Fields reference
The Cloudflare Rules language supports a range of field types:
- Standard fields represent common, typically static properties of an HTTP request.
- Dynamic fields represent computed or derived values, typically related to Cloudflare threat intelligence about the request.
- URI argument and value fields are extracted from the request.
- HTTP request header fields represent the names and values associated with HTTP request headers.
- HTTP request body fields represent the properties of an HTTP request body, including forms, for example.
- HTTP response fields represent the names and values of HTTP headers and the status code of the HTTP response.
Standard fields
Most standard fields use the same naming conventions as Wireshark display fields. However, there are some subtle differences between Cloudflare and Wireshark:
Wireshark supports CIDR (Classless Inter-Domain Routing) notation for expressing IP address ranges in equality comparisons (
ip.src == 1.2.3.0/24
, for example). Cloudflare does not.To evaluate a range of addresses using CIDR notation, use the
in
comparison operator as in this example:ip.src in {1.2.3.0/24 4.5.6.0/24}
.In Wireshark,
ssl
is a protocol field containing hundreds of other fields of various types that are available for comparison in multiple ways. However, in the Rules languagessl
is a single Boolean field that indicates whether the connection from the client to Cloudflare is encrypted.The Cloudflare Rules language does not support the
slice
operator.
The Cloudflare Rules language supports these standard fields:
Field | Description | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
http.cookie String | Represents the entire cookie as a string. Example value: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
http.host String | Represents the hostname used in the full request URI. Example value: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
http.referer String | Represents the HTTP Referer request header, which contains the address of the web page that linked to the currently requested page. Example value: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
http.request.full_uri String | Represents the full URI as received by the web server (does not include Example value: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
http.request.method String | Represents the HTTP method, returned as a string of uppercase characters. Example value: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
http.request.cookies Map<String><Array> | Represents the The cookie values are not pre-processed and retain the original case used in the request. Decoding: The cookie names are URL decoded. If two cookies have the same name after decoding, their value arrays are merged. Example: Example value: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
http.request.timestamp.sec Integer | Represents the timestamp when Cloudflare received the request, expressed as Unix time in seconds. This value is 10 digits long. To obtain the timestamp milliseconds, use the Example value: When validating HMAC tokens in an expression, pass this field as the currentTimestamp argument to the | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
http.request.timestamp.msec Integer | Represents the millisecond when Cloudflare received the request, between 0 and 999. To obtain the complete timestamp, use both Example value: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
http.request.uri String | Represents the URI path and query string of the request. Example value: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
http.request.uri.path String | Represents the URI path of the request. Example value: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
http.request.uri.path.extension String | The lowercased file extension in the URI path without the dot ( | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
http.request.uri.query String | Represents the entire query string, without the Example value: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
http.user_agent String | Represents the HTTP user agent, a request header that contains a characteristic string to allow identification of the client operating system and web browser. Example value: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
http.request.version String | Represents the version of the HTTP protocol used. Use this field when you require different checks for different versions. Example Values:
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
http.x_forwarded_for String | Represents the full Example value: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ip.src IP address | Represents the client TCP IP address, which may be adjusted to reflect the actual address of the client by using, for example, HTTP headers such as
Example value: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ip.src.lat String | Represents the latitude associated with the client IP address. Example value: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ip.src.lon String | Represents the longitude associated with the client IP address. Example value: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ip.src.city String | Represents the city associated with the client IP address. Example value: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ip.src.postal_code String | Represents the postal code associated with the incoming request. Example value: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ip.src.metro_code String | Represents the metro code or Designated Market Area (DMA) code associated with the incoming request. Example value: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ip.src.region String | Represents the region name associated with the incoming request. Example value: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ip.src.region_code String | Represents the region code associated with the incoming request. Example value: | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ip.src.timezone.name String | Represents the name of the timezone associated with the incoming request. Example value: This field is only available in rewrite expressions of Transform Rules. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ip.src.asnum Number | Represents the 16- or 32-bit integer representing the Autonomous System (AS) number associated with client IP address. Note: This field has the same value as the | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ip.src.continent String | Represents the continent code associated with client IP address:
Note: This field has the same value as the | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ip.src.country String | Represents the 2-letter country code in ISO 3166-1 Alpha 2 format. Example value: For more information on the ISO 3166-1 Alpha 2 format, refer to ISO 3166-1 Alpha 2 on Wikipedia. Note: This field has the same value as the | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ip.src.subdivision_1_iso_code String | Represents the ISO 3166-2 code for the first level region associated with the IP address. When the actual value is not available, this field contains an empty string. Example value: For more information on the ISO 3166-2 standard and the available regions, refer to ISO 3166-2 on Wikipedia. Note: This field has the same value as the | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ip.src.subdivision_2_iso_code String | Represents the ISO 3166-2 code for the second level region associated with the IP address. When the actual value is not available, this field contains an empty string. Example value: For more information on the ISO 3166-2 standard and the available regions, refer to ISO 3166-2 on Wikipedia. Note: This field has the same value as the | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ip.src.is_in_european_union Boolean | Returns This list was obtained from MaxMind’s GeoIP2 database on 2023-12-05. This information is maintained by MaxMind. For details on obtaining up-to-date country information, refer to MaxMind GeoLite2 Free Geolocation Data. Note: This field has the same value as the | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
raw.http.request.full_uri String | Similar to the Note: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
raw.http.request.uri String | Similar to the Note: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
raw.http.request.uri.path String | Similar to the Note: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
raw.http.request.uri.path.extension String | Similar to the | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
raw.http.request.uri.query String | Similar to the Note: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
ssl Boolean | Returns |
Dynamic fields
Dynamic fields represent computed or derived values, typically related to threat intelligence about an HTTP request.
The Cloudflare Rules language supports these dynamic fields:
Field Name | Description |
---|---|
| When |
| Provides the type and purpose of a verified bot. For more details, refer to Verified Bot Categories. |
| Represents the likelihood that a request originates from a bot using a score from 1–99. A low score indicates that the request comes from a bot or an automated agent. A high score indicates that a human issued the request. |
| Indicates whether static resources should be included when you create a rule using For more details, refer to Static resource protection. |
| Provides an SSL/TLS fingerprint to help you identify potential bot requests. For more details, refer to JA3 Fingerprints. |
| Indicates whether the visitor has previous passed a JS Detection. For more details, refer to JavaScript detections. |
| List of IDs that correlate to the Bot Management heuristic detections made on a request (you can have multiple heuristic detections on the same request). Use this field to explicitly match a specific heuristic or to exclude a heuristic in a rule. Example: |
cf.client.bot Boolean | When |
cf.edge.server_ip IP Address | Represents the global network's IP address to which the HTTP request has resolved to. This field is only meaningful for BYOIP customers. |
cf.edge.server_port Number | Represents the port number at which the Cloudflare global network received the request. Use this field to filter traffic on a specific port. The value is a port number in the range 1–65535. |
cf.hostname.metadata String | Returns the string representation of the per-hostname custom metadata JSON object set by SSL for SaaS customers. |
cf.random_seed Bytes | Returns per-request random bytes that you can use in the |
cf.ray_id String | The Ray ID of the current request. A Ray ID is an identifier given to every request that goes through Cloudflare. |
cf.threat_score Number | Represents a Cloudflare threat score from 0–100, where 0 indicates low risk. Values above 10 may represent spammers or bots, and values above 40 identify bad actors on the Internet. It is rare to see values above 60. A common recommendation is to challenge requests with a score above 10 and to block those above 50. |
cf.tls_cipher String | The cipher for the connection to Cloudflare. Example: |
cf.tls_client_auth.cert_revoked Boolean | Returns When |
cf.tls_client_auth.cert_verified Boolean | Returns Also returns |
cf.tls_client_auth.cert_presented Boolean | Returns |
cf.tls_client_auth.cert_issuer_dn String | The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate included in the request. Example: |
cf.tls_client_auth.cert_subject_dn String | The Distinguished Name (DN) of the owner (or requester) of the certificate included in the request. Example: |
cf.tls_client_auth.cert_issuer_dn_rfc2253 String | The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in RFC 2253 format. Example: |
cf.tls_client_auth.cert_subject_dn_rfc2253 String | The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in RFC 2253 format. Example: |
cf.tls_client_auth.cert_issuer_dn_legacy String | The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in a legacy format. Example: |
cf.tls_client_auth.cert_subject_dn_legacy String | The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in a legacy format. Example: |
cf.tls_client_auth.cert_serial String | Serial number of the certificate in the request. Example: |
cf.tls_client_auth.cert_issuer_serial String | Serial number of the direct issuer of the certificate in the request. Example: |
cf.tls_client_auth.cert_fingerprint_sha256 String | The SHA-256 fingerprint of the certificate in the request. Example: |
cf.tls_client_auth.cert_fingerprint_sha1 String | The SHA-1 fingerprint of the certificate in the request. Example: |
cf.tls_client_auth.cert_not_before String | The certificate in the request is not valid before this date. Example: |
cf.tls_client_auth.cert_not_after String | The certificate in the request is not valid after this date. Example: |
cf.tls_client_auth.cert_ski String | The Subject Key Identifier (SKI) of the certificate in the request. Example: |
cf.tls_client_auth.cert_issuer_ski String | The Subject Key Identifier (SKI) of the direct issuer of the certificate in the request. Example: |
cf.tls_version String | The TLS version of the connection to Cloudflare. Example: |
cf.waf.score Number | A global score from 1 to 99 that combines the score of each WAF attack vector into a single score. |
cf.waf.score.sqli Number | An attack score from 1 to 99 classifying the SQL injection (SQLi) attack vector. |
cf.waf.score.xss Number | An attack score from 1 to 99 classifying the cross-site scripting (XSS) attack vector. |
cf.waf.score.rce Number | An attack score from 1 to 99 classifying the command injection or Remote Code Execution (RCE) attack vector. |
cf.waf.score.class String | The attack score class of the current request, based on the WAF attack score. |
cf.worker.upstream_zone String | Identifies whether a request comes from a worker or not. When a request comes from a worker, this field will hold the name of the zone for that worker. Otherwise |
Magic Firewall fields
Field Name | Description |
---|---|
| The data center that is handling this traffic. Example value: sfo06 |
| Region of the data center that is handling this traffic. Example value: WNAM |
| The raw ICMP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking. |
| The ICMP type. Only applies to ICMP packets. Example value: 8 |
| The ICMP code. Only applies to ICMP packets. Example value: 2 |
| The raw IP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking. |
| The destination address as specified in the IP packet. Example value: 192.0.2.2 |
| Represents the 2-letter country code associated with the server IP address in ISO 3166-1 Alpha 2 format. Example value: GB For more information on the ISO 3166-1 Alpha 2 format, refer to ISO 3166-1 Alpha 2 on Wikipedia. |
| Represents the 2-letter country code associated with the client IP address in ISO 3166-1 Alpha 2 format. For more information on the ISO 3166-1 Alpha 2 format, refer to ISO 3166-1 Alpha 2 on Wikipedia. For Magic Firewall, the |
| The length of the IPv4 header in bytes. Example value: 5 |
| The length of the packet including the header. Example value: 60 |
| The first byte of IP options field, if the options field is set. Example value: 25 |
| The transport layer for the packet, if it can be determined. Example values: icmp , tcp |
| The source address of the IP Packet. |
| Represents the 2-letter country code associated with the client IP address in ISO 3166-1 Alpha 2 format. Example value: GB For more information on the ISO 3166-1 Alpha 2 format, refer to ISO 3166-1 Alpha 2 on Wikipedia. |
| The time-to-live of the IP Packet. Example values: 54 |
| Determines if packets are valid L7 protocol SIP. Requires UDP packets to operate. Use a guard clause as shown below to ensure the packet is UDP (wirefilter): ip.proto == "udp" |
| The raw TCP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking. |
| The numeric value of the TCP flags byte. |
| TCP acknowledgment flag. |
| TCP congestion window reduced flag. |
| TCP ECN-Echo flag. |
| TCP flag indicating this is the last packet from sender. |
| TCP push flag. |
| TCP reset flag. |
| TCP synchronize flag. |
| TCP urgent flag. |
| Source port number of the IP packet. Only applies to TCP packets. |
| Destination port number of the IP packet. Only applies to TCP packets. |
| The raw UDP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking. |
| Destination port number of the IP packet. Only applies to UDP packets. |
| Source port number of the IP packet. Only applies to UDP packets. |
URI argument and value fields
The Cloudflare Rules language includes URI argument and value fields associated with HTTP requests. Many of these fields return arrays containing the respective values.
The Cloudflare Rules language supports these URI argument and value fields:
Field Name | Description |
---|---|
http.request.uri.args Map<String><Array> | Represents the HTTP URI arguments associated with a request as a Map (associative array). When an argument repeats, then the array contains multiple items in the order they appear in the request. The values are not pre-processed and retain the original case used in the request. Decoding: no decoding performed Example: Example value: |
http.request.uri.args.names Array<String> | Represents the names of the arguments in the HTTP URI query string. The names are not pre-processed and retain the original case used in the request. When a name repeats, the array contains multiple items in the order that they appear in the request. Decoding: no decoding performed Example: Example value: |
http.request.uri.args.values Array<String> | Represents the values of arguments in the HTTP URI query string. The values are not pre-processed and retain the original case used in the request. They are in the same order as in the request. Duplicated values are listed multiple times. Decoding: no decoding performed Example: Example value: |
raw.http.request.uri.args Map<String><Array> | Contains the same field values as |
raw.http.request.uri.args.names Array<String> | Contains the same field values as |
raw.http.request.uri.args.values Array<String> | Contains the same field values as |
HTTP request header fields
The Rules language includes fields that represent properties of HTTP request headers. Many of these return arrays containing the respective values.
The Cloudflare Rules language supports these HTTP header fields:
Field Name | Description |
---|---|
http.request.headers Map<String><Array> | Represents HTTP request headers as a Map (or associative array). The keys of the associative array are the names of HTTP request headers converted to lowercase. When there are repeating headers, the array includes them in the order they appear in the request. Decoding: no decoding performed Example: Example value: |
http.request.headers.names Array<String> | Represents the names of the headers in the HTTP request. The names are not pre-processed and retain the original case used in the request. Note: In HTTP/2 the names of HTTP headers are always in lowercase. Recent versions of the The order of header names is not guaranteed but will match Duplicate headers are listed multiple times. Decoding: no decoding performed Example: Example value:
|
http.request.headers.values Array<String> | Represents the values of the headers in the HTTP request. The values are not pre-processed and retain the original case used in the request. The order of header values is not guaranteed but will match Duplicate headers are listed multiple times. Decoding: no decoding performed Example 1: Example value 1: Additionally used to match requests according to the specified operator and the length/size entered for the header value. Example 2: Example value 2: |
http.request.headers.truncated Boolean | Returns When |
http.request.accepted_languages Array<String> | Represents the list of language tags provided in the If the HTTP header is not present in the request or is empty, If the HTTP header includes the language tag Example 1: Example 2: Note: This field is only available in Transform Rules. |
HTTP request body fields
The Rules language includes fields that represent properties of an HTTP request body. Many of these return arrays containing the respective values.
The Cloudflare Rules language supports these HTTP body fields:
Field Name | Description |
---|---|
http.request.body.raw String | Represents the unaltered HTTP request body. When the value of Decoding: no decoding performed |
http.request.body.truncated Boolean | Indicates whether the HTTP request body is truncated. When true, |
http.request.body.size Number | The total size of the HTTP request body (in bytes). Note: This field may have a value larger than the one returned by |
http.request.body.form Map<String><Array> | Represents the HTTP request body of a form as a Map (or associative array). Populated when the The values are not pre-processed and retain the original case used in the request. When a field repeats, then the array contains multiple items in the order they are in the request. The return value may be truncated if Decoding: no decoding performed Example: Example value: |
http.request.body.form.names Array<String> | Represents the names of the form fields in an HTTP request where the content type is The names are not pre-processed and retain the original case used in the request. They are listed in the same order as in the request. Duplicate names are listed multiple times. The return value may be truncated if Decoding: no decoding performed Example: Example value: |
http.request.body.form.values Array<String> | Represents the values of the form fields in an HTTP request where the content type is The values are not pre-processed and retain the original case used in the request. They are listed in the same order as in the request. Duplicated values are listed multiple times. The return value may be truncated if Decoding: no decoding performed Example: Example value: |
http.request.body.mime String | The MIME type of the request detected from the request body. Supports the most common MIME types of the following general categories: video, audio, image, application, text. Example: This field is available on all Cloudflare plans. |
HTTP response fields
The Rules language includes fields that represent properties of HTTP response returned by the origin or by a Worker script.
The Cloudflare Rules language supports these HTTP response fields:
Field Name | Description | ||||||||||||||
---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
http.response.code Integer | Represents the HTTP status code returned to the client, either set by a Cloudflare product or returned by the origin server. Example value: | ||||||||||||||
http.response.headers Map<String><Array> | Represents HTTP response headers as a Map (or associative array). When there are repeating headers, the array includes them in the order they appear in the response. The keys convert to lowercase. Decoding: no decoding performed Example: Example value: | ||||||||||||||
http.response.headers.names Array<String> | Represents the names of the headers in the HTTP response. The names are not pre-processed and retain the original case used in the response. The order of header names is not guaranteed but will match Duplicate headers are listed multiple times. Decoding: no decoding performed Example: Example value:
| ||||||||||||||
http.response.headers.values Array<String> | Represents the values of the headers in the HTTP response. The values are not pre-processed and retain the original case used in the response. The order of header values is not guaranteed but will match Duplicate headers are listed multiple times. Decoding: no decoding performed Example 1: Example value 1: Additionally used to match responses according to the specified operator and the length/size entered for the header value. Example 2: Example value 2: | ||||||||||||||
http.response.content_type.media_type String | The lowercased content type (including subtype and suffix) without any parameters such as | ||||||||||||||
cf.response.1xxx_code Integer | Contains the specific code for 1xxx Cloudflare errors. Use this field to differentiate between 1xxx errors associated with the same HTTP status code. The default value is Example value: Note: This field is only available in HTTP response header modifications and custom error responses. | ||||||||||||||
cf.response.error_type String | Contains a string with the type of error in the response being returned. The default value is an empty string ( The available values are the following:
You can use this field to customize the response for a specific type of error (for example, all 1xxx errors or all WAF block actions). Note: This field is only available in HTTP response header modifications and custom error responses. |
GeoIP is the registered trademark of MaxMind, Inc.