Cloudflare Docs
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)

HTTP request header modification rules

Use HTTP request header modification rules to manipulate the headers of HTTP requests sent to your origin server.

To modify HTTP headers in the response sent to website visitors, refer to HTTP response header modification rules.

Through HTTP request header modification rules you can:

  • Set the value of an HTTP request header to a literal string value, overwriting its previous value or adding a new header to the request.
  • Set the value of an HTTP request header according to an expression, overwriting its previous value or adding a new header to the request.
  • Remove an HTTP header from the request.

You can create an HTTP request header modification rule in the dashboard or via API.

​​ Important remarks

  • You cannot modify or remove HTTP request headers whose name starts with x-cf- or cf- except for the cf-connecting-ip HTTP request header, which you can remove.

  • You cannot modify the value of any header commonly used to identify the website visitor’s IP address, such as x-forwarded-for, true-client-ip, or x-real-ip. Additionally, you cannot remove the x-forwarded-for header.

  • You cannot set or modify the value of cookie HTTP request headers, but you can remove these headers. Configuring a rule that removes the cookie HTTP request header will remove all cookie headers in matching requests.

  • If you modify the value of an existing HTTP request header using an expression that evaluates to an empty string ("") or an undefined value, the HTTP request header is removed.

  • The HTTP request header removal operation will remove all request headers with the provided name.

  • Currently, there is a limited number of HTTP request headers that you cannot modify. Cloudflare may remove restrictions for some of these HTTP request headers when presented with valid use cases. Create a post in the community for consideration.

  • To use claims inside a JSON Web Token (JWT), you must first set up a token validation configuration in API Shield.

​​ Troubleshooting

When troubleshooting HTTP request header modification rules, use Cloudflare Trace Beta to determine if a rule is triggering for a specific URL.