IMPORTANT for existing users: New functionality requires 3 additional API permissions in order to use the new functions.
For whatever reason,
Account.Account Settings: Read
Account.Account Settings: Edit
User.API Token: Read
Account.Account Settings: Read
isn't granted implicitly withAccount.Account Settings: Edit
.
Not sure why (maybe a current Cloudflare bug?), but theUser.API Token: Read
permission can't currently be added manually to tokens (initially or after the fact). The only workaround I could figure out is to create a new token via this link: Create new token with pre-filled permissions
At this point, you should have a total of 22 permissions for your API token (if you are going for full functionality).
What's new:
The newly used
- Added support for Cloudflare web analytics (requires two additional API permissions for your token (
Account.Account Settings: Read
&Account.Account Settings: Edit
), for those upgrading from a previous version)- Token permissions are automatically checked (requires an additional API permissions for your token (
User.API Token: Read
), for those upgrading from a previous version)- Removed option: Speed -> Other -> Signed Exchanges (deprecated as of Oct 20, 2025)
- Removed option: Speed -> Other -> AMP Real URL (deprecated as of Oct 20, 2025)
User.API Token: Read
permission does not allow the actual token to be read for current or any other tokens (it's not a potential security issue). It does a backend check of permissions and lets you see visually if anything is missing (permissions in green are allowed with your token, permissions in grey are not granted).
![]()
The new web analytics functionality allows you to enable or disable Cloudflare web analytics (including the ability to exclude just Europe from web analytics).
![]()
Cloudflare web analytics can give you real-world data to see how the performance of your site is, from an end-user standpoint.
![]()
- Limit preloading to 10 resources
- Timeframe bar for analytics on admin index uses style variables
- Removed option: Speed -> Image Optimization -> Mirage (deprecated as of Sept 15, 2025)
- Updated charting library (Chart.js) to 4.5.0
- Make use of XF\Util\Ip::stringToBinary & XF\Util\Ip::binaryToString if using XenForo >= 2.3
- Firewall option to force registration challenge removed (no longer needed now that Turnstile is supported)
- Removed option to force contact and registration pages to not be an overlay (was used in conjunction with the registration challenge that was removed)
- New option (Preload resources): automatically adds Link header that includes JavaScript and CSS URLs for the page (tells browsers to preload resources used by the page)
Fixes an issue where if you have other addons that extend theXF\Templater
class, with an execution order higher than 1000, and you are trying to view IP addresses that were logged without an associated geo-location record for that IP.
- Removed use of is_callable() (PHP 8.2+ compatibility change)
- Added Cloudflare setting: Security -> Bots -> AI Labyrinth
- Fixed issue with geo-location of user IPs in admin area on latest versions of PHP
- Fixed issue with geo-location when users are viewing their own IP addresses (when using Security addon)
- Get user IP from request class rather than PHP global variable
- Geo-location flags work for article authors
- Don't log geo-location info for sessions if using XenForo < 2.2.8 (required method wasn't introduced until XF 2.2.8)
- Internally simplified how geo-location flag CSS is generated
Yuck... sorry. This fixes it.
First of all, this is a big(ish) update...
Large R2 attachments should see the download start much faster for end users (rather than downloading it fully on the server before sending it to user, it's done with streams now). Honestly not sure why I didn't do it that way to begin with, but thanks to @Chris D for pointing out mystupidityoversight. It's still going to be more performant to be using presigned URLs, so the streaming change is only if you aren't using presigned URLs or token authentication for R2 attachments.
The addon now has the ability to pick up Cloudflare geo-location info for users (or more specifically, HTTP requests). This is something I've been doing for a LONG time with internal addons (in vBulletin 3, vBulletin 4, XF1 and XF2). So this was (mostly) just merging an internal addon I already had into this one.
As far as storing all the extra geo data, it's done as efficiently as possible, with a single record for location data needed for each IP. So even if an IP was logged 1,000 times (and even across multiple users), it only needs to store the geo data once per IP. If you delete/purge IPs, the geo data cleans itself up if there no record of the IP being used any longer in the
- If you want this to be done just at the country-level, make sure you enable the IP Geolocation setting for your Cloudflare domain/zone.
- If you want this to be done at the region-level, make sure you enable the Add visitor location headers option for your Cloudflare domain/zone.
- If you don't want to do this at all, disable the
Log IP address locations
setting under Options -> External service providers.xf_ip
table.
There are a couple new permissions that go along with this to allow user groups to see the country someone posted in a thread/sent a direct message from if you want to allow that.
User group permissions -> Forum permissions -> View country flag on posts
User group permissions -> Direct message permissions -> View country flag on messages
![]()
- Updated charting library (Chart.js) to 4.4.7
- Fixed issue where R2 egress bandwidth info for a bucket was reporting class B operations instead of class A operations
- Updated call for attaching custom domain to R2 bucket (endpoint changed)
- Attachment contents passed to view as a stream, rather than a string
- CLI tool to migrate data will ignore files with a prefix of
local/
- Made change to CLI migration tool so that the multi-process ability is compatible with new version of Symphony (XF 2.3)
- Added new Cloudflare setting (under Security): AI Bots
- Geo-location functionality
- New option: Admin -> Options -> External service providers -> Log IP address locations
- New permission: View country flag on posts
- New permission: View country flag on messages
- Added new Cloudflare setting (under Speed): Speed Brain
- Easy Config enables Speed Brain
- Added support for setting
SSL/TLS Encryption Mode
toStrict (SSL-only origin pull)
(for Enterprise zones)- Added new Cloudflare setting (under SSL/TLS): Encrypted Client Hello
- Added new Cloudflare setting (under Security): Leaked credentials
We use essential cookies to make this site work, and optional cookies to enhance your experience.