Require specific HTTP headers
Many organizations qualify traffic based on the presence of specific HTTP request headers. Use the Rules language HTTP request header fields to target requests with specific headers.
This example uses the http.request.headers.names field to look for the presence of an X-CSRF-Token header. The lower() transformation function converts the header name to lowercase so that the expression is case-insensitive.
When the X-CSRF-Token header is missing, Cloudflare blocks the request.
- Expression:
not any(lower(http.request.headers.names[*])[*] eq "x-csrf-token") and (http.request.full_uri eq "https://www.example.com/somepath")
- Action: Block
This example uses the http.request.headers field to look for the presence of the X-Example-Header header and to get its value (if any). The keys in the http.request.headers field, corresponding to HTTP header names, are in lowercase.
When the X-Example-Header header is missing or it does not have the value example-value, Cloudflare blocks the request.
- Expression:
not any(http.request.headers["x-example-header"][*] eq "example-value") and (http.request.uri.path eq "/somepath")
- Action: Block
In this example the header name is case-insensitive, but the header value is case-sensitive.
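The following Python sketch is an added example, not Cloudflare code. It models how the two expressions above evaluate against constructed sample requests, so the verdicts can be checked before a rule is deployed. The function names, the sample requests, and the assumption that http.request.headers.names keeps header names as sent are illustrative.

```python
# Added example: a model of the two expressions, not Cloudflare code.
# Assumption: http.request.headers.names keeps header names as sent, while
# http.request.headers maps lowercase names to a list of values.

def build_fields(raw_headers):
    """Build (headers, names) from a list of (name, value) pairs."""
    headers, names = {}, []
    for name, value in raw_headers:
        headers.setdefault(name.lower(), []).append(value)
        names.append(name)
    return headers, names


def csrf_rule_blocks(raw_headers, full_uri):
    """not any(lower(names[*])[*] eq "x-csrf-token") and full_uri eq ..."""
    _, names = build_fields(raw_headers)
    present = any(n.lower() == "x-csrf-token" for n in names)
    return (not present) and full_uri == "https://www.example.com/somepath"


def example_header_rule_blocks(raw_headers, path):
    """not any(headers["x-example-header"][*] eq "example-value") and path eq ..."""
    headers, _ = build_fields(raw_headers)
    values = headers.get("x-example-header", [])  # missing header -> no values
    matched = any(v == "example-value" for v in values)
    return (not matched) and path == "/somepath"


URI = "https://www.example.com/somepath"
# Constructed sample requests: (description, headers, rule 1 blocks?, rule 2 blocks?)
CASES = [
    ("no headers", [], True, True),
    ("mixed-case names", [("x-CSRF-token", "abc"), ("X-EXAMPLE-HEADER", "example-value")], False, False),
    ("empty token, wrong-case value", [("X-CSRF-Token", ""), ("X-Example-Header", "Example-Value")], False, True),
    ("repeated header, one value matches", [("X-Example-Header", "other"), ("X-Example-Header", "example-value")], True, False),
]

def run_cases():
    """Return (description, rule1, rule2) verdicts for every sample request."""
    return [(d, csrf_rule_blocks(h, URI), example_header_rule_blocks(h, "/somepath"))
            for d, h, _, _ in CASES]

if __name__ == "__main__":
    for desc, r1, r2 in run_cases():
        print(f"{desc:36} csrf_rule={'block' if r1 else 'pass'} header_rule={'block' if r2 else 'pass'}")
```

The third case shows that the first expression checks only that the header is present: an empty X-CSRF-Token value passes the rule, so validating the token itself remains the application's job.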