XF2 Addons [DigitalPoint] App for Cloudflare® 1.9.9

It simplifies/automates much of the configuration and usage of Cloudflare with XenForo

• Added additional extensions to the Cache Rule for caching static content
• New Cloudflare Security option: Markdown for Agents

• XF 2.3+ compatibility change for country flags on articles
• Internally changed R2 uploads so they are uploaded as a stream (memory usage/efficiency thing)

IMPORTANT for existing users: New functionality requires 3 additional API permissions in order to use the new functions.

• Account.Account Settings: Read
• Account.Account Settings: Edit
• User.API Token: Read

For whatever reason, Account.Account Settings: Read isn't granted implicitly with Account.Account Settings: Edit.

Not sure why (maybe a current Cloudflare bug?), but the User.API Token: Read permission can't currently be added manually to tokens (initially or after the fact). The only workaround I could figure out is to create a new token via this link: Create new token with pre-filled permissions

At this point, you should have a total of 22 permissions for your API token (if you are going for full functionality).

What's new:

• Added support for Cloudflare web analytics (requires two additional API permissions for your token (Account.Account Settings: Read & Account.Account Settings: Edit), for those upgrading from a previous version)
• Token permissions are automatically checked (requires an additional API permissions for your token (User.API Token: Read), for those upgrading from a previous version)
• Removed option: Speed -> Other -> Signed Exchanges (deprecated as of Oct 20, 2025)
• Removed option: Speed -> Other -> AMP Real URL (deprecated as of Oct 20, 2025)

The newly used User.API Token: Read permission does not allow the actual token to be read for current or any other tokens (it's not a potential security issue). It does a backend check of permissions and lets you see visually if anything is missing (permissions in green are allowed with your token, permissions in grey are not granted).

The new web analytics functionality allows you to enable or disable Cloudflare web analytics (including the ability to exclude just Europe from web analytics).

Cloudflare web analytics can give you real-world data to see how the performance of your site is, from an end-user standpoint.

• Limit preloading to 10 resources
• Timeframe bar for analytics on admin index uses style variables
• Removed option: Speed -> Image Optimization -> Mirage (deprecated as of Sept 15, 2025)

• Updated charting library (Chart.js) to 4.5.0
• Make use of XF\Util\Ip::stringToBinary & XF\Util\Ip::binaryToString if using XenForo >= 2.3
• Firewall option to force registration challenge removed (no longer needed now that Turnstile is supported)
• Removed option to force contact and registration pages to not be an overlay (was used in conjunction with the registration challenge that was removed)
• New option (Preload resources): automatically adds Link header that includes JavaScript and CSS URLs for the page (tells browsers to preload resources used by the page)

• Fixed issue with geo-location of user IPs in admin area on latest versions of PHP
• Fixed issue with geo-location when users are viewing their own IP addresses (when using Security addon)

• Added new Cloudflare setting (under Speed): Speed Brain
• Easy Config enables Speed Brain
• Added support for setting SSL/TLS Encryption Mode to Strict (SSL-only origin pull) (for Enterprise zones)
• Added new Cloudflare setting (under SSL/TLS): Encrypted Client Hello
• Added new Cloudflare setting (under Security): Leaked credentials

• Fixed issue with deleting a Page Cache rule (change to Cloudflare API)
• Fixed issue with changing Cloudflare settings on XenForo 2.3 (was being done with form submission instead of the intended AJAX request)
• Ignore full stat rebuilds (too many API calls [11 per day], it will be impossibly slow, and you will hit API rate limit very quickly, so it would fail anyway)

• Removed workaround to allow non-Duotone icons in admin navigation for XenForo 2.3 (fixed in XF core)
• Added new Cloudflare setting (under Security): Replace insecure JavaScript libraries
• Changed verbiage to be worded better when setting up API token initially

• Removed Brotli compression setting (it's now always on in Cloudflare)
• Removed Minify settings (they have been deprecated and will be removed from Cloudflare soon)
• Removed Server-side Exclude setting (it has been deprecated and will be removed from Cloudflare soon)
• Added option to create Firewall Rule to block AI scrapers & crawlers
• Updated Chart.js library to 4.4.3