Forward certificate to server
Customers using Cloudflare Access also have the option to forward client certificates to their origin server.
In addition to enforcing mTLS authentication for your host, you can also forward a client certificate to your origin server as an HTTP header. This setup is often helpful for server logging.
To avoid adding the certificate to every single request, the certificate is only forwarded on the first request of an mTLS connection.
This process is only available on accounts with Cloudflare Access.
The most common approach to forwarding a certificate is to use the Cloudflare API to update an mTLS certificate's hostname settings.
At least one of the following token permissions
is required:
Required API token permissions
Access: Mutual TLS Certificates Write
Once
client_certificate_forwarding is set to
true, every request within an mTLS connection will now include the following headers:
Cf-Client-Cert-Der-Base64
Cf-Client-Cert-Sha256
You can also modify HTTP response headers using Managed Transforms to pass along TLS client auth headers.
Additionally, Workers can provide details around the client certificate.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- © 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark
-