Blog

A new GA release for the macOS WARP client is now available on the stable releases downloads page.

This release contains minor fixes, improvements, and new features, including the ability to manage WARP client connectivity for all devices in your fleet using an external signal.

Changes and improvements

• The Local Domain Fallback feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly.
• Proxy mode now supports transparent HTTP proxying in addition to CONNECT-based proxying.
• Added a new feature to manage WARP client connectivity for all devices using an external signal. This feature allows administrators to send a global signal from an on-premises HTTPS endpoint that force disconnects or reconnects all WARP clients in an account based on configuration set on the endpoint.

A new GA release for the Linux WARP client is now available on the stable releases downloads page.

This release contains minor fixes, improvements, and new features, including the ability to manage WARP client connectivity for all devices in your fleet using an external signal.

WARP client version 2025.8.779.0 introduced an updated public key for Linux packages. The public key must be updated if it was installed before September 12, 2025 to ensure the repository remains functional after December 4, 2025. Instructions to make this update are available at pkg.cloudflareclient.com.

Changes and improvements

• The Local Domain Fallback feature has been fixed for devices running WARP client version 2025.4.929.0 and newer. Previously, these devices could experience failures with Local Domain Fallback unless a fallback server was explicitly configured. This configuration is no longer a requirement for the feature to function correctly.
• Linux disk encryption posture check now supports non-filesystem encryption types like dm-crypt.
• Proxy mode now supports transparent HTTP proxying in addition to CONNECT-based proxying.
• Fixed an issue where the GUI becomes unresponsive when the Re-Authenticate in browser button is clicked.
• Added a new feature to manage WARP client connectivity for all devices using an external signal. This feature allows administrators to send a global signal from an on-premises HTTPS endpoint that force disconnects or reconnects all WARP clients in an account based on configuration set on the endpoint.

Wrangler now supports a --check flag for the wrangler types command. This flag validates that your generated types are up to date without writing any changes to disk.

This is useful in CI/CD pipelines where you want to ensure that developers have regenerated their types after making changes to their Wrangler configuration. If the types are out of date, the command will exit with a non-zero status code.

npx wrangler types --check

If your types are up to date, the command will succeed silently. If they are out of date, you’ll see an error message indicating which files need to be regenerated.

For more information, see the Wrangler types documentation.

This week’s release focuses on improvements to existing detections to enhance coverage.

Key Findings

• Existing rule enhancements have been deployed to improve detection resilience against SQL Injection.

We are excited to announce that Cloudflare Threat Events now supports the STIX2 (Structured Threat Information Expression) format. This was a highly requested feature designed to streamline how security teams consume and act upon our threat intelligence.

By adopting this industry-standard format, you can now integrate Cloudflare’s threat events data more effectively into your existing security ecosystem.

Key benefits

• Eliminate the need for custom parsers, as STIX2 allows for “out of the box” ingestion into major Threat Intel Platforms (TIPs), SIEMs, and SOAR tools.

• STIX2 provides a standardized way to represent relationships between indicators, sightings, and threat actors, giving your analysts a clearer picture of the threat landscape.

For technical details on how to query events using this format, please refer to our Threat Events API Documentation.

The ip.src.metro_code field in the Ruleset Engine is now populated with DMA (Designated Market Area) data.

You can use this field to build rules that target traffic based on geographic market areas, enabling more granular location-based policies for your applications.

Field details

Example filter expression:

ip.src.metro_code eq "501"

For more information, refer to the Fields reference.

This week’s release focuses on improvements to existing detections to enhance coverage.

Key Findings

• Existing rule enhancements have been deployed to improve detection resilience against SQL Injection.

We are excited to announce that Cloudflare Threat Events now supports the STIX2 (Structured Threat Information Expression) format. This was a highly requested feature designed to streamline how security teams consume and act upon our threat intelligence.

By adopting this industry-standard format, you can now integrate Cloudflare’s threat events data more effectively into your existing security ecosystem.

Key benefits

• Eliminate the need for custom parsers, as STIX2 allows for “out of the box” ingestion into major Threat Intel Platforms (TIPs), SIEMs, and SOAR tools.

• STIX2 provides a standardized way to represent relationships between indicators, sightings, and threat actors, giving your analysts a clearer picture of the threat landscape.

For technical details on how to query events using this format, please refer to our Threat Events API Documentation.

You can now receive notifications when your Workers’ builds start, succeed, fail, or get cancelled using Event Subscriptions.

Workers Builds publishes events to a Queue that your Worker can read messages from, and then send notifications wherever you need — Slack, Discord, email, or any webhook endpoint.

You can deploy this Worker to your own Cloudflare account to send build notifications to Slack:

The template includes:

• Build status with Preview/Live URLs for successful deployments
• Inline error messages for failed builds
• Branch, commit hash, and author name

For setup instructions, refer to the template README or the Event Subscriptions documentation.

You can now receive notifications when your Workers’ builds start, succeed, fail, or get cancelled using Event Subscriptions.

Workers Builds publishes events to a Queue that your Worker can read messages from, and then send notifications wherever you need — Slack, Discord, email, or any webhook endpoint.

You can deploy this Worker to your own Cloudflare account to send build notifications to Slack:

The template includes:

• Build status with Preview/Live URLs for successful deployments
• Inline error messages for failed builds
• Branch, commit hash, and author name

For setup instructions, refer to the template README or the Event Subscriptions documentation.