
Require specific HTTP headers

Many organizations qualify traffic based on the presence of specific HTTP request headers.

Use the Firewall Rules HTTP header and body fields to target requests with specific headers.

This example uses the http.request.headers.names field to look for the presence of an X-CSRF-Token header. The lower() transformation function converts the header names to lowercase so that the expression is case insensitive.

When the X-CSRF-Token header is missing, Cloudflare blocks the request:

Expression: not any(lower(http.request.headers.names[*])[*] contains "x-csrf-token") and (http.request.full_uri eq "https://www.example.com/somepath")
Action: Block
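To check which requests the rule above matches before deploying it, the following added example (not Cloudflare code) models the expression in Python and runs it over constructed sample requests. The function names and sample requests are assumptions made for illustration; only the header string and URI come from the expression on this page.

```python
# Added illustration: a small Python model of the rule expression above.
# It is not Cloudflare code; it mirrors the expression on constructed requests.

RULE_URI = "https://www.example.com/somepath"   # from the expression on this page
REQUIRED = "x-csrf-token"                       # from the expression on this page


def header_present(header_names):
    """Model of: any(lower(http.request.headers.names[*])[*] contains "x-csrf-token")"""
    # lower() is applied to each header name, then `contains` does a substring test.
    return any(REQUIRED in name.lower() for name in header_names)


def rule_action(full_uri, header_names):
    """Return "block" when the whole expression matches, otherwise "pass"."""
    # `eq` compares the full URI exactly (scheme, host, path and query string).
    matches = (not header_present(header_names)) and full_uri == RULE_URI
    return "block" if matches else "pass"


# Constructed sample requests: (label, full URI, header names)
SAMPLES = [
    ("header missing", RULE_URI, ["Host", "Accept"]),
    ("header present", RULE_URI, ["Host", "X-CSRF-Token"]),
    ("mixed-case name", RULE_URI, ["Host", "x-CsRf-ToKeN"]),
    ("longer name containing the string", RULE_URI, ["Host", "X-CSRF-Token-Legacy"]),
    ("other path, header missing", "https://www.example.com/other", ["Host"]),
    ("query string, header missing", RULE_URI + "?page=2", ["Host"]),
]


def evaluate_samples():
    """Evaluate every constructed sample and return {label: action}."""
    return {label: rule_action(uri, names) for label, uri, names in SAMPLES}


if __name__ == "__main__":
    for label, action in evaluate_samples().items():
        print(f"{label:36} -> {action}")
```

The rule tests only that a matching header name is present on the one exact URI; the token value itself still has to be validated by the application.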