Home / Companies / Cloudflare / Blog / April 2026

April 2026 Summaries

43 posts from Cloudflare

Filter
Month: Year:
Post Summaries Back to Blog
The integration between Cloudflare and Stripe introduces a new protocol that allows coding agents to autonomously perform tasks traditionally handled by humans, such as creating accounts, starting subscriptions, and deploying applications to production without manual intervention. This collaboration enables agents to provision Cloudflare services on behalf of users, requiring only initial permissions and acceptance of terms, thus eliminating the need for direct user actions like entering payment details or copying API tokens. The protocol, co-designed with Stripe, leverages existing standards such as OAuth and payment tokenization to streamline the process, allowing platforms with signed-in users to integrate seamlessly with Cloudflare, facilitating a frictionless deployment experience. Stripe Projects acts as the orchestrator, enabling agents to access a catalog of services, manage authorizations, and handle payment processes securely, thereby empowering users to deploy applications swiftly and efficiently. The partnership also provides incentives for startups, such as Cloudflare credits, and aims to standardize cross-product integrations, enhancing the capabilities of agents while minimizing the need for bespoke engineering solutions.
Apr 30, 2026 1,569 words in the original blog post.
Cloudflare is advancing its efforts to secure site-to-site networking with post-quantum cryptography, aiming for full implementation by 2029, spurred by recent advances in quantum computing. The company has made post-quantum encryption in its IPsec product generally available, utilizing the hybrid ML-KEM (FIPS 203) standard, which combines classical Diffie-Hellman with post-quantum security to protect against harvest-now-decrypt-later attacks. This move marks a significant step as Cloudflare successfully tested interoperability with major vendors like Fortinet and Cisco, offering compatibility with existing hardware. The process has taken longer than the implementation in TLS due to the IPsec community's previous focus on Quantum Key Distribution (QKD), which requires specialized hardware and is not suitable for Internet scale. Draft-ietf-ipsecme-ikev2-mlkem now specifies the use of ML-KEM for IPsec, addressing gaps in earlier standards and promoting interoperability. Cloudflare continues to drive the industry towards a secure, post-quantum Internet by focusing on widely compatible standards that do not require specialized hardware, ensuring that the Internet remains open and interoperable.
Apr 30, 2026 1,149 words in the original blog post.
In the first quarter of 2026, the global Internet landscape faced significant disruptions due to a variety of causes, including government-directed shutdowns, power outages, military actions, severe weather, and technical issues. Notably, Uganda and Iran experienced prolonged Internet blackouts orchestrated by their governments, while military conflicts led to connectivity disruptions in Ukraine and damage to AWS data centers in the Middle East. Severe weather affected Internet access in Portugal, and power outages were responsible for connectivity issues in countries like Cuba, Argentina, and Paraguay. Additionally, technical problems hit major providers like Verizon Wireless in the United States and Flow Grenada. These disruptions emphasize the vulnerability of global Internet infrastructure to both natural and human-induced events, highlighting the complexities of maintaining stable connectivity in an increasingly interconnected world.
Apr 28, 2026 2,945 words in the original blog post.
Cloudflare Workers have improved their handling of errors in Rust Workers by advancing error recovery mechanisms for WebAssembly (Wasm) using the wasm-bindgen toolchain. Historically, issues like panics and aborts in Rust Workers could lead to a poisoned instance, affecting subsequent requests. The text details the introduction of panic=unwind support, which enables the recovery of panics without losing state, leveraging the WebAssembly Exception Handling proposal. This advancement allows destructors to run correctly, ensuring panics are caught and surfaced as JavaScript PanicError exceptions, with promises being rejected accordingly. Additionally, abort recovery mechanisms have been developed to detect and recover from aborts, ensuring that invalid states do not persist and do not lead to cascading failures. These improvements, incorporated into the wasm-bindgen project, aim to enhance the stability of Rust Workers and contribute to a more robust WebAssembly ecosystem, with ongoing efforts to transition these features to stable Rust releases.
Apr 22, 2026 2,062 words in the original blog post.
The evolving dynamics of online interaction highlight the blurring line between human and bot activities, necessitating a shift from traditional human detection to understanding intent and behavior. As AI democratizes capabilities like news summarization and automated tasks, it disrupts the established balance between user rights and publisher interests, as AI agents bypass standard web browsers, leading to opacity in content usage. The client-server model of the internet, which allows for anonymity and decentralization, faces challenges in distinguishing between benign and malicious traffic. Bot management has traditionally relied on imprecise signals and access controls, but the increasing complexity of web interactions calls for privacy-preserving solutions like Privacy Pass, which offers proof of behavior without compromising user identity. As the landscape changes, there's a risk of websites imposing stricter access controls or moving away from open web models, emphasizing the need for an open ecosystem that balances privacy with accountability. The development of anonymous credentials and new standards aims to address these challenges, ensuring the web remains accessible and decentralized while adapting to modern demands.
Apr 21, 2026 3,865 words in the original blog post.
Cloudflare's inaugural Agents Week highlights the transformative role of AI agents in modern work environments, underscoring the need for scalable infrastructure as these agents become integral to various industries. The company has introduced a suite of new tools and platforms designed to accommodate the growing demands of AI agents, including a serverless compute environment, secure networking solutions, and an enhanced agent toolbox. These innovations aim to facilitate the deployment and management of agents by providing scalable compute resources, robust security frameworks, and advanced capabilities such as persistent memory and multimodal model support. Cloudflare's initiatives are set to redefine the Internet landscape by adapting existing web structures to better serve AI agents, marking the advent of what they term the "agentic cloud." Through these developments, Cloudflare seeks to enable developers to efficiently build, deploy, and scale AI-driven applications while ensuring security and performance across its global network.
Apr 20, 2026 1,867 words in the original blog post.
Code review is essential for identifying bugs and sharing knowledge within engineering teams, but it can often create bottlenecks, with wait times for reviews sometimes extending for hours. To address these challenges, Cloudflare experimented with AI code review tools but found existing solutions lacked the flexibility needed for their large-scale operations. Consequently, they developed a CI-native orchestration system around OpenCode, an open-source coding agent, which employs up to seven specialized AI reviewers to assess various aspects such as security, performance, and compliance. Managed by a coordinator agent, this system consolidates and prioritizes review findings into a single structured comment, enhancing the efficiency of the code review process. The architecture is built on a composable plugin framework that supports diverse version control systems and AI providers, ensuring adaptability and scalability across thousands of repositories. This innovative approach has significantly improved Cloudflare's engineering resiliency, allowing for accurate bug detection and blocking of problematic code, all while maintaining the flexibility to evolve with changing technologies and standards.
Apr 20, 2026 1,061 words in the original blog post.
Cloudflare has successfully integrated AI into its engineering stack over the past eleven months, with 93% of its R&D organization utilizing AI coding tools built on its own platform. This initiative involved creating internal MCP servers and AI tooling that led to the formation of the iMARS team, which is part of the Dev Productivity group responsible for internal tooling such as CI/CD and automation. The adoption of AI tools has significantly increased developer velocity, with a notable rise in merge requests and widespread use across 295 teams. A central component of this integration is the AI Gateway, which manages authentication, routing, and data policies, ensuring security and efficiency. Cloudflare's serverless AI inference platform, Workers AI, provides cost savings and reduced latency by running open-source models on its global network, which is crucial for various tasks, including documentation review and lightweight inference. The architecture focuses on a platform layer, knowledge layer, and enforcement layer, with a centralized proxy Worker facilitating seamless integration and management of AI tools. This infrastructure, primarily composed of shipping products, exemplifies Cloudflare's commitment to leveraging its own technologies for internal advancements, aligning with the broader goals of Agents Week.
Apr 20, 2026 1,096 words in the original blog post.
Cloudflare has introduced "Redirects for AI Training," a feature designed to ensure AI training crawlers access the most current content by automatically redirecting them from deprecated pages to updated ones using HTTP 301 status codes. This initiative addresses the issue of AI crawlers consuming outdated information, as existing signals like deprecation banners and canonical tags have proven ineffective. The feature leverages Cloudflare's verified bot classification to identify AI training bots and enforce redirects, thereby enhancing the quality of AI-generated outputs by providing up-to-date data. Cloudflare's Radar now includes a Response Status Code analysis to monitor how different types of AI crawlers interact with web content, revealing insights into how often requests are successful, redirected, or blocked. This move aims to improve the interaction between web content and AI models, ensuring more accurate and timely information is used in AI training processes.
Apr 17, 2026 1,634 words in the original blog post.
Cloudflare's new service, Flagship, introduces a native feature flagging solution built on the OpenFeature standard, designed to enhance the deployment and management of AI-generated code in production environments. Flagship operates seamlessly across various platforms like Workers, Node.js, and browsers, offering rapid feature flag evaluations directly at the edge, minimizing latency and dependency on external services. The system allows for a sophisticated rollout process, including percentage-based deployments and complex targeting rules, enabling precise control over feature visibility and reducing risks associated with new code releases. By integrating with Cloudflare's infrastructure, including Workers and KV storage, Flagship ensures that all data and logic are processed locally, providing a robust solution for teams to manage autonomous AI workflows efficiently. The service, now in closed beta, emphasizes auditability and ease of use, allowing teams to adjust features without altering code, thereby supporting the dynamic needs of modern, AI-driven development cycles.
Apr 17, 2026 1,889 words in the original blog post.
Web pages have been increasing in size by 6-9% annually over the past decade due to their richer, more interactive content, a trend that is not expected to change. However, the frequency of page rebuilds and requests, driven by automated agents, is increasing significantly, leading to challenges in efficient caching and bandwidth usage. Shared compression dictionaries offer a solution by allowing browsers and servers to communicate only the differences in files rather than re-downloading entire files, which results in a significant reduction in data transfer sizes. Cloudflare is developing support for this technology, which involves compressing new file versions against previously cached ones, thereby minimizing redundant data transfer. This approach can notably reduce bandwidth requirements and improve page load times by leveraging compression dictionaries that are specific to each client-server interaction. The adoption of shared dictionaries has been slow due to previous security flaws and technical complexities, but with the introduction of new standards like RFC 9842 and support from major browsers, the infrastructure for widespread implementation is being built. Cloudflare's phased rollout aims to make shared dictionary compression accessible and manageable for all users, thereby enhancing web performance and efficiency in the face of increasing demands from both human and automated traffic.
Apr 17, 2026 2,486 words in the original blog post.
Cloudflare has made significant strides in improving internet performance by becoming the fastest network provider in 60% of the top 1,000 global networks by December 2025, up from 40% earlier that year. This improvement is attributed to both the strategic deployment of new data centers in locations like Algeria, Indonesia, and Poland, which reduced round-trip times, and enhancements in software protocols and resource management, such as leveraging HTTP/3 and optimizing CPU and memory usage. The company measures its performance using Real User Measurements (RUM) to capture real-world connection times, and it employs a trimean approach to smooth out data noise, providing a more accurate reflection of user experience. Cloudflare’s commitment to reducing latency and enhancing connection efficiency not only illustrates its technological advancements but also its dedication to delivering a faster internet experience, as evidenced by the increased number of countries and networks where it now ranks as the fastest provider. Despite these achievements, Cloudflare acknowledges there are still networks where it aims to improve its standing, underlining its ongoing mission to be the fastest provider globally.
Apr 17, 2026 961 words in the original blog post.
As the web evolves to accommodate AI agents, a new tool, isitagentready.com, has been launched to help site owners optimize their websites for agent interaction by guiding them on authentication and content control. Cloudflare has introduced a dataset on Cloudflare Radar to track the adoption of AI agent standards, revealing that the web is still largely unprepared, with only a small percentage of sites adopting new standards like Content Signals and Markdown content negotiation. The tool provides an agent readiness score by assessing sites across four dimensions: Discoverability, Content, Bot Access Control, and Capabilities, offering actionable feedback to improve compatibility with AI agents. This initiative aims to drive the adoption of AI-friendly standards, akin to how Google Lighthouse promotes web performance and security best practices. Additionally, the tool supports agentic commerce standards and allows sites to expose MCP servers and Agent Skills indexes, facilitating seamless AI agent interaction and enhancing content accessibility while providing control over AI engagement.
Apr 17, 2026 1,609 words in the original blog post.
Cloudflare is addressing the challenge of context management in AI agent development with the introduction of Agent Memory, a managed service that enables AI agents to maintain persistent memory, thereby improving their ability to recall relevant information and perform complex reasoning tasks. This service helps to alleviate the issue of context rot by extracting and retaining important information from agent conversations without overloading the context window, allowing agents to forget irrelevant data while remembering crucial details. Agent Memory features a retrieval-based architecture and an opinionated API, designed to enhance the performance and cost-efficiency of production workloads. It offers persistent memory that can be shared across agents and teams, which transforms ephemeral knowledge into a durable asset. The service integrates with Cloudflare Workers and the Cloudflare Agents SDK, and it supports various agent architectures while ensuring data exportability to maintain user ownership of accumulated knowledge. Cloudflare is actively testing and refining Agent Memory internally, with plans for a public release, inviting interested developers to join a waitlist for early access.
Apr 17, 2026 3,323 words in the original blog post.
Unweight is a lossless compression system developed to address the memory bandwidth bottleneck in Cloudflare's inference platform by reducing the size of model weights, enabling faster and more efficient token generation on NVIDIA H100 GPUs. By compressing model weights up to 15-22% without compromising on accuracy, Unweight effectively decreases the data that must traverse from high bandwidth memory to the GPU's fast shared memory, thereby optimizing the use of tensor cores. It employs Huffman coding to compress the exponent byte of model weights, achieving significant size reductions, particularly in multilayer perceptron (MLP) weight matrices. Through multiple execution strategies and an autotuner, Unweight adapts to different workloads and batch sizes, balancing decompression and computational efforts to improve throughput. The initiative has already shown promising results with Llama 3.1-8B models, enabling cost savings and increased deployment flexibility across Cloudflare's network by reducing VRAM usage and transfer times for model distribution. This innovative approach to model weight compression opens up new possibilities for enhancing GPU efficiency and encourages further research in the field.
Apr 17, 2026 3,094 words in the original blog post.
Artifacts is a novel, distributed, versioned file system designed for agents, enabling them to efficiently handle and persist the state at an unprecedented scale. Unlike traditional source control systems built for human users, Artifacts caters to the growing demand driven by agents, allowing them to create repositories programmatically and connect through a Git-compatible interface. It introduces a REST API and native Workers API for environments where Git clients aren't suitable, facilitating operations such as creating repositories, generating credentials, and managing commits. Artifacts can be used not only for source control but also to persist state across various applications, offering features such as time-travel, forking, and diffing. Built on Cloudflare's Durable Objects and utilizing a custom Git server implemented in Zig and compiled to WebAssembly, Artifacts supports millions of Git repositories per namespace and offers rapid startup times through the ArtifactFS filesystem driver, which allows large repos to be mounted efficiently. This system is currently in private beta, with plans for a public release and further enhancements, including expanded metrics, event subscriptions, and native client SDKs. Pricing is designed to accommodate agent-scale operations, ensuring cost-effectiveness for handling millions of repositories.
Apr 16, 2026 2,377 words in the original blog post.
Cloudflare is enhancing its AI capabilities through the AI Gateway and Workers AI to provide a unified inference layer that allows developers to access over 70 models from 12+ providers with a single API, streamlining the integration of multiple AI models into applications. This approach addresses the need for flexibility in selecting models for different tasks, such as customer support agents using varied models for classification, reasoning, and task execution. Cloudflare's infrastructure facilitates fast, reliable, and cost-effective AI operations by minimizing latency, providing automatic failover to ensure reliability, and enabling centralized management of AI spending. The platform also supports the deployment of custom models, allowing users to containerize and run their fine-tuned models on Cloudflare's global network. With ongoing expansions to include image, video, and speech models, and the integration of Replicate's offerings, Cloudflare aims to support the development of multimodal applications and enhance the speed and reliability of AI-powered agents.
Apr 16, 2026 1,421 words in the original blog post.
Cloudflare's recent advancements in hosting large language models like Moonshot's Kimi K2.5 through Workers AI have significantly enhanced the efficiency and speed of processing agentic use cases. By utilizing a sophisticated architecture involving prefill decode disaggregation, Cloudflare is able to optimize GPU usage, improving performance by separating the prefill and decode stages on different servers. Additionally, the implementation of token-aware load balancing and prompt caching has increased throughput and decreased latency, particularly benefiting high-context scenarios like AI code reviews. The company leverages Mooncake's Transfer Engine and Store to efficiently manage KV-cache across multiple GPUs, extending cache beyond VRAM with NVMe storage to handle increased traffic. Moreover, speculative decoding with NVIDIA's EAGLE-3 model enhances token generation speed while maintaining quality. Their proprietary inference engine, Infire, written in Rust, supports multi-GPU configurations, reduces memory overhead, and achieves faster cold-starts, boosting tokens per second throughput by up to 20%. These innovations underscore Cloudflare's commitment to optimizing its infrastructure for high-quality machine learning inference while continuously adapting to new technologies and models.
Apr 16, 2026 1,997 words in the original blog post.
Cloudflare Email Service, now in public beta, serves as a comprehensive platform for integrating email into applications and agent workflows, making email a core interface for agents. It allows for seamless email sending and receiving through its Email Routing and Email Sending features, enabling applications to handle tasks such as notifications, customer support, and account verification. Developers can leverage the service's infrastructure, including the Agents SDK, to build email-native agents that process, classify, and respond to emails asynchronously, much like a human agent would. The service eliminates the need for separate inboxes by using address-based routing and offers tools like the MCP server and Wrangler CLI to facilitate email interactions across various environments. Additionally, Cloudflare provides a reference application, Agentic Inbox, to help developers build and customize their own email solutions, fostering a seamless and global communication channel for agents.
Apr 16, 2026 1,743 words in the original blog post.
Cloudflare has announced an enhancement in its partnership with PlanetScale that enables users to create and manage Postgres and MySQL databases directly from the Cloudflare dashboard, with billing integrated into their Cloudflare account. This integration offers Cloudflare customers, both self-serve and enterprise, seamless access to PlanetScale databases, leveraging the popular Postgres for its robust tooling and scalability, and Vitess MySQL for its reliability. The integration is facilitated through Hyperdrive, Cloudflare's database connectivity service, ensuring fast and reliable database queries by managing connection pools and query caching. Developers can benefit from PlanetScale's features like query insights and safe deployment practices while maintaining low latency by strategically placing Workers near the databases. Starting next month, new PlanetScale databases will be billed directly through Cloudflare, enhancing the developer experience by unifying services under one billing system and furthering collaboration opportunities for future innovations through Cloudflare API integration.
Apr 16, 2026 647 words in the original blog post.
AI Search, previously known as AutoRAG, serves as an efficient search solution for diverse agent needs, such as coding agents searching code repositories or support agents retrieving customer tickets and internal documents. The tool simplifies the complex task of building a search system by providing a plug-and-play option that includes a vector index, an indexing pipeline, and the ability to dynamically create instances for different agents. It supports hybrid search capabilities, combining semantic and keyword matching to deliver precise results by fusing vector search with BM25. AI Search comes with built-in storage and indexing, allowing users to upload files directly via API, and supports the creation of instances per agent or customer without requiring redeployment. In a practical application, such as customer support, it enables agents to efficiently search both shared product documentation and individual customer histories to resolve issues faster and avoid redundant solutions. The system is powered by tools such as Workers AI and allows for metadata attachment to enhance search rankings, enabling seamless, scalable, and context-rich information retrieval across various instances.
Apr 16, 2026 915 words in the original blog post.
Agent Lee is an innovative AI assistant designed to transform user interactions with Cloudflare's platform by enabling tasks through natural language prompts, thereby eliminating the need for complex navigation across multiple interfaces. Embedded within the Cloudflare dashboard, Agent Lee aids users in troubleshooting, implementing changes, and deploying resources by leveraging its understanding of account-specific configurations such as DNS settings and error rates. The AI employs Codemode to convert tool definitions into a TypeScript API, enhancing accuracy and efficiency in executing tasks while ensuring security through a robust permission system that requires user approval for write operations. With its ability to generate interactive visualizations alongside textual responses, Agent Lee provides a dynamic and collaborative experience for approximately 18,000 daily users, executing around 250,000 tool calls per day. Continuously evolving, Agent Lee promises to expand its capabilities beyond the dashboard to interface with the entire Cloudflare platform, offering proactive monitoring and context-aware interactions as it matures from its beta phase.
Apr 15, 2026 1,542 words in the original blog post.
Browser Run, formerly known as Browser Rendering, is a cloud-based browser service designed for AI agents to interact with the web, offering new features that enhance web navigation, data extraction, and real-time troubleshooting. It enables AI agents to perform tasks like navigating sites, filling forms, and taking screenshots while allowing human intervention when needed through its "Human in the Loop" feature. Browser Run provides extensive control over browser sessions via the Chrome DevTools Protocol (CDP), supports AI coding agents like Claude Desktop, and introduces WebMCP to make web navigation more reliable for AI agents. The platform allows for live monitoring via Live View and session recordings for post-session analysis, ensuring agents operate efficiently and issues are swiftly identified and resolved. It also offers higher concurrency limits, enabling more simultaneous browser sessions, and includes a redesigned dashboard for better management and visibility of tasks.
Apr 15, 2026 2,317 words in the original blog post.
Cloudflare has introduced an experimental voice pipeline for its Agents SDK, allowing developers to integrate real-time voice capabilities into their existing agent architectures without the need for a separate voice framework. The @cloudflare/voice package enables conversations with agents over a single WebSocket connection, maintaining the same Durable Object infrastructure and SQLite-backed conversation history as text interactions. This integration supports both full conversational voice agents and speech-to-text-only use cases, with built-in support for voice input and output using Workers AI providers like Deepgram. The system is designed to be provider-agnostic, allowing developers to mix and match components for their specific needs, and is compatible with various telephony and transport options, including WebRTC and Twilio. The voice pipeline aims to reduce latency by keeping the processing on Cloudflare's network and supports dynamic model switching and hooks for data interception. This approach allows for a seamless transition between voice and text inputs, providing a unified, multimodal agent experience.
Apr 15, 2026 2,438 words in the original blog post.
Project Think introduces a new set of primitives for building durable, long-running agents within the Agents SDK, providing features like durable execution, sub-agents, sandboxed code execution, and persistent sessions. The initiative builds on the idea that large language models (LLMs) can be more than mere developer tools by functioning as general-purpose assistants capable of managing tasks like calendar scheduling and data analysis. Traditional agents face challenges related to scalability and cost, as they require constant management and are typically tied to a single user or device. Project Think addresses these issues by using the actor model to give agents a persistent state and identity, enabling them to hibernate when idle and wake on demand. The platform facilitates seamless collaboration and scalability without the high costs associated with traditional virtual machines or containers, allowing for an efficient distribution of resources. By integrating various new capabilities, such as safe sandboxed code execution and an execution ladder, Project Think aims to redefine the economics of running agents at scale, offering a flexible and robust infrastructure that supports self-authored extensions and persistent memory. This approach enables agents to evolve from ephemeral tools into infrastructure-like entities, making them more reliable and scalable for various applications.
Apr 15, 2026 2,744 words in the original blog post.
Workflows, originally designed for human-triggered multi-step applications, has evolved to accommodate a growing demand for agent-triggered workflows operating at machine speed. This shift necessitated the development of a more scalable and robust control plane, leading to the introduction of a new architecture with enhanced concurrency and creation rate limits. The second version of the control plane features two new components, SousChef and Gatekeeper, which manage workflow instances more efficiently by distributing metadata and concurrency slots. The transition from the original system to the new architecture was seamless, allowing for higher throughput and flexibility without downtime. This upgrade supports up to 50,000 concurrent instances and a creation rate of 300 instances per second, ensuring that Workflows can scale effectively with user needs.
Apr 15, 2026 2,187 words in the original blog post.
Cloudflare has introduced the Registrar API in beta, marking the next chapter for Cloudflare Registrar by allowing users to programmatically search, check availability, and register domains. This API is designed to seamlessly integrate into existing software development environments, enabling agents and automation tools to manage domain registration without interrupting workflows. Originally launched to offer domains at cost without markups, Cloudflare Registrar has grown rapidly, and the new API addresses a demand from users for more streamlined processes. The API supports traditional API clients and AI agents, and it is part of the larger Cloudflare API suite, making it accessible through existing systems without additional integration requirements. This advancement allows developers to prompt their AI code editors to suggest, verify, and purchase domains directly within their current tools, enhancing efficiency by reducing the steps needed to register a domain from idea conception to execution.
Apr 15, 2026 694 words in the original blog post.
Cloudflare Mesh is a new networking solution designed to securely connect private networks and provide access for autonomous software agents, addressing the limitations of traditional tools like VPNs and SSH tunnels. It integrates with the Cloudflare Developer Platform, allowing developers to connect their agents, services, and teams to private infrastructure using familiar tools such as the Cloudflare One Client and Mesh nodes. Mesh offers a unified network that supports both human and agent traffic, leveraging Cloudflare's global network for improved reliability and security, while enabling fine-grained traffic control and access management through existing Cloudflare One policies. By routing all traffic through Cloudflare, Mesh resolves challenges like NAT traversal without requiring additional infrastructure. The integration with Workers VPC and the Agents SDK extends these capabilities to cross-cloud environments, facilitating secure, scalable agentic workflows. The platform also aims to introduce identity-aware routing and containerized Mesh nodes, enhancing network management and security for modern infrastructures.
Apr 14, 2026 2,743 words in the original blog post.
Agents in software development enable faster creation of applications, but securing these environments against mistakes and malicious activity is crucial, as outlined by the Open Web Application Security Project (OWASP), which highlights risks like credential leaks and user impersonation in agentic AI systems. These risks, if realized, can lead to significant damage, including denial of service or data leaks. Ensuring security involves managing the lifecycle of non-human identities, such as agents and scripts, by protecting credentials, ensuring visibility through OAuth, and applying granular role-based access control (RBAC). Cloudflare introduces updates to manage these aspects, including scannable tokens for credential protection, OAuth improvements for managing third-party access, and resource-scoped RBAC for precise permission allocation. With partnerships like GitHub's Secret Scanning program, Cloudflare enhances its ability to detect leaked tokens and prevent unauthorized use. Additionally, the introduction of resource-level permissions and new roles allows for finer control over access, adhering to the principle of least privilege. These measures collectively aim to bolster security by ensuring that only necessary permissions are granted, thereby minimizing potential risks in an increasingly autonomous digital environment.
Apr 14, 2026 1,993 words in the original blog post.
Cloudflare has integrated the Model Context Protocol (MCP) as a fundamental part of its AI strategy, extending its use across various departments to enhance workflow efficiency while ensuring security through a suite of controls from its platforms. They have developed a unified security architecture to mitigate risks such as authorization sprawl and supply chain vulnerabilities. By deploying centralized MCP servers and using Cloudflare Access for authentication, Cloudflare maintains control over AI resource access while enabling efficient workflows. They have introduced Code Mode in MCP server portals to significantly reduce token usage, optimizing the deployment of AI applications. Additionally, Cloudflare employs AI Gateway to manage costs and vendor flexibility and utilizes Cloudflare Gateway to detect unauthorized MCP server usage. Public-facing MCP servers are protected with AI security features to prevent prompt injection and data leaks. Through these measures, Cloudflare has established a robust framework for deploying MCP in the enterprise, providing a model for other organizations to follow.
Apr 14, 2026 2,629 words in the original blog post.
Cloudflare has introduced managed OAuth in open beta for its Access applications, enabling seamless integration of agents with internal apps by supporting OAuth 2.0 authentication, which previously posed a challenge. This advancement allows agents to authenticate and access app data securely, aligning with OAuth standards like RFC 9728 to streamline the authorization process for agents and users alike. By implementing managed OAuth, Cloudflare users can effortlessly make their internal apps agent-ready without modifying existing code, promoting security and accountability by ensuring that agents act on behalf of users with fine-grained access controls. The initiative is part of Cloudflare's broader effort to enhance the compatibility between its Workers Platform and Access applications, allowing for easier internal software development and protection. Cloudflare is also working on enabling organizations to share a single identity provider (IdP) across multiple accounts to maintain consistent security protocols and streamline configurations.
Apr 14, 2026 1,983 words in the original blog post.
Dynamic Workers, a new feature of the Workers platform, allows users to load Worker code dynamically into a secure sandbox using the Dynamic Worker Loader API, which operates on isolates rather than containers for faster and more efficient execution. These isolates are lightweight, loading 100 times faster and using only one-tenth of the memory compared to traditional containers, making them suitable for executing single-use AI-generated code securely. However, for use cases requiring persistent code and long-lived state, Dynamic Workers can be paired with Durable Objects, which are unique Workers with attached SQLite databases offering near-zero latency storage access. The challenge arises when integrating Dynamic Workers with Durable Objects, as the latter requires provisioning through the Cloudflare API, which cannot directly reference a Dynamic Worker. To address this, the newly released feature, Durable Object Facets, allows dynamic instantiation of Durable Object classes while maintaining separate storage for each facet. This approach enables developers to write supervisors that manage requests and logistics before passing them to the agent's code, ensuring control over object creation, storage usage, and observability. Each Durable Object with Facets consists of isolated SQLite databases for both the parent and the facet, ensuring data separation and security.
Apr 13, 2026 1,577 words in the original blog post.
Cloudflare Sandboxes, launched in June, provide a secure and scalable environment for AI agents to develop and run code, addressing challenges like burstiness, quick state restoration, security, control, and ergonomics. These sandboxes allow agents to clone repositories, build multi-language code, and run development servers effectively, minimizing idle compute costs through automatic sleep and wake functionality. Recent enhancements include secure credential injection, PTY support for terminal access, persistent code interpreters for Python, JavaScript, and TypeScript, and features like filesystem watching and snapshots for improved iteration speed and session recovery. By working with partners like Figma, which uses Cloudflare Containers for running untrusted code, Cloudflare aims to extend the reach of Sandboxes to more organizations, offering tools like Active CPU Pricing to deploy agents at scale efficiently.
Apr 13, 2026 574 words in the original blog post.
As AI language models and frameworks like OpenCode and Claude Code continue to evolve, they are increasingly deployed in sandboxed environments to ensure security, speed, and control when interacting with various digital platforms. Sandboxes offer a secure space where potentially untrusted agents can operate without compromising the host machine, and they can quickly load and restore states. A notable advancement in sandbox technology is the introduction of outbound Workers, which act as programmatic egress proxies to facilitate secure and observable connections to external services, enhancing authentication capabilities. Traditional authentication methods for agentic workloads, such as API tokens and workload identity tokens, have limitations in security and integration flexibility, leading to the development of more dynamic solutions like custom proxies. Outbound Workers enable a zero-trust model by injecting credentials during requests without exposing them to the workload, and they integrate seamlessly with the Cloudflare Developer Platform, allowing for dynamic and flexible access controls across services. This approach minimizes latency and enhances observability, providing a robust framework for managing authentication and authorization in sandboxed environments.
Apr 13, 2026 1,456 words in the original blog post.
Cloudflare is expanding its API offerings, with a focus on improving agent interactions through a revamped Wrangler CLI that aims to cover the entire Cloudflare API surface. This initiative is supported by a new TypeScript-based schema for consistent command generation across various interfaces, including CLI commands, SDKs, and documentation. The company has introduced Local Explorer, a tool that allows developers to manage local resources with the same APIs used for remote resources, enhancing local development and testing. The Wrangler CLI is being reimagined to provide a cohesive and intuitive experience for developers, with feedback being actively sought to refine and expand its functionality. The early technical preview of the new CLI version is available, and Cloudflare encourages developers to participate in shaping its future capabilities through feedback and suggestions.
Apr 13, 2026 1,622 words in the original blog post.
Cloudflare is embarking on "Agents Week," focusing on adapting the Internet and cloud infrastructure for the emerging era of AI-driven agents, which differ from traditional applications by requiring unique, one-to-one execution environments. Unlike the scalable, multi-user model of existing applications, agents operate on a one-user, one-task basis, necessitating a fundamental shift in computing architecture. Cloudflare's serverless Workers, based on V8 isolates, offer an efficient solution, enabling rapid deployment and teardown, which is essential for the scalability required by agents. As agents become more widespread, moving beyond early adopters like developers to mainstream users, the demand for computing capacity will vastly increase. Cloudflare is addressing this by integrating its developer and zero trust platforms to ensure both the efficiency and security of agent operations. The company is also actively participating in setting open standards and protocols to facilitate the economic and governance aspects of agents interacting with Internet services. This initiative is part of Cloudflare's broader vision to build a more adaptable and efficient Internet, aligning with the evolving requirements of modern technology paradigms.
Apr 12, 2026 2,252 words in the original blog post.
Cloudflare's global network has reached a significant milestone of 500 terabits per second (Tbps) in external capacity, encompassing connections with transit providers, private peering partners, Internet exchanges, and Cloudflare Network Interconnect ports across over 330 cities. Originating from a modest setup in Palo Alto in 2010, Cloudflare has expanded its infrastructure to protect more than 20% of the web and adapt to evolving security needs, such as mitigating a 31.4 Tbps DDoS attack autonomously. The network's architecture enables distributed computing capabilities, allowing customer applications to run on every server, and employs advanced protocols like IPv6, RPKI, and ASPA to enhance security and route validation. In response to the growing presence of AI agents, Cloudflare utilizes sophisticated detection systems to differentiate between legitimate and malicious traffic. The company continues to seek collaboration with network operators and partners to further expand its infrastructure and capabilities.
Apr 10, 2026 1,466 words in the original blog post.
Linux malware often leverages Berkeley Packet Filter (BPF) socket programs to clandestinely monitor network traffic, with some utilizing these filters to stay inactive until triggered by a specific packet. The complexity of reverse-engineering these programs manually can hinder security research, so symbolic execution, using tools like the Z3 theorem prover, has been explored to automate the process of generating the necessary packet to activate such threats. A particular focus is on the BPFDoor malware, used by China-based threat actors for cyberespionage, which exploits BPF to maintain stealthy network footholds. The post discusses a tool developed to quickly analyze BPF instructions and craft the corresponding network packet, significantly cutting down the time required for manual analysis. This tool uses symbolic execution to trace successful paths within the BPF logic, allowing analysts to understand and replicate the packet requirements for activating backdoors like BPFDoor. The research aims to further the community's capability in handling complex BPF instructions and has been made available as open-source to encourage additional advancements in this area.
Apr 08, 2026 2,269 words in the original blog post.
Cloudflare is accelerating its post-quantum security roadmap, aiming for full implementation by 2029, including crucial post-quantum authentication, in response to recent advancements in quantum computing that threaten current cryptographic systems. These developments, highlighted by Google's and Oratomic's advancements in quantum algorithms and hardware, suggest that the timeline for Q-Day, when quantum computers can break existing cryptography, may be sooner than expected, possibly by 2029 or 2030. Cloudflare, which has already implemented post-quantum encryption for most of its products, emphasizes the urgency of updating authentication systems to prevent catastrophic breaches from quantum-forged keys. As the industry shifts focus from preventing harvest-now/decrypt-later attacks to securing authentication, organizations are urged to prioritize long-term key upgrades and prepare for the extensive dependencies involved, including third-party vendors. Cloudflare remains committed to making post-quantum security the default for all customers at no additional cost, as part of its mission to protect the Internet at scale.
Apr 07, 2026 2,058 words in the original blog post.
Cloudflare has introduced a new feature called Organizations, designed to streamline management for enterprise customers who often deal with multiple accounts due to complex team structures. This addition aims to address the challenges administrators face with fragmented controls by allowing them to manage users, configurations, and analytics across numerous Cloudflare accounts from a centralized place. The feature introduces a new role, Org Super Administrator, which grants comprehensive permissions across all accounts within an organization without needing membership in each individual account. The Organizations feature is built on Cloudflare's Tenant system and offers enhanced capabilities such as shared configuration management and a roll-up analytics dashboard. Initially available in public beta for enterprise customers, the feature will soon expand to all customers, starting with pay-as-you-go users. Cloudflare emphasizes a security-first approach in rolling out Organizations, ensuring that each organization is created and managed with appropriate permissions, and plans to extend this functionality to its partner ecosystem in the future.
Apr 06, 2026 1,131 words in the original blog post.
Cloudflare's analysis reveals that 32% of the traffic on its network is generated by automated sources, including AI agents and crawlers, which are increasingly impacting web cache architectures. These AI bots, particularly AI crawlers, exhibit unique behaviors such as high unique URL ratios, content diversity, and inefficient crawling paths, leading to a significant increase in cache misses and challenges in maintaining cache efficiency. This surge in AI traffic affects user experience by increasing bandwidth usage and causing slowdowns on websites, prompting the need for new caching strategies. Cloudflare, in collaboration with ETH Zurich, is exploring AI-aware caching algorithms and the development of a separate cache layer for AI traffic to balance the needs of both human and AI-generated traffic, aiming to enhance cache performance and manage resource allocation effectively. This initiative includes experimenting with different cache replacement algorithms and machine learning-based caching solutions to address the growing influence of AI bot traffic on cloud infrastructure.
Apr 02, 2026 2,096 words in the original blog post.
Eight years since its launch, Cloudflare's 1.1.1.1 public DNS resolver remains committed to being the fastest and most private service, underscored by a recent independent audit confirming its privacy promises. Initially reviewed in 2020, Cloudflare has again undergone an extensive examination by a Big 4 accounting firm to ensure compliance with its privacy commitments, reaffirming that it does not sell or share users' personal data or target users with ads. The audit highlights that source IP addresses are anonymized and deleted within 25 hours, with randomly sampled network packets used solely for troubleshooting and attack mitigation. The audit focused exclusively on privacy commitments, whereas previous reviews included broader operational practices. Cloudflare emphasizes its dedication to privacy, advocating for industry standards that protect users' online movements, and assures that DNS query data from 1.1.1.1 will not be combined with other data to identify users. The detailed results of the audit are available on Cloudflare's compliance page, reinforcing its role as a privacy-first DNS resolver.
Apr 01, 2026 754 words in the original blog post.
The emergence of EmDash, a proposed successor to WordPress, signifies a modern shift in content management systems by addressing longstanding security vulnerabilities inherent in WordPress plugins. While WordPress has been a monumental success in democratizing publishing and continues to hold a significant place in the digital landscape, its plugin architecture remains fundamentally insecure, with 96% of its security issues originating from plugins that have unrestricted access to databases and files. EmDash, built from scratch using TypeScript and leveraging Astro for speed, introduces a serverless, open-source platform with sandboxed plugins running in isolated environments, significantly enhancing security by allowing plugins only the capabilities they explicitly declare in their manifest. This model provides a clear permission structure similar to OAuth, thus preventing unauthorized access and malicious activities. EmDash aims to build upon the legacy of WordPress by offering a more secure, flexible, and modern solution that can be deployed on various platforms, allowing developers to innovate with fewer restrictions while maintaining the open-source spirit.
Apr 01, 2026 763 words in the original blog post.