Merge branch 'cloudflare:production' into production

Author: coffee-mug

package-lock.json

@@ -83,7 +83,7 @@
 		"micromark-extension-mdxjs": "3.0.0",
 		"node-html-parser": "7.0.1",
 		"openapi-types": "12.1.3",
-		"parse-duration": "2.1.3",
+		"parse-duration": "2.1.4",
 		"prettier": "3.5.3",
 		"prettier-plugin-astro": "0.14.1",
 		"prettier-plugin-tailwindcss": "0.6.9",

package.json

@@ -187,6 +187,7 @@
 /bots/concepts/ja3-fingerprint/ /bots/concepts/ja3-ja4-fingerprint/ 301
 /bots/reference/verified-bot-categories/ /bots/concepts/bot/verified-bots/categories/ 301
 /bots/reference/verified-bot-policy/ /bots/concepts/bot/verified-bots/policy/ 301
+/bots/concepts/challenge-solve-rate/ /fundamentals/security/cloudflare-challenges/challenge-solve-rate/ 301
 
 #browser-rendering
 /browser-rendering/get-started/browser-rendering-with-do/ /browser-rendering/workers-binding-api/browser-rendering-with-do/ 301

public/__redirects

@@ -6,6 +6,8 @@ sidebar:
 
 ---
 
+For a deep-dive on how sampling at Cloudflare works, see [Understanding sampling in Cloudflare Analytics](/analytics/sampling/).
+
 ## Overview
 
 In a small number of cases, the analytics provided on the Cloudflare dashboard and GraphQL Analytics API are based on a **sample** — a subset of the dataset. In these cases, Cloudflare Analytics returns an estimate derived from the sampled value. For example, suppose that during an attack the sampling rate is 10% and 5,000 events are sampled. Cloudflare will estimate 50,000 total events (5,000 × 10) and report this value in Analytics.

src/content/docs/analytics/graphql-api/sampling.mdx

@@ -43,9 +43,13 @@ Use managed labels to identify endpoints by use case. Cloudflare may automatical
 
 `cf-account-update`: Add this label to endpoints that participate in user account or profile updates.
 
+`cf-llm`: Services that are (partially) powered by Large Language Model (LLM).
+
 `cf-rss-feed`: Add this label to endpoints that expect traffic from RSS clients.
 
-`cf-llm`: Services that are (partially) powered by Large Language Model (LLM).
+:::note
+<Render file="rss-labels" product="bots" />
+:::
 
 ### Risk labels
 
@@ -109,4 +113,4 @@ Alternatively, you can create a user-defined label via Endpoint Management in AP
 
 ## Availability
 
-Endpoint Management's labeling service is available to all customers.
+Endpoint Management's labeling service is available to all customers.

src/content/docs/api-shield/management-and-monitoring/endpoint-labels.mdx

@@ -118,3 +118,7 @@ To use rate limiting rules with account takeover detections:
 The rule can be enhanced with Leaked Credential Checks. Refer to the [WAF documentation](/waf/detections/leaked-credentials/) for more information on how to include leaked credentials and account takeover detections in a rate limiting rule. 
 
 :::
+
+## Availability
+
+Detection IDs are available for Enterprise Bot Management customers. 

src/content/docs/bots/concepts/detection-ids.mdx

@@ -27,7 +27,7 @@ import { Badge, Details, Tabs, TabItem, Render } from "~/components";
 Access for Infrastructure allows you to have granular control over how users access individual servers, clusters, or databases. By adding an infrastructure application to Cloudflare Access, you can configure how users authenticate to the resource as well as control and authorize the ports, protocols, and usernames that they can connect with. Access and command logs ensure regulatory compliance and allow for auditing of user activity in case of a security breach.
 
 :::note
-Access for Infrastructure currently only supports [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/).
+Access for Infrastructure currently only supports [SSH](/cloudflare-one/connections/connect-networks/use-cases/ssh/ssh-infrastructure-access/). To connect using other protocols, [add a self-hosted private application](/cloudflare-one/applications/non-http/self-hosted-private-app/). For browser-based SSH, RDP, or VNC, refer to [browser-rendered terminal](/cloudflare-one/applications/non-http/browser-rendering/).
 :::
 
 ## Prerequisites
@@ -37,7 +37,7 @@ Access for Infrastructure currently only supports [SSH](/cloudflare-one/connecti
 
 ## 1. Add a target
 
-<Render file="access/add-target" params={{ protocol: "generic" }}/>
+<Render file="access/add-target" params={{ protocol: "generic" }} />
 
 ## 2. Add an infrastructure application
 
@@ -122,9 +122,9 @@ The following [Access policy selectors](/cloudflare-one/policies/access/#selecto
 
 By default, Cloudflare will evaluate Access infrastructure application policies after evaluating all Gateway network policies. To evaluate Access infrastructure applications before or after specific Gateway policies, create the following [Gateway network policy](/cloudflare-one/policies/gateway/network-policies/):
 
-| Selector               | Operator | Value | Action |
-| ---------------------- | -------- | ----- | ------ |
-| All Access App Targets | is       | on    | Allow  |
+| Selector                     | Operator | Value     | Action |
+| ---------------------------- | -------- | --------- | ------ |
+| Access Infrastructure Target | is       | _Present_ | Allow  |
 
 You can move this policy in the Gateway policy builder to change its [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence).
 

src/content/docs/cloudflare-one/applications/non-http/infrastructure-apps.mdx

@@ -22,35 +22,40 @@ This feature replaces the legacy [private network app type](/cloudflare-one/appl
 
 ## Add your application to Access
 
-<Render file="access/self-hosted-app/create-app" product="cloudflare-one" params={{ private: true }}/>
+<Render
+	file="access/self-hosted-app/create-app"
+	product="cloudflare-one"
+	params={{ private: true }}
+/>
 
-6. Add the private IP and/or private hostname that represents the application. You can use [wildcards](/cloudflare-one/policies/access/app-paths/) with private hostnames to protect multiple parts of an application that share a root path.
+6.  Add the private IP and/or private hostname that represents the application. You can use [wildcards](/cloudflare-one/policies/access/app-paths/) with private hostnames to protect multiple parts of an application that share a root path.
 
-	:::note
-	Private hostnames are currently only available over port `443` over HTTPS and the application must have a valid Server Name Indicator (SNI).
-	:::
+    :::note
+    Private hostnames are currently only available over port `443` over HTTPS and the application must have a valid Server Name Indicator (SNI).
+    :::
 
 7.  <Render file="access/add-access-policies" product="cloudflare-one" />
 
-8. Configure how users will authenticate:
+8.  Configure how users will authenticate:
 
-		1. Select the [**Identity providers**](/cloudflare-one/identity/idp-integration/) you want to enable for your application.
+        1. Select the [**Identity providers**](/cloudflare-one/identity/idp-integration/) you want to enable for your application.
+        2. (Recommended) If you plan to only allow access via a single IdP, turn on **Instant Auth**. End users will not be shown the [Cloudflare Access login page](/cloudflare-one/applications/login-page/). Instead, Cloudflare will redirect users directly to your SSO login event.
+        3. (Recommended) Turn on **WARP authentication identity** to allow users to authenticate to the application using their [WARP session identity](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). We recommend turning this on if your application is not in the browser and cannot handle a `302` redirect.
 
-		2. (Recommended) If you plan to only allow access via a single IdP, turn on **Instant Auth**. End users will not be shown the [Cloudflare Access login page](/cloudflare-one/applications/login-page/). Instead, Cloudflare will redirect users directly to your SSO login event.
-
-		3. (Recommended) Turn on **WARP authentication identity** to allow users to authenticate to the application using their [WARP session identity](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-sessions/). We recommend turning this on if your application is not in the browser and cannot handle a `302` redirect.
-
-9. Select **Next**.
+9.  Select **Next**.
 
 10. (Optional) Configure [App Launcher settings](/cloudflare-one/applications/app-launcher/) for the application.
 
 11. <Render file="access/access-block-page" product="cloudflare-one" />
 
 12. Select **Next**.
 
-13. <Render file="access/self-hosted-app/advanced-settings" product="cloudflare-one" />
+13. <Render
+    	file="access/self-hosted-app/advanced-settings"
+    	product="cloudflare-one"
+    />
 
-		These settings only apply to private hostnames and require [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/).
+        These settings only apply to private hostnames and require [Gateway TLS decryption](/cloudflare-one/policies/gateway/http-policies/tls-decryption/).
 
 14. Select **Save**.
 
@@ -74,9 +79,9 @@ The WARP client manages sessions for all non-HTTPS applications. Users will rece
 
 By default, Cloudflare will evaluate a private application's Access policies after evaluating all Gateway network policies. To evaluate Access private applications before or after specific Gateway policies, create the following [Gateway network policy](/cloudflare-one/policies/gateway/network-policies/):
 
-| Selector                            | Operator | Value | Action |
-| ----------------------------------- | -------- | ----- | ------ |
-| All Access App Private Destinations | is       | on    | Allow  |
+| Selector           | Operator | Value     | Action |
+| ------------------ | -------- | --------- | ------ |
+| Access Private App | is       | _Present_ | Allow  |
 
 You can move this policy in the Gateway policy builder to change its [order of precedence](/cloudflare-one/policies/gateway/order-of-enforcement/#order-of-precedence).
 

src/content/docs/cloudflare-one/applications/non-http/self-hosted-private-app.mdx

@@ -26,14 +26,14 @@ WARP settings define the WARP client modes and permissions available to end user
 <Render file="warp/all-systems-modes-plans" />
 
 :::note
-
-To use **Admin override**, you must first have enabled the [**Lock WARP switch**](#lock-warp-switch). **Admin override** is only needed and used when the WARP lock switch is turned on.
-
+To use **Admin override**, you must first have enabled [**Lock WARP switch**](#lock-warp-switch).
 :::
 
-When the [**Lock WARP switch**](#lock-warp-switch) is enabled, users cannot toggle the WARP client on and off on their device. Enabling **Admin override** gives users the ability to temporarily turn off the WARP client using an override code provided by an admin. **Admin override** is only needed in a configuration where the **lock WARP switch** is enabled.
+When [**Lock WARP switch**](#lock-warp-switch) is enabled, users cannot toggle the WARP client on and off on their device. Enabling **Admin override** gives users the ability to temporarily turn on or off the WARP client using an override code provided by an admin. **Admin override** is only needed in a configuration where **Lock WARP switch** is enabled.
 
-**Admin override** allows end users to momentarily turn off WARP with an override code to work around a temporary network issue (for example, an incompatible public Wi-Fi, or a firewall at a customer site blocking the connection).
+Example use cases for **Admin override** include:
+- Allowing users to momentarily turn off WARP to work around a temporary network issue such as an incompatible public Wi-Fi, or a firewall at a customer site blocking the connection.
+- Allowing test users to turn on WARP when [Global WARP override](#global-warp-override) is in effect.
 
 As admin, you can set a **Timeout** to define how long a user can toggle the WARP switch on or off after entering the override code. Cloudflare generates a new override code every hour that an admin can send to end users. The override code's validity adheres to fixed-hour time blocks and aims to be generous to the end user.
 
@@ -53,20 +53,19 @@ To retrieve the one-time code for a user:
 2. Go to **My Team** > **Devices**.
 3. Select **View** for a connected device.
 4. Scroll down to **User details** and copy the 7-digit **Override code**.
-5. Share this code with the end user for them to enter on their device.
+5. Share this code with the user for them to enter on their device.
 
 The user will have an unlimited amount of time to activate their code.
 
 #### Enter the override code
 
-To turn off the WARP client on a user device:
+To activate the override code on a user device:
 
 1. In the WARP client, go to **Settings** > **Preferences** > **Advanced**.
 2. Select **Enter code**.
-3. Enter the override code. The WARP client will display a pop-up window showing when the override expires.
-4. Turn off the WARP switch.
+3. Enter the override code.
 
-The client will automatically reconnect after the [Auto connect period](#auto-connect), but the user can continue to turn off WARP until the override expires.
+The user can now toggle the WARP switch or use the `warp-cli connect` command. The client will automatically reconnect after the [Auto connect period](#auto-connect), but the user can continue to turn on or off WARP until the override expires.
 
 ### Install CA to system certificate store
 
@@ -111,6 +110,35 @@ This setting is primarily used as a prerequisite for [WARP Connector](/cloudflar
 
 The CGNAT IP assigned to a WARP device is permanent until the device unregisters from your Zero Trust organization. Disconnects and reconnects do not change the IP address assignment.
 
+### Global WARP override
+
+<Details header="Feature availability">
+
+| [WARP modes](/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-modes/) | [Zero Trust plans](https://www.cloudflare.com/teams-pricing/) |
+| ----------------------------------------------------------------------------------------- | ------------------------------------------------------------- |
+| All modes                                                             | All plans                                                     |
+
+| System   | Availability | Minimum WARP version |
+| -------- | ------------ | -------------------- |
+| Windows  | ✅           | 2025.2.600.0        |
+| macOS    | ✅           |  2025.2.600.0                    |
+| Linux    | ✅           |   2025.2.600.0                |
+| iOS      | ❌           |                      |
+| Android  | ❌           |                      |
+| ChromeOS | ❌           |                      |
+
+</Details>
+
+:::note
+Requires the [Super Administrator](/cloudflare-one/roles-permissions/) role.
+:::
+
+Global WARP override allows administrators to fail open WARP in case of an incident or outage. When you turn on **Global WARP override**, Cloudflare will disconnect all Windows, macOS, and Linux WARP clients that are connected to your Zero Trust organization. This includes end user devices, [WARP Connector](/cloudflare-one/connections/connect-networks/private-net/warp-connector/) hosts, and [WARP-to-WARP](/cloudflare-one/connections/connect-networks/private-net/warp-to-warp/) devices. End users will receive a notification on their device and the WARP client will display `The administrator for your account has disconnected WARP`.
+
+[Auto connect](#auto-connect) and [Lock WARP switch](#lock-warp-switch) will not apply while the global override is on. Additionally, the global override will clear any existing [Admin override](#admin-override) codes. The only way for users to reconnect during a global override is by using a new [Admin override](#admin-override) code. For example, you may want to provide IT staff with a code so that they can test resolution of the incident that led to the global disconnect.
+
+To resume normal operations, turn off **Global WARP override**. If you configured an [Auto connect](#auto-connect) value, the WARP client will automatically reconnect. Otherwise WARP will remain disconnected until the user manually reconnects.
+
 ## Device settings
 
 ### Captive portal detection

src/content/docs/cloudflare-one/connections/connect-devices/warp/configure-warp/warp-settings/index.mdx

@@ -22,7 +22,7 @@ To request participation in this beta, contact your account team.
 
 | System   | Availability | Minimum WARP version |
 | -------- | ------------ | -------------------- |
-| Windows  | ✅           | 2025.1.447.1         |
+| Windows  | ✅           |  2025.2.460.1        |
 | macOS    | ❌           |                      |
 | Linux    | ❌           |                      |
 | iOS      | ❌           |                      |
@@ -33,8 +33,8 @@ To request participation in this beta, contact your account team.
 
 Cloudflare WARP supports multiple user registrations on a single Windows device. When deployed in multi-user mode, the WARP client will automatically switch user registrations after a user logs in to their Windows account. All traffic to Cloudflare will be attributed to the currently active Windows user. This allows administrators to apply identity-based policies and device settings, audit user activity, and remove individual users from a shared workstation.
 
-:::note
-A user must log out of their Windows account before switching to another account. A user cannot lock the screen and log in to another account, use the **Switch users** option in Windows, or have any other type of concurrent sessions.
+:::caution[DNS logging]
+If a user enables **Log DNS queries** in the WARP GUI (or runs `warp-cli dns log enable`), WARP will store all DNS queries on the device onto disk. Any user on the device will be able to examine the DNS queries of another user.
 :::
 
 ## Enable multi-user mode
@@ -100,6 +100,7 @@ The following flowchart shows how WARP registration settings take effect as user
 flowchart TB
     start(["Enable multi-user mode"])-->reg["Active Windows user is prompted to register WARP"]
 		reg--"Log out of Windows"-->prelogin
+		reg--"Switch user"-->regexists
 
     subgraph preloginbehavior["Windows login screen"]
 		prelogin{{"Is there a pre-login <br />registration?"}}
@@ -114,3 +115,13 @@ flowchart TB
 		regexists-. "No" .->reg
 ```
 
+### Fast user switching
+
+:::note
+Requires [multi-user mode](#enable-multi-user-mode).
+:::
+
+[Fast user switching](https://learn.microsoft.com/windows/win32/shell/fast-user-switching) is a Windows feature that allows users to switch accounts without logging out. With fast user switching, multiple users may be logged in to the device and generating network traffic. The WARP client will attribute all traffic to the user who has the [interactive windows station](http://techcommunity.microsoft.com/blog/askperf/sessions-desktops-and-windows-stations/372473). For example, if user A is logged in and fast user switches to user B, traffic from both accounts will appear to come from user B. This is because user B is now actively using the Windows desktop GUI. Now assume that user B logs out and there is no [pre-login registration](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-prelogin/); WARP will continue to attribute traffic to user B until user A logs back in to the Windows desktop.
+
+To accurately attribute network traffic to specific users, Cloudflare recommends disabling fast user switching or at the very least configuring a [pre-login registration](/cloudflare-one/connections/connect-devices/warp/deployment/mdm-deployment/windows-prelogin/).
+