Label operations
Labels add use-case context to operations. Security detections can use labels to focus on traffic with a specific application use case.
Cloudflare defines managed labels. They identify common operation types, such as login flows, sign-up flows, and AI-powered operations.
Some managed labels can be discovered automatically. Automatic discovery currently applies only to selected managed labels and selected plans.
The following managed labels are available:
| Label | Description |
|---|---|
| cf-api-endpoint | Operations that serve machine-readable data or facilitate programmatic interaction. |
| cf-llm | Operations that receive requests for services powered by Large Language Models (LLMs). |
| cf-mcp | Operations that implement the Model Context Protocol (MCP) for AI tool and data access. |
| cf-contains-ads | Operations that serve web pages containing advertisements. |
| cf-log-in | Operations that accept user credentials. |
| cf-sign-up | Operations that create user accounts. |
| cf-content | Operations that provide unique content, such as product details, reviews, or pricing. |
| cf-purchase | Operations that complete a purchase. |
| cf-password-reset | Operations that participate in password reset flows. |
| cf-add-cart | Operations that add items to a cart or verify item availability. |
| cf-add-payment | Operations that accept credit card or bank account details. |
| cf-check-value | Operations that check rewards points, in-game currency, or other stored value. |
| cf-add-post | Operations that post messages, reviews, or similar user-generated content. |
| cf-account-update | Operations that update user account or profile details. |
| cf-rss-feed | Operations that expect traffic from RSS clients. |
| cf-web-page | Operations that serve HTML pages. |
Some detections use labels to decide which operations to inspect. The following detections can use operation labels:
| Label | Related detection |
|---|---|
| cf-llm | AI Security for Apps |
| cf-log-in | Leaked credentials detection and account abuse protection |
| cf-sign-up | Account abuse protection |
Some detections may still require product-specific configuration. For an end-to-end workflow, refer to Define security protections.
Custom labels help you organize operations by owner, application, environment, and business flow.
Apply labels to operations from Web Assets.
- In the Cloudflare dashboard, go to the Web Assets page.
- Select the operation that you want to label.
- Select Edit labels.
- Select the managed or custom labels to apply.
- Select Save labels.
You can review matched operations and managed labels in Security Analytics. You can also query or export this data.
You can query matched operation and managed label data using the GraphQL Analytics API. The webAssetsOperationId and webAssetsLabelsManaged fields are available in the httpRequestsAdaptive and httpRequestsAdaptiveGroups datasets.
webAssetsLabelsManaged returns at most 10 labels per request.
The following query returns request counts by operation ID and managed label set for traffic carrying the cf-llm managed label:
```graphql
query GetAdaptiveGroups($zoneTag: string, $start: DateTime!, $end: DateTime!) {
  viewer {
    zones(filter: { zoneTag: $zoneTag }) {
      httpRequestsAdaptiveGroups(
        filter: {
          datetime_geq: $start
          datetime_leq: $end
          requestSource: "eyeball"
          webAssetsLabelsManaged_hasany: ["cf-llm"]
        }
        limit: 25
        orderBy: [count_DESC]
      ) {
        count
        dimensions {
          webAssetsOperationId
          webAssetsLabelsManaged
        }
      }
    }
  }
}
```

Replace cf-llm with another managed label. You can also use webAssetsOperationId as the only dimension to group traffic by matched operation.
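The following Python code is an added example, not part of Cloudflare's documentation. It pivots a response to the query above into per-operation and per-label request totals, and flags results that may be cut off by the query limit or the 10-label cap. The sample response, its operation IDs, the `summarize` helper, and the assumption that webAssetsLabelsManaged comes back as a list of strings are all constructed for illustration.

```python
import json
from collections import Counter

# Constructed sample response shaped after the query's selection set. Operation
# IDs and counts are made up; a list-valued label dimension is an assumption.
SAMPLE_RESPONSE = json.loads("""
{"data": {"viewer": {"zones": [{"httpRequestsAdaptiveGroups": [
  {"count": 1200, "dimensions": {"webAssetsOperationId": "op-chat",
    "webAssetsLabelsManaged": ["cf-llm", "cf-api-endpoint"]}},
  {"count": 300, "dimensions": {"webAssetsOperationId": "op-summarize",
    "webAssetsLabelsManaged": ["cf-llm"]}},
  {"count": 40, "dimensions": {"webAssetsOperationId": "op-chat",
    "webAssetsLabelsManaged": ["cf-llm"]}}
]}]}}, "errors": null}
""")

MAX_LABELS = 10   # webAssetsLabelsManaged returns at most 10 labels per request
QUERY_LIMIT = 25  # the `limit` used in the query


def summarize(response, limit=QUERY_LIMIT):
    """Pivot (operation ID, label set) groups into per-operation and per-label totals."""
    if response.get("errors"):
        raise RuntimeError(f"GraphQL errors: {response['errors']}")
    per_operation, per_label, capped = Counter(), Counter(), set()
    groups = [g for zone in response["data"]["viewer"]["zones"]
              for g in zone["httpRequestsAdaptiveGroups"]]
    for group in groups:
        dims = group["dimensions"]
        op_id = dims["webAssetsOperationId"]
        labels = dims["webAssetsLabelsManaged"] or []
        # The same operation can appear under several label sets; merge them.
        per_operation[op_id] += group["count"]
        # A request carrying several labels counts toward each of them, so
        # per-label totals overlap and must not be summed into a grand total.
        for label in set(labels):
            per_label[label] += group["count"]
        if len(labels) >= MAX_LABELS:
            capped.add(op_id)  # label list may be cut off at the cap
    return {
        "per_operation": dict(per_operation),
        "per_label": dict(per_label),
        "label_cap_reached": sorted(capped),
        "possibly_truncated": len(groups) >= limit,  # more groups may exist
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_RESPONSE), indent=2))
```
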
You can export per-request Web Assets data to your storage or SIEM system using Logpush. The WebAssetsOperationID and WebAssetsLabelsManaged fields are available in the HTTP requests dataset.