Available Managed Transforms
HTTP request headers
|Add bot protection headers|
Adds HTTP request headers with bot-related values:
This Managed Transform requires a Enterprise plan with Bot Management enabled.
|Add visitor location headers|
Adds HTTP request headers with location information for the visitor's IP address. The added headers are:
|Add "True-Client-IP" header|
Only available on Enterprise plans.
Unavailable when Remove visitor IP headers is enabled.
|Remove visitor IP headers|
Removes HTTP request headers that may contain the visitor's IP address. Handles the following HTTP request headers:
Unavailable when Add "True-Client-IP" header is enabled.
Visitor IP address in the
x-forwarded-for HTTP header
x-forwarded-for HTTP request header, enabling Remove visitor IP headers will only remove the visitor IP from the header value when Cloudflare receives a request proxied by at least another CDN (content delivery network). In this case, Cloudflare will only keep the IP address of the last proxy.
For example, consider an incoming request proxied by two CDNs (
CDN_2) before reaching the Cloudflare network. The
x-forwarded-for header would be similar to the following:
x-forwarded-for: <VISITOR_IP>, <THIRD_PARTY_CDN_1_IP>, <THIRD_PARTY_CDN_2_IP>
With Remove visitor IP headers enabled, the
x-forwarded-for header sent to the origin server will be:
HTTP response headers
|Remove "X-Powered-By" headers|
|Add security headers|
Adds several security-related HTTP response headers. The added response headers and values are the following:
To increase protection, enable HTTP Strict Transport Security (HSTS) for your website.