We are excited to announce that Cloudflare Threat Events now supports the STIX2 (Structured Threat Information Expression) format. This was a highly requested feature designed to streamline how security teams consume and act upon our threat intelligence. By adopting this industry-standard format, you can now integrate Cloudflare's threat events data more effectively into your existing security ecosystem. Key benefits
Eliminate the need for custom parsers, as STIX2 allows for "out of the box" ingestion into major Threat Intel Platforms (TIPs), SIEMs, and SOAR tools.
STIX2 provides a standardized way to represent relationships between indicators, sightings, and threat actors, giving your analysts a clearer picture of the threat landscape.
For technical details on how to query events using this format, please refer to our Threat Events API Documentation.
This week's release focuses on improvements to existing detections to enhance coverage. Key Findings
Existing rule enhancements have been deployed to improve detection resilience against SQL Injection.
RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionCommentsCloudflare Managed Ruleset72963b917ef74697b5bde02f48a1841a N/ASQLi - AND/OR MAKE_SET/ELT - BetaLogBlockThis rule is merged into the original rule "SQLi - AND/OR MAKE_SET/ELT" (ID: 0f41a593c8fe42c38a26f709252d3934 )Cloudflare Managed Rulesetadf076af09b2484ca9e7881f9e553ad3 N/A SQLi - Benchmark Function - Beta Log Block This rule is merged into the original rule "SQLi - Benchmark Function" (ID: ac4e9ebfb43a4f3998f6072d2ebc44ad )
You can now receive notifications when your Workers' builds start, succeed, fail, or get cancelled using Event Subscriptions. Workers Builds publishes events to a Queue that your Worker can read messages from, and then send notifications wherever you need — Slack, Discord, email, or any webhook endpoint. You can deploy this Worker to your own Cloudflare account to send build notifications to Slack: The template includes:
Build status with Preview/Live URLs for successful deployments Inline error messages for failed builds Branch, commit hash, and author name
For setup instructions, refer to the template README or the Event Subscriptions documentation.
Wrangler now includes built-in shell tab completion support, making it faster and easier to navigate commands without memorizing every option. Press Tab as you type to autocomplete commands, subcommands, flags, and even option values like log levels. Tab completions are supported for Bash, Zsh, Fish, and PowerShell. Setup Generate the completion script for your shell and add it to your configuration file:
After adding the script, restart your terminal or source your configuration file for the changes to take effect. Then you can simply press Tab to see available completions: wrangler d # completes to 'deploy', 'dev', 'd1', etc.wrangler kv # shows subcommands: namespace, key, bulk Tab completions are dynamically generated from Wrangler's command registry, so they stay up-to-date as new commands and options are added. This feature is powered by @bomb.sh/tab. See the wrangler complete documentation for more details.
Cloudflare admin activity logs now capture each time a DNS over HTTP (DoH) user is created. These logs can be viewed from the Cloudflare One dashboard, pulled via the Cloudflare API, and exported through Logpush.
You can now use the HAVING clause and LIKE pattern matching operators in Workers Analytics Engine. Workers Analytics Engine allows you to ingest and store high-cardinality data at scale and query your data through a simple SQL API. Filtering using HAVING The HAVING clause complements the WHERE clause by enabling you to filter groups based on aggregate values. While WHERE filters rows before aggregation, HAVING filters groups after aggregation is complete. You can use HAVING to filter groups where the average exceeds a threshold: SELECT blob1 AS probe_name, avg(double1) AS average_tempFROM temperature_readingsGROUP BY probe_nameHAVING average_temp > 10 You can also filter groups based on aggregates such as the number of items in the group: SELECT blob1 AS probe_name, count() AS num_readingsFROM temperature_readingsGROUP BY probe_nameHAVING num_readings > 100 Pattern matching using LIKE The new pattern matching operators enable you to search for strings that match specific patterns using wildcard characters:
LIKE - case-sensitive pattern matching NOT LIKE - case-sensitive pattern exclusion ILIKE - case-insensitive pattern matching NOT ILIKE - case-insensitive pattern exclusion
Pattern matching supports two wildcard characters: % (matches zero or more characters) and _ (matches exactly one character). You can match strings starting with a prefix: SELECT *FROM logsWHERE blob1 LIKE 'error%' You can also match file extensions (case-insensitive): SELECT *FROM requestsWHERE blob2 ILIKE '%.jpg' Another example is excluding strings containing specific text: SELECT *FROM eventsWHERE blob3 NOT ILIKE '%debug%' Ready to get started? Learn more about the HAVING clause or pattern matching operators in the Workers Analytics Engine SQL reference documentation.
Custom instance types are now enabled for all Cloudflare Containers users. You can now specify specific vCPU, memory, and disk amounts, rather than being limited to pre-defined instance types. Previously, only select Enterprise customers were able to customize their instance type. To use a custom instance type, specify the instance_type property as an object with vcpu, memory_mib, and disk_mb fields in your Wrangler configuration: [[containers]]image = "./Dockerfile"instance_type = { vcpu = 2, memory_mib = 6144, disk_mb = 12000 } Individual limits for custom instance types are based on the standard-4 instance type (4 vCPU, 12 GiB memory, 20 GB disk). You must allocate at least 1 vCPU for custom instance types. For workloads requiring less than 1 vCPU, use the predefined instance types like lite or basic. See the limits documentation for the full list of constraints on custom instance types. See the getting started guide to deploy your first Container,
You can now deploy microfrontends to Cloudflare, splitting a single application into smaller, independently deployable units that render as one cohesive application. This lets different teams using different frameworks develop, test, and deploy each microfrontend without coordinating releases. Microfrontends solve several challenges for large-scale applications:
Independent deployments: Teams deploy updates on their own schedule without redeploying the entire application Framework flexibility: Build multi-framework applications (for example, Astro, Remix, and Next.js in one app) Gradual migration: Migrate from a monolith to a distributed architecture incrementally
Create a microfrontend project: This template automatically creates a router worker with pre-configured routing logic, and lets you configure Service bindings to Workers you have already deployed to your Cloudflare account. The router Worker analyzes incoming requests, matches them against configured routes, and forwards requests to the appropriate microfrontend via service bindings. The router automatically rewrites HTML, CSS, and headers to ensure assets load correctly from each microfrontend's mount path. The router includes advanced features like preloading for faster navigation between microfrontends, smooth page transitions using the View Transitions API, and automatic path rewriting for assets, redirects, and cookies. Each microfrontend can be a full-framework application, a static site with Workers Static Assets, or any other Worker-based application. Get started with the microfrontends template, or read the microfrontends documentation for implementation details.
Magic WAN Connector now exports NetFlow data for breakout traffic to Magic Network Monitoring (MNM), providing visibility into traffic that bypasses Cloudflare's security filtering. This feature allows you to:
Monitor breakout traffic statistics in the Cloudflare dashboard. View traffic patterns for applications configured to bypass Cloudflare. Maintain visibility across all traffic passing through your Magic WAN Connector.
For more information, refer to NetFlow statistics.
We've shipped a new release for the Agents SDK v0.3.0 bringing full compatibility with AI SDK v6 and introducing the unified tool pattern, dynamic tool approval, and enhanced React hooks with improved tool handling. This release includes improved streaming and tool support, dynamic tool approval (for "human in the loop" systems), enhanced React hooks with onToolCall callback, improved error handling for streaming responses, and seamless migration from v5 patterns. This makes it ideal for building production AI chat interfaces with Cloudflare Workers AI models, agent workflows, human-in-the-loop systems, or any application requiring reliable tool execution and approval workflows. Additionally, we've updated workers-ai-provider v3.0.0, the official provider for Cloudflare Workers AI models, and ai-gateway-provider v3.0.0, the provider for Cloudflare AI Gateway, to be compatible with AI SDK v6. Agents SDK v0.3.0 Unified Tool Pattern AI SDK v6 introduces a unified tool pattern where all tools are defined on the server using the tool() function. This replaces the previous client-side AITool pattern. Server-Side Tool Definition import { tool } from "ai";import { z } from "zod"; // Server: Define ALL tools on the serverconst tools = { // Server-executed tool getWeather: tool({ description: "Get weather for a city", inputSchema: z.object({ city: z.string() }), execute: async ({ city }) => fetchWeather(city) }), // Client-executed tool (no execute = client handles via onToolCall) getLocation: tool({ description: "Get user location from browser", inputSchema: z.object({}) // No execute function }), // Tool requiring approval (dynamic based on input) processPayment: tool({ description: "Process a payment", inputSchema: z.object({ amount: z.number() }), needsApproval: async ({ amount }) => amount > 100, execute: async ({ amount }) => charge(amount) })}; Client-Side Tool Handling // Client: Handle client-side tools via onToolCall callbackimport { useAgentChat } from "agents/ai-react"; const { messages, sendMessage, addToolOutput } = useAgentChat({ agent, onToolCall: async ({ toolCall, addToolOutput }) => { if (toolCall.toolName === "getLocation") { const position = await new Promise((resolve, reject) => { navigator.geolocation.getCurrentPosition(resolve, reject); }); addToolOutput({ toolCallId: toolCall.toolCallId, output: { lat: position.coords.latitude, lng: position.coords.longitude } }); } }}); Key benefits of the unified tool pattern:
Server-defined tools: All tools are defined in one place on the server Dynamic approval: Use needsApproval to conditionally require user confirmation Cleaner client code: Use onToolCall callback instead of managing tool configs Type safety: Full TypeScript support with proper tool typing
useAgentChat(options) Creates a new chat interface with enhanced v6 capabilities. // Basic chat setup with onToolCallconst { messages, sendMessage, addToolOutput } = useAgentChat({ agent, onToolCall: async ({ toolCall, addToolOutput }) => { // Handle client-side tool execution await addToolOutput({ toolCallId: toolCall.toolCallId, output: { result: "success" } }); }}); Dynamic Tool Approval Use needsApproval on server tools to conditionally require user confirmation: const paymentTool = tool({ description: "Process a payment", inputSchema: z.object({ amount: z.number(), recipient: z.string() }), needsApproval: async ({ amount }) => amount > 1000, execute: async ({ amount, recipient }) => { return await processPayment(amount, recipient); }}); Tool Confirmation Detection The isToolUIPart and getToolName functions now check both static and dynamic tool parts: import { isToolUIPart, getToolName } from "ai"; const pendingToolCallConfirmation = messages.some((m) => m.parts?.some( (part) => isToolUIPart(part) && part.state === "input-available", ),); // Handle tool confirmationif (pendingToolCallConfirmation) { await addToolOutput({ toolCallId: part.toolCallId, output: "User approved the action" });} If you need the v5 behavior (static-only checks), use the new functions: import { isStaticToolUIPart, getStaticToolName } from "ai"; convertToModelMessages() is now async The convertToModelMessages() function is now asynchronous. Update all calls to await the result: import { convertToModelMessages } from "ai"; const result = streamText({ messages: await convertToModelMessages(this.messages), model: openai("gpt-4o")}); ModelMessage type The CoreMessage type has been removed. Use ModelMessage instead: import { convertToModelMessages, type ModelMessage } from "ai"; const modelMessages: ModelMessage[] = await convertToModelMessages(messages); generateObject mode option removed The mode option for generateObject has been removed: // Before (v5)const result = await generateObject({ mode: "json", model, schema, prompt}); // After (v6)const result = await generateObject({ model, schema, prompt}); Structured Output with generateText While generateObject and streamObject are still functional, the recommended approach is to use generateText/streamText with the Output.object() helper: import { generateText, Output, stepCountIs } from "ai"; const { output } = await generateText({ model: openai("gpt-4"), output: Output.object({ schema: z.object({ name: z.string() }) }), stopWhen: stepCountIs(2), prompt: "Generate a name"});
Note: When using structured output with generateText, you must configure multiple steps with stopWhen because generating the structured output is itself a step.
workers-ai-provider v3.0.0
Seamless integration with Cloudflare Workers AI models through the updated workers-ai-provider v3.0.0 with AI SDK v6 support.
Model Setup with Workers AI
Use Cloudflare Workers AI models directly in your agent workflows:
import { createWorkersAI } from "workers-ai-provider";import { useAgentChat } from "agents/ai-react";
// Create Workers AI model (v3.0.0 - enhanced v6 internals)const model = createWorkersAI({ binding: env.AI,})("@cf/meta/llama-3.2-3b-instruct");
Enhanced File and Image Support
Workers AI models now support v6 file handling with automatic conversion:
// Send images and files to Workers AI modelssendMessage({ role: "user", parts: [ { type: "text", text: "Analyze this image:" }, { type: "file", data: imageBuffer, mediaType: "image/jpeg", }, ],});
// Workers AI provider automatically converts to proper format
Streaming with Workers AI
Enhanced streaming support with automatic warning detection:
// Streaming with Workers AI modelsconst result = await streamText({ model: createWorkersAI({ binding: env.AI })("@cf/meta/llama-3.2-3b-instruct"), messages: await convertToModelMessages(messages), onChunk: (chunk) => { // Enhanced streaming with warning handling console.log(chunk); },});
ai-gateway-provider v3.0.0
The ai-gateway-provider v3.0.0 now supports AI SDK v6, enabling you to use Cloudflare AI Gateway with multiple AI providers including Anthropic, Azure, AWS Bedrock, Google Vertex, and Perplexity.
AI Gateway Setup
Use Cloudflare AI Gateway to add analytics, caching, and rate limiting to your AI applications:
import { createAIGateway } from "ai-gateway-provider";
// Create AI Gateway provider (v3.0.0 - enhanced v6 internals)const model = createAIGateway({ gatewayUrl: "https://gateway.ai.cloudflare.com/v1/your-account-id/gateway", headers: { "Authorization": Bearer ${env.AI_GATEWAY_TOKEN} }})({ provider: "openai", model: "gpt-4o"});
Migration from v5
Deprecated APIs
The following APIs are deprecated in favor of the unified tool pattern:
DeprecatedReplacementAITool typeUse AI SDK's tool() function on serverextractClientToolSchemas()Define tools on server, no client schemas neededcreateToolsFromClientSchemas()Define tools on server with tool()toolsRequiringConfirmation optionUse needsApproval on server toolsexperimental_automaticToolResolutionUse onToolCall callbacktools option in useAgentChatUse onToolCall for client-side executionaddToolResult()Use addToolOutput() Breaking Changes Summary
Unified Tool Pattern: All tools must be defined on the server using tool() convertToModelMessages() is async: Add await to all calls CoreMessage removed: Use ModelMessage instead generateObject mode removed: Remove mode option isToolUIPart behavior changed: Now checks both static and dynamic tool parts
Installation Update your dependencies to use the latest versions: npm install agents@^0.3.0 workers-ai-provider@^3.0.0 ai-gateway-provider@^3.0.0 ai@^6.0.0 @ai-sdk/react@^3.0.0 @ai-sdk/openai@^3.0.0 Resources
Migration Guide - Comprehensive migration documentation from v5 to v6 AI SDK v6 Documentation - Official AI SDK migration guide AI SDK v6 Announcement - Learn about new features in v6 AI SDK Documentation - Complete AI SDK reference GitHub Issues - Report bugs or request features
Feedback Welcome We'd love your feedback! We're particularly interested in feedback on:
Migration experience - How smooth was the upgrade from v5 to v6? Unified tool pattern - How does the new server-defined tool pattern work for you? Dynamic tool approval - Does the needsApproval feature meet your needs? AI Gateway integration - How well does the new provider work with your setup?
TanStack Start apps can now prerender routes to static HTML at build time with access to build time environment variables and bindings, and serve them as static assets. To enable prerendering, configure the prerender option of the TanStack Start plugin in your Vite config: import { defineConfig } from "vite";import { cloudflare } from "@cloudflare/vite-plugin";import { tanstackStart } from "@tanstack/react-start/plugin/vite"; export default defineConfig({ plugins: [ cloudflare({ viteEnvironment: { name: "ssr" } }), tanstackStart({ prerender: { enabled: true, }, }), ],}); This feature requires @tanstack/react-start v1.138.0 or later. See the TanStack Start framework guide for more details.
Earlier this year, we announced the launch of the new Terraform v5 Provider. We are aware of the high number of issues reported by the Cloudflare community related to the v5 release. We have committed to releasing improvements on a 2-3 week cadence to ensure its stability and reliability, including the v5.15 release. We have also pivoted from an issue-to-issue approach to a resource-per-resource approach - we will be focusing on specific resources to not only stabilize the resource but also ensure it is migration-friendly for those migrating from v4 to v5. Thank you for continuing to raise issues. They make our provider stronger and help us build products that reflect your needs. This release includes bug fixes, the stabilization of even more popular resources, and more. Features
ai_search: Add AI Search endpoints (6f02adb) certificate_pack: Ensure proper Terraform resource ID handling for path parameters in API calls (081f32a) worker_version: Support startup_time_ms (286ab55) zero_trust_dlp_custom_entry: Support upload_status (7dc0fe3) zero_trust_dlp_entry: Support upload_status (7dc0fe3) zero_trust_dlp_integration_entry: Support upload_status (7dc0fe3) zero_trust_dlp_predefined_entry: Support upload_status (7dc0fe3) zero_trust_gateway_policy: Support forensic_copy (5741fd0) zero_trust_list: Support additional types (category, location, device) (5741fd0)
Bug fixes
access_rules: Add validation to prevent state drift. Ideally, we'd use Semantic Equality but since that isn't an option, this will remove a foot-gun. (4457791) cloudflare_pages_project: Addressing drift issues (6edffcf) (3db318e) cloudflare_worker: Can be cleanly imported (4859b52) cloudflare_worker: Ensure clean imports (5b525bc) list_items: Add validation for IP List items to avoid inconsistent state (b6733dc) zero_trust_access_application: Remove all conditions from sweeper (3197f1a) spectrum_application: Map missing fields during spectrum resource import (#6495) (ddb4e72)
Upgrade to newer version We suggest waiting to migrate to v5 while we work on stabilization. This helps with avoiding any blocking issues while the Terraform resources are actively being stabilized. We will be releasing a new migration tool in March 2026 to help support v4 to v5 transitions for our most popular resources. For more information
Terraform Provider Documentation on using Terraform with Cloudflare
The cached/uncached classification logic used in Zone Overview analytics has been updated to improve accuracy. Previously, requests were classified as "cached" based on an overly broad condition that included blocked 403 responses, Snippets requests, and other non-cache request types. This caused inflated cache hit ratios — in some cases showing near-100% cached — and affected approximately 15% of requests classified as cached in rollups. The condition has been removed from the Zone Overview page. Cached/uncached classification now aligns with the heuristics used in HTTP Analytics, so only requests genuinely served from cache are counted as cached. What changed:
Zone Overview — Cache ratios now reflect actual cache performance. HTTP Analytics — No change. HTTP Analytics already used the correct classification logic. Historical data — This fix applies to new requests only. Previously logged data is not retroactively updated.
The Overview tab is now the default view in AI Crawl Control. The previous default view with controls for individual AI crawlers is available in the Crawlers tab. What's new
Executive summary — Monitor total requests, volume change, most common status code, most popular path, and high-volume activity Operator grouping — Track crawlers by their operating companies (OpenAI, Microsoft, Google, ByteDance, Anthropic, Meta) Customizable filters — Filter your snapshot by date range, crawler, operator, hostname, or path
Get started
Log in to the Cloudflare dashboard and select your account and domain. Go to AI Crawl Control, where the Overview tab opens by default with your activity snapshot. Use filters to customize your view by date range, crawler, operator, hostname, or path. Navigate to the Crawlers tab to manage controls for individual crawlers.
Learn more about analyzing AI traffic and managing AI crawlers.
R2 Data Catalog now supports automatic snapshot expiration for Apache Iceberg tables. In Apache Iceberg, a snapshot is metadata that represents the state of a table at a given point in time. Every mutation creates a new snapshot which enable powerful features like time travel queries and rollback capabilities but will accumulate over time. Without regular cleanup, these accumulated snapshots can lead to:
Metadata overhead Slower table operations Increased storage costs.
Snapshot expiration in R2 Data Catalog automatically removes old table snapshots based on your configured retention policy, improving performance and storage costs.
Snapshot expiration uses two parameters to determine which snapshots to remove:
--older-than-days: age threshold in days --retain-last: minimum snapshot count to retain
Both conditions must be met before a snapshot is expired, ensuring you always retain recent snapshots even if they exceed the age threshold. This feature complements automatic compaction, which optimizes query performance by combining small data files into larger ones. Together, these automatic maintenance operations keep your Iceberg tables performant and cost-efficient without manual intervention. To learn more about snapshot expiration and how to configure it, visit our table maintenance documentation or see how to manage catalogs.
This week's release focuses on improvements to existing detections to enhance coverage. Key Findings
Existing rule enhancements have been deployed to improve detection resilience against broad classes of web attacks and strengthen behavioral coverage.
RulesetRule IDLegacy Rule IDDescriptionPrevious ActionNew ActionCommentsCloudflare Managed Ruleset6429f7386b1546cf9dfce631be5ec20c N/AAtlassian Confluence - Code Injection - CVE:CVE-2021-26084 - BetaLogBlockThis rule is merged into the original rule "Atlassian Confluence - Code Injection - CVE:CVE-2021-26084" (ID: e8c550810618437c953cf3a969e0b97a )Cloudflare Managed Ruleset9108ddb347b3497e9f9351640d9206e3 N/A PostgreSQL - SQLi - Copy - Beta Log Block This rule is merged into the original rule "PostgreSQL - SQLi - COPY" (ID: 705a6b5569d5472596910e3ce7265a4e )Cloudflare Managed Rulesetcb687d73cc954092b58b90b00cd00ba7 N/A Generic Rules - Command Execution - Body Log Disabled This is a new detection.Cloudflare Managed Rulesetbf30657ffa2a424cbf6570dbcd679ad4 N/AGeneric Rules - Command Execution - HeaderLogDisabledThis is a new detection.Cloudflare Managed Ruleset6df040f716194070a242967cfd181fb3 N/AGeneric Rules - Command Execution - URILogDisabledThis is a new detection.Cloudflare Managed Ruleset39a4fdc37be948709fa7492e7a95bc3a N/ASQLi - Tautology - URI - BetaLogBlockThis rule is merged into the original rule "SQLi - Tautology - URI" (ID: 4c580ea1b5174183b7f5e940b3de2e0a )Cloudflare Managed Ruleset810e0ffe1dd84e67b159129b432ac90d N/ASQLi - WaitFor Function - BetaLogBlockThis rule is merged into the original rule "SQLi - WaitFor Function" (ID: b16fe708799441dea3049a99d5faba59 )Cloudflare Managed Ruleset80690005fef342e0ad6bc9af596c741e N/ASQLi - AND/OR Digit Operator Digit 2 - BetaLogBlockThis rule is merged into the original rule "SQLi - AND/OR Digit Operator Digit" (ID: 98e7e08ae64247e2801ca4b388d80772 )Cloudflare Managed Ruleseteaf11ab80b0d491cbb7186f303b2f3fe N/ASQLi - Equation 2 - BetaLogBlockThis rule is merged into the original rule "SQLi - Equation" (ID: 133c6f83cdf14509a4ca6b82a72a6b3a )