Skip to content
Cloudflare Docs
Firewall
Cloudflare Docs
Firewall
GitHub icon
Visit Firewall on GitHub
Set theme to dark (⇧+D)

Fields

The Cloudflare Firewall Rules language supports a range of field types:

Standard fields

Most standard fields use the same naming conventions as Wireshark display fields. However, there are some subtle differences between Cloudflare and Wireshark:

  • Wireshark supports CIDR (Classless Inter-Domain Routing) notation for expressing IP address ranges in equality comparisons (ip.src == 1.2.3.0/24, for example). Cloudflare does not.

    To evaluate a range of addresses using CIDR notation, use the in comparison operator as in this example: ip.src in {1.2.3.0/24 4.5.6.0/24}.

  • In Wireshark, ssl is a protocol field containing hundreds of other fields of various types that are available for comparison in multiple ways. However, in Firewall Rules ssl is a single Boolean field that indicates whether the connection from the client to Cloudflare is encrypted.

  • The Cloudflare Firewall Rules language does not support the slice operator.

The Cloudflare Firewall Rules language supports these standard fields:

FieldDescription
http.cookie
String

Represents the entire cookie as a string.

Example value:
session=8521F670545D7865F79C3D7BEDC29CCE;-background=light

http.host
String

Represents the host name used in the full request URI.

Example value:
www.example.org

http.referer
String

Represents the HTTP Referer request header, which contains the address of the web page that linked to the currently requested page.

Example value:
Referer: htt­ps://developer.example.org/en-US/docs/Web/JavaScript

http.request.full_uri
String

Represents the full URI as received by the web server (does not include #fragment, which is not sent to web servers).

Example value:
htt­ps://www.example.org/articles/index?section=539061&expand=comments

http.request.method
String

Represents the HTTP method, returned as a string of uppercase characters.

Example value:
GET

http.request.timestamp.sec
Integer

Represents the timestamp when Cloudflare received the request, expressed as Unix time in seconds. This value is 10 digits long.

Example value:
1484063137

When validating HMAC tokens in an expression, pass this field as the currentTimestamp argument to the is_timed_hmac_valid_v() validation function.

http.request.uri
String

Represents the absolute URI of the request.

Example value:
/articles/index?section=539061&expand=comments

http.request.uri.path
String

Represents the URI path of the request.

Example value:
/articles/index

http.request.uri.query
String

Represents the entire query string, without the ? delimiter.

Example value:
section=539061&expand=comments

http.user_agent
String

Represents the HTTP user agent, a request header that contains a characteristic string to allow identification of the client operating system and web browser.

Example value:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

http.version
Number

Represents the version of the HTTP protocol used. Use this field when you require different checks for different versions.

Example Values:

  • HTTP/1.1
  • HTTP/3

http.x_forwarded_for
String

Represents the full X-Forwarded-For HTTP header.

Example value:
203.0.113.195, 70.41.3.18

ip.src
IP address

Represents the client TCP IP address, which may be adjusted to reflect the actual address of the client by using, for example, HTTP headers such asX-Forwarded-For or X-Real-IP.

Example value:
93.184.216.34

ip.geoip.asnum
Number

Represents the 16- or 32-bit integer representing the Autonomous System (AS) number associated with client IP address.

ip.geoip.continent
String		Represents the continent code associated with client IP address:
  • AF – Africa
  • AN – Antarctica
  • AS – Asia
  • EU – Europe
  • NA – North America
  • OC – Oceania
  • SA – South America
  • T1 – Tor network
ip.geoip.country
String

Represents the 2-letter country code in ISO 3166-1 Alpha 2 format.

Example value:
GB

ip.geoip.subdivision_1_iso_code
String

Represents the ISO 3166-2 code for the first level region associated with the IP address. When the actual value is not available, this field contains an empty string.

Example value:
GB-ENG

ip.geoip.subdivision_2_iso_code
String

Represents the ISO 3166-2 code for the second level region associated with the IP address. When the actual value is not available, this field contains an empty string.

Example value:
GB-SWK

ip.geoip.is_in_european_union
Boolean

Returns true when the request originates from an EU country.

ssl
Boolean

Returnstrue when the HTTP connection to the client is encrypted.

Dynamic fields

Dynamic fields represent computed or derived values, typically related to threat intelligence about an HTTP request.

The Cloudflare Firewall Rules language supports these dynamic fields:

Field NameDescription

cf.bot_management.verified_bot
Boolean

When true, this field indicates the request originated from a known bot or crawler. It does not identify good or bad intent.

cf.client.bot
Boolean

When true, this field indicates the client of a request is a known good bot.

cf.edge.server_port
Number

Represents the port number at which Cloudflare's network received the request.

Use this field to filter traffic on a specific port. The value is a port number in the range 1–65535.

cf.threat_score
Number

Represents a Cloudflare threat score from 0–100, where 0 indicates low risk. Values above 10 may represent spammers or bots, and values above 40 identify bad actors on the internet.

It is rare to see values above 60. A common recommendation is to challenge requests with a score above 10 and to block those above 50.

cf.tls_client_auth.cert_verified
Boolean		Returns true when a request presents a valid client certificate.
cf.worker.upstream_zone
String

Identifies whether a request comes from a worker or not.

When a request comes from a worker, this field will hold the name of the zone for that worker. Otherwise cf.worker.upstream_zone is empty

Magic Firewall Fields

Field NameDescription

cf.colo.name
String

The data center that is handling this traffic.
Example value: sfo06

cf.colo.region
String

Region of the data center that is handling this traffic.
Example value: WNAM

ip
String

The raw IP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.

ip.dst
IP Address

The destination address as specified in the IP packet.
Example value:192.0.2.2

ip.len
Number

The length of the packet.
Example value:60

ip.proto
String

The transport layer for the packet, if it can be determined.
Example values: icmp, tcp

ip.src
IP Address

The source address of the IP Packet.

tcp
String

The raw TCP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.

tcp.flags.ack
Boolean

TCP acknowledgment flag.

tcp.flags.cwr
Boolean

TCP congestion window reduced flag.

tcp.flags.ecn
Boolean

TCP ECN-Echo flag.

tcp.flags.fin
Boolean

TCP flag indicating this is the last packet from sender.

tcp.flags.push
Boolean

TCP push flag.

tcp.flags.reset
Boolean

TCP reset flag.

tcp.flags.syn
Boolean

TCP synchronize flag.

tcp.flags.urg
Boolean

TCP urgent flag.

tcp.srcport
Number

Source port number of the IP packet. Only applies to TCP packets.

tcp.dstport
Number

Destination port number of the IP packet. Only applies to TCP packets.

udp.dstport
Number

Destination port number of the IP packet. Only applies to UDP packets.

udp.srcport
Number

Source port number of the IP packet. Only applies to UDP packets.

URI argument and value fields

The Cloudflare Firewall Rules language includes URI argument and value fields associated with HTTP requests. Many of these fields return arrays containing the respective values. Those that do require the [*] index operator, which returns an array of values for each field.

The Cloudflare Firewall Rules language supports these URI argument and value fields:

Field NameDescription
http.request.uri.args
Map<String><Array>

Represents the HTTP URI arguments associated with a request as a Map (associative array).

When an argument repeats, then the array contains multiple items in the order they appear in the request.

Values are not pre-processed and retain the case used in the request.

Decoding: no decoding performed
Non-ASCII: preserved

Example:
any(http.request.uri.args["search"][*] == "red+apples")

Example value:
{"search": ["red+apples"]}

http.request.uri.args.names
Array<String>

Represents the names of the arguments in the HTTP URI query string. Names are not pre-processed and retain the case used in the request.

When a name repeats, the array contains multiple items in the order that they appear in the request.

Decoding: no decoding performed
Non-ASCII: preserved

Example:
any(http.request.uri.args.names[*] == "search")

Example value:
["search"]

http.request.uri.args.values
Array<String>

Represents the values of arguments in the HTTP URI query string. Values are not pre-processed and retain the case used in the request. They are in the same order as in the request.

Duplicated values are listed multiple times.

Decoding: no decoding performed
Non-ASCII: preserved

Example:
any(http.request.uri.args.values[*] == "red+apples")

Example value:
["red+apples"]

HTTP header fields

The Firewall Rules language includes fields that represent properties of HTTP request headers. Many of these return arrays containing the respective values. Those that do require the [*] index operator, which returns an array of values for each field.

The Cloudflare Firewall Rules language supports these HTTP header fields:

Field NameDescription
http.request.headers
Map<String><Array>

Represents HTTP request headers as a Map (or associative array).

When there are repeating headers, the array includes them in the order they appear in the request. The keys convert to lowercase.

Decoding: no decoding performed
Whitespace: preserved
Non-ASCII: preserved

Example:
any(http.request.headers["content-type"][*] == "application/json")

Example value:
{"content-type": ["application/json"]}

http.request.headers.names
Array<String>

Represents the names of the headers in the HTTP request. The names are not pre-processed and retain the case used in the request.

The order of header names is not guaranteed but will match http.request.headers.values.

Duplicate headers are listed multiple times.

Decoding: no decoding performed
Whitespace: preserved
Non-ASCII: preserved

Example:
any(http.request.headers.names[*] == "content-type")

Example value:["content-type"]

http.request.headers.values
Array<String>

Represents the values of the headers in the HTTP request.

Values are not pre-processed and retain the case used in the request.

The order of header values is not guaranteed but will match http.request.headers.names.

Duplicate headers are listed multiple times.

Decoding: no decoding performed
Whitespace: preserved
Non-ASCII: preserved

Example 1:
any(http.request.headers.values[*] == "application/json")

Example value 1:
["application/json"]

Additionally used for logging requests according to the specified operator and the length/size entered for the header value.

Example 2:
any(len(http.request.headers.values[*])[*] gt 10)

Example value 2:
["gt 10"]

http.request.headers.truncated
Boolean

Returns true when the HTTP request contains too many headers; otherwise, returns false.

When true, http.request.headers, http.request.headers.names, and http.request.headers.values may not contain all of the headers sent in the HTTP request.

HTTP body fields

The Firewall Rules language includes fields that represent properties of an HTTP request body. Many of these return arrays containing the respective values. Those that do require the [*] index operator, which returns an array of values for each field.

The Cloudflare Firewall Rules language supports these HTTP body fields:

Field NameDescription
http.request.body.raw
String

Represents the unaltered HTTP request body.

When the value of http.request.body.truncated is true, the return value may be truncated.

Decoding: no decoding performed
Whitespace: preserved
Non-ASCII: preserved

http.request.body.truncated
Boolean

Indicates whether the HTTP request body is truncated.

When true, http.request.body fields may not contain all of the HTTP request body.

http.request.body.form
Map<String><Array>

Represents the HTTP request body of a form as a Map (or associative array). Populated when the Content-Type header is application/x-www-form-urlencoded.

Values are not pre-processed and retain the case used in the request. When a field repeats, then the array contains multiple items in the order they are in the request.

The return value may be truncated if http.request.body.truncated is true.

Decoding: no decoding performed
Whitespace: preserved
Non-ASCII: preserved

Example:
any(http.request.body.form["username"][*] == "admin")

Example value:
{username": ["admin"]}

http.request.body.form.names
Array<String>

Represents the names of the form fields in an HTTP request where the content type is application/x-www-form-urlencoded.

Names are not pre-processed and retain the case found in the request. They are listed in the same order as in the request. Duplicate names are listed multiple times.

The return value may be truncated if http.request.body.truncated is true.

Decoding: no decoding performed
Whitespace: preserved
Non-ASCII: preserved

Example:
any(http.request.body.form.names[*] == "username")

Example value:
["username"]

http.request.body.form.values
Array<String>

Represents the values of the form fields in an HTTP request where the content type is application/x-www-form-urlencoded.

Values are not pre-processed and retain the case used in the request. They are in the same order as in the request.

Duplicated values are listed multiple times.

The return value may be truncated if http.request.body.truncated is true.

Decoding: no decoding performed
Whitespace: preserved
Non-ASCII: preserved

Example:
any(http.request.body.form.values[*] == "admin")

Example value:
["admin"]