Merge branch 'cloudflare:production' into production

Author: Thienlta

public/__redirects

@@ -718,7 +718,6 @@
 /fundamentals/get-started/reference/ /fundamentals/reference/ 301
 /fundamentals/get-started/reference/http-request-headers/ /fundamentals/reference/http-request-headers/ 301
 /fundamentals/get-started/reference/network-ports/ /fundamentals/reference/network-ports/ 301
-/fundamentals/get-started/ /fundamentals/setup/ 301
 /fundamentals/get-started/setup/allow-cloudflare-ip-addresses/ /fundamentals/concepts/cloudflare-ip-addresses/ 301
 
 #fundamentals revamp cont

src/content/changelog/fundamentals/2025-08-15-terraform-v5.8.4-provider.mdx

@@ -0,0 +1,58 @@
+---
+title: Terraform v5.8.4 now available
+description: Terraform v5.8.4 stablizes a number of resources and known issues
+products:
+  - fundamentals
+date: 2025-08-15
+---
+
+Earlier this year, we announced the launch of the new [Terraform v5 Provider](/changelog/2025-02-03-terraform-v5-provider/). We are aware of the high number of [issues](https://github.com/cloudflare/terraform-provider-cloudflare) reported by the Cloudflare Community related to the v5 release. We have committed to releasing improvements on a two week cadence to ensure stability and reliability. 
+
+One key change we adopted in recent weeks is a pivot to more comprehensive, test-driven development. We are still evaluating individual issues, but are also investing in much deeper testing to drive our stabilization efforts. We will subsequently be investing in comprehensive migration scripts. As a result, you will see several of the highest traffic APIs have been stabilized in the most recent release, and are supported by comprehensive acceptance tests. 
+
+Thank you for continuing to raise issues. We triage them weekly and they help make our products stronger.
+
+### Changes
+- Resources stabilized:
+  - `cloudflare_argo_smart_routing`
+  - `cloudflare_bot_management`
+  - `cloudflare_list`
+  - `cloudflare_list_item`
+  - `cloudflare_load_balancer`
+  - `cloudflare_load_balancer_monitor`
+  - `cloudflare_load_balancer_pool`
+  - `cloudflare_spectrum_application`
+  - `cloudflare_managed_transforms`
+  - `cloudflare_url_normalization_settings`
+  - `cloudflare_snippet`
+  - `cloudflare_snippet_rules`
+  - `cloudflare_zero_trust_access_application`
+  - `cloudflare_zero_trust_access_group`
+  - `cloudflare_zero_trust_access_identity_provider`
+  - `cloudflare_zero_trust_access_mtls_certificate`
+  - `cloudflare_zero_trust_access_mtls_hostname_settings`
+  - `cloudflare_zero_trust_access_policy`
+  - `cloudflare_zone`
+- Multipart handling restored for `cloudflare_snippet`
+- `cloudflare_bot_management` diff issues resolves when running `terraform plan` and `terraform apply`
+- Other bug fixes
+
+For a more detailed look at all of the changes, refer to the [changelog](https://github.com/cloudflare/terraform-provider-cloudflare/releases/tag/v5.8.4) in GitHub.
+
+### Issues Closed
+- [#5017: 'Uncaught Error: No such module' using cloudflare_snippets](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5017)
+- [#5701: cloudflare_workers_script migrations for Durable Objects not recorded in tfstate; cannot be upgraded between versions](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5701)
+- [#5640: cloudflare_argo_smart_routing importing doesn't read the actual value](https://github.com/cloudflare/terraform-provider-cloudflare/issues/5640)
+
+If you have an unaddressed issue with the provider, we encourage you to check the [open issues](https://github.com/cloudflare/terraform-provider-cloudflare/issues) and open a new one if one does not already exist for what you are experiencing.
+
+### Upgrading
+
+We suggest holding off on migration to v5 while we work on stablization. This help will you avoid any blocking issues while the Terraform resources are actively being stablized.
+
+If you'd like more information on migrating to v5, please make use of the [migration guide](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs/guides/version-5-upgrade). We have provided automated migration scripts using Grit which simplify the transition. These migration scripts do not support implementations which use Terraform modules, so customers making use of modules need to migrate manually. Please make use of `terraform plan` to test your changes before applying, and let us know if you encounter any additional issues by reporting to our [GitHub repository](https://github.com/cloudflare/terraform-provider-cloudflare).
+
+### For more info
+
+- [Terraform provider](https://registry.terraform.io/providers/cloudflare/cloudflare/latest/docs)
+- [Documentation on using Terraform with Cloudflare](/terraform/)

src/content/changelog/fundamentals/2025-09-03-rate-limiting-improvement.mdx

@@ -0,0 +1,32 @@
+---
+title: Introducing new headers for rate limiting on Cloudflare's API
+description: Cloudflare's API handles rate limiting automatically in the SDKs and how to respond appropriately in your code. 
+products:
+  - fundamentals
+date: 2025-09-03
+---
+Cloudflare's API now supports rate limiting headers using the pattern developed by the [IETF draft on rate limiting](https://ietf-wg-httpapi.github.io/ratelimit-headers/draft-ietf-httpapi-ratelimit-headers.html). This allows API consumers to know how many more calls are left until the rate limit is reached, as well as how long you will need to wait until more capacity is available. 
+
+Our SDKs automatically work with these new headers, backing off when rate limits are approached. There is no action required for users of the latest Cloudflare SDKs to take advantage of this. 
+
+As always, if you need any help with rate limits, please contact Support. 
+
+### Changes
+#### New Headers
+
+**Headers that are always returned:**
+- X-RateLimit-Limit: Total Number of requests the caller can make
+- X-RateLimit-Remaining: Number of requests before Rate Limit kicks in
+
+**Returned only when a rate limit has been reached (error code: 429):**
+- Retry-After: Number of Seconds until more capacity is available, rounded up
+- X-RateLimit-Reset: RFC 1123 Formatted Date as to when more capacity is available
+
+#### SDK Back offs
+- All SDKs will automatically respond to the headers, instituting a backoff when limits are approached. 
+
+### GraphQL and Edge APIs
+These new headers and back offs are only available for Cloudflare REST APIs, and will not affect GraphQL. 
+
+### For more information
+* [Rate limits at Cloudflare](https://developers.cloudflare.com/fundamentals/api/reference/limits/)

src/content/changelog/waf/2025-09-08-waf-release.mdx

@@ -0,0 +1,144 @@
+---
+title: "WAF Release - 2025-09-08"
+description: Cloudflare WAF managed rulesets 2025-09-08 release
+date: 2025-09-08
+---
+
+import { RuleID } from "~/components";
+
+**This week's update** 
+
+This week’s focus highlights newly disclosed vulnerabilities in web frameworks, enterprise applications, and widely deployed CMS plugins. The vulnerabilities include SSRF, authentication bypass, arbitrary file upload, and remote code execution (RCE), exposing organizations to high-impact risks such as unauthorized access, system compromise, and potential data exposure. In addition, security rule enhancements have been deployed to cover general command injection and server-side injection attacks, further strengthening protections.
+
+**Key Findings**
+
+* Next.js (CVE-2025-57822): Improper handling of redirects in custom middleware can lead to server-side request forgery (SSRF) when user-supplied headers are forwarded. Attackers could exploit this to access internal services or cloud metadata endpoints. The issue has been resolved in versions 14.2.32 and 15.4.7. Developers using custom middleware should upgrade and verify proper redirect handling in `next()` calls.
+
+* ScriptCase (CVE-2025-47227, CVE-2025-47228): In the Production Environment extension in Netmake ScriptCase through 9.12.006 (23), two vulnerabilities allow attackers to reset admin accounts and execute system commands, potentially leading to full compromise of affected deployments.
+
+* Sar2HTML (CVE-2025-34030): In Sar2HTML version 3.2.2 and earlier, insufficient input sanitization of the plot parameter allows remote, unauthenticated attackers to execute arbitrary system commands. Exploitation could compromise the underlying server and its data.
+
+* Zhiyuan OA (CVE-2025-34040): An arbitrary file upload vulnerability exists in the Zhiyuan OA platform. Improper validation in the `wpsAssistServlet` interface allows unauthenticated attackers to upload crafted files via path traversal, which can be executed on the web server, leading to remote code execution.
+
+* WordPress:Plugin:InfiniteWP Client (CVE-2020-8772): A vulnerability in the InfiniteWP Client plugin allows attackers to perform restricted actions and gain administrative control of connected WordPress sites.
+
+**Impact**
+
+These vulnerabilities could allow attackers to gain unauthorized access, execute malicious code, or take full control of affected systems. The Next.js SSRF flaw may expose internal services or cloud metadata endpoints to attackers. Exploitations of ScriptCase and Sar2HTML could result in remote code execution, administrative takeover, and full server compromise. In Zhiyuan OA, the arbitrary file upload vulnerability allows attackers to execute malicious code on the web server, potentially exposing sensitive data and applications. The authentication bypass in WordPress InfiniteWP Client enables attackers to gain administrative access, risking data exposure and unauthorized control of connected sites.
+
+Administrators are strongly advised to apply vendor patches immediately, remove unsupported software, and review authentication and access controls to mitigate these risks.
+
+<table style="width: 100%">
+  <thead>
+    <tr>
+      <th>Ruleset</th>
+      <th>Rule ID</th>
+      <th>Legacy Rule ID</th>
+      <th>Description</th>
+      <th>Previous Action</th>
+      <th>New Action</th>
+      <th>Comments</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="7c5812a31fd94996b3299f7e963d7afc" />
+      </td>
+      <td>100007D</td>
+      <td>Command Injection - Common Attack Commands Args</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This rule has been merged into the original rule "Command Injection - Common Attack Commands" (ID: <RuleID id="89557ce9b26e4d4dbf29e90c28345b9b" />) for New WAF customers only.</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="cd528243d6824f7ab56182988230a75b" />
+      </td>      
+      <td>100617</td>
+      <td>Next.js - SSRF - CVE:CVE-2025-57822</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="503b337dac5c409d8f833a6ba22dabf1" />
+      </td>
+      <td>100659_BETA</td>
+      <td>Common Payloads for Server-Side Template Injection - Beta</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This rule is merged into the original rule "Common Payloads for Server-Side Template Injection" (ID: <RuleID id="21c7a963e1b749e7b1753238a28a42c4" />)</td>
+    </tr>    
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="6d24266148f24f5e9fa487f8b416b7ca" />
+      </td>
+      <td>100824B</td>
+      <td>CrushFTP - Remote Code Execution - CVE:CVE-2025-54309 - 3</td>
+      <td>Log</td>
+      <td>Disabled</td>
+      <td>This is a New Detection</td>
+    </tr>    
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="154b217c43d04f11a13aeff05db1fa6b" />
+      </td>
+      <td>100848</td>
+      <td>ScriptCase - Auth Bypass - CVE:CVE-2025-47227</td>
+      <td>Log</td>
+      <td>Disabled</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="cad6f1c8c6d44ef59929e6532c62d330" />
+      </td>
+      <td>100849</td>
+      <td>ScriptCase - Command Injection - CVE:CVE-2025-47228</td>
+      <td>Log</td>
+      <td>Disabled</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="e7464139fd3e44938b56716bef971afd" />
+      </td>
+      <td>100872</td>
+      <td>WordPress:Plugin:InfiniteWP Client - Missing Authorization - CVE:CVE-2020-8772</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="0181ebb2cc234f2d863412e1bab19b0b" />
+      </td>
+      <td>100873</td>
+      <td>Sar2HTML - Command Injection - CVE:CVE-2025-34030</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="34d5c7c7b08b40eaad5b2bb3f24c0fbe" />
+      </td>
+      <td>100875</td>
+      <td>Zhiyuan OA - Remote Code Execution - CVE:CVE-2025-34040</td>
+      <td>Log</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>    
+  </tbody>
+</table>

src/content/changelog/waf/scheduled-waf-release.mdx

@@ -1,7 +1,7 @@
 ---
-title: WAF Release - Scheduled changes for 2025-09-08
-description: WAF managed ruleset changes scheduled for 2025-09-08
-date: 2025-09-01
+title: WAF Release - Scheduled changes for 2025-09-15
+description: WAF managed ruleset changes scheduled for 2025-09-15
+date: 2025-09-08
 scheduled: true
 ---
 
@@ -21,103 +21,37 @@ import { RuleID } from "~/components";
   </thead>
   <tbody>
     <tr>
-      <td>2025-09-01</td>
       <td>2025-09-08</td>
+      <td>2025-09-15</td>
       <td>Log</td>
-      <td>100007D</td>
+      <td>100646</td>
       <td>
-        <RuleID id="7c5812a31fd94996b3299f7e963d7afc" />
+        <RuleID id="199cce9ab21e40bcb535f01b2ee2085f" />
       </td>
-      <td>Command Injection - Common Attack Commands Args</td>
-      <td>Beta detection. This will be merged into the original rule "Command Injection - Common Attack Commands" (ID: <RuleID id="89557ce9b26e4d4dbf29e90c28345b9b" />)</td>
-    </tr>
-    <tr>
-      <td>2025-09-01</td>
-      <td>2025-09-08</td>
-      <td>Log</td>
-      <td>100617</td>
-      <td>
-        <RuleID id="cd528243d6824f7ab56182988230a75b" />
-      </td>
-      <td>Next.js - SSRF - CVE:CVE-2025-57822</td>
-      <td>This is a New Detection</td>
-    </tr>
-    <tr>
-      <td>2025-09-01</td>
-      <td>2025-09-08</td>
-      <td>Log</td>
-      <td>100659_BETA</td>
-      <td>
-        <RuleID id="503b337dac5c409d8f833a6ba22dabf1" />
-      </td>
-      <td>Common Payloads for Server-Side Template Injection - Beta</td>
-      <td>Beta detection. This will be merged into the original rule "Common Payloads for Server-Side Template Injection" (ID: <RuleID id="21c7a963e1b749e7b1753238a28a42c4" />)</td>
-    </tr>    
-    <tr>
-      <td>2025-09-01</td>
-      <td>2025-09-08</td>
-      <td>Log</td>
-      <td>100824B</td>
-      <td>
-        <RuleID id="6d24266148f24f5e9fa487f8b416b7ca" />
-      </td>
-      <td>CrushFTP - Remote Code Execution - CVE:CVE-2025-54309 - 3</td>
-      <td>This is a New Detection</td>
-    </tr>    
-    <tr>
-      <td>2025-09-01</td>
-      <td>2025-09-08</td>
-      <td>Log</td>
-      <td>100848</td>
-      <td>
-        <RuleID id="154b217c43d04f11a13aeff05db1fa6b" />
-      </td>
-      <td>ScriptCase - Auth Bypass - CVE:CVE-2025-47227</td>
+      <td>Argo CD - Information Disclosure - CVE:CVE-2025-55190</td>
       <td>This is a New Detection</td>
     </tr>
     <tr>
-      <td>2025-09-01</td>
       <td>2025-09-08</td>
+      <td>2025-09-15</td>
       <td>Log</td>
-      <td>100849</td>
+      <td>100874</td>
       <td>
-        <RuleID id="cad6f1c8c6d44ef59929e6532c62d330" />
+        <RuleID id="e513bb21b6a44f9cbfcd2462f5e20788" />
       </td>
-      <td>ScriptCase - Command Injection - CVE:CVE-2025-47228</td>
+      <td>DataEase - JNDI injection - CVE:CVE-2025-57773</td>
       <td>This is a New Detection</td>
     </tr>
     <tr>
-      <td>2025-09-01</td>
       <td>2025-09-08</td>
+      <td>2025-09-15</td>
       <td>Log</td>
-      <td>100872</td>
+      <td>100880</td>
       <td>
-        <RuleID id="e7464139fd3e44938b56716bef971afd" />
+        <RuleID id="be097f5a71a04f27aa87b60d005a12fd" />
       </td>
-      <td>WordPress:Plugin:InfiniteWP Client - Missing Authorization - CVE:CVE-2020-8772</td>
+      <td>Sitecore - Information Disclosure - CVE:CVE-2025-53694</td>
       <td>This is a New Detection</td>
-    </tr>
-    <tr>
-      <td>2025-09-01</td>
-      <td>2025-09-08</td>
-      <td>Log</td>
-      <td>100873</td>
-      <td>
-        <RuleID id="0181ebb2cc234f2d863412e1bab19b0b" />
-      </td>
-      <td>Sar2HTML - Command Injection - CVE:CVE-2025-34030</td>
-      <td>This is a New Detection</td>
-    </tr>
-    <tr>
-      <td>2025-09-01</td>
-      <td>2025-09-08</td>
-      <td>Log</td>
-      <td>100875</td>
-      <td>
-        <RuleID id="34d5c7c7b08b40eaad5b2bb3f24c0fbe" />
-      </td>
-      <td>Zhiyuan OA - Remote Code Execution - CVE:CVE-2025-34040</td>
-      <td>This is a New Detection</td>
-    </tr>
+    </tr>    
   </tbody>
 </table>