Merge branch 'production' into ranbel/load-balancing-with-zt

Author: ranbel

public/__redirects

@@ -653,8 +653,8 @@
 /fundamentals/reference/the-internet/ /fundamentals/concepts/the-internet/ 301
 /fundamentals/reference/http-request-headers/ /fundamentals/reference/http-headers/ 301
 /fundamentals/security/browser-integrity-check/ /waf/tools/browser-integrity-check/ 301
-/fundamentals/signed-exchanges/ /speed/optimization/other/signed-exchanges/ 301
-/fundamentals/signed-exchanges/amp-real-ulr/reference/ /speed/optimization/other/amp-real-url/reference/ 301
+/fundamentals/signed-exchanges/ /speed/optimization/ 301
+/fundamentals/signed-exchanges/amp-real-ulr/reference/ /speed/optimization/ 301
 /fundamentals/speed/aim/ /speed/aim/ 301
 /fundamentals/speed/optimization/ /speed/optimization/ 301
 /fundamentals/speed/prefetch-urls/ /speed/optimization/content/prefetch-urls/ 301
@@ -1343,19 +1343,19 @@
 /fundamentals/network/0-rtt-connection-resumption/ /speed/optimization/protocol/0-rtt-connection-resumption/ 301
 /support/speed/essentials/will-cloudflares-image-optimization-features-help-if-im-already-optimizing-images/ /speed/optimization/images/troubleshooting/multiple-optimizations/ 301
 /support/speed/optimization-delivery/configuring-cloudflare-mirage/ /speed/optimization/images/mirage/ 301
-/support/speed/optimization-mobile/understanding-cloudflare-mobile-redirect/ /speed/optimization/other/mobile-redirect/ 301
+/support/speed/optimization-mobile/understanding-cloudflare-mobile-redirect/ /rules/url-forwarding/examples/perform-mobile-redirects/ 301
 /support/speed/optimization-file-size/using-cloudflare-auto-minify/ /speed/optimization/content/ 301
 /support/speed/optimization-file-size/what-will-cloudflare-compress/ /speed/optimization/content/compression/ 301
 /speed/optimization/content/brotli/ /speed/optimization/content/compression/ 301
 /speed/optimization/content/brotli/enable/ /speed/optimization/content/compression/ 301
 /speed/optimization/content/brotli/content-compression/ /speed/optimization/content/compression/ 301
 /support/speed/optimization-file-size/why-isnt-auto-minify-working/ /speed/optimization/content/troubleshooting/ 301
-/support/speed/optimization-mobile/why-is-the-mobile-redirect-i-set-up-through-cloudflare-redirecting-my-static-assets/ /speed/optimization/other/troubleshooting/mobile-redirect-affect-static-assets/ 301
-/speed/optimization/other/amp-real-ulr/ /speed/optimization/other/amp-real-url/ 301
-/speed/optimization/other/amp-real-ulr/reference/ /speed/optimization/other/amp-real-url/reference/ 301
+/support/speed/optimization-mobile/why-is-the-mobile-redirect-i-set-up-through-cloudflare-redirecting-my-static-assets/ /rules/url-forwarding/examples/perform-mobile-redirects/ 301
+/speed/optimization/other/amp-real-ulr/ /speed/optimization/ 301
+/speed/optimization/other/amp-real-ulr/reference/ /speed/optimization/ 301
 /speed/optimization/other/mobile-redirect/ /rules/url-forwarding/examples/perform-mobile-redirects/ 301
-/speed/optimization/other/troubleshooting/mobile-redirect-affect-static-assets/ /speed/optimization/other/ 301
-/speed/optimization/other/troubleshooting/ /speed/optimization/other/ 301
+/speed/optimization/other/troubleshooting/mobile-redirect-affect-static-assets/ /speed/optimization/ 301
+/speed/optimization/other/troubleshooting/ /speed/optimization/ 301
 /speed/optimization/content/auto-minify/ /speed/optimization/content/ 301
 /speed/optimization/content/troubleshooting/auto-minify-not-working/ /speed/optimization/content/troubleshooting/ 301
 /speed/optimization/content/speculation/ /speed/optimization/content/speed-brain/ 301
@@ -2327,9 +2327,9 @@
 /fundamentals/get-started/setup/troubleshooting/* /fundamentals/setup/account-setup/add-site/ 301
 /fundamentals/get-started/basic-tasks/account-security/* /fundamentals/account-and-billing/account-security/:splat 301
 /fundamentals/get-started/setup/account-setup/* /fundamentals/account-and-billing/account-setup/:splat 301
-/fundamentals/speed/amp-real-ulr/* /speed/optimization/other/amp-real-ulr/:splat 301
+/fundamentals/speed/amp-real-ulr/* /speed/optimization/:splat 301
 /fundamentals/speed/rocket-loader/* /speed/optimization/content/rocket-loader/:splat 301
-/fundamentals/speed/signed-exchanges/* /speed/optimization/other/signed-exchanges/:splat 301
+/fundamentals/speed/signed-exchanges/* /speed/optimization/:splat 301
 /fundamentals/speed/speed-test/* /speed/observatory/:splat 301
 /speed/speed-test/* /speed/observatory/:splat 301
 /http-applications/* /version-management/:splat 301
@@ -2349,6 +2349,7 @@
 /fundamentals/setup/manage-members/* /fundamentals/manage-members/:splat 301
 /logs/get-started/enable-destinations/* /logs/logpush/logpush-job/enable-destinations/:splat 301
 /logs/reference/log-fields/* /logs/logpush/logpush-job/datasets/:splat 301
+/speed/optimization/other/* /speed/optimization/ 301
 
 # AI Crawl Control
 /ai-audit/* /ai-crawl-control/:splat 301

src/assets/images/changelog/security-center/2025-10-17-application-security-report-mock-data.png

@@ -0,0 +1,19 @@
+---
+title: Monitor Groups for Advanced Health Checking With Load Balancing
+description: Group multiple health monitors to create sophisticated, multi-service health assessments for your pools.
+date: 2025-10-16
+---
+
+Cloudflare Load Balancing now supports Monitor Groups, a powerful new way to combine multiple health monitors into a single, logical group. This allows you to create sophisticated health checks that more accurately reflect the true availability of your applications by assessing multiple services at once.
+
+With Monitor Groups, you can ensure that all critical components of an application are healthy before sending traffic to an origin pool, enabling smarter failover decisions and greater resilience. This feature is now available via the API for customers with an Enterprise Load Balancing subscription.
+
+### What you can do:
+
+- **Combine Multiple Monitors**: Group different health monitors (for example, HTTP, TCP) that check various application components, like a primary API gateway and a specific `/login` service.
+- **Isolate Monitors for Observation**: Mark a monitor as "monitoring only" to receive alerts and data without it affecting a pool's health status or traffic steering. This is perfect for testing new checks or observing non-critical dependencies.
+- **Improve Steering Intelligence**: Latency for Dynamic Steering is automatically averaged across all active monitors in a group, providing a more holistic view of an origin's performance.
+
+This enhancement is ideal for complex, multi-service applications where the health of one component depends on another. By aggregating health signals, Monitor Groups provide a more accurate and comprehensive assessment of your application's true status.
+
+For detailed information and API configuration guides, please visit our [developer documentation](/load-balancing/monitors/monitor-groups) for Monitor Groups.

src/assets/images/changelog/security-center/2025-10-17-report-feedback-survey.png

@@ -0,0 +1,23 @@
+---
+title: New Application Security reports (Closed Beta)
+description: A monthly recap of your cyber security insights and trends your Cloudflare account.
+date: 2025-10-17
+---
+
+import { DashButton } from "~/components";
+
+Cloudflare's new **Application Security report**, currently in Closed Beta, is now available in the dashboard.
+
+<DashButton url="/?to=/:account/security-center/reports" />
+
+The reports are generated monthly and provide cyber security insights trends for all of the Enterprise zones in your Cloudflare account.
+
+The reports also include an industry benchmark, comparing your cyber security landscape to peers in your industry. 
+
+![Application Security report mock data](~/assets/images/changelog/security-center/2025-10-17-application-security-report-mock-data.png)
+
+Learn more about the reports by referring to the [Security Reports documentation](/security-center/app-security-reports/).
+
+Use the feedback survey link at the top of the page to help us improve the reports.
+
+![Application Security report survey](~/assets/images/changelog/security-center/2025-10-17-report-feedback-survey.png)

src/content/changelog/load-balancing/2025-08-15-monitor-groups-for-load-balancing.mdx

@@ -0,0 +1,229 @@
+---
+title: New detections released for WAF managed rulesets
+description: New Cloudflare WAF managed rulesets release to improve protection against attacker-controlled payloads
+date: 2025-10-17
+---
+
+import { RuleID } from "~/components";
+
+This week we introduced several new detections across Cloudflare Managed Rulesets, expanding coverage for high-impact vulnerability classes such as SSRF, SQLi, SSTI, Reverse Shell attempts, and Prototype Pollution. These rules aim to improve protection against attacker-controlled payloads that exploit misconfigurations or unvalidated input in web applications.
+
+**Key Findings**
+
+New detections added for multiple exploit categories:
+
+SSRF (Server-Side Request Forgery) — new rules targeting both local and cloud metadata abuse patterns (Beta).
+
+SQL Injection (SQLi) — rules for common patterns, sleep/time-based injections, and string/wait function exploitation across headers and URIs.
+
+SSTI (Server-Side Template Injection) — arithmetic-based probe detections introduced across URI, header, and body fields.
+
+Reverse Shell and XXE payloads — enhanced heuristics for command execution and XML external entity misuse.
+
+Prototype Pollution — new Beta rule identifying common JSON payload structures used in object prototype poisoning.
+
+PHP Wrapper Injection and HTTP Parameter Pollution detections — to catch path traversal and multi-parameter manipulation attempts.
+
+Anomaly Header Checks — detecting CRLF injection attempts in header names.
+
+**Impact**
+
+These updates help detect multi-vector payloads that blend SSRF + RCE or SQLi + SSTI attacks, especially in cloud-hosted applications with exposed metadata endpoints or unsafe template rendering.
+
+Prototype Pollution and HTTP parameter pollution rules address emerging JavaScript supply-chain exploitation patterns increasingly seen in real-world incidents.
+
+<table style="width: 100%">
+	<thead>
+		<tr>
+			<th>Ruleset</th>
+			<th>Rule ID</th>
+			<th>Legacy Rule ID</th>
+			<th>Description</th>
+			<th>Previous Action</th>
+			<th>New Action</th>
+			<th>Comments</th>
+		</tr>
+	</thead>
+	<tbody>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="72f0ff933fb0492eb71cda50589f2a1d" /></td>
+			<td>N/A</td>
+			<td>Anomaly:Header - name - CR, LF</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="5d0377e4435f467488614170132fab7e" /></td>
+			<td>N/A</td>
+			<td>Generic Rules - Reverse Shell - Body</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="54e32f7f802c4a699182e8921a027008" /></td>
+			<td>N/A</td>
+			<td>Generic Rules - Reverse Shell - Header</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="7cbda8dbafbc465d9b64a8f2958d0486" /></td>
+			<td>N/A</td>
+			<td>Generic Rules - Reverse Shell - URI</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="b9f3420674cf481da32333dc8e0cf7ad" /></td>
+			<td>N/A</td>
+			<td>Generic Rules - XXE - Body</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="ad55483512f0440b81426acdbf8aab5e" /></td>
+			<td>N/A</td>
+			<td>Generic Rules - SQLi - Common Patterns - Header URI</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="849c0618d1674f1c92ba6f9b2e466337" /></td>
+			<td>N/A</td>
+			<td>Generic Rules - SQLi - Sleep Function - Header URI</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="1b4db4c4bd0649c095c27c6cb686ab47" /></td>
+			<td>N/A</td>
+			<td>Generic Rules - SQLi - String Function - Header URI</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="fa2055b84af94ba4b925f834b0633709" /></td>
+			<td>N/A</td>
+			<td>Generic Rules - SQLi - WaitFor Function - Header URI</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="158177dec2504acdba1f2da201a076eb" /></td>
+			<td>N/A</td>
+			<td>SSRF - Local - Beta</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="98bfd6bb46074d5b8d1c4b39743a63ec" /></td>
+			<td>N/A</td>
+			<td>SSRF - Local - 2 - Beta</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="54e1733b10da4a599e06c6fbc2e84e2d" /></td>
+			<td>N/A</td>
+			<td>SSRF - Cloud - Beta</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="ecd26d61a75e46f6a4449a06ab8af26f" /></td>
+			<td>N/A</td>
+			<td>SSRF - Cloud - 2 - Beta</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="c16f4e133c4541f293142d02e6e8dc5b" /></td>
+			<td>N/A</td>
+			<td>SSTI - Arithmetic Probe - URI</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="f4fd9904e7624666b8c49cd62550d794" /></td>
+			<td>N/A</td>
+			<td>SSTI - Arithmetic Probe - Header</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="5c0875604f774c36a4f9b69c659d12a6" /></td>
+			<td>N/A</td>
+			<td>SSTI - Arithmetic Probe - Body</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="fae6fa37ae9249d58628e54b1a3e521e" /></td>
+			<td>N/A</td>
+			<td>PHP Wrapper Injection</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="9c02e585db34440da620eb668f76bd74" /></td>
+			<td>N/A</td>
+			<td>PHP Wrapper Injection</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="cb67fe56a84747b8b64277dc091e296d" /></td>
+			<td>N/A</td>
+			<td>HTTP parameter pollution</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+		<tr>
+			<td>Cloudflare Managed Ruleset</td>
+			<td><RuleID id="443b54d984944cd69043805ee34214ef" /></td>
+			<td>N/A</td>
+			<td>Prototype Pollution - Common Payloads - Beta</td>
+			<td>N/A</td>
+			<td>Disabled</td>
+			<td>This is a New Detection</td>
+		</tr>
+	</tbody>
+</table>

src/content/changelog/security-center/2025-10-17-app-sec-reports.mdx

@@ -18,6 +18,7 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl
 
 - Private IPs and hostnames are reachable over Cloudflare WARP, Magic WAN or Browser Isolation. For more details, refer to [Connect a private network](/cloudflare-one/connections/connect-networks/private-net/).
 - Private hostnames route to your custom DNS resolver through [Local Domain Fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) or [Gateway resolver policies](/cloudflare-one/policies/gateway/resolver-policies/).
+- Public IPs and hostnames can be used to define a private application, however the IP or hostname must route through Cloudflare via [Cloudflare Tunnel](/cloudflare-one/connections/connect-networks/private-net/cloudflared/), [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/), or [Magic WAN](/magic-wan/configuration/manually/how-to/configure-routes/).
 - (Optional) Turn on [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/) if you want to use Access JWTs to manage [HTTPS application sessions](#https-applications).
 
 ## Add your application to Access
@@ -83,4 +84,4 @@ The WARP client manages sessions for all non-HTTPS applications. Users will rece
 
 ### Private hostname vs private IP
 
-An Access application defined by a private hostname takes precedence over an Access application defined by a private IP. For example, assume App-1 points to `wiki.internal.local` and App-2 points to `10.0.0.1`, but `wiki.internal.local` resolves to 	`10.0.0.1`. Users who go to `wiki.internal.local` will never match App-2; they will be allowed or blocked strictly based on App-1 Access policies (and [Gateway policies](#access-vs-gateway-policies)).
+An Access application defined by a private hostname takes precedence over an Access application defined by a private IP. For example, assume App-1 points to `wiki.internal.local` and App-2 points to `10.0.0.1`, but `wiki.internal.local` resolves to 	`10.0.0.1`. Users who go to `wiki.internal.local` will never match App-2; they will be allowed or blocked strictly based on App-1 Access policies (and [Gateway policies](#access-vs-gateway-policies)).

src/content/changelog/waf/2025-10-17-emergency-waf-release.mdx

@@ -38,19 +38,23 @@ flowchart TD
     ST -- Resolver IP included in WARP Tunnel per Split Tunnel configuration --> QW["Query sent via WARP Tunnel to be resolved"]
     ST -- Resolver IP not included in WARP Tunnel per Split Tunnel configuration --> QO["Query sent to resolver IP outside WARP Tunnel"]
 
+    %% Gateway evaluation after query via WARP
     QW -- Allowed by Gateway --> OR["Evaluated by Cloudflare on-ramp routes"]
+    QW -- Blocked by Gateway Network or HTTP Policy --> BLK["Traffic blocked by Cloudflare"]
+
     OR -- Onramp routes do not include resolver IP --> GP["Gateway proxies query to resolver IP via normal WARP egress route"]
-    OR -- Onramp routes include, resolver IP --> ADV["Cloudflare onramps advertises route that includes Resolver IP"]
+    OR -- Onramp routes include resolver IP --> ADV["Cloudflare onramps advertise route that includes Resolver IP"]
     ADV --> PR["Private resolver returns IP address to WARP client"]
 
     %% Right branch (no LDF match)
     C -- Domain does not exist in Local Domain Fallback policies --> GWR["Gateway checks Resolver Policies (Enterprise only)"]
 
     GWR -- Resolver policy is not matched --> C1111a["1.1.1.1"]
 
-    GWR -- Resolver policy is matched --> IDNS["Internal DNS"]
-    GWR -- Resolver policy is matched --> C1111b["1.1.1.1"]
-    GWR -- Resolver policy is matched --> CUST["Custom resolver"]
+    GWR -- Resolver policy is matched --> MATCH((Resolver policy directs query to one of the following))
+    MATCH --> IDNS["Internal DNS"]
+    MATCH --> C1111b["1.1.1.1"]
+    MATCH --> CUST["Custom resolver"]
     CUST --> PNS["Private network services<br>(Cloudflare Tunnel, Magic WAN, WARP Connector)"]
 ```
 #### Terms mentioned