Skip to content

Fields reference

cf.api_gateway.auth_id_present

Indicates whether the request contained an API session authentication token, as defined by API Shield's saved session identifiers.

  • Enterprise add-on
cf.api_gateway.fallthrough_detected

Indicates whether the request matched a saved endpoint in Endpoint Management.

cf.api_gateway.request_violates_schema

Indicates whether the request violated the schema assigned to the respective saved endpoint.

cf.bot_management.corporate_proxy

Indicates whether the incoming request comes from an identified Enterprise-only cloud-based corporate proxy or secure web gateway.

  • Enterprise add-on
cf.bot_management.detection_ids

List of IDs that correlate to the Bot Management heuristic detections made on a request.

  • Enterprise add-on
cf.bot_management.ja3_hash

Provides an SSL/TLS fingerprint to help you identify potential bot requests.

  • Enterprise add-on
cf.bot_management.ja4

Provides an SSL/TLS fingerprint to help you identify potential bot requests.

  • Enterprise add-on
cf.bot_management.js_detection.passed

Indicates whether the visitor has previously passed a JS Detection.

  • Enterprise add-on
cf.bot_management.score

Represents the likelihood that a request originates from a bot using a score from 1–99.

  • Enterprise add-on
cf.bot_management.static_resource

Indicates whether static resources should be included when you create a rule using cf.bot_management.score.

  • Enterprise add-on
cf.bot_management.verified_bot

Indicates whether the request originated from a known good bot or crawler.

  • Enterprise add-on
cf.client.bot

Indicates whether the request originated from a known good bot or crawler.

cf.edge.server_ip

Represents the global network's IP address to which the HTTP request has resolved.

cf.edge.server_port

Represents the port number at which the Cloudflare global network received the request.

cf.hostname.metadata

Returns the string representation of the per-hostname custom metadata JSON object set by SSL for SaaS customers.

cf.random_seed

Returns per-request random bytes that you can use in the uuidv4() function.

cf.ray_id

The Ray ID of the current request.

cf.response.1xxx_code

Contains the specific code for 1XXX Cloudflare errors.

cf.response.error_type

A string with the type of error in the response being returned.

cf.threat_score

Represents a Cloudflare threat score from 0–100, where 0 indicates low risk.

cf.tls_cipher

The cipher for the connection to Cloudflare.

cf.tls_client_auth.cert_fingerprint_sha1

The SHA-1 fingerprint of the certificate in the request.

cf.tls_client_auth.cert_fingerprint_sha256

The SHA-256 fingerprint of the certificate in the request.

cf.tls_client_auth.cert_issuer_dn

The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate included in the request.

cf.tls_client_auth.cert_issuer_dn_legacy

The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in a legacy format.

cf.tls_client_auth.cert_issuer_dn_rfc2253

The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in RFC 2253 format.

cf.tls_client_auth.cert_issuer_serial

Serial number of the direct issuer of the certificate in the request.

cf.tls_client_auth.cert_issuer_ski

The Subject Key Identifier (SKI) of the direct issuer of the certificate in the request.

cf.tls_client_auth.cert_not_after

The certificate in the request is not valid after this date.

cf.tls_client_auth.cert_not_before

The certificate in the request is not valid before this date.

cf.tls_client_auth.cert_presented

Returns true when a request presents a certificate (valid or not).

cf.tls_client_auth.cert_revoked

Indicates whether the request presented a valid but revoked client certificate.

cf.tls_client_auth.cert_serial

Serial number of the certificate in the request.

cf.tls_client_auth.cert_ski

The Subject Key Identifier (SKI) of the certificate in the request.

cf.tls_client_auth.cert_subject_dn

The Distinguished Name (DN) of the owner (or requester) of the certificate included in the request.

cf.tls_client_auth.cert_subject_dn_legacy

The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in a legacy format.

cf.tls_client_auth.cert_subject_dn_rfc2253

The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in RFC 2253 format.

cf.tls_client_auth.cert_verified

Returns true when a request presents a valid client certificate.

cf.tls_client_extensions_sha1

The SHA-1 fingerprint of TLS client extensions, encoded in Base64.

cf.tls_client_hello_length

The length of the client hello message sent in a TLS handshake.

cf.tls_client_random

The value of the 32-byte random value provided by the client in a TLS handshake, encoded in Base64.

cf.tls_version

The TLS version of the connection to Cloudflare.

cf.verified_bot_category

Provides the type and purpose of a verified bot.

cf.waf.auth_detected

Indicates whether the Cloudflare WAF detected authentication credentials in the request.

  • Enterprise
cf.waf.content_scan.has_failed

Indicates whether the file scanner was unable to scan all the content objects detected in the request.

  • Enterprise add-on
cf.waf.content_scan.has_malicious_obj

Indicates whether the request contains at least one malicious content object.

  • Enterprise add-on
cf.waf.content_scan.has_obj

Indicates whether the request contains at least one content object.

  • Enterprise add-on
cf.waf.content_scan.num_malicious_obj

The number of malicious content objects detected in the request (zero or greater).

  • Enterprise add-on
cf.waf.content_scan.num_obj

The number of content objects detected in the request (zero or greater).

  • Enterprise add-on
cf.waf.content_scan.obj_results

An array of scan results in the order the content objects were detected in the request.

  • Enterprise add-on
cf.waf.content_scan.obj_sizes

An array of file sizes in bytes, in the order the content objects were detected in the request.

  • Enterprise add-on
cf.waf.content_scan.obj_types

An array of file types in the order the content objects were detected in the request.

  • Enterprise add-on
cf.waf.credential_check.password_leaked

Indicates whether the password detected in the request was previously leaked.

cf.waf.credential_check.username_and_password_leaked

Indicates whether the auth credentials detected in the request (username-password pair) were previously leaked.

  • Pro or above
cf.waf.credential_check.username_leaked

Indicates whether the username detected in the request was previously leaked.

  • Enterprise
cf.waf.credential_check.username_password_similar

Indicates whether a similar version of the username and password credentials detected in the request were previously leaked.

  • Enterprise
cf.waf.score

A global score from 1–99 that combines the score of each WAF attack vector into a single score.

  • Enterprise
cf.waf.score.class

The attack score class of the current request, based on the WAF attack score.

  • Business or above
cf.waf.score.rce

An attack score from 1–99 classifying the command injection or Remote Code Execution (RCE) attack vector.

  • Enterprise
cf.waf.score.sqli

An attack score from 1–99 classifying the SQL injection (SQLi) attack vector.

  • Enterprise
cf.waf.score.xss

An attack score from 1–99 classifying the cross-site scripting (XSS) attack vector.

  • Enterprise
cf.worker.upstream_zone

Identifies whether a request comes from a worker or not.

http.cookie

The entire cookie as a string.

http.host

The hostname used in the full request URI.

http.referer

The HTTP Referer request header, which contains the address of the web page that linked to the currently requested page.

http.request.accepted_languages

List of language tags provided in the Accept-Language HTTP request header.

http.request.body.form

The HTTP request body of a form represented as a Map (or associative array).

  • Enterprise add-on
http.request.body.form.names

The names of the form fields in an HTTP request.

  • Enterprise add-on
http.request.body.form.values

The values of the form fields in an HTTP request.

  • Enterprise add-on
http.request.body.mime

The MIME type of the request detected from the request body.

http.request.body.multipart

A Map (or associative array) representation of multipart names to multipart values in the request body.

  • Enterprise add-on
http.request.body.multipart.content_dispositions

List of Content-Disposition headers for each part in the multipart body.

  • Enterprise add-on
http.request.body.multipart.content_transfer_encodings

List of Content-Transfer-Encoding headers for each part in the multipart body.

  • Enterprise add-on
http.request.body.multipart.content_types

List of Content-Type headers for each part in the multipart body.

  • Enterprise add-on
http.request.body.multipart.filenames

List of filenames for each part in the multipart body.

  • Enterprise add-on
http.request.body.multipart.names

List of multipart names for every part in the multipart body.

  • Enterprise add-on
http.request.body.multipart.values

List of multipart values for every part in the multipart body.

  • Enterprise add-on
http.request.body.raw

The unaltered HTTP request body.

  • Enterprise add-on
http.request.body.size

The total size of the HTTP request body (in bytes).

  • Enterprise add-on
http.request.body.truncated

Indicates whether the HTTP request body is truncated.

  • Enterprise add-on
http.request.cookies

The Cookie HTTP header associated with a request represented as a Map (associative array).

  • Pro or above
http.request.full_uri

The full URI as received by the web server.

http.request.headers

The HTTP request headers represented as a Map (or associative array).

http.request.headers.names

The names of the headers in the HTTP request.

http.request.headers.truncated

Indicates whether the HTTP request contains too many headers.

http.request.headers.values

The values of the headers in the HTTP request.

http.request.jwt.claims.aud

The aud (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for.

  • Enterprise add-on
http.request.jwt.claims.aud.names

The aud (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for.

  • Enterprise add-on
http.request.jwt.claims.aud.values

The aud (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for.

  • Enterprise add-on
http.request.jwt.claims.iat.sec

The iat (issued at) claim identifies the time (number of seconds) at which the JWT was issued.

  • Enterprise add-on
http.request.jwt.claims.iat.sec.names

The iat (issued at) claim identifies the time (number of seconds) at which the JWT was issued.

  • Enterprise add-on
http.request.jwt.claims.iat.sec.values

The iat (issued at) claim identifies the time (number of seconds) at which the JWT was issued.

  • Enterprise add-on
http.request.jwt.claims.iss

The iss (issuer) claim identifies the principal that issued the JWT.

  • Enterprise add-on
http.request.jwt.claims.iss.names

The iss (issuer) claim identifies the principal that issued the JWT.

  • Enterprise add-on
http.request.jwt.claims.iss.values

The iss (issuer) claim identifies the principal that issued the JWT.

  • Enterprise add-on
http.request.jwt.claims.jti

The jti (JWT ID) claim provides a unique identifier for the JWT.

  • Enterprise add-on
http.request.jwt.claims.jti.names

The jti (JWT ID) claim provides a unique identifier for the JWT.

  • Enterprise add-on
http.request.jwt.claims.jti.values

The jti (JWT ID) claim provides a unique identifier for the JWT.

  • Enterprise add-on
http.request.jwt.claims.nbf.sec

The nbf (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.

  • Enterprise add-on
http.request.jwt.claims.nbf.sec.names

The nbf (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.

  • Enterprise add-on
http.request.jwt.claims.nbf.sec.values

The nbf (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.

  • Enterprise add-on
http.request.jwt.claims.sub

The sub (subject) claim identifies the principal that is the subject of the JWT.

  • Enterprise add-on
http.request.jwt.claims.sub.names

The sub (subject) claim identifies the principal that is the subject of the JWT.

  • Enterprise add-on
http.request.jwt.claims.sub.values

The sub (subject) claim identifies the principal that is the subject of the JWT.

  • Enterprise add-on
http.request.method

The HTTP method, returned as a string of uppercase characters.

http.request.timestamp.msec

The millisecond when Cloudflare received the request, between 0–999.

http.request.timestamp.sec

The timestamp when Cloudflare received the request, expressed as UNIX time in seconds.

http.request.uri

The URI path and query string of the request.

http.request.uri.args

The HTTP URI arguments associated with a request represented as a Map (associative array).

http.request.uri.args.names

The names of the arguments in the HTTP URI query string.

http.request.uri.args.values

The values of arguments in the HTTP URI query string.

http.request.uri.path

The URI path of the request.

http.request.uri.path.extension

The lowercased file extension in the URI path without the dot (.) character.

http.request.uri.query

The entire query string, without the ? delimiter.

http.request.version

The version of the HTTP protocol used. Use this field when different checks are needed for different versions.

http.response.code

The HTTP status code returned to the client, either set by a Cloudflare product or returned by the origin server.

http.response.content_type.media_type

The lowercased content type (including subtype and suffix) without any extra parameters, based on the response's Content-Type header.

http.response.headers

The HTTP response headers represented as a Map (or associative array).

http.response.headers.names

The names of the headers in the HTTP response.

http.response.headers.values

The values of the headers in the HTTP response.

http.user_agent

The HTTP User-Agent request header, which contains a characteristic string to identify the client operating system and web browser.

http.x_forwarded_for

The full value of the X-Forwarded-For HTTP header.

ip.src

The client TCP IP address, which may be adjusted to reflect the actual address of the client using HTTP headers such as X-Forwarded-For or X-Real-IP.

ip.src.asnum

The 16-bit or 32-bit integer representing the Autonomous System (AS) number associated with the client IP address.

ip.src.city

The city associated with the client IP address.

ip.src.continent

The continent code associated with the client IP address.

ip.src.country

The 2-letter country code in ISO 3166-1 Alpha 2 format.

ip.src.is_in_european_union

Whether the request originates from a country in the European Union (EU).

  • Business or above
ip.src.lat

The latitude associated with the client IP address.

ip.src.lon

The longitude associated with the client IP address.

ip.src.metro_code

The metro code or Designated Market Area (DMA) code associated with the incoming request.

ip.src.postal_code

The postal code associated with the incoming request.

ip.src.region

The region name associated with the incoming request.

ip.src.region_code

The region code associated with the incoming request.

ip.src.subdivision_1_iso_code

The ISO 3166-2 code for the first-level region associated with the IP address.

  • Business or above
ip.src.subdivision_2_iso_code

The ISO 3166-2 code for the second-level region associated with the IP address.

  • Business or above
ip.src.timezone.name

The name of the timezone associated with the incoming request.

raw.http.request.full_uri

The raw full URI as received by the web server without any transformation.

raw.http.request.uri.args

The raw HTTP URI arguments associated with a request represented as a Map (associative array).

raw.http.request.uri.args.names

The raw names of the arguments in the HTTP URI query string.

raw.http.request.uri.args.values

The raw values of arguments in the HTTP URI query string.

raw.http.request.uri.path

The raw URI path and query string of the request without any transformation.

raw.http.request.uri.path.extension

The raw file extension in the request URI path without any transformation.

raw.http.request.uri.query

The entire query string without the ? delimiter and without any transformation.

ssl

Returns true when the HTTP connection to the client is encrypted.