Merge branch 'production'

Author: RebeccaTamachiro

public/__redirects

@@ -2444,6 +2444,9 @@
 /cloudflare-one/email-security/reference/domain-information/ /cloudflare-one/email-security/settings/domain-management/domain/ 301
 /cloudflare-one/insights/email-monitoring/phish-submissions/* /cloudflare-one/email-security/settings/phish-submissions/:splat 301
 /cloudflare-one/email-security/phish-guard/* /cloudflare-one/email-security/phishguard/:splat 301
+/cloudflare-one/email-security/settings/trusted-domains/ /cloudflare-one/email-security/settings/detection-settings/trusted-domains/ 301
+/cloudflare-one/email-security/detection-settings/additional-detections/ /cloudflare-one/email-security/settings/detection-settings/additional-detections/ 301
+/cloudflare-one/email-security/settings/configure-text-add-ons/ /cloudflare-one/email-security/settings/detection-settings/configure-text-add-ons/ 301
 
 # Learning paths
 

src/components/WranglerConfig.astro

@@ -38,7 +38,10 @@ let toml, json;
 
 if (language === "toml") {
 	toml = code;
-	json = JSON.stringify(TOML.parse(code), null, 2);
+	json = JSON.stringify({
+		"$schema": "./node_modules/wrangler/config-schema.json",
+		...TOML.parse(code),
+	}, null, 2);
 } else {
 	json = code;
 	toml = TOML.stringify(jsoncParse(code));

src/content/changelog/waf/2025-10-30-emergency-waf-release.mdx

@@ -0,0 +1,44 @@
+---
+title: "WAF Release - 2025-10-30 - Emergency"
+description: Cloudflare WAF managed rulesets 2025-10-30 emergency release
+date: 2025-10-30
+---
+
+import { RuleID } from "~/components";
+
+This week’s release introduces a new detection signature that enhances coverage for a critical vulnerability in Oracle E-Business Suite, tracked as CVE-2025-61884.
+
+**Key Findings**
+
+The flaw is easily exploitable and allows an unauthenticated attacker with network access to compromise Oracle Configurator, which can grant access to sensitive resources and configuration data. The affected versions include 12.2.3 through 12.2.14.
+
+**Impact**
+
+Successful exploitation of CVE-2025-61884 may result in unauthorized access to critical business data or full exposure of information accessible through Oracle Configurator. Administrators are strongly advised to apply vendor's patches and recommended mitigations to reduce this exposure.
+
+<table style="width: 100%">
+  <thead>
+    <tr>
+      <th>Ruleset</th>
+      <th>Rule ID</th>
+      <th>Legacy Rule ID</th>
+      <th>Description</th>
+      <th>Previous Action</th>
+      <th>New Action</th>
+      <th>Comments</th>
+    </tr>
+  </thead>
+  <tbody>
+    <tr>
+      <td>Cloudflare Managed Ruleset</td>
+      <td>
+        <RuleID id="2749f13f8cb34a3dbd49c8c48827402f" />
+      </td>
+      <td>N/A</td>
+      <td>Oracle E-Business Suite - SSRF - CVE:CVE-2025-61884</td>
+      <td>N/A</td>
+      <td>Block</td>
+      <td>This is a New Detection</td>
+    </tr>
+  </tbody>
+</table>

src/content/changelog/workers/2025-10-24-tanstack-start.mdx

@@ -0,0 +1,77 @@
+---
+title: Build TanStack Start apps with the Cloudflare Vite plugin
+description: TanStack Start can now be used with the Cloudflare Vite plugin
+products:
+  - workers
+date: 2025-10-24
+---
+
+import { PackageManagers, WranglerConfig } from "~/components";
+
+The [Cloudflare Vite plugin](/workers/vite-plugin/) now supports [TanStack Start](https://tanstack.com/start/) apps.
+Get started with new or existing projects.
+
+## New projects
+
+Create a new TanStack Start project that uses the Cloudflare Vite plugin via the `create-cloudflare` CLI:
+
+<PackageManagers
+	type="create"
+	pkg="cloudflare@latest"
+	args="my-tanstack-start-app --framework=tanstack-start"
+/>
+
+## Existing projects
+
+Migrate an existing TanStack Start project to use the Cloudflare Vite plugin:
+
+1. Install `@cloudflare/vite-plugin` and `wrangler`
+
+<PackageManagers type="add" pkg="@cloudflare/vite-plugin wrangler" dev />
+
+2. Add the Cloudflare plugin to your Vite config
+
+```ts {4, 8} title="vite.config.ts"
+import { defineConfig } from "vite";
+import { tanstackStart } from "@tanstack/react-start/plugin/vite";
+import viteReact from "@vitejs/plugin-react";
+import { cloudflare } from "@cloudflare/vite-plugin";
+
+export default defineConfig({
+	plugins: [
+		cloudflare({ viteEnvironment: { name: "ssr" } }),
+		tanstackStart(),
+		viteReact(),
+	],
+});
+```
+
+3. Add your Worker config file
+
+<WranglerConfig>
+
+```toml
+name = "my-tanstack-start-app"
+compatibility_date = "2025-10-11"
+compatibility_flags = ["nodejs_compat"]
+main = "@tanstack/react-start/server-entry"
+```
+
+</WranglerConfig>
+
+4. Modify the scripts in your `package.json`
+
+```json title="package.json" del={5} ins={6-8}
+{
+	"scripts": {
+		"dev": "vite dev",
+		"build": "vite build && tsc --noEmit",
+		"start": "node .output/server/index.mjs",
+		"preview": "vite preview",
+		"deploy": "npm run build && wrangler deploy",
+		"cf-typegen": "wrangler types"
+	}
+}
+```
+
+See the [TanStack Start framework guide](/workers/framework-guides/web-apps/tanstack-start/) for more info.

src/content/docs/browser-rendering/rest-api/pdf-endpoint.mdx

@@ -192,7 +192,8 @@ curl -X POST 'https://api.cloudflare.com/client/v4/accounts/<accountId>/browser-
         "left": "30px"
       },
       "timeout": 30000
-    }
+    }`
+```
 
 <Render
   file="setting-custom-user-agent"

src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/domain-support/migrating-custom-hostnames.mdx

@@ -70,6 +70,6 @@ The custom hostname can activate on the new zone even if the certificate is stil
 
 :::note
 
-Verify that the custom hostname successfully activated after the migration in the Cloudflare dashboard by selecting **SSL/TLS** > **Custom hostnames** > **`{your custom hostname}`**.
+Verify that the custom hostname successfully activated after the migration on the [**Custom Hostnames**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/custom-hostnames) page.
 
 :::

src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/performance/early-hints-for-saas.mdx

@@ -22,7 +22,7 @@ Before you can employ Early Hints for SaaS, you need to create a custom hostname
 
 1. [Locate your zone ID](/fundamentals/account/find-account-and-zone-ids/), available in the Cloudflare dashboard.
 
-2. Locate your Authentication Key by selecting **My Profile** > **API tokens** > **Global API Key**.
+2. Locate your Authentication Key on the [**API Tokens**](https://dash.cloudflare.com/?to=/:account/profile/api-tokens) page, under **Global API Key**.
 
 3. If you are [creating a new custom hostname](/api/resources/custom_hostnames/methods/create/), make an API call such as the example below, specifying `"early_hints": "on"`:
 

src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/saas-customers/provider-guides/salesforce-commerce-cloud.mdx

@@ -7,7 +7,7 @@ head:
 description: Learn how to configure your Enterprise zone with Salesforce Commerce Cloud.
 ---
 
-import { Details, Render } from "~/components";
+import { Details, Render, DashButton } from "~/components";
 
 <Render
 	file="provider-guide-intro"
@@ -104,11 +104,11 @@ If you do have a `CAA` record, verify that it permits SSL certificates to be iss
 ### Best practice Zone-level configuration
 
 1. Set **Minimum TLS version** to **TLS 1.2**
-   1. Navigate to **SSL/TLS > Edge Certificates**, scroll down the page to find **Minimum TLS Version**, and set it to _TLS 1.2_. This setting applies to every Proxied DNS record in your Zone.
+   1. Go to the [**Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page, scroll down to find **Minimum TLS Version**, and set it to _TLS 1.2_. This setting applies to every Proxied DNS record in your Zone.
 2. Match the **Security Level** set in **SFCC Business Manager**
-   1. _Option 1: Zone-level_ - Navigate to **Security > Settings**, find **Security Level** and set **Security Level** to match what is configured in **SFCC Business Manager**. This setting applies to every Proxied DNS record in your Cloudflare zone.
+   1. _Option 1: Zone-level_ - Go to the [**Settings**](https://dash.cloudflare.com/?to=/:account/:zone/security/settings) page under Security, find **Security Level** and set **Security Level** to match what is configured in **SFCC Business Manager**. This setting applies to every Proxied DNS record in your Cloudflare zone.
    2. _Option 2: Per Proxied DNS record_ - If the **Security Level** differs between the Proxied DNS records targeting your SFCC environment and other Proxied DNS records in your Cloudflare zone, use a **Configuration Rule** to set the **Security Level** specifically for the Proxied DNS records targeting your SFCC environment. For example:
-      1. Create a new **Configuration Rule** by navigating to **Rules** > **Overview** and selecting **Create rule** next to **Configuration Rules**:
+      1. Create a new **Configuration Rule** on the [**Rules Overview**](https://dash.cloudflare.com/?to=/:account/:zone/rules/overview) page by selecting **Create rule** next to **Configuration Rules**:
          1. **Rule name:** `Match Security Level on SFCC hostnames`
          2. **Field:** _Hostname_
          3. **Operator:** _is in_ (this will match against multiple hostnames specified in the **Value** field)
@@ -117,9 +117,9 @@ If you do have a `CAA` record, verify that it permits SSL certificates to be iss
             1. **Select Security Level:** _Medium_ (this should match the **Security Level** set in **SFCC Business Manager**)
          6. Scroll to the bottom of the page and click **Deploy**
 3. Disable **Browser Integrity Check**
-   1. _Option 1: Zone-level_ - Navigate to **Security > Settings**, find **Browser Integrity Check** and toggle it off to disable it. This setting applies to every Proxied DNS record in your Cloudflare zone.
+   1. _Option 1: Zone-level_ - Go to the [**Settings**](https://dash.cloudflare.com/?to=/:account/:zone/security/settings) page under Security, find **Browser Integrity Check** and toggle it off to disable it. This setting applies to every Proxied DNS record in your Cloudflare zone.
    2. _Option 2: Per Proxied DNS record_ - If you want to keep **Browser Integrity Check** enabled for other Proxied DNS records in your Cloudflare zone but want to disable it on Proxied DNS records targeting your SFCC environment, keep the Zone-level **Browser Integrity Check** feature enabled and use a **Configuration Rule** to disable **Browser Integrity Check** specifically for the hostnames targeting your SFCC environment. For example:
-      1. Create a new **Configuration Rule** by navigating to **Rules** > **Overview** and selecting **Create rule** next to **Configuration Rules**:
+      1. Create a new **Configuration Rule** on the [**Rules Overview**](https://dash.cloudflare.com/?to=/:account/:zone/rules/overview) page by selecting **Create rule** next to **Configuration Rules**:
          1. **Rule name:** `Disable Browser Integrity Check on SFCC hostnames`
          2. **Field:** _Hostname_
          3. **Operator:** _is in_ (this will match against multiple hostnames specified in the **Value** field)
@@ -131,7 +131,7 @@ If you do have a `CAA` record, verify that it permits SSL certificates to be iss
    1. Your SFCC environment, also called a **Realm**, will contain one to many SFCC Proxy Zones, which is where caching will always occur. In the corresponding SFCC Proxy Zone for your domain, SFCC performs their own cache optimization, so it is recommended to bypass the cache on the Proxied DNS records in your Cloudflare zone which target your SFCC environment to prevent a "double caching" scenario. This can be accomplished with a **Cache Rule**.
    2. If the **Cache Rule** is not created, caching will occur in both your Cloudflare zone and your corresponding SFCC Proxy Zone, which can cause issues if and when the cache is invalidated or purged in your SFCC environment.
       1. Additional information on caching in your SFCC environment can be found in [SFCC's Content Cache Documentation](https://developer.salesforce.com/docs/commerce/b2c-commerce/guide/b2c-content-cache.html)
-   3. Create a new **Cache Rule** by navigating to **Rules** > **Overview** and selecting **Create rule** next to **Cache Rules**:
+   3. Create a new **Cache Rule** on the [**Rules Overview**](https://dash.cloudflare.com/?to=/:account/:zone/rules/overview) page by selecting **Create rule** next to **Cache Rules**:
       1. **Rule name:** `Bypass cache on SFCC hostnames`
       2. **Field:** _Hostname_
       3. **Operator:** _is in_ (this will match against multiple hostnames specified in the **Value** field)

src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/enforce-mtls.mdx

@@ -40,7 +40,7 @@ While TLS 1.3 is the most recent and secure version, it is not supported by some
 
 ### Scope
 
-Minimum TLS version exists both as a [zone-level setting](/ssl/edge-certificates/additional-options/minimum-tls/) (under **Edge certificates** > **Minimum TLS Version**) and as a custom hostname setting. What this implies is:
+Minimum TLS version exists both as a [zone-level setting](/ssl/edge-certificates/additional-options/minimum-tls/) (on the [**Edge Certificates**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates) page under **Minimum TLS Version**) and as a custom hostname setting. What this implies is:
 
 - For custom hostnames created via API, it is possible not to explicitly define a value for `min_tls_version`. When that is the case, whatever value is defined as your zone's minimum TLS version will be applied. To confirm whether a given custom hostname has a specific minimum TLS version set, use the following API call.
 

src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/security/certificate-management/issue-and-validate/validate-certificates/delegated-dcv.mdx

@@ -22,7 +22,7 @@ DCV Delegation requires your customers to place a one-time record at their autho
 To set up Delegated DCV:
 
 1. Add a [custom hostname](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/create-custom-hostnames/) for your zone, choosing `TXT` as the **Certificate validation method**.
-2. On **SSL/TLS** > **Custom Hostnames**, go to **DCV Delegation for Custom Hostnames**.
+2. On the [**Custom Hostnames**](https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/custom-hostnames) page, go to **DCV Delegation for Custom Hostnames**.
 3. Copy the hostname value.
 4. For each hostname, the domain owner needs to place a `CNAME` record at their authoritative DNS. In this example, the SaaS zone is `example.com`.
    ```txt