Cloudflare Docs

Changelog

New updates and improvements at Cloudflare.

  1. We are adding source origin restrictions to the Media Transformations beta. This allows customers to restrict what sources can be used to fetch images and video for transformations. This feature is the same as, and uses the same settings as, Image Transformations sources.

    When transformations are first enabled, the default setting only allows transformations on images and media from the same website or domain being used to make the transformation request. In other words, by default, requests to example.com/cdn-cgi/media can only reference originals on example.com.

    Enable allowed origins from the Cloudflare dashboard

    Adding access to other sources, or allowing any source, is easy to do in the Transformations tab under Stream. Click each domain enabled for Transformations and set its sources list to match the needs of your content. The user making this change will need permission to edit zone settings.

    For more information, learn about Transforming Videos.

  1. New categories added

    | Parent ID | Parent Name | Category ID | Category Name |
    |---|---|---|---|
    | 1 | Ads | 66 | Advertisements |
    | 3 | Business & Economy | 185 | Personal Finance |
    | 3 | Business & Economy | 186 | Brokerage & Investing |
    | 21 | Security Threats | 187 | Compromised Domain |
    | 21 | Security Threats | 188 | Potentially Unwanted Software |
    | 6 | Education | 189 | Reference |
    | 9 | Government & Politics | 190 | Charity and Non-profit |

    Changes to existing categories

    | Original Name | New Name |
    |---|---|
    | Religion | Religion & Spirituality |
    | Government | Government/Legal |
    | Redirect | URL Alias/Redirect |

    Refer to Gateway domain categories to learn more.

  1. You can now create DNS policies to manage outbound traffic for an expanded list of applications. This update adds support for 273 new applications, giving you more control over your organization's outbound traffic.

    With this update, you can:

    • Create DNS policies for a wider range of applications
    • Manage outbound traffic more effectively
    • Improve your organization's security and compliance posture

    For more information on creating DNS policies, see our DNS policy documentation.

  1. Remote Browser Isolation (RBI) now supports SAML HTTP-POST bindings, enabling seamless authentication for SSO-enabled applications that rely on POST-based SAML responses from Identity Providers (IdPs) within a Remote Browser Isolation session. This update resolves a previous limitation that caused 405 errors during login and improves compatibility with multi-factor authentication (MFA) flows.

    With expanded support for major IdPs like Okta and Azure AD, this enhancement delivers a more consistent and user-friendly experience across authentication workflows. Learn how to set up Remote Browser Isolation.

  1. A new GA release for the Linux WARP client is now available on the Stable release downloads page. This release contains two significant changes all customers should be aware of:

    1. All DNS traffic now flows inside the WARP tunnel. Customers are no longer required to configure their local Firewall rules to allow our DoH IP Address or domains.
    2. When using MASQUE, the connection will fall back to HTTP/2 (TCP) when we detect that HTTP/3 traffic is blocked. This allows for a much more reliable connection on some public WiFi networks.

    Changes and improvements

    • Fixed an issue where the managed network policies could incorrectly report network location beacons as missing.
    • Improved DEX Test Error reporting.
    • Fixed an issue causing client notifications to fail in IPv6-only environments, which prevented the client from receiving configuration changes to settings like device profile.
    • Added a TCP fallback for the MASQUE tunnel protocol to improve connectivity on networks that block UDP or HTTP/3 specifically.
    • Added new IP addresses for tunnel connectivity checks. If your organization uses a firewall or other policies, you will need to exempt these IPs.
    • Fixed an issue where frequent network changes could cause WARP to become unresponsive.
    • DNS over HTTPS traffic is now included in the WARP tunnel by default.
    • Improved WARP to check whether tunnel connectivity fails or times out at device wake before attempting to reconnect.
    • Fixed an issue causing WARP connection disruptions after network changes.

  1. A new GA release for the macOS WARP client is now available on the Stable release downloads page. This release contains two significant changes all customers should be aware of:

    1. All DNS traffic now flows inside the WARP tunnel. Customers are no longer required to configure their local Firewall rules to allow our DoH IP Address or domains.
    2. When using MASQUE, the connection will fall back to HTTP/2 (TCP) when we detect that HTTP/3 traffic is blocked. This allows for a much more reliable connection on some public WiFi networks.

    Changes and improvements

    • Fixed an issue where the managed network policies could incorrectly report network location beacons as missing.
    • Improved DEX Test Error reporting.
    • Fixed an issue causing client notifications to fail in IPv6-only environments, which prevented the client from receiving configuration changes to settings like device profile.
    • Improved captive portal detection.
    • Added a TCP fallback for the MASQUE tunnel protocol to improve connectivity on networks that block UDP or HTTP/3 specifically.
    • Added new IP addresses for tunnel connectivity checks. If your organization uses a firewall or other policies, you will need to exempt these IPs.
    • DNS over HTTPS traffic is now included in the WARP tunnel by default.
    • Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met.
    • Improved handling of non-SLAAC IPv6 interface addresses for better connectivity in IPv6-only environments.
    • Fixed an issue where frequent network changes could cause WARP to become unresponsive.
    • Improved WARP to check whether tunnel connectivity fails or times out at device wake before attempting to reconnect.
    • Fixed an issue causing WARP connection disruptions after network changes.

    Known issues

    • macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.

  1. You can now use IP, Autonomous System (AS), and Hostname custom lists to route traffic to Snippets and Cloud Connector, giving you greater precision and control over how you match and process requests at the edge.

    In Snippets, you can now also match on Bot Score and WAF Attack Score, unlocking smarter edge logic for everything from request filtering and mitigation to tarpitting and logging.

    What’s new:

    • Custom lists matching – Snippets and Cloud Connector now support user-created IP, AS, and Hostname lists via dashboard or Lists API. Great for shared logic across zones.
    • Bot Score and WAF Attack Score – Use Cloudflare’s intelligent traffic signals to detect bots or attacks and take advanced, tailored actions with just a few lines of code.
    New fields in Snippets

    These enhancements unlock new possibilities for building smarter traffic workflows with minimal code and maximum efficiency.

    Learn more in the Snippets and Cloud Connector documentation.

  1. You can now safely open email attachments to view and investigate them.

    Messages now have an Attachments section. Here, you can view processed attachments and their classifications (for example, Malicious, Suspicious, Encrypted). Next to each attachment, a Browser Isolation icon allows your team to safely open the file in a clientless, isolated browser with no risk to the analyst or your environment.

    To use this feature, you must:

    • Enable Clientless Web Isolation in your Zero Trust settings.
    • Have Browser Isolation (BISO) seats assigned.

    For more details, refer to our setup guide.

    Some attachment types may not render in Browser Isolation. If there is a file type that you would like to be opened with Browser Isolation, reach out to your Cloudflare contact.

    This feature is available across all CES packages:

    • CES_ADVANTAGE
    • CES_ENTERPRISE
    • CES_ENTERPRISE_PHISHGUARD

  1. Enterprise customers can now choose the geographic location from which a URL scan is performed — either via Security Center in the Cloudflare dashboard or via the URL Scanner API.

    This feature gives security teams greater insight into how a website behaves across different regions, helping uncover targeted, location-specific threats.

    What’s new:

    • Location Picker: Select a location for the scan via Security Center → Investigate in the dashboard or through the API.
    • Region-aware scanning: Understand how content changes by location — useful for detecting regionally tailored attacks.
    • Default behavior: If no location is set, scans default to the user’s current geographic region.

    Learn more in the Security Center documentation.

  1. We have upgraded WAF Payload Logging to enhance rule diagnostics and usability:

    • Targeted logging: Logs now capture only the specific portions of requests that triggered WAF rules, rather than entire request segments.
    • Visual highlighting: Matched content is visually highlighted in the UI for faster identification.
    • Enhanced context: Logs now include surrounding context to make diagnostics more effective.
    Log entry showing payload logging details

    Payload Logging is available to all Enterprise customers. If you have not used Payload Logging before, check how you can get started.

    Note: The structure of the encrypted_matched_data field in Logpush has changed from Map<Field, Value> to Map<Field, {Before: bytes, Content: Value, After: bytes}>. If you rely on this field in your Logpush jobs, you should review and update your processing logic accordingly.
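
One way to make downstream processing tolerate both shapes described in the note above, as an added example that is not Cloudflare's code. It assumes the field has already been decrypted and parsed into a dict, that Before and After arrive as text, and that key names may differ in case; the sample field names and values are constructed.

```python
import json

# Constructed samples: the same match in the old and the new map shape.
OLD_SAMPLE = '{"http.request.uri.query": "id=1 UNION SELECT password"}'
NEW_SAMPLE = ('{"http.request.uri.query": '
              '{"Before": "id=1 ", "Content": "UNION SELECT", "After": " password"}}')

# Key names follow the note; matching them case-insensitively is an assumption.
_NEW_KEYS = {"before", "content", "after"}


def _is_new_shape(entry):
    """True when a map value looks like {Before, Content, After}."""
    if not isinstance(entry, dict):
        return False
    keys = {str(k).lower() for k in entry}
    return "content" in keys and keys <= _NEW_KEYS


def normalize_matched_data(decrypted):
    """Return one record per field, whichever shape each entry uses."""
    records = []
    for field, entry in decrypted.items():
        if _is_new_shape(entry):
            lowered = {str(k).lower(): v for k, v in entry.items()}
            records.append({"field": field, "shape": "new",
                            "before": lowered.get("before") or "",
                            "content": lowered["content"],
                            "after": lowered.get("after") or ""})
        else:
            # Old shape: the value is the matched content, with no context.
            records.append({"field": field, "shape": "old",
                            "before": "", "content": entry, "after": ""})
    return records


def render(record):
    """Show the match in its context, with the matched part bracketed."""
    return f'{record["before"]}[[{record["content"]}]]{record["after"]}'


if __name__ == "__main__":
    for sample in (OLD_SAMPLE, NEW_SAMPLE):
        for rec in normalize_matched_data(json.loads(sample)):
            print(rec["shape"], rec["field"], render(rec))
```

Counting records by `shape` during a migration shows when a Logpush job has fully switched to the new structure.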