Available Managed Transforms
This page lists the available Managed Transforms. They can modify HTTP request headers or response headers.
HTTP request headers
Add bot protection headers
Adds HTTP headers with bot-related values to the request sent to the origin server:
cf-bot-score
: Contains the bot score (for example,30
).cf-verified-bot
: Containstrue
if the request comes from a verified bot, orfalse
otherwise.cf-threat-score
: Contains the threat score (for example,10
).cf-ja3-hash
: Contains the JA3 fingerprint.
Add TLS client auth headers
Adds HTTP headers with Mutual TLS (mTLS) client authentication values to the request sent to the origin server:
cf-cert-revoked
: Value from thecf.tls_client_auth.cert_revoked
field.cf-cert-verified
: Value from thecf.tls_client_auth.cert_verified
field.cf-cert-presented
: Value from thecf.tls_client_auth.cert_presented
field.cf-cert-issuer-dn
: Value from thecf.tls_client_auth.cert_issuer_dn
field.cf-cert-subject-dn
: Value from thecf.tls_client_auth.cert_subject_dn
field.cf-cert-issuer-dn-rfc2253
: Value from thecf.tls_client_auth.cert_issuer_dn_rfc2253
field.cf-cert-subject-dn-rfc2253
: Value from thecf.tls_client_auth.cert_subject_dn_rfc2253
field.cf-cert-issuer-dn-legacy
: Value from thecf.tls_client_auth.cert_issuer_dn_legacy
field.cf-cert-subject-dn-legacy
: Value from thecf.tls_client_auth.cert_subject_dn_legacy
field.cf-cert-serial
: Value from thecf.tls_client_auth.cert_serial
field.cf-cert-issuer-serial
: Value from thecf.tls_client_auth.cert_issuer_serial
field.cf-cert-fingerprint-sha256
: Value from thecf.tls_client_auth.cert_fingerprint_sha256
field.cf-cert-fingerprint-sha1
: Value from thecf.tls_client_auth.cert_fingerprint_sha1
field.cf-cert-not-before
: Value from thecf.tls_client_auth.cert_not_before
field.cf-cert-not-after
: Value from thecf.tls_client_auth.cert_not_after
field.cf-cert-ski
: Value from thecf.tls_client_auth.cert_ski
field.cf-cert-issuer-ski
: Value from thecf.tls_client_auth.cert_issuer_ski
field.
Add visitor location headers
Adds HTTP headers with location information for the visitor’s IP address to the request sent to the origin server:
cf-ipcity
: The visitor’s city (value from theip.src.city
field).cf-ipcountry
: The visitor’s country (value from theip.src.country
field).cf-ipcontinent
: The visitor’s continent (value from theip.src.continent
field).cf-iplongitude
: The visitor’s longitude (value from theip.src.lon
field).cf-iplatitude
: The visitor’s latitude (value from theip.src.lat
field).cf-region
: The visitor’s region (value from theip.src.region
field).cf-region-code
: The visitor’s region code (value from theip.src.region_code
field).cf-metro-code
: The visitor’s metro code (value from theip.src.metro_code
field).cf-postal-code
: The visitor’s postal code (value from theip.src.postal_code
field).cf-timezone
: The name of the visitor’s timezone (value from theip.src.timezone.name
field).
Add “True-Client-IP” header
Adds a true-client-ip
request header with the visitor’s IP address.
This Managed Transform is unavailable when Remove visitor IP headers is enabled.
Remove visitor IP headers
Removes HTTP headers that may contain the visitor’s IP address from the request sent to the origin server. Handles the following HTTP request headers:
cf-connecting-ip
x-forwarded-for
(refer to the notes below)true-client-ip
This Managed Transform is unavailable when Add “True-Client-IP” header is enabled.
Visitor IP address in the x-forwarded-for
HTTP header
For the x-forwarded-for
HTTP request header, enabling Remove visitor IP headers will only remove the visitor IP from the header value when Cloudflare receives a request proxied by at least another CDN (content delivery network). In this case, Cloudflare will only keep the IP address of the last proxy.
For example, consider an incoming request proxied by two CDNs (CDN_1
and CDN_2
) before reaching the Cloudflare network. The x-forwarded-for
header would be similar to the following:x-forwarded-for: <VISITOR_IP>, <THIRD_PARTY_CDN_1_IP>, <THIRD_PARTY_CDN_2_IP>
With Remove visitor IP headers enabled, the x-forwarded-for
header sent to the origin server will be:x-forwarded-for: <THIRD_PARTY_CDN_2_IP>
HTTP response headers
Remove “X-Powered-By” headers
Removes the X-Powered-By
HTTP response header that provides information about the application at the origin server that handled the request.
Add security headers
Adds several security-related HTTP response headers. The added response headers and values are the following:
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
referrer-policy: same-origin
expect-ct: max-age=86400, enforce
To increase protection, enable HTTP Strict Transport Security (HSTS) for your website.