Cloudflare Docs
Ruleset Engine
Edit this page on GitHub
Set theme to dark (⇧+D)

Fields reference

The Cloudflare Rules language supports a range of field types:

​​ Standard fields

Most standard fields use the same naming conventions as Wireshark display fields. However, there are some subtle differences between Cloudflare and Wireshark:

  • Wireshark supports CIDR (Classless Inter-Domain Routing) notation for expressing IP address ranges in equality comparisons (ip.src == 1.2.3.0/24, for example). Cloudflare does not.

    To evaluate a range of addresses using CIDR notation, use the in comparison operator as in this example: ip.src in {1.2.3.0/24 4.5.6.0/24}.

  • In Wireshark, ssl is a protocol field containing hundreds of other fields of various types that are available for comparison in multiple ways. However, in the Rules language ssl is a single Boolean field that indicates whether the connection from the client to Cloudflare is encrypted.

  • The Cloudflare Rules language does not support the slice operator.

The Cloudflare Rules language supports these standard fields:

FieldDescription
http.host
String

Represents the hostname used in the full request URI.

Example value:
www.example.org

http.referer
String

Represents the HTTP Referer request header, which contains the address of the web page that linked to the currently requested page.

Example value:
Referer: htt­ps://developer.example.org/en-US/docs/Web/JavaScript

http.request.full_uri
String

Represents the full URI as received by the web server (does not include #fragment, which is not sent to web servers).

Example value:
htt­ps://www.example.org/articles/index?section=539061&expand=comments

http.request.method
String

Represents the HTTP method, returned as a string of uppercase characters.

Example value:
GET

http.request.cookies
Map<Array<String>>

Represents the Cookie HTTP header associated with a request as a Map (associative array).

The cookie values are not pre-processed and retain the original case used in the request.

Decoding: The cookie names are URL decoded. If two cookies have the same name after decoding, their value arrays are merged.

Example:
any(http.request.cookies["app"][*] == "test")

Example value:
{"app": ["test"]}

http.request.timestamp.sec
Integer

Represents the timestamp when Cloudflare received the request, expressed as Unix time in seconds. This value is 10 digits long.

To obtain the timestamp milliseconds, use the http.request.timestamp.msec field.

Example value:
1484063137

When validating HMAC tokens in an expression, pass this field as the currentTimestamp argument to the is_timed_hmac_valid_v0() validation function.

http.request.timestamp.msec
Integer

Represents the millisecond when Cloudflare received the request, between 0 and 999.

To obtain the complete timestamp, use both http.request.timestamp.sec and http.request.timestamp.msec fields.

Example value:
857

http.request.uri
String

Represents the URI path and query string of the request.

Example value:
/articles/index?section=539061&expand=comments

http.request.uri.path
String

Represents the URI path of the request.

Example value:
/articles/index

http.request.uri.path.extension
String

The lowercased file extension in the URI path without the dot (.) character. Corresponds to the string after the last dot in the URI path, without considering the query string.
If the first character of the last path segment is a dot and the segment does not contain other dot characters, the field value will be an empty string (""). Having a dot as the first character does not represent a file extension and is commonly used in Unix-like systems to represent a hidden file or directory.

Example values
URI pathField value
/foo""
/foo.mp3"mp3"
/.mp3""
/.foo.mp3"mp3"
/foo.tar.bz2"bz2"
/foo.""
/foo.MP3"mp3"
http.request.uri.query
String

Represents the entire query string, without the ? delimiter.

Example value:
section=539061&expand=comments

http.user_agent
String

Represents the HTTP user agent, a request header that contains a characteristic string to allow identification of the client operating system and web browser.

Example value:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

http.request.version
String

Represents the version of the HTTP protocol used. Use this field when you require different checks for different versions.

Example Values:

  • HTTP/1.1
  • HTTP/3
http.x_forwarded_for
String

Represents the full X-Forwarded-For HTTP header.

Example value:
203.0.113.195, 70.41.3.18

ip.src
IP address

Represents the client TCP IP address, which may be adjusted to reflect the actual address of the client by using, for example, HTTP headers such as X-Forwarded-For or X-Real-IP.

Example value:
93.184.216.34

ip.src.lat
String

Represents the latitude associated with the client IP address.

Example value:
37.78044

ip.src.lon
String

Represents the longitude associated with the client IP address.

Example value:
-122.39055

ip.src.city
String

Represents the city associated with the client IP address.

Example value:
San Francisco

ip.src.postal_code
String

Represents the postal code associated with the incoming request.

Example value:
78701

ip.src.metro_code
String

Represents the metro code or Designated Market Area (DMA) code associated with the incoming request.

Example value:
635

ip.src.region
String

Represents the region name associated with the incoming request.

Example value:
Texas

ip.src.region_code
String

Represents the region code associated with the incoming request.

Example value:
TX

ip.src.timezone.name
String

Represents the name of the timezone associated with the incoming request.

Example value:
America/Chicago

This field is only available in rewrite expressions of Transform Rules.

ip.src.asnum
Number

Represents the 16- or 32-bit integer representing the Autonomous System (AS) number associated with client IP address.

Note: This field has the same value as the ip.geoip.asnum field, which is deprecated. The ip.geoip.asnum field is still available for new and existing rules, but you should use the ip.src.asnum field instead.

ip.src.continent
String

Represents the continent code associated with client IP address:

  • AF – Africa
  • AN – Antarctica
  • AS – Asia
  • EU – Europe
  • NA – North America
  • OC – Oceania
  • SA – South America
  • T1 – Tor network

Note: This field has the same value as the ip.geoip.continent field, which is deprecated. The ip.geoip.continent field is still available for new and existing rules, but you should use the ip.src.continent field instead.

ip.src.country
String

Represents the 2-letter country code in ISO 3166-1 Alpha 2 format.

Example value:
GB

For more information on the ISO 3166-1 Alpha 2 format, refer to ISO 3166-1 Alpha 2 on Wikipedia.

Note: This field has the same value as the ip.geoip.country field, which is deprecated. The ip.geoip.country field is still available for new and existing rules, but you should use the ip.src.country field instead.

ip.src.subdivision_1_iso_code
String

Represents the ISO 3166-2 code for the first level region associated with the IP address. When the actual value is not available, this field contains an empty string.

Example value:
GB-ENG

For more information on the ISO 3166-2 standard and the available regions, refer to ISO 3166-2 on Wikipedia.

Note: This field has the same value as the ip.geoip.subdivision_1_iso_code field, which is deprecated. The ip.geoip.subdivision_1_iso_code field is still available for new and existing rules, but you should use the ip.src.subdivision_1_iso_code field instead.

ip.src.subdivision_2_iso_code
String

Represents the ISO 3166-2 code for the second level region associated with the IP address. When the actual value is not available, this field contains an empty string.

Example value:
GB-SWK

For more information on the ISO 3166-2 standard and the available regions, refer to ISO 3166-2 on Wikipedia.

Note: This field has the same value as the ip.geoip.subdivision_2_iso_code field, which is deprecated. The ip.geoip.subdivision_2_iso_code field is still available for new and existing rules, but you should use the ip.src.subdivision_2_iso_code field instead.

ip.src.is_in_european_union
Boolean

Returns true when the request originates from a country in the European Union (EU).

Countries in EU (from geolocation data)
Country codeCountry name
ATAustria
AXÅland Islands
BEBelgium
BGBulgaria
CYCyprus
CZCzechia
DEGermany
DKDenmark
EEEstonia
ESSpain
FIFinland
FRFrance
GFFrench Guiana
GPGuadeloupe
GRGreece
HRCroatia
HUHungary
IEIreland
ITItaly
LTLithuania
LULuxembourg
LVLatvia
MFSaint Martin
MQMartinique
MTMalta
NLThe Netherlands
PLPoland
PTPortugal
RERéunion
RORomania
SESweden
SISlovenia
SKSlovakia
YTMayotte
The EU country list was obtained from MaxMind’s GeoIP2 database on 2023-12-05. For details on obtaining up-to-date country information, refer to the MaxMind website.

Note: This field has the same value as the ip.geoip.is_in_european_union field, which is deprecated. The ip.geoip.is_in_european_union field is still available for new and existing rules, but you should use the ip.src.is_in_european_union field instead.

raw.http.request.full_uri
String

Similar to the http.request.full_uri non-raw field. Represents the full URI as received by the web server without the URI fragment (if any) and without any transformation.

Note: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.

raw.http.request.uri
String

Similar to the http.request.uri non-raw field. Represents the URI path and query string of the request without any transformation.

Note: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.

raw.http.request.uri.path
String

Similar to the http.request.uri.path non-raw field. Represents the URI path of the request without any transformation.

Note: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.

raw.http.request.uri.path.extension
String

Similar to the http.request.uri.path.extension non-raw field. Represents the file extension in the request URI path without any transformation.

raw.http.request.uri.query
String

Similar to the http.request.uri.query non-raw field. Represents the entire query string without the ? delimiter and without any transformation.

Note: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.

ssl
Boolean

Returnstrue when the HTTP connection to the client is encrypted.

​​ Dynamic fields

Dynamic fields represent computed or derived values, typically related to threat intelligence about an HTTP request.

The Cloudflare Rules language supports these dynamic fields:

Field NameDescription

cf.bot_management.verified_bot
Boolean

When true, this field indicates the request originated from a known good bot or crawler. Provides the same information as cf.client.bot.

cf.verified_bot_category
String

Provides the type and purpose of a verified bot.

For more details, refer to Verified Bot Categories.

cf.bot_management.score
Number

Represents the likelihood that a request originates from a bot using a score from 1–99.

A low score indicates that the request comes from a bot or an automated agent. A high score indicates that a human issued the request.

cf.bot_management.static_resource
Boolean

Indicates whether static resources should be included when you create a rule using cf.bot_management.score.

For more details, refer to Static resource protection.

cf.bot_management.ja3_hash
String

Provides an SSL/TLS fingerprint to help you identify potential bot requests.

For more details, refer to JA3 Fingerprints.

cf.bot_management.js_detection.passed
Boolean

Indicates whether the visitor has previous passed a JS Detection.

For more details, refer to JavaScript detections.

cf.bot_management.detection_ids
Array<Number>

List of IDs that correlate to the Bot Management heuristic detections made on a request (you can have multiple heuristic detections on the same request). Use this field to explicitly match a specific heuristic or to exclude a heuristic in a rule.

Example:
any(cf.bot_management.detection_ids[*] eq 33554817)

cf.client.bot
Boolean

When true, this field indicates the request originated from a known good bot or crawler. Provides the same information as cf.bot_management.verified_bot.

cf.edge.server_ip
IP Address

Represents the global network's IP address to which the HTTP request has resolved to.

This field is only meaningful for BYOIP customers.

cf.edge.server_port
Number

Represents the port number at which the Cloudflare global network received the request.

Use this field to filter traffic on a specific port. The value is a port number in the range 1–65535.

cf.hostname.metadata
String

Returns the string representation of the per-hostname custom metadata JSON object set by SSL for SaaS customers.

cf.random_seed
Bytes

Returns per-request random bytes that you can use in the uuidv4() function.

cf.ray_id
String

The Ray ID of the current request. A Ray ID is an identifier given to every request that goes through Cloudflare.

cf.threat_score
Number

Represents a Cloudflare threat score from 0–100, where 0 indicates low risk. Values above 10 may represent spammers or bots, and values above 40 identify bad actors on the Internet.

It is rare to see values above 60. A common recommendation is to challenge requests with a score above 10 and to block those above 50.

cf.tls_cipher
String

The cipher for the connection to Cloudflare.

Example:
"AES128-SHA256"

cf.tls_client_auth.cert_revoked
Boolean

Returns true when a request presents a valid but revoked client certificate.

When true, the cf.tls_client_auth.cert_verified field is also true.

cf.tls_client_auth.cert_verified
Boolean

Returns true when a request presents a valid client certificate.

Also returns true when a request includes a valid certificate that was revoked (see cf.tls_client_auth.cert_revoked).

cf.tls_client_auth.cert_presented
Boolean

Returns true when a request presents a certificate (valid or not).

cf.tls_client_auth.cert_issuer_dn
String

The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate included in the request.

Example:
"CN=Access Testing CA,OU=TX,O=Access Testing,L=Austin,ST=Texas,C=US"

cf.tls_client_auth.cert_subject_dn
String

The Distinguished Name (DN) of the owner (or requester) of the certificate included in the request.

Example:
"CN=James Royal,OU=Access Admins,O=Access,L=Austin,ST=Texas,C=US"

cf.tls_client_auth.cert_issuer_dn_rfc2253
String

The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in RFC 2253 format.

Example:
"CN=Access Testing CA,OU=TX,O=Access Testing,L=Austin,ST=Texas,C=US"

cf.tls_client_auth.cert_subject_dn_rfc2253
String

The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in RFC 2253 format.

Example:
"CN=James Royal,OU=Access Admins,O=Access,L=Austin,ST=Texas,C=US"

cf.tls_client_auth.cert_issuer_dn_legacy
String

The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in a legacy format.

Example:
"/C=US/ST=Texas/L=Austin/O=Access Testing/OU=TX/CN=Access Testing CA"

cf.tls_client_auth.cert_subject_dn_legacy
String

The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in a legacy format.

Example:
"/C=US/ST=Texas/L=Austin/O=Access/OU=Access Admins/CN=James Royal"

cf.tls_client_auth.cert_serial
String

Serial number of the certificate in the request.

Example:
"527E0F20A20EA2A4146C78390F34CE7AF0878CA4"

cf.tls_client_auth.cert_issuer_serial
String

Serial number of the direct issuer of the certificate in the request.

Example:
"2688201DBA77402EA87118876F2E1B24CF8B0395"

cf.tls_client_auth.cert_fingerprint_sha256
String

The SHA-256 fingerprint of the certificate in the request.

Example:
"af363dc85bc942a892d3cee9796190fdb36d89cd588a4f1cb17c74a943439714"

cf.tls_client_auth.cert_fingerprint_sha1
String

The SHA-1 fingerprint of the certificate in the request.

Example:
"933ad5282c560ae3f482a43ecd73bc9de878a190"

cf.tls_client_auth.cert_not_before
String

The certificate in the request is not valid before this date.

Example:
"Mar 21 13:35:00 2022 GMT"

cf.tls_client_auth.cert_not_after
String

The certificate in the request is not valid after this date.

Example:
"Mar 21 13:35:00 2023 GMT"

cf.tls_client_auth.cert_ski
String

The Subject Key Identifier (SKI) of the certificate in the request.

Example:
"27846FAE6EAC4A8DAD9101B519CF1EB460242831"

cf.tls_client_auth.cert_issuer_ski
String

The Subject Key Identifier (SKI) of the direct issuer of the certificate in the request.

Example:
"8204924CF49D471E855862706D889F58F6B784D3"

cf.tls_client_extensions_sha1
String

The SHA-1 fingerprint of TLS client extensions, encoded in Base64.

Example:
"OWFiM2I5ZDc0YWI0YWYzZmFkMGU0ZjhlYjhiYmVkMjgxNTU5YTU2Mg=="

cf.tls_client_hello_length
Number

The length of the client hello message sent in a TLS handshake. Specifically, the length of the bytestring of the client hello.

Example:
508

cf.tls_client_random
String

The value of the 32-byte random value provided by the client in a TLS handshake, encoded in Base64. Refer to RFC 8446 for more details.

Example:
"YWJjZA=="

cf.tls_version
String

The TLS version of the connection to Cloudflare.

Example:
"TLSv1.2"

cf.waf.content_scan.has_obj
Boolean

When true, the request contains at least one content object.

For more details, refer to Uploaded content scanning.

cf.waf.content_scan.has_malicious_obj
Boolean

When true, the request contains at least one malicious content object.

For more details, refer to Uploaded content scanning.

cf.waf.content_scan.num_malicious_obj
Integer

The number of malicious content objects detected in the request (zero or greater).

For more details, refer to Uploaded content scanning.

cf.waf.content_scan.has_failed
Boolean

When true, the file scanner was unable to scan all the content objects detected in the request.

For more details, refer to Uploaded content scanning.

cf.waf.content_scan.num_obj
Integer

The number of content objects detected in the request (zero or greater).

For more details, refer to Uploaded content scanning.

cf.waf.content_scan.obj_sizes
Array<Integer>

An array of file sizes in bytes, in the order the content objects were detected in the request.

For more details, refer to Uploaded content scanning.

cf.waf.content_scan.obj_types
Array<String>

An array of file types in the order the content objects were detected in the request.

If Cloudflare cannot determine the file type of a content object, the corresponding value in the obj_typesarray will be application/octet-stream.

For more details, refer to Uploaded content scanning.

cf.waf.content_scan.obj_results
Array<String>

An array of scan results in the order the content objects were detected in the request.

The possible values are: clean, suspicious, infected, and not scanned.

For more details, refer to Uploaded content scanning.

cf.waf.score
Number

A global score from 1 to 99 that combines the score of each WAF attack vector into a single score.
This is the standard WAF attack score to detect variants of attack patterns.

cf.waf.score.sqli
Number

An attack score from 1 to 99 classifying the SQL injection (SQLi) attack vector.

cf.waf.score.xss
Number

An attack score from 1 to 99 classifying the cross-site scripting (XSS) attack vector.

cf.waf.score.rce
Number

An attack score from 1 to 99 classifying the command injection or Remote Code Execution (RCE) attack vector.

cf.waf.score.class
String

The attack score class of the current request, based on the WAF attack score.
Can have one of the following values: attack, likely_attack, likely_clean, clean.

cf.worker.upstream_zone
String

Identifies whether a request comes from a worker or not.

When a request comes from a worker, this field will hold the name of the zone for that worker. Otherwise cf.worker.upstream_zone is empty.

​​ Corporate Proxy

The Bot Management Corporate Proxy field contains identified cloud-based corporate proxies and secure web gateways that are Enterprise-only, and provide outbound security services to their clients.

You can access the Corporate Proxy field in custom rules, rate limiting rules, or Workers to provide different security rules for traffic from these sources. You can also exempt them from rules using Bot Management scores.

Example
not cf.bot_management.verified_bot
and not cf.bot_management.static_resource
and not cf.bot_management.corporate_proxy
and cf.bot_management.score lt 30

​​ Magic Firewall fields

Field NameDescription

cf.colo.name
String

The data center that is handling this traffic.
Example value: sfo06

cf.colo.region
String

Region of the data center that is handling this traffic.
Example value: WNAM

icmp
String

The raw ICMP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.

icmp.type
Number

The ICMP type. Only applies to ICMP packets.
Example value: 8

icmp.code
Number

The ICMP code. Only applies to ICMP packets.
Example value: 2

ip
String

The raw IP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.

ip.dst
IP Address

The destination address as specified in the IP packet.
Example value: 192.0.2.2

ip.dst.country
String

Represents the 2-letter country code associated with the server IP address in ISO 3166-1 Alpha 2 format.
Example value: GB

For more information on the ISO 3166-1 Alpha 2 format, refer to ISO 3166-1 Alpha 2 on Wikipedia.

ip.src.country
String

Represents the 2-letter country code associated with the client IP address in ISO 3166-1 Alpha 2 format.
Example value:
GB

For more information on the ISO 3166-1 Alpha 2 format, refer to ISO 3166-1 Alpha 2 on Wikipedia.

For Magic Firewall, the ip.geoip.country field (which is deprecated) will match on either source or destination address. The ip.geoip.country field is still available for new and existing rules, but you should use the ip.src.country and/or ip.dst.country fields instead.

ip.hdr_len
Number

The length of the IPv4 header in bytes.
Example value: 5

ip.len
Number

The length of the packet including the header.
Example value: 60

ip.opt.type
Number

The first byte of IP options field, if the options field is set.
Example value: 25

ip.proto
String

The transport layer for the packet, if it can be determined.
Example values: icmp, tcp

ip.src
IP Address

The source address of the IP Packet.

ip.src.country
String

Represents the 2-letter country code associated with the client IP address in ISO 3166-1 Alpha 2 format.
Example value: GB

For more information on the ISO 3166-1 Alpha 2 format, refer to ISO 3166-1 Alpha 2 on Wikipedia.

ip.ttl
Number

The time-to-live of the IP Packet.
Example values: 54

sip
Boolean

Determines if packets are valid L7 protocol SIP. Requires UDP packets to operate.
Use a guard clause as shown below to ensure the packet is UDP (wirefilter):
ip.proto == "udp"

tcp
String

The raw TCP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.

tcp.flags
Number

The numeric value of the TCP flags byte.

tcp.flags.ack
Boolean

TCP acknowledgment flag.

tcp.flags.cwr
Boolean

TCP congestion window reduced flag.

tcp.flags.ecn
Boolean

TCP ECN-Echo flag.

tcp.flags.fin
Boolean

TCP flag indicating this is the last packet from sender.

tcp.flags.push
Boolean

TCP push flag.

tcp.flags.reset
Boolean

TCP reset flag.

tcp.flags.syn
Boolean

TCP synchronize flag.

tcp.flags.urg
Boolean

TCP urgent flag.

tcp.srcport
Number

Source port number of the IP packet. Only applies to TCP packets.

tcp.dstport
Number

Destination port number of the IP packet. Only applies to TCP packets.

udp
String

The raw UDP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.

udp.dstport
Number

Destination port number of the IP packet. Only applies to UDP packets.

udp.srcport
Number

Source port number of the IP packet. Only applies to UDP packets.

​​ URI argument and value fields

The Cloudflare Rules language includes URI argument and value fields associated with HTTP requests. Many of these fields return arrays containing the respective values.

The Cloudflare Rules language supports these URI argument and value fields:

Field NameDescription
http.request.uri.args
Map<Array<String>>

Represents the HTTP URI arguments associated with a request as a Map (associative array).

When an argument repeats, then the array contains multiple items in the order they appear in the request.

The values are not pre-processed and retain the original case used in the request.

Decoding: no decoding performed
Non-ASCII: preserved

Example:
any(http.request.uri.args["search"][*] == "red+apples")

Example value:
{"search": ["red+apples"]}

http.request.uri.args.names
Array<String>

Represents the names of the arguments in the HTTP URI query string. The names are not pre-processed and retain the original case used in the request.

When a name repeats, the array contains multiple items in the order that they appear in the request.

Decoding: no decoding performed
Non-ASCII: preserved

Example:
any(http.request.uri.args.names[*] == "search")

Example value:
["search"]

http.request.uri.args.values
Array<String>

Represents the values of arguments in the HTTP URI query string. The values are not pre-processed and retain the original case used in the request. They are in the same order as in the request.

Duplicated values are listed multiple times.

Decoding: no decoding performed
Non-ASCII: preserved

Example:
any(http.request.uri.args.values[*] == "red+apples")

Example value:
["red+apples"]

raw.http.request.uri.args
Map<Array<String>>

Contains the same field values as http.request.uri.args.

raw.http.request.uri.args.names
Array<String>

Contains the same field values as http.request.uri.args.names.

raw.http.request.uri.args.values
Array<String>

Contains the same field values as http.request.uri.args.values.

​​ HTTP request header fields

The Rules language includes fields that represent properties of HTTP request headers. Many of these return arrays containing the respective values.

The Cloudflare Rules language supports these HTTP header fields:

Field NameDescription
http.request.headers
Map<Array<String>>

Represents HTTP request headers as a Map (or associative array).

The keys of the associative array are the names of HTTP request headers converted to lowercase.

When there are repeating headers, the array includes them in the order they appear in the request.

Decoding: no decoding performed
Whitespace: preserved
Non-ASCII: preserved

Example:
any(http.request.headers["content-type"][*] == "application/json")

Example value:
{"content-type": ["application/json"]}

http.request.headers.names
Array<String>

Represents the names of the headers in the HTTP request.

The names are not pre-processed and retain the original case used in the request.

Note: In HTTP/2 the names of HTTP headers are always in lowercase. Recent versions of the curl tool enable HTTP/2 by default for HTTPS connections.

The order of header names is not guaranteed but will match http.request.headers.values.

Duplicate headers are listed multiple times.

Decoding: no decoding performed
Whitespace: preserved
Non-ASCII: preserved

Example:
any(http.request.headers.names[*] == "content-type")

Example value: ["content-type"]

http.request.headers.values
Array<String>

Represents the values of the headers in the HTTP request.

The values are not pre-processed and retain the original case used in the request.

The order of header values is not guaranteed but will match http.request.headers.names.

Duplicate headers are listed multiple times.

Decoding: no decoding performed
Whitespace: preserved
Non-ASCII: preserved

Example 1:
any(http.request.headers.values[*] == "application/json")

Example value 1:
["application/json"]

Additionally used to match requests according to the specified operator and the length/size entered for the header value.

Example 2:
any(len(http.request.headers.values[*])[*] gt 10)

Example value 2:
["This header value is longer than 10 bytes"]

http.request.headers.truncated
Boolean

Returns true when the HTTP request contains too many headers; otherwise, returns false.

When true, http.request.headers, http.request.headers.names, and http.request.headers.values may not contain all of the headers sent in the HTTP request.

http.request.accepted_languages
Array<String>

Represents the list of language tags provided in the Accept-Language HTTP request header, sorted by weight (;q=<weight>, with a default weight of 1) in descending order.

If the HTTP header is not present in the request or is empty, http.request.accepted_languages[0] will return a "missing value", which the concat() function will handle as an empty string.

If the HTTP header includes the language tag * it will not be stored in the array.

Example 1:
Request with header Accept-Language: fr-CH, fr;q=0.8, en;q=0.9, de;q=0.7, *;q=0.5. In this case:
http.request.accepted_languages[0] == "fr-CH"
http.request.accepted_languages == ["fr-CH", "en", "fr", "de"]

Example 2:
Request without an Accept-Language HTTP header and a URI of https://www.example.com/my-path. In this case:
concat("/", http.request.accepted_languages[0], http.request.uri.path) == "//my-path".

Note: This field is only available in Transform Rules.

​​ HTTP request body fields

The Rules language includes fields that represent properties of an HTTP request body. Many of these return arrays containing the respective values.

The Cloudflare Rules language supports these HTTP body fields:

Field NameDescription
http.request.body.raw
String

Represents the unaltered HTTP request body.

When the value of http.request.body.truncated is true, the return value may be truncated.

Decoding: no decoding performed
Whitespace: preserved
Non-ASCII: preserved

http.request.body.truncated
Boolean

Indicates whether the HTTP request body is truncated.

When true, http.request.body fields may not contain all of the HTTP request body.

http.request.body.size
Number

The total size of the HTTP request body (in bytes).

Note: This field may have a value larger than the one returned by len(http.request.body.raw), since the http.request.body.raw field only considers the first 128 KB of the request.

http.request.body.form
Map<Array<String>>

Represents the HTTP request body of a form as a Map (or associative array). Populated when the Content-Type header is application/x-www-form-urlencoded.

The values are not pre-processed and retain the original case used in the request.

When a field repeats, then the array contains multiple items in the order they are in the request.

The return value may be truncated if http.request.body.truncated is true.

Decoding: no decoding performed
Whitespace: preserved
Non-ASCII: preserved

Example:
any(http.request.body.form["username"][*] == "admin")

Example value:
{username": ["admin"]}

http.request.body.form.names
Array<String>

Represents the names of the form fields in an HTTP request where the content type is application/x-www-form-urlencoded.

The names are not pre-processed and retain the original case used in the request. They are listed in the same order as in the request.

Duplicate names are listed multiple times.

The return value may be truncated if http.request.body.truncated is true.

Decoding: no decoding performed
Whitespace: preserved
Non-ASCII: preserved

Example:
any(http.request.body.form.names[*] == "username")

Example value:
["username"]

http.request.body.form.values
Array<String>

Represents the values of the form fields in an HTTP request where the content type is application/x-www-form-urlencoded.

The values are not pre-processed and retain the original case used in the request. They are listed in the same order as in the request.

Duplicated values are listed multiple times.

The return value may be truncated if http.request.body.truncated is true.

Decoding: no decoding performed
Whitespace: preserved
Non-ASCII: preserved

Example:
any(http.request.body.form.values[*] == "admin")

Example value:
["admin"]

http.request.body.mime
String

The MIME type of the request detected from the request body.

Supports the most common MIME types of the following general categories: video, audio, image, application, text.

Example:
image/jpeg

This field is available on all Cloudflare plans.

​​ HTTP response fields

The Rules language includes fields that represent properties of HTTP response returned by the origin or by a Worker script.

The Cloudflare Rules language supports these HTTP response fields:

Field NameDescription
http.response.code
Integer

Represents the HTTP status code returned to the client, either set by a Cloudflare product or returned by the origin server.

Example value:
403

http.response.headers
Map<Array<String>>

Represents HTTP response headers as a Map (or associative array).

When there are repeating headers, the array includes them in the order they appear in the response. The keys convert to lowercase.

Decoding: no decoding performed
Whitespace: preserved
Non-ASCII: preserved

Example:
any(http.response.headers["server"][*] == "nginx")

Example value:
{"server": ["nginx"]}

http.response.headers.names
Array<String>

Represents the names of the headers in the HTTP response. The names are not pre-processed and retain the original case used in the response.

The order of header names is not guaranteed but will match http.response.headers.values.

Duplicate headers are listed multiple times.

Decoding: no decoding performed
Whitespace: preserved
Non-ASCII: preserved

Example:
any(http.response.headers.names[*] == "content-type")

Example value: ["content-type"]

http.response.headers.values
Array<String>

Represents the values of the headers in the HTTP response.

The values are not pre-processed and retain the original case used in the response.

The order of header values is not guaranteed but will match http.response.headers.names.

Duplicate headers are listed multiple times.

Decoding: no decoding performed
Whitespace: preserved
Non-ASCII: preserved

Example 1:
any(http.response.headers.values[*] == "application/json")

Example value 1:
["application/json"]

Additionally used to match responses according to the specified operator and the length/size entered for the header value.

Example 2:
any(len(http.response.headers.values[*])[*] gt 10)

Example value 2:
["This header value is longer than 10 bytes"]

http.response.content_type.media_type
String

The lowercased content type (including subtype and suffix) without any parameters such as charset, based on the response's Content-Type header.

Example values
Content-Type headerField value
text/html"text/html"
text/html; charset=utf-8"text/html"
text/html+extra"text/html+extra"
text/html+extra; charset=utf-8"text/html+extra"
text/HTML"text/html"
text/html; charset=utf-8; other=value"text/html"
cf.response.1xxx_code
Integer

Contains the specific code for 1xxx Cloudflare errors. Use this field to differentiate between 1xxx errors associated with the same HTTP status code. The default value is 0. For a list of 1xxx errors, refer to Troubleshooting Cloudflare 1XXX errors.

Example value:
1020

Note: This field is only available in HTTP response header modifications and custom error responses.

cf.response.error_type
String

Contains a string with the type of error in the response being returned. The default value is an empty string ("").

The available values are the following:

  • managed_challenge
  • iuam
  • legacy_challenge
  • ip_ban
  • waf
  • 5xx
  • 1xxx
  • always_online
  • country_challenge
  • ratelimit

You can use this field to customize the response for a specific type of error (for example, all 1xxx errors or all WAF block actions).

Note: This field is only available in HTTP response header modifications and custom error responses.


GeoIP is the registered trademark of MaxMind, Inc.