Cloudflare R2: object storage without egress fees

The post-quantum EO is an important milestone. Now it’s time to get to work

Sắc lệnh hành pháp 14409 của Mỹ yêu cầu các cơ quan liên bang và nhà thầu phải chuyển sang mã hóa hậu lượng tử (PQC) vào năm 2030 và xác thực hậu lượng tử vào năm 2031, nhằm ngăn chặn các cuộc tấn công "thu thập giờ đây giải mã sau". Cloudflare khuyến nghị cần làm rõ tiêu chuẩn "chuyển đổi", ưu tiên khả năng thích ứng mật mã (crypto agility) và thúc đẩy sự thống nhất toàn cầu về thuật toán NIST để tránh phân mảnh.

Lập trình viên nên đọc bài này để hiểu cách chuyển đổi sang các giải pháp mã hóa chống lượng tử (post-quantum) không chỉ là một yêu cầu pháp lý mà là một chiến lược bảo mật cấp hệ thống, giúp bảo vệ ứng dụng của bạn trước các mối đe dọa tương lai từ máy tính lượng tử trong thời gian ngắn nhất.

How Cloudflare Solved a Congestion Bug in quiche

Cloudflare engineers uncovered a bug in their Rust-based CUBIC congestion control implementation within quiche, their open-source QUIC library. The bug caused a never-ending recovery loop when heavy packet loss occurred at connection start, preventing the congestion window from growing. Through instrumented testing with simulated 30% packet loss, they traced the root cause to how CUBIC calculated idle time — when in-flight bytes dropped to zero during a noisy slow start, the idle period optimisation became self-reinforcing, locking the state in recovery. The fix was elegant: measure idle time from both the last sent data and the last ACK received, breaking the cycle and restoring a 100% test pass rate.

Wrangler: the Cloudflare Workers command line tool

Wrangler is the CLI for Cloudflare Workers, used to run code locally, deploy, stream logs, manage secrets, and provision resources like D1 databases, KV, R2, and Queues. Key commands covered include wrangler dev for local development, wrangler deploy for publishing, wrangler tail for live log streaming, wrangler secret put for secure credential storage, and wrangler types for TypeScript binding generation. The config file wrangler.jsonc drives all behavior, and named environments allow separate staging and production setups.

Cloudflare Ships Agent Skills for Zero Trust Deployment and Migration

Cloudflare released the Cloudflare One stack, an open-source library of agent skills that enables AI agents to plan, deploy, manage, and migrate Zero Trust environments. The library ships as two lightweight files: one for product guidance and one for vendor-to-vendor migration, with explicit logic for migrating from Zscaler and Palo Alto Networks. The migration logic is the same used in Cloudflare's Descaler and Deskope programs, which have moved enterprise customers in hours rather than months. When paired with the Cloudflare MCP server, agents can query live account configurations and make changes through curated workflows. The stack uses a review-before-apply pattern so practitioners approve changes before they are committed.

Cloudflare-First Networking as Code with Pulumi

A tutorial on building a version-controlled Cloudflare edge baseline using Pulumi and TypeScript. Covers defining DNS records, WAF custom rules, a Cloudflare Worker canary for header validation, and Zero Trust Access policies — all as code. Includes a complete TypeScript Pulumi program and validation steps to confirm each component works correctly after deployment.

Unlocking the Cloudflare app ecosystem with OAuth for all

Cloudflare has opened self-managed OAuth to all developers, allowing anyone to create OAuth applications and build integrations on top of the Cloudflare API. Previously, third-party OAuth was limited to a small number of manually onboarded partners. To make this possible, Cloudflare executed a zero-downtime migration of its underlying OAuth engine (Ory Hydra) from an older version to 2.X using a blue-green deployment strategy. Key engineering challenges included avoiding exclusive table locks during schema migrations (solved with CREATE INDEX CONCURRENTLY), handling refresh token invalidation issues, and preserving revocation events during the cutover window using Cloudflare Queues. The upgrade resulted in significant performance improvements: API P95 latency dropped 45% (185ms to 101ms), Go heap allocation fell 40%, and CPU usage dropped 37%.

Cloudflare KV: a key-value store for your Workers

Cloudflare Workers KV is an edge key-value store that lets you store and retrieve data globally with very low read latency. The guide covers creating a KV namespace, binding it to a Worker via wrangler.jsonc, and using the put/get/delete/list API. It also covers storing JSON objects, setting TTL-based key expiration for sessions and caches, and listing keys by prefix. A key caveat: KV is optimized for read-heavy workloads — writes propagate across regions within a few seconds, making it unsuitable for data requiring immediate consistency (e.g., financial records). For those cases, Cloudflare D1 or Durable Objects are recommended.