Request Header Transform Rules
Use Request Header Transform Rules to manipulate the headers of HTTP requests sent to your origin server.
Diagram (Header modifications): Header transform rules can change the headers sent to your origin server (request header modifications) or sent to your website visitors (response header modifications). Flow: Visitor → Cloudflare → Origin server (includes request header modifications); Origin server → Cloudflare → Visitor (includes response header modifications).
To modify HTTP headers in the response sent to website visitors, refer to Response Header Transform Rules.
Through Request Header Transform Rules you can:
- Set the value of an HTTP request header to a literal string value, overwriting its previous value or adding a new header to the request.
- Set the value of an HTTP request header according to an expression, overwriting its previous value or adding a new header to the request.
- Remove an HTTP header from the request.
You can create a request header transform rule in the dashboard, via API, or using Terraform.
For more complex request header modifications, consider using Snippets.
- You cannot modify or remove HTTP request headers whose name starts with x-cf- or cf-, except for the cf-connecting-ip HTTP request header, which you can remove.
- Due to protocol compliance reasons, modifying or removing request headers with forbidden header names ↗ (such as Accept-Encoding) is generally not allowed in Request Header Transform Rules.
- You cannot modify the value of any header commonly used to identify the website visitor's IP address, such as x-forwarded-for, true-client-ip, or x-real-ip. Additionally, you cannot remove the x-forwarded-for header.
- You cannot set or modify the value of cookie HTTP request headers, but you can remove these headers. Configuring a rule that removes the cookie HTTP request header will remove all cookie headers in matching requests.
- If you modify the value of an existing HTTP request header using an expression that evaluates to an empty string ("") or an undefined value, the HTTP request header is removed.
- The HTTP request header removal operation will remove all request headers with the provided name.
- Currently, there is a limited number of HTTP request headers that you cannot modify. Cloudflare may remove restrictions for some of these HTTP request headers when presented with valid use cases. Create a post in the community ↗ for consideration.
- To use claims inside a JSON Web Token (JWT), you must first set up a token validation configuration in API Shield.
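The restrictions above can be checked before a rule is deployed. The following is an added example, not Cloudflare's own code: a small linter that applies the listed restrictions to a set of planned header operations. The function name, the input dictionary shape, and the sample rule set are assumptions made for illustration.

```python
# Added example: lint planned header operations against the restrictions above.
# The input shape {name: {"operation": ..., "value"/"expression": ...}} is assumed.

IP_HEADERS = {"x-forwarded-for", "true-client-ip", "x-real-ip"}
FORBIDDEN_EXAMPLES = {"accept-encoding"}  # only the name this page cites, not a full list


def lint_header_ops(ops):
    """Return a list of (severity, header, message) findings."""
    findings = []
    for name, op in ops.items():
        h = name.strip().lower()  # header names are case-insensitive
        kind = op.get("operation")
        if h.startswith(("x-cf-", "cf-")):
            # cf-connecting-ip is the single exception, and only for removal.
            if not (h == "cf-connecting-ip" and kind == "remove"):
                findings.append(("error", h, "x-cf-/cf- headers cannot be modified or removed"))
        elif h in FORBIDDEN_EXAMPLES:
            findings.append(("error", h, "forbidden header name, generally not allowed"))
        elif h in IP_HEADERS:
            if kind == "set":
                findings.append(("error", h, "visitor IP headers cannot be modified"))
            elif h == "x-forwarded-for":
                findings.append(("error", h, "x-forwarded-for cannot be removed"))
        elif h == "cookie":
            if kind == "set":
                findings.append(("error", h, "cookie can be removed but not set or modified"))
            else:
                findings.append(("warn", h, "removes all cookie headers in matching requests"))
        elif kind == "set" and "expression" in op:
            findings.append(("warn", h, "an empty or undefined result removes the header"))
        elif kind == "remove":
            findings.append(("warn", h, "removes every request header with this name"))
    return findings


# Constructed sample rule set (header names and values chosen for illustration).
SAMPLE = {
    "X-Request-Source": {"operation": "set", "value": "edge"},
    "X-Forwarded-For": {"operation": "set", "value": "10.0.0.1"},
    "CF-Connecting-IP": {"operation": "remove"},
    "CF-Ray": {"operation": "remove"},
    "Cookie": {"operation": "remove"},
    "True-Client-IP": {"operation": "remove"},
    "X-Client-Country": {"operation": "set", "expression": "ip.src.country"},
}

if __name__ == "__main__":
    for finding in lint_header_ops(SAMPLE):
        print(*finding, sep=": ")
```

Errors mark operations the page says are rejected; warnings mark operations that are accepted but remove more than a reader might expect.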
When troubleshooting Request Header Transform Rules, use Cloudflare Trace to determine if a rule is triggering for a specific URL.
- 2025 Cloudflare, Inc.