Cloudflare KV: a key-value store for your Workers

The post-quantum EO is an important milestone. Now it’s time to get to work

Sắc lệnh hành pháp 14409 của Mỹ yêu cầu các cơ quan liên bang và nhà thầu phải chuyển sang mã hóa hậu lượng tử (PQC) vào năm 2030 và xác thực hậu lượng tử vào năm 2031, nhằm ngăn chặn các cuộc tấn công "thu thập giờ đây giải mã sau". Cloudflare khuyến nghị cần làm rõ tiêu chuẩn "chuyển đổi", ưu tiên khả năng thích ứng mật mã (crypto agility) và thúc đẩy sự thống nhất toàn cầu về thuật toán NIST để tránh phân mảnh.

Lập trình viên nên đọc bài này để hiểu cách chuyển đổi sang các giải pháp mã hóa chống lượng tử (post-quantum) không chỉ là một yêu cầu pháp lý mà là một chiến lược bảo mật cấp hệ thống, giúp bảo vệ ứng dụng của bạn trước các mối đe dọa tương lai từ máy tính lượng tử trong thời gian ngắn nhất.

How we built saga rollbacks for Cloudflare Workflows

Cloudflare Workflows now supports saga-style rollbacks, letting developers attach compensation logic directly to each step.do() call. When a multi-step workflow fails, registered rollback handlers execute in reverse step-start order, each running through Workflows' durable step machinery with retries, timeouts, and lifecycle events. The post explains the API design decisions (fluent vs. builder vs. options object), how rollback handlers are stored as callable stubs, how replay rebuilds handlers after engine restarts, and the key behavioral rules around ordering and eligibility for failed steps.

How Cloudflare Solved a Congestion Bug in quiche

Cloudflare engineers uncovered a bug in their Rust-based CUBIC congestion control implementation within quiche, their open-source QUIC library. The bug caused a never-ending recovery loop when heavy packet loss occurred at connection start, preventing the congestion window from growing. Through instrumented testing with simulated 30% packet loss, they traced the root cause to how CUBIC calculated idle time — when in-flight bytes dropped to zero during a noisy slow start, the idle period optimisation became self-reinforcing, locking the state in recovery. The fix was elegant: measure idle time from both the last sent data and the last ACK received, breaking the cycle and restoring a 100% test pass rate.

Cloudflare R2: object storage without egress fees

Cloudflare R2 is S3-compatible object storage with no egress fees, making it cost-effective for serving files at scale. This guide covers how to use R2 from a Cloudflare Worker: creating a bucket via Wrangler, storing binary uploads with a key, reading objects back as streams, setting content-type metadata, listing objects by prefix, and deleting them. It also notes the option to attach a custom domain for direct public serving without a Worker.

Cloudflare D1: a SQL database for your Workers

A practical guide to using Cloudflare D1, a SQLite-based SQL database for Cloudflare Workers. Covers creating a database with Wrangler, configuring bindings in wrangler.jsonc, managing schema changes with migrations, and querying data from a Worker using prepare/bind/all/run/first/batch APIs. Also explains when to use D1 versus R2 or KV.

Cloudflare-First Networking as Code with Pulumi

A tutorial on building a version-controlled Cloudflare edge baseline using Pulumi and TypeScript. Covers defining DNS records, WAF custom rules, a Cloudflare Worker canary for header validation, and Zero Trust Access policies — all as code. Includes a complete TypeScript Pulumi program and validation steps to confirm each component works correctly after deployment.

Unlocking the Cloudflare app ecosystem with OAuth for all

Cloudflare has opened self-managed OAuth to all developers, allowing anyone to create OAuth applications and build integrations on top of the Cloudflare API. Previously, third-party OAuth was limited to a small number of manually onboarded partners. To make this possible, Cloudflare executed a zero-downtime migration of its underlying OAuth engine (Ory Hydra) from an older version to 2.X using a blue-green deployment strategy. Key engineering challenges included avoiding exclusive table locks during schema migrations (solved with CREATE INDEX CONCURRENTLY), handling refresh token invalidation issues, and preserving revocation events during the cutover window using Cloudflare Queues. The upgrade resulted in significant performance improvements: API P95 latency dropped 45% (185ms to 101ms), Go heap allocation fell 40%, and CPU usage dropped 37%.