Merge branch 'cloudflare:production' into production

krishnprakash · web-flow · commit 7ab655c3f9fd · 2025-03-11T20:27:41.000+05:30
diff --git a/src/content/changelog/workers/2025-03-11-process-env-support.mdx b/src/content/changelog/workers/2025-03-11-process-env-support.mdx
@@ -0,0 +1,32 @@
+---
+title: Access your Worker's environment variables from process.env
+description: With Node.js compatability on, process.env is automatically populated with environment variables and secrets
+products:
+  - workers
+date: 2025-03-11T15:00:00Z
+---
+
+You can now access [environment variables](/workers/configuration/environment-variables/) and
+[secrets](/workers/configuration/secrets/) on [`process.env`](/workers/runtime-apis/nodejs/process/#processenv)
+when using the [`nodejs_compat` compatability flag](/workers/configuration/compatibility-flags/#nodejs-compatibility-flag).
+
+```js
+const apiClient = ApiClient.new({ apiKey: process.env.API_KEY });
+const LOG_LEVEL = process.env.LOG_LEVEL || "info";
+```
+
+In Node.js, environment variables are exposed via the global `process.env` object. Some libraries
+assume that this object will be populated, and many developers may be used to accessing variables
+in this way.
+
+Previously, the `process.env` object was always empty unless written to in Worker code. This could
+cause unexpected errors or friction when developing Workers using code previously written for Node.js.
+
+Now, [environment variables](/workers/configuration/environment-variables/),
+[secrets](/workers/configuration/secrets/), and [version metadata](/workers/runtime-apis/bindings/version-metadata/)
+can all be accessed on `process.env`.
+
+After April 1, 2025, populating `process.env` will become the default behavior when `nodejs_compat` is enabled, and
+your Worker's compatability date is after "2025-04-01". Until then, users can opt-in to this behavior by adding the
+[`nodejs_compat_populate_process_env`](/workers/configuration/compatibility-flags/#enable-auto-populating-processenv)
+compatability flag.
diff --git a/src/content/compatibility-flags/nodejs-compat-populate-process-env.md b/src/content/compatibility-flags/nodejs-compat-populate-process-env.md
@@ -0,0 +1,25 @@
+---
+name: "Enable auto-populating `process.env`"
+sort_date: "2025-02-27"
+enable_date: "2025-04-01"
+enable_flag: "nodejs_compat_populate_process_env"
+disable_flag: "nodejs_compat_do_not_populate_process_env"
+---
+
+When you enable the `nodejs_compat_populate_process_env` compatibility flag and the [`nodejs_compat`](/workers/runtime-apis/nodejs/)
+flag is also enabled, `process.env` will be populated with values from any bindings with text or JSON values.
+This means that if you have added [environment variables](/workers/configuration/environment-variables/),
+[secrets](/workers/configuration/secrets/), or [version metadata](/workers/runtime-apis/bindings/version-metadata/)
+bindings, these values can be accessed on `process.env`.
+
+```js
+const apiClient = ApiClient.new({ apiKey: process.env.API_KEY });
+const LOG_LEVEL = process.env.LOG_LEVEL || "info";
+```
+
+This makes accessing these values easier and conforms to common Node.js patterns, which can
+reduce toil and help with compatability for existing Node.js libraries.
+
+If users do not wish for these values to be accessible via `process.env`, they can use the
+`nodejs_compat_do_not_populate_process_env` flag. In this case, `process.env` will still be
+available, but will not have values automatically added.
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/as-a-service/windows.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/as-a-service/windows.mdx
@@ -64,7 +64,7 @@ By default, Cloudflare Tunnel expects all of the configuration to exist in the `
    cloudflared.exe tunnel create <Tunnel Name>
    ```
 
-   This will generate a [credentials file](/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms/#credentials-file) in `.json` format.
+   This will generate a [credentials file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/local-tunnel-terms/#credentials-file) in `.json` format.
 
 10. [Create a configuration file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel/#4-create-a-configuration-file) with the following content:
 
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/create-local-tunnel.mdx
@@ -105,7 +105,7 @@ cloudflared tunnel login
 Running this command will:
 
 - Open a browser window and prompt you to log in to your Cloudflare account. After logging in to your account, select your hostname.
-- Generate an account certificate, the [cert.pem file](/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms/#certpem), in the [default `cloudflared` directory](/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms/#default-cloudflared-directory).
+- Generate an account certificate, the [cert.pem file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/local-tunnel-terms/#certpem), in the [default `cloudflared` directory](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/local-tunnel-terms/#default-cloudflared-directory).
 
 ## 3. Create a tunnel and give it a name
 
@@ -116,7 +116,7 @@ cloudflared tunnel create <NAME>
 Running this command will:
 
 - Create a tunnel by establishing a persistent relationship between the [name you provide](/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms/#tunnel-name) and a [UUID](/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms/#tunnel-uuid) for your tunnel. At this point, no connection is active within the tunnel yet.
-- Generate a [tunnel credentials file](/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms/#credentials-file) in the [default `cloudflared` directory](/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms/#default-cloudflared-directory).
+- Generate a [tunnel credentials file](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/local-tunnel-terms/#credentials-file) in the [default `cloudflared` directory](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/local-tunnel-terms/#certpem).
 - Create a subdomain of `.cfargotunnel.com`.
 
 From the output of the command, take note of the tunnel's UUID and the path to your tunnel's credentials file.
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/routing-to-tunnel/dns.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/routing-to-tunnel/dns.mdx
@@ -44,7 +44,7 @@ This command create a `CNAME` record that points to the tunnel subdomain, but wi
 
 :::note
 
-To create DNS records using `cloudflared`, the [`cert.pem`](/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms/#certpem) file must be installed on your system.
+To create DNS records using `cloudflared`, the [`cert.pem`](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/local-tunnel-terms/#certpem) file must be installed on your system.
 :::
 
 </TabItem>
diff --git a/src/content/docs/cloudflare-one/connections/connect-networks/routing-to-tunnel/lb.mdx b/src/content/docs/cloudflare-one/connections/connect-networks/routing-to-tunnel/lb.mdx
@@ -39,7 +39,7 @@ This command creates an LB DNS record that points the specified hostname to the
 
 :::note
 
-To create DNS records using `cloudflared`, the [`cert.pem`](/cloudflare-one/connections/connect-networks/get-started/tunnel-useful-terms/#certpem) file must be installed on your system.
+To create DNS records using `cloudflared`, the [`cert.pem`](/cloudflare-one/connections/connect-networks/do-more-with-tunnels/local-management/local-tunnel-terms/#certpem) file must be installed on your system.
 :::
 
 </TabItem>
diff --git a/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/client-certificate.mdx b/src/content/docs/cloudflare-one/identity/devices/warp-client-checks/client-certificate.mdx
@@ -31,7 +31,7 @@ The Client Certificate device posture attribute checks if the device has a valid
 
 - A CA that issues client certificates for your devices. WARP does not evaluate the certificate trust chain; this needs to be the issuing certificate.
 - Cloudflare WARP client is [deployed](/cloudflare-one/connections/connect-devices/warp/deployment/) on the device.
-- A client certificate is [installed and trusted](#how-warp-checks-for-a-client-certificate) on the device.
+- A client certificate is [installed and trusted](#configure-the-client-certificate-check) on the device.
 
 :::note
 
diff --git a/src/content/docs/cloudflare-one/identity/one-time-pin.mdx b/src/content/docs/cloudflare-one/identity/one-time-pin.mdx
@@ -88,6 +88,6 @@ By design, blocked users will not receive an email. The login page will always s
 
 :::note
 
-Access only logs an authentication attempt after the user enters a code. If the user enters their email but never submits a code, the event will not appear in your [audit logs](/cloudflare-one/insights/logs/audit-logs/#authentication-audit-logs).
+Access only logs an authentication attempt after the user enters a code. If the user enters their email but never submits a code, the event will not appear in your [audit logs](/cloudflare-one/insights/logs/audit-logs/#authentication-logs).
 :::
 
diff --git a/src/content/docs/cloudflare-one/identity/users/seat-management.mdx b/src/content/docs/cloudflare-one/identity/users/seat-management.mdx
@@ -5,7 +5,7 @@ sidebar:
   order: 4
 ---
 
-Cloudflare Zero Trust subscriptions consist of seats that active users in your account consume. Active users are added to Zero Trust through any [authentication event](#authentication-event).
+Cloudflare Zero Trust subscriptions consist of seats that active users in your account consume. Active users are added to Zero Trust through any [authentication event](#authentication-events).
 
 The amount of seats available in your Zero Trust account depends on the amount of users you purchase. If you want to increase the number of seats available, you will have to purchase more users. Learn more about adding and removing seats from your account in the [Zero Trust FAQ](/cloudflare-one/faq/getting-started-faq/#how-do-i-change-my-subscription-plan).
 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx b/src/content/docs/cloudflare-one/policies/gateway/application-app-types.mdx
@@ -58,7 +58,7 @@ Applications can be incompatible with [TLS decryption](/cloudflare-one/policies/
 
 #### Application grouping
 
-Gateway automatically groups applications incompatible with TLS decryption into the _Do Not Inspect_ app type. As Cloudflare identifies incompatible applications, Gateway will periodically update this app type to add new applications. To ensure Gateway does not intercept any current or future incompatible traffic, you can [create a Do Not Inspect HTTP policy](/cloudflare-one/policies/gateway/initial-setup/http/#bypass-inspection-for-incompatible-applications) with the entire _Do Not Inspect_ app type selected.
+Gateway automatically groups applications incompatible with TLS decryption into the _Do Not Inspect_ app type. As Cloudflare identifies incompatible applications, Gateway will periodically update this app type to add new applications. To ensure Gateway does not intercept any current or future incompatible traffic, you can [create a Do Not Inspect HTTP policy](/cloudflare-one/policies/gateway/http-policies/#do-not-inspect) with the entire _Do Not Inspect_ app type selected.
 
 :::note[Install Cloudflare certificate manually to allow TLS decryption]
 
diff --git a/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx b/src/content/docs/cloudflare-one/policies/gateway/network-policies/index.mdx
@@ -40,7 +40,7 @@ API value: `allow`
 
 **Traffic**
 
-- [All Access Private Apps](#all-access-private-apps)
+- [All Access Private Apps](#all-access-private-app-destinations)
 - [All Access App Targets](#all-access-app-targets)
 - [Application](#application)
 - [Content Categories](#content-categories)
diff --git a/src/content/docs/dns/zone-setups/troubleshooting/cannot-add-domain.mdx b/src/content/docs/dns/zone-setups/troubleshooting/cannot-add-domain.mdx
@@ -9,7 +9,7 @@ head:
 
 If you encounter issues [adding a domain](/fundamentals/setup/manage-domains/add-site/) to Cloudflare, follow these troubleshooting steps.
 
-## 1. Disable DNSSEC
+## Disable DNSSEC
 
 Cloudflare cannot provide authoritative DNS resolution for a domain — a [full setup domain](/dns/zone-setups/full-setup/) — when **DNSSEC** is enabled at your domain registrar.
 
@@ -23,7 +23,7 @@ If you experience these issues, refer to [Configuring DNSSEC](/dns/dnssec) and [
 
 ---
 
-## 2. Register the domain
+## Register the domain
 
 If the issue is with your registrar, you may receive the following error messages:
 
@@ -39,7 +39,7 @@ If you receive these error messages, make sure that:
 
 ---
 
-## 3. Resolve DNS for apex domain
+## Resolve DNS for apex domain
 
 Before a domain can be added to Cloudflare, the domain must return `NS` records for valid, working nameservers. `NS` records can be checked via third-party online tools such as [https://www.whatsmydns.net](https://www.whatsmydns.net/) or via a command-line terminal using a dig command:
 
@@ -69,21 +69,39 @@ ns3.cloudflare.com. dns.cloudflare.com. 2029202248 10000 2400 604800 300
 
 ---
 
-## 4. Check if the domain is restricted at Cloudflare
+## Check if the domain is restricted at Cloudflare
 
 If Cloudflare has temporary or permanent restrictions on a domain, you will receive the following errors:
 
 - **Error 1105**
   - **Message**: `Error with Cloudflare request: [1105] This zone is temporarily restricted and cannot be added to Cloudflare at this time, please contact Cloudflare Support.`
   - **Cause**: We have seen too many attempts to add a domain to Cloudflare
   - **Resolution**: Wait 3 hours before attempting to re-add the domain to Cloudflare. Support cannot speed up this process.
-- \_**Error 1093 or 1116**
+- **Error 1093 or 1116**
   - **Message**: `This zone cannot be added to Cloudflare at this time, please contact Cloudflare Support. (Code: 1093)`
   - **Cause**: You may have entered a subdomain (`www.example.com`) instead of the apex domain (also known as "root domain", e.g. `example.com`).
   - **Resolution**: Verify that you are entering the apex domain. If you are and still experience issues, contact [Cloudflare Support](/support/contacting-cloudflare-support/).
-- \_**Error 1097**
+- _**Error 1097**
   - **Message**: `This web property cannot be added to Cloudflare at this time. If you are an Enterprise customer, contact your Customer Success Manager. Otherwise, email abusereply@cloudflare.com with a detailed explanation of your association with this zone. (Code: 1097)`
   - **Resolution**: Contact [abusereply@cloudflare.com](mailto:abusereply@cloudflare.com) with a detailed explanation of your association with this zone.
 - **Error: Cannot be found** OR **`<your domain>` is not a registered domain (code: 1049)**
   - This can happen if the domain has not been registered yet. Some domains, like `.gov` domains, have special requirements that require the domain be added first.
   - **Resolution:** Please contact [Cloudflare Support](/support/contacting-cloudflare-support/) if you require assistance adding a `.gov` and/or other domains that require manual registration.
+
+---
+
+## Contact the zone owner in case of zone hold error
+
+Enterprise customers can use the [zone hold](/fundamentals/setup/account/account-security/zone-holds/) feature to prevent domains to be added in any other account.
+If you get the following error when adding your domain, it means that a zone hold is active:
+
+```
+The zone name provided is subject to a hold which disallows the creation of this zone. 
+Please contact the owner of the Cloudflare account that manages this domain to have this hold removed.
+```
+
+In this case you'll need to remove the zone hold if you own the Cloudflare account in which the zone is active, or contact the owner of the Cloudflare account which has the zone active.
+
+If you are not the owner of the Cloudflare account that has the hold on the zone, using an online WHOIS tool might help you finding the owner of a website.
+See this [external tool](https://www.godaddy.com/fr/whois) or this [other external tool](https://www.whois.com/whois/).
+You can also use the [Cloudflare Forgot Email?](https://dash.cloudflare.com/forgot-email) page, and check the documentation related to the [Forgot Email? feature](/fundamentals/setup/account/account-security/login-and-account-issues/#forgot-your-email).
diff --git a/src/content/docs/fundamentals/setup/manage-domains/remove-domain.mdx b/src/content/docs/fundamentals/setup/manage-domains/remove-domain.mdx
@@ -17,6 +17,13 @@ If you have an Enterprise plan, you need to [change the zone plan](/fundamentals
 
 If you need to re-add the domain in a different account, make sure the current settings have been saved. For example, you may [Import and export DNS records](/dns/manage-dns-records/how-to/import-and-export/).
 
+:::note
+If you have just added a domain and haven't configured its plan yet, the domain is in the `Initializing (Setup)` status and cannot be deleted.
+At this step you'll need to select a plan for this domain: the status will then change to `Pending` and you can then delete the domain.
+Please also note that domains in the `Initializing (Setup)` or `Pending` statuses will [automatically be deleted after 28 days](/dns/zone-setups/reference/domain-status/#initializing-setup) if they do not activate.
+:::
+
+
 ### Actions outside of Cloudflare
 
 * When you remove a domain from Cloudflare, it also prevents your domain from using Cloudflare for DNS resolution. To avoid DNS errors, update your nameservers at your domain registrar to use nameservers not owned by Cloudflare.
diff --git a/src/content/docs/images/transform-images/sources.mdx b/src/content/docs/images/transform-images/sources.mdx
@@ -19,7 +19,7 @@ If you use a Worker to optimize remote images via a `fetch()` subrequest, then t
 
 In the Cloudflare dashboard, go to **Images** > **Transformations** and select the zone where you want to serve transformations.
 
-To get started, you must have [transformations enabled on your zone](/images/get-started/#enable-transformations).
+To get started, you must have [transformations enabled on your zone](/images/get-started/#enable-transformations-on-your-zone).
 
 In **Sources**, you can configure the origins for transformations on your zone.
 
diff --git a/src/content/docs/stream/transform-videos/index.mdx b/src/content/docs/stream/transform-videos/index.mdx
@@ -35,7 +35,7 @@ https://example.com/cdn-cgi/media/<OPTIONS>/<SOURCE-VIDEO>
 - `example.com`: Your website or zone on Cloudflare, with Transformations enabled.
 - `/cdn-cgi/media/`: A prefix that identifies a special path handled by Cloudflare's built-in media transformation service.
 - `<OPTIONS>`: A comma-separated list of options. Refer to the available options below.
-- `<SOURCE-VIDEO>`: An absolute path on the origin server or a full URL (starting with `https://` or `http://`) of the original asset to resize.
+- `<SOURCE-VIDEO>`: A full URL (starting with `https://` or `http://`) of the original asset to resize.
 
 For example, this URL will source an HD video from an R2 bucket, shorten it, crop and resize it as a square, and remove the audio.
 
diff --git a/src/content/docs/workers/examples/signing-requests.mdx b/src/content/docs/workers/examples/signing-requests.mdx
@@ -22,7 +22,7 @@ import { TabItem, Tabs } from "~/components";
 
 :::note
 
-This example Worker makes use of the [Node.js Buffer API](/workers/runtime-apis/nodejs/buffer/), which is available as part of the Worker's runtime [Node.js compatibility mode](/workers/runtime-apis/nodejs/). To run this Worker, you will need to [enable the `nodejs_compat` compatibility flag](/workers/runtime-apis/nodejs/#enable-nodejs-with-workers).
+This example Worker makes use of the [Node.js Buffer API](/workers/runtime-apis/nodejs/buffer/), which is available as part of the Worker's runtime [Node.js compatibility mode](/workers/runtime-apis/nodejs/). To run this Worker, you will need to [enable the `nodejs_compat` compatibility flag](/workers/runtime-apis/nodejs/#get-started).
 :::
 
 You can both verify and generate signed requests from within a Worker using the [Web Crypto APIs](https://developer.mozilla.org/en-US/docs/Web/API/Crypto/subtle).
diff --git a/src/content/docs/workers/frameworks/framework-guides/angular.mdx b/src/content/docs/workers/frameworks/framework-guides/angular.mdx
@@ -24,7 +24,7 @@ To use `create-cloudflare` to create a new Angular project with <InlineBadge pre
 <PackageManagers
 	type="create"
 	pkg="cloudflare@latest my-angular-app"
-	args={"--framework=angular --experimental"}
+	args={"--framework=angular --platform=workers"}
 />
 
 <Render
diff --git a/src/content/docs/workers/frameworks/framework-guides/gatsby.mdx b/src/content/docs/workers/frameworks/framework-guides/gatsby.mdx
@@ -24,7 +24,7 @@ To use `create-cloudflare` to create a new Gatsby project with <InlineBadge pres
 <PackageManagers
 	type="create"
 	pkg="cloudflare@latest my-gatsby-app"
-	args={"--framework=gatsby --experimental"}
+	args={"--framework=gatsby --platform=workers"}
 />
 
 <Render
diff --git a/src/content/docs/workers/frameworks/framework-guides/nuxt.mdx b/src/content/docs/workers/frameworks/framework-guides/nuxt.mdx
@@ -24,7 +24,7 @@ To use `create-cloudflare` to create a new Nuxt project with <InlineBadge preset
 <PackageManagers
 	type="create"
 	pkg="cloudflare@latest my-nuxt-app"
-	args={"--framework=nuxt --experimental"}
+	args={"--framework=nuxt --platform=workers"}
 />
 
 <Render
diff --git a/src/content/docs/workers/frameworks/framework-guides/react.mdx b/src/content/docs/workers/frameworks/framework-guides/react.mdx
@@ -63,3 +63,7 @@ The following command will build and deploy your project. If you are using CI, e
 You can serve static assets in your React application by [placing them in the `./public/` directory](https://vite.dev/guide/assets#the-public-directory). This can be useful for resource files such as images, stylesheets, fonts, and manifests.
 
 <Render file="workers-assets-routing-summary" />
+
+## Use bindings with React
+
+Your new project also contains a Worker at `./api/index.ts`, which you can use as a backend API for your React application. While your React application cannot directly access Workers bindings, it can interact with them through this Worker. You can make [`fetch()` requests](/workers/runtime-apis/fetch/) from your React application to the Worker, which can then handle the request and use bindings. Learn how to [configure Workers bindings](/workers/runtime-apis/bindings/).
diff --git a/src/content/docs/workers/frameworks/framework-guides/vue.mdx b/src/content/docs/workers/frameworks/framework-guides/vue.mdx
diff --git a/src/content/docs/workers/observability/logs/real-time-logs.mdx b/src/content/docs/workers/observability/logs/real-time-logs.mdx
diff --git a/src/content/docs/workers/runtime-apis/nodejs/process.mdx b/src/content/docs/workers/runtime-apis/nodejs/process.mdx
diff --git a/src/content/docs/workers/static-assets/compatibility-matrix.mdx b/src/content/docs/workers/static-assets/compatibility-matrix.mdx
