Merge branch 'production' of github.com:cloudflare/cloudflare-docs into production

Author: Maddy-Cloudflare

src/assets/images/cloudflare-one/identity/github/github2.png

@@ -0,0 +1,39 @@
+---
+title: Run AI-generated code on-demand with Code Sandboxes (new)
+description: You can start creating sandboxes today by installing our new Sandbox package.
+products:
+  - agents
+  - workers
+  - workflows
+date: 2025-06-25T15:00:00Z
+---
+
+AI is supercharging app development for everyone, but we need a safe way to run untrusted, LLM-written code. We’re introducing [Sandboxes](https://www.npmjs.com/package/@cloudflare/sandbox), which let your Worker run actual processes in a secure, container-based environment.
+
+```ts
+import { getSandbox } from "@cloudflare/sandbox";
+export { Sandbox } from "@cloudflare/sandbox";
+
+export default {
+  async fetch(request: Request, env: Env) {
+    const sandbox = getSandbox(env.Sandbox, "my-sandbox");
+    return sandbox.exec("ls", ["-la"]);
+  },
+};
+```
+
+### Methods
+
+- `exec(command: string, args: string[], options?: { stream?: boolean })`:Execute a command in the sandbox.
+- `gitCheckout(repoUrl: string, options: { branch?: string; targetDir?: string; stream?: boolean })`: Checkout a git repository in the sandbox.
+- `mkdir(path: string, options: { recursive?: boolean; stream?: boolean })`: Create a directory in the sandbox.
+- `writeFile(path: string, content: string, options: { encoding?: string; stream?: boolean })`: Write content to a file in the sandbox.
+- `readFile(path: string, options: { encoding?: string; stream?: boolean })`: Read content from a file in the sandbox.
+- `deleteFile(path: string, options?: { stream?: boolean })`: Delete a file from the sandbox.
+- `renameFile(oldPath: string, newPath: string, options?: { stream?: boolean })`: Rename a file in the sandbox.
+- `moveFile(sourcePath: string, destinationPath: string, options?: { stream?: boolean })`: Move a file from one location to another in the sandbox.
+- `ping()`: Ping the sandbox.
+
+Sandboxes are still experimental. We're using them to explore how isolated, container-like workloads might scale on Cloudflare — and to help define the developer experience around them.
+
+You can try it today from your Worker, with just a few lines of code. Let us know what you build.

src/assets/images/cloudflare-one/identity/github/github4.png

@@ -0,0 +1,7 @@
+---
+title: Improved non-English keyboard support
+description: Introduced support for non-English keyboard configurations in the remote browser, enhancing the global user experience.
+date: 2024-11-21
+---
+
+You can now type in languages that use diacritics (like á or ç) and character-based scripts (such as Chinese, Japanese, and Korean) directly within the remote browser. The isolated browser now properly recognizes non-English keyboard input, eliminating the need to copy and paste content from a local browser or device.

src/content/changelog/agents/2025-06-24-announcing-sandboxes.mdx

@@ -8,25 +8,29 @@ Authoritative DNS analytics are now available on the **account level** via the [
 
 This allows users to query DNS analytics across multiple zones in their account, by using the `accounts` filter.
 
-Here is an example to retrieve all DNS queries across all zones in an account that resulted in an `NXDOMAIN` response over a given time frame. Please replace `a30f822fcd7c401984bf85d8f2a5111c` with your actual account ID.
+Here is an example to retrieve the most recent DNS queries across all zones in your account that resulted in an `NXDOMAIN` response over a given time frame. Please replace `a30f822fcd7c401984bf85d8f2a5111c` with your actual account ID.
 
 ```graphql graphql-api-explorer title="GraphQL example for account-level DNS analytics"
-query Viewer {
-    viewer {
-        accounts(filter: { accountTag: "a30f822fcd7c401984bf85d8f2a5111c" }) {
-            dnsAnalyticsAdaptive(
-                limit: 10
-                filter: { date_geq: "2025-06-16", responseCode: "NXDOMAIN", date_leq: "2025-06-18" }
-                orderBy: [datetime_DESC]
-            ) {
-                zoneTag
-                queryName
-                responseCode
-                queryType
-                datetime
-            }
-        }
-    }
+query GetLatestNXDOMAINResponses {
+	viewer {
+		accounts(filter: { accountTag: "a30f822fcd7c401984bf85d8f2a5111c" }) {
+			dnsAnalyticsAdaptive(
+				filter: { 
+					date_geq: "2025-06-16", 
+					date_leq: "2025-06-18",
+					responseCode: "NXDOMAIN"
+				}
+				limit: 10000
+				orderBy: [datetime_DESC]
+			) {
+				zoneTag
+				queryName
+				responseCode
+				queryType
+				datetime
+			}
+		}
+	}
 }
 ```
 

src/content/changelog/browser-isolation/2024-11-21-non-english-keyboard.mdx

@@ -7,10 +7,28 @@ sidebar:
 
 import { Tabs, TabItem } from "~/components";
 
-The `/pdf` endpoint instructs the browser to render the webpage as a PDF document.
+The `/pdf` endpoint instructs the browser to generate a PDF of a webpage or custom HTML using Cloudflare's headless browser rendering service.
+
+## Endpoint
+
+```txt
+https://api.cloudflare.com/client/v4/accounts/<accountId>/browser-rendering/pdf
+```
+
+## Required fields
+You must provide either `url` or `html`:
+-  `url` (string)
+-  `html` (string)
+
+## Common use cases
+
+-  Capture a PDF of a webpage
+-  Generate PDFs, such as invoices, licenses, reports, and certificates, directly from HTML
 
 ## Basic usage
 
+### Convert a URL to PDF
+
 <Tabs syncKey="workersExamples"> <TabItem label="curl">
 
 Navigate to `https://example.com/` and inject custom CSS and an external stylesheet. Then return the rendered page as a PDF.
@@ -51,11 +69,35 @@ console.log(content);
 
 </TabItem> </Tabs>
 
+### Convert custom HTML to PDF
+
+If you have raw HTML you want to generate a PDF from, use the `html` option. You can still apply custom styles using the `addStyleTag` parameter.
+
+```bash
+curl -X POST https://api.cloudflare.com/client/v4/accounts/<acccountID>/browser-rendering/pdf \
+  -H 'Authorization: Bearer <apiToken>' \
+  -H 'Content-Type: application/json' \
+  -d '{
+  "html": "<html><body>Advanced Snapshot</body></html>",
+	"addStyleTag": [
+      { "content": "body { font-family: Arial; }" },
+      { "url": "https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" }
+    ]
+}' \
+  --output "invoice.pdf"
+```
+
 ## Advanced usage
 
-Navigate to `https://example.com`, first setting an additional HTTP request header and configuring the page size (`viewport`). Then, wait until there are no more than 2 network connections for at least 500 ms, or until the maximum timeout of 4500 ms is reached, before considering the page loaded and returning the rendered PDF document.
+:::note[Looking for more parameters?]
+Visit the [Browser Rendering PDF API reference](/api/resources/browser_rendering/subresources/pdf/methods/create/) for all available parameters, such as setting HTTP credentials using `authenticate`, setting `cookies`, and customizing load behavior using `gotoOptions`.
+:::
+
+### Advanced page load with custom headers and viewport
 
-The `goToOptions` parameter exposes most of [Puppeteer'd API](https://pptr.dev/api/puppeteer.gotooptions).
+Navigate to `https://example.com`, setting additional HTTP headers and configuring the page size (viewport). The PDF generation will wait until there are no more than two network connections for at least 500 ms, or until the maximum timeout of 4500 ms is reached, before rendering.
+
+The `goToOptions` parameter exposes most of [Puppeteer's API](https://pptr.dev/api/puppeteer.gotooptions).
 
 ```bash
 curl -X POST 'https://api.cloudflare.com/client/v4/accounts/<accountId>/browser-rendering/pdf' \
@@ -78,9 +120,9 @@ curl -X POST 'https://api.cloudflare.com/client/v4/accounts/<accountId>/browser-
   --output "advanced-output.pdf"
 ```
 
-## Blocking images and styles when generating a PDF
+### Blocking images and styles when generating a PDF
 
-The options `rejectResourceTypes` and `rejectRequestPattern` can be used to block requests. The opposite can also be done, _only_ allow certain requests using `allowResourceTypes` and `allowRequestPattern`.
+The options `rejectResourceTypes` and `rejectRequestPattern` can be used to block requests during rendering. The opposite can also be done, _only_ allow certain requests using `allowResourceTypes` and `allowRequestPattern`.
 
 ```bash
 curl -X POST https://api.cloudflare.com/client/v4/accounts/<acccountID>/browser-rendering/pdf \
@@ -93,23 +135,3 @@ curl -X POST https://api.cloudflare.com/client/v4/accounts/<acccountID>/browser-
 }' \
   --output "cloudflare.pdf"
 ```
-
-## Generate PDF from custom HTML
-
-If you have HTML you'd like to generate a PDF from, the `html` option can be used. The option `addStyleTag` can be used to add custom styles.
-
-```bash
-curl -X POST https://api.cloudflare.com/client/v4/accounts/<acccountID>/browser-rendering/pdf \
-  -H 'Authorization: Bearer <apiToken>' \
-  -H 'Content-Type: application/json' \
-  -d '{
-  "html": "<html><body>Advanced Snapshot</body></html>",
-	"addStyleTag": [
-      { "content": "body { font-family: Arial; }" },
-      { "url": "https://cdn.jsdelivr.net/npm/[email protected]/dist/css/bootstrap.min.css" }
-    ]
-}' \
-  --output "invoice.pdf"
-```
-
-Many more options exist, like setting HTTP credentials using `authenticate`, setting `cookies`, and using `gotoOptions` to control page load behaviour - check the endpoint [reference](/api/resources/browser_rendering/subresources/pdf/methods/create/) for all available parameters.

src/content/changelog/dns/2025-06-23-account-level-dns-analytics-api.mdx

@@ -196,6 +196,10 @@ Certain scenarios also affect Origin Cache Control behavior when it is enabled o
   </tbody>
 </table>
 
+:::note
+When the `Cloudflare-Cdn-Cache-Control` header is set, OCC is turned **on** (regardless of whether OCC is enabled or disabled). As a result, we apply our Authorization header logic (per [RFC 7234, Section 3.2](https://tools.ietf.org/html/rfc7234#section-3.2)) to allow only the `s-maxage`, `must-revalidate`, or `public` directives. If any other directive is present, we do not cache the asset and instead return `BYPASS`.
+:::
+
 ## Examples
 
 Review the examples below to learn which directives to use with the `Cache-Control` header to control specific caching behavior.

src/content/docs/browser-rendering/rest-api/pdf-endpoint.mdx

@@ -0,0 +1,22 @@
+---
+title: 5 - Junk email folder and administrative quarantine
+pcx_content_type: integration-guide
+sidebar:
+  order: 5
+head:
+  - tag: title
+    content: Deliver emails to the junk email folder - Office 365
+
+---
+
+import { Render } from "~/components"
+
+In this tutorial, you will learn to deliver `SUSPICIOUS` and `BULK` messages to the user's junk email folder, and `MALICIOUS`, `SPAM`, and `SPOOF` messages to the Administrative Quarantine (this requires an administrator to release the emails).
+
+## Configure anti-spam policies
+
+<Render file="email-security/deployment/m365-use-cases-antispam" params={{ one: "_AdminOnlyAccessPolicy_", two: "_AdminOnlyAccessPolicy_", three: "_AdminOnlyAccessPolicy_", four: "step7-adminonly-case5.png" }} />
+
+## Create transport rules
+
+<Render file="email-security/deployment/m365-use-case-transport-rules" params={{ one: "Email Security Deliver to Junk Email folder`", two: "`SUSPICIOUS`, `BULK`", three: "_Modify the message properties_ > _Set the Spam Confidence Level (SCL)_ > _5_", four: "step4-rules.png", five: "`Email Security Admin Managed Host Quarantine`", six: " `MALICIOUS`, `UCE`, `SPOOF`", seven: "_Redirect the message to_ > _hosted quarantine_", eight: "step10-hosted-quarantine-case5.png" }} />

src/content/docs/cache/concepts/cache-control.mdx

@@ -0,0 +1,56 @@
+---
+title: 4 - User managed quarantine and administrative quarantine
+pcx_content_type: integration-guide
+sidebar:
+  order: 4
+head:
+  - tag: title
+    content: User managed quarantine and administrative quarantine - Office 365
+
+---
+
+import { Render } from "~/components"
+
+In this tutorial, you will learn to deliver `SPAM` and `SPOOF` messages to the user managed quarantine, and `MALICIOUS` messages to the administrative quarantine (this requires an administrator to release the emails).
+
+## Create quarantine policies
+
+<Render file="email-security/deployment/m365-use-case-2-4-create-quarantine-policy" />
+
+## Configure quarantine notifications
+
+<Render file="email-security/deployment/m365-use-case-configure-quarantine-notifications" />
+
+## Configure anti-spam policies
+
+To configure anti-spam policies:
+
+1. Open the [Microsoft 365 Defender console](https://security.microsoft.com/)
+
+2. Go to **Email & collaboration** > **Policies & rules**.
+
+3. Select **Threat policies**.
+
+4. Under **Policies**, select **Anti-spam**.
+
+5. Select the **Anti-spam inbound policy (Default)** text (not the checkbox).
+
+6. In the **Actions** section, scroll down and select **Edit actions**.
+
+7. Set the following conditions and actions (you might need to scroll up or down to find them):
+
+   * **Spam**: *Quarantine message*.
+     * **Select quarantine policy**: *UserNotifyUserRelease*.
+   * **High confidence spam**: *Quarantine message*.
+     * **Select quarantine policy**: *UserNotifyAdminRelease*.
+   * **Phishing**: *Quarantine message*.
+     * **Select quarantine policy**: *UserNotifyAdminRelease*.
+   * **High confidence phishing**: *Quarantine message*.
+     * **Select quarantine policy**: *UserNotifyAdminRelease*.
+   * **Retain spam in quarantine for this many days**: Default is 15 days. Email Security recommends 15-30 days.
+
+8. Select **Save**.
+
+## Create transport rules
+
+<Render file="email-security/deployment/m365-use-case-transport-rules" params={{ one: "`Email Security User Quarantine Message`", two: "`UCE`, `SPOOF`", three: "_Modify the message properties_ > _Set the Spam Confidence Level (SCL)_ > _5_", four: "step4-rules-case4.png", five: "`Email Security User Quarantine Message Admin Release`", six: "`MALICIOUS`", seven: "_Modify the message properties_ > _Set the Spam Confidence Level (SCL)_ > _9_", eight: "step10-admin-release-case4.png" }} />