Test Internal site

Blog

  • AI Gateway – Automatically retry on upstream provider failures on AI Gateway

    AI Gateway now supports automatic retries at the gateway level. When an upstream provider returns an error, your gateway retries the request based on the retry policy you configure, without requiring any client-side changes.

    You can configure the retry count (up to 5 attempts), the delay between retries (from 100ms to 5 seconds), and the backoff strategy (Constant, Linear, or Exponential). These defaults apply to all requests through the gateway, and per-request headers can override them.

    Retry Requests settings in the AI Gateway dashboard

    This is particularly useful when you do not control the client making the request and cannot implement retry logic on the caller side. For more complex failover scenarios — such as failing across different providers — use Dynamic Routing.

    For more information, refer to Manage gateways.

  • AI Gateway – Automatically retry on upstream provider failures on AI Gateway

    AI Gateway now supports automatic retries at the gateway level. When an upstream provider returns an error, your gateway retries the request based on the retry policy you configure, without requiring any client-side changes.

    You can configure the retry count (up to 5 attempts), the delay between retries (from 100ms to 5 seconds), and the backoff strategy (Constant, Linear, or Exponential). These defaults apply to all requests through the gateway, and per-request headers can override them.

    Retry Requests settings in the AI Gateway dashboard

    This is particularly useful when you do not control the client making the request and cannot implement retry logic on the caller side. For more complex failover scenarios — such as failing across different providers — use Dynamic Routing.

    For more information, refer to Manage gateways.

  • AI Gateway – Automatically retry on upstream provider failures on AI Gateway

    AI Gateway now supports automatic retries at the gateway level. When an upstream provider returns an error, your gateway retries the request based on the retry policy you configure, without requiring any client-side changes.

    You can configure the retry count (up to 5 attempts), the delay between retries (from 100ms to 5 seconds), and the backoff strategy (Constant, Linear, or Exponential). These defaults apply to all requests through the gateway, and per-request headers can override them.

    Retry Requests settings in the AI Gateway dashboard

    This is particularly useful when you do not control the client making the request and cannot implement retry logic on the caller side. For more complex failover scenarios — such as failing across different providers — use Dynamic Routing.

    For more information, refer to Manage gateways.

  • Workflows, Workers – All Wrangler commands for Workflows now support local development

    All wrangler workflows commands now accept a --local flag to target a Workflow running in a local wrangler dev session instead of the production API.

    You can now manage the full Workflow lifecycle locally, including triggering Workflows, listing instances, pausing, resuming, restarting, terminating, and sending events:

    npx wrangler workflows list --local
    npx wrangler workflows trigger my-workflow --local
    npx wrangler workflows instances list my-workflow --local
    npx wrangler workflows instances pause my-workflow <INSTANCE_ID> --local
    npx wrangler workflows instances send-event my-workflow <INSTANCE_ID> --type my-event --local

    All commands also accept --port to target a specific wrangler dev session (defaults to 8787).

    For more information, refer to Workflows local development.

  • Radar – Routing Section Expansion on Cloudflare Radar

    Radar now features an expanded Routing section with dedicated sub-pages, providing a more organized and in-depth view of the global routing ecosystem. This restructuring lays the groundwork for additional routing features and widgets coming in the near future.

    Dedicated sub-pages

    The single Routing page has been split into three focused sub-pages:

    • Overview — Routing statistics, IP address space trends, BGP announcements, and the new Top 100 ASes ranking.
    • RPKI — RPKI validation status, ASPA deployment trends, and per-ASN ASPA provider details.
    • Anomalies — BGP route leaks, origin hijacks, and Multi-Origin AS (MOAS) conflicts.

    Screenshot of the routing section menu

    New widgets

    The routing overview now includes a Top 100 ASes table ranking autonomous systems by customer cone size, IPv4 address space, or IPv6 address space. Users can switch between rankings using a segmented control.

    Screenshot of the top-100 ASes table

    The RPKI sub-page introduces a RPKI validation view for per-ASN pages, showing prefixes grouped by RPKI validation status (Valid, Invalid, Unknown) with visibility scores.

    Screenshot of the RPKI validation view

    Improved IP address space chart

    The IP address space chart now displays both IPv4 and IPv6 trends stacked vertically and is available on global, country, and AS views.

    Screenshot of the IPv4 and IPv6 combined IP space chart

    Check out the Radar routing section to explore the data, and stay tuned for more routing insights coming soon.

  • AI Search – Create, manage, search AI Search instances with Wrangler CLI

    AI Search supports a wrangler ai-search command namespace. Use it to manage instances from the command line.

    The following commands are available:

    Command Description
    wrangler ai-search create Create a new instance with an interactive wizard
    wrangler ai-search list List all instances in your account
    wrangler ai-search get Get details of a specific instance
    wrangler ai-search update Update the configuration of an instance
    wrangler ai-search delete Delete an instance
    wrangler ai-search search Run a search query against an instance
    wrangler ai-search stats Get usage statistics for an instance

    The create command guides you through setup, choosing a name, source type (r2 or web), and data source. You can also pass all options as flags for non-interactive use:

    wrangler ai-search create my-instance --type r2 --source my-bucket

    Use wrangler ai-search search to query an instance directly from the CLI:

    wrangler ai-search search my-instance --query "how do I configure caching?"

    All commands support --json for structured output that scripts and AI agents can parse directly.

    For full usage details, refer to the Wrangler commands documentation.

  • DNS – Internal DNS – now in open beta

    Internal DNS is now in open beta.

    Who can use it?

    Internal DNS is bundled as a part of Cloudflare Gateway and is now available to every Enterprise customer with one of the following subscriptions:

    • Cloudflare Zero Trust Enterprise
    • Cloudflare Gateway Enterprise

    To learn more and get started, refer to the Internal DNS documentation.

  • WAF – WAF Release – 2026-03-30

    This week’s release introduces new detections for a critical authentication bypass vulnerability in Fortinet products (CVE-2025-59718), alongside three new generic detection rules designed to identify and block HTTP Parameter Pollution attempts. Additionally, this release includes targeted protection for a high-impact unrestricted file upload vulnerability in Magento and Adobe Commerce.

    Key Findings

    • CVE-2025-59718: An improper cryptographic signature verification vulnerability in Fortinet FortiOS, FortiProxy, and FortiSwitchManager. This may allow an unauthenticated attacker to bypass the FortiCloud SSO login authentication using a maliciously crafted SAML message, if that feature is enabled on the device.

    • Magento 2 – Unrestricted File Upload: A critical flaw in Magento and Adobe Commerce allows unauthenticated attackers to bypass security checks and upload malicious files to the server, potentially leading to Remote Code Execution (RCE).

    Impact

    Successful exploitation of the Fortinet and Magento vulnerabilities could allow unauthenticated attackers to gain administrative control or deploy webshells, leading to complete server compromise and data theft.

    Ruleset Rule ID Legacy Rule ID Description Previous Action New Action Comments
    Cloudflare Managed Ruleset 4f7d513cea424c2a853881982f7f95e9 N/A Generic Rules – Parameter Pollution – Body Log Disabled This is a new detection.
    Cloudflare Managed Ruleset 60d023f3be414d379428add3319731a4 N/A Generic Rules – Parameter Pollution – Header – Form Log Disabled This is a new detection.
    Cloudflare Managed Ruleset 2dde02d792ad41ec8fd65c2bdef262dd N/A Generic Rules – Parameter Pollution – URI Log Disabled This is a new detection.
    Cloudflare Managed Ruleset ab8a96ed13034d56a81a79e570a36147 N/A Magento 2 – Unrestricted file upload Log Block This is a new detection.
    Cloudflare Managed Ruleset 0a13a38dd81c44688950444e2ffcca9f N/A Fortinet FortiCloud SSO – Authentication Bypass – CVE:CVE-2025-59718 Log Block This is a new detection.

  • Workers – New RFC 9440 mTLS certificate fields in Workers

    Four new fields are now available on request.cf.tlsClientAuth in Workers for requests that include a mutual TLS (mTLS) client certificate. These fields encode the client certificate and its intermediate chain in RFC 9440 format — the same standard format used by the Client-Cert and Client-Cert-Chain HTTP headers — so your Worker can forward them directly to your origin without any custom parsing or encoding logic.

    New fields

    Field Type Description
    certRFC9440 String The client leaf certificate in RFC 9440 format (:base64-DER:). Empty if no client certificate was presented.
    certRFC9440TooLarge Boolean true if the leaf certificate exceeded 10 KB and was omitted from certRFC9440.
    certChainRFC9440 String The intermediate certificate chain in RFC 9440 format as a comma-separated list. Empty if no intermediates were sent or if the chain exceeded 16 KB.
    certChainRFC9440TooLarge Boolean true if the intermediate chain exceeded 16 KB and was omitted from certChainRFC9440.

    Example: forwarding client certificate headers to your origin

    export default {
      async fetch(request) {
        const tls = request.cf.tlsClientAuth;
    

        // Only forward if cert was verified and chain is complete
        if (!tls || !tls.certVerified || tls.certRevoked || tls.certChainRFC9440TooLarge) {
          return new Response("Unauthorized", { status: 401 });
        }
    

        const headers = new Headers(request.headers);
        headers.set("Client-Cert", tls.certRFC9440);
        headers.set("Client-Cert-Chain", tls.certChainRFC9440);
    

        return fetch(new Request(request, { headers }));
      },
    };

    For more information, refer to Client certificate variables and Mutual TLS authentication.

  • Containers – Easily connect Containers and Sandboxes to Workers

    Containers and Sandboxes now support connecting directly to Workers over HTTP. This allows you to call Workers
    functions and bindings, like KV or R2, from within the container at specific hostnames.

    Run Worker code

    Define an outbound handler to capture any HTTP request or use outboundByHost to capture requests to individual hostnames and IPs.

    export class MyApp extends Sandbox {}
    

    MyApp.outbound = async (request, env, ctx) => {
      // you can run arbitrary functions defined in your Worker on any HTTP request
      return await someWorkersFunction(request.body);
    };
    

    MyApp.outboundByHost = {
      "my.worker": async (request, env, ctx) => {
        return await anotherFunction(request.body);
      },
    };

    In this example, requests from the container to http://my.worker will run the function defined within outboundByHost,
    and any other HTTP requests will run the outbound handler. These handlers run entirely inside the Workers runtime,
    outside of the container sandbox.

    Access Workers bindings

    Each handler has access to env, so it can call any binding set in Wrangler config.
    Code inside the container makes a standard HTTP request to that hostname and the outbound Worker translates it into a binding call.

    export class MyApp extends Sandbox {}
    

    MyApp.outboundByHost = {
      "my.kv": async (request, env, ctx) => {
        const key = new URL(request.url).pathname.slice(1);
        const value = await env.KV.get(key);
        return new Response(value ?? "", { status: value ? 200 : 404 });
      },
      "my.r2": async (request, env, ctx) => {
        const key = new URL(request.url).pathname.slice(1);
        const object = await env.BUCKET.get(key);
        return new Response(object?.body ?? "", { status: object ? 200 : 404 });
      },
    };

    Now, from inside the container sandbox, curl http://my.kv/some-key will access Workers KV and curl http://my.r2/some-object will access R2.

    Access Durable Object state

    Use ctx.containerId to reference the container’s automatically provisioned Durable Object.

    export class MyContainer extends Container {}
    

    MyContainer.outboundByHost = {
      "get-state.do": async (request, env, ctx) => {
        const id = env.MY_CONTAINER.idFromString(ctx.containerId);
        const stub = env.MY_CONTAINER.get(id);
        return stub.getStateForKey(request.body);
      },
    };

    This provides an easy way to associate state with any container instance, and includes a built-in SQLite database.

    Get Started Today

    Upgrade to @cloudflare/containers version 0.2.0 or later, or @cloudflare/sandbox version 0.8.0 or later to use outbound Workers.

    Refer to Containers outbound traffic and Sandboxes outbound traffic for more details and examples.