Merge branch 'production' into patricia/pcx18133-turnstile-docs-v2

Author: patriciasantaana

.github/pull_request_template.md

@@ -10,6 +10,7 @@
 
 <!-- Remove items that do not apply -->
 
+- [ ] Is there a [changelog](https://developers.cloudflare.com/changelog/) entry ([guidelines](https://developers.cloudflare.com/style-guide/documentation-content-strategy/content-types/changelog/))? If you don't add one for something awesome and new (however small) — how will our customers find out? Changelogs are automatically posted to [RSS feeds](https://developers.cloudflare.com/fundamentals/new-features/available-rss-feeds/), the [Discord](https://discord.com/channels/595317990191398933/1040420029080018945), and [X](https://x.com/CFchangelog).
 - [ ] The [documentation style guide](https://developers.cloudflare.com/style-guide/) has been adhered to.
 - [ ] If a larger change - such as adding a new page- an issue has been opened in relation to any incorrect or out of date information that this PR fixes.
 - [ ] Files which have changed name or location have been allocated [redirects](https://developers.cloudflare.com/pages/configuration/redirects/#per-file).

public/__redirects

@@ -38,6 +38,13 @@
 /waf/change-log/index.xml /changelog/rss/waf.xml 301
 /waf/change-log/general-updates/index.xml /changelog/rss/waf.xml 301
 
+## area changelog feeds
+
+/fundamentals/reference/changelog/performance/index.xml /changelog/rss/application-performance.xml 301
+/fundamentals/reference/changelog/platform/index.xml /changelog/rss/core-platform.xml 301
+/fundamentals/reference/changelog/security/index.xml /changelog/rss/application-security.xml 301
+/workers/platform/changelog/platform/index.xml /changelog/rss/developer-platform.xml 301
+
 ## legacy
 /release-notes/index.xml /changelog/rss/index.xml 301
 /release-notes/ /changelog/ 301
@@ -1241,6 +1248,8 @@
 /security-center/indicator-feeds/get-started/ /security-center/indicator-feeds/ 301
 
 # spectrum
+/spectrum/changelog/ /spectrum/ 301
+/spectrum/changelog/index.xml /changelog/rss/index.xml 301
 /spectrum/getting-started/ /spectrum/get-started/ 301
 /spectrum/getting-started/byoip/ /spectrum/about/byoip/ 301
 /spectrum/getting-started/getting-started/ /spectrum/get-started/ 301
@@ -1514,6 +1523,10 @@
 # time-services_redirects
 /time-services/nts/usage/ /time-services/nts/ 301
 
+# tenant
+/tenant/changelog/ /tenant/ 301
+/tenant/changelog/index.xml /changelog/rss/index.xml 301
+
 # turnstile
 /turnstile/get-started/domain-management/ /turnstile/reference/domain-management/ 301
 /turnstile/get-started/migrating-from-recaptcha/ /turnstile/migration/recaptcha/ 301
@@ -1618,6 +1631,8 @@
 
 # waiting-room
 /waiting-room/how-to/mobile-traffic/ /waiting-room/how-to/json-response/ 301
+/waiting-room/changelog/ /waiting-room/ 301
+/waiting-room/changelog/index.xml /changelog/rss/index.xml 301
 
 # warp-client
 /warp-client/get-started/macOS/ /warp-client/get-started/macos/ 301

src/assets/images/reference-architecture/fullstack-app/fullstack-app-base.svg

@@ -16,11 +16,10 @@ if (!page) {
 }
 
 if (
-	!page.data.release_notes_file_name &&
-	!page.data.release_notes_product_area_name
+	!page.data.release_notes_file_name
 ) {
 	throw new Error(
-		`[ProductReleaseNotes] ${Astro.params.slug} does not have a 'release_notes_file_name' or 'changaelog_product_area_name' frontmatter property.`,
+		`[ProductReleaseNotes] ${Astro.params.slug} does not have a 'release_notes_file_name' frontmatter property.`,
 	);
 }
 
@@ -34,37 +33,22 @@ if (
 }
 
 const name =
-	page.data.release_notes_product_area_name ??
 	page.data.release_notes_file_name?.[0];
 
 let releaseNotes;
 
-if (page.data.release_notes_product_area_name) {
+if (name === "api-deprecations") {
+	const opts = {
+		deprecationsOnly: true,
+	};
+	({ releaseNotes } = await getReleaseNotes(opts));
+} else {
 	const opts = {
 		filter: (entry: CollectionEntry<"release-notes">) => {
-			return entry.data.productArea === name;
+			return entry.id === name;
 		},
 	};
 	({ releaseNotes } = await getReleaseNotes(opts));
-} else {
-	if (name === "wrangler") {
-		const opts = {
-			wranglerOnly: true,
-		};
-		({ releaseNotes } = await getReleaseNotes(opts));
-	} else if (name === "api-deprecations") {
-		const opts = {
-			deprecationsOnly: true,
-		};
-		({ releaseNotes } = await getReleaseNotes(opts));
-	} else {
-		const opts = {
-			filter: (entry: CollectionEntry<"release-notes">) => {
-				return entry.id === name;
-			},
-		};
-		({ releaseNotes } = await getReleaseNotes(opts));
-	}
 }
 
 if (!releaseNotes) {

src/components/ProductReleaseNotes.astro

@@ -96,7 +96,7 @@ Meanwhile, the information disclosure flaw in WordPress core provides attackers
       <td>
         <RuleID id="28108d25f1cf470c8e7648938f634977" />
       </td>
-      <td>100814</td>
+      <td>100820</td>
       <td>CentOS WebPanel - Remote Code Execution - CVE:CVE-2025-48703</td>
       <td>Log</td>
       <td>Block</td>
@@ -136,4 +136,4 @@ Meanwhile, the information disclosure flaw in WordPress core provides attackers
       <td>This is a New Detection</td>
     </tr>
   </tbody>
-</table>
+</table>

src/content/changelog/waf/2025-08-04-waf-release.mdx

@@ -0,0 +1,61 @@
+---
+title: "WAF Release - 2025-08-07 - Emergency"
+description: Cloudflare WAF managed rulesets 2025-08-07 emergency release
+date: 2025-08-07
+---
+
+import { RuleID } from "~/components";
+
+This week’s highlight focuses on two critical vulnerabilities affecting key infrastructure and enterprise content management platforms. Both flaws present significant remote code execution risks that can be exploited with minimal or no user interaction.
+
+**Key Findings**
+
+- Squid (≤6.3) — CVE-2025-54574: A heap buffer overflow occurs when processing Uniform Resource Names (URNs). This vulnerability may allow remote attackers to execute arbitrary code on the server. The issue has been resolved in version 6.4.
+
+- Adobe AEM (≤6.5.23) — CVE-2025-54253: Due to a misconfiguration, attackers can achieve remote code execution without requiring any user interaction, posing a severe threat to affected deployments.
+
+**Impact**
+
+Both vulnerabilities expose critical attack vectors that can lead to full server compromise. The Squid heap buffer overflow allows remote code execution by crafting malicious URNs, which can lead to server takeover or denial of service. Given Squid’s widespread use as a caching proxy, this flaw could be exploited to disrupt network traffic or gain footholds inside secure environments.
+
+Adobe AEM’s remote code execution vulnerability enables attackers to run arbitrary code on the content management server without any user involvement. This puts sensitive content, application integrity, and the underlying infrastructure at extreme risk. Exploitation could lead to data theft, defacement, or persistent backdoor installation.
+
+These findings reinforce the urgency of updating to the patched versions — Squid 6.4 and Adobe AEM 6.5.24 or later — and reviewing configurations to prevent exploitation.
+
+<table style="width: 100%">
+  <thead>
+    <tr>
+      <th>Ruleset</th>
+      <th>Rule ID</th>
+      <th>Legacy Rule ID</th>
+      <th>Description</th>
+      <th>Previous Action</th>
+      <th>New Action</th>
+      <th>Comments</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="f61ed7c1e7e24c3380289e41ef7e015b" />
+      </td>
+      <td>100844</td>
+      <td>Adobe Experience Manager Forms - Remote Code Execution - CVE:CVE-2025-54253</td>
+      <td>N/A</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="e76e65f5a3aa43f49e0684a6baec057a" />
+      </td>
+      <td>100840</td>
+      <td>Squid - Buffer Overflow - CVE:CVE-2025-54574</td>
+      <td>N/A</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+  </tbody>
+</table>

src/content/changelog/waf/2025-08-07-emergency-waf-release.mdx

@@ -3,6 +3,7 @@ title: Deploy to Cloudflare buttons now support Worker environment variables, se
 description: Worker environment variables, secrets, and Secrets Store secrets can now be used in Workers templates
 products:
   - workers
+  - secrets-store
 date: 2025-07-29T01:00:00Z
 ---
 

src/content/changelog/workers/2025-07-01-workers-deploy-button-supports-environment-variables-and-secrets.mdx

@@ -114,7 +114,6 @@ If you deselect **Save new endpoints to endpoint management**, the endpoints wil
 
 ### Add endpoints manually
 
-
 <Tabs syncKey="dashNewNav">
   <TabItem label="Old dashboard">
     <Steps>
@@ -192,7 +191,7 @@ For each saved endpoint, customers can view:
 - **Error rate** vs. overall traffic: grouped by 4xx, 5xx, and their sum.
 - **Response size**: The average size of the response (in bytes) returned to the request.
 - **Labels**: The current [labels](/api-shield/management-and-monitoring/endpoint-labels/) assigned to the endpoint.
-- **Authentication status**: The breakdown of which [session identifiers](/api-shield/get-started/#session-identifiers) were seen on successful requests to this endpoint.
+- **[Authentication status](/api-shield/security/authentication-posture/)**: The breakdown of which [session identifiers](/api-shield/get-started/#session-identifiers) were seen on successful requests to this endpoint.
 - **Sequences**: The number of [Sequence Analytics](/api-shield/security/sequence-analytics/) sequences the endpoint was found in.
 
 :::note

src/content/docs/api-shield/management-and-monitoring/endpoint-management/index.mdx

@@ -10,8 +10,6 @@ import { Render, Tabs, TabItem, Steps } from "~/components";
 
 Protect your website or application from AI crawlers by implementing a `robots.txt` file on your domain to direct AI bot operators on what content they can and cannot scrape for AI model training.
 
-Cloudflare's managed `robots.txt` explicitly disallows known bots engaged in scraping for AI purposes.
-
 AI bots are expected to follow the `robots.txt` directives.
 
 :::note
@@ -37,7 +35,18 @@ Disallow: /langtest
 Sitemap: https://www.crawlstop.com/sitemap.xml
 ```
 
-With the managed `robots.txt` enabled, Cloudflare will prepend our managed content before your original content, resulting in what you can view at https://crawlstop.com/robots.txt.
+With the managed `robots.txt` enabled, Cloudflare will prepend our managed content before your original content, resulting in what you can view at https://www.crawlstop.com/robots.txt.
+
+**Robots.txt example**
+<div style="position: relative; padding-top: 56.25%; border: 1px solid orange; border-radius: 5px">
+<iframe
+	src="https://www.crawlstop.com/robots.txt"
+	style="border: none; position: absolute; top: 0; left: 0; height: 100%; width: 100%;"
+	allowfullscreen="true"
+	title="crawltop.com robots.txt file"
+	>
+</iframe>
+</div>
 
 ### No robots.txt file
 

src/content/docs/bots/additional-configurations/managed-robots-txt.mdx

@@ -90,3 +90,7 @@ If you are hitting concurrency limits, or would like to better manage concurrent
 - [Reuse sessions](/browser-rendering/workers-bindings/reuse-sessions/): You can optimize your setup and decrease startup time by reusing sessions instead of launching a new browser every time. If you are concerned about maintaining test isolation, for example for tests that depend on a clean environment, we recommend using [incognito browser contexts](https://pptr.dev/api/puppeteer.browser.createbrowsercontext), which isolate cookies and cache with other sessions. 
 
 If you are still running into concurrency limits you can [request a higher limit](https://forms.gle/CdueDKvb26mTaepa9). 
+
+### Is there a limit to how many requests a single browser session can handle?
+
+No, there is not a fixed limit on the number of requests per browser session. A single browser can handle multiple requests as long as it stays within the available compute and memory limits.