Cloudflare Queues: run work in the background

The post-quantum EO is an important milestone. Now it’s time to get to work

Sắc lệnh hành pháp 14409 của Mỹ yêu cầu các cơ quan liên bang và nhà thầu phải chuyển sang mã hóa hậu lượng tử (PQC) vào năm 2030 và xác thực hậu lượng tử vào năm 2031, nhằm ngăn chặn các cuộc tấn công "thu thập giờ đây giải mã sau". Cloudflare khuyến nghị cần làm rõ tiêu chuẩn "chuyển đổi", ưu tiên khả năng thích ứng mật mã (crypto agility) và thúc đẩy sự thống nhất toàn cầu về thuật toán NIST để tránh phân mảnh.

Lập trình viên nên đọc bài này để hiểu cách chuyển đổi sang các giải pháp mã hóa chống lượng tử (post-quantum) không chỉ là một yêu cầu pháp lý mà là một chiến lược bảo mật cấp hệ thống, giúp bảo vệ ứng dụng của bạn trước các mối đe dọa tương lai từ máy tính lượng tử trong thời gian ngắn nhất.

Cloudflare Ships Agent Skills for Zero Trust Deployment and Migration

Cloudflare released the Cloudflare One stack, an open-source library of agent skills that enables AI agents to plan, deploy, manage, and migrate Zero Trust environments. The library ships as two lightweight files: one for product guidance and one for vendor-to-vendor migration, with explicit logic for migrating from Zscaler and Palo Alto Networks. The migration logic is the same used in Cloudflare's Descaler and Deskope programs, which have moved enterprise customers in hours rather than months. When paired with the Cloudflare MCP server, agents can query live account configurations and make changes through curated workflows. The stack uses a review-before-apply pattern so practitioners approve changes before they are committed.

Cloudflare D1: a SQL database for your Workers

A practical guide to using Cloudflare D1, a SQLite-based SQL database for Cloudflare Workers. Covers creating a database with Wrangler, configuring bindings in wrangler.jsonc, managing schema changes with migrations, and querying data from a Worker using prepare/bind/all/run/first/batch APIs. Also explains when to use D1 versus R2 or KV.

How we built saga rollbacks for Cloudflare Workflows

Cloudflare Workflows now supports saga-style rollbacks, letting developers attach compensation logic directly to each step.do() call. When a multi-step workflow fails, registered rollback handlers execute in reverse step-start order, each running through Workflows' durable step machinery with retries, timeouts, and lifecycle events. The post explains the API design decisions (fluent vs. builder vs. options object), how rollback handlers are stored as callable stubs, how replay rebuilds handlers after engine restarts, and the key behavioral rules around ordering and eligibility for failed steps.

How Cloudflare Solved a Congestion Bug in quiche

Cloudflare engineers uncovered a bug in their Rust-based CUBIC congestion control implementation within quiche, their open-source QUIC library. The bug caused a never-ending recovery loop when heavy packet loss occurred at connection start, preventing the congestion window from growing. Through instrumented testing with simulated 30% packet loss, they traced the root cause to how CUBIC calculated idle time — when in-flight bytes dropped to zero during a noisy slow start, the idle period optimisation became self-reinforcing, locking the state in recovery. The fix was elegant: measure idle time from both the last sent data and the last ACK received, breaking the cycle and restoring a 100% test pass rate.

Cloudflare-First Networking as Code with Pulumi

A tutorial on building a version-controlled Cloudflare edge baseline using Pulumi and TypeScript. Covers defining DNS records, WAF custom rules, a Cloudflare Worker canary for header validation, and Zero Trust Access policies — all as code. Includes a complete TypeScript Pulumi program and validation steps to confirm each component works correctly after deployment.

Wrangler: the Cloudflare Workers command line tool

Wrangler is the CLI for Cloudflare Workers, used to run code locally, deploy, stream logs, manage secrets, and provision resources like D1 databases, KV, R2, and Queues. Key commands covered include wrangler dev for local development, wrangler deploy for publishing, wrangler tail for live log streaming, wrangler secret put for secure credential storage, and wrangler types for TypeScript binding generation. The config file wrangler.jsonc drives all behavior, and named environments allow separate staging and production setups.