Cloudflare
Cloudflare enhances SASE platform with programmable security policies, enables custom logic at edge
Cloudflare Workers · Cloudflare · feature, api, platform, integration · blog.cloudflare.com

Programmability Beyond APIs

Cloudflare is redefining what programmability means for security platforms. While most vendors claim programmability through public APIs and webhooks, Cloudflare is moving beyond infrastructure-as-code capabilities. The company is enabling organizations to intercept security events in real time, enrich them with external context, and make intelligent decisions before requests complete—all without additional latency or separate infrastructure.

A practical example: when a user attempts to access a regulated application with sensitive data, Cloudflare can query an external learning management system to verify compliance training completion. If certification has expired, the policy can redirect the user to training rather than simply triggering an alert.

Native Integration of Workers and SASE

By design, Cloudflare's global network runs both SASE and Developer Platform services on the same infrastructure across 330+ cities. This architectural advantage eliminates the round-trip latency and integration overhead that standalone SASE providers face when stitching together disconnected systems.

Key capabilities being integrated:

  • Custom Actions: Invoke Cloudflare Workers directly from Gateway HTTP policies to run custom business logic at the edge
  • Managed Actions: Pre-built templates for common scenarios including IT service management integrations, redirects, and compliance automation
  • Real-time Decision Making: Inject dynamic headers, call risk APIs, validate browser attributes, and route traffic based on custom logic—all in milliseconds
  • Scheduled Automation: Run Workers on schedules to analyze user activity and update policies dynamically based on external signals

Practical Example: Device Session Revocation

The post includes a working example of a scheduled Worker that enforces periodic re-authentication for Cloudflare One Client users. The Worker queries the Devices API, identifies inactive devices based on a configurable threshold, and revokes registrations to force re-authentication. This solves a gap in Cloudflare's pre-defined session controls, which are application-scoped rather than globally time-based.
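A sketch of the selection logic such a scheduled Worker needs, written as an added example and not taken from the Cloudflare post. The device field names (`id`, `last_seen`, `revoked_at`), the `api` wrapper, the per-run cap and the dry-run option are assumptions made for illustration.

```javascript
// Added example. Field names (id, last_seen, revoked_at) and the `api` wrapper are assumptions.
const DAY_MS = 24 * 60 * 60 * 1000;

// Constructed sample data, not real devices.
const NOW = Date.parse("2025-06-30T00:00:00Z");
const SAMPLE_DEVICES = [
  { id: "a", last_seen: "2025-06-29T00:00:00Z" },
  { id: "b", last_seen: "2025-05-01T00:00:00Z" },
  { id: "c", last_seen: "2025-01-01T00:00:00Z", revoked_at: "2025-02-01T00:00:00Z" },
  { id: "d" },
  { id: "e", last_seen: "2025-03-02T00:00:00Z" },
];

// Pure planning step: decide which registrations to revoke and why others are skipped.
function planRevocations(devices, nowMs, { maxInactiveDays = 30, maxPerRun = 100 } = {}) {
  const plan = { revoke: [], skipped: [], deferred: [] };
  for (const d of devices) {
    const seen = Date.parse(d.last_seen);
    if (d.revoked_at) {
      plan.skipped.push({ id: d.id, reason: "already-revoked" });
    } else if (Number.isNaN(seen)) {
      // Missing or malformed timestamp: report it for review, do not guess.
      plan.skipped.push({ id: d.id, reason: "no-valid-last-seen" });
    } else if (nowMs - seen > maxInactiveDays * DAY_MS) {
      plan.revoke.push({ id: d.id, idleDays: Math.floor((nowMs - seen) / DAY_MS) });
    }
  }
  // Longest-idle first, then cap the run so a mistyped threshold or a broken
  // timestamp feed cannot sign out the whole fleet in one pass.
  plan.revoke.sort((x, y) => y.idleDays - x.idleDays);
  plan.deferred = plan.revoke.splice(maxPerRun).map((r) => r.id);
  return plan;
}

// Hypothetical wiring: api.listDevices() and api.revoke(ids) wrap whatever Devices API
// calls the Worker makes; invoke this from the Worker's scheduled handler.
async function enforceReauth(api, nowMs, opts = {}) {
  const plan = planRevocations(await api.listDevices(), nowMs, opts);
  const ids = plan.revoke.map((r) => r.id);
  if (!opts.dryRun && ids.length > 0) await api.revoke(ids);
  // Returned record is meant to be logged on every run, dry runs included.
  return { revoked: opts.dryRun ? [] : ids, wouldRevoke: ids,
           deferred: plan.deferred, skipped: plan.skipped };
}
```

Running with `dryRun: true` first and reviewing the `wouldRevoke` and `skipped` lists shows what a chosen threshold would do before any registration is actually revoked.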

What Developers Need to Do

Customers can begin building these programmable security workflows today using Cloudflare One and Workers. Cloudflare is formalizing the experience with managed and custom action templates to make integration even simpler. Organizations should evaluate their current policy workflows to identify where custom logic could improve security posture, compliance automation, or user experience—and test implementations using the Worker+Gateway integration pattern.