Fields reference
Indicates whether the request contained an API session authentication token, as defined by API Shield's saved session identifiers.
- Enterprise add-on
Indicates whether the request matched a saved endpoint in Endpoint Management.
Indicates whether the request violated the schema assigned to the respective saved endpoint.
Indicates whether the incoming request comes from an identified Enterprise-only cloud-based corporate proxy or secure web gateway.
- Enterprise add-on
List of IDs that correlate to the Bot Management heuristic detections made on a request.
- Enterprise add-on
Provides an SSL/TLS fingerprint to help you identify potential bot requests.
- Enterprise add-on
Provides an SSL/TLS fingerprint to help you identify potential bot requests.
- Enterprise add-on
Indicates whether the visitor has previously passed a JS Detection.
- Enterprise add-on
Represents the likelihood that a request originates from a bot using a score from 1–99.
- Enterprise add-on
Indicates whether static resources should be included when you create a rule using cf.bot_management.score.
- Enterprise add-on
Indicates whether the request originated from a known good bot or crawler.
- Enterprise add-on
Indicates whether the request originated from a known good bot or crawler.
Represents the global network's IP address to which the HTTP request has resolved.
Represents the port number at which the Cloudflare global network received the request.
Returns the string representation of the per-hostname custom metadata JSON object set by SSL for SaaS customers.
Returns per-request random bytes that you can use in the uuidv4() function.
The Ray ID of the current request.
Contains the specific code for 1XXX Cloudflare errors.
A string with the type of error in the response being returned.
Represents a Cloudflare threat score from 0–100, where 0 indicates low risk.
The cipher for the connection to Cloudflare.
The SHA-1 fingerprint of the certificate in the request.
The SHA-256 fingerprint of the certificate in the request.
The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate included in the request.
The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in a legacy format.
The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in RFC 2253 format.
Serial number of the direct issuer of the certificate in the request.
The Subject Key Identifier (SKI) of the direct issuer of the certificate in the request.
The certificate in the request is not valid after this date.
The certificate in the request is not valid before this date.
Returns true when a request presents a certificate (valid or not).
Indicates whether the request presented a valid but revoked client certificate.
Serial number of the certificate in the request.
The Subject Key Identifier (SKI) of the certificate in the request.
The Distinguished Name (DN) of the owner (or requester) of the certificate included in the request.
The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in a legacy format.
The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in RFC 2253 format.
Returns true when a request presents a valid client certificate.
The SHA-1 fingerprint of TLS client extensions, encoded in Base64.
The length of the client hello message sent in a TLS handshake.
The value of the 32-byte random value provided by the client in a TLS handshake, encoded in Base64.
The TLS version of the connection to Cloudflare.
Provides the type and purpose of a verified bot.
Indicates whether the Cloudflare WAF detected authentication credentials in the request.
- Enterprise
Indicates whether the file scanner was unable to scan all the content objects detected in the request.
- Enterprise add-on
Indicates whether the request contains at least one malicious content object.
- Enterprise add-on
Indicates whether the request contains at least one content object.
- Enterprise add-on
The number of malicious content objects detected in the request (zero or greater).
- Enterprise add-on
The number of content objects detected in the request (zero or greater).
- Enterprise add-on
An array of scan results in the order the content objects were detected in the request.
- Enterprise add-on
An array of file sizes in bytes, in the order the content objects were detected in the request.
- Enterprise add-on
An array of file types in the order the content objects were detected in the request.
- Enterprise add-on
Indicates whether the password detected in the request was previously leaked.
Indicates whether the auth credentials detected in the request (username-password pair) were previously leaked.
- Pro or above
Indicates whether the username detected in the request was previously leaked.
- Enterprise
Indicates whether a similar version of the username and password credentials detected in the request were previously leaked.
- Enterprise
A global score from 1–99 that combines the score of each WAF attack vector into a single score.
- Enterprise
The attack score class of the current request, based on the WAF attack score.
- Business or above
An attack score from 1–99 classifying the command injection or Remote Code Execution (RCE) attack vector.
- Enterprise
An attack score from 1–99 classifying the SQL injection (SQLi) attack vector.
- Enterprise
An attack score from 1–99 classifying the cross-site scripting (XSS) attack vector.
- Enterprise
Identifies whether a request comes from a worker or not.
The entire cookie as a string.
The hostname used in the full request URI.
The HTTP Referer request header, which contains the address of the web page that linked to the currently requested page.
List of language tags provided in the Accept-Language HTTP request header.
The HTTP request body of a form represented as a Map (or associative array).
- Enterprise add-on
The names of the form fields in an HTTP request.
- Enterprise add-on
The values of the form fields in an HTTP request.
- Enterprise add-on
The MIME type of the request detected from the request body.
A Map (or associative array) representation of multipart names to multipart values in the request body.
- Enterprise add-on
List of Content-Disposition headers for each part in the multipart body.
- Enterprise add-on
List of Content-Transfer-Encoding headers for each part in the multipart body.
- Enterprise add-on
List of Content-Type headers for each part in the multipart body.
- Enterprise add-on
List of filenames for each part in the multipart body.
- Enterprise add-on
List of multipart names for every part in the multipart body.
- Enterprise add-on
List of multipart values for every part in the multipart body.
- Enterprise add-on
The unaltered HTTP request body.
- Enterprise add-on
The total size of the HTTP request body (in bytes).
- Enterprise add-on
Indicates whether the HTTP request body is truncated.
- Enterprise add-on
The Cookie HTTP header associated with a request represented as a Map (associative array).
- Pro or above
The full URI as received by the web server.
The HTTP request headers represented as a Map (or associative array).
The names of the headers in the HTTP request.
Indicates whether the HTTP request contains too many headers.
The values of the headers in the HTTP request.
The aud (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for.
- Enterprise add-on
The aud (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for.
- Enterprise add-on
The aud (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for.
- Enterprise add-on
The iat (issued at) claim identifies the time (number of seconds) at which the JWT was issued.
- Enterprise add-on
The iat (issued at) claim identifies the time (number of seconds) at which the JWT was issued.
- Enterprise add-on
The iat (issued at) claim identifies the time (number of seconds) at which the JWT was issued.
- Enterprise add-on
The iss (issuer) claim identifies the principal that issued the JWT.
- Enterprise add-on
The iss (issuer) claim identifies the principal that issued the JWT.
- Enterprise add-on
The iss (issuer) claim identifies the principal that issued the JWT.
- Enterprise add-on
The jti (JWT ID) claim provides a unique identifier for the JWT.
- Enterprise add-on
The jti (JWT ID) claim provides a unique identifier for the JWT.
- Enterprise add-on
The jti (JWT ID) claim provides a unique identifier for the JWT.
- Enterprise add-on
The nbf (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.
- Enterprise add-on
The nbf (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.
- Enterprise add-on
The nbf (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.
- Enterprise add-on
The sub (subject) claim identifies the principal that is the subject of the JWT.
- Enterprise add-on
The sub (subject) claim identifies the principal that is the subject of the JWT.
- Enterprise add-on
The sub (subject) claim identifies the principal that is the subject of the JWT.
- Enterprise add-on
The HTTP method, returned as a string of uppercase characters.
The millisecond when Cloudflare received the request, between 0–999.
The timestamp when Cloudflare received the request, expressed as UNIX time in seconds.
The URI path and query string of the request.
The HTTP URI arguments associated with a request represented as a Map (associative array).
The names of the arguments in the HTTP URI query string.
The values of arguments in the HTTP URI query string.
The URI path of the request.
The lowercased file extension in the URI path without the dot (.) character.
The entire query string, without the ? delimiter.
The version of the HTTP protocol used. Use this field when different checks are needed for different versions.
The HTTP status code returned to the client, either set by a Cloudflare product or returned by the origin server.
The lowercased content type (including subtype and suffix) without any extra parameters, based on the response's Content-Type header.
The HTTP response headers represented as a Map (or associative array).
The names of the headers in the HTTP response.
The values of the headers in the HTTP response.
The HTTP User-Agent request header, which contains a characteristic string to identify the client operating system and web browser.
The full value of the X-Forwarded-For HTTP header.
The client TCP IP address, which may be adjusted to reflect the actual address of the client using HTTP headers such as X-Forwarded-For or X-Real-IP.
The 16-bit or 32-bit integer representing the Autonomous System (AS) number associated with the client IP address.
The city associated with the client IP address.
The continent code associated with the client IP address.
The 2-letter country code in ISO 3166-1 Alpha 2 format.
Whether the request originates from a country in the European Union (EU).
- Business or above
The latitude associated with the client IP address.
The longitude associated with the client IP address.
The metro code or Designated Market Area (DMA) code associated with the incoming request.
The postal code associated with the incoming request.
The region name associated with the incoming request.
The region code associated with the incoming request.
The ISO 3166-2 code for the first-level region associated with the IP address.
- Business or above
The ISO 3166-2 code for the second-level region associated with the IP address.
- Business or above
The name of the timezone associated with the incoming request.
The raw full URI as received by the web server without any transformation.
The raw HTTP URI arguments associated with a request represented as a Map (associative array).
The raw names of the arguments in the HTTP URI query string.
The raw values of arguments in the HTTP URI query string.
The raw URI path and query string of the request without any transformation.
The raw file extension in the request URI path without any transformation.
The entire query string without the ? delimiter and without any transformation.
Returns true when the HTTP connection to the client is encrypted.