Modify response header
Use HTTP response header modification rules to manipulate the headers of HTTP responses sent to website visitors.
flowchart LR accTitle: Header modifications diagram accDescr: Header modification rules can change the headers sent to your origin server (request header modifications) or sent your your website visitors (response header modifications). A[Visitor] B((Cloudflare)) C[(Origin server)] A -.-> B -. "Includes request<br> header modifications" .-> C C -.-> B == "Includes response<br> header modifications" ==> A style A stroke-width: 2px style B stroke: orange,fill: orange,color: black linkStyle 0,1,2 stroke-width: 1px linkStyle 3 stroke-width: 3px
To modify HTTP headers in the request sent to your origin server, refer to HTTP request header modification rules.
Through HTTP response header modification rules you can:
- Set the value of an HTTP response header to a literal string value, overwriting its previous value or adding a new header to the response if it does not exist.
- Set the value of an HTTP response header according to an expression, overwriting its previous value or adding a new header to the response if it does not exist.
- Add a new HTTP response header with a literal string value without removing any existing headers with the same name.
- Remove an HTTP header from the response.
You can create an HTTP response header modification rule in the dashboard or via API.
For more complex response header modifications, consider using Snippets.
Important remarks
-
The response header values are calculated using the field values from the corresponding HTTP request. For example, the value of
ip.src.country
will be the country of the website visitor, not the origin where the response was sent from. -
You cannot modify or remove HTTP response headers whose name starts with
cf-
orx-cf-
. -
You cannot modify the value of certain headers such as
server
,eh-cache-tag
, oreh-cdn-cache-control
. -
Currently you cannot reference IP lists in expressions of HTTP response header modification rules.
-
The HTTP response header removal operation will remove all response headers with the provided name.
-
If you change the value of an existing HTTP response header using an expression that evaluates to an empty string (
""
) or an undefined value, the HTTP response header is removed. -
Currently, there is a limited number of HTTP response headers that you cannot change. Cloudflare may remove restrictions for some of these HTTP response headers when presented with valid use cases. Create a post in the community ↗ for consideration.
-
Any response header modifications will also apply to Cloudflare error pages and custom error pages.
-
Modifying
cache-control
,CDN-Cache-Control
, orCloudflare-CDN-Cache-Control
headers will not change the way Cloudflare caches an object. Instead, you should create a Cache Rule. -
To add a
set-cookie
header to the response, make sure you use the Add operation instead of Set static/Set dynamic. Using one of the Set operations will remove anyset-cookie
headers already in the response, including those added by other Cloudflare products such as Bot Management. -
Currently you can only use the Add operation with a literal string value.
Troubleshooting
When troubleshooting HTTP response header modification rules, use Cloudflare Trace to determine if a rule is triggering for a specific URL.