Cloudflare ships WAF security for AI apps and RFC 9457-style error responses on the same day
Contents
On March 13, Cloudflare announced two AI-related features at the same time. The first was the general availability of AI Security for Apps, which protects AI applications from WAF-level threats. The second was RFC 9457-compatible error responses that cut token cost by 98% when an AI agent encounters a Cloudflare error page. Both are responses to the fact that AI is now running in production.
AI Security for Apps GA
The threats AI apps face
In a normal web app, user input can be controlled through form validation or SQL escaping. In an AI app, the input is natural language, so an attacker can try to rewrite model behavior with prompts like “ignore the previous instructions” or “output the system prompt.” That is prompt injection.
RAG systems and chat histories also create another risk: a user may be able to pull out another user’s data or internal settings. PII such as email addresses, phone numbers, and credit card numbers can leak into responses even if the model itself is otherwise sound.
Automatic endpoint discovery
AI Security for Apps starts by discovering AI endpoints. It identifies them by behavior, not by name, so product search tools, evaluation tools, and recommendation APIs without a chat UI are also covered.
Discovered endpoints appear in the dashboard under Security -> Web Assets with the cf-llm label. Endpoint discovery is free across all plans.
For supported LLM providers, prompt extraction is done with JSONPath expressions that locate prompt content inside the request.
| Supported providers |
|---|
| OpenAI |
| Anthropic |
| Google Gemini |
| Mistral |
| Cohere |
Four threat categories
Each prompt passes through several detectors and gets metadata attached to the result.
Prompt injection Detects input that tries to rewrite instructions, extract the system prompt, or evade guardrails through role-play.
PII leakage Detects personal information in responses, such as email addresses, phone numbers, credit card numbers, and social security numbers. It can also mask PII on the input side.
Harmful topics Detects content that should not be emitted, such as hate speech, self-harm, or violent content.
Custom topics A new GA feature. You can define rules for competitor names, regulatory terms, or industry-specific banned words.
Integration with the WAF
Detection results are integrated into the WAF rule engine, so they can drive actions such as block, log only, or custom responses. The result can also be combined with existing signals like IP address, user agent, and geography.
Because Cloudflare acts as a reverse proxy, no application code changes are required. Cloudflare says about 20% of web traffic flows through its network, which gives it large-scale feedback for detection quality.
Plans and limits
| Plan | Endpoint discovery | Threat detection / mitigation |
|---|---|---|
| Free | free | coming soon |
| Pro | free | coming soon |
| Business | free | coming soon |
| Enterprise | free | available now |
Full detection plus mitigation is currently for Enterprise customers only, but endpoint discovery alone is already useful for understanding how an organization is using AI. The feature also launched through IBM Cloud Internet Services, and integration with Wiz AI Security was announced.
RFC 9457 error responses for AI agents
Anyone running AI agents in production has probably watched Cloudflare error pages blow up token costs the moment the agent hits one. If you pass a browser-oriented HTML error page directly to an LLM, hundreds of lines of markup and CSS turn into tokens.
How heavy HTML error pages are
The scale is obvious when you look at the numbers. For error 1015, a normal HTML response is 46,645 bytes and 14,252 tokens. The same information in Markdown is 798 bytes and 221 tokens, while JSON is 970 bytes and 256 tokens.
| Format | Bytes | Tokens (cl100k_base) |
|---|---|---|
| HTML | 46,645 | 14,252 |
| Markdown | 798 | 221 |
| JSON | 970 | 256 |
Markdown is about 64.5x lighter than HTML, a reduction of more than 98%. That difference adds up quickly in workflows that encounter multiple errors.
What RFC 9457 is
RFC 9457, “Problem Details for HTTP APIs,” defines a machine-readable schema for HTTP error responses. It can be parsed even if the client knows nothing about the specific API.
| Field | Meaning |
|---|---|
type | URI for the error documentation |
status | HTTP status code |
title | short human-readable summary |
detail | more detail about this occurrence |
instance | unique identifier, often a Ray ID |
Cloudflare’s extensions
Cloudflare adds fields that help an agent implement control flow.
| Field | Purpose |
|---|---|
error_code / error_name / error_category | error classification |
retryable | whether retry makes sense |
retry_after | recommended wait time |
owner_action_required | whether the site owner needs to intervene |
ray_id / timestamp / zone | operational metadata |
retryable and retry_after are the most important. If the error is 1015, wait and retry. If it is 1020, the site owner has to act and retries are pointless. The flag lets agents avoid useless loops.
Error categories and control flow
The 1xxx errors are grouped by category, and each category has a clear recommended action.
| Category | Example errors | Recommended action |
|---|---|---|
access_denied | 1006, 1020 | do not retry; report to the owner |
rate_limit | 1015 | wait retry_after seconds and retry |
dns | 1000, 1001 | do not retry; owner should check DNS |
config | 1003 | do not retry; owner should check configuration |
tls | 525, 526 | do not retry; certificate problem |
legal | 451 | regional restriction; do not retry |
worker | 1101 | Workers error; owner should investigate |
Markdown response structure
If you ask for Markdown, Cloudflare returns a YAML frontmatter section followed by prose.
---
type: "https://errors.cloudflare.com/1015"
title: "You have been rate limited"
status: 429
error_code: 1015
error_category: "rate_limit"
retryable: true
retry_after: 30
ray_id: "abc123def456"
timestamp: "2026-03-13T09:35:00Z"
---
## What Happened
This request was rate limited by Cloudflare.
## What You Should Do
Wait 30 seconds before retrying the request.If the frontmatter is parsed, the agent can make a machine decision, while the prose is still readable by a human or an LLM.
Example Python handler
import time, yaml
def parse_frontmatter(markdown_text: str) -> dict:
if not markdown_text.startswith("---\n"):
return {}
_, yaml_block, _ = markdown_text.split("---\n", 2)
return yaml.safe_load(yaml_block) or {}
def handle_cloudflare_error(markdown_text: str) -> str:
meta = parse_frontmatter(markdown_text)
if meta.get("retryable"):
wait = int(meta.get("retry_after", 30))
time.sleep(wait)
return f"retry_after_{wait}s"
if meta.get("owner_action_required"):
return f"escalate_error_{meta.get('error_code')}"
return "do_not_retry"How to use it
Site owners do not need to change anything. It is enabled across the Cloudflare network, and you just select the output format with the Accept header.
# Markdown
curl -H "Accept: text/markdown" -A "MyAgent/1.0" \
"https://example.com/cdn-cgi/error/1015"
# JSON
curl -H "Accept: application/json" -A "MyAgent/1.0" \
"https://example.com/cdn-cgi/error/1015" | jq .
# RFC 9457
curl -H "Accept: application/problem+json" -A "MyAgent/1.0" \
"https://example.com/cdn-cgi/error/1015" | jq .Browsers still receive HTML. The Accept header keeps the existing behavior unchanged. Right now it covers Cloudflare’s 1xxx platform errors, and 4xx/5xx support is planned.
Related reading
- Cloudflare WAF always-on detection, RFC 9849 ECH, and VMware Aria KEV - also covers Cloudflare WAF behavior
- GitHub’s agentic workflow security architecture - another angle on prompt injection defense
- Clinejection: how a GitHub issue title pushed an AI agent onto 4,000 developer machines - a real prompt-injection supply-chain attack
- AI code vulnerability analysis is starting to show results - improved detection quality in AI security
- AI agent memory injection and automatic smart-contract exploitation with EVMbench - another agent attack technique
- Cloudflare Workers real-time analytics architecture - Cloudflare edge architecture in practice