Cloudflare product changelog

Wrangler - 3.32.0

Thursday, Mar 7, 2024

#5148 11951f3 Thanks @dom96! - chore: bump workerd to 1.20240304.0
#5148 11951f3 Thanks @dom96! - fix: use python_workers compat flag for Python
#5089 5b85dc9 Thanks @DaniFoldi! - fix: include all currently existing bindings in wrangler types

Add support for Email Send, Vectorize, Hyperdrive, mTLS, Browser Rendering and Workers AI bindings in wrangler types

For example, from the following wrangler.toml setup:

Previously, nothing would have been included in the generated Environment. Now, the following will be generated:
Updated dependencies [ 11951f3, 11951f3]:
- miniflare@3.20240304.0

D1 - Billing for D1 usage

Tuesday, Mar 5, 2024

As of 2024-03-05, D1 usage will start to be counted and may incur charges for an account’s future billing cycle.

Developers on the Workers Paid plan with D1 usage beyond included limits will incur charges according to D1’s pricing.

Developers on the Workers Free plan can use up to the included limits. Usage beyond the limits below requires signing up for the $5/month Workers Paid plan.

Account billable metrics are available in the Cloudflare Dashboard and GraphQL API.

Wrangler - 3.31.0

Tuesday, Mar 5, 2024

#5119 b0bd413 Thanks @garrettgu10! - feature: Python support for remote dev
#5118 30694a3 Thanks @garrettgu10! - fix: Including version identifiers in Python requirements.txt will now throw an error
#5132 82a3f94 Thanks @mrbbot! - fix: switch default logging level of unstable_dev() to warn

When running unstable_dev() in its default “test mode”, the logging level was set to none. This meant any Worker startup errors or helpful warnings wouldn’t be shown. This change switches the default to warn. To restore the previous behaviour, include logLevel: "none" in your options object:
#5128 d27e2a7 Thanks @taylorlee! - fix: Add legacy_env support to experimental versions upload command.
#5087 a5231de Thanks @dario-piotrowicz! - fix: make wrangler types always generate a d.ts file for module workers

Currently if a config file doesn’t define any binding nor module, running wrangler types against such file would not produce a d.ts file.

Producing a d.ts file can however still be beneficial as it would define a correct env interface (even if empty) that can be expanded/referenced by user code (this can be particularly convenient for scaffolding tools that may want to always generate an env interface).

Example: Before wrangler types --env-interface MyEnv run with an empty wrangler.toml file would not generate any file, after these change it would instead generate a file with the following content:
```
interface MyEnv {
}
```
#5138 3dd9089 Thanks @G4brym! - fix: ensure Workers-AI local mode fetcher returns headers to client worker
Updated dependencies [ 42bcc72, 42bcc72]:
- miniflare@3.20240223.1

WAF - Scheduled changes

Monday, Mar 4, 2024

Announcement Date	Release Date	Release Behavior	Legacy Rule ID	Rule ID	Description	Comments
2024-03-04	2024-03-11	Block	100627	...dc6877e2	Wordpress:Plugin:Bricks Builder Theme - Command Injection - CVE:CVE-2024-25600	N/A
2024-03-04	2024-03-11	Block	100628	...ae685218	ConnectWise - Auth Bypass	N/A

WAF - 2024-03-04

Monday, Mar 4, 2024

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...aa290ad9	100135D	XSS - JS On Events	N/A	Block	This detection was released as ...9c1c14e6 (BETA) in new WAF

Wrangler - 3.30.1

Thursday, Feb 29, 2024

#5106 2ed7f32 Thanks @RamIdeas! - fix: automatically drain incoming request bodies

Previously, requests sent to wrangler dev with unconsumed bodies could result in Network connection lost errors. This change attempts to work around the issue by ensuring incoming request bodies are drained if they’re not used. This is a temporary fix whilst we try to address the underlying issue. Whilst we don’t think this change will introduce any other issues, it can be disabled by setting the WRANGLER_DISABLE_REQUEST_BODY_DRAINING=true environment variable. Note this fix is only applied if you’ve enabled Wrangler’s bundling—--no-bundle mode continues to have the previous behaviour.
#5107 65d0399 Thanks @penalosa! - fix: Ensures that switching to remote mode during a dev session (from local mode) will correctly use the right zone. Previously, zone detection happened before the dev session was mounted, and so dev sessions started with local mode would have no zone inferred, and would have failed to start, with an ugly error.
#5107 65d0399 Thanks @penalosa! - fix: Ensure that preview sessions created without a zone don’t switch the host on which to start the preview from the one returned by the API.
#4833 54f6bfc Thanks @admah! - fix: remove extra arguments from wrangler init deprecation message and update recommended c3 version

c3 can now infer the pre-existing type from the presence of the --existing-script flag so we can remove the extra type argument. C3 2.5.0 introduces an auto-update feature that will make sure users get the latest minor version of c3 and prevent problems where older 2.x.x versions get cached by previous runs of wrangler init.

Wrangler - 3.30.0

Tuesday, Feb 27, 2024

#4742 c2f3f1e Thanks @benycodes! - feat: allow preserving file names when defining rules for non-js modules

The developer is now able to specify the `preserve_file_names property in wrangler.toml which specifies whether Wrangler will preserve the file names additional modules that are added to the deployment bundle of a Worker.

If not set to true, files will be named using the pattern ${fileHash}-${basename}. For example, 34de60b44167af5c5a709e62a4e20c4f18c9e3b6-favicon.ico.

Resolves #4741
Updated dependencies [ 0c0949d]:
- miniflare@3.20240223.0

DDoS protection - HTTP DDoS managed ruleset - 2024-02-26 - Emergency

Monday, Feb 26, 2024

Rule ID	Description	Previous Action	New Action	Notes
...6831bff1	HTTP requests with unusual HTTP headers or URI path (signature #35).	block	block	Extend the rule to catch attacks more comprehensively.
...e269dfd6	HTTP requests with unusual HTTP headers or URI path (signature #56).	block	block	Extend the rule to catch attacks more comprehensively.

Version Management - Support for API Shield

Monday, Feb 26, 2024

API Shield no longer prevents Version Management enablement and zone settings configurations.

WAF - 2024-02-26

Monday, Feb 26, 2024

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...1d870399	100546	XSS - HTML Encoding	N/A	Block	This detection was released as ...07c62aeb (BETA) in new WAF

Queues - Explicit retries no longer impact consumer concurrency/scaling.

Saturday, Feb 24, 2024

Calling retry() or retryAll() on a message or message batch will no longer have an impact on how Queues scales consumer concurrency.

Previously, using explicit retries via retry() or retryAll() would count as an error and could result in Queues scaling down the number of concurrent consumers.

Workers - 2024-02-23

Friday, Feb 23, 2024

Sockets now support an opened attribute.
Durable Object alarm handlers now impose a maximum wall time of 15 minutes.

Wrangler - 3.29.0

Thursday, Feb 22, 2024

#5042 5693d076 Thanks @dario-piotrowicz! - feat: add new --env-interface to wrangler types

Allow users to specify the name of the interface that they want wrangler types to generate for the env parameter, via the new CLI flag --env-interface

Example:

generates

instead of
#5042 5693d076 Thanks @dario-piotrowicz! - feat: add new path positional argument to wrangler types

Allow users to specify the path to the typings (.d.ts) file they want wrangler types to generate

Example:

generates a my-env.d.ts file in the current directory instead of creating a worker-configuration.d.ts file
#5042 5693d076 Thanks @dario-piotrowicz! - feat: include command run in the wrangler types comment

In the comment added to the .d.ts file generated by wrangler types include the command run to generated the file
#4303 1c460287 Thanks @richardscarrott! - fix: allow Pages Functions to import built-in node:* modules, even when not bundling with wrangler
#4957 50f93bd2 Thanks @garrettgu10! - fix: don’t strip .py extensions from Python modules
#5042 5693d076 Thanks @dario-piotrowicz! - fix: make wrangler types honor top level config argument

The wrangler types command currently ignores the -c|--config argument (although it is still getting shown in the command’s help message). Make sure that the command honors the flag. Also, if no config file is detected present a warning to the user
#5042 5693d076 Thanks @dario-piotrowicz! - fix: make the wrangler types command pick up local secret keys from .dev.vars

Make sure that the wrangler types command correctly picks up secret keys defined in .dev.vars and includes them in the generated file (marking them as generic string types of course)
Updated dependencies [ b03db864]:
- miniflare@3.20240208.0

WAF - 2024-02-20

Tuesday, Feb 20, 2024

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...9a5581d0	100622B, 100622C	Ivanti - Command Injection - CVE:CVE-2023-46805, CVE:CVE-2024-21887, CVE:CVE-2024-22024	N/A	Block	N/A
Cloudflare Specials	...d0b325aa	N/A	Microsoft ASP.NET - Code Injection - Function response.write	N/A	Block	This detection was released as ...50c86f85 (BETA) in new WAF
Cloudflare Specials	...1b138b3e	N/A	NoSQL, MongoDB - SQLi - Comparison	N/A	Block	This detection was released as ...4ba436bb (BETA) in new WAF
Cloudflare Specials	...8f66903c	N/A	NoSQL, MongoDB - SQLi - Expression	N/A	Block	This detection was released as ...f67956b2 (BETA) in new WAF
Cloudflare Specials	...2d2e031c	N/A	PHP - Code Injection	N/A	Disabled	This detection was released as ...2a1f3a04 (BETA) in new WAF
Cloudflare Specials	...824b817c	N/A	PHP, vBulletin, jQuery File Upload - Code Injection, Dangerous File Upload - CVE:CVE-2018-9206, CVE:CVE-2019-17132	N/A	Block	This detection was released as ...dcd12482 (BETA) in new WAF

Wrangler - 3.28.4

Tuesday, Feb 20, 2024

#5050 88be4b84 Thanks @nora-soderlund! - fix: allow kv:namespace create to accept a namespace name that contains characters not allowed in a binding name

This command tries to use the namespace name as the binding. Previously, we would unnecessarily error if this namespace name did not fit the binding name constraints. Now we accept such names and then remove invalid characters when generating the binding name.

DDoS protection - HTTP DDoS managed ruleset - Scheduled changes

Monday, Feb 19, 2024

Announcement Date	Change Date	Rule ID	Description	Previous Action	New Action	Notes
N/A	N/A	N/A	N/A	N/A	N/A	N/A

DDoS protection - HTTP DDoS managed ruleset - 2024-02-19

Monday, Feb 19, 2024

Rule ID	Description	Previous Action	New Action	Notes
...0fbfd5ae	HTTP requests from known botnet (signature #32).	block	ddos_dynamic
...22807318	HTTP requests from known botnets.	ddos_dynamic	ddos_dynamic	Expand rule logic to catch more attacks.
...3ad719cd	HTTP requests from known botnet (signature #79).	ddos_dynamic	ddos_dynamic	Expand the rule scope to catch more attacks.

D1 - API changes to `.run()`

Friday, Feb 16, 2024

A previous change (made on 2024-02-13) to the run() query statement method has been reverted.

run() now returns a D1Result, including the result rows, matching its original behaviour prior to the change on 2024-02-13.

Future change to run() to return a D1ExecResult, as originally intended and documented, will be gated behind a compatibility date as to avoid breaking existing Workers relying on the way run() currently works.

Stream - Tonemapping impovements for HDR content

Friday, Feb 16, 2024

In certain cases, videos uploaded with an HDR colorspace (such as footage from certain mobile devices) appeared washed out or desaturated when played back. This issue is resolved for new uploads.

Wrangler - 3.28.3

Friday, Feb 16, 2024

#5026 04584722 Thanks @dario-piotrowicz! - fix: make sure getPlatformProxy produces a production-like caches object

make sure that the caches object returned to getPlatformProxy behaves in the same manner as the one present in production (where calling unsupported methods throws a helpful error message)

note: make sure that the unsupported methods are however not included in the CacheStorage type definition
#5030 55ea0721 Thanks @mrbbot! - fix: don’t suggest reporting user errors to GitHub

Wrangler has two different types of errors: internal errors caused by something going wrong, and user errors caused by an invalid configuration. Previously, we would encourage users to submit bug reports for user errors, even though there’s nothing we can do to fix them. This change ensures we only suggest this for internal errors.
#4900 3389f2e9 Thanks @OilyLime! - feature: allow hyperdrive users to set local connection string as environment variable

Wrangler dev now supports the HYPERDRIVE_LOCAL_CONNECTION_STRING environmental variable for connecting to a local database instance when testing Hyperdrive in local development. This environmental variable takes precedence over the localConnectionString set in wrangler.toml.
#5033 b1ace91b Thanks @mrbbot! - fix: wait for actual port before opening browser with --port=0

Previously, running wrangler dev --remote --port=0 and then immediately pressing b would open localhost:0 in your default browser. This change queues up opening the browser until Wrangler knows the port the dev server was started on.
#5026 04584722 Thanks @dario-piotrowicz! - fix: relax the getPlatformProxy’s’ cache request/response types

prior to these changes the caches obtained from getPlatformProxy would use unknowns as their types, this proved too restrictive and incompatible with the equivalent @cloudflare/workers-types types, we decided to use anys instead to allow for more flexibility whilst also making the type compatible with workers-types
Updated dependencies [ 7723ac17, 027f9719, 027f9719, 027f9719, 027f9719, 027f9719, 027f9719]:
- miniflare@3.20240129.3

Zaraz - 2024-02-15

Thursday, Feb 15, 2024

NEW: add manager.route support for Managed Components
NEW: introduce zaraz.spaPageview() for manually triggering SPA pageviews
NEW: add support for client-evaluated triggers (UI update following shortly)
Pinterest MC: Add ecommerce support
Google Ads MC: Append url and rnd params to pagead/landing endpoint
Bugfix: Add noindex robots headers for Zaraz GET endpoint responses
Bugfix: Gracefully handle responses from custom MCs without mapped endpoints

D1 - API changes to `.raw()`, `.all()` and `.run()`

Tuesday, Feb 13, 2024

D1’s raw(), all() and run() query statement methods have been updated to reflect their intended behaviour and improve compatibility with ORM libraries.

raw() now correctly returns results as an array of arrays, allowing the correct handling of duplicate column names (such as when joining tables), as compared to all(), which is unchanged and returns an array of objects. To include an array of column names in the results when using raw(), use raw({columnNames: true}).

run() no longer incorrectly returns a D1Result and instead returns a D1ExecResult as originally intended and documented.

This may be a breaking change for some applications that expected raw() to return an array of objects.

Visit the query databases documentation to review D1’s query methods, return types and TypeScript support in detail.

Wrangler - 3.28.2

Tuesday, Feb 13, 2024

#4950 05360e43 Thanks @petebacondarwin! - fix: ensure we do not rewrite external Origin headers in wrangler dev

In https://github.com/cloudflare/workers-sdk/pull/4812 we tried to fix the Origin headers to match the Host header but were overzealous and rewrote Origin headers for external origins (outside of the proxy server’s origin).

This is now fixed, and moreover we rewrite any headers that refer to the proxy server on the request with the configured host and vice versa on the response.

This should ensure that CORS is not broken in browsers when a different host is being simulated based on routes in the Wrangler configuration.
#4997 bfeefe27 Thanks @dario-piotrowicz! - chore: add missing defineNavigatorUserAgent dependency to useEsbuild hook
#4966 36692326 Thanks @penalosa! - fix: Report Custom Build failures as UserErrors
#5002 315a651b Thanks @dario-piotrowicz! - chore: rename getBindingsProxy to getPlatformProxy

initially getBindingsProxy was supposed to only provide proxies for bindings, the utility has however grown, including now cf, ctx and caches, to clarify the increased scope the utility is getting renamed to getPlatformProxy and its bindings field is getting renamed env

note: getBindingProxy with its signature is still kept available, making this a non breaking change
Updated dependencies [ 05360e43]:
- miniflare@3.20240129.2

DDoS protection - HTTP DDoS managed ruleset - 2024-02-12

Monday, Feb 12, 2024

Rule ID	Description	Previous Action	New Action	Notes
...c47bdca6	HTTP requests with unusual HTTP headers or URI path (signature #62).	N/A	block

WAF - 2024-02-12

Monday, Feb 12, 2024

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...901523c0	100625	Jenkins - Information Disclosure - CVE:CVE-2024-23897	N/A	Block	N/A
Cloudflare Specials	...d5e015dd	100514	Log4j Headers	N/A	Block	N/A
Cloudflare Specials	...dc29b753	100515B	Log4j Body Obfuscation	N/A	Block	N/A

DDoS protection - HTTP DDoS managed ruleset - 2024-02-08 - Emergency

Thursday, Feb 8, 2024

Rule ID	Description	Previous Action	New Action	Notes
...3a679c52	Requests coming from known bad sources.	ddos_dynamic	managed_challenge	Expand the rule to mitigate on all zones.

DDoS protection - HTTP DDoS managed ruleset - 2024-02-06 - Emergency

Tuesday, Feb 6, 2024

Rule ID	Description	Previous Action	New Action	Notes
...1fc1e601	HTTP requests with unusual HTTP headers or URI path (signature #31).	block	block	Modify characteristics of the unusual HTTP headers or URI path.
...3a679c52	Requests coming from known bad sources.	N/A	ddos_dynamic
...3ad719cd	HTTP requests from known botnet (signature #79).	ddos_dynamic	ddos_dynamic	Expand the scope of the rule to match more attacks.

DDoS protection - HTTP DDoS managed ruleset - 2024-02-05 - Emergency

Monday, Feb 5, 2024

Rule ID	Description	Previous Action	New Action	Notes
...22807318	HTTP requests from known botnets.	ddos_dynamic	ddos_dynamic	Extend the rule to catch more attacks.

WAF - 2024-02-05

Monday, Feb 5, 2024

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...52d6027b	100624	GoAnywhere - Auth Bypass - CVE:CVE-2024-0204	N/A	Block	N/A
Cloudflare Specials	...f89ab164	100626,100626A	Anomaly:Header:Content-Type - Multiple	N/A	Disabled	New Detection
Cloudflare Specials	...7736c63c	N/A	AngularJS - XSS	N/A	Block	This detection was released as ...014fc5b9 (BETA) in new WAF
Cloudflare Specials	...a02344cb	N/A	Apache HTTP Server - Server-Side Includes	N/A	Disabled	This detection was released as ...10cae4a8 (BETA) in new WAF
Cloudflare Specials	...af52d528	N/A	Command Injection - CVE:CVE-2014-6271	N/A	Block	This detection was released as ...d2a0991c (BETA) in new WAF
Cloudflare Specials	...b090ba9a	N/A	Command Injection - Nslookup	N/A	Block	This detection was released as ...da3d944c (BETA) in new WAF
Cloudflare Specials	...d5a14a5e	N/A	Microsoft ASP.NET - Code Injection	N/A	Disabled	This detection was released as ...70f4f073 (BETA) in new WAF

Zaraz - 2024-02-05

Monday, Feb 5, 2024

Dashboard: rename “tracks” to “events” for consistency
Pinterest Conversion API MC: update parameters sent to api
HTTP MC: update _settings prefix usage handling
Bugfix: better minification of client-side js
Bugfix: fix bug where anchor link click events were not bubbling when using click listener triggers
API update: begin migration support from deprecated tool.neoEvents array to tool.actions object config schema migration

DDoS protection - HTTP DDoS managed ruleset - 2024-01-26 - Emergency

Friday, Jan 26, 2024

Rule ID	Description	Previous Action	New Action	Notes
...3ad719cd	HTTP requests from known botnet (signature #79).	N/A	ddos_dynamic
...61bc58d5	HTTP requests with unusual HTTP headers or URI path (signature #55).	managed_challenge	managed_challenge	Expanded the scope of the rule to catch attacks more consistently.

DDoS protection - HTTP DDoS managed ruleset - 2024-01-25

Thursday, Jan 25, 2024

Rule ID	Description	Previous Action	New Action	Notes
...1fc1e601	HTTP requests with unusual HTTP headers or URI path (signature #31).	block	block	Add more characteristics to the unusual HTTP headers or URI path.

DDoS protection - HTTP DDoS managed ruleset - 2024-01-23

Tuesday, Jan 23, 2024

Rule ID	Description	Previous Action	New Action	Notes
...1fc1e601	HTTP requests with unusual HTTP headers or URI path (signature #31).	block	block	Add more characteristics to the unusual HTTP headers or URI path.
...2de94fb2	HTTP requests with unusual HTTP headers or URI path (signature #3).	ddos_dynamic	block	Expand rule scope to catch more attacks.
...2f8d9a4f	HTTP requests from known botnet (signature #78).	N/A	block

WAF - 2024-01-22 - Emergency

Monday, Jan 22, 2024

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...da07a922	100623	Atlassian Confluence - Template Injection - CVE:CVE-2023-22527	N/A	Block	N/A

D1 - Support for LIMIT on UPDATE and DELETE statements

Thursday, Jan 18, 2024

D1 now supports adding a LIMIT clause to UPDATE and DELETE statements, which allows you to limit the impact of a potentially dangerous operation.

Vectorize - HTTP API query vectors request and response format change

Wednesday, Jan 17, 2024

Vectorize /query HTTP endpoint has the following changes:

returnVectors request body property is deprecated in favor of returnValues and returnMetadata properties.
Response format has changed to the below format to match [Workers API change]:(/workers/configuration/compatibility-dates/#vectorize-query-with-metadata-optionally-returned)

WAF - 2024-01-17 - Emergency

Wednesday, Jan 17, 2024

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...34ab53c5	100622	Ivanti - Auth Bypass, Command Injection - CVE:CVE-2023-46805, CVE:CVE-2024-21887	N/A	Block	N/A

WAF - 2024-01-16

Tuesday, Jan 16, 2024

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...38906cff	100620	Microsoft ASP.NET - Remote Code Execution - CVE:CVE-2023-35813	N/A	Block	N/A
Cloudflare Specials	...84f664a9	100619	Liferay - Remote Code Execution - CVE:CVE-2020-7961	N/A	Block	N/A
Cloudflare Specials	...7d29ec39	100618	pfSense - Remote Code Execution - CVE:CVE-2023-42326	N/A	Block	N/A
Cloudflare Specials	...9016ef33	100621	Clerk - Auth Bypass	N/A	Disabled	N/A

DDoS protection - HTTP DDoS managed ruleset - 2024-01-05

Friday, Jan 5, 2024

Rule ID	Description	Previous Action	New Action	Notes
...2de94fb2	HTTP requests with unusual HTTP headers or URI path (signature #3).	block	block	Fine-tune the characteristics of the unusual requests.
...177059f1	HTTP requests from known botnet (signature #31).	block	N/A	Removed due to false positives.
...6fe7a312	HTTP requests from known botnet (signature #70).	block	N/A	Removed due to false positives.
...82c0ed5f	HTTP requests from known botnet (signature #77).	N/A	block
...e4f3ea4d	HTTP requests from known botnet (signature #76).	N/A	block

WAF - 2024-01-04

Thursday, Jan 4, 2024

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...53c7ccde	100612	SnakeYAML - CVE:CVE-2022-1471	N/A	Block	N/A

DDoS protection - HTTP DDoS managed ruleset - 2023-12-19 - Emergency

Tuesday, Dec 19, 2023

Rule ID	Description	Previous Action	New Action	Notes
...1fc1e601	HTTP requests with unusual HTTP headers or URI path (signature #31).	block	block	Add more characteristics to the unusual HTTP headers or URI path.
...22807318	HTTP requests from known botnets.	log	ddos_dynamic	Extend the rule to catch more attacks.
...d2f294d7	HTTP requests trying to impersonate browsers.	ddos_dynamic	ddos_dynamic	Change the rule to catch more attacks.

Zaraz - 2023-12-19

Tuesday, Dec 19, 2023

Google Analytics 4 Managed Component: Fix Google Analytics 4 average engagement time metric.

D1 - Legacy alpha automated backups disabled

Monday, Dec 18, 2023

Databases using D1’s legacy alpha backend will no longer run automated hourly backups. You may still choose to take manual backups of these databases.

The D1 team recommends moving to D1’s new production backend, which will require you to export and import your existing data. D1’s production backend is faster than the original alpha backend. The new backend also supports Time Travel, which allows you to restore your database to any minute in the past 30 days without relying on hourly or manual snapshots.

Turnstile - 2023-12-18

Monday, Dec 18, 2023

Added Pre-Clearance mode.

WAF - 2023-12-18

Monday, Dec 18, 2023

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...1bc977d1	N/A	DotNetNuke - File Inclusion - CVE:CVE-2018-9126, CVE:CVE-2011-1892, CVE:CVE-2022-31474	N/A	Block	This rule was released as ...76abfd64

DDoS protection - HTTP DDoS managed ruleset - 2023-12-14 - Emergency

Thursday, Dec 14, 2023

Rule ID	Description	Previous Action	New Action	Notes
...6fe7a312	HTTP requests from known botnet (signature #70).	block	block	Tweak the rule to avoid false positives in some rare cases.

WAF - 2023-12-14 - Emergency

Thursday, Dec 14, 2023

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...bb6d4e13	100615	Apache Struts - Remote Code Execution - CVE:CVE-2023-50164	N/A	Block	N/A

DDoS protection - HTTP DDoS managed ruleset - 2023-12-08 - Emergency

Friday, Dec 8, 2023

Rule ID	Description	Previous Action	New Action	Notes
...6fe7a312	HTTP requests from known botnet (signature #70).	block	block	Updated the rule to avoid false positives in some rare circumstances.
...e7a37252	HTTP requests from known botnet (signature #75).	N/A	block

Vectorize - Metadata filtering

Wednesday, Dec 6, 2023

Vectorize now supports metadata filtering with equals ($eq) and not equals ($neq) operators. Metadata filtering limits query() results to only vectors that fulfill new filter property.

Only new indexes created on or after 2023-12-06 support metadata filtering. Currently, there is no way to migrate previously created indexes to work with metadata filtering.

Workers - 2023-12-04

Monday, Dec 4, 2023

The Web Platform standard navigator.sendBeacon(...) API is now provided by the Workers runtime.
V8 updated to 12.0.

DDoS protection - HTTP DDoS managed ruleset - 2023-11-29

Wednesday, Nov 29, 2023

Rule ID	Description	Previous Action	New Action	Notes
...8ed59b32	HTTP requests with unusual HTTP headers or URI path (signature #61).	ddos_dynamic	ddos_dynamic	Rename rule to avoid confusion.
...61e8d513	Global L7 WordPress attack mitigations (Deprecated)	ddos_dynamic	ddos_dynamic	Mark rule as deprecated.

Radar - Add more meta information's

Monday, Nov 27, 2023

Added meta.lastUpdated to all summaries and top endpoints (timeseries and timeseriesGroups already had this).
Fix meta.dateRange to return date ranges for all requested series.

DDoS protection - HTTP DDoS managed ruleset - 2023-11-22

Wednesday, Nov 22, 2023

Rule ID	Description	Previous Action	New Action	Notes
...254da96a	HTTP requests with unusual HTTP headers or URI path (signature #58).	log	block

WAF - 2023-11-21

Tuesday, Nov 21, 2023

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...8ed2b1d9	100611	WordPress:Plugin:WooCommerce - Unauthorized Administrator Access - CVE:CVE-2023-28121	N/A	Block	N/A
Cloudflare Specials	...c3b6a372	100593	Adobe ColdFusion - Auth Bypass, Remote Code Execution - CVE:CVE-2023-29298, CVE:CVE-2023-38203, CVE:CVE-2023-26360	N/A	Block	N/A

Radar - Add new Layer 3 endpoints and Layer 7 dimensions

Thursday, Nov 16, 2023

Added Layer 3 top origin locations and top target location.
Added Layer 7 Summaries by http_method, http_version, ip_version, managed_rules, mitigation_product.
Added Layer 7 Timeseries Groups by http_method, http_version, ip_version, managed_rules, mitigation_product, industry, vertical.
Added Layer 7 Top by industry, vertical.
Deprecated Layer 7 timeseries groups without dimension.
- To continue getting this data, switch to the new timeseries group by mitigation_product endpoint.
Deprecated Layer 7 summary without dimension).
- To continue getting this data, switch to the new summary by mitigation_product endpoint.
Added new Error codes.

DDoS protection - HTTP DDoS managed ruleset - 2023-11-13 - Emergency

Monday, Nov 13, 2023

Rule ID	Description	Previous Action	New Action	Notes
...22807318	HTTP requests from known botnets.	ddos_dynamic	ddos_dynamic	Improve this filter to catch more attacks.
...6fe7a312	HTTP requests from known botnet (signature #70).	block	block
...7c7a2f25	HTTP requests from known botnet (signature #74).	N/A	block
...d2f294d7	HTTP requests trying to impersonate browsers.	ddos_dynamic	ddos_dynamic

Zaraz - 2023-11-13

Monday, Nov 13, 2023

HTTP Request Managed Component: Re-added __zarazTrack property.

DDoS protection - HTTP DDoS managed ruleset - 2023-11-10 - Emergency

Friday, Nov 10, 2023

Rule ID	Description	Previous Action	New Action	Notes
...7d0f1e5f	HTTP requests from known botnet (signature #72).	N/A	block
...94547a95	HTTP requests with unusual HTTP headers or URI path (signature #59).	N/A	ddos_dynamic
...e269dfd6	HTTP requests with unusual HTTP headers or URI path (signature #56).	log	block	Enable filter early to mitigate widespread impact.
...f35a42a0	HTTP requests with unusual HTTP headers or URI path (signature #57).	log	block	Enable filter early to mitigate widespread impact.

Vectorize - Metadata API changes

Wednesday, Nov 8, 2023

Vectorize now supports distinct returnMetadata and returnValues arguments when querying an index, replacing the now-deprecated returnVectors argument. This allows you to return metadata without needing to return the vector values, reducing the amount of unnecessary data returned from a query. Both returnMetadata and returnValues default to false.

For example, to return only the metadata from a query, set returnMetadata: true.

New Workers projects created on or after 2023-11-08 or that update the compatibility date for an existing project will use the new return type.

Stream - HLS improvements for on-demand TS output

Tuesday, Nov 7, 2023

HLS output from Cloudflare Stream on-demand videos that use Transport Stream file format now includes a 10 second offset to timestamps. This will have no impact on most customers. A small percentage of customers will see improved playback stability. Caption files were also adjusted accordingly.

WAF - 2023-11-06 - Emergency

Monday, Nov 6, 2023

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...c54e7046	100614	Atlassian Confluence - Code Injection - CVE:CVE-2023-22518	N/A	Block	N/A

Radar - Add new Layer 3 direction parameter

Tuesday, Oct 31, 2023

Added a direction parameter to all Layer 3 endpoints. Use together with location parameter to filter by origin or target location timeseries groups.

Zaraz - 2023-10-31

Tuesday, Oct 31, 2023

Google Analytics 4 Managed Component: Remove debug_mode key if falsy or false.

WAF - 2023-10-30

Monday, Oct 30, 2023

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...d59a59db	100609	Keycloak - SSRF - CVE:CVE-2020-10770	N/A	Block	N/A

Workers - 2023-10-30

Monday, Oct 30, 2023

A new usage model called Workers Standard is available for Workers and Pages Functions pricing. This is now the default usage model for accounts that are first upgraded to the Workers Paid plan. Read the blog post for more information.
The usage model set in a script’s wrangler.toml will be ignored after an account has opted-in to Workers Standard pricing. It must be configured through the dashboard (Workers & Pages > Select your Worker > Settings > Usage Model).
Workers and Pages Functions on the Standard usage model can set custom CPU limits for their Workers

AI Gateway - 2023-10-26

Thursday, Oct 26, 2023

Real-time Logs: Logs are now real-time, showing logs for the last hour. If you have a need for persistent logs, please let the team know on Discord. We are building out a persistent logs feature for those who want to store their logs for longer.
Providers: Azure OpenAI is now supported as a provider!
Docs: Added Azure OpenAI example.
Bug Fixes: Errors with costs and tokens should be fixed.

Zaraz - 2023-10-26

Thursday, Oct 26, 2023

Custom HTML: Added support for non-JavaScript script tags.

WAF - 2023-10-23

Monday, Oct 23, 2023

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...3e3f706d	100606	JetBrains TeamCity - Auth Bypass, Remote Code Execution - CVE:CVE-2023-42793	N/A	Block	N/A
Cloudflare Specials	...469c4a38	100607	Progress WS_FTP - Information Disclosure - CVE:CVE-2023-40044	N/A	Block	N/A
Cloudflare Specials	...7ccccdce	100608	Progress WS_FTP - Remote Code Execution - CVE:CVE-2023-40044	N/A	Block	N/A

Workers - 2023-10-20

Friday, Oct 20, 2023

Added the crypto_preserve_public_exponent compatibility flag to correct a wrong type being used in the algorithm field of RSA keys in the WebCrypto API.

Zaraz - 2023-10-20

Friday, Oct 20, 2023

Bing Managed Component: Fixed an issue where some events were not being sent to Bing even after being triggered.
Dashboard: Improved welcome screen for new Zaraz users".

DDoS protection - HTTP DDoS managed ruleset - 2023-10-19

Thursday, Oct 19, 2023

Rule ID	Description	Previous Action	New Action	Notes
...61bc58d5	HTTP requests with unusual HTTP headers or URI path (signature #55).	ddos_dynamic	ddos_dynamic	Requests will be challenged by default, larger attacks are blocked.

Workers - 2023-10-18

Wednesday, Oct 18, 2023

The limit of 3 Cron Triggers per Worker has been removed. Account-level limits on the total number of Cron Triggers across all Workers still apply.

Workers - 2023-10-12

Thursday, Oct 12, 2023

A TCP Socket’s WritableStream now ensures the connection has opened before resolving the promise returned by close.

DDoS protection - HTTP DDoS managed ruleset - 2023-10-11

Wednesday, Oct 11, 2023

Rule ID	Description	Previous Action	New Action	Notes
...35675e08	HTTP requests with unusual HTTP headers or URI path (signature #24).	block	block	This rule can cause rare false positives with custom apps sending invalid headers.

WAF - 2023-10-11 - Emergency

Wednesday, Oct 11, 2023

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...ec9f34e1	100604	Atlassian Confluence - Privilege Escalation - CVE:CVE-2023-22515	N/A	Block	This rule is released for our Cloudflare Free customers as well, rule ID: ...91935fcb (Detection logic update)

Stream - SRT Audio Improvements

Tuesday, Oct 10, 2023

In some cases, playback via SRT protocol was missing an audio track regardless of existence of audio in the broadcast. This issue is now resolved.

Tenant - New Tenant Admin UI

Tuesday, Oct 10, 2023

Partners can now create and view accounts through the Cloudflare dashboard by going to Tenants > Managed Accounts.

AI Gateway - 2023-10-09

Monday, Oct 9, 2023

Logs: Logs will now be limited to the last 24h. If you have a use case that requires more logging, please reach out to the team on Discord.
Dashboard: Logs now refresh automatically.
Docs: Fixed Workers AI example in docs and dash.
Caching: Embedding requests are now cacheable. Rate limit will not apply for cached requests.
Bug Fixes: Identical requests to different providers are not wrongly served from cache anymore. Streaming now works as expected, including for the Universal endpoint.
Known Issues: There’s currently a bug with costs that we are investigating.

DDoS protection - HTTP DDoS managed ruleset - 2023-10-09 - Emergency

Monday, Oct 9, 2023

Rule ID	Description	Previous Action	New Action
...02bbdce1	HTTP requests with unusual HTTP headers or URI path (signature #47).	N/A	block
...493cb8a8	HTTP requests with unusual HTTP headers or URI path (signature #52).	N/A	block
...5c344623	HTTP requests from uncommon clients	N/A	block
...6363bb1b	HTTP requests with unusual HTTP headers or URI path (signature #48).	N/A	block
...c1fbd175	HTTP requests trying to impersonate browsers (pattern #4).	N/A	block

Workers - 2023-10-09

Monday, Oct 9, 2023

The Web Platform standard CustomEvent class is now available in Workers.
Fixed a bug in the WebCrypto API where the publicExponent field of the algorithm of RSA keys would have the wrong type. Use the crypto_preserve_public_exponent compatibility flag to enable the new behavior.

Queues - More queues per account - up to 10,000

Saturday, Oct 7, 2023

Developers building on Queues can now create up to 10,000 queues per account, enabling easier per-user, per-job and sharding use-cases.

Refer to Limits to learn more about Queues’ current limits.

Notifications - 2023-10-06

Friday, Oct 6, 2023

Added Traffic Anomalies Alerts to notify customers when traffic to their domain has an unexpected spike or drop.

Queues - Higher consumer concurrency limits

Thursday, Oct 5, 2023

Queue consumers can now scale to 20 concurrent invocations (per queue), up from 10. This allows you to scale out and process higher throughput queues more quickly.

Queues with no explicit limit specified will automatically scale to the new maximum.

This limit will continue to grow during the Queues beta.

D1 - Create up to 50,000 D1 databases

Tuesday, Oct 3, 2023

Developers using D1 on a Workers Paid plan can now create up to 50,000 databases as part of ongoing increases to D1’s limits.

This further enables database-per-user use-cases and allows you to isolate data between customers.
Total storage per account is now 50 GB.
D1’s analytics and metrics provide per-database usage data.

If you need to create more than 50,000 databases or need more per-account storage, reach out to the D1 team to discuss.

Vectorize - Increased indexes per account limits

Tuesday, Oct 3, 2023

You can now create up to 100 Vectorize indexes per account. Read the limits documentation for details on other limits, many of which will increase during the beta period.

WAF - 2023-10-04 - Emergency

Tuesday, Oct 3, 2023

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...ec9f34e1	100604,100605	Atlassian Confluence - Privilege Escalation - CVE:CVE-2023-22515	N/A	Block	This rule is released for our Cloudflare Free customers as well, rule ID: ...91935fcb

Zaraz - 2023-10-03

Tuesday, Oct 3, 2023

Bugfix: Fixed an issue that prevented some server-side requests from arriving to their destination
Google Analytics 4 Managed Component: Add support for dbg and ir fields.

WAF - 2023-10-02

Monday, Oct 2, 2023

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...34780914	100532	Vulnerability scanner activity	N/A	Block	This rule was released as 100532_BETA in legacy waf and ...6e298ed7 in new WAF

D1 - The D1 public beta is here

Thursday, Sep 28, 2023

D1 is now in public beta, and storage limits have been increased:

Developers with a Workers Paid plan now have a 2 GB per-database limit (up from 500 MB) and can create 25 databases per account (up from 10). These limits will continue to increase automatically during the public beta.
Developers with a Workers Free plan retain the 500 MB per-database limit and can create up to 10 databases per account.

Databases must be using D1’s new storage subsystem to benefit from the increased database limits.

Read the announcement blog for more details about what is new in the beta and what is coming in the future for D1.

Hyperdrive - Hyperdrive now available

Thursday, Sep 28, 2023

Hyperdrive is now available in public beta to any developer with a Workers paid plan.

To start using Hyperdrive, visit the get started guide or read the announcement blog to learn more.

Notifications - 2023-09-28

Thursday, Sep 28, 2023

Added Incident Alerts.

Vectorize - Vectorize now in open beta

Wednesday, Sep 27, 2023

Vectorize, Cloudflare’s vector database, is now in open beta. Vectorize allows you to store and efficiently query vector embeddings from AI/ML models from Workers AI, OpenAI, and other embeddings providers or machine-learning workflows.

To get started with Vectorize, see the guide.

Stream - LL-HLS Beta

Monday, Sep 25, 2023

Low-Latency HTTP Live Streaming (LL-HLS) is now in open beta. Enable LL-HLS on your live input for automatic low-latency playback using the Stream built-in player where supported.

For more information, refer to live input and custom player docs.

DDoS protection - HTTP DDoS managed ruleset - 2023-09-24 - Emergency

Sunday, Sep 24, 2023

Rule ID	Description	Previous Action	New Action	Notes
...0fb54442	HTTP requests with unusual HTTP headers or URI path (signature #49).	N/A	block
...3dd5f188	HTTP requests from known botnet (signature #71).	N/A	block
...97003a74	HTTP requests with unusual HTTP headers or URI path (signature #17).	block	block	Expand rule to catch more attacks.

WAF - 2023-09-22 - Emergency

Friday, Sep 22, 2023

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...066c0c9a	100602	Code Injection - CVE:CVE-2023-36845	N/A	Block	N/A
Cloudflare Specials	...0746d000	100603	Information Disclosure - CVE:CVE-2023-28432	N/A	Block	N/A

DDoS protection - HTTP DDoS managed ruleset - 2023-09-21 - Emergency

Thursday, Sep 21, 2023

Rule ID	Description	Previous Action	New Action	Notes
...1d73128d	HTTP requests from known botnet (signature #56).	block	block	Make the rule customizable as it might cause false positive in rare cases.
...4a95ba67	HTTP requests with unusual HTTP headers or URI path (signature #32).	ddos_dynamic	ddos_dynamic	Expand the scope of the rule to catch more attacks.
...6fe7a312	HTTP requests from known botnet (signature #70).	block	block	Update the rule to remove some rare false positives.

Version Management - Support for Bot Management

Wednesday, Sep 20, 2023

Version Management now supports versioning for Bot Management.

WAF - 2023-09-18

Monday, Sep 18, 2023

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...25ba9d7c	N/A	SSRF Cloud	N/A	Disabled	N/A

Workers - 2023-09-14

Thursday, Sep 14, 2023

An implementation of the node:crypto API from Node.js is now available when the nodejs_compat compatibility flag is enabled.

Pages - Support for D1's new storage subsystem and build error message improvements

Wednesday, Sep 13, 2023

Added support for D1’s new storage subsystem. All Git builds and deployments done with Wrangler v3.5.0 and up can use the new subsystem.
Builds which fail due to exceeding the build time limit will return a proper error message indicating so rather than Internal error.
New and improved error messages for other build failures

Zaraz - 2023-09-13

Wednesday, Sep 13, 2023

Consent Management: Add support for custom button translations.
Consent Management: Modal stays fixed when scrolling.
Google Analytics 4 Managed Component: hideOriginalIP and ga-audiences can be set from tool event.

Zaraz - 2023-09-11

Monday, Sep 11, 2023

Reddit Managed Component: Support new “Account ID” formats (e.g. “ax_xxxxx”).

Radar - Add Connection Tampering endpoints

Friday, Sep 8, 2023

Added Connection Tampering summary and timeseries endpoints.

Waiting Room - Waiting Room coverage for multiple hostnames and paths

Wednesday, Sep 6, 2023

Advanced Waiting Room customers can now add multiple hostname and path combinations to a single waiting room via the UI and API.

Zaraz - 2023-09-06

Wednesday, Sep 6, 2023

Consent Management: Consent cookie name can now be customized.

DDoS protection - HTTP DDoS managed ruleset - 2023-09-05 - Emergency

Tuesday, Sep 5, 2023

Rule ID	Description	Previous Action	New Action	Notes
...22807318	HTTP requests from known botnets.	ddos_dynamic	ddos_dynamic	Expand filter to catch attacks more comprehensively.
...4346874d	HTTP requests with unusual HTTP headers or URI path (signature #46).	N/A	block
...6fe7a312	HTTP requests from known botnet (signature #70).	N/A	block	Expand filter to catch more attacks. It is now configurable.

Zaraz - 2023-09-05

Tuesday, Sep 5, 2023

Segment Managed Component: API Endpoint can be customized.

WAF - 2023-09-04

Monday, Sep 4, 2023

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...c5f041ac	100597	Information Disclosure - Path Normalization	Log	Block	N/A
Cloudflare Specials	...50cec478	100598	Remote Code Execution - Common Bash Bypass	Log	Block	N/A
Cloudflare Specials	...ec5b0d04	100599	Ivanti - Auth Bypass - CVE:CVE-2023-38035	Log	Block	N/A
Cloudflare Specials	...6912c055	100601	Malware - Polymorphic Encoder	Log	Block	N/A
Cloudflare Specials	...8242627b	100146B	SSRF Local BETA	Log	Disabled	N/A

DDoS protection - HTTP DDoS managed ruleset - 2023-08-30 - Emergency

Wednesday, Aug 30, 2023

Rule ID	Description	Previous Action	New Action	Notes
...22807318	HTTP requests from known botnets.	ddos_dynamic	ddos_dynamic
...46082508	HTTP requests with unusual HTTP headers or URI path (signature #45).	N/A	block

DDoS protection - HTTP DDoS managed ruleset - 2023-08-29 - Emergency

Tuesday, Aug 29, 2023

Rule ID	Description	Previous Action	New Action	Notes
...22807318	HTTP requests from known botnets.	managed_challenge	ddos_dynamic
...3fe55678	HTTP requests with unusual HTTP headers or URI path (signature #44).	N/A	block

DDoS protection - HTTP DDoS managed ruleset - 2023-08-25 - Emergency

Friday, Aug 25, 2023

Rule ID	Description	Previous Action	New Action	Notes
...20c5afb5	HTTP requests with unusual HTTP headers or URI path (signature #36).	block	block	This rule was previously readonly, but can cause false positives in rare cases. It is now possible to override it.
...cb26e2e2	HTTP requests from known botnet (signature #69).	N/A	block
...ebff5ef1	HTTP requests with unusual HTTP headers or URI path (signature #43).	N/A	block

Turnstile - 2023-08-24

Thursday, Aug 24, 2023

Added Client-side errors.

Notifications - 2023-08-23

Wednesday, Aug 23, 2023

Added Logo Match Alert.

Pages - Commit message limit increase

Wednesday, Aug 23, 2023

Commit messages can now be up to 384 characters before being trimmed.

WAF - 2023-08-21

Monday, Aug 21, 2023

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...84dadf5a	100595	MobileIron - Auth Bypass - CVE:CVE-2023-35082	Log	Block	N/A
Cloudflare Specials	...48a60154	N/A	SQLi - Keyword + SubExpress + Comment + BETA	N/A	Disabled	N/A

Zaraz - 2023-08-21

Monday, Aug 21, 2023

TikTok Managed Component: Support setting ttp and event_id.
Consent Management: Accessibility improvements.
Facebook Managed Component: Support for using “Limited Data Use” features.

D1 - Row count now returned per query

Saturday, Aug 19, 2023

D1 now returns a count of rows_written and rows_read for every query executed, allowing you to assess the cost of query for both pricing and index optimization purposes.

The meta object returned in D1’s Client API contains a total count of the rows read (rows_read) and rows written (rows_written) by that query. For example, a query that performs a full table scan (for example, SELECT * FROM users) from a table with 5000 rows would return a rows_read value of 5000:

Refer to D1 pricing documentation to understand how reads and writes are measured. D1 remains free to use during the alpha period.

WAF - 2023-08-17 - Emergency

Thursday, Aug 17, 2023

Ruleset	Rule ID	Legacy Rule ID	Description	Previous Action	New Action	Comments
Cloudflare Specials	...cac42ce2	100596	Citrix Content Collaboration ShareFile - Remote Code Execution - CVE:CVE-2023-24489	N/A	Block	N/A

DDoS protection - HTTP DDoS managed ruleset - 2023-08-16 - Emergency

Wednesday, Aug 16, 2023

Rule ID	Description	Previous Action	New Action	Notes
...9721fd20	HTTP requests trying to impersonate browsers (pattern #3).	N/A	ddos_dynamic

DDoS protection - HTTP DDoS managed ruleset - 2023-08-14

Monday, Aug 14, 2023

Rule ID	Description	Previous Action	New Action	Notes
...22807318	HTTP requests from known botnets.	ddos_dynamic	managed_challenge	Expand the filter to catch more attacks.
...d2f294d7	HTTP requests trying to impersonate browsers.	ddos_dynamic	ddos_dynamic	Expand the filter to catch more attacks.

Radar - Deprecate old layer 3 dataset

Monday, Aug 14, 2023

Added Regional Internet Registry (see field source in response) to get asn by id and get asn by ip endpoints.
Stopped collecting data in the old Layer 3 data source.
Updated Layer 3 timeseries endpoint to start using the new Layer 3 data source by default, fetching the old data source now requires sending the parameter metric=bytes_old.
Deprecated Layer 3 summary endpoint, this will stop receiving data after 2023-08-14.
- To continue getting this data, switch to the new timeseries group protocol endpoint.
Deprecated Layer 3 timeseries groups endpoint, this will stop receiving data after 2023-08-14.
- To continue getting this data, switch to the new timeseries group protocol endpoint.

DDoS protection - HTTP DDoS managed ruleset - 2023-08-11 - Emergency

Friday, Aug 11, 2023

Rule ID	Description	Previous Action	New Action
...1de9523e	HTTP requests with unusual HTTP headers or URI path (signature #41).	N/A	block
...22807318	HTTP requests from known botnets.	managed_challenge	ddos_dynamic
...aa03a345	HTTP requests from known botnet (signature #68).	N/A	block
...efca86eb	HTTP requests from known botnet (signature #66).	N/A	block
...f93fb5d6	HTTP requests from known botnet (signature #67).	N/A	block

D1 - Bind D1 from the Cloudflare dashboard

Wednesday, Aug 9, 2023

You can now bind a D1 database to your Workers directly in the Cloudflare dashboard. To bind D1 from the Cloudflare dashboard, select your Worker project -> Settings -> Variables -> and select D1 Database Bindings.

Note: If you have previously deployed a Worker with a D1 database binding with a version of wrangler prior to 3.5.0, you must upgrade to wrangler v3.5.0 first before you can edit your D1 database bindings in the Cloudflare dashboard. New Workers projects do not have this limitation.

Legacy D1 alpha users who had previously prefixed their database binding manually with __D1_BETA__ should remove this as part of this upgrade. Your Worker scripts should call your D1 database via env.BINDING_NAME only. Refer to the latest D1 getting started guide for best practices.

We recommend all D1 alpha users begin using wrangler 3.5.0 (or later) to benefit from improved TypeScript types and future D1 API improvements.

Stream - Scheduled Deletion

Tuesday, Aug 8, 2023

Stream now supports adding a scheduled deletion date to new and existing videos. Live inputs support deletion policies for automatic recording deletion.

For more, refer to the video on demand or live input docs.

D1 - Per-database limit now 500 MB

Tuesday, Aug 1, 2023

Databases using D1’s new storage subsystem can now grow to 500 MB each, up from the previous 100 MB limit. This applies to both existing and newly created databases.

Refer to Limits to learn about D1’s limits.

Pages - Support for newer TLDs

Tuesday, Aug 1, 2023

Support newer TLDs such as .party and .music.

DDoS protection - HTTP DDoS managed ruleset - 2023-07-31

Monday, Jul 31, 2023

Rule ID	Description	Previous Action	New Action	Notes
...9aec0913	HTTP requests from known botnet (signature #52).	block	block	Expose existing read-only filter publicly as it might cause false positives in rare cases.
...c5f479f0	HTTP requests from known botnet (signature #62).	N/A	block
...d0e36f9c	HTTP requests from known botnet (signature #63).	N/A	block

DDoS protection - Network-layer DDoS managed ruleset - 2023-07-31

Monday, Jul 31, 2023

Rule ID	Description	Previous Action	New Action	Notes
...aa772b5c	Adaptive DDoS Protection for Location-Based UDP (Available only to Enterprise accounts).	N/A	log	Enable UDP geolocation Adaptive DDoS rule

Radar - Fix HTTP timeseries endpoint urls

Monday, Jul 31, 2023

Updated HTTP timeseries endpoints urls to timeseries_groups ( example) due to consistency. Old timeseries endpoints are still available, but will soon be removed.

Turnstile - 2023-07-31

Monday, Jul 31, 2023

Added [turnstile.isExpired].
Added uk language.

D1 - New default storage subsystem

Thursday, Jul 27, 2023

Databases created via the Cloudflare dashboard and Wrangler (as of v3.4.0) now use D1’s new storage subsystem by default. The new backend can be 6 - 20x faster than D1’s original alpha backend.

To understand which storage subsystem your database uses, run wrangler d1 info YOUR_DATABASE and inspect the version field in the output.

Databases with version: beta use the new storage backend and support the Time Travel API. Databases with version: alpha only use D1’s older, legacy backend.

D1 - Time Travel

Thursday, Jul 27, 2023

Time Travel is now available. Time Travel allows you to restore a D1 database back to any minute within the last 30 days (Workers Paid plan) or 7 days (Workers Free plan), at no additional cost for storage or restore operations.

Refer to the Time Travel documentation to learn how to travel backwards in time.

Databases using D1’s new storage subsystem can use Time Travel. Time Travel replaces the snapshot-based backups used for legacy alpha databases.

Radar - Add URL Scanner endpoints

Thursday, Jul 20, 2023

Added urlscanner endpoints, read more here.

Workers - 2023-07-14

Friday, Jul 14, 2023

An implementation of the util.MIMEType API from Node.js is now available when the nodejs_compat compatibility flag is enabled.

Pages - V2 build system enabled by default

Tuesday, Jul 11, 2023

V2 build system is now default for all new projects.

Pages - Sped up project creation

Monday, Jul 10, 2023

Sped up project creation.

Workers - 2023-07-07

Friday, Jul 7, 2023

An implementation of the process.env API from Node.js is now available when using the nodejs_compat compatibility flag.
An implementation of the diagnostics_channel API from Node.js is now available when using the nodejs_compat compatibility flag.

R2 - 2023-07-05

Wednesday, Jul 5, 2023

Improved performance for ranged reads on very large files. Previously ranged reads near the end of very large files would be noticeably slower than ranged reads on smaller files. Performance should now be consistently good independent of filesize.

D1 - Metrics and analytics

Wednesday, Jun 28, 2023

You can now view per-database metrics via both the Cloudflare dashboard and the GraphQL Analytics API.

D1 currently exposes read & writes per second, query response size, and query latency percentiles.

Workers - 2023-06-22

Thursday, Jun 22, 2023

Added the strict_crypto_checks compatibility flag to enable additional Web Crypto API error and security checking.
Fixes regression in the TCP Sockets API where connect("google.com:443") would fail with a TypeError.

R2 - 2023-06-21

Wednesday, Jun 21, 2023

Multipart ETags are now MD5 hashes.

Radar - Add Quality endpoints

Tuesday, Jun 20, 2023

Added quality endpoints.

Workers - 2023-06-19

Monday, Jun 19, 2023

The TCP Sockets API now reports clearer errors when a connection cannot be established.
Updated V8 to 11.5.

D1 - Generated columns documentation

Friday, Jun 16, 2023

New documentation has been published on how to use D1’s support for generated columns to define columns that are dynamically generated on write (or read). Generated columns allow you to extract data from JSON objects or use the output of other SQL functions.

R2 - 2023-06-16

Friday, Jun 16, 2023

Fixed a bug where calling GetBucket on a non-existent bucket would return a 500 instead of a 404.
Improved S3 compatibility for ListObjectsV1, now nextmarker is only set when truncated is true.
The R2 worker bindings now support parsing conditional headers with multiple etags. These etags can now be strong, weak or a wildcard. Previously the bindings only accepted headers containing a single strong etag.
S3 putObject now supports sha256 and sha1 checksums. These were already supported by the R2 worker bindings.
CopyObject in the S3 compatible api now supports Cloudflare specific headers which allow the copy operation to be conditional on the state of the destination object.

D1 - Deprecating Error.cause

Monday, Jun 12, 2023

As of wrangler v3.1.1 the D1 client API now returns detailed error messages within the top-level Error.message property, and no longer requires developers to inspect the Error.cause.message property.

To facilitate a transition from the previous Error.cause behaviour, detailed error messages will continue to be populated within Error.cause as well as the top-level Error object until approximately July 14th, 2023. Future versions of both wrangler and the D1 client API will no longer populate Error.cause after this date.

Workers - 2023-06-09

Friday, Jun 9, 2023

AbortSignal.any() is now available.
Updated V8 to 11.4.
Following an update to the WHATWG URL spec, the delete() and has() methods of the URLSearchParams class now accept an optional second argument to specify the search parameter’s value. This is potentially a breaking change, so it is gated behind the new urlsearchparams_delete_has_value_arg and url_standard compatibility flags.
Added the strict_compression_checks compatibility flag for additional DecompressionStream error checking.

Radar - Add BGP stats, pfx2as and moas endpoint

Wednesday, Jun 7, 2023

Added BGP stats, pfx2as and moas endpoints.

Workers - 2023-05-26

Friday, May 26, 2023

A new Hibernatable WebSockets API (beta) has been added to Durable Objects. The Hibernatable WebSockets API allows a Durable Object that is not currently running an event handler (for example, processing a WebSocket message or alarm) to be removed from memory while keeping its WebSockets connected (“hibernation”). A Durable Object that hibernates will not incur billable Duration (GB-sec) charges.

Turnstile - 2023-05-25

Thursday, May 25, 2023

Added idempotency support for POST /siteverify requests via the idempotency_key parameter.

D1 - New experimental backend

Friday, May 19, 2023

D1 has a new experimental storage back end that dramatically improves query throughput, latency and reliability. The experimental back end will become the default back end in the near future. To create a database using the experimental backend, use wrangler and set the --experimental-backend flag when creating a database:

Read more about the experimental back end in the announcement blog.

D1 - Location hints

Friday, May 19, 2023

You can now provide a location hint when creating a D1 database, which will influence where the leader (writer) is located. By default, D1 will automatically create your database in a location close to where you issued the request to create a database. In most cases this allows D1 to choose the optimal location for your database on your behalf.

Pages - Build error message improvement

Friday, May 19, 2023

Builds which fail due to Out of memory (OOM) will return a proper error message indicating so rather than Internal error.

D1 - Query JSON

Wednesday, May 17, 2023

New documentation has been published that covers D1’s extensive JSON function support. JSON functions allow you to parse, query and modify JSON directly from your SQL queries, reducing the number of round trips to your database, or data queried.

Pages - V2 build system beta

Wednesday, May 17, 2023

The V2 build system is now available in open beta. Enable the V2 build system by going to your Pages project in the Cloudflare dashboard and selecting Settings > Build & deployments > Build system version.

Pages - Support for Smart Placement

Tuesday, May 16, 2023

Smart placement can now be enabled for Pages within your Pages Project by going to Settings > Functions.

Stream - Multiple audio tracks now generally available

Tuesday, May 16, 2023

Stream supports adding multiple audio tracks to an existing video.

For more, refer to the documentation to get started.

Workers - 2023-05-16

Tuesday, May 16, 2023

The new connect() method allows you to connect to any TCP-speaking services directly from your Workers. To learn more about other protocols supported on the Workers platform, visit the new Protocols documentation.
We have added new native database integrations for popular serverless database providers, including Neon, PlanetScale, and Supabase. Native integrations automatically handle the process of creating a connection string and adding it as a Secret to your Worker.
You can now also connect directly to databases over TCP from a Worker, starting with PostgreSQL. Support for PostgreSQL is based on the popular pg driver, and allows you to connect to any PostgreSQL instance over TLS from a Worker directly.
The R2 Migrator (Super Slurper), which automates the process of migrating from existing object storage providers to R2, is now Generally Available.

Workers - 2023-05-15

Monday, May 15, 2023

Cursor, an experimental AI assistant, trained to answer questions about Cloudflare’s Developer Platform, is now available to preview! Cursor can answer questions about Workers and the Cloudflare Developer Platform, and is itself built on Workers. You can read more about Cursor in the announcement blog.

Workers - 2023-05-12

Friday, May 12, 2023

The performance.now() and performance.timeOrigin APIs can now be used in Cloudflare Workers. Just like Date.now(), for security reasons time only advances after I/O.

Radar - Added `IOS` as an option for the OS parameter in all HTTP

Wednesday, May 10, 2023

Added IOS as an option for the OS parameter in all HTTP endpoints ( example).

Workers - 2023-05-05

Friday, May 5, 2023

The new nodeJsCompatModule type can be used with a Worker bundle to emulate a Node.js environment. Common Node.js globals such as process and Buffer will be present, and require('...') can be used to load Node.js built-ins without the node: specifier prefix.
Fixed an issue where websocket connections would be disconnected when updating workers. Now, only websockets connected to Durable Object instances are disconnected by updates to that Durable Object’s code.

Workers - 2023-04-28

Friday, Apr 28, 2023

The Web Crypto API now supports curves Ed25519 and X25519 defined in the Secure Curves specification.
The global connect method has been moved to a cloudflare:sockets module.

Stream - Player Enhancement Properties

Wednesday, Apr 26, 2023

Cloudflare Stream now supports player enhancement properties.

With player enhancements, you can modify your video player to incorporate elements of your branding, such as your logo, and customize additional options to present to your viewers.

For more, refer to the documentation to get started.

Notifications - 2023-04-19

Wednesday, Apr 19, 2023

Added Maintenance Notification Alerts.

DDoS protection - Network-layer DDoS managed ruleset - 2023-04-17

Monday, Apr 17, 2023

Previously, only a subset of rules were exposed publicly. In rare situations, these rules can cause false positives. When this happens, you can customize their behavior using overrides.

Besides these rules, the DDoS managed rules contain other rules that do not cause issues. Until now, these rules were not shown in the dashboard or referenced in the documentation.

Cloudflare now shows all rules in the dashboard, including these high-confidence rules. This means that packets matching these rules will now have the correct rule identifier. The newly published rules are read-only and you cannot disable them.

Turnstile - 2023-04-17

Monday, Apr 17, 2023

Added references to Turnstile Public API.
Added references for [after-interactive-callback], [before-interactive-callback], and [unsupported-callback].

Workers - 2023-04-14

Friday, Apr 14, 2023

No externally-visible changes this week.

Workers - 2023-04-10

Monday, Apr 10, 2023

URL.canParse(...) is a new standard API for testing that an input string can be parsed successfully as a URL without the additional cost of creating and throwing an error.
The Workers-specific IdentityTransformStream and FixedLengthStream classes now support specifying a highWaterMark for the writable-side that is used for backpressure signaling using the standard writer.desiredSize/writer.ready mechanisms.

R2 - 2023-04-01

Saturday, Apr 1, 2023

GetBucket is now available for use through the Cloudflare API.
Location hints can now be set when creating a bucket, both through the S3 API, and the dashboard.

Queues - Consumer concurrency (enabled)

Tuesday, Mar 28, 2023

Queue consumers will now automatically scale up based on the number of messages being written to the queue. To control or limit concurrency, you can explicitly define a max_concurrency for your consumer.

Workers - 2023-03-24

Friday, Mar 24, 2023

Fixed a bug in Wrangler tail and and live logs on the dashboard that prevented the Administrator Read-Only and Workers Tail Read roles from successfully tailing Workers.

Pages - Git projects can now see files uploaded

Thursday, Mar 23, 2023

Files uploaded are now visible for Git projects, you can view them in the Cloudflare dashboard.

Stream - Limits for downloadable MP4s for live recordings

Tuesday, Mar 21, 2023

Previously, generating a download for a live recording exceeding four hours resulted in failure.

To fix the issue, now video downloads are only available for live recordings under four hours. Live recordings exceeding four hours can still be played but cannot be downloaded.

Pages - Notifications for Pages are now available

Monday, Mar 20, 2023

Notifications for Pages events are now available in the Cloudflare dashboard. Events supported include:
- Deployment started.
- Deployment succeeded.
- Deployment failed.

Radar - Add AS112 and email endpoints

Monday, Mar 20, 2023

Added AS112 endpoints.
Added email endpoints.

R2 - 2023-03-16

Thursday, Mar 16, 2023

The ListParts API has been implemented and is available for use.
HTTP2 is now enabled by default for new custom domains linked to R2 buckets.
Object Lifecycles are now available for use.
Bug fix: Requests to public buckets will now return the Content-Encoding header for gzip files when Accept-Encoding: gzip is used.

Queues - Consumer concurrency (upcoming)

Wednesday, Mar 15, 2023

Queue consumers will soon automatically scale up concurrently as a queues’ backlog grows in order to keep overall message processing latency down. Concurrency will be enabled on all existing queues by 2023-03-28.

To opt-out, or to configure a fixed maximum concurrency, set max_concurrency = 1 in your wrangler.toml file or via the queues dashboard.

To opt-in, you do not need to take any action: your consumer will begin to scale out as needed to keep up with your message backlog. It will scale back down as the backlog shrinks, and/or if a consumer starts to generate a higher rate of errors. To learn more about how consumers scale, refer to the consumer concurrency documentation.

Notifications - 2023-03-13

Monday, Mar 13, 2023

Added Pages Alerts.

Workers - 2023-03-09

Thursday, Mar 9, 2023

No externally-visible changes.

Turnstile - 2023-03-06

Monday, Mar 6, 2023

Added [execution] and [appearance].

Workers - 2023-03-06

Monday, Mar 6, 2023

Workers Logpush now supports 300 characters per log line. This is an increase from the previous limit of 150 characters per line.

Notifications - 2023-03-02

Thursday, Mar 2, 2023

Added Brand Protection Alerts.

Queues - Explicit acknowledgement (new feature)

Thursday, Mar 2, 2023

You can now acknowledge individual messages with a batch by calling .ack() on a message.

This allows you to mark a message as delivered as you process it within a batch, and avoids the entire batch from being redelivered if your consumer throws an error during batch processing. This can be particularly useful when you are calling external APIs, writing messages to a database, or otherwise performing non-idempotent actions on individual messages within a batch.

Queues - Higher per-queue throughput

Wednesday, Mar 1, 2023

The per-queue throughput limit has now been raised to 400 messages per second.

Turnstile - 2023-02-15

Wednesday, Feb 15, 2023

Added the [turnstile.ready] callback.

Pages - Analytics Engine now available in Functions

Tuesday, Feb 14, 2023

Added support for Analytics Engine in Functions.

Workers - 2023-02-06

Monday, Feb 6, 2023

Fixed a bug where transferring large request bodies to a Durable Object was unexpectedly slow.
Previously, an error would be thrown when trying to access unimplemented standard Request and Response properties. Now those will be left as undefined.

Turnstile - 2023-02-01

Wednesday, Feb 1, 2023

Added the [data-]language parameter.

R2 - 2023-01-27

Friday, Jan 27, 2023

R2 authentication tokens created via the R2 token page are now scoped to a single account by default.

Radar - Updated IPv6 calculation method

Monday, Jan 23, 2023

IPv6 percentage started to be calculated as (IPv6 requests / requests for dual-stacked content), where as before it was calculated as (IPv6 requests / IPv4+IPv6 requests).

Workers - 2023-01-13

Friday, Jan 13, 2023

Durable Objects can now use jurisdictions with idFromName via a new subnamespace API.
V8 updated to 10.9.

Radar - Add new layer 3 dataset

Wednesday, Jan 11, 2023

Added new Layer 3 data source and related endpoints.
Updated Layer 3 timeseries endpoint to support fetching both current and new data sources. For retro-compatibility reasons, fetching the new data source requires sending the parameter metric=bytes else the current data source will be returned.
Deprecated old Layer 3 endpoints TimeseriesGroups and Summary. Users should upgrade to newer endpoints.

Pages - Queues now available in Functions

Thursday, Jan 5, 2023

Added support for Queues producer in Functions.

Stream - Earlier detection (and rejection) of non-video uploads

Wednesday, Jan 4, 2023

Cloudflare Stream now detects non-video content on upload using the POST API and returns a 400 Bad Request HTTP error with code 10059.

Previously, if you or one of your users attempted to upload a file that is not a video (ex: an image), the request to upload would appear successful, but then fail to be encoded later on.

With this change, Stream responds to the upload request with an error, allowing you to give users immediate feedback if they attempt to upload non-video content.

Pages - API messaging update

Thursday, Dec 15, 2022

Updated all API messaging to be more helpful.

Queues - sendBatch support

Tuesday, Dec 13, 2022

The JavaScript API for Queue producers now includes a sendBatch method which supports sending up to 100 messages at a time.

Queues - Increased per-account limits

Monday, Dec 12, 2022

Queues now allows developers to create up to 100 queues per account, up from the initial beta limit of 10 per account. This limit will continue to increase over time.

Turnstile - 2022-12-12

Monday, Dec 12, 2022

POST /siteverify supports JSON requests now.

Stream - Faster mp4 downloads of live recordings

Thursday, Dec 8, 2022

Generating MP4 downloads of live stream recordings is now significantly faster. For more, refer to the docs.

R2 - 2022-12-07

Wednesday, Dec 7, 2022

Fix CORS preflight requests for the S3 API, which allows using the S3 SDK in the browser.
Passing a range header to the get operation in the R2 bindings API should now work as expected.

DDoS protection - Network-layer DDoS managed ruleset - 2022-12-02

Friday, Dec 2, 2022

Rule ID	Description	Previous Action	New Action	Notes
...58e4914a	Adaptive DDoS Protection for UDP (Available only to Enterprise accounts).	log	log	Lower sensitivity to avoid false positives
...76d5e15c	Adaptive DDoS Protection for Other IPv6 Protocols (Available only to Enterprise accounts).	log	log	Lower sensitivity to avoid false positives
...8de83ef6	Adaptive DDoS Protection for IPv6 GRE (Available only to Enterprise accounts).	log	log	Lower sensitivity to avoid false positives
...938e978c	Adaptive DDoS Protection for IPv6 ESP (Available only to Enterprise accounts).	log	log	Lower sensitivity to avoid false positives
...9c173480	Adaptive DDoS Protection for ICMP (Available only to Enterprise accounts).	log	log	Lower sensitivity to avoid false positives
...ad8078b8	Adaptive DDoS Protection for IPv4 GRE (Available only to Enterprise accounts).	log	log	Lower sensitivity to avoid false positives
...ae3f5e4e	Adaptive DDoS Protection for ICMPv6 (Available only to Enterprise accounts).	log	log	Lower sensitivity to avoid false positives
...c7dc52df	Adaptive DDoS Protection for Other IPv4 Protocols (Available only to Enterprise accounts).	log	log	Lower sensitivity to avoid false positives
...e4e7541c	Adaptive DDoS Protection for IPv4 ESP (Available only to Enterprise accounts).	log	log	Lower sensitivity to avoid false positives

Pages - Ability to delete aliased deployments

Thursday, Dec 1, 2022

Aliased deployments can now be deleted. If using the API, you will need to add the query parameter force=true.

R2 - 2022-11-30

Wednesday, Nov 30, 2022

Requests with the header x-amz-acl: public-read are no longer rejected.
Fixed issues with wildcard CORS rules and presigned URLs.
Fixed an issue where ListObjects would time out during delimited listing of unicode-normalized keys.
S3 API’s PutBucketCors now rejects requests with unknown keys in the XML body.
Signing additional headers no longer breaks CORS preflight requests for presigned URLs.

Stream - Multiple audio tracks (closed beta)

Tuesday, Nov 29, 2022

Stream now supports adding multiple audio tracks to an existing video upload. This allows you to:

Provide viewers with audio tracks in multiple languages
Provide dubbed audio tracks, or audio commentary tracks (ex: Director’s Commentary)
Allow your users to customize the customize the audio mix, by providing separate audio tracks for music, speech or other audio tracks.
Provide Audio Description tracks to ensure your content is accessible. ( WCAG 2.0 Guideline 1.2 1)

To request an invite to the beta, refer to this post.

Stream - VP9 support for WebRTC live streams (beta)

Tuesday, Nov 22, 2022

Cloudflare Stream now supports VP9 when streaming using WebRTC (WHIP), currently in beta.

R2 - 2022-11-21

Monday, Nov 21, 2022

Fixed a bug in ListObjects where startAfter would skip over objects with keys that have numbers right after the startAfter prefix.
Add worker bindings for multipart uploads.

Pages - Deep linking to a Pages deployment

Saturday, Nov 19, 2022

You can now deep-link to a Pages deployment in the dashboard with :pages-deployment. An example would be https://dash.cloudflare.com?to=/:account/pages/view/:pages-project/:pages-deployment.

Pages - Functions GA and other updates

Thursday, Nov 17, 2022

Pages functions are now GA. For more information, refer to the blog post.
We also made the following updates to Functions:
- Functions metrics are now available in the dashboard.
- Functions billing is now available.
- The Unbound usage model is now available for Functions.
- Secrets are now available.
- Functions tailing is now available via the dashboard or with Wrangler (wrangler pages deployment tail).

R2 - 2022-11-17

Thursday, Nov 17, 2022

Unconditionally return HTTP 206 on ranged requests to match behavior of other S3 compatible implementations.
Fixed a CORS bug where AllowedHeaders in the CORS config were being treated case-sensitively.

Pages - Service bindings now available in Functions

Tuesday, Nov 15, 2022

Service bindings are now available in Functions. For more details, refer to the docs.

Turnstile - 2022-11-11

Friday, Nov 11, 2022

Added retry and retry-interval for controlling retry behavior.

R2 - 2022-11-08

Tuesday, Nov 8, 2022

Copying multipart objects via CopyObject is re-enabled.
UploadPartCopy is re-enabled.

Stream - Reduced time to start WebRTC streaming and playback with Trickle ICE

Tuesday, Nov 8, 2022

Cloudflare Stream’s WHIP and WHEP implementations now support Trickle ICE, reducing the time it takes to initialize WebRTC connections, and increasing compatibility with WHIP and WHEP clients.

For more, refer to the docs.

Stream - Deprecating the 'per-video' Analytics API

Monday, Nov 7, 2022

The “per-video” analytics API is being deprecated. If you still use this API, you will need to switch to using the GraphQL Analytics API by February 1, 2023. After this date, the per-video analytics API will be no longer available.

The GraphQL Analytics API provides the same functionality and more, with additional filters and metrics, as well as the ability to fetch data about multiple videos in a single request. Queries are faster, more reliable, and built on a shared analytics system that you can use across many Cloudflare products.

For more about this change and how to migrate existing API queries, refer to this post and the GraphQL Analytics API docs.

Pages - Ansi color codes in build logs

Thursday, Nov 3, 2022

Build log now supports ansi color codes.

Stream - Create an unlimited number of live inputs

Tuesday, Nov 1, 2022

Cloudflare Stream now has no limit on the number of live inputs you can create. Stream is designed to allow your end-users to go live — live inputs can be created quickly on-demand via a single API request for each of user of your platform or app.

For more on creating and managing live inputs, get started with the docs.

R2 - 2022-10-28

Friday, Oct 28, 2022

Multipart upload part sizes are always expected to be of the same size, but this enforcement is now done when you complete an upload instead of being done very time you upload a part.
Fixed a performance issue where concurrent multipart part uploads would get rejected.

Turnstile - 2022-10-28

Friday, Oct 28, 2022

Renamed the [data-]expired-callback callback to [data-]timeout-callback (called when the challenge times out).
Added the [data-]expired-callback callback (called when the token expires).

R2 - 2022-10-26

Wednesday, Oct 26, 2022

Fixed ranged reads for multipart objects with part sizes unaligned to 64KiB.

Turnstile - 2022-10-24

Monday, Oct 24, 2022

Added response-field and response-field-name for controlling the input element created by Turnstile.
Added option for changing the size of the Turnstile widget.

Stream - More accurate bandwidth estimates for live video playback

Thursday, Oct 20, 2022

When playing live video, Cloudflare Stream now provides significantly more accurate estimates of the bandwidth needs of each quality level to client video players. This ensures that live video plays at the highest quality that viewers have adequate bandwidth to play.

As live video is streamed to Cloudflare, we transcode it to make it available to viewers at mulitple quality levels. During transcoding, we learn about the real bandwidth needs of each segment of video at each quality level, and use this to provide an estimate of the bandwidth requirements of each quality level the in HLS (.m3u8) and DASH (.mpd) manifests.

If a live stream contains content with low visual complexity, like a slideshow presentation, the bandwidth estimates provided in the HLS manifest will be lower, ensuring that the most viewers possible view the highest quality level, since it requires relatively little bandwidth. Conversely, if a live stream contains content with high visual complexity, like live sports with motion and camera panning, the bandwidth estimates provided in the HLS manifest will be higher, ensuring that viewers with inadequate bandwidth switch down to a lower quality level, and their playback does not buffer.

This change is particularly helpful if you’re building a platform or application that allows your end users to create their own live streams, where these end users have their own streaming software and hardware that you can’t control. Because this new functionality adapts based on the live video we receive, rather than just the configuration advertised by the broadcaster, even in cases where your end users’ settings are less than ideal, client video players will not receive excessively high estimates of bandwidth requirements, causing playback quality to decrease unnecessarily. Your end users don’t have to be OBS Studio experts in order to get high quality video playback.

No work is required on your end — this change applies to all live inputs, for all customers of Cloudflare Stream. For more, refer to the docs.

R2 - 2022-10-19

Wednesday, Oct 19, 2022

HeadBucket now sets x-amz-bucket-region to auto in the response.

Turnstile - 2022-10-13

Thursday, Oct 13, 2022

Added validation for action: /^[a-z0-9_-]{0,32}$/i
Added validation for cData: /^[a-z0-9_-]{0,255}$/i

Turnstile - 2022-10-11

Tuesday, Oct 11, 2022

Added turnstile.remove

R2 - 2022-10-06

Thursday, Oct 6, 2022

Temporarily disabled UploadPartCopy while we investigate an issue.

Pages - Deep linking to a Pages project

Wednesday, Oct 5, 2022

You can now deep-link to a Pages project in the dashboard with :pages-project. An example would be https://dash.cloudflare.com?to=/:account/pages/view/:pages-project.

Stream - AV1 Codec support for live streams and recordings (beta)

Wednesday, Oct 5, 2022

Cloudflare Stream now supports playback of live videos and live recordings using the AV1 codec, which uses 46% less bandwidth than H.264.

For more, read the blog post.

R2 - 2022-09-29

Thursday, Sep 29, 2022

Fixed a CORS issue where Access-Control-Allow-Headers was not being set for preflight requests.

R2 - 2022-09-28

Wednesday, Sep 28, 2022

Fixed a bug where CORS configuration was not being applied to S3 endpoint.
No-longer render the Access-Control-Expose-Headers response header if ExposeHeader is not defined.
Public buckets will no-longer return the Content-Range response header unless the response is partial.
Fixed CORS rendering for the S3 HeadObject operation.
Fixed a bug where no matching CORS configuration could result in a 403 response.
Temporarily disable copying objects that were created with multipart uploads.
Fixed a bug in the Workers bindings where an internal error was being returned for malformed ranged .get requests.

R2 - 2022-09-27

Tuesday, Sep 27, 2022

CORS preflight responses and adding CORS headers for other responses is now implemented for S3 and public buckets. Currently, the only way to configure CORS is via the S3 API.
Fixup for bindings list truncation to work more correctly when listing keys with custom metadata that have " or when some keys/values contain certain multi-byte UTF-8 values.
The S3 GetObject operation now only returns Content-Range in response to a ranged request.

Stream - WebRTC live streaming and playback (beta)

Tuesday, Sep 27, 2022

Cloudflare Stream now supports live video streaming over WebRTC, with sub-second latency, to unlimited concurrent viewers.

For more, read the blog post or the get started with example code in the docs.

R2 - 2022-09-19

Monday, Sep 19, 2022

The R2 put() binding options can now be given an onlyIf field, similar to get(), that performs a conditional upload.
The R2 delete() binding now supports deleting multiple keys at once.
The R2 put() binding now supports user-specified SHA-1, SHA-256, SHA-384, SHA-512 checksums in options.
User-specified object checksums will now be available in the R2 get() and head() bindings response. MD5 is included by default for non-multipart uploaded objects.

Stream - Manually control when you start and stop simulcasting

Thursday, Sep 15, 2022

You can now enable and disable individual live outputs via the API or Stream dashboard, allowing you to control precisely when you start and stop simulcasting to specific destinations like YouTube and Twitch. For more, read the docs.

Pages - Increased domain limits

Monday, Sep 12, 2022

Previously, all plans had a maximum of 10 custom domains per project.

Now, the limits are:

Free: 100 custom domains.
Pro: 250 custom domains.
Business and Enterprise: 500 custom domains.

Pages - Support for _routes.json

Thursday, Sep 8, 2022

Pages now offers support for _routes.json. For more details, refer to the documentation.

R2 - 2022-09-06

Tuesday, Sep 6, 2022

The S3 CopyObject operation now includes x-amz-version-id and x-amz-copy-source-version-id in the response headers for consistency with other methods.
The ETag for multipart files uploaded until shortly after Open Beta uploaded now include the number of parts as a suffix.

Pages - Increased build log expiration time

Thursday, Aug 25, 2022

Build log expiration time increased from 2 weeks to 1 year.

R2 - 2022-08-17

Wednesday, Aug 17, 2022

The S3 DeleteObjects operation no longer trims the space from around the keys before deleting. This would result in files with leading / trailing spaces not being able to be deleted. Additionally, if there was an object with the trimmed key that existed it would be deleted instead. The S3 DeleteObject operation was not affected by this.
Fixed presigned URL support for the S3 ListBuckets and ListObjects operations.

Stream - Unique subdomain for your Stream Account

Monday, Aug 15, 2022

URLs in the Stream Dashboard and Stream API now use a subdomain specific to your Cloudflare Account: customer-{CODE}.cloudflarestream.com. This change allows you to:

Use Content Security Policy (CSP) directives specific to your Stream subdomain, to ensure that only videos from your Cloudflare account can be played on your website.
Allowlist only your Stream account subdomain at the network-level to ensure that only videos from a specific Cloudflare account can be accessed on your network.

No action is required from you, unless you use Content Security Policy (CSP) on your website. For more on CSP, read the docs.

Pages - New bindings supported

Monday, Aug 8, 2022

R2 and D1 bindings are now supported.

R2 - 2022-08-06

Saturday, Aug 6, 2022

Uploads will automatically infer the Content-Type based on file body if one is not explicitly set in the PutObject request. This functionality will come to multipart operations in the future.

Stream - Clip videos using the Stream API

Tuesday, Aug 2, 2022

You can now change the start and end times of a video uploaded to Cloudflare Stream. For more information, refer to Clip videos.

R2 - 2022-07-30

Saturday, Jul 30, 2022

Fixed S3 conditionals to work properly when provided the LastModified date of the last upload, bindings fixes will come in the next release.
If-Match / If-None-Match headers now support arrays of ETags, Weak ETags and wildcard (*) as per the HTTP standard and undocumented AWS S3 behavior.

Stream - Live inputs

Tuesday, Jul 26, 2022

The Live Inputs API now supports optional pagination, search, and filter parameters. For more information, refer to the Live Inputs API documentation.

R2 - 2022-07-21

Thursday, Jul 21, 2022

Added dummy implementation of the following operation that mimics the response that a basic AWS S3 bucket will return when first created: GetBucketAcl.

R2 - 2022-07-20

Wednesday, Jul 20, 2022

Added dummy implementations of the following operations that mimic the response that a basic AWS S3 bucket will return when first created:
- GetBucketVersioning
- GetBucketLifecycleConfiguration
- GetBucketReplication
- GetBucketTagging
- GetObjectLockConfiguration

R2 - 2022-07-19

Tuesday, Jul 19, 2022

Fixed an S3 compatibility issue for error responses with MinIO .NET SDK and any other tooling that expects no xmlns namespace attribute on the top-level Error tag.
List continuation tokens prior to 2022-07-01 are no longer accepted and must be obtained again through a new list operation.
The list() binding will now correctly return a smaller limit if too much data would otherwise be returned (previously would return an Internal Error).

R2 - 2022-07-14

Thursday, Jul 14, 2022

Improvements to 500s: we now convert errors, so things that were previously concurrency problems for some operations should now be TooMuchConcurrency instead of InternalError. We’ve also reduced the rate of 500s through internal improvements.
ListMultipartUpload correctly encodes the returned Key if the encoding-type is specified.

R2 - 2022-07-13

Wednesday, Jul 13, 2022

S3 XML documents sent to R2 that have an XML declaration are not rejected with 400 Bad Request / MalformedXML.
Minor S3 XML compatibility fix impacting Arq Backup on Windows only (not the Mac version). Response now contains XML declaration tag prefix and the xmlns attribute is present on all top-level tags in the response.
Beta ListMultipartUploads support.

R2 - 2022-07-06

Wednesday, Jul 6, 2022

Support the r2_list_honor_include compat flag coming up in an upcoming runtime release (default behavior as of 2022-07-14 compat date). Without that compat flag/date, list will continue to function implicitly as include: ['httpMetadata', 'customMetadata'] regardless of what you specify.
cf-create-bucket-if-missing can be set on a PutObject/CreateMultipartUpload request to implicitly create the bucket if it does not exist.
Fix S3 compatibility with MinIO client spec non-compliant XML for publishing multipart uploads. Any leading and trailing quotes in CompleteMultipartUpload are now optional and ignored as it seems to be the actual non-standard behavior AWS implements.

Pages - Added support for .dev.vars in wrangler pages

Tuesday, Jul 5, 2022

Pages now supports .dev.vars in wrangler pages, which allows you to use use environmental variables during your local development without chaining --envs.

This functionality requires Wrangler v2.0.16 or higher.

R2 - 2022-07-01

Friday, Jul 1, 2022

Unsupported search parameters to ListObjects/ListObjectsV2 are now rejected with 501 Not Implemented.
Fixes for Listing:
- Fix listing behavior when the number of files within a folder exceeds the limit (you’d end up seeing a CommonPrefix for that large folder N times where N = number of children within the CommonPrefix / limit).
- Fix corner case where listing could cause objects with sharing the base name of a "folder" to be skipped.
- Fix listing over some files that shared a certain common prefix.
DeleteObjects can now handle 1000 objects at a time.
S3 CreateBucket request can specify x-amz-bucket-object-lock-enabled with a value of false and not have the requested rejected with a NotImplemented error. A value of true will continue to be rejected as R2 does not yet support object locks.

R2 - 2022-06-17

Friday, Jun 17, 2022

Fixed a regression for some clients when using an empty delimiter.
Added support for S3 pre-signed URLs.

R2 - 2022-06-16

Thursday, Jun 16, 2022

Fixed a regression in the S3 API UploadPart operation where TooMuchConcurrency & NoSuchUpload errors were being returned as NoSuchBucket.

Pages - Added deltas to wrangler pages publish

Monday, Jun 13, 2022

Pages has added deltas to wrangler pages publish.

We now keep track of the files that make up each deployment and intelligently only upload the files that we have not seen. This means that similar subsequent deployments should only need to upload a minority of files and this will hopefully make uploads even faster.

This functionality requires Wrangler v2.0.11 or higher.

R2 - 2022-06-13

Monday, Jun 13, 2022

Fixed a bug with the S3 API ListObjectsV2 operation not returning empty folder/s as common prefixes when using delimiters.
The S3 API ListObjectsV2 KeyCount parameter now correctly returns the sum of keys and common prefixes rather than just the keys.
Invalid cursors for list operations no longer fail with an InternalError and now return the appropriate error message.

R2 - 2022-06-10

Friday, Jun 10, 2022

The ContinuationToken field is now correctly returned in the response if provided in a S3 API ListObjectsV2 request.
Fixed a bug where the S3 API AbortMultipartUpload operation threw an error when called multiple times.

Pages - Added branch alias to PR comments

Wednesday, Jun 8, 2022

PR comments for Pages previews now include the branch alias.

R2 - 2022-05-27

Friday, May 27, 2022

Fixed a bug where the S3 API’s PutObject or the .put() binding could fail but still show the bucket upload as successful.
If conditional headers are provided to S3 API UploadObject or CreateMultipartUpload operations, and the object exists, a 412 Precondition Failed status code will be returned if these checks are not met.

Stream - Picture-in-Picture support

Tuesday, May 24, 2022

The Stream Player now displays a button to activate Picture-in-Picture mode, if the viewer’s web browser supports the Picture-in-Picture API.

R2 - 2022-05-20

Friday, May 20, 2022

Fixed a bug when Accept-Encoding was being used in SignedHeaders when sending requests to the S3 API would result in a SignatureDoesNotMatch response.

R2 - 2022-05-17

Tuesday, May 17, 2022

Fixed a bug where requests to the S3 API were not handling non-encoded parameters used for the authorization signature.
Fixed a bug where requests to the S3 API where number-like keys were being parsed as numbers instead of strings.

R2 - 2022-05-16

Monday, May 16, 2022

Add support for S3 virtual-hosted style paths, such as ..r2.cloudflarestorage.com instead of path-based routing (.r2.cloudflarestorage.com/).
Implemented GetBucketLocation for compatibility with external tools, this will always return a LocationConstraint of auto.

Stream - Creator ID property

Friday, May 13, 2022

During or after uploading a video to Stream, you can now specify a value for a new field, creator. This field can be used to identify the creator of the video content, linking the way you identify your users or creators to videos in your Stream account. For more, read the blog post.

R2 - 2022-05-06

Friday, May 6, 2022

S3 API GetObject ranges are now inclusive (bytes=0-0 will correctly return the first byte).
S3 API GetObject partial reads return the proper 206 Partial Content response code.
Copying from a non-existent key (or from a non-existent bucket) to another bucket now returns the proper NoSuchKey / NoSuchBucket response.
The S3 API now returns the proper Content-Type: application/xml response header on relevant endpoints.
Multipart uploads now have a -N suffix on the etag representing the number of parts the file was published with.
UploadPart and UploadPartCopy now return proper error messages, such as TooMuchConcurrency or NoSuchUpload, instead of ‘internal error’.
UploadPart can now be sent a 0-length part.

R2 - 2022-05-05

Thursday, May 5, 2022

When using the S3 API, an empty string and us-east-1 will now alias to the auto region for compatibility with external tools.
GetBucketEncryption, PutBucketEncryption and DeleteBucketEncrypotion are now supported (the only supported value currently is AES256).
Unsupported operations are explicitly rejected as unimplemented rather than implicitly converting them into ListObjectsV2/PutBucket/DeleteBucket respectively.
S3 API CompleteMultipartUploads requests are now properly escaped.

R2 - 2022-05-03

Tuesday, May 3, 2022

Pagination cursors are no longer returned when the keys in a bucket is the same as the MaxKeys argument.
The S3 API ListBuckets operation now accepts cf-max-keys, cf-start-after and cf-continuation-token headers behave the same as the respective URL parameters.
The S3 API ListBuckets and ListObjects endpoints now allow per_page to be 0.
The S3 API CopyObject source parameter now requires a leading slash.
The S3 API CopyObject operation now returns a NoSuchBucket error when copying to a non-existent bucket instead of an internal error.
Enforce the requirement for auto in SigV4 signing and the CreateBucket LocationConstraint parameter.
The S3 API CreateBucket operation now returns the proper location response header.

R2 - 2022-04-14

Thursday, Apr 14, 2022

The S3 API now supports unchunked signed payloads.
Fixed .put() for the Workers R2 bindings.
Fixed a regression where key names were not properly decoded when using the S3 API.
Fixed a bug where deleting an object and then another object which is a prefix of the first could result in errors.
The S3 API DeleteObjects operation no longer returns an error even though an object has been deleted in some cases.
Fixed a bug where startAfter and continuationToken were not working in list operations.
The S3 API ListObjects operation now correctly renders Prefix, Delimiter, StartAfter and MaxKeys in the response.
The S3 API ListObjectsV2 now correctly honors the encoding-type parameter.
The S3 API PutObject operation now works with POST requests for s3cmd compatibility.

R2 - 2022-04-04

Monday, Apr 4, 2022

The S3 API DeleteObjects request now properly returns a MalformedXML error instead of InternalError when provided with more than 128 keys.

Stream - Analytics panel in Stream Dashboard

Thursday, Mar 17, 2022

The Stream Dashboard now has an analytics panel that shows the number of minutes of both live and recorded video delivered. This view can be filtered by Creator ID, Video UID, and Country. For more in-depth analytics data, refer to the bulk analytics documentation.

Stream - Custom letterbox color configuration option for Stream Player

Wednesday, Mar 16, 2022

The Stream Player can now be configured to use a custom letterbox color, displayed around the video (’letterboxing’ or ‘pillarboxing’) when the video’s aspect ratio does not match the player’s aspect ratio. Refer to the documentation on configuring the Stream Player here.

Stream - Support for SRT live streaming protocol

Thursday, Mar 10, 2022

Cloudflare Stream now supports the SRT live streaming protocol. SRT is a modern, actively maintained streaming video protocol that delivers lower latency, and better resilience against unpredictable network conditions. SRT supports newer video codecs and makes it easier to use accessibility features such as captions and multiple audio tracks.

For more, read the blog post.

Stream - Faster video quality switching in Stream Player

Thursday, Feb 17, 2022

When viewers manually change the resolution of video they want to receive in the Stream Player, this change now happens immediately, rather than once the existing resolution playback buffer has finished playing.

Stream - Volume and playback controls accessible during playback of VAST Ads

Wednesday, Feb 9, 2022

When viewing ads in the VAST format in the Stream Player, viewers can now manually start and stop the video, or control the volume.

Stream - DASH and HLS manifest URLs accessible in Stream Dashboard

Tuesday, Jan 25, 2022

If you choose to use a third-party player with Cloudflare Stream, you can now easily access HLS and DASH manifest URLs from within the Stream Dashboard. For more about using Stream with third-party players, read the docs here.

Stream - Input health status in the Stream Dashboard

Saturday, Jan 22, 2022

When a live input is connected, the Stream Dashboard now displays technical details about the connection, which can be used to debug configuration issues.

Stream - Live viewer count in the Stream Player

Thursday, Jan 6, 2022

The Stream Player now shows the total number of people currently watching a video live.

Stream - Webhook notifications for live stream connections events

Tuesday, Jan 4, 2022

You can now configure Stream to send webhooks each time a live stream connects and disconnects. For more information, refer to the Webhooks documentation.

Stream - FedRAMP Support

Tuesday, Dec 7, 2021

The Stream Player can now be served from a FedRAMP compliant subdomain.

Stream - 24/7 Live streaming support

Tuesday, Nov 23, 2021

You can now use Cloudflare Stream for 24/7 live streaming.

Stream - Persistent Live Stream IDs

Wednesday, Nov 17, 2021

You can now start and stop live broadcasts without having to provide a new video UID to the Stream Player (or your own player) each time the stream starts and stops. Read the docs.

Stream - MP4 video file downloads for live videos

Thursday, Oct 14, 2021

Once a live video has ended and been recorded, you can now give viewers the option to download an MP4 video file of the live recording. For more, read the docs here.

Stream - Serverless Live Streaming

Thursday, Sep 30, 2021

Stream now supports live video content! For more information, read the blog post and get started by reading the docs.

Stream - Thumbnail previews in Stream Player seek bar

Monday, Jul 26, 2021

The Stream Player now displays preview images when viewers hover their mouse over the seek bar, making it easier to skip to a specific part of a video.

Stream - MP4 video file downloads (GA)

Monday, Jul 26, 2021

All Cloudflare Stream customers can now give viewers the option to download videos uploaded to Stream as an MP4 video file. For more, read the docs here.

Stream - Stream Connect (open beta)

Saturday, Jul 10, 2021

You can now opt-in to the Stream Connect beta, and use Cloudflare Stream to restream live video to any platform that accepts RTMPS input, including Facebook, YouTube and Twitch.

For more, read the blog post or the docs.

Stream - Simplified signed URL token generation

Thursday, Jun 10, 2021

You can now obtain a signed URL token via a single API request, without needing to generate signed tokens in your own application. Read the docs.

Stream - Stream Connect (closed beta)

Tuesday, Jun 8, 2021

You can now use Cloudflare Stream to restream or simulcast live video to any platform that accepts RTMPS input, including Facebook, YouTube and Twitch.

For more, read the blog post or the docs.

Stream - MP4 video file downloads (beta)

Monday, May 3, 2021

You can now give your viewers the option to download videos uploaded to Stream as an MP4 video file. For more, read the docs here.

Stream - Picture quality improvements

Monday, Mar 29, 2021

Cloudflare Stream now encodes videos with fewer artifacts, resulting in improved video quality for your viewers.

Stream - Improved client bandwidth hints for third-party video players

Thursday, Mar 25, 2021

If you use Cloudflare Stream with a third party player, and send the clientBandwidthHint parameter in requests to fetch video manifests, Cloudflare Stream now selects the ideal resolution to provide to your client player more intelligently. This ensures your viewers receive the ideal resolution for their network connection.

Stream - Improved client bandwidth hints for third-party video players

Thursday, Mar 25, 2021

Stream - Less bandwidth, identical video quality

Wednesday, Mar 17, 2021

Cloudflare Stream now delivers video using 3-10x less bandwidth, with no reduction in quality. This ensures faster playback for your viewers with less buffering, particularly when viewers have slower network connections.

Stream - Stream Player 2.0 (preview)

Wednesday, Mar 10, 2021

A brand new version of the Stream Player is now available for preview. New features include:

Unified controls across desktop and mobile devices
Keyboard shortcuts
Intelligent mouse cursor interactions with player controls
Phased out support for Internet Explorer 11

For more, refer to this post on the Cloudflare Community Forum.

Stream - Faster video encoding

Thursday, Mar 4, 2021

Videos uploaded to Cloudflare Stream are now available to view 5x sooner, reducing the time your users wait between uploading and viewing videos.

Stream - Removed weekly upload limit, increased max video upload size

Sunday, Jan 17, 2021

You can now upload videos up to 30GB in size to Cloudflare Stream and also now upload an unlimited number of videos to Cloudflare Stream each week

Stream - Tus support for direct creator uploads

Monday, Dec 14, 2020

You can now use the tus protocol when allowing creators (your end users) to upload their own videos directly to Cloudflare Stream.

In addition, all uploads to Cloudflare Stream made using tus are now faster and more reliable as part of this change.

Stream - Multiple audio track mixdown

Wednesday, Dec 9, 2020

Videos with multiple audio tracks (ex: 5.1 surround sound) are now mixed down to stereo when uploaded to Stream. The resulting video, with stereo audio, is now playable in the Stream Player.

Stream - Storage limit notifications

Wednesday, Dec 2, 2020

Cloudflare now emails you if your account is using 75% or more of your prepaid video storage, so that you can take action and plan ahead.