Cloudflare TV

💻 What Launched Today at Full Stack Week

Presented by Apoorva Ravikrishnan, Marc Lamik, Sam Marsh
Originally aired on 

Join our product and engineering teams as they discuss what products have shipped today!

Read the blog posts:

Visit the Full Stack Week Hub for every announcement and CFTV episode — check back all week for more!

English
Full Stack Week

Transcript (Beta)

Hi everyone, thanks so much for tuning in. Today is the fourth day of Cloudflare Full Stack Week and throughout this week we've been making a series of announcements all centered around empowering developers to do what they do best, write code, without having to worry about the underlying infrastructure, security, performance and scalability.

I'm Apoorva Ravikrishnan from the product marketing team and I'm here with folks from the product team to talk about two releases that went out today.

First one on image blur and custom domains and second one on HTTP response header modification.

Before I pass it on to my colleagues here so they can introduce themselves, I want to note that if you have any questions while you're watching this segment, please do send them in.

We'll try and respond to them either during the segment or we'll reach out to you later on.

Anyway, Marc, do you want to quickly introduce yourself?

Yeah, happy to. Yeah, thank you Apoorva. I'm Marc. I'm a product director at Cloudflare within our emerging technologies incubation team and I'm also working on images.

I'm happy to talk about images today. Great, thank you.

Sam, quick introduction. Yeah, so I'm Sam Marsh. I am product manager here at Cloudflare and I'm responsible for transform rules amongst a few of the products and I'm based out of our London office.

All right, thank you. Let's kick things off.

So Marc, before we talk about images blur and custom domains, can you give an overview of Cloudflare images?

What's the need for a product like Cloudflare images and when was it launched?

Just a quick overview. Yeah, so we launched Cloudflare images to everyone after a beta phase more or less exactly two months ago during our speed innovation week.

Cloudflare images is our like end-to -end images product which enables our users, our customers to not only store the images but also transform, resize and deliver them in the fastest possible way.

For us this is a huge, was a huge change because or like a huge step up because before that we never went into actually storing images and now we're like providing an end-to-end solution.

So you don't need to worry about what to do with images on the Internet, on a website or in the application.

You can just upload them to Cloudflare via API or by UI and then we'll take care of the rest and you can transform them into anything you'd like to have.

Wow, that definitely sounds like a product that makes life easy for developers doesn't it?

But I was wondering if you could also touch upon some of the key benefits for developers when they use this product and who have been the ideal customers for Cloudflare images so far?

Yeah, Cloudflare images actually we've seen a really broad set of customers on it and it's like one thing we really like to do in Cloudflare, we like to build products that work for a broad set of users.

Like from, we have a lot of developers that have only have a website with a few pictures and a few images but they just want to have the ease of mind without no egress cost, have a very cost -efficient solution of just taking care about images.

So they just once upload all their image stack and just use it via Cloudflare and don't worry about what to deliver where and how to make it fast.

And that has been like a lot of our, especially our early customers.

Then we move to people who are like kind of, I have a first project, I want to integrate maybe like a dynamic upload of images.

Is it maybe, is it user-generated content or is it stuff that comes from partners or customers?

So you can really have a very flexible way to build your image library. And then, but also building a product that works for even big enterprise customers who want to use it.

So it's really for developers on all different scales of products, from I'll just make my website to I build my first product to I work in an enterprise and I need to build something for my images.

All right, really exciting product we have there.

Anyway, can you cover what we launched today? What are the improvements we made to Cloudflare Images?

Yeah, well, we talked about like a few things today.

So one thing we have been working on for a while and we've already did a lot of soft launch on it is supporting the AVIF format, which is most probably the most advanced image format currently out there.

There's a lot of innovation happening and it's going to be JPEG, Excel and a few cool things coming in the future.

But for AVIF is something that for a lot of customers is pretty important that we support it.

It makes images really small with like a good quality.

So that's something that we launched on images as well. And we try to deliver as many as possible images on AVIF.

Doesn't always make sense to convert it there.

Sometimes you don't have a size improvement, but it actually needs quite a significant amount of compute.

But yeah, that's something we launched, which, yeah, we hope that a lot of customers are really excited about that.

Next thing is functionality that really works super well with something that we think is not unique, but is a special functionality in images, which is that you can sign an image and make it like token protected.

So you can, it cannot be opened from everyone.

A lot of our customers use that when they have things they only want to show to locked in users or things behind the paywall.

And what was missing for us that a lot of customers requested was to actually show like a blurred version of the image to not locked in or not paying customers.

And that's what we did now. So we launched blur, which enables customers to create a new variant that has a blurred component, which blurs the image from a little bit blurred to completely blurred.

And that's something that customers have been asking for.

It's already live on the API.

So if you're using the images API, you can already use it for, we'll also create a UI version that will take another few weeks, but this is ready to use.

Next thing, which you all said already mentioned, another thing from customers that was highly requested was while they love our solution, often we only, or we deliver all images from our own domain, which is image delivery.net.

So there are some use cases for customers, for example, that are very highly SEO dependent, where it's important to serve all images from their own domain.

And that's why we've, should we show and with integrated solution, how to use your own domain to show where the images loads from doesn't change anything else.

It's just in the end, the URL that it's served from.

You can already use it using a worker and we, in the blog post, you can see how this is done.

We also integrate or create a solution where everyone can just use it by like a special URL.

This will also be ready within the next four to six weeks.

So then everyone can use it without the need of a worker.

And at the moment it can be easily done with a worker. Last but not least, we are going to launch two new bundles.

So we saw that there's a lot of products and a lot of customers who are not only using images or not only using videos, but want to use both.

And we really would love to get customers to give customers some synergies of both cloud rare solutions for media.

So we launched two bundles combining images and cloud for images and cloud for stream where you get both like allowance for stored images and delivered images, as well as stored minutes of video and minutes of video served.

We have a starter bundle for just $10 a month where you can, where you get like the very basics to start up your project to have all you need for like a small setup.

And then we have a creator bundle that comes for $50 a month where you're already having like 500,000 images, a thousand minutes of stored video and a million images served and 50,000 minutes of video search, which already should bring you through quite a bit of scaling of your product.

Those bundles will also go live by the end of November. And we're really happy to offer those synergies that's between 50 and 60% cost savings for our customers.

Oh, wow. That's incredible. Thank you for talking us through that and talking about the images and stream bundle, especially I'm sure it'll be very interesting for the folks who are listening in.

I also wanted to, I wondered if you could touch upon what's next for cloud for images.

Do you have any thoughts on that?

Yeah, we, well, as usual in Cloudflare, we don't stop and we still have a lot of ideas for images.

There's a few things. One thing that is really on our minds at the moment is to deliver an analytics solution for images.

There's a lot of customers who want to know, okay, how often did I serve this image and what format did I serve it?

What type of customer looked at it? So how can we get all the interesting data around images to our customers?

So that's something that is on our mind.

There's some other functionalities. So we are going to add some more functionality to the UI.

There's some things we have on our mind around webhooks, which is something that also has been requested by a few customers.

So there's some interesting things coming up.

Also some bigger things I'm not going to talk about yet now, but yeah, you can for sure stay tuned on the images site that we're just getting started.

That's very exciting. And also a big surprise coming up for the folks listening in, I think, for the next Innovation Week or in the upcoming Innovation Week.

Anyway, thank you so much, Mark, for walking us through that.

Let's change gears a bit now and talk about one of the next launch that we had today, which was HTTP response header modification.

So Sam, before we sort of talk about the releases for today, can you walk us through what HTTP response headers are typically used for?

Yeah. Yeah. HTTP headers in general are essentially how the Internet works, how traffic gets from A to B, how your browser asks for and gets the right file and the right information.

Generally, the browser sends a request. And with that HTTP request, there's a number of headers, which are the file it's looking for and kind of similar things.

And then it's the server or the application on the other side that will respond with the data.

And again, it will respond with some headers.

And the headers are the data type or a variety of things, as we'll cover later, in terms of how the browser should handle the content and what to do with it.

And typically, the main use cases we see predominantly in Cloudflare and from our users are using response headers to either protect or increase security.

So there's a number of response header technologies, such as content security policies, or a variety of acronyms like CALLS and COOP and HSTS, and about a billion others.

And they're all basically response header technology or technologies implemented by response headers to ensure that things like cross -site scripting, man-in-the-middle attacks, interceptions, protocol downgrades, they're all harder to do or impossible to do, as much as anything can be impossible.

So response headers are, whilst they're a building block, they're much more interesting from a security perspective.

And the other angle you see response headers used for is client enrichment.

So if you do a curl on any website, you'll see all the response headers there that come back.

And you see a lot of interesting ones, to be honest.

In the wild, you see a number of websites who have Terry Pratchett quotes in their response headers.

You see websites like PayPal who are actually advertising for developers in their response headers because they think developers look in response headers, which is potentially a fair assumption.

So there's all kinds of weird and wonderful things if you really start to dig in.

Okay, thank you so much for taking us through that. It was super helpful for me, definitely, to understand what it is.

And what did we launch today? Could you walk us through that?

Yeah, so in April this year, we launched a product called Transform Rules.

And Transform Rules is basically trying to take the power of products like workers and effectively package it up into a simple UI experience.

And the kind of evolution of it is, you know, people used to still do edit kind of config on web servers on their actually premises.

So adding an enlightened NGINX to add a response header, then they may have graduated that to workers for the more, you know, additional power and kind of routing.

And then they may kind of just want to have it as a simple rule.

So we're kind of taking them to that writing code experience right the way through to like two clicks and these headers are added.

So what we did in April this year was we launched Transform Rules to allow people to do very simple URL rewriting.

In June, we launched a request header modification.

Those are headers that come from browsers to Cloudflare to the origin.

And then today we have effectively completed that trifecta.

So we're allowing the modification of headers that come from the server through Cloudflare back to the browser.

So with that, we can pretty much modify the entire workflow, you know, modifying what gets sent to the server and then what gets sent back to the eyeball.

And again, this is all within what we call the edge rules.

So there's a really powerful filtering experience. You can trigger it on like 15 or 20 different triggers and it's all click and drag basically.

So it's all super simple to set up and configure thrash board. Got it. I was also wondering, I think you touched upon it a bit earlier, but what are some of the key benefits of using response header modifications and some of the key use cases that you've come across?

Yeah. So one of the, you know, one of the most interesting ones, and I think we kind of touched upon this in the blog, is the kind of movement that we see, not just those, but obviously the Internet sees in terms of the adoption of SaaS platforms.

And historically, you know, response header modification isn't a new thing.

You know, this has been going for a long time, but historically you would do this where you had this whole walled castle approach to kind of IT.

So it was your data center, your CRM system ran on your server, and then your web server sat next to that.

And then you could just go to your web server, add some rules to say, add this header, take this header away, and everything worked fine.

And that's kind of how it was for a long time. But now we're kind of, rightfully so, getting away from this like walled garden approach to security in particular.

We have, you know, big customers of ours like Shopify, Salesforce Commerce Cloud.

So they're not your CRM software. You don't own that software. You can't kind of just go in there and start adding things and taking it away.

So if you wanted to kind of take what Shopify sends to your customers or Salesforce or any of these other platforms send to your visitors, and you want to tweak that or add something, doing that without the power of workers or transform rules is pretty difficult to do because you don't access to their software.

So by adding Cloudflare in the middle of this traffic flow, what you can effectively do is take what's sent back from these providers, add a custom header to say, you know, this is coming from my website, or again, a custom header to say, hey, don't forget the special offer code, you know, what it may be.

And then you can send that to your eyeball or to your visitors, to your actual browser.

So it kind of gives administrators that control back and that power back that they previously may have had, but with the kind of moving to these better platforms, frankly, they may have actually lost that or traded some of that off.

So we're trying to kind of give them what they had back, but in a better, more kind of powerful powerful experience.

The other angle on this in terms of having header modification in workers and transform rules, which we're talking about today, is typically things like content security policy and HSTS and other security headers, they tended to be a kind of binary on or off.

So you tend to say, my content security policy is this, and it's on for the whole website, you know, typically.

With the ability of a kind of transform rules, you can, if you wanted to say, for these particular bits of my website, I want these particular security headers to be set, but also for visitors to my website who've got a low bot score, or kind of they're not a verified bot, or, you know, they're kind of coming in with a user agent, which is something I don't trust.

You can actually dynamically kind of change these security policies and these security headers to be stricter.

So you can basically really, really take the kind of hammer and screwdriver out and make these things really refined to say, for these specific visitors with these specific properties, I want them to get these specific response headers.

But for everybody else, they get, you know, the generic ones.

So not only are we kind of bringing that role back into administrators' hands, we're kind of enriching it and giving them more tools and more ability than they may have ever previously had.

Got it. Thank you so much for taking us through that.

And I was wondering, is this available for all Cloudflare users, or is it specific to a particular plan users?

Yeah, so this is something that every kind of plan or every kind of segment customers is interested in, because it's such an interesting technology.

And so much of the functionality out there relies upon these headers.

Everything from, you know, your logging solutions, potentially, where you might want to have, I don't know the correct term, geomap of where your visitors come from and where they originate from.

If you add, you know, a kind of request header, for example, that says X country equals the IP's country, then you can plot that map.

Or conversely, if you want to set specific cache options for specific file types, again, you can do that.

And that's not limited to any particular segment. It's something that we try our best to give to all platforms to kind of drive these features down the stack, as it were, so that everyone can play with them, everyone can use them.

And frankly, everyone can kind of realize the benefit of the kind of hard work and sweat we put into making these products.

Thank you so much for taking us through that. It feels like you almost get all the control back, which is very crucial for being secure.

And it's incredible what this feature can do. What are some of the technical challenges you encountered when developing this?

Yeah, so along that theme, the difficult part of header modification, I would say, is it's not all the control back.

It's probably 99% of the control back. But there are always going to be headers you or we don't allow to be modified, either for security purposes, or generally, because we are kind of setting them already at some point of the kind of, you know, it comes into Cloudflare, it goes through 62 million processes, and it kind of comes out the other end.

In one of those processes, we're probably setting a specific header, like the kind of HSTS header, for example, if it's turned on at the zone level.

So there's a number of headers, whereby it's not just kind of like type whatever you want, and whatever you want gets set.

But what I would say is they are like probably a handful of headers, maybe two.

And as we kind of productize more and more of these things, which is where we want to go, we don't want to force people to be playing around with setting headers.

We want to say, click here to make it faster, click here to make it more secure.

As we productize this more and more and more, we're probably going to run into that.

But it's a nice challenge to have, having users adopt it either way.

It's our problem to make it so that we don't interrupt any traffic, but we make it much, much easier for customers to just say, click, and it's done.

So I would certainly say making sure we don't trample on the toes of our colleagues and say, hey, look, you know, you guys are allowing this header that we set to be modified.

I think that's been the key part is just identifying those headers within the code base and saying, we can't change that one.

We can't change that one. And then trying to find a way to document that clearly without it being a laundry list just dumped in some document hidden on the end.

I think that's the really trickiest part. Got it. Thank you so much.

I think I'm curious about, this is a question for both of you. I was wondering, because we spend so much effort in listening to our customers, understanding what they really need, and it always goes into the product.

Is that the core funder of Cloudflare products?

We always listen to the customers and then we try and figure out what we have to go from here?

I would say so, yeah. I would say that the key thing is always listening and almost interpreting and understanding.

And it's kind of the product management 101 is listen and then ask why five times is the old adage.

And then you'll eventually get to what the real problem is. And really understanding the customer segment and really understanding the why.

Because often we find that actually the suggested, I want this to happen, when you really dig to the bottom of it, we've either already got a way that could probably do it now, or we've got a better way which would kind of fit their requirements.

So that's the key thing is listen, but then kind of drill down to find out more.

Got it. Thank you.

Mark has always told me. Yeah. Go ahead, Mark. No, please. I was going to say, Mark always tells me all the products are built for developers, by developers, and that's one of the core winning theme we have going on here.

So do you want to say something else, Mark?

Yeah, I think it's a lot of what Sam said. What we do in ETI where we really try out a lot of new products is also really understand customers and understand what are like the problem spaces, don't think in solutions.

And also think about what can we do with technology innovation that happens and how can we, how can from an innovation, how can we find the customer benefit that we could add to that?

Because I think one problem in innovation is always if you ask customers what they want about future things, well, if they don't know that this would be possible or that this could be happening, they would never say that they would want this.

So understanding the problem space, but also trying out a lot of stuff and then listening to customers is really important.

Thank you. Also, back to you, Sam, just a quick one.

What's next for response header modifications? And I'm conscious we have four minutes left before we sign out.

And I just wanted to understand what's next.

Yeah. So yeah, we're on a journey at the moment with kind of header modification.

And unsurprisingly, this is not the kind of end goal.

Where we started off just from a Cloudflare perspective is if a customer at the start of the year wanted to set or request a response header, they would quickly spin up a worker, they would copy some code and they'd just modify the header name and value, and it'd be working really simple.

And then we kind of evolved that in terms of a simplification and said, it's been easier now, just go and add a transform rule, type in the header name, type in the kind of the field.

So like cf.bot underscore management score to get the bot score.

And that's how you now add a request header.

And there's still a lot of typing there. And there's still a lot of looking up fields and looking up parameters.

So the kind of next evolutionary step now is to say, if you want to have the bot score as a request header, or you want to have a CSP generated for you, then let's make that a one button experience.

Let's just literally click on it and the bot scores added.

Let's just click on this and the CSPs generated for you. And that's kind of where we're trying to really drive value and drive security as well, because some of these things are quite tricky to figure out if we can make it so that they are like a one click experience.

Not only is it driving up security, which is what we really want to do, but also it's re -simplifying, setting up these quite complex technologies sometimes.

So that's one of the things we're really hoping to get done early next year is just make this whole thing just click, click, done basically.

That's very exciting. And so there's more surprises coming up with the upcoming Innovation Week, not just from Mark's Cloudflare Images product, but also from you.

This is very, very exciting. So we had a very great session today. For those of you who are just tuning in, we spoke with Mark and Sam on the launches that went out today, which was on Images Blur and Custom Domain and HTTP response header modification.

If you have not read these blogs, please do check them out and also stay tuned because we'll be announcing more and more features for this Innovation Week, which is on the full stack week.

It's all about making the life of developers easier because we want to empower them to write code and sort of take away all the underlying issues around infrastructure and wondering how they should be able to help scalability.

So we take that away. It's all about making life easier for the developers.

Anyway, thanks. And we'll be wrapping up this segment in a few minutes.

And we have another product segment of what we launched today at 12.30 PT.

So stay tuned. And thank you so much.

Thumbnail image for video "Full Stack Week"

Full Stack Week
Relive the exciting announcements from Full Stack Week! Check out the Full Stack Week Hub to find all of our announcements and blog posts!
Watch more episodes