Merge branch 'cloudflare:production' into production

Author: krishnprakash

src/assets/images/changelog/ai-gateway/guardrails-social-preview.png

@@ -1,14 +1,14 @@
 ---
 title: Introducing Guardrails in AI Gateway
 description: Keep AI interactions secure and risk-free with Guardrails in AI Gateway
-products:
-  - ai-gateway
 date: 2025-02-26T6:00:00Z
+preview_image: ~/assets/images/changelog/ai-gateway/guardrails-social-preview.png
 ---
 
-[AI Gateway](/ai-gateway/) now includes [Guardrails](/ai-gateway/guardrails/), to help you monitor your AI apps for harmful or inappropriate content and deploy safely. 
+[AI Gateway](/ai-gateway/) now includes [Guardrails](/ai-gateway/guardrails/), to help you monitor your AI apps for harmful or inappropriate content and deploy safely.
 
 Within the AI Gateway settings, you can configure:
+
 - **Guardrails**: Enable or disable content moderation as needed.
 - **Evaluation scope**: Select whether to moderate user prompts, model responses, or both.
 - **Hazard categories**: Specify which categories to monitor and determine whether detected inappropriate content should be blocked or flagged.

src/content/changelog/ai-gateway/2025-02-26-guardrails.mdx

@@ -8,15 +8,25 @@ import { FeatureTable } from "~/components"
 
 Use Cache Analytics to improve site performance or reduce origin web server traffic. Cache Analytics helps determine if resources are missing from cache, expired, or ineligible for caching. Cache Analytics includes filter by hostname, list of top URLs that miss cache, and a query of up to three days of data.
 
-First, determine whether to focus on Requests or Data Transfer. The default view is Requests, which helps with understanding performance because every cache miss degrades the speed of content delivery. Data Transfer helps with understanding cost because most hosting providers charge for every byte that leaves their network.
+## Availability
 
-You can toggle between Requests and Data Transfer while keeping other analytics filters enabled.
+<FeatureTable id="cache.cache_analytics" />
 
-For best practices related to Cache Analytics, refer to [Cache performance](/cache/performance-review/cache-performance/).
+## Access Cache Analytics
 
-## Availability
+1. Log in to the [Cloudflare dashboard](https://dash.cloudflare.com/login) and select your account and domain.
+2. Go to **Caching** > **Overview**.
 
-<FeatureTable id="cache.cache_analytics" />
+## Requests vs Data Transfer
+
+You can decide wheter to focus on **Requests** or **Data Transfer**:
+
+- **Requests** (default view) help assess performance, as each cache miss slows down content delivery.
+- **Data Transfer** is useful for cost analysis, since most hosting providers charge for every byte that leaves their network.
+
+You can switch between these views while keeping other analytics filters applied.
+
+For best practices related to Cache Analytics, refer to [Cache performance](/cache/performance-review/cache-performance/).
 
 ## Add filters
 

src/content/docs/cache/performance-review/cache-analytics.mdx

@@ -3,10 +3,9 @@ pcx_content_type: how-to
 title: Validate JWTs
 sidebar:
   order: 1
-
 ---
 
-import { GlossaryTooltip } from "~/components"
+import { GlossaryTooltip } from "~/components";
 
 When Cloudflare sends a request to your origin, the request will include an [application token](/cloudflare-one/identity/authorization-cookie/application-token/) as a `Cf-Access-Jwt-Assertion` request header and as a `CF_Authorization` cookie.
 
@@ -22,9 +21,9 @@ You can also manually rotate the key using the [API](/api/resources/zero_trust/s
 
 As shown in the example below, `https://<your-team-name>.cloudflareaccess.com/cdn-cgi/access/certs` contains two public keys: the current key used to sign all new tokens, and the previous key that has been rotated out.
 
-* `keys`: both keys in JWK format
-* `public_cert`: current key in PEM format
-* `public_certs`: both keys in PEM format
+- `keys`: both keys in JWK format
+- `public_cert`: current key in PEM format
+- `public_certs`: both keys in PEM format
 
 ```txt
 {
@@ -65,9 +64,8 @@ As shown in the example below, `https://<your-team-name>.cloudflareaccess.com/cd
 
 :::note[Avoid key rotation issues]
 
-
-* Validate tokens using the external endpoint rather than saving the public key as a hard-coded value.
-* Do not fetch the current key from `public_cert`, since your origin may inadvertently read an expired value from an outdated cache. Instead, match the `kid` value in the JWT to the corresponding certificate in `public_certs`.
+- Validate tokens using the external endpoint rather than saving the public key as a hard-coded value.
+- Do not fetch the current key from `public_cert`, since your origin may inadvertently read an expired value from an outdated cache. Instead, match the `kid` value in the JWT to the corresponding certificate in `public_certs`.
   :::
 
 ## Verify the JWT manually
@@ -175,10 +173,10 @@ func main() {
 
 `pip` install the following:
 
-* flask
-* requests
-* PyJWT
-* cryptography
+- flask
+- requests
+- PyJWT
+- cryptography
 
 ```python
 from flask import Flask, request
@@ -251,8 +249,8 @@ if __name__ == '__main__':
 ### JavaScript example
 
 ```javascript
-const express = require('express');
-const jose = require('jose');
+const express = require("express");
+const jose = require("jose");
 
 // The Application Audience (AUD) tag for your application
 const AUD = process.env.POLICY_AUD;
@@ -265,33 +263,36 @@ const JWKS = jose.createRemoteJWKSet(new URL(CERTS_URL));
 
 // verifyToken is a middleware to verify a CF authorization token
 const verifyToken = async (req, res, next) => {
-  const token = req.headers['cf-access-jwt-assertion'];
-
-  // Make sure that the incoming request has our token header
-  if (!token) {
-    return res.status(403).send({
-      status: false,
-      message: 'missing required cf authorization token',
-    });
-  }
-
-  const result = await jose.jwtVerify(token, JWKS, {
-    issuer: TEAM_DOMAIN,
-    audience: AUD,
-  });
-
-  req.user = result.payload;
-  next();
+	const token = req.headers["cf-access-jwt-assertion"];
+
+	// Make sure that the incoming request has our token header
+	if (!token) {
+		return res.status(403).send({
+			status: false,
+			message: "missing required cf authorization token",
+		});
+	}
+
+	const result = await jose.jwtVerify(token, JWKS, {
+		issuer: TEAM_DOMAIN,
+		audience: AUD,
+	});
+
+	req.user = result.payload;
+	next();
 };
 
 const app = express();
 
 app.use(verifyToken);
 
-app.get('/', (req, res) => {
-  res.send('Hello World!');
+app.get("/", (req, res) => {
+	res.send("Hello World!");
 });
 
 app.listen(3333);
-
 ```
+
+## Related resources
+
+- [Verifying JWTs in Cloudflare Workers](https://kinde.com/blog/engineering/verifying-jwts-in-cloudflare-workers/) - Implement JWT verification in Cloudflare Workers.

src/content/docs/cloudflare-one/identity/authorization-cookie/validating-json.mdx

@@ -2,7 +2,7 @@
 pcx_content_type: navigation
 title: Digital Experience Monitoring
 sidebar:
-  order: 2
+  order: 1
 ---
 
 import { DirectoryListing } from "~/components";

src/content/docs/cloudflare-one/insights/dex/index.mdx

@@ -2,7 +2,7 @@
 pcx_content_type: reference
 title: Monitoring
 sidebar:
-  order: 1
+  order: 2
 ---
 
 Monitor performance and network status for your organization's [fleet](/cloudflare-one/insights/dex/monitoring/#fleet-status) or individual [user devices](/cloudflare-one/insights/dex/monitoring/#device-monitoring).

src/content/docs/cloudflare-one/insights/dex/monitoring.mdx

@@ -2,14 +2,13 @@
 pcx_content_type: reference
 title: Notifications
 sidebar:
-  order: 5
+  order: 6
 head:
   - tag: title
     content: DEX notifications
-
 ---
 
-import { AvailableNotifications } from "~/components"
+import { AvailableNotifications } from "~/components";
 
 Administrators can receive alerts when Cloudflare detects connectivity issues with the WARP client or degraded application performance. Notifications can be delivered via email, webhook, and third-party services.
 

src/content/docs/cloudflare-one/insights/dex/notifications.mdx

@@ -2,7 +2,7 @@
 pcx_content_type: reference
 title: Remote captures
 sidebar:
-  order: 4
+  order: 5
 ---
 
 import { Details } from "~/components";
@@ -45,7 +45,8 @@ DEX will now send capture requests to the configured devices. If the WARP client
 ## Check remote capture status
 
 To view a list of captures, go to **DEX** > **Remote captures**. The **Status** column displays one of the following options:
-- **Success**: The capture is complete and ready for download. Any partially successful captures will still upload to Cloudflare. For example, there could be a scenario where the PCAP succeeds on the primary network interface but fails on the WARP tunnel interface. You can [review PCAP results](/cloudflare-one/insights/dex/remote-captures/#download-remote-captures) to determine which PCAPs succeeded or failed. 
+
+- **Success**: The capture is complete and ready for download. Any partially successful captures will still upload to Cloudflare. For example, there could be a scenario where the PCAP succeeds on the primary network interface but fails on the WARP tunnel interface. You can [review PCAP results](/cloudflare-one/insights/dex/remote-captures/#download-remote-captures) to determine which PCAPs succeeded or failed.
 - **Running**: The capture is in progress on the device.
 - **Pending Upload**: The capture is complete but not yet ready for download.
 - **Failed**: The capture has either timed out or encountered an error. To retry the capture, check the WARP client version and [connectivity status](/cloudflare-one/insights/dex/monitoring/#fleet-status), then start a [new capture](/cloudflare-one/insights/dex/remote-captures/#start-a-remote-capture).

src/content/docs/cloudflare-one/insights/dex/remote-captures.mdx

@@ -0,0 +1,76 @@
+---
+pcx_content_type: reference
+title: Rules
+sidebar:
+  order: 4
+---
+
+DEX rules allow you to create and manage testing policies for targeted user groups within your [fleet](/cloudflare-one/insights/dex/tests/). After creating a rule, you can use it to define the scope of a [test](/cloudflare-one/insights/dex/tests/) to specific groups such as departments (like finance or sales), devices, and/or users. You can apply and reuse rules on your desired tests.
+
+DEX rules are ideal for admins who want to define the scope of a test to a specific group within their fleet to allow for more precise problem detection and resolution.
+
+## Create a rule
+
+To create a rule:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DEX** > **Rules**.
+2. Select **Add a rule**.
+3. Give your rule a name and build your desired expressions.
+4. Select **Create rule** to finalize your rule.
+
+### Selectors
+
+Selectors are required categories in a DEX rule expression that define a group within a fleet. The selector(s) you have defined in a rule will determine which group a test will impact.
+
+Review the available selectors and their scope in the following list.
+
+| Selector                     | Description                                                                                                                       |
+| ---------------------------- | --------------------------------------------------------------------------------------------------------------------------------- |
+| **User email**               | For specifying [user emails](/cloudflare-one/policies/gateway/identity-selectors/#user-email).                                    |
+| **User group emails**        | For specifying [group emails](/cloudflare-one/policies/gateway/identity-selectors/#user-group-email).                             |
+| **User group IDs**           | For specifying [group IDs](/cloudflare-one/policies/gateway/identity-selectors/#user-group-ids).                                  |
+| **User group names**         | For specifying a [group name](/cloudflare-one/policies/gateway/identity-selectors/#user-group-names).                             |
+| **Operating systems**        | For specifying operating systems.                                                                                                 |
+| **Operating system version** | For specifying an operating system version (use Operator `in`) or versions (use Operator `is`).                                   |
+| **Managed network**          | For specifying users accessing the network from the office (managed network) compared to those accessing remotely.                |
+| **SAML attributes**          | For specifying a value from the [SAML Attribute Assertion](/cloudflare-one/policies/gateway/identity-selectors/#saml-attributes). |
+| **Colos**                    | For specifying a Cloudflare data center location users are connected to.                                                          |
+
+## Add a rule to a test
+
+After you have created a rule, you can add it to a test. If you do not add a rule to a test, the test will run on your entire device fleet.
+
+To add a rule to a test:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DEX** > **Tests**.
+2. Choose an existing test and select **Edit**, or select **Add a test** to make a new test.
+3. Under **Select DEX rules**, select the rule you would like to apply.
+4. Select **Save test** for an existing rule or **Add rule** for the new test.
+
+:::note
+When applying or removing rules from an existing test, your change can take up to 24 hours to propagate.
+:::
+
+To view which tests a rule is being applied to:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DEX** > **Rules**.
+2. Select a rule > **Edit**.
+3. Select the **DEX tests** tab and review the list of tests that include your selected rule.
+
+## Create a test using a rule
+
+You can create a new test from the [DEX test dashboard as described above](/cloudflare-one/insights/dex/rules/#add-a-rule-to-a-test) or directly from the DEX rules dashboard.
+
+To create a new test using a rule from DEX rules:
+
+1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DEX** > **Rules**.
+2. Select a rule > **Edit**.
+3. Select the **DEX tests** tab.
+4. You will be able to review all the tests that currently include this rule. To create a new test, select **Create a test using this rule**.
+5. Enter all required information, making sure that the box next to your rule name is checked.
+6. Select **Add test**.
+
+## Related resources
+
+- [DEX HTTP test](/cloudflare-one/insights/dex/tests/http/) - Assess the accessibility of a web application.
+- [DEX Traceroute test](/cloudflare-one/insights/dex/tests/traceroute/) - Measure the network path of an IP packet from an end-user device to a server.

src/content/docs/cloudflare-one/insights/dex/rules.mdx

@@ -3,11 +3,9 @@ pcx_content_type: reference
 title: HTTP test
 sidebar:
   order: 1
-
 ---
 
-
-import { Details } from "~/components"
+import { Details } from "~/components";
 
 <Details header="Feature availability">
 
@@ -17,13 +15,12 @@ import { Details } from "~/components"
 
 | System   | Availability | Minimum WARP version |
 | -------- | ------------ | -------------------- |
-| Windows  | ✅            | 2023.3.381           |
-| macOS    | ✅            | 2023.3.381           |
-| Linux    | ✅            | 2023.3.398           |
-| iOS      | ❌            |                      |
-| Android  | ✅            | 1.0                  |
-| ChromeOS | ✅            | 1.0                  |
-
+| Windows  | ✅           | 2023.3.381           |
+| macOS    | ✅           | 2023.3.381           |
+| Linux    | ✅           | 2023.3.398           |
+| iOS      | ❌           |                      |
+| Android  | ✅           | 1.0                  |
+| ChromeOS | ✅           | 1.0                  |
 
 </Details>
 
@@ -36,11 +33,11 @@ To set up an HTTP test for an application:
 1. In [Zero Trust](https://one.dash.cloudflare.com/), go to **DEX** > **Tests**.
 2. Select **Add a Test**.
 3. Fill in the following fields:
-   * **Name**: Enter any name for the test.
-   * **Target**: Enter the URL of the website or application that you want to test (for example, `https://jira.site.com`). Both public and private hostnames are supported. If testing a private hostname, ensure that the domain is on your [local domain fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) list.
-   * **Source device profiles**: (Optional) Select the [WARP device profiles](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) that you want to run the test on. If no profiles are selected, the test will run on all supported devices connected to your Zero Trust organization.
-   * **Test type**: Select *HTTP Get*.
-   * **Test frequency**: Specify how often the test will run. Input a minute value between 5 and 60.
+   - **Name**: Enter any name for the test.
+   - **Target**: Enter the URL of the website or application that you want to test (for example, `https://jira.site.com`). Both public and private hostnames are supported. If testing a private hostname, ensure that the domain is on your [local domain fallback](/cloudflare-one/connections/connect-devices/warp/configure-warp/route-traffic/local-domains/) list.
+   - **Source device profiles**: (Optional) Select the [WARP device profiles](/cloudflare-one/connections/connect-devices/warp/configure-warp/device-profiles/) that you want to run the test on. If no profiles are selected, the test will run on all supported devices connected to your Zero Trust organization.
+   - **Test type**: Select _HTTP Get_.
+   - **Test frequency**: Specify how often the test will run. Input a minute value between 5 and 60.
 4. Select **Add test**.
 
 Next, [view the results](/cloudflare-one/insights/dex/tests/view-results/) of your test.
@@ -55,3 +52,7 @@ An HTTP test measures the following data:
 | Server response time | Round-trip time for the device to receive a response from the target.                                                                                                   |
 | DNS response time    | Round-trip time for the DNS query to resolve.                                                                                                                           |
 | HTTP status codes    | [Status code](https://developer.mozilla.org/en-US/docs/Web/HTTP/Status) returned by the target.                                                                         |
+
+## Related resources
+
+- [DEX rules](/cloudflare-one/insights/dex/rules/) - Specify the target group of a test.