Glossary
Beta
| Word | Definition | Product | ||||
| account | Accounts group one or more members together with specific roles or permissions. Accounts can be associated with any number of domains. | Fundamentals | ||||
| active zone | A DNS zone that is active on Cloudflare requires changing its nameservers to Cloudflare’s for management. | Cloudflare One, DNS | ||||
| alarm | A Durable Object alarm is a mechanism that allows you to schedule the Durable Object to be woken up at a time in the future. | Durable Objects | ||||
| allowlist | An allowlist list of items (usually websites, IP addresses, email addresses, etc.) that are permitted to access a system. | WAF | ||||
| anycast | Anycast is a network addressing and routing method in which incoming requests can be routed to a variety of different locations. Anycast typically routes incoming traffic to the nearest data center with the capacity to process the request efficiently. | Magic Transit, Magic WAN | ||||
| apex domain | Apex domain is used to refer to a domain that does not contain a subdomain part, such as example.com (without www.). It is also known as “root domain” or “naked domain”. | DNS | ||||
| API key | An API key is unique to each Cloudflare user and used to confirm identity when using the Cloudflare API. | Fundamentals | ||||
| API token | API tokens authorize access to specific Cloudflare dashboard pages, accounts, and zones. API tokens are associated to the user that created them. | Fundamentals | ||||
| App Launcher | The App Launcher portal provides end users with a single dashboard to open applications secured by Cloudflare Zero Trust. | Cloudflare One | ||||
| application | The resource protected by Cloudflare Zero Trust, which can be a subdomain, a path, or a SaaS application. | Cloudflare One | ||||
| Authenticated Origin Pulls | Authenticated Origin Pulls allow origin web servers to validate that a web request came from Cloudflare using TLS client certificate authentication. | Cloudflare One, SSL/TLS | ||||
| backup codes | Backup codes allow restoration of Cloudflare account access outside the normal two-factor authentication process. A backup code becomes invalid after use. | Fundamentals | ||||
| blocklist | A blocklist is a list of items (usually websites, IP addresses, email addresses, etc.) that are prevented from accessing a system. | WAF | ||||
| cached bandwidth (cached egress bandwidth) | The amount of bandwidth served from Cloudflare without hitting the origin server. Cached bandwidth is the sum of all EdgeResponseBytes where CacheCacheStatus equals hit, stale, updating, ignored, or revalidated. | Cache | ||||
| cached requests | The number of requests served from Cloudflare without having to hit the origin server. Cached requests are the sum of all requests where CacheCacheStatus equals hit, stale, updating, ignored. This doesn’t include revalidated since the request had to be sent to the origin server. | Cache | ||||
| cacheTTL | CacheTTL is a parameter that defines the length of time in seconds that a KV result is cached in the global network location it is accessed from. | KV | ||||
| certificate | SSL certificates enable encryption over HTTPS for traffic between a client and a website. SSL certificates contain the website’s public key and the website’s identity along with related information. Devices attempting to communicate with the origin web server reference the SSL certificate to obtain the public key and verify the server’s identity. Cloudflare provides a Universal SSL certificate for each active Cloudflare domain. | SSL/TLS | ||||
| Certificate Authority (CA) | A CA is a trusted third party that provides SSL certificates for encrypting network traffic. | SSL/TLS | ||||
| certificate packs | Certificate packs allow Cloudflare to fallback to a different SSL certificate for browsers that do not support the latest standards. Certificate packs allow Custom SSL certificates to contain different signature algorithms for the same hostnames listed within the SSL certificate without taking up additional Custom SSL certificate quota for your Cloudflare account. | SSL/TLS | ||||
| certificate pinning | Certificate pinning is a security mechanism used to prevent on-path attacks on the Internet by hardcoding information about the certificate that the application expects to receive. If the wrong certificate is received, even if it is trusted by the system, the application will refuse to connect. | SSL/TLS | ||||
| Certification Authority Authorization (CAA) record | A CAA record declares which CAs are allowed to issue an SSL certificate for a domain. | SSL/TLS | ||||
| cipher suite | A set of encryption algorithms for establishing a secure communications connection. There are several cipher suites in wide use, and a client and server agree on the cipher suite to use when establishing the TLS connection. Support of multiple cipher suites allows compatibility across various clients. | SSL/TLS | ||||
| cloud | A network of remote servers used to store and maintain data. | Fundamentals | ||||
| Cloudflare Access | Cloudflare Access replaces corporate VPNs with Cloudflare’s network. It allows customers to deploy internal tools in any environment, including hybrid or multi-cloud models, and secure them consistently with Cloudflare’s network. | Access, Cloudflare One | ||||
| Cloudflare Browser Isolation | Cloudflare Browser Isolation seamlessly executes active webpage content in a secure isolated browser to protect users from zero-day attacks, malware, and phishing. | Cloudflare One, Gateway, RBI, ZTNA | ||||
| Cloudflare CASB | Cloudflare CASB provides comprehensive visibility and control over SaaS apps to prevent data leaks and compliance violations. It helps detect insider threats, Shadow IT, risky data sharing, and bad actors. | CASB, Cloudflare One | ||||
| Cloudflare Data Loss Prevention (DLP) | Cloudflare Data Loss Prevention (DLP) allows you to scan your web traffic and SaaS applications for the presence of sensitive data such as social security numbers, financial information, secret keys, and source code. | Cloudflare One, DLP | ||||
| Cloudflare Gateway | Cloudflare Gateway is a modern next-generation firewall between your user, device, or network and the public Internet. It includes DNS filtering to inspect and apply policies to all Internet-bound DNS queries. | Cloudflare One, Gateway | ||||
| Cloudflare Tunnel | Cloudflare Tunnel (formerly Argo Tunnel) establishes a secure outbound connection within your infrastructure to connect applications and machines to Cloudflare. | Cloudflare One, Tunnel | ||||
| Cloudflare Zero Trust | Cloudflare Zero Trust provides the power of Cloudflare’s global network to your internal teams and infrastructure. It empowers users with secure, fast, and seamless access to any device on the Internet. | Cloudflare One | ||||
| cloudflared | cloudflared is the software powering Cloudflare Tunnel. It runs on origin servers to connect to Cloudflare’s network and on client devices for non-HTTP traffic. | Cloudflare One, Tunnel | ||||
| consumer | A consumer is the term for a client that is subscribing to or consuming messages from a queue. | Queues | ||||
| content delivery network (CDN) | A geographically distributed group of servers which work together to provide fast delivery of Internet content. | Fundamentals | ||||
| credit | An amount applied to a specific Cloudflare account as credit for recurring subscriptions or plan payments. The Cloudflare billing system automatically applies credits in the next billing cycle. | Fundamentals | ||||
| daemon | A program that performs tasks without active management or maintenance. | Cloudflare One, Tunnel | ||||
| data center | A physical location where servers run and other IT operations are hosted. | Fundamentals | ||||
| denial-of-service (DoS) attack | A DoS attack is a type of cyber attack in which an attacker aims to render a computer or other device unavailable to its intended users by interrupting the device’s normal functioning. | Fundamentals | ||||
| distributed denial-of-service (DDoS) attack | A DDoS attack is a malicious attempt to disrupt normal traffic of a targeted server, service, or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. | Fundamentals | ||||
| DNS filtering | DNS filtering uses the Domain Name System to block malicious websites and filter out harmful content, enhancing security and access control. | Access, Cloudflare One, DNS, Gateway | ||||
| DNS location | DNS locations are a collection of DNS endpoints which can be mapped to physical entities such as offices, homes, or data centers. | Access, Cloudflare One, DNS, Gateway | ||||
| DNS over HTTPS | DNS over HTTPS (DoH) is a standard for encrypting DNS traffic via the HTTPS protocol, preventing tracking and spoofing of DNS queries. | 1.1.1.1, Cloudflare One, DNS | ||||
| DNS over TLS | DNS over TLS (DoT) is a standard for encrypting DNS traffic using its own port (853) and TLS encryption. | 1.1.1.1, Cloudflare One, DNS | ||||
| DNS record | DNS records are instructions that live in authoritative DNS servers and provide information about a domain including what IP address is associated with that domain and how to handle requests for that domain. | DNS | ||||
| DNS server | DNS servers translate human-readable domain names into IP addresses, eliminating the need to remember complex IP addresses. | Cloudflare One, DNS | ||||
| DNS zone | A portion of the DNS namespace that is managed by a specific organization or administrator. | DNS | ||||
| DoH subdomain | A unique DoH subdomain for each DNS location in Cloudflare Zero Trust used in WARP client settings. | Cloudflare One | ||||
| domain | The domain name of your application on Cloudflare. | Fundamentals | ||||
| Domain Name System (DNS) | The Domain Name System (DNS) is the phonebook of the Internet. DNS translates domain names to IP addresses. | DNS | ||||
| dynamic content | Dynamic content is website content that has to be fetched from the origin server. | Cache | ||||
| edge response status code | HTTP response code sent from Cloudflare to the client (end user). The Cloudflare dashboard Analytics app uses the edge response status code. | Fundamentals | ||||
| encryption algorithm | An encryption algorithm is a set of mathematical operations performed on data to ensure the data is only understood by the intended recipient. | SSL/TLS | ||||
| equal-cost multi-path routing | A technique that uses hashes calculated from packet data to determine the route chosen. | Magic Transit, Magic WAN | ||||
| Extended Validation (EV) certificate | EV certificates provide maximum trust to visitors, but require the most validation effort by the CA. EV certificates show the name of the company or organization in the address bar of the visitor’s browser. An EV certificate requires additional documentation by the company or organization in order for the CA to approve the certificate. | SSL/TLS | ||||
| feature | A feature is a setting in the Cloudflare dashboard that corresponds to functionality within a Cloudflare product or API. | Fundamentals | ||||
| firewall | A firewall is a security system that monitors and controls network traffic based on a set of security rules. | WAF | ||||
| GRE tunnel | Stands for generic routing encapsulation. It is a protocol wrapping one data packet within another type of data packet. This is useful for enabling protocols that are not normally supported by a network. | Magic Transit, Magic WAN | ||||
| health check | Requests issued by a monitor at regular interval and — depending on the monitor settings — return a pass or fail value to make sure an origin is still able to receive traffic. Each health monitor request is trying to answer two questions:
If the answer to either of these questions is “No”, then the server fails the health monitor request. | Load Balancing | ||||
| hostname | The name given to a server or node on a network, often the public DNS name of a server. | Cloudflare One, DNS | ||||
| HTTP request | An HTTP request is the way Internet communications platforms such as web browsers ask for the information they need to load a website. | Fundamentals | ||||
| identity provider | An identity provider (IdP) stores and manages users’ digital identities, enabling single sign-on and authentication for multiple applications. | Cloudflare One | ||||
| intermediate certificate | For security purposes, CAs issue intermediate certificates for signing website certificates. Intermediate certificates provide a means for the CA to revoke a single intermediate certificate, thus affecting only a small subset of website certificates. | SSL/TLS | ||||
| Internet | The Internet is a global system of computer networks that provides a wide range of information and communication facilities. | Fundamentals | ||||
| Internet Key Exchange (IKE) | The protocol Cloudflare uses to create the IPsec tunnel between Magic WAN and the customer’s device. | Magic Transit, Magic WAN | ||||
| IP address | IP stands for Internet Protocol, which is the set of rules that makes it possible for devices to communicate over the Internet. With billions of people accessing the Internet every day, unique identifiers are necessary to keep track of who is doing what. The Internet Protocol solves this by assigning IP numbers to every device accessing the Internet. Every assigned number is an IP address. | Fundamentals | ||||
| IPsec tunnel | Stands for Internet Protocol secure. It is a group of protocols for securing connections between devices, by encrypting IP packets. | Magic Transit, Magic WAN | ||||
| JSON web token | A compact way to securely transmit information between parties as a JSON object, often used for authentication. | Cloudflare One | ||||
| KV namespace | A KV namespace is a key-value database replicated to Cloudflare’s global network. A KV namespace must require a binding and an id. | KV | ||||
| letter of agency | Sometimes referred to as a Letter of Authorization. A document that authorizes Cloudflare to advertise your prefixes. This is required to transit providers can accept the routes Cloudflare advertises on your behalf. | Magic Transit | ||||
| maximum segment size (MSS) | MSS limits the size of packets, or small chunks of data, that travel across a network, such as the Internet. | Magic Transit, Magic WAN | ||||
| member or user | A member or user is an email account in Cloudflare that you can grant access to your organization account. Members belonging to multiple accounts can select which account to manage via the Cloudflare dashboard. | Fundamentals | ||||
| metadata | A metadata is a serializable value you append to each KV entry. | KV | ||||
| migration | A Durable Object migration is a mapping process from a class name to a runtime state. Initiate a Durable Object migration when you need to:
| Durable Objects | ||||
| monitor | A monitor issues health monitor requests at regular intervals to evaluate the health of each server within an origin pool. When a pool becomes unhealthy, your load balancer takes that pool out of the server rotation. | Load Balancing | ||||
| mTLS (mutual TLS) | MTLS is a common security practice that uses client TLS certificates to provide an additional layer of protection, allowing to cryptographically verify the client information. | SSL/TLS | ||||
| nameserver | A nameserver is a dedicated server that translates human readable hostnames into IP addresses. Nameservers like root servers, TLD servers, and authoritative nameservers are fundamental components of the Domain Name System (DNS). | DNS | ||||
| Next-generation firewall | A more powerful firewall with advanced features for modern security needs. | Cloudflare One | ||||
| OAuth | A protocol for authorizing users, allowing them to perform actions and view data on different platforms without sharing credentials. | Cloudflare One | ||||
| on-ramp | Refers to a way to connect a business network to Cloudflare. Examples of on-ramps, or ways to connect to Cloudflare, are Anycast GRE or IPsec tunnels, Cloudflare Network Interconnect (CNI), Cloudflare Tunnel, and WARP. | Magic Transit, Magic WAN | ||||
| OpenID Connect | A simple identity layer on top of OAuth 2.0 for verifying user identity and obtaining basic profile information. | Cloudflare One | ||||
| Organization Validated (OV) certificate | OV certificates are used by corporations or governments to portray an extra layer of confidence for their visitors. Rather than just validating domain ownership, the CA also validates the company’s registration using qualified independent information sources. The organization’s name is listed in the certificate. | SSL/TLS | ||||
| origin bandwidth (origin egress bandwidth) | The amount of data transferred from the origin server to Cloudflare within a certain period of time. Origin bandwidth is the sum of all EdgeResponseBytes where OriginResponseStatus does not equal 0. | Cache | ||||
| origin certificate | A Cloudflare Origin Certificate is a free SSL/TLS certificate issued by Cloudflare that can be installed on your origin server to facilitate making sure your data is encrypted in transit from Cloudflare to your origin server using HTTPS. | Cloudflare One, SSL/TLS | ||||
| origin pool | Within Cloudflare, pools represent your origin servers and how they are organized. As such, a pool can be a group of several origin servers, or you could also have only one origin server per pool. If you are familiar with DNS terminology, think of a pool as a “record set,” except Cloudflare only returns addresses that are considered healthy. You can attach health monitors to individual pools for customized monitoring. | Load Balancing | ||||
| origin request | An origin request is a request served from the origin server. | Fundamentals | ||||
| origin response status code | An origin response status code is an HTTP response code sent from the origin server to Cloudflare. | Fundamentals | ||||
| PAC file | A file containing a JavaScript function which can instruct a browser to forward traffic to a proxy server instead of directly to the destination server. | Cloudflare One | ||||
| plan | Plans distinguish the breadth of Cloudflare features accessible to a specific domain. Plan options include Free, Pro, Business, or Enterprise. | Fundamentals | ||||
| policy | A set of rules that regulate network activity, such as login access and website reachability. | Cloudflare One | ||||
| prefix | Refers to a number that identifies the network portion of an IP address, and tells devices how many bits are used for a network. For example, /31. | Magic Transit, Magic WAN | ||||
| primary certificate / secondary certificate | Primary and secondary indicates the order in which Custom SSL certificates were uploaded to Cloudflare. The primary certificate is the first certificate added to a pack. The primary certificate defines the hostnames covered by the certificate. | SSL/TLS | ||||
| producer | A producer is the term for a client that is publishing or producing messages on to a queue. | Queues | ||||
| protocol | A protocol is a set of rules governing the exchange or transmission of data between devices. | Fundamentals | ||||
| public key / private key | SSL public and private keys are essentially long strings of characters used for encrypting and decrypting data. Data encrypted with the public key can only be decrypted with the private key, and vice versa. Private keys are kept secret and unshared. | SSL/TLS | ||||
| queue | A queue is a buffer or list that automatically scales as messages are written to it, and allows a consumer Worker to pull messages from that same queue. | Queues | ||||
| RDP | Remote Desktop Protocol (RDP) allows remote desktop connections to a computer, often used on Windows and Mac operating systems. | Cloudflare One | ||||
| roles | Authorize which Cloudflare products and features a member is allowed to access in a Cloudflare account. Learn more about roles. | Fundamentals | ||||
| root certificate | A root certificate is generated by a CA and is used to sign certificates. Every browser includes a root store of trusted root certificates. Any certificate signed with the private key of a root certificate is automatically trusted by a browser. | SSL/TLS | ||||
| SafeSearch | SafeSearch is a feature of search engines that filters explicit or offensive content from search results. | Cloudflare One | ||||
| SAML | Security Assertion Markup Language (SAML) enables single sign-on and authentication for multiple applications. | Cloudflare One | ||||
| SASE | Secure Access Service Edge (SASE) is a cloud-based security model bundling networking and security functions. | Cloudflare One | ||||
| saved bandwidth (saved egress bandwidth) | The percentage of bandwidth saved by caching on the Cloudflare network. | Cache | ||||
| seat | A unique user authenticating to access applications protected by Cloudflare Access or to use Gateway services. | Cloudflare One | ||||
| Secure Sockets Layer (SSL) | SSL was a widely used cryptographic protocol for providing data security for Internet communications. SSL was superseded by TLS; however, most people still refer to Internet cryptographic protocols as SSL. | SSL/TLS | ||||
| Server Name Indication (SNI) | SNI allows a server to host multiple TLS Certificates for multiple websites using a single IP address. SNI adds the website hostname in the TLS handshake to inform the server which website to present when using shared IPs. Cloudflare uses SNI for all Universal SSL certificates. | SSL/TLS | ||||
| Service Level Agreement (SLA) | An SLA is a contractual obligation for Cloudflare to maintain a specific level of service. Read the Service Level Agreement (SLA) for the Cloudflare Business plan. Enterprise customers refer to the Enterprise SLA provided with their contract. | Fundamentals | ||||
| service provider (SP) | A service provider (SP) provides federated access to an application for a user from an identity provider (IdP). | Cloudflare One | ||||
| service token | Service tokens are generated by Cloudflare Access and enable automated systems or applications to access protected applications. | Access, Cloudflare One | ||||
| SIEM | Security Information and Event Management (SIEM) solutions provide analysis of log data from various systems. | Cloudflare One, WAF | ||||
| SMB | Secure Messaging Block (SMB) is a network file sharing protocol used for accessing files and services on a network. | Cloudflare One | ||||
| SSH | Secure Shell (SSH) protocol allows users to connect to infrastructure remotely and execute commands. | Cloudflare One | ||||
| SSO | Single Sign-On (SSO) is a technology that combines multiple application logins into one, requiring users to enter credentials only once. | Cloudflare One | ||||
| static content | Static content is website content that can be served directly from cache, without having to fetch it from the origin server. Static content includes files like images, stylesheets, and JavaScript that don’t change frequently. | Cache | ||||
| static route | A fixed configuration to route traffic through Anycast tunnels from Cloudflare global network to the customer’s locations. | Magic Transit, Magic WAN | ||||
| Subject Alternative Names (SANs) | The SAN field of an SSL certificate specifies additional hostnames (sites, IP addresses, common names, subdomains, apex domains, etc.) protected by a single SSL Certificate. | SSL/TLS | ||||
| team domain | A unique subdomain assigned to your Cloudflare account, where secured applications are accessed by users; for example, Setting up a team domain is an essential step in your Cloudflare Zero Trust configuration. This is where your users will find the apps you have secured behind Cloudflare Zero Trust — displayed in the App Launcher — and will be able to make login requests to them. | Cloudflare One | ||||
| team name | The customizable portion of your team domain, allowing you to personalize your Cloudflare Zero Trust configuration. You can view your team name in Zero Trust under Settings > Custom Pages.
To learn about the consequences of changing your team name, refer to the FAQ. | Cloudflare One | ||||
| Terraform | Terraform is a tool for building, changing, and versioning infrastructure, providing components and documentation for Cloudflare resources. | Cloudflare One, Terraform | ||||
| TLS (Transport Layer Security) | TLS is a cryptographic protocol that ensures data security over a computer network, such as the Internet. It encrypts the data that is transmitted between a user’s computer and a web server. | SSL/TLS | ||||
| traffic | Traffic is the data sent and received by visitors to a website. Cloudflare serves and protects this data as it passes through the Cloudflare network. | Fundamentals | ||||
| traffic steering | Cloudflare evaluates your route’s health and steers traffic according to priorities defined by you and / or tunnel health. | Magic Transit, Magic WAN | ||||
| Tunnel certificate | The Cloudflare Tunnel software, cloudflared, generates a certificate for secure connections using a service token and an origin certificate. | Cloudflare One, Tunnel | ||||
| tunnel health-check | A probe sent by Cloudflare to check for tunnel health. If a tunnel is not considered healthy, Cloudflare reroutes traffic to one that is considered healthy. | Magic Transit, Magic WAN | ||||
| two-factor authentication (2FA) | Two-factor authentication (2FA) is a security process in which a user provides two different authentication factors to verify their identity. It adds an extra layer of security to user logins by requiring users to present two or more separate pieces of evidence (factors) that establish their identity. | Fundamentals | ||||
| Universal SSL certificate | By default, Cloudflare issues — and renews — free, unshared, publicly trusted SSL certificates to all domains added to and activated on Cloudflare. | SSL/TLS | ||||
| Virtual Private Network (VPN) | A VPN extends a private network across a public network, enabling users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network. | Cloudflare One, Tunnel | ||||
| WAN | Stands for wide area network. It refers to a computer network that connects groups of computers over large distances. WANs are often used by businesses to connect their office networks. The objective is to make each of the local area networks (LANs) be remotely connected and accessible. | Magic WAN | ||||
| WARP client | Cloudflare Zero Trust customers can use the Cloudflare WARP application to connect corporate desktops to Cloudflare Gateway for advanced web filtering. It utilizes the security benefits of WARP technology. | Cloudflare One | ||||
| website | A website is a collection of web pages and related content that is identified by a common domain name and published on at least one web server. | Fundamentals | ||||
| Zero Trust Security | Zero Trust Security is an IT security model that requires strict identity verification for every person and device accessing resources on a network. | Cloudflare One | ||||
| zone | A zone is a portion of DNS namespace that is managed by a specific organization or administrator. | Fundamentals |