Safeguard
Tag

cloudflare

Safeguard articles tagged "cloudflare" — guides, analysis, and best practices for software supply chain and application security.

12 articles

Cloud Security

Cloudflare Workers, KV, and Durable Objects: the supply chain view in 2026

Worker bundle composition, wrangler publish trust, and the deploy-from-CI credential blast radius are the supply chain shape of Cloudflare in 2026.

May 14, 20267 min read
Infrastructure Security

When DNSSEC Goes Wrong: The .de TLD Signing Failure That Took Down German Domains (May 5, 2026)

On May 5, 2026, DENIC published unvalidatable DNSSEC signatures for the .de zone after a deployment defect made its signer generate three key pairs instead of one. Validating resolvers worldwide, including Cloudflare's 1.1.1.1, were forced to return SERVFAIL.

May 7, 202613 min read
Cloud Security

Cloudflare Workers Build Attestations: A Defender's Field Guide

Workers Builds emits provenance attestations for the code it deploys. We trace how to verify them, gate on them, and integrate them into a multi-cloud supply chain program.

Apr 10, 20267 min read
Cloud Security

Cloudflare Workers: Supply Chain Threat Model

Cloudflare Workers collapse the build, deploy, and runtime into one surface. That changes the supply chain threat model in ways most teams underestimate.

Mar 1, 20268 min read
Cloud Security

Cloudflare Code Orange Fail Small: What the Resilience Plan Actually Changes

After November and December 2025 outages, Cloudflare declared Code Orange and shipped a Health Mediated Deployment system, break-glass dependency audits, and graceful-degradation rewrites.

Jan 20, 20267 min read
Cloud Security

Cloudflare November 18 2025 Outage: A Bot Management Feature File Doubled in Size

A ClickHouse permissions change caused Cloudflare's Bot Management feature file to balloon past a hard-coded proxy limit, taking the core network down for two hours and ten minutes.

Nov 21, 20257 min read
Cloud Security

Cloudflare Workers KV June 12 2025 Outage: A GCP Dependency Story

A 2-hour, 28-minute Workers KV outage rolled into Access, Gateway, WARP, and Turnstile because the central store sat on GCP. Here is the dependency chain and the R2 re-architecture that followed.

Jun 16, 20257 min read
Cloud Security

Cloudflare R2 March 21, 2025 Outage: A Credential Rotation Postmortem

A missing --env flag during a Wrangler secret rotation took R2 writes to zero for 67 minutes. Here is the failure mode and the deployment guardrails that should have caught it.

Mar 26, 20257 min read
Cloud Security

Cloudflare R2 February 6, 2025 Outage: When Abuse Tooling Took Down Production

A routine phishing-URL takedown clicked the wrong button and disabled R2 globally for 59 minutes. Here is what went wrong and the two-party approval Cloudflare added afterwards.

Feb 10, 20257 min read
Incident Analysis

Cloudflare's Thanksgiving 2023 Breach: How Okta Credentials Led to a Nation-State Intrusion

Cloudflare disclosed that a nation-state actor used credentials stolen from the October 2023 Okta breach to access their Atlassian systems. Their transparent post-mortem set a new standard.

Feb 1, 20245 min read
Case Studies

Cloudflare's Supply Chain Security Model

How Cloudflare secures the software supply chain for infrastructure that sits between the internet and millions of websites, with lessons on Rust adoption and edge computing security.

Nov 5, 20237 min read
Incident Response

0ktapus: The Phishing Campaign That Hit Cloudflare, Twilio, and 130+ Organizations

A single phishing campaign compromised over 130 companies including Cloudflare and Twilio. Here's how the 0ktapus attack chain worked.

Aug 8, 20226 min read
cloudflare — Safeguard Blog