Merge branch 'production' into kian/PCX-17753

Author: kodster28

src/content/docs/api-shield/security/mtls/configure.mdx

@@ -23,7 +23,10 @@ Before you can protect your API or web application with mTLS rules, you need to:
 
 <Render file="mtls-api-shield-support" />
 
-<Render file="cloudflare-managed-client-cert" product="ssl" />
+:::caution
+
+By default, API Shield mTLS uses client certificates issued by a Cloudflare-managed CA. If you need to use certificates issued by another CA, you can use the API to [bring your own CA for mTLS](/ssl/client-certificates/byo-ca/).
+:::
 
 ## Create an mTLS rule via the Cloudflare dashboard
 

src/content/docs/api-shield/security/mtls/index.mdx

@@ -6,11 +6,11 @@ sidebar:
 
 ---
 
-import { GlossaryTooltip, Render } from "~/components"
+import { GlossaryDefinition, Render } from "~/components";
 
 <Render file="mtls-api-shield-support" />
 
-<GlossaryTooltip term="mTLS (mutual TLS)">Mutual TLS (mTLS)</GlossaryTooltip> authentication uses client certificates to ensure traffic between client and server is bidirectionally secure and trusted. mTLS also allows requests that do not authenticate via an identity provider — such as Internet-of-things (IoT) devices — to demonstrate they can reach a given resource.
+<GlossaryDefinition term="mTLS (mutual TLS)" />
 
 ![mTLS sequence diagram](~/assets/images/api-shield/api-shield-call-sequence.png)
 

src/content/docs/cloudflare-one/roles-permissions.mdx

@@ -52,3 +52,4 @@ For more information on Email Security roles, refer to [Account-scoped roles](/f
 - **Email Security Analyst**: Has analyst access. Can take action on emails and read emails.
 - **Email Security Reporting**: Can read metrics.
 - **Email Security Read Only**: Can read all information, but cannot take action on anything.
+- **Email Security Policy Admin**: Can read all settings, but only write allow policies, trusted domains, and blocked senders.

src/content/docs/learning-paths/mtls/concepts/index.mdx

@@ -6,7 +6,9 @@ sidebar:
   order: 1
 ---
 
-Mutual TLS [mTLS](https://www.cloudflare.com/learning/access-management/what-is-mutual-tls/) authentication uses client certificates to ensure traffic between client and server is bidirectionally secure and trusted. mTLS also allows requests that do not authenticate via an identity provider — such as Internet-of-things (IoT) devices — to demonstrate they can reach a given resource.
+import { GlossaryDefinition } from "~/components";
+
+<GlossaryDefinition term="mTLS (mutual TLS)" />
 
 [TLS (Transport Layer Security)](https://www.cloudflare.com/learning/ssl/transport-layer-security-tls/) is a widely-used protocol to ensure secure communication over a network. It ensures confidentiality and integrity by encrypting data and validating the server using digital certificates.
 

src/content/docs/learning-paths/mtls/concepts/mtls-cloudflare.mdx

@@ -20,5 +20,5 @@ There are two main ways to use mTLS at Cloudflare, either by using the Applicati
 | Mainly used for                                                       | External Authentication (that is, APIs)                                                                                                                                                                                                                                               | Internal Authentication (that is, employees)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            |
 | Availability                                                          | By default, 100 Client Certificates per Zone are included for free. For more certificates or [API Shield features](/api-shield/), contact your account team.                                                                                                                          | Zero Trust Enterprise only feature.                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                     |
 | [Certificate Authority (CA)](/ssl/concepts/#certificate-authority-ca) | Cloudflare-managed or customer-uploaded (BYO CA). There's a soft-limit of up to [five customer-uploaded CAs](/ssl/client-certificates/byo-ca/#availability).                                                                                                                          | Customer-uploaded only (BYO CA). There's a soft-limit of up to [50 CAs](/cloudflare-one/account-limits/#access).                                                                                                                                                                                                                                                                                                                                                                                                                                                                        |
-| Client Certificate Details | Forwarded to the origin server via [Cloudflare API](/ssl/client-certificates/enable-mtls/#cloudflare-api), [Cloudflare Workers](/ssl/client-certificates/enable-mtls/#cloudflare-workers), and [Managed Transforms](/ssl/client-certificates/enable-mtls/#managed-transforms). | Forwarded to the origin server via [Cloudflare API](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-api), [Cloudflare Workers](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-workers), and [Managed Transforms](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#managed-transforms). Client Certificate headers and [Cf-Access-Jwt-Assertion](/cloudflare-one/identity/authorization-cookie/validating-json/) JWT header can be forwarded to the origin server. |
+| Client Certificate Details | Forwarded to the origin server via [Cloudflare API](/ssl/client-certificates/forward-a-client-certificate/#cloudflare-api), [Cloudflare Workers](/ssl/client-certificates/forward-a-client-certificate/#cloudflare-workers), and [Managed Transforms](/ssl/client-certificates/forward-a-client-certificate/#managed-transforms). | Forwarded to the origin server via [Cloudflare API](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-api), [Cloudflare Workers](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#cloudflare-workers), and [Managed Transforms](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#managed-transforms). Client Certificate headers and [Cf-Access-Jwt-Assertion](/cloudflare-one/identity/authorization-cookie/validating-json/) JWT header can be forwarded to the origin server. |
 | Client Certificates Revocation                                        | Use the WAF [Custom Rules](/waf/custom-rules/) to check for [_cf.tls_client_auth.cert_revoked_](/ssl/client-certificates/revoke-client-certificate/), which only applies to Cloudflare-managed CA. <br /><br /> For BYO CAs, it would be the same approach as with Cloudflare Access. | Generate a [Certificate Revocation List (CRL)](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/#create-a-crl) and enforce the revocation in a Cloudflare Worker.                                                                                                                                                                                                                                                                                                                                                                                         |

src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx

@@ -10,7 +10,7 @@ This implementation requires an active [Zone](/fundamentals/concepts/accounts-an
 
 API Shield is not required to use mTLS. <br />
 
-By default, mTLS uses Client Certificates issued by a Cloudflare Managed CA. Cloudflare generates a unique CA for each customer account, meaning that Client Certificates all validate against an account-level Cloudflare CA.
+By default, mTLS uses Client Certificates issued by a Cloudflare Managed CA and set at account-level. If you have an Enterprise account, you also have the option to [bring your own CA](/ssl/client-certificates/byo-ca/).
 :::
 
 ## 1. Enable mTLS

src/content/docs/learning-paths/mtls/mtls-app-security/related-features.mdx

@@ -33,7 +33,7 @@ Generally, ensure client certificates are rotated regularly and safely to reduce
 
 ## Forward a client certificate
 
-There are multiple ways to [forward a client certificate](/ssl/client-certificates/enable-mtls/#forward-a-client-certificate) to your origin server.
+There are multiple ways to [forward a client certificate](/ssl/client-certificates/forward-a-client-certificate/) to your origin server.
 
 ## Bring your own CA for mTLS
 
@@ -132,7 +132,7 @@ This expression will check for a specific [Client Certificate serial number](/ru
 
 ## Rate Limiting by Client Certificates
 
-By enabling [forwarding a certificate](/ssl/client-certificates/enable-mtls/#cloudflare-api) via the Cloudflare API, the first request of an mTLS connection will include the following headers:
+By enabling [forwarding a certificate](/ssl/client-certificates/forward-a-client-certificate/#cloudflare-api) via the Cloudflare API, every request of an mTLS connection will include the following headers:
 
 - `Cf-Client-Cert-Der-Base64` (raw certificate in DER format, encoded as base64)
 - `Cf-Client-Cert-Sha256` (SHA256 fingerprint of the certificate)

src/content/docs/learning-paths/mtls/mtls-cloudflare-access/index.mdx

@@ -12,7 +12,7 @@ This requires an active Enterprise [Account](/fundamentals/concepts/accounts-and
 Setting up [mTLS](/cloudflare-one/identity/devices/access-integrations/mutual-tls-authentication/) with [Cloudflare Access](/cloudflare-one/policies/access/) can help in cases where the customer:
 
 - Already has existing Client Certificates on devices.
-- Needs to protect Access applications with Bring Your Own CA (BYOCA).
+- Needs to protect Access applications with [Bring Your Own CA (BYOCA)](/ssl/client-certificates/byo-ca/).
 - Needs to integrate with a Zero Trust solution.
 
 ## 1. Create a CA

src/content/docs/learning-paths/mtls/mtls-workers/index.mdx

@@ -17,7 +17,7 @@ Cloudflare Workers runs after the Cloudflare WAF and Cloudflare Access. Review t
 
 All Client Certificate details can be found in the [tlsClientAuth](/workers/runtime-apis/request#incomingrequestcfproperties) object in Cloudflare Workers.
 
-Example Cloudflare Workers code to return all headers and gain visibility, including [Client Certificate headers](/ssl/client-certificates/enable-mtls/#cloudflare-workers):
+Example Cloudflare Workers code to return all headers and gain visibility, including [Client Certificate headers](/ssl/client-certificates/forward-a-client-certificate/#cloudflare-workers):
 
 <Tabs> <TabItem label="Module Worker" icon="seti:javascript">
 ```js

src/content/docs/pages/framework-guides/nextjs/ssr/supported-features.mdx

@@ -45,7 +45,7 @@ If you need to use other APIs from Node.js, you should use [`@opennextjs/cloudfl
 
 ### Routers
 
-Cloudlflare recommends using the [App router](https://nextjs.org/docs/app) from Next.js.
+Cloudflare recommends using the [App router](https://nextjs.org/docs/app) from Next.js.
 
 Cloudflare also supports the older [Pages](https://nextjs.org/docs/pages) router from Next.js.