Available Managed Transforms
HTTP request headers
|Add bot protection headers|
Adds HTTP headers with bot-related values to the request sent to the origin server:
This Managed Transform requires a Enterprise plan with Bot Management enabled.
|Add TLS client auth headers|
Adds HTTP headers with Mutual TLS (mTLS) client authentication values to the request sent to the origin server:
|Add visitor location headers|
Adds HTTP headers with location information for the visitor's IP address to the request sent to the origin server:
|Add "True-Client-IP" header|
Only available on Enterprise plans.
Unavailable when Remove visitor IP headers is enabled.
|Remove visitor IP headers|
Removes HTTP headers that may contain the visitor's IP address from the request sent to the origin server. Handles the following HTTP request headers:
Unavailable when Add "True-Client-IP" header is enabled.
Visitor IP address in the
x-forwarded-for HTTP header
x-forwarded-for HTTP request header, enabling Remove visitor IP headers will only remove the visitor IP from the header value when Cloudflare receives a request proxied by at least another CDN (content delivery network). In this case, Cloudflare will only keep the IP address of the last proxy.
For example, consider an incoming request proxied by two CDNs (
CDN_2) before reaching the Cloudflare network. The
x-forwarded-for header would be similar to the following:
x-forwarded-for: <VISITOR_IP>, <THIRD_PARTY_CDN_1_IP>, <THIRD_PARTY_CDN_2_IP>
With Remove visitor IP headers enabled, the
x-forwarded-for header sent to the origin server will be:
HTTP response headers
|Remove "X-Powered-By" headers|
|Add security headers|
Adds several security-related HTTP response headers. The added response headers and values are the following:
To increase protection, enable HTTP Strict Transport Security (HSTS) for your website.