Every organization approaches security through a unique lens, shaped by their tooling, requirements, and history. No two environments look the same, and none stay static for long. We believe the platforms that protect them shouldn’t be static either.
Cloudflare built our global network to be programmable by design, so we can help organizations unlock this flexibility and freedom. In this post, we’ll go deeper into what programmability means, and how Cloudflare One, our SASE platform, helps customers architect their security and networking with our building blocks to meet their unique and custom needs.
What programmability actually means
The term programmability has become diluted by the industry. Most security vendors claim programmability because they have public APIs, documented Terraform providers, webhooks, and alerting. That’s great, and Cloudflare offers all of those things too.
These foundational capabilities provide customization, infrastructure-as-code, and security operations automation, but they’re table stakes. With traditional programmability, you can configure a webhook to send an alert to Slack when a policy triggers.
But the true value of programmability is something different. It’s the ability to intercept a security event, enrich it with external context, and act on it in real time. Say a user attempts to access a regulated application containing sensitive financial data. Before the request completes, you query your learning management system to verify the user has completed the required compliance training. If their certification has expired, or they never completed it, access is denied, and they are redirected to the training portal. The policy didn’t just trigger an alert; it made the decision.
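The compliance-training decision described above, as an added example that is not code from the original post or from Cloudflare. The learning management system record shape (`completed_at`, `expires_at`), the injected `lookup` function and the portal URL are assumptions made for illustration.

```javascript
// Added example: decision logic only. Record fields and the portal URL are
// hypothetical, not a Cloudflare or LMS vendor API.
const TRAINING_PORTAL_URL = 'https://training.example.com/compliance'; // placeholder

// Decide from an LMS record: { completed_at, expires_at } as ISO 8601 strings.
function evaluateTraining(record, now) {
  if (!record || !record.completed_at) return { allow: false, reason: 'not_completed' };
  const expires = Date.parse(record.expires_at);
  // A missing or unparseable expiry is treated as expired (fail closed).
  if (Number.isNaN(expires) || expires <= now.getTime()) {
    return { allow: false, reason: 'expired' };
  }
  return { allow: true, reason: 'current' };
}

// lookup(email) is injected so the check can be exercised without a network
// call; in a Worker it would wrap fetch() to the LMS with a short timeout.
async function decideAccess(email, lookup, now = new Date()) {
  let verdict;
  try {
    verdict = evaluateTraining(await lookup(email), now);
  } catch (err) {
    // LMS unreachable or returned an error: deny rather than allow by default.
    verdict = { allow: false, reason: 'lms_unavailable' };
  }
  if (verdict.allow) return { status: 200, reason: verdict.reason };
  // Denied users are redirected to the training portal; the reason is kept for logging.
  const location = `${TRAINING_PORTAL_URL}?reason=${encodeURIComponent(verdict.reason)}`;
  return { status: 302, location, reason: verdict.reason };
}

// Constructed sample data standing in for LMS responses.
const SAMPLE_LMS = {
  'alice@example.com': { completed_at: '2025-03-01T00:00:00Z', expires_at: '2026-03-01T00:00:00Z' },
  'bob@example.com': { completed_at: '2023-01-10T00:00:00Z', expires_at: '2024-01-10T00:00:00Z' },
};
const sampleLookup = async (email) => SAMPLE_LMS[email] || null;
```

The lookup failure path matters as much as the expiry check: an access decision that depends on an external system should state what happens when that system is down, and here it denies.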
Building the most programmable SASE platform
The Cloudflare global network spans more than 330 cities across the globe and operates within roughly 50 milliseconds of 95% of the Internet-connected population. This network runs every service on every server in every data center. That means our industry-leading SASE platform and Developer Platform run side by side, on the same metal, making our Cloudflare services both composable and programmable.
When you use Cloudflare to protect your external web properties, you’re using the same network, the same tools, and the same primitives as when you secure your users, devices, and private networks with Cloudflare One. These are also the same primitives you use when you build and deploy full-stack applications on our Developer Platform. They’re designed to work together, not because they were integrated after the fact, but because they were never separate to begin with.
By design, this allows customers to extend policy decisions with custom logic in real time. You can call an external risk API, inject dynamic headers, or validate browser attributes. You can route traffic based on your business logic without adding latency or standing up separate infrastructure. Standalone SASE providers without their own compute platform require you to deploy automation in a separate cloud, manually configure webhooks, and accept the round-trip latency and management overhead of stitching together disconnected systems. With Cloudflare, your Worker augments inline SASE services like Access to enforce custom policies, at the edge, in milliseconds.
What programmability unlocks
At its core, every security gateway operates on the same fundamental model. Traffic flows from sources, through policies, to destinations. The policies are where things get interesting, but in most platforms, your options are limited to predefined actions: allow, block, isolate, or quarantine.
We think there’s a better way. What if you could invoke custom logic instead?
Rather than predefined actions, you could:
Dynamically inject headers based on user identity claims
Call external risk engines for a real-time verdict before allowing access
Enforce access controls based on location and working hours
Today, customers can already do many of these things with Cloudflare. And we’re strengthening the integration between our SASE and Developer Platform to make this even easier. Programmability extensions, like the ones listed above, will be natively integrated into Cloudflare One, enabling customers to build real-time, custom logic into their security and networking policies. Inspect a request and make a decision in milliseconds. Or run a Worker on a schedule to analyze user activity and update policies accordingly, such as adding users to a high-risk list based on signals from an external system.
We’re building this around the concept of actions: both managed and custom. Managed actions will provide templates for common scenarios like IT service management integrations, redirects, and compliance automation. Custom actions allow you to define your own logic entirely. When a Gateway HTTP policy matches, instead of being limited to allow, block, or isolate, you can invoke a Cloudflare Worker directly. Your code runs at the edge, in real time, with full access to the request context.
How customers are building today
While we’re improving this experience, many customers are already using Cloudflare One and Developer Platform this way today. Here is a simple example that illustrates what you can do with this programmability.
Automated device session revocation
The problem: A customer wanted to enforce periodic re-authentication for their Cloudflare One Client users, similar to how traditional VPNs require users to re-authenticate every few hours. Cloudflare’s pre-defined session controls are designed around per-application policies, not global time-based expiration.
The solution: A scheduled Cloudflare Worker that queries the Devices API, identifies devices that have been inactive longer than a specified threshold, and revokes their registrations, forcing users to re-authenticate via their identity provider.
    export default {
      async scheduled(event, env, ctx) {
        const API_TOKEN = env.API_TOKEN;
        const ACCOUNT_ID = env.ACCOUNT_ID; // Account whose registrations are queried
        const REVOKE_INTERVAL_MINUTES = parseInt(env.REVOKE_INTERVAL_MINUTES, 10); // Reuse for inactivity threshold
        const DRY_RUN = env.DRY_RUN === 'true';

        // An unset or non-numeric threshold parses to NaN, which would silently revoke nothing
        if (!Number.isFinite(REVOKE_INTERVAL_MINUTES) || REVOKE_INTERVAL_MINUTES <= 0) {
          console.error('REVOKE_INTERVAL_MINUTES must be a positive integer');
          return;
        }

        const headers = {
          'Authorization': `Bearer ${API_TOKEN}`,
          'Content-Type': 'application/json'
        };

        let cursor = '';
        let allDevices = [];

        // Fetch all registrations with cursor-based pagination
        while (true) {
          // Placeholder: Devices API registrations list URL for ACCOUNT_ID, with its initial query string
          let url = `<REGISTRATIONS_LIST_URL>`;
          if (cursor) {
            url += `&cursor=${encodeURIComponent(cursor)}`;
          }

          const devicesResponse = await fetch(url, { headers });
          const devicesData = await devicesResponse.json();
          if (!devicesData.success) {
            console.error('Failed to fetch registrations:', devicesData.errors);
            return;
          }

          allDevices = allDevices.concat(devicesData.result);

          // Extract next cursor (adjust if your response uses a different field, e.g., devicesData.result_info.cursor)
          cursor = devicesData.cursor || '';
          if (!cursor) break;
        }

        const now = new Date();
        for (const device of allDevices) {
          const lastSeen = new Date(device.last_seen_at);
          const minutesInactive = (now - lastSeen) / (1000 * 60);

          // Revoke only registrations idle for longer than the threshold
          if (minutesInactive > REVOKE_INTERVAL_MINUTES) {
            console.log(`Registration ${device.id} inactive for ${minutesInactive} minutes.`);
            if (DRY_RUN) {
              console.log(`Dry run: Would delete registration ${device.id}`);
            } else {
              const deleteResponse = await fetch(
                // Placeholder: Devices API URL of the registration identified by device.id
                `<REGISTRATION_URL>/${device.id}`,
                { method: 'DELETE', headers }
              );
              const deleteData = await deleteResponse.json();
              if (deleteData.success) {
                console.log(`Deleted registration ${device.id}`);
              } else {
                console.error(`Failed to delete ${device.id}:`, deleteData.errors);
              }
            }
          }
        }
      }
    };
Configure the Worker with environment secrets (API_TOKEN, ACCOUNT_ID, REVOKE_INTERVAL_MINUTES) and a cron trigger (0 */4 * * * for every 4 hours), and you have automated session management. Just getting a simple feature like this into a vendor’s roadmap could take months, and even longer to move into a management interface.
But with automated device session revocation, our technical specialist deployed this policy with the customer in a day. It has been running in production for months.
We’ve observed countless implementations like this across Cloudflare One deployments. We’ve seen users implement coaching pages and purpose justification workflows by using our existing redirect policies and Workers. Other users have built custom logic that evaluates browser attributes before making policy or routing decisions. Each solves a unique problem that would otherwise require waiting for a vendor to build a specific, niche integration with a third-party system. Instead, customers are building exactly what they need, on their timeline, with logic they own.
A programmable platform that changes the conversation
We believe the future of enterprise security isn’t a monolithic platform that tries to do everything. It’s a composable and programmable platform that gives customers the tools and flexibility to extend it in any direction.
For security teams, we expect our platform to change the conversation. Instead of filing a feature request and hoping it makes the roadmap, you can build a tailored solution that addresses your exact requirements today.
For our partners and managed security service providers (MSSPs), our platform opens up their ability to build and deliver solutions for their specific customer base. That means industry-specific solutions, or capabilities for customers in a specific regulatory environment. Custom integrations become a competitive advantage, not a professional services engagement.
And for our customers, it means you’re building on a platform that is easy to deploy and fundamentally adaptable to your most complex and changing needs. Your security platform grows with you; it doesn’t constrain you.
We’re just getting started. Throughout 2026, you’ll see us continue to deepen the integration between Cloudflare One and our Developer Platform. We plan to start by creating custom actions in Cloudflare Gateway that support dynamic policy enforcement. These actions can use auxiliary data stored in your organization’s existing databases without the administrative or compliance challenges of migrating that data into Cloudflare. These same custom actions can also support request augmentation to pass along Cloudflare attributes to your internal systems, for better logging and access decisions in your downstream systems.
In the meantime, the building blocks are already here. External evaluation rules, custom device posture checks, Gateway redirects, and the full power of Workers are available today. If you’re not sure where to start, our developer documentation has guides and reference architectures for extending Cloudflare One.
We built Cloudflare on the belief that security should be ridiculously easy to use, but we also know that “easy” doesn’t mean “one-size-fits-all.” It means giving you the tools to build exactly what you need. We believe that’s the future of SASE.



