Fields
The Cloudflare Firewall Rules language supports a range of field types:
- Standard fields represent common, typically static properties of an HTTP request.
- Dynamic fields represent computed or derived values, typically related to Cloudflare threat intelligence about the request.
- URI argument and value fields are extracted from the request.
- HTTP header fields represent the names and values associated with HTTP request headers.
- HTTP body fields represent the properties of an HTTP request body, including forms, for example.
Standard fields
Most standard fields use the same naming conventions as Wireshark display fields. However, there are some subtle differences between Cloudflare and Wireshark:
Wireshark supports CIDR (Classless Inter-Domain Routing) notation for expressing IP address ranges in equality comparisons (
ip.src == 1.2.3.0/24, for example). Cloudflare does not.To evaluate a range of addresses using CIDR notation, use the
incomparison operator as in this example:ip.src in {1.2.3.0/24 4.5.6.0/24}.In Wireshark,
sslis a protocol field containing hundreds of other fields of various types that are available for comparison in multiple ways. However, in Firewall Rulessslis a single Boolean field that indicates whether the connection from the client to Cloudflare is encrypted.The Cloudflare Firewall Rules language does not support the
sliceoperator.
The Cloudflare Firewall Rules language supports these standard fields:
| Field | Description |
|---|---|
http.cookieString | Represents the entire cookie as a string. Example value: |
http.hostString | Represents the host name used in the full request URI. Example value: |
http.refererString | Represents the HTTP Referer request header, which contains the address of the web page that linked to the currently requested page. Example value: |
http.request.full_uriString | Represents the full URI as received by the web server (does not include Example value: |
http.request.methodString | Represents the HTTP method, returned as a string of uppercase characters. Example value: |
http.request.cookiesMap<String><Array> | Represents the Cookie values are not pre-processed and retain the case used in the request. Decoding: Cookie names are URL decoded. If two cookies have the same name after decoding, their value arrays are merged. Example: Example value: |
http.request.timestamp.secInteger | Represents the timestamp when Cloudflare received the request, expressed as Unix time in seconds. This value is 10 digits long. Example value: When validating HMAC tokens in an expression, pass this field as the currentTimestamp argument to the |
http.request.uriString | Represents the URI path and query string of the request. Example value: |
http.request.uri.pathString | Represents the URI path of the request. Example value: |
http.request.uri.queryString | Represents the entire query string, without the Example value: |
http.user_agentString | Represents the HTTP user agent, a request header that contains a characteristic string to allow identification of the client operating system and web browser. Example value: |
http.request.versionNumber | Represents the version of the HTTP protocol used. Use this field when you require different checks for different versions. Example Values:
|
http.x_forwarded_forString | Represents the full Example value: |
ip.srcIP address | Represents the client TCP IP address, which may be adjusted to reflect the actual address of the client by using, for example, HTTP headers such as Example value: |
ip.geoip.asnumNumber | Represents the 16- or 32-bit integer representing the Autonomous System (AS) number associated with client IP address. |
ip.geoip.continentString | Represents the continent code associated with client IP address:
|
ip.geoip.countryString | Represents the 2-letter country code in ISO 3166-1 Alpha 2 format. Example value: For more information on the ISO 3166-1 Alpha 2 format, see ISO 3166-1 Alpha 2 on Wikipedia. |
ip.geoip.subdivision_1_iso_codeString | Represents the ISO 3166-2 code for the first level region associated with the IP address. When the actual value is not available, this field contains an empty string. Example value: For more information on the ISO 3166-2 standard and the available regions, see ISO 3166-2 on Wikipedia. |
ip.geoip.subdivision_2_iso_codeString | Represents the ISO 3166-2 code for the second level region associated with the IP address. When the actual value is not available, this field contains an empty string. Example value: For more information on the ISO 3166-2 standard and the available regions, see ISO 3166-2 on Wikipedia. |
ip.geoip.is_in_european_unionBoolean | Returns |
raw.http.request.full_uriString | Similar to the Note: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future. |
raw.http.request.uriString | Similar to the Note: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future. |
raw.http.request.uri.pathString | Similar to the Note: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future. |
raw.http.request.uri.queryString | Similar to the Note: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future. |
sslBoolean | Returns |
Dynamic fields
Dynamic fields represent computed or derived values, typically related to threat intelligence about an HTTP request.
The Cloudflare Firewall Rules language supports these dynamic fields:
| Field Name | Description |
|---|---|
| When |
| Represents the likelihood that a request originates from a bot using a score from 1–99. A low score indicates that the request comes from a bot or an automated agent. A high score indicates that a human issued the request. |
cf.client.botBoolean | When |
cf.edge.server_ipIP Address | Represents the edge IP address to which the HTTP request has resolved to. This field is only meaningful for BYOIP customers. |
cf.edge.server_portNumber | Represents the port number at which Cloudflare's network received the request. Use this field to filter traffic on a specific port. The value is a port number in the range 1–65535. |
cf.threat_scoreNumber | Represents a Cloudflare threat score from 0–100, where 0 indicates low risk. Values above 10 may represent spammers or bots, and values above 40 identify bad actors on the internet. It is rare to see values above 60. A common recommendation is to challenge requests with a score above 10 and to block those above 50. |
cf.tls_client_auth.cert_revokedBoolean | Returns When |
cf.tls_client_auth.cert_verifiedBoolean | Returns Also returns |
cf.worker.upstream_zone String | Identifies whether a request comes from a worker or not. When a request comes from a worker, this field will hold the name of the zone for that worker. Otherwise |
Magic Firewall Fields
| Field Name | Description |
|---|---|
| The data center that is handling this traffic. Example value: sfo06 |
| Region of the data center that is handling this traffic. Example value: WNAM |
| The raw ICMP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking. |
| The ICMP type. Only applies to ICMP packets. Example value: 8 |
| The ICMP code. Only applies to ICMP packets. Example value: 2 |
| The raw IP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking. |
| The destination address as specified in the IP packet. Example value: 192.0.2.2 |
| Represents the 2-letter country code associated with the client IP address in ISO 3166-1 Alpha 2 format. Example value: GBFor more information on the ISO 3166-1 Alpha 2 format, see ISO 3166-1 Alpha 2 on Wikipedia. |
| The length of the IPv4 header in bytes. Example value: 5 |
| The length of the packet. Example value: 60 |
| The first byte of IP options field, if the options field is set. Example value: 25 |
| The transport layer for the packet, if it can be determined. Example values: icmp, tcp |
| The source address of the IP Packet. |
| The time-to-live of the IP Packet. Example values: 54 |
| The raw TCP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking. |
| The numeric value of the TCP flags byte. |
| TCP acknowledgment flag. |
| TCP congestion window reduced flag. |
| TCP ECN-Echo flag. |
| TCP flag indicating this is the last packet from sender. |
| TCP push flag. |
| TCP reset flag. |
| TCP synchronize flag. |
| TCP urgent flag. |
| Source port number of the IP packet. Only applies to TCP packets. |
| Destination port number of the IP packet. Only applies to TCP packets. |
| The raw UDP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking. |
| Destination port number of the IP packet. Only applies to UDP packets. |
| Source port number of the IP packet. Only applies to UDP packets. |
URI argument and value fields
The Cloudflare Firewall Rules language includes URI argument and value fields associated with HTTP requests. Many of these fields return arrays containing the respective values.
The Cloudflare Firewall Rules language supports these URI argument and value fields:
| Field Name | Description |
http.request.uri.argsMap<String><Array> | Represents the HTTP URI arguments associated with a request as a Map (associative array). When an argument repeats, then the array contains multiple items in the order they appear in the request. Values are not pre-processed and retain the case used in the request. Decoding: no decoding performed Example: Example value: |
http.request.uri.args.namesArray<String> | Represents the names of the arguments in the HTTP URI query string. Names are not pre-processed and retain the case used in the request. When a name repeats, the array contains multiple items in the order that they appear in the request. Decoding: no decoding performed Example: Example value: |
http.request.uri.args.valuesArray<String> | Represents the values of arguments in the HTTP URI query string. Values are not pre-processed and retain the case used in the request. They are in the same order as in the request. Duplicated values are listed multiple times. Decoding: no decoding performed Example: Example value: |
raw.http.request.uri.argsMap<String><Array> | Contains the same field values as |
raw.http.request.uri.args.namesArray<String> | Contains the same field values as |
raw.http.request.uri.args.valuesArray<String> | Contains the same field values as |
HTTP header fields
The Firewall Rules language includes fields that represent properties of HTTP request headers. Many of these return arrays containing the respective values.
The Cloudflare Firewall Rules language supports these HTTP header fields:
| Field Name | Description |
http.request.headersMap<String><Array> | Represents HTTP request headers as a Map (or associative array). When there are repeating headers, the array includes them in the order they appear in the request. The keys convert to lowercase. Decoding: no decoding performed Example: Example value: |
http.request.headers.namesArray<String> | Represents the names of the headers in the HTTP request. The names are not pre-processed and retain the case used in the request. The order of header names is not guaranteed but will match Duplicate headers are listed multiple times. Decoding: no decoding performed Example: Example value: |
http.request.headers.valuesArray<String> | Represents the values of the headers in the HTTP request. Values are not pre-processed and retain the case used in the request. The order of header values is not guaranteed but will match Duplicate headers are listed multiple times. Decoding: no decoding performed Example 1: Example value 1: Additionally used for logging requests according to the specified operator and the length/size entered for the header value. Example 2: Example value 2: |
http.request.headers.truncatedBoolean | Returns When |
HTTP body fields
The Firewall Rules language includes fields that represent properties of an HTTP request body. Many of these return arrays containing the respective values.
The Cloudflare Firewall Rules language supports these HTTP body fields:
| Field Name | Description |
http.request.body.rawString | Represents the unaltered HTTP request body. When the value of Decoding: no decoding performed |
http.request.body.truncatedBoolean | Indicates whether the HTTP request body is truncated. When true, |
http.request.body.formMap<String><Array> | Represents the HTTP request body of a form as a Map (or associative array). Populated when the Values are not pre-processed and retain the case used in the request. When a field repeats, then the array contains multiple items in the order they are in the request. The return value may be truncated if Decoding: no decoding performed Example: Example value: |
http.request.body.form.namesArray<String> | Represents the names of the form fields in an HTTP request where the content type is Names are not pre-processed and retain the case found in the request. They are listed in the same order as in the request. Duplicate names are listed multiple times. The return value may be truncated if Decoding: no decoding performed Example: Example value: |
http.request.body.form.valuesArray<String> | Represents the values of the form fields in an HTTP request where the content type is Values are not pre-processed and retain the case used in the request. They are in the same order as in the request. Duplicated values are listed multiple times. The return value may be truncated if Decoding: no decoding performed Example: Example value: |
GeoIP is the registered trademark of MaxMind, Inc.