostname\_certificate:** add data source for querying hostname-specific authenticated origin pull certificates * **authenticated\_origin\_pulls\_settings:** add data source for querying authenticated origin pull settings * **workers\_kv:** add `value` field to data source to retrieve KV values directly * **workers\_script:** add `script` field to data source to retrieve script content * **workers\_script:** add support for `simple` rate limit binding * **workers\_script:** add support for targeted placement mode with `placement.target` array for specifying placement targets (region, hostname, host) * **workers\_script:** add `placement_mode` and `placement_status` computed fields * **zero\_trust\_dex\_test:** add data source with filter support for finding specific tests * **zero\_trust\_dlp\_predefined\_profile:** add `enabled_entries` field for flexible entry management #### Bug Fixes * **account:** map `managed_by.parent_org_id` to `unit.id` in unmarshall and add acceptance tests * **authenticated\_origin\_pulls\_certificate:** add certificate normalization to prevent drift * **authenticated\_origin\_pulls:** handle array response and implement full lifecycle * **authenticated\_origin\_pulls\_hostname\_certificate:** fix resource and tests * **cloudforce\_one\_request\_message:** use correct `request_id` field instead of `id` in API calls * **dns\_zone\_transfers\_incoming:** use correct `zone_id` field instead of `id` in API calls * **dns\_zone\_transfers\_outgoing:** use correct `zone_id` field instead of `id` in API calls * **email\_routing\_settings:** use correct `zone_id` field instead of `id` in API calls * **hyperdrive\_config:** add proper handling for write-only fields to prevent state drift * **hyperdrive\_config:** add normalization for empty `mtls` objects to prevent unnecessary diffs * **magic\_network\_monitoring\_rule:** use correct `account_id` field instead of `id` in API calls * **mtls\_certificates:** fix resource and test * **pages\_project:** revert build\_config to computed optional * **stream\_key:** use correct `account_id` field instead of `id` in API calls * **total\_tls:** use upsert pattern for singleton zone setting * **waiting\_room\_rules:** use correct `waiting_room_id` field instead of `id` in API calls * **workers\_script:** add support for placement mode/status * **zero\_trust\_access\_application:** update v4 version on migration tests * **zero\_trust\_device\_posture\_rule:** update tests to match API * **zero\_trust\_dlp\_integration\_entry:** use correct `entry_id` field instead of `id` in API calls * **zero\_trust\_dlp\_predefined\_entry:** use correct `entry_id` field instead of `id` in API calls * **zero\_trust\_organization:** fix plan issues #### Chores * add state upgraders to 95+ resources to lay the foundation for replacing Grit (still under active development) * **certificate\_pack:** add state migration handler for SDKv2 to Framework conversion * **custom\_hostname\_fallback\_origin:** add comprehensive lifecycle test and migration support * **dns\_record:** add state migration handler for SDKv2 to Framework conversion * **leaked\_credential\_check:** add import functionality and tests * **load\_balancer\_pool:** add state migration handler with detection for v4 vs v5 format * **pages\_project:** add state migration handlers * **tiered\_cache:** add state migration handlers * **zero\_trust\_dlp\_predefined\_profile:** deprecate `entries` field in favor of `enabled_entries` #### For more information * [Terraform Provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs) * [Documentation on using Terraform with Cloudflare](https://developers.cloudflare.com/terraform/) * [List of stabilized resources ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6237) Jan 27, 2026 1. ### [Added Timezone preferences settings](https://developers.cloudflare.com/changelog/post/2026-01-27-timezone-preferences/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) You can now set the timezone in the Cloudflare dashboard as Coordinated Universal Time (UTC) or your browser or system's timezone. #### What's New Unless otherwise specified in the user interface, all dates and times in the Cloudflare dashboard are now displayed in the selected timezone. You can change the timezone setting from the user profile dropdown. ![Timezone preference dropdown](https://developers.cloudflare.com/_astro/2026-01-27-set-timezone.CUmMl54E_2ucVUh.webp) The page will reload to apply the new timezone setting. Jan 23, 2026 1. ### [New 2FA Experience for Login](https://developers.cloudflare.com/changelog/post/2026-01-23-new-2fa-experience/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) ![Screenshot of new 2FA enrollment experience](https://developers.cloudflare.com/_astro/2026-01-23-2fa-interstitial.TXFGNSth_ZOKoRB.webp) In an effort to improve overall user security, users without 2FA will be prompted upon login to enroll in email 2FA. This will improve user security posture while minimizing friction. Users without email 2FA enabled will see a prompt to secure their account with additional factors upon logging in. Enrolling in 2FA remains optional, but strongly encouraged as it is the best way to prevent account takeovers. We also made changes to existing 2FA screens to improve the user experience. Now we have distinct experiences for each 2FA factor type, reflective of the way that factor works. #### For more information * [Configure Email Two Factor Authentication](https://developers.cloudflare.com/fundamentals/user-profiles/2fa/#configure-email-two-factor-authentication) Jan 20, 2026 1. ### [Cloudflare Typescript SDK v6.0.0-beta.1 now available](https://developers.cloudflare.com/changelog/post/2026-01-20-cloudflare-typescript-v600-beta1/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ SDK ](https://developers.cloudflare.com/sdk/) > **Disclaimer:** Please note that v6.0.0-beta.1 is in Beta and we are still testing it for stability. Full Changelog: [v5.2.0...v6.0.0-beta.1 ↗](https://github.com/cloudflare/cloudflare-typescript/compare/v5.2.0...v6.0.0-beta.1) In this release, you'll see a large number of breaking changes. This is primarily due to a change in OpenAPI definitions, which our libraries are based off of, and codegen updates that we rely on to read those OpenAPI definitions and produce our SDK libraries. As the codegen is always evolving and improving, so are our code bases. Some breaking changes were introduced due to bug fixes, also listed below. Please ensure you read through the list of changes below before moving to this version - this will help you understand any down or upstream issues it may cause to your environments. --- #### Breaking Changes #### Addressing - Parameter Requirements Changed * `BGPPrefixCreateParams.cidr`: optional → **required** * `PrefixCreateParams.asn`: `number | null` → `number` * `PrefixCreateParams.loa_document_id`: required → **optional** * `ServiceBindingCreateParams.cidr`: optional → **required** * `ServiceBindingCreateParams.service_id`: optional → **required** #### API Gateway * `ConfigurationUpdateResponse` removed * `PublicSchema` → `OldPublicSchema` * `SchemaUpload` → `UserSchemaCreateResponse` * `ConfigurationUpdateParams.properties` removed; use `normalize` #### CloudforceOne - Response Type Changes * `ThreatEventBulkCreateResponse`: `number` → complex object with counts and errors #### D1 Database - Query Parameters * `DatabaseQueryParams`: simple interface → union type (`D1SingleQuery | MultipleQueries`) * `DatabaseRawParams`: same change * Supports batch queries via `batch` array #### DNS Records - Type Renames (21 types) All record type interfaces renamed from `*Record` to short names: * `RecordResponse.ARecord` → `RecordResponse.A` * `RecordResponse.AAAARecord` → `RecordResponse.AAAA` * `RecordResponse.CNAMERecord` → `RecordResponse.CNAME` * `RecordResponse.MXRecord` → `RecordResponse.MX` * `RecordResponse.NSRecord` → `RecordResponse.NS` * `RecordResponse.PTRRecord` → `RecordResponse.PTR` * `RecordResponse.TXTRecord` → `RecordResponse.TXT` * `RecordResponse.CAARecord` → `RecordResponse.CAA` * `RecordResponse.CERTRecord` → `RecordResponse.CERT` * `RecordResponse.DNSKEYRecord` → `RecordResponse.DNSKEY` * `RecordResponse.DSRecord` → `RecordResponse.DS` * `RecordResponse.HTTPSRecord` → `RecordResponse.HTTPS` * `RecordResponse.LOCRecord` → `RecordResponse.LOC` * `RecordResponse.NAPTRRecord` → `RecordResponse.NAPTR` * `RecordResponse.SMIMEARecord` → `RecordResponse.SMIMEA` * `RecordResponse.SRVRecord` → `RecordResponse.SRV` * `RecordResponse.SSHFPRecord` → `RecordResponse.SSHFP` * `RecordResponse.SVCBRecord` → `RecordResponse.SVCB` * `RecordResponse.TLSARecord` → `RecordResponse.TLSA` * `RecordResponse.URIRecord` → `RecordResponse.URI` * `RecordResponse.OpenpgpkeyRecord` → `RecordResponse.Openpgpkey` #### IAM Resource Groups * `ResourceGroupCreateResponse.scope`: optional single → **required array** * `ResourceGroupCreateResponse.id`: optional → **required** #### Origin CA Certificates - Parameter Requirements Changed * `OriginCACertificateCreateParams.csr`: optional → **required** * `OriginCACertificateCreateParams.hostnames`: optional → **required** * `OriginCACertificateCreateParams.request_type`: optional → **required** #### Pages * Renamed: `DeploymentsSinglePage` → `DeploymentListResponsesV4PagePaginationArray` * Domain response fields: many optional → **required** #### Pipelines - v0 to v1 Migration * Entire v0 API deprecated; use v1 methods (`createV1`, `listV1`, etc.) * New sub-resources: `Sinks`, `Streams` #### R2 * `EventNotificationUpdateParams.rules`: optional → **required** * Super Slurper: `bucket`, `secret` now required in source params #### Radar * `dataSource`: `string` → typed enum (23 values) * `eventType`: `string` → typed enum (6 values) * V2 methods require `dimension` parameter (breaking signature change) #### Resource Sharing * Removed: `status_message` field from all recipient response types #### Schema Validation * Consolidated `SchemaCreateResponse`, `SchemaListResponse`, `SchemaEditResponse`, `SchemaGetResponse` → `PublicSchema` * Renamed: `SchemaListResponsesV4PagePaginationArray` → `PublicSchemasV4PagePaginationArray` #### Spectrum * Renamed union members: `AppListResponse.UnionMember0` → `SpectrumConfigAppConfig` * Renamed union members: `AppListResponse.UnionMember1` → `SpectrumConfigPaygoAppConfig` #### Workers * Removed: `WorkersBindingKindTailConsumer` type (all occurrences) * Renamed: `ScriptsSinglePage` → `ScriptListResponsesSinglePage` * Removed: `DeploymentsSinglePage` #### Zero-Trust DLP * `datasets.create()`, `update()`, `get()` return types changed * `PredefinedGetResponse` union members renamed to `UnionMember0-5` #### Zero-Trust Tunnels * Removed: `CloudflaredCreateResponse`, `CloudflaredListResponse`, `CloudflaredDeleteResponse`, `CloudflaredEditResponse`, `CloudflaredGetResponse` * Removed: `CloudflaredListResponsesV4PagePaginationArray` --- #### Features #### Abuse Reports (`client.abuseReports`) * **Reports**: `create`, `list`, `get` * **Mitigations**: sub-resource for abuse mitigations #### AI Search (`client.aisearch`) * **Instances**: `create`, `update`, `list`, `delete`, `read`, `stats` * **Items**: `list`, `get` * **Jobs**: `create`, `list`, `get`, `logs` * **Tokens**: `create`, `update`, `list`, `delete`, `read` #### Connectivity (`client.connectivity`) * **Directory Services**: `create`, `update`, `list`, `delete`, `get` * Supports IPv4, IPv6, dual-stack, and hostname configurations #### Organizations (`client.organizations`) * **Organizations**: `create`, `update`, `list`, `delete`, `get` * **OrganizationProfile**: `update`, `get` * Hierarchical organization support with parent/child relationships #### R2 Data Catalog (`client.r2DataCatalog`) * **Catalog**: `list`, `enable`, `disable`, `get` * **Credentials**: `create` * **MaintenanceConfigs**: `update`, `get` * **Namespaces**: `list` * **Tables**: `list`, maintenance config management * Apache Iceberg integration #### Realtime Kit (`client.realtimeKit`) * **Apps**: `get`, `post` * **Meetings**: `create`, `get`, participant management * **Livestreams**: 10+ methods for streaming * **Recordings**: start, pause, stop, get * **Sessions**: transcripts, summaries, chat * **Webhooks**: full CRUD * **ActiveSession**: polls, kick participants * **Analytics**: organization analytics #### Token Validation (`client.tokenValidation`) * **Configuration**: `create`, `list`, `delete`, `edit`, `get` * **Credentials**: `update` * **Rules**: `create`, `list`, `delete`, `bulkCreate`, `bulkEdit`, `edit`, `get` * JWT validation with RS256/384/512, PS256/384/512, ES256, ES384 #### Alerting Silences (`client.alerting.silences`) * `create`, `update`, `list`, `delete`, `get` #### IAM SSO (`client.iam.sso`) * `create`, `update`, `list`, `delete`, `get`, `beginVerification` #### Pipelines v1 (`client.pipelines`) * **Sinks**: `create`, `list`, `delete`, `get` * **Streams**: `create`, `update`, `list`, `delete`, `get` #### Zero-Trust AI Controls / MCP (`client.zeroTrust.access.aiControls.mcp`) * **Portals**: `create`, `update`, `list`, `delete`, `read` * **Servers**: `create`, `update`, `list`, `delete`, `read`, `sync` #### Accounts * `managed_by` field with `parent_org_id`, `parent_org_name` #### Addressing LOA Documents * `auto_generated` field on `LOADocumentCreateResponse` #### Addressing Prefixes * `delegate_loa_creation`, `irr_validation_state`, `ownership_validation_state`, `ownership_validation_token`, `rpki_validation_state` #### AI * Added `toMarkdown.supported()` method to get all supported conversion formats #### AI Gateway * `zdr` field added to all responses and params #### Alerting * New alert type: `abuse_report_alert` * `type` field added to PolicyFilter #### Browser Rendering * `ContentCreateParams`: refined to discriminated union (`Variant0 | Variant1`) * Split into URL-based and HTML-based parameter variants for better type safety #### Client Certificates * `reactivate` parameter in edit #### CloudforceOne * `ThreatEventCreateParams.indicatorType`: required → optional * `hasChildren` field added to all threat event response types * `datasetIds` query parameter on `AttackerListParams`, `CategoryListParams`, `TargetIndustryListParams` * `categoryUuid` field on `TagCreateResponse` * `indicators` array for multi-indicator support per event * `uuid` and `preserveUuid` fields for UUID preservation in bulk create * `format` query parameter (`'json' | 'stix2'`) on `ThreatEventListParams` * `createdAt`, `datasetId` fields on `ThreatEventEditParams` #### Content Scanning * Added `create()`, `update()`, `get()` methods #### Custom Pages * New page types: `basic_challenge`, `under_attack`, `waf_challenge` #### D1 * `served_by_colo` \- colo that handled query * `jurisdiction` \- `'eu' | 'fedramp'` * **Time Travel** (`client.d1.database.timeTravel`): `getBookmark()`, `restore()` \- point-in-time recovery #### Email Security * New fields on `InvestigateListResponse`/`InvestigateGetResponse`: `envelope_from`, `envelope_to`, `postfix_id_outbound`, `replyto` * New detection classification: `'outbound_ndr'` * Enhanced `Finding` interface with `attachment`, `detection`, `field`, `portion`, `reason`, `score` * Added `cursor` query parameter to `InvestigateListParams` #### Gateway Lists * New list types: `CATEGORY`, `LOCATION`, `DEVICE` #### Intel * New issue type: `'configuration_suggestion'` * `payload` field: `unknown` → typed `Payload` interface with `detection_method`, `zone_tag` #### Leaked Credential Checks * Added `detections.get()` method #### Logpush * New datasets: `dex_application_tests`, `dex_device_state_events`, `ipsec_logs`, `warp_config_changes`, `warp_toggle_changes` #### Load Balancers * `Monitor.port`: `number` → `number | null` * `Pool.load_shedding`: `LoadShedding` → `LoadShedding | null` * `Pool.origin_steering`: `OriginSteering` → `OriginSteering | null` #### Magic Transit * `license_key` field on connectors * `provision_license` parameter for auto-provisioning * IPSec: `custom_remote_identities` with FQDN support * Snapshots: Bond interface, `probed_mtu` field #### Pages * New response types: `ProjectCreateResponse`, `ProjectListResponse`, `ProjectEditResponse`, `ProjectGetResponse` * Deployment methods return specific response types instead of generic `Deployment` #### Queues * Added `subscriptions.get()` method * Enhanced `SubscriptionGetResponse` with typed event source interfaces * New event source types: Images, KV, R2, Vectorize, Workers AI, Workers Builds, Workflows #### R2 * Sippy: new provider `s3` (S3-compatible endpoints) * Sippy: `bucketUrl` field for S3-compatible sources * Super Slurper: `keys` field on source response schemas (specify specific keys to migrate) * Super Slurper: `pathPrefix` field on source schemas * Super Slurper: `region` field on S3 source params #### Radar * Added `geolocations.list()`, `geolocations.get()` methods * Added V2 dimension-based methods (`summaryV2`, `timeseriesGroupsV2`) to radar sub-resources #### Resource Sharing * Added `terminal` boolean field to Resource Error interfaces #### Rules * Added `id` field to `ItemDeleteParams.Item` #### Rulesets * New buffering fields on `SetConfigRule`: `request_body_buffering`, `response_body_buffering` #### Secrets Store * New scopes: `'dex'`, `'access'` (in addition to `'workers'`, `'ai_gateway'`) #### SSL Certificate Packs * Response types now proper interfaces (was `unknown`) * Fields now required: `id`, `certificates`, `hosts`, `status`, `type` #### Security Center * `payload` field: `unknown` → typed `Payload` interface with `detection_method`, `zone_tag` #### Shared Types * Added: `CloudflareTunnelsV4PagePaginationArray` pagination class #### Workers * Added `subdomains.delete()` method * `Worker.references` \- track external dependencies (domains, Durable Objects, queues) * `Worker.startup_time_ms` \- startup timing * `Script.observability` \- observability settings with logging * `Script.tag`, `Script.tags` \- immutable ID and tags * Placement: support for region, hostname, host-based placement * `tags`, `tail_consumers` now accept `| null` * Telemetry: `traces` field, `$containers` event info, `durableObjectId`, `transactionName`, `abr_level` fields #### Workers for Platforms * `ScriptUpdateResponse`: new fields `entry_point`, `observability`, `tag`, `tags` * `placement` field now union of 4 variants (smart mode, region, hostname, host) * `tags`, `tail_consumers` now nullable * `TagUpdateParams.body` now accepts `null` #### Workflows * `instance_retention`: `unknown` → typed `InstanceRetention` interface with `error_retention`, `success_retention` * New status option: `'restart'` added to `StatusEditParams.status` #### Zero-Trust Devices * External emergency disconnect settings (4 new fields) * `antivirus` device posture check type * `os_version_extra` documentation improvements #### Zones * New response types: `SubscriptionCreateResponse`, `SubscriptionUpdateResponse`, `SubscriptionGetResponse` #### Zero-Trust Access Applications * New `ApplicationType` values: `'mcp'`, `'mcp_portal'`, `'proxy_endpoint'` * New destination type: `ViaMcpServerPortalDestination` for MCP server access #### Zero-Trust Gateway * Added `rules.listTenant()` method #### Zero-Trust Gateway - Proxy Endpoints * `ProxyEndpoint`: interface → discriminated union (`ZeroTrustGatewayProxyEndpointIP | ZeroTrustGatewayProxyEndpointIdentity`) * `ProxyEndpointCreateParams`: interface → union type * Added `kind` field: `'ip' | 'identity'` #### Zero-Trust Tunnels * `WARPConnector*Response`: union type → interface --- #### Deprecations * **API Gateway**: `UserSchemas`, `Settings`, `SchemaValidation` resources * **Audit Logs**: `auditLogId.not` (use `id.not`) * **CloudforceOne**: `ThreatEvents.get()`, `IndicatorTypes.list()` * **Devices**: `public_ip` field (use DEX API) * **Email Security**: `item_count` field in Move responses * **Pipelines**: v0 methods (use v1) * **Radar**: old `summary()` and `timeseriesGroups()` methods (use V2) * **Rulesets**: `disable_apps`, `mirage` fields * **WARP Connector**: `connections` field * **Workers**: `environment` parameter in Domains * **Zones**: `ResponseBuffering` page rule --- #### Bug Fixes * **mcp:** correct code tool API endpoint ([599703c ↗](https://github.com/cloudflare/cloudflare-typescript/commit/599703c45672dc899455d74b124018efd4b75095)) * **mcp:** return correct lines on typescript errors ([5d6f999 ↗](https://github.com/cloudflare/cloudflare-typescript/commit/5d6f9998ed9999aaa95e1bda8cf50929f3555cf1)) * **organization\_profile:** fix bad reference ([d84ea77 ↗](https://github.com/cloudflare/cloudflare-typescript/commit/d84ea77094400055c06554812b84c2f0c8d00cc4)) * **schema\_validation:** correctly reflect model to openapi mapping ([bb86151 ↗](https://github.com/cloudflare/cloudflare-typescript/commit/bb861516774b159d80e0f46a5f3abc5a4c9f9d49)) * **workers:** fix tests ([2ee37f7 ↗](https://github.com/cloudflare/cloudflare-typescript/commit/2ee37f7adf5a4637d65f61fc225e135eec2579fc)) --- #### Documentation * Added deprecation notices with migration paths * **api\_gateway:** deprecate API Shield Schema Validation resources ([8a4b20f ↗](https://github.com/cloudflare/cloudflare-typescript/commit/8a4b20f7a572422f74179fbdb4f1c4fb555e3e40)) * Improved JSDoc examples across all resources * **workers:** expose subdomain delete documentation ([4f7cc1f ↗](https://github.com/cloudflare/cloudflare-typescript/commit/4f7cc1f2b8861a5b8abc193d287f78264a425062)) Jan 20, 2026 1. ### [Terraform v5.16.0 now available](https://developers.cloudflare.com/changelog/post/2026-01-20-terraform-v5160-provider/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ Terraform ](https://developers.cloudflare.com/terraform/) In January 2025, we announced the launch of the new Terraform v5 Provider. We greatly appreciate the proactive engagement and valuable feedback from the Cloudflare community following the v5 release. In response, we've established a consistent and rapid [2-3 week cadence ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5774) for releasing targeted improvements, demonstrating our commitment to stability and reliability. With the help of the community, we have a growing number of resources that we have marked as [stable ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6237), with that list continuing to grow with every release. The most used [resources ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6237) are on track to be stable by the end of March 2026, when we will also be releasing a new migration tool to you migrate from v4 to v5 with ease. Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs. This release includes bug fixes, the stabilization of even more popular resources, and more. #### Features * **custom\_pages:** add "waf\_challenge" as new supported error page type identifier in both resource and data source schemas * **list:** enhance CIDR validator to check for normalized CIDR notation requiring network address for IPv4 and IPv6 * **magic\_wan\_gre\_tunnel:** add automatic\_return\_routing attribute for automatic routing control * **magic\_wan\_gre\_tunnel:** add BGP configuration support with new BGP model attribute * **magic\_wan\_gre\_tunnel:** add bgp\_status computed attribute for BGP connection status information * **magic\_wan\_gre\_tunnel:** enhance schema with BGP-related attributes and validators * **magic\_wan\_ipsec\_tunnel:** add automatic\_return\_routing attribute for automatic routing control * **magic\_wan\_ipsec\_tunnel:** add BGP configuration support with new BGP model attribute * **magic\_wan\_ipsec\_tunnel:** add bgp\_status computed attribute for BGP connection status information * **magic\_wan\_ipsec\_tunnel:** add custom\_remote\_identities attribute for custom identity configuration * **magic\_wan\_ipsec\_tunnel:** enhance schema with BGP and identity-related attributes * **ruleset:** add request body buffering support * **ruleset:** enhance ruleset data source with additional configuration options * **workers\_script:** add observability logs attributes to list data source model * **workers\_script:** enhance list data source schema with additional configuration options #### Bug Fixes * **account\_member**: fix resource importability issues * **dns\_record:** remove unnecessary fmt.Sprintf wrapper around LoadTestCase call in test configuration helper function * **load\_balancer:** fix session\_affinity\_ttl type expectations to match Float64 in initial creation and Int64 after migration * **workers\_kv:** handle special characters correctly in URL encoding #### Documentation * **account\_subscription:** update schema description for rate\_plan.sets attribute to clarify it returns an array of strings * **api\_shield:** add resource-level description for API Shield management of auth ID characteristics * **api\_shield:** enhance auth\_id\_characteristics.name attribute description to include JWT token configuration format requirements * **api\_shield:** specify JSONPath expression format for JWT claim locations * **hyperdrive\_config:** add description attribute to name attribute explaining its purpose in dashboard and API identification * **hyperdrive\_config:** apply description improvements across resource, data source, and list data source schemas * **hyperdrive\_config:** improve schema descriptions for cache settings to clarify default values * **hyperdrive\_config:** update port description to clarify defaults for different database types #### For more information * [Terraform Provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs) * [Documentation on using Terraform with Cloudflare](https://developers.cloudflare.com/terraform/) * [List of stabilized resources ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6237) Jan 19, 2026 1. ### [Enhanced HTTP/3 request cancellation visibility](https://developers.cloudflare.com/changelog/post/2026-01-19-http3-499-reporting-improvement/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) #### Enhanced HTTP/3 request cancellation visibility Cloudflare now provides more accurate visibility into HTTP/3 client request cancellations, giving you better insight into real client behavior and reducing unnecessary load on your origins. Previously, when an HTTP/3 client cancelled a request, the cancellation was not always actioned immediately. This meant requests could continue through the CDN — potentially all the way to your origin — even after the client had abandoned them. In these cases, logs would show the upstream response status (such as `200` or a timeout-related code) rather than reflecting the client cancellation. Now, Cloudflare terminates cancelled HTTP/3 requests immediately and accurately logs them with a `499` status code. --- #### Better observability for client behavior When HTTP/3 clients cancel requests, Cloudflare now immediately reflects this in your logs with a `499` status code. This gives you: * **More accurate traffic analysis**: Understand exactly when and how often clients cancel requests. * **Clearer debugging**: Distinguish between true errors and intentional client cancellations. * **Better availability metrics**: Separate client-initiated cancellations from server-side issues. --- #### Reduced origin load Cloudflare now terminates cancelled requests faster, which means: * **Less wasted compute**: Your origin no longer processes requests that clients have already abandoned. * **Lower bandwidth usage**: Responses are no longer generated and transmitted for cancelled requests. * **Improved efficiency**: Resources are freed up to handle active requests. --- #### What to expect in your logs You may notice an increase in `499` status codes for HTTP/3 traffic. For HTTP/3, a `499` indicates the client [cancelled the request stream ↗](https://datatracker.ietf.org/doc/html/rfc9114#section-4.1.1) before receiving a complete response — the underlying connection may remain open. This is a normal part of web traffic. **Tip**: If you use `499` codes in availability calculations, consider whether client-initiated cancellations should be excluded from error rates. These typically represent normal user behavior — such as closing a browser, navigating away from a page, mobile network drops, or cancelling a download — rather than service issues. --- For more information, refer to [Error 499](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/4xx-client-error/error-499/). Dec 19, 2025 1. ### [Terraform v5.15.0 now available](https://developers.cloudflare.com/changelog/post/2025-12-19-terraform-v5150-provider/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ Terraform ](https://developers.cloudflare.com/terraform/) Earlier this year, we announced the launch of the new Terraform v5 Provider. We are aware of the high number of issues reported by the Cloudflare community related to the v5 release. We have committed to releasing improvements on a [2-3 week cadence ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5774) to ensure its stability and reliability, including the v5.15 release. We have also pivoted from an [issue-to-issue approach to a resource-per-resource approach ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6237) \- we will be focusing on specific resources to not only stabilize the resource but also ensure it is migration-friendly for those migrating from v4 to v5. Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs. This release includes bug fixes, the stabilization of even more popular resources, and more. #### Features * **ai\_search:** Add AI Search endpoints ([6f02adb ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/6f02adb420e872457f71f95b49cb527663388915)) * **certificate\_pack:** Ensure proper Terraform resource ID handling for path parameters in API calls ([081f32a ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/081f32acab4ce9a194a7ff51c8e9fcabd349895a)) * **worker\_version:** Support `startup_time_ms` ([286ab55 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/286ab55bea8d5be0faa5a2b5b8b157e4a2214eba)) * **zero\_trust\_dlp\_custom\_entry:** Support `upload_status` ([7dc0fe3 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/7dc0fe3b23726ead8dc075f86728a0540846d90c)) * **zero\_trust\_dlp\_entry:** Support `upload_status` ([7dc0fe3 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/7dc0fe3b23726ead8dc075f86728a0540846d90c)) * **zero\_trust\_dlp\_integration\_entry:** Support `upload_status` ([7dc0fe3 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/7dc0fe3b23726ead8dc075f86728a0540846d90c)) * **zero\_trust\_dlp\_predefined\_entry:** Support `upload_status` ([7dc0fe3 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/7dc0fe3b23726ead8dc075f86728a0540846d90c)) * **zero\_trust\_gateway\_policy:** Support `forensic_copy` ([5741fd0 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/5741fd0ed9f7270d20731cc47ec45eb0403a628b)) * **zero\_trust\_list:** Support additional types (category, location, device) ([5741fd0 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/5741fd0ed9f7270d20731cc47ec45eb0403a628b)) #### Bug fixes * **access\_rules:** Add validation to prevent state drift. Ideally, we'd use Semantic Equality but since that isn't an option, this will remove a foot-gun. ([4457791 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/44577911b3cbe45de6279aefa657bdee73c0794d)) * **cloudflare\_pages\_project:** Addressing drift issues ([6edffcf ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/6edffcfcf187fdc9b10b624b9a9b90aed2fb2b2e)) ([3db318e ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/3db318e747423bf10ce587d9149e90edcd8a77b0)) * **cloudflare\_worker:** Can be cleanly imported ([4859b52 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/4859b52968bb25570b680df9813f8e07fd50728f)) * **cloudflare\_worker:** Ensure clean imports ([5b525bc ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/5b525bc478a4e2c9c0d4fd659b92cc7f7c18016a)) * **list\_items:** Add validation for IP List items to avoid inconsistent state ([b6733dc ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/b6733dc4be909a5ab35895a88e519fc2582ccada)) * **zero\_trust\_access\_application:** Remove all conditions from sweeper ([3197f1a ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/3197f1aed61be326d507d9e9e3b795b9f1d18fd7)) * **spectrum\_application:** Map missing fields during spectrum resource import ([#6495 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6495)) ([ddb4e72 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/commit/ddb4e722b82c735825a549d651a9da219c142efa)) #### Upgrade to newer version We suggest waiting to migrate to v5 while we work on stabilization. This helps with avoiding any blocking issues while the Terraform resources are actively being [stabilized ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6237). We will be releasing a new migration tool in March 2026 to help support v4 to v5 transitions for our most popular resources. #### For more information * [Terraform Provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs) * [Documentation on using Terraform with Cloudflare](https://developers.cloudflare.com/terraform/) Dec 05, 2025 1. ### [Terraform v5.14.0 now available](https://developers.cloudflare.com/changelog/post/2025-12-05-terraform-v5140-provider/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ Terraform ](https://developers.cloudflare.com/terraform/) Earlier this year, we announced the launch of the new Terraform v5 Provider. We are aware of the high number of issues reported by the Cloudflare community related to the v5 release. We have committed to releasing improvements on a [2-3 week cadence ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5774) to ensure its stability and reliability, including the v5.14 release. We have also pivoted from an [issue-to-issue approach to a resource-per-resource approach ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6237) \- we will be focusing on specific resources to not only stabilize the resource but also ensure it is migration-friendly for those migrating from v4 to v5. Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs. This release includes bug fixes, the stabilization of even more popular resources, and more. #### Deprecation notice Resource affected: `api_shield_discovery_operation` Cloudflare continuously discovers and updates API endpoints and web assets of your web applications. To improve the maintainability of these dynamic resources, we are working on reducing the need to actively engage with discovered operations. The corresponding public API endpoint of [discovered operations ↗](https://developers.cloudflare.com/api/resources/api%5Fgateway/subresources/discovery/subresources/operations/) is not affected and will continue to be supported. #### Features * **pages\_project**: Add v4 -> v5 migration tests ([#6506 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/pull/6506)) #### Bug fixes * **account\_members**: Makes member policies a set ([#6488 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6488)) * **pages\_project**: Ensures non empty refresh plans ([#6515 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6515)) * **R2**: Improves sweeper ([#6512 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6512)) * **workers\_kv**: Ignores value import state for verify ([#6521 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6521)) * **workers\_script**: No longer treats the migrations attribute as WriteOnly ([#6489 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6489)) * **workers\_script**: Resolves resource drift when worker has unmanaged secret ([#6504 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6504)) * **zero\_trust\_device\_posture\_rule**: Preserves input.version and other fields ([#6500 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6500)) and ([#6503 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6503)) * **zero\_trust\_dlp\_custom\_profile**: Adds sweepers for `dlp_custom_profile` * **zone\_subscription|account\_subscription**: Adds `partners_ent` as valid enum for `rate_plan.id` ([#6505 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6505)) * **zone**: Ensures datasource model schema parity ([#6487 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6487)) * **subscription**: Updates import signature to accept account\_id/subscription\_id to import account subscription ([#6510 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6510)) #### Upgrade to newer version We suggest waiting to migrate to v5 while we work on stabilization. This helps with avoiding any blocking issues while the Terraform resources are actively being [stabilized ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6237). We will be releasing a new migration tool in March 2026 to help support v4 to v5 transitions for our most popular resources. #### For more information * [Terraform Provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs) * [Documentation on using Terraform with Cloudflare ↗](https://developers.cloudflare.com/terraform/) Nov 20, 2025 1. ### [Terraform v5.13.0 now available](https://developers.cloudflare.com/changelog/post/2025-11-20-terraform-v5130-provider/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ Terraform ](https://developers.cloudflare.com/terraform/) Earlier this year, we announced the launch of the new Terraform v5 Provider. We are aware of the high number of issues reported by the Cloudflare community related to the v5 release. We have committed to releasing improvements on a [2-3 week cadence ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5774) to ensure its stability and reliability, including the v5.13 release. We have also pivoted from an [issue-to-issue approach to a resource-per-resource approach ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6237) \- we will be focusing on specific resources to not only stabilize the resource but also ensure it is migration-friendly for those migrating from v4 to v5. Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs. This release includes new features, new resources and data sources, bug fixes, updates to our Developer Documentation, and more. #### Breaking Change Please be aware that there are breaking changes for the `cloudflare_api_token` and `cloudflare_account_token` resources. These changes eliminate configuration drift caused by policy ordering differences in the Cloudflare API. For more specific information about the changes or the actions required, please see the [detailed Repository changelog ↗](https://github.com/cloudflare/terraform-provider-cloudflare/releases/tag/v5.13.0). #### Features * **New resources and data sources added** * cloudflare\_connectivity\_directory * cloudflare\_sso\_connector * cloudflare\_universal\_ssl\_setting * **api\_token+account\_tokens:** state upgrader and schema bump ([#6472 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6472)) * **docs:** make docs explicit when a resource does not have import support * **magic\_transit\_connector:** support self-serve license key ([#6398 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6398)) * **worker\_version:** add content\_base64 support * **worker\_version:** boolean support for run\_worker\_first ([#6407 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6407)) * **workers\_script\_subdomains:** add import support ([#6375 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6375)) * **zero\_trust\_access\_application:** add proxy\_endpoint for ZT Access Application ([#6453 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6453)) * **zero\_trust\_dlp\_predefined\_profile:** Switch DLP Predefined Profile endpoints, introduce enabled\_entries attribut #### Bug Fixes * **account\_token:** token policy order and nested resources ([#6440 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6440)) * allow r2\_bucket\_event\_notification to be applied twice without failing ([#6419 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6419)) * **cloudflare\_worker+cloudflare\_worker\_version:** import for the resources ([#6357 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6357)) * **dns\_record:** inconsistent apply error ([#6452 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6452)) * **pages\_domain:** resource tests ([#6338 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6338)) * **pages\_project:** unintended resource state drift ([#6377 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6377)) * **queue\_consumer:** id population ([#6181 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6181)) * **workers\_kv:** multipart request ([#6367 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6367)) * **workers\_kv:** updating workers metadata attribute to be read from endpoint ([#6386 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6386)) * **workers\_script\_subdomain:** add note to cloudflare\_workers\_script\_subdomain about redundancy with cloudflare\_worker ([#6383 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6383)) * **workers\_script:** allow config.run\_worker\_first to accept list input * **zero\_trust\_device\_custom\_profile\_local\_domain\_fallback:** drift issues ([#6365 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6365)) * **zero\_trust\_device\_custom\_profile:** resolve drift issues ([#6364 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6364)) * **zero\_trust\_dex\_test:** correct configurability for 'targeted' attribute to fix drift * **zero\_trust\_tunnel\_cloudflared\_config:** remove warp\_routing from cloudflared\_config ([#6471 ↗](https://github.com/cloudflare/terraform-provider-cloudflare/issues/6471)) #### Upgrading We suggest holding off on migration to v5 while we work on stabilization. This help will you avoid any blocking issues while the Terraform resources are actively being stabilized. We will be releasing a new migration tool in March 2026 to help support v4 to v5 transitions for our most popular resources. #### For more info * [Terraform Provider ↗](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs) * [Documentation on using Terraform with Cloudflare ↗](https://developers.cloudflare.com/terraform/) Oct 30, 2025 1. ### [Introducing email two-factor authentication](https://developers.cloudflare.com/changelog/post/2025-10-30-email-2fa/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) Two-factor authentication (2FA) is one of the best ways to protect your account from the risk of account takeover. Cloudflare has offered phishing resistant 2FA options including hardware based keys (for example, a Yubikey) and app based TOTP (time-based one-time password) options which use apps like Google or Microsoft's Authenticator app. Unfortunately, while these solutions are very secure, they can be lost if you misplace the hardware based key, or lose the phone which includes that app. The result is that users sometimes get locked out of their accounts and need to contact support. Today, we are announcing the addition of email as a 2FA factor for all Cloudflare accounts. Email 2FA is in wide use across the industry as a least common denominator for 2FA because it is low friction, loss resistant, and still improves security over username/password login only. We also know that most commercial email providers already require 2FA, so your email address is usually well protected already. You can now enable email 2FA on the Cloudflare dashboard: 1. Go to **Profile** at the top right corner. 2. Select **Authentication**. 3. Under **Two-Factor Authentication**, select **Set up**. #### Sign-in security best practices Cloudflare is critical infrastructure, and you should protect it as such. Review the following best practices and make sure you are doing your part to secure your account: * Use a unique password for every website, including Cloudflare, and store it in a password manager like 1Password or Keeper. These services are cross-platform and simplify the process of managing secure passwords. * Use 2FA to make it harder for an attacker to get into your account in the event your password is leaked. * Store your backup codes securely. A password manager is the best place since it keeps the backup codes encrypted, but you can also print them and put them somewhere safe in your home. * If you use an app to manage your 2FA keys, enable cloud backup, so that you don't lose your keys in the event you lose your phone. * If you use a custom email domain to sign in, [configure SSO](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/). * If you use a public email domain like Gmail or Hotmail, you can also use social login with Apple, GitHub, or Google to sign in. * If you manage a Cloudflare account for work: * Have at least two administrators in case one of them unexpectedly leaves your company. * Use SCIM to automate permissions management for members in your Cloudflare account. Oct 30, 2025 1. ### [Revamped Member Management UI](https://developers.cloudflare.com/changelog/post/2025-10-30-member-management-improvements/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) As Cloudflare's platform has grown, so has the need for precise, role-based access control. We’ve redesigned the Member Management experience in the Dashboard to help administrators more easily discover, assign, and refine permissions for specific principals. #### What's New **Refreshed member invite flow** We overhauled the Invite Members UI to simplify inviting users and assigning permissions. ![Updated Invite Flow UX](https://developers.cloudflare.com/_astro/2025-10-30-invite-experience.B7F3VQ_y_2q5f79.webp) **Refreshed Members Overview Page** We've updated the Members Overview Page to clearly display: * Member 2FA status * Which members hold Super Admin privileges * API access settings per member * Member onboarding state (accepted vs pending invite) ![Updated Member Management Overview](https://developers.cloudflare.com/_astro/2025-10-30-member-management-screen.BLc2lx98_2sRE7I.webp) **New Member Permission Policies Details View** We've created a new member details screen that shows all permission policies associated with a member; including policies inherited from group associations to make it easier for members to understand the effective permissions they have. ![Updated Permission Policies Details Screen](https://developers.cloudflare.com/_astro/2025-10-30-permission-policies-screen.pMj53si2_2jP7PX.webp) **Improved Member Permission Workflow** We redesigned the permission management experience to make it faster and easier for administrators to review roles and grant access. ![Updated Member Permission Management UX](https://developers.cloudflare.com/_astro/2025-10-30-permission-policies-screen.pMj53si2_2jP7PX.webp) **Account-scoped Policies Restrictions Relaxed** Previously, customers could only associate a single account-scoped policy with a member. We've relaxed this restriction, and now Administrators can now assign multiple account-scoped policies to the same member; bringing policy assignment behavior in-line with user-groups and providing greater flexibility in managing member permissions. Oct 16, 2025 1. ### [Increased HTTP header size limit to 128 KB](https://developers.cloudflare.com/changelog/post/2025-10-16-header-limit-increase/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) #### CDN now supports 128 KB request and response headers 🚀 We're excited to announce a significant increase in the maximum header size supported by Cloudflare's Content Delivery Network (CDN). Cloudflare now supports up to **128 KB** for both **request and response headers**. Previously, customers were limited to a total of 32 KB for request or response headers, with a maximum of 16 KB per individual header. Larger headers could cause requests to fail with `HTTP 413` (Request Header Fields Too Large) errors. --- #### What's new? * **Support for large headers:** You can now utilize much larger headers, whether as a single large header up to 128 KB or split over multiple headers. * **Reduces `413` and `520` HTTP errors:** This change drastically reduces the likelihood of customers encountering `HTTP 413` errors from large request headers or `HTTP 520` errors caused by oversized response headers, improving the overall reliability of your web applications. * **Enhanced functionality:** This is especially beneficial for applications that rely on: * A large number of cookies. * Large Content-Security-Policy (CSP) response headers. * Advanced use cases with Cloudflare Workers that generate large response headers. This enhancement improves compatibility with Cloudflare's CDN, enabling more use cases that previously failed due to header size limits. --- To learn more and get started, refer to the [Cloudflare Fundamentals documentation](https://developers.cloudflare.com/fundamentals/reference/connection-limits/#request-limits). Oct 14, 2025 1. ### [Single sign-on now manageable in the user experience](https://developers.cloudflare.com/changelog/post/2025-10-14-sso-self-service-ux/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) ![Screenshot of new user experience for managing SSO](https://developers.cloudflare.com/_astro/2025-10-14-sso-configuration-ux.DLkIKSax_Z3pbMD.webp) During Birthday Week, we announced that [single sign-on (SSO) is available for free ↗](https://blog.cloudflare.com/enterprise-grade-features-for-all/) to everyone who signs in with a custom email domain and maintains a compatible [identity provider ↗](https://developers.cloudflare.com/cloudflare-one/integrations/identity-providers/). SSO minimizes user friction around login and provides the strongest security posture available. At the time, this could only be configured using the API. Today, we are launching a new user experience which allows users to manage their SSO configuration from within the Cloudflare dashboard. You can access this by going to **Manage account** \> **Members** \> **Settings**. #### For more information * [Cloudflare dashboard SSO](https://developers.cloudflare.com/fundamentals/manage-members/dashboard-sso/) [Search all changelog entries](https://developers.cloudflare.com/search/?contentType=Changelog+entry)