At Cloudflare we're dedicated to constantly improving our product. Read below to find out the latest updates.
Access service tokens
Thu, February 7, 2019
Access improves the security of service-to-service connections by adding service token authentication to the protections offered by Cloudflare. With service tokens, customers can now extend access control to automated tools, scripts, and bots.
Cache API now works with Workers to give customers greater, more fine grained control over Cloudflare's caching behavior. This API will now allow customers to cache objects that were traditionally uncacheable, for example caching POST requests.
Customers on Free, Pro and Business plans can now purchase load balancing support for up to 20 origins. This increased support allows customers to build a more resilient global infrastructure that ensures their customers are served content from locations closest to them, with the lowest latency.
We’re excited to announce early access for Traffic Acceleration with Cloudflare Mobile SDK. Acceleration uses novel transport algorithms built into the SDK to accelerate apps beyond the performance they would see with TCP. Enabling Acceleration through the SDK reduces latency, drives down network timeouts, and improves app user experiences.
Access now supports mutual TLS (mTLS) authentication. Mutual TLS authentication ensures that the traffic is secure and trusted in both directions between a client and server. This type of authentication can be used for allowing requests such as Internet of Things devices, that do not login with an identity provider, to demonstrate that they have permissions to reach a given resource.
Organizations will be able to use mutual TLS authentication as a second layer of authentication for users or as the primary method of authentication for connected devices.
Access can authenticate users who want to use SSH (Secure Shell). This removes the need for a VPN by developers, IT, and support to use this service while providing secure authentication and integration with major identity providers.
Access enables a Zero Trust Command Line Interface (CLI) authentication to APIs
Fri, October 5, 2018
Increase performance for users using APIs over CLI by authenticating near them, not in a far away VPN server. Simplify and reduce costs for deployment, configuration, and maintenance. Tightly control authorization through granular policies based on attributes such as users, IP ranges, and application URLs.
The Cloudflare dashboard now supports Single Sign On (SSO) for ease of centralized identity and access management. Reduce user provisioning times and avoid password sprawl, with a seamless SSO experience that supports your existing identity providers.
Cloudflare Workers now support the inclusion of WebAssembly modules. WebAssembly support allows developers to run code inside of Cloudflare Workers written in almost any language including: Rust, Go, C, C++, and others.
Cloudflare Workers KV provides access to a secure low latency key-value store at all 154 Cloudflare data centers. Developers can use Cloudflare Workers and Workers KV to augment existing applications or to build entirely new applications on top of Cloudflare's global cloud network. Workers KV scales seamlessly to support applications serving dozens or millions of users.
Cloudflare Registrar lets you securely register and manage your domain names with transparent, no-markup pricing that eliminates surprise renewal fees and hidden add-on charges. Be one of the first to transfer your domains to Cloudflare. Sign up today for the Cloudflare Registrar Early Access.
Server Name Indication (SNI) does not conceal the requested hostname in the ClientHello message during TLS negotiation. This allows intermediaries to have visibility into the hostnames of websites visited by users. Exposing the hostname means that the privacy of users can be compromised, content can be censored, or traffic can be served with discriminatory quality-of-service.
Encrypted SNI keeps the hostname private when a user is visiting an ESNI-enabled site on Cloudflare by concealing the browser’s requested hostname from anyone listening on the Internet.
All domains on Cloudflare using our authoritative name servers get Encrypted SNI enabled as default.
Cloudflare improves the accuracy of time for TLS handshakes through a rough, authenticated time-synchronization based on Google’s Roughtime protocol. By running a Roughtime service, we enable clients to securely keep approximately correct time, which reduces erroneous authentication from 'clock skew' and increases security through wider adoption of short-lived HTTPS certificates.
__Layer 4 Load Balancing__
Cloudflare now supports load balancing for non-HTTP/S traffic across multiple origins for increased availability and performance when deployed with Spectrum.
The Cloudflare Onion Service
Thu, September 20, 2018
Cloudflare will run an Onion Service on its network. Tor users visiting sites that have enabled this feature will be scored for reputation differently from general Tor traffic. This will result in fewer CAPTCHAs for human Tor users while protecting the site from malicious actors and reducing exit node tampering.
Cloudflare supports the RPKI-framework for two important parts of Internet transit: signing BGP routes it announces for all Cloudflare domains, and validating announced IP addresses when routing traffic through its global network. Authenticating BGP routes with public key signing helps prevents visitors or origins on RPKI compliant ISP's from being hijacked.
The Cloudflare Provider for Terraform now supports deployment and configuration of Cloudflare Workers. Users of Terraform can now include Cloudflare Workers as another part of their configuration as code approach to infrastructure.
Spectrum supports multiple ports for TCP applications
Thu, August 23, 2018
Spectrum allows TCP applications to support proxying multiple ports on the same hostname. A single application with multiple ports, (e.g. SMTP, which uses ports 25, 465, and 587) can be proxied through Cloudflare using the same hostname to protect it from DDoS attacks.
Cloudflare Stream makes streaming high quality video at a global scale easy and affordable. Eliminate the effort of delivering high quality video with a massive, globally distributed video delivery network. Use a single, integrated workflow through a robust API or drag and drop UI that includes video encoding, global delivery, and customizable player.
Access supports reusable nested groups and bypass policies
Tue, July 24, 2018
Cloudflare Access now provides more granular control by supporting reusable nested user groups and bypass policies that include IP address whitelisting. Access policies based on user groups automatically apply rules to all users in the defined group, simplifying the creation and management of policies. Access rules can also enable traffic to bypass authentication. You can whitelist specific IP addresses, address ranges, or open up specified endpoints to the public internet.
No VPN required. Cloudflare Access enables easy, secure, and fast access to internal applications wherever they are, from whatever device. Leverage a Zero Trust security framework with existing identity providers like Google™, Facebook™, Okta™, Github™, and more. Get your first 5 users per month for free.
Dynamic steering is a load balancing feature that automates traffic steering across origins in multiple geographic regions. Round-trip time (RTT) for health checks is calculated across multiple pools of load balanced servers and origins to determine the fastest server pools. This RTT data enables the load balancers to identify the fastest pools, and to direct user requests to the most responsive origins.
Cloudflare's DNS now supports the following record types: CERT, DNSKEY, DS, NAPTR, SMIMEA, SSHFP, TLSA, and URI via the web and API.
FQDN Resolution of Load Balanced Origins at the Edge
Thu, June 28, 2018
Cloudflare now resolves fully qualified domain name (FQDN) origins at the edge rather than centrally. This allows load balancers to better support origins that utilize geo-DNS or other dynamic responses.
Developer Portal Q2 Update
Mon, June 11, 2018
The Developer Portal has been updated in Q2 to include improved search, documentation for new products, and listings of upcoming Cloudflare community events.
On June 4, Cloudflare will be dropping support for TLS 1.0 and 1.1 on api.cloudflare.com. Additionally, the dashboard will be moved from www.cloudflare.com/a to dash.cloudflare.com and will require a browser that supports TLS 1.2 or higher.
Rate Limiting has two new features: challenges (CAPTCHA and JS Challenge) as an Action; and matching Header attributes in the response (from either origin or the cache) as the Trigger. These features give more control over how Cloudflare Rate Limiting responds to threshold violations, giving customers granularity over the types of requests to "count" to fit their different applications.
To learn more, go to the blog post.
Starting May 2 2018, users can go to the new home of Cloudflare’s Dashboard at dash.cloudflare.com and share account access. This has been supported at our Enterprise level of service, but is now being extended to all customers.
Support full SSL (Strict) mode validation for CNAME domains
Thu, April 12, 2018
Cloudflare is now able to validate origin certificates that use a hostname's CNAME target in Full SSL (Strict) mode. Previously, Cloudflare would not validate any certificate without a direct match of the HTTP hostname and the certificate's Common Name or SAN. This update allows SSL for SaaS customers to more easily enable end-to-end security.
Argo Tunnel ensures that no visitor or attacker can reach your web server unless they first pass through Cloudflare.
Using a lightweight agent installed on origin infrastructure, including containers or virtual machines, Cloudflare creates an encrypted tunnel between its nearest data center and an application’s origin server without opening a public inbound port.
Cloudflare is strengthening the Certificate Transparency (CT) ecosystem with our introduction of Nimbus, a free and open CT log. Certificate Transparency improves security online by bringing accountability to the system that protects HTTPs. Additionally, we have published Merkle Town, a dashboard for exploring and monitoring the certificate transparency ecosystem.
Create a rule to block or challenge a specific User Agent from accessing your domain. This works similarly to Zone Lockdown, except the block examines incoming User-Agent strings rather than IPs. User Agent blocking applies to an entire zone, and sub-domains cannot not be specified.
Zone Lockdown allows for the whitelisting of specific IP addresses and IP ranges, whereby all other IPs are effectively blacklisted. This supports specific sub-domains and URLs and is useful to protect an administrative area from non-specified IP addresses.
Cloudflare now supports additional HTTP cache-control directives. These headers allow more control over content caching behavior and enable our cache to handle more complex instructions for handling online assets.
Cloudflare now supports Certification Authority Authorization (CAA). CAA records allow domain owners to specify which CAs are authorized to issue certificates for their domain (or subdomain, as CAAs can be defined at any level of the hierarchy).
When people use anonymity services or shared IPs, it makes it more difficult for website protection services like Cloudflare to identify their requests as coming from legitimate users and not bots. The Privacy Pass browser extension reduces the number of challenge pages presented by Cloudflare by letting users prove their identity across multiple sites anonymously. The Privacy Pass extension is available for both Chrome and Firefox.
Cloudflare Load Balancing now supports session affinity, using automatically generated cookies. If session affinity is enabled, the same target receives the request and can use the automated cookie to recover an existing session with the origin server.
Geo Key Manager provides the ability to choose which Cloudflare data centers have access to private keys in order to establish HTTPS connections. Cloudflare has preconfigured options to select from either US or EU data centers as well as the highest security data centers in the Cloudflare network. Data centers without access to private keys can still terminate TLS, but they will experience a slight initial delay when contacting the nearest Cloudflare data center storing the private key.