Skip to content
Visit Logs on GitHub
Set theme to dark (⇧+D)

HTTP requests

The descriptions below detail the fields available for http_requests.

BotScoreCloudflare Bot Score. Scores below 30 are commonly associated with automated traffic. Available for Bot Management customers (please contact your account team to enable).int
BotScoreSrcDetection engine responsible for generating the Bot Score.
Possible values are Not Computed | Heuristics | Machine Learning | Behavioral Analysis | Verified Bot | JS Fingerprinting | Cloudflare Service
BotTagsType of bot traffic (if available). See Bot Tags for the list of potential values. Available in Logpush v2 only.array[string]
CacheCacheStatusunknown | miss | expired | updating | stale | hit | ignored | bypass | revalidatedstring
CacheResponseBytesNumber of bytes returned by the cacheint
CacheResponseStatus (deprecated)HTTP status code returned by the cache to the edge. All requests (including non-cacheable ones) go through the cache. Also see CacheCacheStatus
CacheTieredFillTiered Cache was used to serve this requestbool
ClientASNClient AS numberint
ClientCountryCountry of the client IP addressstring
ClientDeviceTypeClient device typestring
ClientIPIP address of the clientstring
ClientIPClassunknown | clean | badHost | searchEngine | allowlist | greylist | monitoringService | securityScanner | noRecord | scan | backupService | mobilePlatform | torstring
ClientMTLSAuthCertFingerprintThe SHA256 fingerprint of the certificate presented by the client during mTLS authentication. Only populated on the first request on an mTLS connection. Available in Logpush v2 only.string
ClientMTLSAuthStatusThe status of mTLS authentication. Only populated on the first request on an mTLS connection. Available in Logpush v2 only.
Possible values are unknown | ok | absent | untrusted | notyetvalid | expired
ClientRequestBytesNumber of bytes in the client requestint
ClientRequestHostHost requested by the clientstring
ClientRequestMethodHTTP method of client requeststring
ClientRequestPathURI path requested by the clientstring
ClientRequestProtocolHTTP protocol of client requeststring
ClientRequestRefererHTTP request referrerstring
ClientRequestSchemeThe URL scheme requested by the visitor. Available in Logpush v2 only.string
ClientRequestSourceIdentifies requests as coming from an external source or another service within Cloudflare. Available in Logpush v2 only.string
ClientRequestURIURI requested by the clientstring
ClientRequestUserAgentUser agent reported by the clientstring
ClientSSLCipherClient SSL cipherstring
ClientSSLProtocolClient SSL (TLS) protocolstring
ClientSrcPortClient source portint
ClientTCPRTTMsThe smoothed average of TCP round-trip time (SRTT). For the initial request on a connection, this is measured only during connection setup. For a subsequent request on the same connection, it is measured over the entire connection lifetime up until the time that request is received. Available in Logpush v2
ClientXRequestedWithX-Requested-With HTTP headerstring
EdgeCFConnectingO2OTrue if the request looped through multiple zones on the Cloudflare edge. This is considered an orange to orange (o2o) request. Available in Logpush v2 only.bool
EdgeColoCodeIATA airport code of data center that received the requeststring
EdgeColoIDCloudflare edge colo idint
EdgeEndTimestampTimestamp at which the edge finished sending response to the clientint or string
EdgePathingOpIndicates what type of response was issued for this request (unknown = no specific action)string
EdgePathingSrcDetails how the request was classified based on security checks (unknown = no specific classification)string
EdgePathingStatusIndicates what data was used to determine the handling of this request (unknown = no data)string
EdgeRateLimitActionThe action taken by the blocking rule; empty if no action taken.
Possible values are unknown | simulate | ban | challenge | jsChallenge
EdgeRateLimitIDThe internal rule ID of the rate-limiting rule that triggered a block (ban) or log action. 0 if no action
EdgeRequestHostHost header on the request from the edge to the originstring
EdgeResponseBodyBytesSize of the HTTP response body returned to clients. Available in Logpush v2
EdgeResponseBytesNumber of bytes returned by the edge to the clientint
EdgeResponseCompressionRatioEdge response compression ratiofloat
EdgeResponseContentTypeEdge response Content-Type header valuestring
EdgeResponseStatusHTTP status code returned by Cloudflare to the clientint
EdgeServerIPIP of the edge server making a request to the originstring
EdgeStartTimestampTimestamp at which the edge received request from the clientint or string
EdgeTimeToFirstByteMsTotal view of Time To First Byte as measured at Cloudflare's edge. Starts after a TCP connection is established and ends when Cloudflare begins returning the first byte of a response to eyeballs. Includes TLS handshake time (for new connections) and origin response time. Available in Logpush v2
FirewallMatchesActionsArray of actions the Cloudflare firewall products performed on this request. The individual firewall products associated with this action be found in FirewallMatchesSources and their respective RuleIds can be found in FirewallMatchesRuleIDs. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesSources.
Possible actions are unknown | allow | block | challenge | jschallenge | log | connectionClose | challengeSolved | challengeFailed | challengeBypassed | jschallengeSolved | jschallengeFailed | jschallengeBypassed | bypass | managedChallenge | managedChallengeSkipped | managedChallengeNonInteractiveSolved | managedChallengeInteractiveSolved | managedChallengeBypassed
FirewallMatchesRuleIDsArray of RuleIDs of the firewall product that has matched the request. The firewall product associated with the RuleID can be found in FirewallMatchesSources. The length of the array is the same as FirewallMatchesActions and FirewallMatchesSources.array[string]
FirewallMatchesSourcesThe firewall products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The RuleIDs can be found in FirewallMatchesRuleIDs, the actions can be found in FirewallMatchesActions. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesActions. Validation matches only appear in Logpush and are not supported in Logpull.
Possible sources are unknown | asn | country | ip | ipRange | securityLevel | zoneLockdown | waf | firewallRules | uaBlock | rateLimit | bic | hot | l7ddos | validation | botFight | apiShield | botManagement | dlp | firewallManaged | firewallCustom
OriginDNSResponseTimeMsTime taken to receive a DNS response for an origin name. Usually 0, but may be longer if a CNAME record is used. Available in Logpush v2
OriginIPIP of the origin serverstring
OriginRequestHeaderSendDurationMsTime taken to send request headers to origin after establishing a connection. Note that this value is usually 0. Available in Logpush v2
OriginResponseBytes (deprecated)Number of bytes returned by the origin serverint
OriginResponseDurationMsUpstream response time, measured from the first datacenter that receives a request. Includes time taken by Argo Smart Routing and Tiered Cache, plus time to connect and receive a response from origin servers. This field replaces OriginResponseTime. Available in Logpush v2
OriginResponseHTTPExpiresValue of the origin 'expires' header in RFC1123 formatstring
OriginResponseHTTPLastModifiedValue of the origin 'last-modified' header in RFC1123 formatstring
OriginResponseHeaderReceiveDurationMsTime taken for origin to return response headers after Cloudflare finishes sending request headers. Available in Logpush v2
OriginResponseStatusStatus returned by the origin serverint
OriginResponseTime (deprecated)Number of nanoseconds it took the origin to return the response to edgeint
OriginSSLProtocolSSL (TLS) protocol used to connect to the originstring
OriginTCPHandshakeDurationMsTime taken to complete TCP handshake with origin. This will be 0 if an origin connection is reused. Available in Logpush v2
OriginTLSHandshakeDurationMsTime taken to complete TLS handshake with origin. This will be 0 if an origin connection is reused. Available in Logpush v2
ParentRayIDRay ID of the parent request if this request was made using a Worker scriptstring
RayIDID of the requeststring
SecurityLevelThe security level configured at the time of this request. This is used to determine the sensitivity of the IP Reputation system.string
SmartRouteColoIDThe Cloudflare datacenter used to connect to the origin server if Argo Smart Routing is used. Available in Logpush v2
UpperTierColoIDThe "upper tier" datacenter that was checked for a cached copy if Tiered Cache is used. Available in Logpush v2
WAFActionAction taken by the WAF, if triggeredstring
WAFFlags (deprecated)Additional configuration flags: simulate (0x1) | nullstring
WAFMatchedVar (deprecated)The full name of the most-recently matched variablestring
WAFProfilelow | med | highstring
WAFRuleIDID of the applied WAF rulestring
WAFRuleMessageRule message associated with the triggered rulestring
WorkerCPUTimeAmount of time in microseconds spent executing a worker, if anyint
WorkerStatusStatus returned from worker daemonstring
WorkerSubrequestWhether or not this request was a worker subrequestbool
WorkerSubrequestCountNumber of subrequests issued by a worker when handling this requestint
ZoneIDInternal zone IDint
ZoneNameThe human-readable name of the zone (e.g. ''). Available in Logpush v2 only.string