Cloudflare One adds native programmability extensions to SASE platform with custom Workers integration
Cloudflare Workers · Cloudflare · feature, api, platform, integration · blog.cloudflare.com

Native Programmability for Security Policies

Cloudflare One, the company's SASE platform, is deepening its programmability by natively integrating Cloudflare Workers directly into security and networking policies. Rather than limiting policy actions to traditional options like allow, block, isolate, or quarantine, customers can now invoke custom logic at the edge in real time.

What's Changing

The enhancement introduces two types of actions within Cloudflare One policies:

  • Managed actions: Pre-built templates for common scenarios including IT service management integrations, redirects, and compliance automation
  • Custom actions: Developer-defined logic via Cloudflare Workers that runs inline with policy evaluation, with full access to request context

When a Gateway HTTP policy matches, instead of executing a predefined action, customers can invoke a Worker that executes custom code at the edge in milliseconds. This eliminates the need to deploy separate automation infrastructure or configure webhook round-trips to external systems.

Key Benefits

By running both SASE and the Developer Platform on the same global infrastructure, Cloudflare enables:

  • Real-time context enrichment: Query external risk APIs or compliance systems before allowing access
  • Dynamic enforcement: Inject custom headers, validate browser attributes, or route traffic based on business logic without adding latency
  • Scheduled policy updates: Run Workers on schedules to analyze user activity and update policies—such as adding users to high-risk lists based on external signals

The integration leverages Cloudflare's global network spanning 330+ cities, operating within ~50ms of 95% of the internet-connected population.

Example Use Case

The announcement includes a real-world example: automated device session revocation. A customer deployed a scheduled Worker that queries the Devices API to identify inactive Cloudflare One Client registrations and revokes them, forcing re-authentication without building separate infrastructure. This addresses limitations in predefined session controls that don't support global time-based expiration.
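The revocation flow described above, sketched as an added example (not code from the announcement or from Cloudflare). The endpoint paths, the device fields `id`, `last_seen` and `revoked_at`, the env names `ACCOUNT_ID` and `API_TOKEN`, and the 30-day and batch-cap defaults are assumptions; the sample devices are constructed.

```javascript
// Added example, not Cloudflare's code. Assumed (not from the article): the
// endpoint paths, the device fields `id`, `last_seen`, `revoked_at`, and the
// env names ACCOUNT_ID / API_TOKEN.
const API = "https://api.cloudflare.com/client/v4";

// Pure selection step: which registrations have been idle longer than maxIdleDays?
function selectInactive(devices, nowMs, maxIdleDays) {
  const cutoff = nowMs - maxIdleDays * 24 * 60 * 60 * 1000;
  return devices.filter((d) => {
    if (d.revoked_at) return false;           // already revoked, nothing to do
    const seen = Date.parse(d.last_seen);
    if (Number.isNaN(seen)) return false;     // unknown activity: skip, review by hand
    return seen < cutoff;
  }).map((d) => d.id);
}

// List, select, revoke. `fetchFn` is injected so the flow can be exercised offline.
async function revokeInactive(env, fetchFn, nowMs, { maxIdleDays = 30, maxBatch = 50 } = {}) {
  const headers = { Authorization: `Bearer ${env.API_TOKEN}`, "Content-Type": "application/json" };
  const base = `${API}/accounts/${env.ACCOUNT_ID}/devices`;
  const list = await fetchFn(base, { headers });
  if (!list.ok) throw new Error(`device list failed: ${list.status}`);
  const { result } = await list.json();
  const ids = selectInactive(result, nowMs, maxIdleDays);
  // Guardrail: a bad clock or a changed response shape must not revoke the whole fleet.
  if (ids.length > maxBatch) throw new Error(`refusing to revoke ${ids.length} devices (cap ${maxBatch})`);
  if (ids.length === 0) return [];
  const res = await fetchFn(`${base}/revoke`, { method: "POST", headers, body: JSON.stringify(ids) });
  if (!res.ok) throw new Error(`revoke failed: ${res.status}`);
  return ids;
}

// In a Worker this object would be the module's default export, run on a Cron Trigger.
const worker = {
  async scheduled(_event, env) {
    const revoked = await revokeInactive(env, fetch, Date.now());
    console.log(JSON.stringify({ action: "revoke_inactive", count: revoked.length, revoked }));
  },
};

// Constructed sample data for an offline check.
const SAMPLE_NOW = Date.parse("2025-06-01T00:00:00Z");
const SAMPLE_DEVICES = [
  { id: "dev-a", last_seen: "2025-05-30T12:00:00Z" },                              // active
  { id: "dev-b", last_seen: "2025-03-01T00:00:00Z" },                              // idle > 30 days
  { id: "dev-c", last_seen: "2025-01-01T00:00:00Z", revoked_at: "2025-02-01T00:00:00Z" },
  { id: "dev-d" },                                                                 // no last_seen
];
```

Logging the revoked IDs as structured JSON gives the SOC an audit trail for each scheduled run, and the API token should be scoped to device read and revoke only.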

Developer Action

Customers should explore integrating Cloudflare Workers into their existing Cloudflare One policies to augment security decisions with custom business logic. The native integration removes operational overhead compared to traditional webhook-based approaches.