--- title: Changelogs image: https://developers.cloudflare.com/cf-twitter-card.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/changelog/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # Changelog New updates and improvements at Cloudflare. [ Subscribe to RSS ](https://developers.cloudflare.com/changelog/rss/index.xml) [ View RSS feeds ](https://developers.cloudflare.com/fundamentals/new-features/available-rss-feeds/) All products ![hero image](https://developers.cloudflare.com/_astro/hero.CVYJHPAd_26AMqX.svg) May 01, 2026 1. ### [Run Workflows inside Dynamic Workers with the @cloudflare/dynamic-workflows library](https://developers.cloudflare.com/changelog/post/2026-05-01-dynamic-workflows/) [ Workflows ](https://developers.cloudflare.com/workflows/)[ Workers ](https://developers.cloudflare.com/workers/) You can now use [@cloudflare/dynamic-workflows ↗](https://github.com/cloudflare/dynamic-workflows) to run a [Workflow](https://developers.cloudflare.com/workflows/) inside a [Dynamic Worker](https://developers.cloudflare.com/dynamic-workers/), ensuring durable execution for code that is loaded at runtime. The Worker Loader loads Dynamic Workers on demand, which previously made durability challenging. Even within a Dynamic Worker, a Workflow might sleep for hours or days between steps, and by the time it resumes, the original Dynamic Worker code would no longer be in memory. The library solves this by tagging each Workflow instance with metadata that identifies which Dynamic Worker to load — for example, a tenant ID — then reloading the matching Dynamic Worker through the Worker Loader whenever a Workflow awakens. Because Dynamic Workers are created on-demand, you do not have to register each Workflow up front or manage them individually. Load the Workflow code in the Dynamic Worker when it is needed, and the Workflows engine handles persistence and retries behind the scenes. Your Workflow code itself is unaffected by the routing and behaves as normal. This unlocks patterns where the Workflow code itself is dynamic. For example, this is useful with: * **SaaS platforms** where each tenant defines their own automation, such as onboarding sequences, approval chains, or billing retry logic. * **AI agent frameworks** where agents generate and execute multi-step plans at runtime, surviving restarts and waiting for human approval between tool calls. * **Multi-tenant job systems** where each customer submits their own processing logic and every step persists progress and retries on failure. TypeScript ``` import { createDynamicWorkflowEntrypoint, DynamicWorkflowBinding, wrapWorkflowBinding, type WorkflowRunner, } from "@cloudflare/dynamic-workflows"; export { DynamicWorkflowBinding }; interface Env { WORKFLOWS: Workflow; LOADER: WorkerLoader; } function loadTenant(env: Env, tenantId: string) { return env.LOADER.get(tenantId, async () => ({ compatibilityDate: "2026-01-01", mainModule: "index.js", modules: { "index.js": await fetchTenantCode(tenantId) }, // The Dynamic Worker uses this exactly like a real Workflow binding; // every create() is tagged with { tenantId } automatically. env: { WORKFLOWS: wrapWorkflowBinding({ tenantId }) }, })); } // The entrypoint name must match `class_name` in the workflows binding of your Wrangler config file. export const DynamicWorkflow = createDynamicWorkflowEntrypoint( async ({ env, metadata }) => { const stub = loadTenant(env, metadata.tenantId as string); return stub.getEntrypoint("TenantWorkflow") as unknown as WorkflowRunner; }, ); export default { fetch(request: Request, env: Env) { const tenantId = request.headers.get("x-tenant-id")!; return loadTenant(env, tenantId).getEntrypoint().fetch(request); }, }; ``` For a full walkthrough, refer to the [Dynamic Workflows guide](https://developers.cloudflare.com/dynamic-workers/usage/dynamic-workflows/). Apr 30, 2026 1. ### [Post-quantum IPsec interoperability with third-party devices](https://developers.cloudflare.com/changelog/post/2026-04-30-ipsec-post-quantum-third-party/) [ Cloudflare One ](https://developers.cloudflare.com/cloudflare-one/)[ Cloudflare WAN ](https://developers.cloudflare.com/cloudflare-wan/) Cloudflare IPsec now supports post-quantum key agreement with compatible third-party devices. [Cisco ↗](https://www.cisco.com/) and [Fortinet ↗](https://www.fortinet.com/) are the first third-party vendors validated to interoperate with Cloudflare IPsec using ML-KEM (Module-Lattice-Based Key-Encapsulation Mechanism). Post-quantum IPsec uses [RFC 9370 ↗](https://datatracker.ietf.org/doc/rfc9370/) and [draft-ietf-ipsecme-ikev2-mlkem ↗](https://datatracker.ietf.org/doc/draft-ietf-ipsecme-ikev2-mlkem/) to negotiate hybrid key agreement during the IKEv2 `IKE_INTERMEDIATE` phase. This combines classical Diffie-Hellman (Group 20) with ML-KEM-768 or ML-KEM-1024 to protect against [harvest-now, decrypt-later ↗](https://en.wikipedia.org/wiki/Harvest%5Fnow,%5Fdecrypt%5Flater) attacks. Key details: * Compatible with Cisco 8000 Series Secure Routers with IOS XR Release 26.1.1 and Fortinet FortiOS 7.6.6 and later. * Uses ML-KEM-768 or ML-KEM-1024 as an additional Key Exchange to DH Group 20. * Follows RFC 9370 and draft-ietf-ipsecme-ikev2-mlkem standards. * No additional licensing required. Post-quantum IPsec with third-party devices is now generally available with confirmed interoperability for the platforms listed above. Cloudflare intends to support interoperability with more vendors as they build out support for draft-ietf-ipsecme-ikev2-mlkem. Contact your account team to discuss support for additional vendors. For supported key exchange methods and the list of validated platforms, refer to [GRE and IPsec tunnels](https://developers.cloudflare.com/cloudflare-wan/reference/gre-ipsec-tunnels/#tested-third-party-vendor-interoperability). Apr 30, 2026 1. ### [Classify sensitive content with Data Classification](https://developers.cloudflare.com/changelog/post/2026-04-30-data-classification/) [ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) Cloudflare DLP now includes **Data Classification**, which lets administrators organize and label sensitive content using labels, templates, and reusable data classes. With Data Classification, administrators can define labels such as sensitivity schemas and levels, and data tag groups and tags. Administrators can also build from Cloudflare-managed templates and create reusable data classes that combine detection entries, other data classes, sensitivity levels, and data tags. You can then use those classifications in custom DLP profiles to identify the severity of sensitive content, understand where it exists, and apply that logic consistently across DLP profiles. For more information, refer to [Data Classification](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/data-classification/). Apr 30, 2026 1. ### [New predefined detection entries are available](https://developers.cloudflare.com/changelog/post/2026-04-30-standalone-predefined-detection-entries/) [ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) Cloudflare DLP now includes new predefined detection entries. The expanded catalog includes detections for specific credential types, webhooks, addresses, tax identifiers, national IDs, financial data, and crypto wallets. Examples include `GitHub PAT`, `OpenAI API Key`, `Slack Webhook`, `Discord Webhook`, `US Physical Address`, and `Bitcoin Wallet`. For the full list, refer to [Predefined detection entries](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/predefined-detection-entries/). Apr 30, 2026 1. ### [Empty buckets and delete folders from the R2 dashboard](https://developers.cloudflare.com/changelog/post/2026-04-30-r2-empty-bucket-folder-delete/) [ R2 ](https://developers.cloudflare.com/r2/) You can now empty an entire [R2](https://developers.cloudflare.com/r2/) bucket or delete folders directly from the dashboard. Emptying a bucket is required before you can delete it. Previously, this required scripting or configuring [lifecycle rules](https://developers.cloudflare.com/r2/buckets/object-lifecycles/). Now, the dashboard can handle it in a single action. #### Empty a bucket Go to your bucket's **Settings** tab and select **Empty** under the **Empty Bucket** section. This deletes all objects in the bucket while preserving the bucket and its configuration. For large buckets, the operation runs in the background and the dashboard displays progress. Emptying a bucket is also a prerequisite for deleting it. The dashboard now guides you through both steps in one place. ![Empty Bucket and Delete Bucket sections in the R2 dashboard Settings tab](https://developers.cloudflare.com/_astro/empty-bucket-changelog.DjuMZppm_11Omax.webp) #### Delete folders R2 uses a flat object structure. The dashboard groups objects that share a common prefix into folders when the **View prefixes as directories** checkbox is selected. Deleting a folder removes every object under that prefix. From the **Objects** tab, you can select one or more folders and delete them alongside individual objects. For step-by-step instructions, refer to [Delete buckets](https://developers.cloudflare.com/r2/buckets/delete-buckets/) and [Delete objects](https://developers.cloudflare.com/r2/objects/delete-objects/). Apr 30, 2026 1. ### [Cloud Observatory connection metrics improvements](https://developers.cloudflare.com/changelog/post/2026-04-30-radar-cloud-observatory-connection-metrics/) [ Radar ](https://developers.cloudflare.com/radar/) The [Cloud Observatory ↗](https://radar.cloudflare.com/cloud-observatory) on [**Radar**](https://developers.cloudflare.com/radar/) now provides improved connection metric insights, offering new ways to explore TCP round-trip time, TCP handshake duration, TLS handshake duration, and response header receive duration across cloud provider origin servers. The [Cloud Observatory overview ↗](https://radar.cloudflare.com/cloud-observatory#connection-metrics) now shows connection metrics broken down by cloud provider, making it easy to compare connection performance across Amazon Web Services, Google Cloud, Microsoft Azure, and Oracle Cloud. ![Screenshot of Cloud Observatory connection metrics broken down by cloud provider](https://developers.cloudflare.com/_astro/cloud-observatory-connection-metrics-by-provider.Bk9nSitV_ZDoxOq.webp) Each [provider page ↗](https://radar.cloudflare.com/cloud-observatory/amazon#connection-metrics) now shows connection metrics for the top five regions, with a selector to rank by lowest or highest values. ![Screenshot of Cloud Observatory connection metrics broken down by region for a provider](https://developers.cloudflare.com/_astro/cloud-observatory-connection-metrics-by-region.CbHAKXoc_Z1uDr6d.webp) Each [region page ↗](https://radar.cloudflare.com/cloud-observatory/amazon/us-east-1#connection-metrics) now displays connection metrics as percentile distributions (25th percentile, median, and 75th percentile), providing insight into the range and variability of connection times. ![Screenshot of Cloud Observatory connection metrics with percentile distribution for a region](https://developers.cloudflare.com/_astro/cloud-observatory-connection-metrics-percentiles.DJ9eAE0-_28jUar.webp) These views are also available through the [Origins API](https://developers.cloudflare.com/api/resources/radar/subresources/origins/), using the `timeseries_groups` endpoint with the `ORIGIN`, `REGION`, or `PERCENTILE` dimension. Apr 30, 2026 1. ### [Dark mode support on Cloudflare Radar](https://developers.cloudflare.com/changelog/post/2026-04-30-radar-dark-mode/) [ Radar ](https://developers.cloudflare.com/radar/) [**Radar**](https://developers.cloudflare.com/radar/) now supports **dark mode**. A theme selector in the upper right corner of the page lets users explicitly choose between three display options: * **Light** — standard light theme * **Dark** — full dark theme * **System** — follows the operating system preference ![Screenshot of the theme selector showing Light, Dark, and System options](https://developers.cloudflare.com/_astro/dark-mode-theme-selector.D5ih8e4q_2p6pP4.webp) The selected theme applies consistently across all Radar pages and widgets. ![Screenshot of the Cloudflare Radar overview page in dark mode](https://developers.cloudflare.com/_astro/dark-mode-overview.D-39RJlY_Z18x0mf.webp) The theme choice also applies to shared and embedded graphs. Try it out at [Cloudflare Radar ↗](https://radar.cloudflare.com). Apr 30, 2026 1. ### [Shared dictionaries passthrough now in open beta](https://developers.cloudflare.com/changelog/post/2026-04-30-shared-dictionaries-passthrough-beta/) [ Speed ](https://developers.cloudflare.com/speed/) [Shared dictionaries](https://developers.cloudflare.com/speed/optimization/content/shared-dictionaries/) ([RFC 9842 ↗](https://www.rfc-editor.org/rfc/rfc9842.html)) let an origin compress a response against a previous version of the same resource that the browser already has cached, so only the difference between versions travels over the wire. Shared dictionaries passthrough is now in open beta on all plans. #### What changed In passthrough mode, Cloudflare: * Forwards the `Use-As-Dictionary` and `Available-Dictionary` headers between client and origin without modification. * Treats `dcb` (Dictionary-Compressed Brotli) and `dcz` (Dictionary-Compressed Zstandard) as valid `Content-Encoding` values end to end, without recompressing them. * Extends the cache key to vary on `Available-Dictionary` and `Accept-Encoding` so each delta-compressed variant is cached correctly. Your origin manages the dictionary lifecycle: deciding which assets are dictionaries, attaching `Use-As-Dictionary` headers, and producing deltas in response to `Available-Dictionary` requests. Cloudflare handles the transport and the cache. In internal testing on a 272 KB JavaScript bundle, the asset shrinks from 92.1 KB with Gzip to 2.6 KB with delta Zstandard against the previous version — a 97% reduction over standard compression — with download times improving by 81–89% versus Gzip. Shared dictionaries work with browsers that advertise `dcb` or `dcz` in `Accept-Encoding`. Today, this includes Chrome 130 or later and Edge 130 or later. #### Get started Turn on passthrough for your zone with a single API call: Terminal window ``` curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/settings/shared_dictionary_mode" \ --request PATCH \ --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \ --json '{ "value": "passthrough" }' ``` You can also turn it on under **Speed** \> **Settings** \> **Content Optimization** in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/?to=/:account/:zone/speed/optimization). For full origin setup instructions and a working test recipe, refer to [Shared dictionaries](https://developers.cloudflare.com/speed/optimization/content/shared-dictionaries/), or try the live demo at [canicompress.com ↗](https://canicompress.com/). Apr 30, 2026 1. ### [WAF Release - 2026-04-30 - Emergency](https://developers.cloudflare.com/changelog/post/2026-04-30-emergency-waf-release/) [ WAF ](https://developers.cloudflare.com/waf/) This emergency release introduces a new rule to block a cPanel & WHM Authentication Bypass related to CVE-2026-41940. **Key Findings** * CVE-2026-41940: A critical authentication bypass vulnerability in cPanel & WHM allows unauthenticated remote attackers to bypass authentication mechanisms and gain unauthorized administrative access to the web hosting control panel. This vulnerability affects the session validation logic, enabling attackers to craft malicious requests that circumvent normal authentication checks. **Impact** Successful exploitation allows unauthenticated attackers to gain administrative control over affected cPanel & WHM installations. This leads to complete server compromise, potential theft or manipulation of hosted data, and significant service disruption across managed environments. We strongly recommend applying official vendor patches for cPanel & WHM immediately to address the underlying vulnerability. | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments | | -------------------------- | ----------- | -------------- | ----------------------------------------- | --------------- | ---------- | ------------------------ | | Cloudflare Managed Ruleset | ...eb2b9e2f | N/A | cPanel - Auth Bypass - CVE:CVE-2026-41940 | N/A | Block | This is a new detection. | Apr 30, 2026 1. ### [Web Analytics adds Navigation Type filtering and reporting](https://developers.cloudflare.com/changelog/post/2026-04-30-rum-navigation-types/) [ Cloudflare Web Analytics ](https://developers.cloudflare.com/web-analytics/) Cloudflare Web Analytics now supports **Navigation Type** reporting and filtering. This update allows developers and performance analysts to see how users are navigating between pages — whether through a link click or form submission, a page reload, or using the browser's back/forward buttons — and whether a browser cache hit occurred for these behaviors. Understanding navigation types is critical for optimizing user experience. For example, if a high volume of your traffic consists of "Back-forward" navigations versus "Back-forward Cache", those visitors are not benefiting from the Back/Forward Cache (bfcache) and therefore are experiencing higher load times due to potentially unnecessary network requests. The same applies for regular "Navigate" entries — where "Navigate Cache", "Navigate Prefetch Cache" and "Prerender" would provide instant document retrieval — and "Reload", where "Reload cache" would be more optimal. A high volume of "Reload" entries can also indicate a potential stability problem with your website. By identifying these patterns, you can tune your browser caching strategies to ensure HTML documents are served instantaneously from local caches rather than requiring a roundtrip to the network. For more information, refer to [Navigation Types](https://developers.cloudflare.com/web-analytics/data-metrics/dimensions/#navigation-types). #### Key benefits * **Monitor Cache Effectiveness:** See how often your site is served from the HTTP cache or bfcache. * **Identify Performance Bottlenecks:** Filter by the different types to understand performance opportunity of improving browser cache hit ratio. #### Analyze navigation types in the Cloudflare dashboard You can now find the **Navigation Type** dimension in the Web Analytics dashboard. You can filter to include/exclude one or more specific types using "equals", "does not equal", "in", or "not in" matchers. ![Navigation Type filter](https://developers.cloudflare.com/_astro/dash-web_analytics-navigation-type-filter.Cculflhp_Xm5Gz.webp) To check the list of popular navigation types, select **Page views** on the Web Analytics sidebar and scroll down to the bottom: ![Navigation Types list in Page Views tab](https://developers.cloudflare.com/_astro/dash-web_analytics-navigation-types-list.CWaiEQzO_Z1jlU23.webp) Apr 29, 2026 1. ### [Digital experience tests to authenticated resources and enhanced configuration](https://developers.cloudflare.com/changelog/post/2026-04-29-dex-tests-to-auth/) [ Digital Experience Monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/) [Digital experience tests](https://developers.cloudflare.com/cloudflare-one/insights/dex/tests/) now support testing applications protected by Cloudflare Access or third-party authentication. All authentication secrets are managed via [Cloudflare Secret Store](https://developers.cloudflare.com/secrets-store/). Digital experience tests also have enhanced configuration options including: * New HTTP methods (DELETE, PATCH, POST, PUT) * Secret Store headers, custom plain text headers, and custom request bodies * Advanced settings: follow redirects, response bodies, response headers, and allow untrusted certificates ![Digital experience test configuration for Cloudflare Access applications](https://developers.cloudflare.com/_astro/dex_test_auth_config.CD3G3zb__o7m7g.webp)![Digital experience enhanced test configuration](https://developers.cloudflare.com/_astro/dex_test_enhanced_config.Nsv7Vcob_ppxh5.webp) Apr 29, 2026 1. ### [Gateway Authorization Proxy and hosted PAC files are now generally available](https://developers.cloudflare.com/changelog/post/2026-04-29-gateway-authorization-proxy-pac-files-ga/) [ Gateway ](https://developers.cloudflare.com/cloudflare-one/traffic-policies/) The [Gateway Authorization Proxy](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#authorization-endpoint) and [hosted PAC files](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#create-a-hosted-pac-file) are now generally available for all plan types. Authorization proxy endpoints add an identity-aware option alongside the existing [source IP proxy endpoints](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/#source-ip-endpoint), using [Cloudflare Access](https://developers.cloudflare.com/cloudflare-one/access-controls/policies/) authentication to verify who a user is before applying Gateway filtering — without installing the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/). Cloudflare-hosted PAC files let you create and distribute PAC files directly from Cloudflare One on Cloudflare's global network. These features are ideal for environments where deploying a device client is not an option, such as virtual desktops (VDI) or compliance-restricted endpoints. To get started, refer to the [proxy endpoints documentation](https://developers.cloudflare.com/cloudflare-one/networks/resolvers-and-proxies/proxy-endpoints/). Apr 29, 2026 1. ### [Hyperdrive support for private databases with Workers VPC](https://developers.cloudflare.com/changelog/post/2026-04-29-hyperdrive-vpc-private-databases/) [ Hyperdrive ](https://developers.cloudflare.com/hyperdrive/) You can now connect Hyperdrive to a private database through a [Workers VPC service](https://developers.cloudflare.com/workers-vpc/). This is the recommended way to connect Hyperdrive to a private database that is not exposed to the public Internet. When creating a Hyperdrive configuration in the Cloudflare dashboard, choose **Connect to private database** and then **Workers VPC**. From there, you can select an existing VPC service or create a new one inline by picking a Cloudflare Tunnel and entering your origin host and TCP port. You can also create a Hyperdrive configuration backed by a Workers VPC service from the command line: Terminal window ``` npx wrangler hyperdrive create my-vpc-database \ --service-id \ --database \ --user \ --password \ --scheme postgresql ``` Workers VPC services are reusable across Hyperdrive configurations and can also be bound directly to Workers, so you can share the same private connection across multiple products. To get started, refer to [Connect Hyperdrive to a private database using Workers VPC](https://developers.cloudflare.com/hyperdrive/configuration/connect-to-private-database-vpc/). Apr 28, 2026 1. ### [Internet outage notifications for devices](https://developers.cloudflare.com/changelog/post/2026-04-28-dex-internet-outage-notification/) [ Digital Experience Monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/) [Digital Experience](https://developers.cloudflare.com/cloudflare-one/insights/dex/) will display a dashboard notification when an Internet outage or traffic anomaly may impact a [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) device based on its geographic location or network connection. This Internet outage and traffic anomaly data is pulled from [Cloudflare Radar ↗](https://radar.cloudflare.com/). All Internet outage and traffic anomaly observations can be viewed in the [Radar Outage Center ↗](https://radar.cloudflare.com/outage-center). ![Digital Experience Monitoring dashboard notification for Internet outage impacting Cloudflare One Client devices](https://developers.cloudflare.com/_astro/dex_radar_ux_notification.CpdrUVYA_ZSzgIe.webp)![Digital Experience Monitoring dashboard analytics for Internet outage impacting Cloudflare One Client devices](https://developers.cloudflare.com/_astro/dex_radar_analytics.GaPxWM6C_2jLyzS.webp) Apr 28, 2026 1. ### [Cloudflare One Client speed tests](https://developers.cloudflare.com/changelog/post/2026-04-28-dex-speed-test/) [ Digital Experience Monitoring ](https://developers.cloudflare.com/cloudflare-one/insights/dex/) IT teams can now remotely run speed tests from the [Cloudflare One Client](https://developers.cloudflare.com/cloudflare-one/team-and-resources/devices/cloudflare-one-client/) to Cloudflare's network edge. Each speed test includes the following metrics: * Internet speed: download and upload throughput * Latency: download, upload, unloaded latency, and jitter * Network quality score: video streaming, webchat/real-time communication (RTC) In the [Cloudflare dashboard ↗](https://dash.cloudflare.com/), go to **Zero Trust** \> **Insights** \> **Digital experience** \> **Diagnostics** and select **Run diagnostics** to use the feature today. ![Cloudflare One client speed test result](https://developers.cloudflare.com/_astro/dex_speed_test.DukupcRs_gXUVw.webp) Apr 28, 2026 1. ### [Create and manage DLP detection entries outside of profiles](https://developers.cloudflare.com/changelog/post/2026-04-28-detection-entries-outside-profiles/) [ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) You can now create, view, and manage DLP detection entries outside of profiles. Detection entries are no longer hidden inside individual profiles. Administrators can manage detection entries directly from the **Detection entries** section and use them in custom DLP profiles. For more information, refer to [Configure detection entries](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/detection-entries/configure-detection-entries/). Apr 28, 2026 1. ### [Detect PII records with a new predefined DLP profile](https://developers.cloudflare.com/changelog/post/2026-04-28-pii-record-profile/) [ Data Loss Prevention ](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/) Cloudflare DLP now includes a new predefined profile designed to detect PII records that contain multiple types of personal data: **Personally Identifiable Information (PII) Record**. Most predefined and custom DLP profiles match when any enabled detection entry matches. The **Personally Identifiable Information (PII) Record** profile is different. It only matches when at least three unique detection entries are found in close proximity, which reduces false positives from standalone values that may not represent a real PII record. Detection entries included in the profile: * AU Passport Number * American Express Card Number * Diners Club Card Number * US Driver's License Number * Email Address * Full Name * US Mailing Address * Mastercard Card Number * US Individual Tax Identification Number (ITIN) * US Passport Number * US Phone Number * Union Pay Card Number * United States SSN Numeric Detection * Visa Card Number For more information, refer to [predefined DLP profiles](https://developers.cloudflare.com/cloudflare-one/data-loss-prevention/dlp-profiles/predefined-profiles/). Apr 28, 2026 1. ### [Account-level enforce DNS-only](https://developers.cloudflare.com/changelog/post/2026-04-28-enforce-dns-only/) [ DNS ](https://developers.cloudflare.com/dns/) You can now disable Cloudflare's reverse proxy across all zones in your account simultaneously using the new `enforce_dns_only` setting. When enabled, Cloudflare responds to DNS queries for all proxied records with your origin IP addresses instead of Cloudflare's anycast IPs. This account-level kill switch is designed for incident response scenarios where you need to quickly route traffic directly to your origin servers. Warning Enabling this setting exposes your origin IP addresses and removes all Cloudflare protections — including DDoS mitigation, WAF, caching, and all other proxy-based features — for every zone in your account. Use with extreme caution and only after proper [preparations](https://developers.cloudflare.com/dns/proxy-status/enforce-dns-only/#preparation). #### Key characteristics * **Account-level** — Affects all zones in the account simultaneously with a single API call. * **Non-destructive** — Does not modify your DNS records. Disabling the setting restores normal proxy behavior. * **API-only** — Available through the API only, not in the Cloudflare dashboard. #### What's affected **Included:** Standard proxied A, AAAA, and CNAME records, Load Balancing records, and records matching Worker routes. **Excluded:** Spectrum applications, Cloudflare Tunnel CNAMEs, R2 custom domains, Web3 gateways, and Workers custom domains continue to operate normally. #### Before you enable * Verify your origin servers can handle direct traffic without Cloudflare's caching and filtering. * Review which origin IPs will become publicly visible through DNS queries. * Test the API in a staging account before relying on it for incident response. #### Availability Available via API to all Cloudflare customers. For information on how to use it, refer to [Enforce DNS-only developer documentation](https://developers.cloudflare.com/dns/proxy-status/enforce-dns-only/) . Apr 28, 2026 1. ### [Realtime backlog metrics now available for Queues](https://developers.cloudflare.com/changelog/post/2026-04-28-improved-queues-metrics/) [ Queues ](https://developers.cloudflare.com/queues/) [Queues](https://developers.cloudflare.com/queues/), Cloudflare's managed message queue, now exposes realtime backlog metrics via the dashboard, REST API, and JavaScript API. Three new fields are available: * **`backlog_count`** — the number of unacknowledged messages in the queue * **`backlog_bytes`** — the total size of those messages in bytes * **`oldest_message_timestamp_ms`** — the timestamp of the oldest unacknowledged message The following endpoints also now include a `metadata.metrics` object on the result field after successful message consumption: * `/accounts/{account_id}/queues/{queue_id}/messages/pull` * `/accounts/{account_id}/queues/{queue_id}/messages` * `/accounts/{account_id}/queues/{queue_id}/messages/batch` #### Javascript APIs Call `env.QUEUE.metrics()` to get realtime backlog metrics: TypeScript ``` const { backlogCount, // number backlogBytes, // number oldestMessageTimestamp, // Date | undefined } = await env.QUEUE.metrics(); ``` `env.QUEUE.send()` and `env.QUEUE.sendBatch()` also now return a metrics object on the response. You can also query these fields via the [GraphQL Analytics API](https://developers.cloudflare.com/analytics/graphql-api/) or view realtime backlog on the [dashboard ↗](https://dash.cloudflare.com/?to=/:account/workers/queues). ![Queues realtime backlog](https://developers.cloudflare.com/_astro/2026-04-28-queues-metrics.BYi0hgrD_149xlT.webp) For more information, refer to [Queues metrics](https://developers.cloudflare.com/queues/observability/metrics/). Apr 28, 2026 1. ### [Direct access to Support from the dashboard](https://developers.cloudflare.com/changelog/post/2026-04-28-direct-support-navigation/) [ Support ](https://developers.cloudflare.com/support/) #### Direct access to Support from the dashboard The **Support** button in the dashboard global navigation header now takes you directly to the [Cloudflare Support Portal ↗](https://support.cloudflare.com), eliminating the previous dropdown menu. This change ensures that when you need help, you spend less time navigating the UI and more time getting the answers you need. #### What changed? * **Previous behavior**: Selecting **? Support** opened a dropdown menu with various links (Help Center, Cloudflare Community, etc.). * **New behavior**: Selecting **Support** immediately redirects your current tab to the Support Portal. To learn more about the resources available to you, refer to the [Cloudflare Support documentation ↗](https://developers.cloudflare.com/support/contacting-cloudflare-support/). Apr 27, 2026 1. ### [Cache Response Rules now support zone versioning](https://developers.cloudflare.com/changelog/post/2026-04-27-cache-response-rules-zone-versioning/) [ Cache / CDN ](https://developers.cloudflare.com/cache/) Cache Response Rules now work with [Version Management](https://developers.cloudflare.com/version-management/). You can version response-phase cache settings and promote them through environments, just like Cache Rules and other supported configurations. #### What changed Previously, Cache Response Rules were excluded from zone versioning. Any response-phase rule you created applied globally across all environments with no way to test changes in staging first. Cache Rules already supported versioning, but the response phase, where you modify `Cache-Control` directives, manage cache tags, and strip headers, did not. Cache Response Rules are now fully integrated with Version Management. You can create or modify response-phase rules within a version, and those changes stay scoped to that version until promoted. #### Benefits * **Safe rollout of cache behavior changes**: Test response-phase rules in a staging environment before promoting to production. Catch unintended caching side effects early. * **Parity with Cache Rules**: Cache Response Rules now follow the same versioning workflow as Cache Rules, so you can manage all cache configuration through a single promotion pipeline. * **Independent environment control**: Run different response-phase cache settings per environment. For example, strip `Set-Cookie` headers in staging to validate cacheability without affecting production traffic. #### Get started Configure Cache Response Rules in the [Cloudflare dashboard ↗](https://dash.cloudflare.com/?to=/:account/:zone/caching/cache-rules) under **Caching** \> **Cache Rules**, or via the [Rulesets API](https://developers.cloudflare.com/ruleset-engine/rulesets-api/). For more details, refer to the [Cache Response Rules documentation](https://developers.cloudflare.com/cache/how-to/cache-response-rules/) and the [Version Management documentation](https://developers.cloudflare.com/version-management/). Apr 27, 2026 1. ### [Structured error responses for Cloudflare 5xx errors](https://developers.cloudflare.com/changelog/post/2026-04-27-structured-responses-for-5xx-errors/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/) Cloudflare-generated 5xx error responses now return structured JSON and Markdown when agents request them, matching the format already available for 1xxx errors. Responses follow [RFC 9457 (Problem Details for HTTP APIs) ↗](https://www.rfc-editor.org/rfc/rfc9457) and include a `Retry-After` HTTP header on retryable codes. #### Changes **5xx coverage.** Ten Cloudflare-generated error codes (500, 502, 504, 520-526) now serve structured responses. These are errors Cloudflare itself generates when it cannot reach or understand the origin server. Origin-generated 5xx responses that Cloudflare passes through are not affected. **Fault attribution.** The `error_category` field tells agents where the fault lies: * `origin` (502, 504, 520-524) — the origin server is responsible. Transient; retry with the backoff in `retry_after`. * `cloudflare` (500) — Cloudflare's fault, not the website or the request. Short retry. * `ssl` (525, 526) — the origin's TLS configuration is broken. Do not retry. **Retry-After header.** Retryable codes (500, 502, 504, 520-524) include a `Retry-After` HTTP header matching the `retry_after` body field. Non-retryable codes (525, 526) do not include the header. #### Negotiation behavior | Request header sent | Response format | | --------------------------------------------- | -------------------------------------------- | | Accept: application/json | JSON (application/json content type) | | Accept: application/problem+json | JSON (application/problem+json content type) | | Accept: application/json, text/markdown;q=0.9 | JSON | | Accept: text/markdown | Markdown | | Accept: text/markdown, application/json | Markdown (equal q, first-listed wins) | | Accept: \*/\* | HTML (default) | #### Availability Available now for all zones on all plans. #### Get started Get JSON response for error 522: Terminal window ``` curl -s --compressed -H "Accept: application/json" -A "TestAgent/1.0" -H "Accept-Encoding: gzip, deflate" "/cdn-cgi/error/522" | jq . ``` Check presence of the `Retry-After` HTTP header associated with the JSON response for error 521: Terminal window ``` curl -s --compressed -D - -o /dev/null -H "Accept: application/json" -A "TestAgent/1.0" -H "Accept-Encoding: gzip, deflate" "/cdn-cgi/error/521" | grep -i retry-after ``` References: * [RFC 9457 — Problem Details for HTTP APIs ↗](https://www.rfc-editor.org/rfc/rfc9457) * [Cloudflare 5xx error documentation](https://developers.cloudflare.com/support/troubleshooting/http-status-codes/cloudflare-5xx-errors/) Apr 27, 2026 1. ### [Resource Tagging enters public beta](https://developers.cloudflare.com/changelog/post/2026-04-27-resource-tagging-public-beta/) [ Cloudflare Fundamentals ](https://developers.cloudflare.com/fundamentals/)[ Resource Tagging ](https://developers.cloudflare.com/resource-tagging/) Resource Tagging is now in public beta and rolling out to all Cloudflare accounts over the coming days. You can attach custom key-value metadata to your Cloudflare resources and query across your entire account to find what you need. #### What's included * **Broad resource type support** — Tag zones, custom hostnames, Cloudflare Tunnels, Workers, D1 databases, R2 buckets, KV namespaces, Durable Object namespaces, Queues, Stream videos, Images, Access applications, Gateway rules, AI Gateways, and more. Refer to the [full list of supported resource types](https://developers.cloudflare.com/resource-tagging/reference/resource-types/). * **Powerful filtering** — Query tagged resources using AND/OR logic, negation, and key-only matching. Combine up to 20 filters per query to build precise resource views. * **Account and zone-level endpoints** — Full CRUD operations across both scopes. * **Token-based authentication** — Tagging supports [Account Owned Tokens](https://developers.cloudflare.com/fundamentals/api/get-started/account-owned-tokens/) that persist independently of individual users, so your automation keeps running through credential rotations and team changes. * **Flexible role support** — Super Administrators, Workers Admins, and Tag Admins can all manage tags. #### API-first by design The API is the primary interface for Resource Tagging and the recommended path for all workflows — scripting tag assignments, building CI/CD pipelines, or integrating with your infrastructure-as-code toolchain. #### Dashboard UI You can also view and manage tagged resources directly in the Cloudflare dashboard. Navigate to **Manage Account** \> **Resource Tagging** to see all tagged resources across your account, filter by resource name or tag, and add or edit tags inline. ![Tagged Resources dashboard](https://developers.cloudflare.com/_astro/tagged-resources-dashboard.Dg5WvwiN_24xl6P.webp) #### What's coming next In future releases, expect support for additional resource types across the Cloudflare platform, tag-based access control policies for scoping user permissions to tagged resources, billing and usage attribution by tag for breaking down costs by team, project, or environment, and Terraform provider support for managing tags declaratively. #### Current limitations * `PUT` replaces all tags on a resource (no partial update). Use the [GET, merge, PUT workflow](https://developers.cloudflare.com/resource-tagging/how-to/manage-tags/#add-a-single-tag) to modify individual tags safely. * `DELETE` removes all tags from a resource. To remove a single tag, PUT the remaining tags back. * Querying tags for a resource that has never been tagged returns `500` instead of `404`. This is a known beta limitation. To get started, refer to the [Resource Tagging documentation](https://developers.cloudflare.com/resource-tagging/). Apr 27, 2026 1. ### [Unified workspace for Brand Protection](https://developers.cloudflare.com/changelog/post/2026-04-27-unified-workspace-brand-protection/) [ Security Center ](https://developers.cloudflare.com/security-center/) We have introduced a unified investigation workspace within Brand Protection to help analysts manage complex brand portfolios. Instead of jumping between individual queries, you can now consolidate your workflow into a single, cohesive view. #### What's new * You can now elect multiple saved queries from your dashboard to generate a consolidated "Combined Matches" view. This allows you to triage results from different brand queries in one unified table * You can open query extended views in distinct tabs within the Brand Protection dashboard. This enables you to maintain multiple investigation contexts simultaneously and switch between them without losing your place. * You can reset your workspace using the new "Clear Selection" action, making it easier to pivot between different investigation sets. #### Key benefits * Eliminate fragmented workflows by viewing all matches across different query buckets in a single table, reducing the need to click through dozens of individual query pages * Correlate related campaigns by seeing similar domains or infrastructure patterns that appear across multiple saved queries Learn more in our [Brand Protection documentation](https://developers.cloudflare.com/security-center/brand-protection/). Apr 27, 2026 1. ### [WAF Release - 2026-04-27](https://developers.cloudflare.com/changelog/post/2026-04-27-waf-release/) [ WAF ](https://developers.cloudflare.com/waf/) This week's release focuses on new improvements to enhance coverage. **Key Findings** * Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage. **Continuous Rule Improvements** We are continuously refining our managed rules to provide more resilient protection and deeper insights into attack patterns. To ensure an optimal security posture, we recommend consistently monitoring the Security Events dashboard and adjusting rule actions as these enhancements are deployed. | Ruleset | Rule ID | Legacy Rule ID | Description | Previous Action | New Action | Comments | | -------------------------- | ----------- | -------------- | -------------------------------------------- | --------------- | ---------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | | Cloudflare Managed Ruleset | ...80cec1dd | N/A | PostgreSQL - SQLi - COPY - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "PostgreSQL - SQLi - COPY - Body (ID: ...e7265a4e ). The rule previously known as "PostgreSQL - SQLi - COPY" is now renamed to "PostgreSQL - SQLi - COPY - Body". | | Cloudflare Managed Ruleset | ...2903de89 | N/A | PostgreSQL - SQLi - COPY - Headers | Log | Block | This is a new detection. | | Cloudflare Managed Ruleset | ...1036cfa6 | N/A | PostgreSQL - SQLi - COPY - URI | Log | Block | This is a new detection. | | Cloudflare Managed Ruleset | ...55ff389e | N/A | SQLi - AND/OR MAKE\_SET/ELT - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - AND/OR MAKE\_SET/ELT - Body" (ID: ...252d3934 ). The rule previously known as "SQLi - AND/OR MAKE\_SET/ELT" is now renamed to "SQLi - AND/OR MAKE\_SET/ELT - Body". | | Cloudflare Managed Ruleset | ...346487f9 | N/A | SQLi - AND/OR MAKE\_SET/ELT - Headers | Log | Block | This is a new detection. | | Cloudflare Managed Ruleset | ...1ac6ceca | N/A | SQLi - AND/OR MAKE\_SET/ELT - URI | Log | Block | This is a new detection. | | Cloudflare Managed Ruleset | ...dd471337 | N/A | SQLi - Common Patterns - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - Common Patterns - Body" (ID: ...cb5d0b9b ). The rule previously known as "SQLi - Common Patterns" is now renamed to "SQLi - Common Patterns - Body". | | Cloudflare Managed Ruleset | ...975c07b7 | N/A | SQLi - Common Patterns - Headers | Log | Block | This is a new detection. | | Cloudflare Managed Ruleset | ...05b1b06b | N/A | SQLi - Common Patterns - URI | Log | Block | This is a new detection. | | Cloudflare Managed Ruleset | ...dd0ba3c7 | N/A | SQLi - Equation - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - Equation - Body" (ID: ...c2eb3e7f ). The rule previously known as "SQLi - Equation" is now renamed to "SQLi - Equation - Body". | | Cloudflare Managed Ruleset | ...3d1c2384 | N/A | SQLi - Equation - Headers | Log | Block | This is a new detection. | | Cloudflare Managed Ruleset | ...e1149ea6 | N/A | SQLi - Equation - URI | Log | Block | This is a new detection. | | Cloudflare Managed Ruleset | ...205adbb0 | N/A | SQLi - AND/OR Digit Operator Digit - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - AND/OR Digit Operator Digit - Body" (ID: ...3893c564 ). The rule previously known as "SQLi - AND/OR Digit Operator Digit" is now renamed to "SQLi - AND/OR Digit Operator Digit - Body". | | Cloudflare Managed Ruleset | ...ad2abbaa | N/A | SQLi - AND/OR Digit Operator Digit - Headers | Log | Block | This is a new detection. | | Cloudflare Managed Ruleset | ...53acbc0d | N/A | SQLi - AND/OR Digit Operator Digit - URI | Log | Block | This is a new detection. | | Cloudflare Managed Ruleset | ...2b45a97d | N/A | SQLi - Benchmark Function - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - Benchmark Function - Body" (ID: ...2ebc44ad ). The rule previously known as "SQLi - Benchmark Function" is now renamed to "SQLi - Benchmark Function - Body". | | Cloudflare Managed Ruleset | ...9889aadc | N/A | SQLi - Benchmark Function - Headers | Log | Block | This is a new detection. | | Cloudflare Managed Ruleset | ...491b28e9 | N/A | SQLi - Benchmark Function - URI | Log | Block | This is a new detection. | | Cloudflare Managed Ruleset | ...2aa649de | N/A | SQLi - Comparison - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - Comparison - Body" (ID: ...e7907480 ). The rule previously known as "SQLi - Comparison" is now renamed to "SQLi - Comparison - Body". | | Cloudflare Managed Ruleset | ...39e3e013 | N/A | SQLi - Comparison - Headers | Log | Block | This is a new detection. | | Cloudflare Managed Ruleset | ...f4bdb492 | N/A | SQLi - Comparison - URI | Log | Block | This is a new detection. | | Cloudflare Managed Ruleset | ...a1ff3b34 | N/A | SQLi - String Concatenation - Body - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - String Concatenation - Headers" (ID: ...2116d2fe ).The rule previously known as "SQLi - String Concatenation - Headers" is now renamed to "SQLi - String Concatenation - Body". | | Cloudflare Managed Ruleset | ...0d0e6c3b | N/A | SQLi - String Concatenation - Headers | Log | Block | This is a new detection.(Former Id was ...846d1940 ) | | Cloudflare Managed Ruleset | ...26cc211f | N/A | SQLi - String Concatenation - URI | Log | Block | This is a new detection. (Former Id was ...8fae8c84 ) | | Cloudflare Managed Ruleset | ...eacc78ab | N/A | SQLi - SELECT Expression - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - SELECT Expression - Body" (ID: ...d0023a36 ). The rule previously known as "SQLi - SELECT Expression" is now renamed to "SQLi - SELECT Expression - Body". | | Cloudflare Managed Ruleset | ...630bb223 | N/A | SQLi - SELECT Expression - Headers | Log | Block | This is a new detection. | | Cloudflare Managed Ruleset | ...dcd6efb5 | N/A | SQLi - SELECT Expression - URI | Log | Block | This is a new detection. | | Cloudflare Managed Ruleset | ...18c47cea | N/A | SQLi - ORD and ASCII - Beta | Log | Block | This is a new detection. This rule is merged into the original rule "SQLi - ORD and ASCII- Body" (ID: ...d0d207f9 ). The rule previously known as "SQLi - ORD and ASCII" is now renamed to "SQLi - ORD and ASCII- Body". | | Cloudflare Managed Ruleset | ...bdb1618f | N/A | SQLi - ORD and ASCII - URI | Log | Block | This is a new detection. | | Cloudflare Managed Ruleset | ...1d0906b6 | N/A | SQLi - ORD and ASCII - Headers | Log | Block | This is a new detection. | | Cloudflare Managed Ruleset | ...9fe4eff5 | N/A | SQLi - Destructive Operations | Log | Block | This is a new detection. | [Search all changelog entries](https://developers.cloudflare.com/search/?contentType=Changelog+entry)