Posts tagged Cloudflare.https://cloudsecop.net/https://cloudsecop.net/en/blog/migration-aws-to-cloudflare-en/https://cloudsecop.net/en/blog/migration-aws-to-cloudflare-en/Playbook for migrating a production app from AWS (Lambda, DynamoDB, RDS, S3, SQS, ElastiCache) to Cloudflare: per-primitive mapping, 3 strategies, cutover, rollback, 10 pitfalls.Sun, 28 Dec 2025 00:00:00 GMTCloudflareCloudflare DeveloperMigrationAWSServerlessKhaVanhttps://cloudsecop.net/en/blog/cost-model-production-en/https://cloudsecop.net/en/blog/cost-model-production-en/Per-primitive Cloudflare pricing (Workers, D1, KV, R2, Queues, DOs, Vectorize, Workers AI), tier breakpoints, AWS comparison, and 3 scale scenarios from blog to 100M req/month.Sun, 21 Dec 2025 00:00:00 GMTCloudflareCloudflare DeveloperCostAWSPricingKhaVanhttps://cloudsecop.net/en/blog/secrets-csp-bot-management-en/https://cloudsecop.net/en/blog/secrets-csp-bot-management-en/Defense-in-depth for Cloudflare Workers: WAF + Bot Management, Turnstile, Access JWT, secret management, CSP/HSTS, 4 auth patterns, Zod validation, and anti-patterns to avoid.Sat, 13 Dec 2025 00:00:00 GMTCloudflareCloudflare DeveloperSecurityCSPBot ManagementKhaVanhttps://cloudsecop.net/en/blog/logs-analytics-tail-workers-en/https://cloudsecop.net/en/blog/logs-analytics-tail-workers-en/Cloudflare's 4 observability layers: Workers Logs (3-day retention), Tail Workers (realtime), Logpush (batch to R2/SIEM), Analytics Engine. Structured logging, alerts, debugging.Fri, 05 Dec 2025 00:00:00 GMTCloudflareCloudflare DeveloperObservabilityLogsAnalytics EngineKhaVanhttps://cloudsecop.net/en/blog/stream-images-media-en/https://cloudsecop.net/en/blog/stream-images-media-en/Cloudflare's 3 media products: Stream (video, HLS/DASH), Images (upload-transform-deliver), and Image Resizing / cf.image. Pipelines, pricing, and when to pick which.Fri, 28 Nov 2025 00:00:00 GMTCloudflareCloudflare DeveloperStreamImagesMediaKhaVanhttps://cloudsecop.net/en/blog/durable-objects-realtime-en/https://cloudsecop.net/en/blog/durable-objects-realtime-en/Durable Objects are Cloudflare's single-writer primitive: 1 roomId = 1 instance, WebSocket Hibernation, persistent storage. 6 patterns, the API, and when DOs are overkill.Thu, 20 Nov 2025 00:00:00 GMTCloudflareCloudflare DeveloperDurable ObjectsWebSocketRealtimeKhaVanhttps://cloudsecop.net/en/blog/vectorize-rag-pattern-en/https://cloudsecop.net/en/blog/vectorize-rag-pattern-en/Vectorize is Cloudflare's native vector DB, paired with Workers AI bge-m3 for full-edge RAG. Ingest + query pipelines, chunking, metadata, hybrid search with D1, reranking.Wed, 12 Nov 2025 00:00:00 GMTCloudflareCloudflare DeveloperVectorizeRAGAIKhaVanhttps://cloudsecop.net/en/blog/workers-ai-model-catalog-en/https://cloudsecop.net/en/blog/workers-ai-model-catalog-en/Workers AI on edge GPUs, AI Gateway proxying OpenAI/Anthropic/Bedrock/Google with cache + rate limit + observability. Catalog, pricing, when to use which, retry/fallback.Tue, 04 Nov 2025 00:00:00 GMTCloudflareCloudflare DeveloperWorkers AIAI GatewayLLMKhaVanhttps://cloudsecop.net/en/blog/ci-cd-wrangler-github-actions-en/https://cloudsecop.net/en/blog/ci-cd-wrangler-github-actions-en/A 4-step pipeline: test → build → deploy → smoke. Scoped API token, 19-assertion smoke test, concurrent lock, preview envs, 10-second rollback. Full workflow file from this blog.Tue, 28 Oct 2025 00:00:00 GMTCloudflareCloudflare DeveloperCI/CDGitHub ActionsWranglerKhaVanhttps://cloudsecop.net/en/blog/astro-remix-sveltekit-workers-en/https://cloudsecop.net/en/blog/astro-remix-sveltekit-workers-en/Three full-stack frameworks on Workers differ in rendering, default JS, adapter, bindings. Real setup for each, SSG vs SSR vs hybrid, and why this blog picked Astro.Mon, 20 Oct 2025 00:00:00 GMTCloudflareCloudflare DeveloperAstroRemixSvelteKitKhaVanhttps://cloudsecop.net/en/blog/orm-d1-drizzle-prisma-en/https://cloudsecop.net/en/blog/orm-d1-drizzle-prisma-en/Three choices: raw SQL (0KB), Drizzle (10KB, TS-first), Prisma (500KB WASM). Workflow, complex queries, migrations, type safety, and when an ORM costs more than it helps.Sun, 12 Oct 2025 00:00:00 GMTCloudflareCloudflare DeveloperD1ORMDrizzlePrismaKhaVanhttps://cloudsecop.net/en/blog/router-choice-hono-itty-en/https://cloudsecop.net/en/blog/router-choice-hono-itty-en/Three options: vanilla fetch (0 bundle), Itty Router (3KB), Hono (13KB). Syntax, middleware, Zod validation, when to pick which, and why this blog uses vanilla at 40+ routes.Sun, 05 Oct 2025 00:00:00 GMTCloudflareCloudflare DeveloperWorkersRoutingKhaVanhttps://cloudsecop.net/en/blog/queues-durable-objects-en/https://cloudsecop.net/en/blog/queues-durable-objects-en/Two of the hardest Worker primitives. Queues for fire-and-forget jobs with retry and DLQ. Durable Objects for single-writer coordination. When to pick which, with real patterns.Sat, 27 Sep 2025 00:00:00 GMTCloudflareCloudflare DeveloperQueuesDurable ObjectsStorageKhaVanhttps://cloudsecop.net/en/blog/r2-object-storage-en/https://cloudsecop.net/en/blog/r2-object-storage-en/R2 is Cloudflare's S3-compatible object storage with no egress fees. R2 vs S3 in real costs, 4 access patterns, S3 migration, and gotchas around consistency, metadata, lifecycle.Fri, 19 Sep 2025 00:00:00 GMTCloudflareCloudflare DeveloperR2StorageKhaVanhttps://cloudsecop.net/en/blog/d1-production-patterns-en/https://cloudsecop.net/en/blog/d1-production-patterns-en/D1 is SQLite at the edge with a primary region and read replicas: architecture, the 5 query methods, Sessions API, prepared-statement cache, and 7 production gotchas.Thu, 11 Sep 2025 00:00:00 GMTCloudflareCloudflare DeveloperD1StorageSQLKhaVanhttps://cloudsecop.net/en/blog/kv-deep-dive-en/https://cloudsecop.net/en/blog/kv-deep-dive-en/Cloudflare KV is an eventually-consistent KV store with per-PoP caching. The real consistency model, limits that matter, 5 good patterns, 3 anti-patterns, and real gotchas.Thu, 04 Sep 2025 00:00:00 GMTCloudflareCloudflare DeveloperKVStorageKhaVanhttps://cloudsecop.net/en/blog/wrangler-miniflare-dev-loop-en/https://cloudsecop.net/en/blog/wrangler-miniflare-dev-loop-en/The practical dev loop for Workers: wrangler init, local wrangler dev with Miniflare, vitest, D1 migrations, secrets, deploying to 300+ PoPs in 30 seconds. Plus CI/CD and gotchas.Wed, 27 Aug 2025 00:00:00 GMTCloudflareCloudflare DeveloperWorkersDevOpsKhaVanhttps://cloudsecop.net/en/blog/mental-model-3-bindings-en/https://cloudsecop.net/en/blog/mental-model-3-bindings-en/A common frame for every Worker: Request is the entry point, Identity is who's calling, Storage is where you read and write. Applied to the Worker running this blog.Sat, 23 Aug 2025 00:00:00 GMTCloudflareCloudflare DeveloperWorkersArchitectureKhaVanhttps://cloudsecop.net/en/blog/workers-runtime-mental-model-en/https://cloudsecop.net/en/blog/workers-runtime-mental-model-en/The fetch handler, ExecutionContext, waitUntil, subrequest limits, CPU vs wall time, real cold starts. Six misconceptions from Node/Lambda. Code samples from this blog's Worker.Tue, 12 Aug 2025 00:00:00 GMTCloudflareCloudflare DeveloperWorkersRuntimeKhaVanhttps://cloudsecop.net/en/blog/cloudflare-developer-platform-intro/https://cloudsecop.net/en/blog/cloudflare-developer-platform-intro/Cloudflare is no longer just a CDN. Workers, D1, R2, KV, Queues, DOs, Workers AI, and Vectorize form an edge-native platform. The mental model, contrasted with Lambda.Mon, 04 Aug 2025 00:00:00 GMTCloudflareCloudflare DeveloperWorkersEdge ComputingKhaVanhttps://cloudsecop.net/en/blog/email-security-area1/https://cloudsecop.net/en/blog/email-security-area1/Email Security deep-dive for Cloudflare One: MX inline vs API journaling, the DMARC forwarder/subdomain trap, homoglyph FP calibration, user-report → retract under 1h.Sat, 12 Jul 2025 00:00:00 GMTCloudflareCloudflare OneEmail SecurityPhishingKhaVanhttps://cloudsecop.net/en/blog/dlp-data-loss-prevention/https://cloudsecop.net/en/blog/dlp-data-loss-prevention/DLP deep-dive for Cloudflare One: tuning from 55% to 3% false positives, regex vs Luhn vs context vs EDM, custom CCCD profile, Gateway HTTP inline vs CASB API.Fri, 04 Jul 2025 00:00:00 GMTCloudflareCloudflare OneDLPData ClassificationZero TrustKhaVanhttps://cloudsecop.net/en/blog/casb-saas-posture/https://cloudsecop.net/en/blog/casb-saas-posture/CASB deep-dive for Cloudflare One from 3 rollouts: the 4 Gartner pillars, inline vs API, 8,000-finding first-scan shock, shadow IT, tenant-lock, when not to use CASB.Thu, 26 Jun 2025 00:00:00 GMTCloudflareCloudflare OneCASBSaaS SecurityZero TrustKhaVanhttps://cloudsecop.net/en/blog/browser-isolation-deep-dive/https://cloudsecop.net/en/blog/browser-isolation-deep-dive/Browser Isolation deep dive for Cloudflare One: remote browser architecture (NVR), isolation triggers, data controls (copy/paste/print/download/keyboard), compliance, cost model.Sun, 15 Jun 2025 00:00:00 GMTCloudflareCloudflare OneBrowser IsolationRBIZero TrustKhaVanhttps://cloudsecop.net/en/blog/device-posture-every-request/https://cloudsecop.net/en/blog/device-posture-every-request/Device posture deep dive for Zero Trust: WARP checks (OS, disk encryption, firewall), EDR integration, continuous verification in Access policy, and response to posture loss.Wed, 11 Jun 2025 00:00:00 GMTCloudflareCloudflare OneZero TrustDevice PostureEDRKhaVanhttps://cloudsecop.net/en/blog/dex-experience-monitoring/https://cloudsecop.net/en/blog/dex-experience-monitoring/DEX deep dive for Cloudflare One: when control plane says UP but users say SLOW, latency-leg diagnosis (DNS/TCP/TLS/TTFB), SLO framework, and 5 failure modes DEX misses.Tue, 03 Jun 2025 00:00:00 GMTCloudflareCloudflare OneDEXObservabilityZero TrustKhaVanhttps://cloudsecop.net/en/blog/logs-pipeline-siem/https://cloudsecop.net/en/blog/logs-pipeline-siem/Logs deep dive for Cloudflare One: datasets, Logpush destinations (R2/S3/Splunk/Sentinel), cross-layer correlation, tiered retention, cost control, sample SIEM detection rules.Tue, 27 May 2025 00:00:00 GMTCloudflareCloudflare OneLogsSIEMObservabilityKhaVanhttps://cloudsecop.net/en/blog/network-policy-l4/https://cloudsecop.net/en/blog/network-policy-l4/Network policy deep dive: blocking non-HTTP (SSH, RDP, SMTP), preventing DoH bypass, app rules for SaaS, WARP keeping user traffic on Gateway, prod checklist, hardening playbook.Mon, 19 May 2025 00:00:00 GMTCloudflareCloudflare OneGatewayNetworkingZero TrustKhaVanhttps://cloudsecop.net/en/blog/gateway-http-filtering-tls-decryption/https://cloudsecop.net/en/blog/gateway-http-filtering-tls-decryption/HTTP inspection deep dive: installing the root CA (MDM, GPO), cert pinning gotchas, DLP patterns, CASB tenant control, legal/privacy guardrails, staged rollout, prod checklist.Wed, 07 May 2025 00:00:00 GMTCloudflareCloudflare OneGatewayTLSDLPCASBKhaVanhttps://cloudsecop.net/en/blog/gateway-dns-policies/https://cloudsecop.net/en/blog/gateway-dns-policies/Gateway DNS deep dive: resolver architecture, policy order, DoH per-device vs DNS location per-site, threat categories, custom lists, OS bypasses, SIEM pipeline, prod checklist.Sat, 03 May 2025 00:00:00 GMTCloudflareCloudflare OneGatewayDNSZero TrustKhaVanhttps://cloudsecop.net/en/blog/magic-wan-bgp-over-gre/https://cloudsecop.net/en/blog/magic-wan-bgp-over-gre/Magic WAN deep dive: a network-layer replacement for SD-WAN/MPLS. Four tunnel options (IPsec, GRE, Anycast IP, CNI), BGP peering, multi-cloud, realistic migration playbook.Tue, 22 Apr 2025 00:00:00 GMTCloudflareCloudflare OneMagic WANNetworkingSD-WANKhaVanhttps://cloudsecop.net/en/blog/warp-client-device-enrollment/https://cloudsecop.net/en/blog/warp-client-device-enrollment/WARP architecture, enrollment flow, device posture checkers (built-in vs CrowdStrike/Intune), split tunnel modes, Local Domain Fallback, DNS, MDM deployment, troubleshooting.Mon, 07 Apr 2025 00:00:00 GMTCloudflareCloudflare OneWARPDevice PostureKhaVanhttps://cloudsecop.net/en/blog/cloudflare-tunnel-deep-dive-guide/https://cloudsecop.net/en/blog/cloudflare-tunnel-deep-dive-guide/cloudflared daemon, ingress rules, HA replicas, non-HTTP (SSH/RDP/SMB), VPN migration, and troubleshooting six common cases. Tunnel is the connectivity foundation for Zero Trust.Wed, 26 Mar 2025 00:00:00 GMTCloudflareCloudflare OneCloudflare TunnelNetworkingKhaVanhttps://cloudsecop.net/en/blog/scim-and-group-sync/https://cloudsecop.net/en/blog/scim-and-group-sync/SCIM closes the stale window: the IdP pushes updates in near-real time instead of Cloudflare pulling claims at login. Okta/Entra/Google setup, lifecycle phases, conflicts.Tue, 18 Mar 2025 00:00:00 GMTCloudflareCloudflare OneIdentitySCIMLifecycleKhaVanhttps://cloudsecop.net/en/blog/service-tokens-mtls-for-non-human/https://cloudsecop.net/en/blog/service-tokens-mtls-for-non-human/When the client is not a user. Service tokens vs mTLS, setup for both, a zero-downtime rotation strategy, audit logs, and common anti-patterns.Fri, 14 Mar 2025 00:00:00 GMTCloudflareCloudflare OneCloudflare AccessmTLSDevOpsKhaVanhttps://cloudsecop.net/en/blog/identity-provider-integration-guide/https://cloudsecop.net/en/blog/identity-provider-integration-guide/A matrix of the four most common IdPs with Cloudflare Access: OIDC vs SAML, per-IdP group claim pitfalls, claim mapping, group sync timing, multi-IdP patterns, prod checklist.Mon, 03 Mar 2025 00:00:00 GMTCloudflareCloudflare OneIdentityOktaEntra IDKhaVanhttps://cloudsecop.net/en/blog/cloudflare-access-ztna-fundamentals/https://cloudsecop.net/en/blog/cloudflare-access-ztna-fundamentals/Replacing VPN for internal apps with Cloudflare Access: anatomy, login flow, 5-step setup (application, IdP, policy, Tunnel, test), policy evaluation order, and troubleshooting.Thu, 27 Feb 2025 00:00:00 GMTCloudflareCloudflare OneCloudflare AccessZTNAKhaVanhttps://cloudsecop.net/en/blog/client-identity-policy-resource-mental-model/https://cloudsecop.net/en/blog/client-identity-policy-resource-mental-model/A framework for reasoning about every Cloudflare One feature: every request traverses four layers producing signals, and policy yields one of five outcomes. Rollout and debugging.Sat, 08 Feb 2025 00:00:00 GMTCloudflareCloudflare OneZero TrustArchitectureKhaVanhttps://cloudsecop.net/en/blog/sase-sse-zero-trust-terminology/https://cloudsecop.net/en/blog/sase-sse-zero-trust-terminology/Four terms routinely conflated in RFPs, design docs, and vendor marketing. Their scope, when Gartner/Forrester defined them, how to use each correctly, and a decision tree.Fri, 31 Jan 2025 00:00:00 GMTCloudflareCloudflare OneSASESSEZero TrustKhaVanhttps://cloudsecop.net/en/blog/what-is-cloudflare-one/https://cloudsecop.net/en/blog/what-is-cloudflare-one/A practical overview of Cloudflare One: SASE, SSE, Zero Trust, the six main product groups, how it compares to Zscaler and Netskope, and the mental model to have before deployment.Thu, 23 Jan 2025 00:00:00 GMTCloudflareCloudflare OneSASEZero TrustKhaVanhttps://cloudsecop.net/en/blog/cspm-multiple-aws-landing-zones/https://cloudsecop.net/en/blog/cspm-multiple-aws-landing-zones/How I built an in-house CSPM engine scanning many AWS Landing Zones in parallel with Prowler, storing findings in D1 and artifacts in R2, into one Security Operations dashboard.Tue, 24 Dec 2024 00:00:00 GMTCloud SecurityAWSCSPMProwlerCloudflareKhaVanhttps://cloudsecop.net/en/blog/pages-to-workers-assets/https://cloudsecop.net/en/blog/pages-to-workers-assets/Why the switch made sense, the practical trade-offs, and a handful of small configuration details that would have saved debugging time up front.Thu, 12 Dec 2024 00:00:00 GMTDevelopersWorkersCloudflareKhaVanhttps://cloudsecop.net/en/blog/zero-trust-rollout-notes/https://cloudsecop.net/en/blog/zero-trust-rollout-notes/What actually worked, what didn't live up to expectation, and the operational lessons from rolling out Cloudflare Zero Trust across an organisation of thousands.Sun, 08 Dec 2024 00:00:00 GMTSecurityZero TrustCloudflareKhaVanhttps://cloudsecop.net/en/blog/cloudflare-d1-schema-tips/https://cloudsecop.net/en/blog/cloudflare-d1-schema-tips/Composite primary keys, when FTS is still worth it, why intuition is a bad guide for indexing, and why row counts at the edge matter more than they look.Wed, 27 Nov 2024 00:00:00 GMTDatabaseD1CloudflareDevelopersKhaVan