cloudflare · pedrosousa · Feb 13, 2025 · Feb 13, 2025
@@ -9,5 +9,5 @@ Network Analytics requires the following:
 
 * A Cloudflare Enterprise plan.
 * Cloudflare Magic Transit or Spectrum.
-* Cloudflare Magic WAN. 
+* Cloudflare Magic WAN.
   :::
@@ -4,6 +4,6 @@
 ---
 
 | Description | 2xx response codes | 4xx, 5xx response codes |
-| --- | --- | --- | 
+| --- | --- | --- |
 | If all requests are missing authentication, Cloudflare will apply the label: | `cf-missing-auth` | Without successful responses, no label will be added. |
 | If only some requests are missing authentication, Cloudflare will apply the label: | `cf-mixed-auth` | Without successful responses, no label will be added. |
@@ -5,5 +5,5 @@
 
 :::note
 
-While API Shield is not required to use mTLS, many teams may use mTLS to protect their APIs. 
+While API Shield is not required to use mTLS, many teams may use mTLS to protect their APIs.
 :::
@@ -5,5 +5,5 @@
 
 :::note
 
-You can reorder path variables if they are present. For example, you can route `/api/{var1}/users/{var2}` to `/{var2}/users/{var1}`. Segments of the path that are not variables may be added or omitted entirely. 
+You can reorder path variables if they are present. For example, you can route `/api/{var1}/users/{var2}` to `/{var2}/users/{var1}`. Segments of the path that are not variables may be added or omitted entirely.
 :::
@@ -12,7 +12,7 @@
 :::note
 The session identifier cookie must comply with RFC 6265. Otherwise, it will be rejected.
 
-If you are using a JWT claim, choose the [Token Configuration](/api-shield/security/jwt-validation/configure/#token-configurations) that will verify the JWT. Token Configurations are required to use JWT claims as session identifiers. Refer to [JWT Validation](/api-shield/security/jwt-validation/) for more information. 
+If you are using a JWT claim, choose the [Token Configuration](/api-shield/security/jwt-validation/configure/#token-configurations) that will verify the JWT. Token Configurations are required to use JWT claims as session identifiers. Refer to [JWT Validation](/api-shield/security/jwt-validation/) for more information.
 :::
 
 6. Enter the name of the session identifier.

@@ -3,7 +3,7 @@
 
 ---
 
-You can block artificial intelligence (AI) bots, crawlers, and scrapers from scraping your website content and training large language models (LLM) to recreate it without your permission. 
+You can block artificial intelligence (AI) bots, crawlers, and scrapers from scraping your website content and training large language models (LLM) to recreate it without your permission.
 
 When you enable this feature, all verified bots that are classified as AI Search, AI Assistant, AI Crawler, or an Archiver, as well as a number of unverified bots that fall into the [verified bot categories](/bots/reference/verified-bot-categories/) are blocked. It does not block verified bots that fall into the Search Engine categories.
 
@@ -19,11 +19,11 @@ When you enable this feature via a pre-configured managed rule, Cloudflare can d
 
 The rule to block AI bots takes precedence over all other Super Bot Fight Mode rules. For example, if you have enabled **Block AI bots** and **Allow verified bots**, verified AI bots will also be blocked even if you allow other verified bots on your website or application.
 
-For Bot Management customers, if you have set a rule to serve managed challenges to definitely automated bots, AI bots will also be challenged because custom rules run in a phase before Super Bot Fight Mode, which is the phase when the rule to block AI bots runs. 
+For Bot Management customers, if you have set a rule to serve managed challenges to definitely automated bots, AI bots will also be challenged because custom rules run in a phase before Super Bot Fight Mode, which is the phase when the rule to block AI bots runs.
 
-This behavior remains the same if the setting for verified, definitely automated, and likely bots is set to `block` or `allow`. If you have an action to `allow` for these rules, the request is not matched to any rule and proceeds to the next ruleset phase. Similarly, if the action is set to `block`, they will be blocked in the earlier phase and do not move on to match the AI rule at all. However, when the action is `challenge`, the request matches a rule and therefore will not be matched to any rules after. 
+This behavior remains the same if the setting for verified, definitely automated, and likely bots is set to `block` or `allow`. If you have an action to `allow` for these rules, the request is not matched to any rule and proceeds to the next ruleset phase. Similarly, if the action is set to `block`, they will be blocked in the earlier phase and do not move on to match the AI rule at all. However, when the action is `challenge`, the request matches a rule and therefore will not be matched to any rules after.
 
-For self-serve non-Bot Management customers, all rules for verified, definitely automated, and likely bots run in the phase following the AI bots rule. 
+For self-serve non-Bot Management customers, all rules for verified, definitely automated, and likely bots run in the phase following the AI bots rule.
 
 ```mermaid
 ---

@@ -5,5 +5,5 @@
 
 :::caution[Change notice for Super Bot Fight Mode rulesets]
 
-Updating Super Bot Fight Mode rules via the Rulesets API is no longer supported and may cause unexpected behavior if you do so. 
+Updating Super Bot Fight Mode rules via the Rulesets API is no longer supported and may cause unexpected behavior if you do so.
 :::
@@ -5,7 +5,7 @@ inputParameters: param1
 
 import { Markdown } from "~/components"
 
-To block [AI bots](/bots/concepts/bot/#ai-bots): 
+To block [AI bots](/bots/concepts/bot/#ai-bots):
 
 1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/) and select your account and domain.
 2. Go to **Security** > **Bots**.

@@ -5,7 +5,7 @@
 
 :::note
 
-[JavaScript detections](/bots/reference/javascript-detections/) are stored in the `cf_clearance` cookie. 
+[JavaScript detections](/bots/reference/javascript-detections/) are stored in the `cf_clearance` cookie.
 
 The `cf_clearance` cookie cannot exceed the maximum size of 4096 bytes.
 :::
@@ -8,8 +8,8 @@ The Bot Management Corporate Proxy field contains identified cloud-based corpora
 You can access the Corporate Proxy field in [custom rules](/waf/custom-rules/), [rate limiting rules](/waf/rate-limiting-rules/), or [Workers](/workers/) to provide different security rules for traffic from these sources. You can also exempt them from rules using Bot Management scores.
 
 ```txt title="Example"
-not cf.bot_management.verified_bot 
-and not cf.bot_management.static_resource 
+not cf.bot_management.verified_bot
+and not cf.bot_management.static_resource
 and not  cf.bot_management.corporate_proxy
 and cf.bot_management.score lt 30
 ```
@@ -7,5 +7,5 @@ You can begin the process of disabling the `__cf_bm` cookie [via the API](/api/r
 
 :::note
 
-The `__cf_bm` cookie cannot be disabled if you have Behavioral Analysis enabled. 
+The `__cf_bm` cookie cannot be disabled if you have Behavioral Analysis enabled.
 :::
@@ -15,5 +15,5 @@ To start using Super Bot Fight Mode:
 
 :::caution[Warning]
 
-If your organization also uses [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/), keep **Definitely Automated** set to **Allow**. Otherwise, tunnels might fail with a `websocket: bad handshake` error. 
+If your organization also uses [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/), keep **Definitely Automated** set to **Allow**. Otherwise, tunnels might fail with a `websocket: bad handshake` error.
 :::
@@ -4,7 +4,7 @@
 ---
 
 :::note
-If you are upgrading from Bot Fight Mode to Super Bot Fight Mode, you must disable Bot Fight Mode in your Bot settings. 
+If you are upgrading from Bot Fight Mode to Super Bot Fight Mode, you must disable Bot Fight Mode in your Bot settings.
 
-To turn off Bot Fight Mode, go to **Security** > **Bots** and select **Configure Super Bot Fight Mode**. 
+To turn off Bot Fight Mode, go to **Security** > **Bots** and select **Configure Super Bot Fight Mode**.
 :::
@@ -21,7 +21,7 @@ Links to applications not protected by Access can be added as bookmarks. To add
 
    :::note
 
-   If you are having issues specifying a custom logo, check that the image is served from an HTTPS endpoint. For example, `http://www.example.com/upload/logo.png` will not work. However, `https://www.example.com/upload/logo.png` will. 
+   If you are having issues specifying a custom logo, check that the image is served from an HTTPS endpoint. For example, `http://www.example.com/upload/logo.png` will not work. However, `https://www.example.com/upload/logo.png` will.
    :::
 
 7. Select **Add application** to save and exit.

@@ -128,7 +128,7 @@ These small pattern assessments are dynamic in nature and — in many cases —
 
 ### Mobile phishing
 
-- **Example**: Remote employee getting phished while outside the corporate network. 
+- **Example**: Remote employee getting phished while outside the corporate network.
 - **Detections applied**: Employee email protection and web and DNS services enforcement in remote users (typically through an MDM integration or an always-on VPN solution).
 
 ### Network phishing

@@ -11,5 +11,5 @@ DLS does not support UDP traffic with Cloudflare Secure Web Gateway. To prevent
 2. Under **Firewall**, disable **UDP**.
 3. Enable **TLS decryption**.
 
-If you wish to apply HTTP filtering to all HTTPS traffic, you must also [disable QUIC](/cloudflare-one/policies/gateway/http-policies/http3/#prevent-inspection-bypass) in your users' browsers, either manually or through your mobile device management (MDM) software. For more information, refer to [HTTP/3 inspection](/cloudflare-one/policies/gateway/http-policies/http3/). 
+If you wish to apply HTTP filtering to all HTTPS traffic, you must also [disable QUIC](/cloudflare-one/policies/gateway/http-policies/http3/#prevent-inspection-bypass) in your users' browsers, either manually or through your mobile device management (MDM) software. For more information, refer to [HTTP/3 inspection](/cloudflare-one/policies/gateway/http-policies/http3/).
 :::
@@ -18,7 +18,7 @@ Firefox is now configured to use your DoH endpoint. For more information on conf
 
 :::note
 
-If you want to enforce DNS policies through WARP instead of over DoH, you can disable DoH for your organization by blocking the [Firefox DoH canary domain](https://support.mozilla.org/kb/canary-domain-use-application-dnsnet). 
+If you want to enforce DNS policies through WARP instead of over DoH, you can disable DoH for your organization by blocking the [Firefox DoH canary domain](https://support.mozilla.org/kb/canary-domain-use-application-dnsnet).
 :::
 
 
@@ -62,5 +62,5 @@ Read more about [enabling DNS over HTTPS](https://www.chromium.org/developers/dn
 
 
 <Details header="Safari">
-Currently, Safari does not support DNS over HTTPS. 
+Currently, Safari does not support DNS over HTTPS.
 </Details>
@@ -19,5 +19,5 @@ To switch to a different organization as a user:
 
 :::note
 
-Only admins can [add additional organizations](#mdm-file-format) to the WARP GUI. To connect to an organization that is not displayed in the GUI, go to <strong>{props.two}</strong> to manually log out of the old organization and log into the new organization. 
+Only admins can [add additional organizations](#mdm-file-format) to the WARP GUI. To connect to an organization that is not displayed in the GUI, go to <strong>{props.two}</strong> to manually log out of the old organization and log into the new organization.
 :::
@@ -5,5 +5,5 @@
 
 :::note
 
-If the parameter `ns_set` is omitted, the default set `1` will be assigned. 
+If the parameter `ns_set` is omitted, the default set `1` will be assigned.
 :::
@@ -7,5 +7,5 @@ To recover a deleted domain, [re-add it in Cloudflare](/fundamentals/setup/manag
 
 :::caution
 
-Cloudflare support is unable to restore DNS or settings for deleted domains. 
+Cloudflare support is unable to restore DNS or settings for deleted domains.
 :::
@@ -5,5 +5,5 @@
 
 :::note
 
-The TSIG names configured at your primary and secondary DNS providers have to be exactly the same. Any differences in TSIG names will cause zone transfers to fail. 
+The TSIG names configured at your primary and secondary DNS providers have to be exactly the same. Any differences in TSIG names will cause zone transfers to fail.
 :::
@@ -5,5 +5,5 @@
 
 :::note
 
-Email Security (formerly Area 1) supports Microsoft Office 365 Government Community Cloud (GCC). Refer to [Microsoft 365 Government Community Cloud](/email-security/reference/office365-gcc/) for more information. 
+Email Security (formerly Area 1) supports Microsoft Office 365 Government Community Cloud (GCC). Refer to [Microsoft 365 Government Community Cloud](/email-security/reference/office365-gcc/) for more information.
 :::
@@ -45,7 +45,7 @@ To create the transport rules that will send emails with certain <GlossaryToolti
     * **Apply this rule if**: Select **+** to add a second condition.
     * **And**: *The sender* > *IP address is in any of these ranges or exactly matches* > enter the egress IPs in the [Egress IPs page](/email-security/deployment/inline/reference/egress-ips/).
     * **Do the following**: *{props.seven}*.
-    
+
  {/* todo   <Image src={`~/assets/email-security/static/flexible-partial-images/o365-area1-mx/${props.eight}`} alt="set rule conditions" /> */}
 
 11. Select **Next**.

@@ -37,11 +37,11 @@ To configure anti-spam policies:
   - **Select quarantine policy**: {props.three}.
 - **Retain spam in quarantine for this many days**: Default is 15 days. Email Security (formerly Area 1) recommends 15-30 days.
   - Select the spam actions in the above step:
-    
+
     <div class="large-img">
-    
+
     ![Select the spam actions in the above step](~/assets/images/email-security/deployment/inline-setup/o365-area1-mx/case2-step7-spam.png)
-    
+
     </div>
 
 8. Select **Save**.
@@ -5,5 +5,5 @@
 
 :::note[Note]
 
-Email Security (formerly Area 1) does not currently manage outbound email. If you intend to remove other existing services that manage outbound email, you will have to plan accordingly on migrating outbound functions back to your email services (such as Office 365 / Google Workspace). 
+Email Security (formerly Area 1) does not currently manage outbound email. If you intend to remove other existing services that manage outbound email, you will have to plan accordingly on migrating outbound functions back to your email services (such as Office 365 / Google Workspace).
 :::
@@ -9,5 +9,5 @@ To facilitate compliance with CIPA requirements, administrators can [enable a si
 
 It is important to note that while our recommended CIPA compliance rule covers the essential filter categories, CIPA is designed to be flexible, allowing administrators to adjust filtering policies based on local standards and requirements.
 
-Administrators should carefully assess their specific location and userbase to determine if additional categories may need to be added or modified to ensure comprehensive protection. 
+Administrators should carefully assess their specific location and userbase to determine if additional categories may need to be added or modified to ensure comprehensive protection.
 :::
@@ -23,7 +23,7 @@ To set up those notifications:
    * **Notification email**
 
    :::note
-   Some plans also have access to alerts through [PagerDuty](/notifications/get-started/configure-pagerduty/) and [Webhooks](/notifications/get-started/configure-webhooks/). 
+   Some plans also have access to alerts through [PagerDuty](/notifications/get-started/configure-pagerduty/) and [Webhooks](/notifications/get-started/configure-webhooks/).
    :::
 
 6. Select **Save**.
@@ -3,16 +3,16 @@
 ---
 import { Tabs, TabItem } from "~/components"
 
-Whether to preserve animation frames from input files. Default is `true`. Setting it to `false` reduces animations to still images. This setting is recommended when enlarging images or processing arbitrary user content, because large GIF animations can weigh tens or even hundreds of megabytes. It is also useful to set `anim:false` when using `format:"json"` to get the response quicker without the number of frames. 
+Whether to preserve animation frames from input files. Default is `true`. Setting it to `false` reduces animations to still images. This setting is recommended when enlarging images or processing arbitrary user content, because large GIF animations can weigh tens or even hundreds of megabytes. It is also useful to set `anim:false` when using `format:"json"` to get the response quicker without the number of frames.
 
 <Tabs>
   <TabItem label="URL format">
-    ```js 
+    ```js
     anim=false
     ```
   </TabItem>
   <TabItem label="Workers">
-  ```js 
+  ```js
   cf: {image: {anim: false}}
   ```
   </TabItem>

@@ -3,11 +3,11 @@
 ---
 import { Tabs, TabItem } from "~/components"
 
-Background color to add underneath the image. Applies to images with transparency (for example, PNG) and images resized with `fit=pad`. Accepts any CSS color using CSS4 modern syntax, such as `rgb(255 255 0)` and `rgba(255 255 0 100)`. 
+Background color to add underneath the image. Applies to images with transparency (for example, PNG) and images resized with `fit=pad`. Accepts any CSS color using CSS4 modern syntax, such as `rgb(255 255 0)` and `rgba(255 255 0 100)`.
 
 <Tabs>
   <TabItem label="URL format">
-    ```js 
+    ```js
     background=%23RRGGBB
 
     OR
@@ -16,7 +16,7 @@ Background color to add underneath the image. Applies to images with transparenc
     ```
   </TabItem>
   <TabItem label="Workers">
-  ```js 
+  ```js
   cf: {image: {background: "#RRGGBB"}}
   ```
   </TabItem>

@@ -7,12 +7,12 @@ Blur radius between `1` (slight blur) and `250` (maximum). Be aware that you can
 
 <Tabs>
   <TabItem label="URL format">
-    ```js 
+    ```js
     blur=50
     ```
   </TabItem>
   <TabItem label="Workers">
-  ```js 
+  ```js
   cf: {image: {blur: 50}}
   ```
   </TabItem>

@@ -7,7 +7,7 @@ Adds a border around the image. The border is added after resizing. Border width
 
 <Tabs>
   <TabItem label="Workers">
-  ```js 
+  ```js
   cf: {image: {border: {color: "rgb(0,0,0,0)", top: 5, right: 10, bottom: 5, left: 10}}}
   cf: {image: {border: {color: "#FFFFFF", width: 10}}}
   ```

@@ -7,12 +7,12 @@ Increase brightness by a factor. A value of `1.0` equals no change, a value of `
 
 <Tabs>
   <TabItem label="URL format">
-    ```js 
+    ```js
     brightness=0.5
     ```
   </TabItem>
   <TabItem label="Workers">
-  ```js 
+  ```js
   cf: {image: {brightness: 0.5}}
   ```
   </TabItem>

@@ -7,12 +7,12 @@ Slightly reduces latency on a cache miss by selecting a quickest-to-compress fil
 
 <Tabs>
   <TabItem label="URL format">
-    ```js 
+    ```js
     compression=fast
     ```
   </TabItem>
   <TabItem label="Workers">
-  ```js 
+  ```js
   cf: {image: {compression: "fast"}}
   ```
   </TabItem>

@@ -7,12 +7,12 @@ Increase contrast by a factor. A value of `1.0` equals no change, a value of `0.
 
 <Tabs>
   <TabItem label="URL format">
-    ```js 
+    ```js
     contrast=0.5
     ```
   </TabItem>
   <TabItem label="Workers">
-  ```js 
+  ```js
   cf: {image: {contrast: 0.5}}
   ```
   </TabItem>

@@ -7,12 +7,12 @@ Device Pixel Ratio. Default is `1`. Multiplier for `width`/`height` that makes i
 
 <Tabs>
   <TabItem label="URL format">
-    ```js 
+    ```js
     dpr=1
     ```
   </TabItem>
   <TabItem label="Workers">
-  ```js 
+  ```js
   cf: {image: {dpr: 1}}
   ```
   </TabItem>
-Original file line number
+Diff line change
@@ Expand Up / @@ -5,5 +5,5 @@ @@
     :::note
-    While API Shield is not required to use mTLS, many teams may use mTLS to protect their APIs.
+    While API Shield is not required to use mTLS, many teams may use mTLS to protect their APIs.
     :::