Skip to content
Cloudflare Docs

Changelog

New updates and improvements at Cloudflare.

Subscribe to RSS
View all RSS feeds

Select...
hero image

  1. Durable Objects are now supported in Python Workers

    Workers Durable Objects

    You can now create Durable Objects using Python Workers. A Durable Object is a special kind of Cloudflare Worker which uniquely combines compute with storage, enabling stateful long-running applications which run close to your users. For more info see here.

    You can define a Durable Object in Python in a similar way to JavaScript:

    from workers import DurableObject, Response, handler
    

    from urllib.parse import urlparse
    

    class MyDurableObject(DurableObject):
        def __init__(self, ctx, env):
            self.ctx = ctx
            self.env = env
    

        def on_fetch(self, request):
            result = self.ctx.storage.sql.exec("SELECT 'Hello, World!' as greeting").one()
            return Response(result.greeting)
    

    @handler
    async def on_fetch(request, env, ctx):
        url = urlparse(request.url)
        id = env.MY_DURABLE_OBJECT.idFromName(url.path)
        stub = env.MY_DURABLE_OBJECT.get(id)
        greeting = await stub.fetch(request.url)
        return greeting

    Define the Durable Object in your Wrangler configuration file:

    {
      "durable_objects": {
        "bindings": [
          {
            "name": "MY_DURABLE_OBJECT",
            "class_name": "MyDurableObject"
          }
        ]
      }
    }

    Then define the storage backend for your Durable Object:

    {
      "migrations": [
        {
          "tag": "v1",
          "new_sqlite_classes": [
            "MyDurableObject"
          ]
        }
      ]
    }

    Then test your new Durable Object locally by running wrangler dev:

    npx wrangler dev

    Consult the Durable Objects documentation for more details.

  1. New Access Analytics in the Cloudflare One Dashboard

    Access Cloudflare Zero Trust

    A new Access Analytics dashboard is now available to all Cloudflare One customers. Customers can apply and combine multiple filters to dive into specific slices of their Access metrics. These filters include:

    • Logins granted and denied
    • Access events by type (SSO, Login, Logout)
    • Application name (Salesforce, Jira, Slack, etc.)
    • Identity provider (Okta, Google, Microsoft, onetimepin, etc.)
    • Users (chris@cloudflare.com, sally@cloudflare.com, rachel@cloudflare.com, etc.)
    • Countries (US, CA, UK, FR, BR, CN, etc.)
    • Source IP address
    • App type (self-hosted, Infrastructure, RDP, etc.)
    Access Analytics

    To access the new overview, log in to your Cloudflare Zero Trust dashboard and find Analytics in the side navigation bar.

  1. WARP client for Windows (version 2025.4.929.0)

    Zero Trust WARP Client

    A new GA release for the Windows WARP client is now available on the stable releases downloads page.

    This release contains two significant changes all customers should be aware of:

    1. All DNS traffic now flows inside the WARP tunnel. Customers are no longer required to configure their local firewall rules to allow our DoH IP addresses and domains.
    2. When using MASQUE, the connection will fall back to HTTP/2 (TCP) when we detect that HTTP/3 traffic is blocked. This allows for a much more reliable connection on some public WiFi networks.

    Changes and improvements

    • Fixed an issue causing reconnection loops when captive portals are detected.
    • Fixed an issue that caused WARP client disk encryption posture checks to fail due to missing drive names.
    • Fixed an issue where managed network policies could incorrectly report network location beacons as missing.
    • Improved DEX test error reporting.
    • Fixed an issue where some parts of the WARP Client UI were missing in high contrast mode.
    • Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile.
    • Added a TCP fallback for the MASQUE tunnel protocol to improve connectivity on networks that block UDP or HTTP/3 specifically.
    • Added new IP addresses for tunnel connectivity checks. If your organization uses a firewall or other policies you will need to exempt these IPs.
    • DNS over HTTPS traffic is now included in the WARP tunnel by default.
    • Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met.
    • Improved handling of non-SLAAC IPv6 interface addresses for better connectivity in IPv6 only environments.
    • Fixed an issue where frequent network changes could cause WARP to become unresponsive.
    • Improvement for WARP to check if tunnel connectivity fails or times out at device wake before attempting to reconnect.
    • Fixed an issue causing WARP connection disruptions after network changes.

    Known issues

    • DNS resolution may be broken when the following conditions are all true:

      • WARP is in Secure Web Gateway without DNS filtering (tunnel-only) mode.
      • A custom DNS server address is configured on the primary network adapter.
      • The custom DNS server address on the primary network adapter is changed while WARP is connected.

      To work around this issue, reconnect the WARP client by toggling off and back on.

    • We have received reports of performance issues from some customers that have upgraded to 24H2 with the Windows Filtering Platform and local device firewall rules. Before rolling out this Windows version, we highly encourage customers to test thoroughly as we continue to debug with Microsoft.

    • Devices with KB5055523 installed may receive a warning about Win32/ClickFix.ABA being present in the installer. To resolve this false positive, update Microsoft Security Intelligence to version 1.429.19.0 or later.

  1. Hyperdrive achieves FedRAMP Moderate-Impact Authorization

    Hyperdrive

    Hyperdrive has been approved for FedRAMP Authorization and is now available in the FedRAMP Marketplace.

    FedRAMP is a U.S. government program that provides standardized assessment and authorization for cloud products and services. As a result of this product update, Hyperdrive has been approved as an authorized service to be used by U.S. federal agencies at the Moderate Impact level.

    For detailed information regarding FedRAMP and its implications, please refer to the official FedRAMP documentation for Cloudflare.

  1. Introducing Origin Restrictions for Media Transformations

    Stream

    We are adding source origin restrictions to the Media Transformations beta. This allows customers to restrict what sources can be used to fetch images and video for transformations. This feature is the same as --- and uses the same settings as --- Image Transformations sources.

    When transformations is first enabled, the default setting only allows transformations on images and media from the same website or domain being used to make the transformation request. In other words, by default, requests to example.com/cdn-cgi/media can only reference originals on example.com.

    Enable allowed origins from the Cloudflare dashboard

    Adding access to other sources, or allowing any source, is easy to do in the Transformations tab under Stream. Click each domain enabled for Transformations and set its sources list to match the needs of your content. The user making this change will need permission to edit zone settings.

    For more information, learn about Transforming Videos.

  1. Domain Categories improvements

    Gateway

    New categories added

    Parent IDParent NameCategory IDCategory Name
    1Ads66Advertisements
    3Business & Economy185Personal Finance
    3Business & Economy186Brokerage & Investing
    21Security Threats187Compromised Domain
    21Security Threats188Potentially Unwanted Software
    6Education189Reference
    9Government & Politics190Charity and Non-profit

    Changes to existing categories

    Original NameNew Name
    ReligionReligion & Spirituality
    GovernmentGovernment/Legal
    RedirectURL Alias/Redirect

    Refer to Gateway domain categories to learn more.

  1. New Applications Added for DNS Filtering

    Gateway

    You can now create DNS policies to manage outbound traffic for an expanded list of applications. This update adds support for 273 new applications, giving you more control over your organization's outbound traffic.

    With this update, you can:

    • Create DNS policies for a wider range of applications
    • Manage outbound traffic more effectively
    • Improve your organization's security and compliance posture

    For more information on creating DNS policies, see our DNS policy documentation.

  1. SAML HTTP-POST bindings support for RBI

    Browser Isolation

    Remote Browser Isolation (RBI) now supports SAML HTTP-POST bindings, enabling seamless authentication for SSO-enabled applications that rely on POST-based SAML responses from Identity Providers (IdPs) within a Remote Browser Isolation session. This update resolves a previous limitation that caused 405 errors during login and improves compatibility with multi-factor authentication (MFA) flows.

    With expanded support for major IdPs like Okta and Azure AD, this enhancement delivers a more consistent and user-friendly experience across authentication workflows. Learn how to set up Remote Browser Isolation.

  1. WARP client for Linux (version 2025.4.929.0)

    Zero Trust WARP Client

    A new GA release for the Linux WARP client is now available on the stable releases downloads page.

    This release contains two significant changes all customers should be aware of:

    1. All DNS traffic now flows inside the WARP tunnel. Customers are no longer required to configure their local firewall rules to allow our DoH IP addresses and domains.
    2. When using MASQUE, the connection will fall back to HTTP/2 (TCP) when we detect that HTTP/3 traffic is blocked. This allows for a much more reliable connection on some public WiFi networks.

    Changes and improvements

    • Fixed an issue where the managed network policies could incorrectly report network location beacons as missing.
    • Improved DEX test error reporting.
    • Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile.
    • Added a TCP fallback for the MASQUE tunnel protocol to improve connectivity on networks that block UDP or HTTP/3 specifically.
    • Added new IP addresses for tunnel connectivity checks. If your organization uses a firewall or other policies you will need to exempt these IPs.
    • Fixed an issue where frequent network changes could cause WARP to become unresponsive.
    • DNS over HTTPS traffic is now included in the WARP tunnel by default.
    • Improvement for WARP to check if tunnel connectivity fails or times out at device wake before attempting to reconnect.
    • Fixed an issue causing WARP connection disruptions after network changes.

  1. WARP client for macOS (version 2025.4.929.0)

    Zero Trust WARP Client

    A new GA release for the macOS WARP client is now available on the stable releases downloads page.

    This release contains two significant changes all customers should be aware of:

    1. All DNS traffic now flows inside the WARP tunnel. Customers are no longer required to configure their local firewall rules to allow our DoH IP addresses and domains.
    2. When using MASQUE, the connection will fall back to HTTP/2 (TCP) when we detect that HTTP/3 traffic is blocked. This allows for a much more reliable connection on some public WiFi networks.

    Changes and improvements

    • Fixed an issue where the managed network policies could incorrectly report network location beacons as missing.
    • Improved DEX test error reporting.
    • Fixed an issue causing client notifications to fail in IPv6 only environments which prevented the client from receiving configuration changes to settings like device profile.
    • Improved captive portal detection.
    • Added a TCP fallback for the MASQUE tunnel protocol to improve connectivity on networks that block UDP or HTTP/3 specifically.
    • Added new IP addresses for tunnel connectivity checks. If your organization uses a firewall or other policies you will need to exempt these IPs.
    • DNS over HTTPS traffic is now included in the WARP tunnel by default.
    • Improved the error message displayed in the client GUI when the rate limit for entering an incorrect admin override code is met.
    • Improved handling of non-SLAAC IPv6 interface addresses for better connectivity in IPv6 only environments.
    • Fixed an issue where frequent network changes could cause WARP to become unresponsive.
    • Improvement for WARP to check if tunnel connectivity fails or times out at device wake before attempting to reconnect.
    • Fixed an issue causing WARP connection disruptions after network changes.

    Known issues

    • macOS Sequoia: Due to changes Apple introduced in macOS 15.0.x, the WARP client may not behave as expected. Cloudflare recommends the use of macOS 15.4 or later.