Skip to content
Rules
Visit Rules on GitHub
Set theme to dark (⇧+D)

Create an HTTP Request Header Modification Rule in the dashboard

Create HTTP Request Header Modification Rules in the Transform Rules tab under Rules. See Common use cases for example rule definitions.

Do the following:

  1. Log in to the Cloudflare dashboard.

  2. Select the Websites tab and choose the site for which you want to create a new HTTP Request Header Modification Rule.

  3. Select Rules > Transform Rules.

    Transform Rules tab

  4. Click Create transform rule > Modify Header.

    Create HTTP Header Modification rule page

  5. In the page that displays, enter a descriptive name for the URL Rewrite Rule in Rule name.

  6. Under When incoming requests match, define the rule expression.

  7. For Modify header, select one of the following options:

    • Set static — Sets the value of an HTTP request header to a static string value. Overrides the value of an existing header with the same name or adds a new header if it does not exist.
    • Set dynamic — Sets the value of an HTTP request header according to the provided expression. Overrides the value of an existing header with the same name or adds a new header if it does not exist.
    • Remove — Removes the HTTP request header with the provided name, if it exists.
  8. Enter the name of the HTTP request header to modify in Header name and the static value or expression in Value, if you are setting the header value.

  9. To modify another HTTP request header in the same rule, click + Set new header.

    The following example includes the modification of three headers using the available actions:

    HTTP request header modification examples

  10. To save and deploy your rule, click Deploy. If you are not ready to deploy your rule, click Save as Draft.

After creating a rule, you return to the Transform Rules dashboard interface.

If you choose to deploy your new HTTP Request Header Modification Rule, the toggle switch associated with the rule will be On. If you save the rule as a draft, the toggle will be Off.


Additional information on Request Header Modification Rules

This section contains reference information on HTTP Request Header Modification Rules.

Format of HTTP request header names and values

The name of the HTTP request header you want to set or remove can only contain alphanumeric characters (a-z and A-Z) and the following special characters: - and _.

The value of the HTTP request header you want to set can only contain alphanumeric characters and the following special characters: _ :;.,\/"'?!(){}[]@<>=-.

Available fields and functions

The available fields when setting an HTTP request header value using an expression are the following:

  • cf.bot_detection.js_check_score
  • cf.bot_management.*
  • cf.client.bot
  • cf.client_trust_score
  • cf.threat_score
  • cf.colo.id
  • cf.edge.server_port
  • cf.zone.name
  • cf.metal.id
  • cf.tls_client_auth.*
  • http.cookie
  • http.host
  • http.referer
  • http.request.headers
  • http.request.method
  • http.request.timestamp.sec
  • http.request.timestamp.msec
  • http.request.full_uri
  • http.request.uri
  • http.request.uri.*
  • http.request.version
  • raw.http.request.full_uri
  • raw.http.request.uri
  • http.user_agent
  • http.x_forwarded_for
  • ip.src
  • ip.geoip.*
  • ssl

Use the to_string() function to get the string representation of a non-string value like an Integer value. For example, to_string(cf.bot_management.score).

For more information on the available functions, check Functions in the Firewall documentation.