Early Hints and Encrypted Client Hello (ECH) are currently disabled globally

Dear community,

This note is to inform you of the status of Early Hints and Encrypted Client Hello.

We have sadly had to disable both of these features globally whilst we address a number of issues with them. These issues are unrelated. We are in the process of adding a label to each of the toggles in the dashboard to alert that they are disabled.

We expect to re-enable Early Hints in the coming weeks, with ECH re-enablement for Free coming later in the year with roll-out to those in the beta in early 2024.

We apologise for the inconvenience caused here and are doing our best to get these features back online ASAP.

  • Sam
16 Likes

While you’re working on things, I would like to urge you to implement a rule to allow me to bypass early hints on cookie.

I have never been able to use early hints because I serve different javascript assets depending on whether you’re logged in or not, and therefore I serve different HTTP link headers depending on whether you’re logged in or not.

Since early hints are cached for subsequent requests, I am unable to use early hints, because a logged in user might get the cached early hints for a logged out user (which won’t line up with the assets actually being requested on the webpage), or vice versa.

I would love the flexibility to create a rule to bypass early hints on cookie.

I’ve asked numerous times for this to be addressed ever since it was in beta, but here I am pleading just one more time :wink:

Cloudflare has really enhanced its Rules section over the past months, and I’d love for Early Hints to be one of the settings that could be disabled in Configuration Rules.

You see, I already have a page rule in place to cache everything but bypass cache on cookie. However, early hints unfortunately has its own separate caching mechanism and doesn’t respect the bypass cache rule.

4 Likes

Thanks @DanWeb. First time I’m hearing this request. I’ll think about it and explore with the team. Appreciate the feature request!

3 Likes

I first brought it up in support ticket 2364068 back in January 2022 where, after LOTS of needless back and forth, I was eventually told the request was forwarded to the engineers. I also spoke to Natalie Yeh (CF Product Designer) on a video call about the issue back in August 2022. Also in August 2022, I had a long conversation about the issue with MVP @eva2000 who, and perhaps this is the dangerous issue, was actually unaware that it is broken when using a CMS which serves different link headers to different user groups. After pointing out that https://developers.cloudflare.com/cache/about/early-hints says “Early Hints cache entries are keyed by request URI and ignore query strings.” he went ahead and disabled Early Hints on his own site and posted internally about the issue as well (not sure what became of that). I mention all of this because maybe there’s a way to use this feedback to improve internal communication. I apologize if this isn’t the right avenue to air this, but I have your ear, and most of my grievances have fallen on deaf ears over the years.

Much thanks! As called out above, I believe the biggest issue is that a large portion of the web serves different assets to logged in users vs logged out users. (e.g. a lightweight javascript to logged out users, while full functionality JS to logged in users). It’s been my experience that a lot of these websites have Early Hints enabled without realizing that it is broken when using a CMS out of the box. (Discourse, which powers this very community, is an example of a CMS that would break with Early Hints enabled and inspecting HTML link preload tags.)

2 Likes
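The mismatch described in the posts above, as an added example that is not part of the thread and not Cloudflare's code: a toy model of a hints cache keyed only by request path, with a check that compares the preload targets sent as hints against those in the final response. The class and function names, URLs, cookie name and the `vary_on_cookie` option (modelling the requested bypass rule) are constructed for illustration.

```python
from urllib.parse import urlsplit

def preload_targets(link_header):
    """URLs in a Link header with rel=preload or rel=preconnect.
    Assumes no commas inside the <...> URLs (simplified parsing)."""
    targets = set()
    for part in link_header.split(","):
        fields = [f.strip() for f in part.split(";")]
        url = fields[0]
        if not (url.startswith("<") and url.endswith(">")):
            continue
        params = {f.lower().replace('"', "") for f in fields[1:]}
        if "rel=preload" in params or "rel=preconnect" in params:
            targets.add(url[1:-1])
    return targets

class HintsCache:
    """Toy edge cache: entries keyed by URI path; query string and cookies ignored."""
    def __init__(self, vary_on_cookie=None):
        self.vary_on_cookie = vary_on_cookie  # hypothetical "bypass on cookie" rule
        self.store = {}

    def request(self, url, cookies, origin):
        """Return (Link value sent as a 103 hint, Link value of the final response)."""
        key = urlsplit(url).path
        bypass = self.vary_on_cookie is not None and self.vary_on_cookie in cookies
        hinted = "" if bypass else self.store.get(key, "")
        final = origin(cookies)
        if not bypass:
            self.store[key] = final  # hints are learned from the last origin response
        return hinted, final

def origin(cookies):
    # Constructed origin: a light bundle for anonymous users, a full one when logged in.
    if "session" in cookies:
        return "</js/full.js>; rel=preload; as=script"
    return "</js/lite.js>; rel=preload; as=script"

def stale_hints(hinted, final):
    """Targets that were hinted but that the final response does not ask for."""
    return preload_targets(hinted) - preload_targets(final)

def demo(cache):
    # An anonymous visit fills the cache, then a logged-in user requests the same path.
    cache.request("https://example.com/forum?page=1", {}, origin)
    hinted, final = cache.request("https://example.com/forum", {"session": "x"}, origin)
    return stale_hints(hinted, final)
```

`demo(HintsCache())` reports `/js/lite.js` as a hint the logged-in response never uses, while `demo(HintsCache(vary_on_cookie="session"))` reports nothing.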

Does ECH work for ssh connections in free plan?

ECH is a standard on top of TLS. SSH’s encryption is unrelated to TLS so it can’t be applied to SSH connections.

1 Like

What is the current status of re-enabling Early Hints?

I’d love to know the issues that caused it to be turned off as well as the timeline for re-enabling.

4 Likes

But maybe there is a way for you to use ECH with an “SSH” connection: you need to build a Cloudflare tunnel on your server and export the SSH service to a self-defined public hostname (and this domain must be hosted on Cloudflare). Once Cloudflare re-enables the ECH function for your self-defined domain, you can connect to your server using “ECH + TLSv1.3 + SSH”.

But since the SSH protocol is hidden behind TLS, you also need to install the cloudflared software on your client to connect to your server, like this (this could be written to the SSH config file):

/usr/local/bin/cloudflared access ssh --hostname xxx.xxx.com

Inconsistency in how this is displayed.


This information was written a month ago. What is the current status?

9 Likes

Hi all - a brief note to let you know that Early Hints is now re-enabled globally.

8 Likes

By any chance, were my suggestions incorporated? Otherwise I’m afraid early hints is a dealbreaker for myself and many others.

@smarsh do you have an ETA when ECH will be re-enabled?

1 Like

This is re-enabling what was already in place, no additions or feature requests.

No ETA, it will be sometime in 2024 but we don’t have a firm timeline.

2 Likes
