Dynamic fields
Dynamic fields represent computed or derived values, typically related to threat intelligence about an HTTP request.
The Cloudflare Rules language supports these dynamic fields.
cf.bot_management.verified_bot
Boolean
When true
, this field indicates the request originated from a known good bot or crawler. Provides the same information as cf.client.bot
.
cf.verified_bot_category
String
Provides the type and purpose of a verified bot. For more details, refer to Verified Bot Categories.
cf.bot_management.score
Number
Represents the likelihood that a request originates from a bot using a score from 1–99. A low score indicates that the request comes from a bot or an automated agent. A high score indicates that a human issued the request.
cf.bot_management.static_resource
Boolean
Indicates whether static resources should be included when you create a rule using cf.bot_management.score
. For more details, refer to Static resource protection.
cf.bot_management.ja3_hash
String
Provides an SSL/TLS fingerprint to help you identify potential bot requests. For more details, refer to JA3/JA4 Fingerprint.
cf.bot_management.ja4
String
Provides an SSL/TLS fingerprint to help you identify potential bot requests. For more details, refer to JA3/JA4 Fingerprint.
cf.bot_management.js_detection.passed
Boolean
Indicates whether the visitor has previously passed a JS Detection. For more details, refer to JavaScript detections.
cf.bot_management.detection_ids
Array<Number>
List of IDs that correlate to the Bot Management heuristic detections made on a request (you can have multiple heuristic detections on the same request). Use this field to explicitly match a specific heuristic or to exclude a heuristic in a rule.
Example:
cf.client.bot
Boolean
When true
, this field indicates the request originated from a known good bot or crawler. Provides the same information as cf.bot_management.verified_bot
.
cf.edge.server_ip
IP address
Represents the global network's IP address to which the HTTP request has resolved. This field is only meaningful for BYOIP customers.
cf.edge.server_port
Number
Represents the port number at which the Cloudflare global network received the request. Use this field to filter traffic on a specific port. The value is a port number in the range 1–65535.
cf.hostname.metadata
String
Returns the string representation of the per-hostname custom metadata JSON object set by SSL for SaaS customers.
cf.random_seed
Bytes
Returns per-request random bytes that you can use in the uuidv4()
function.
cf.ray_id
String
The Ray ID of the current request. A Ray ID is an identifier given to every request that goes through Cloudflare.
cf.threat_score
Number
Represents a Cloudflare threat score from 0–100, where 0 indicates low risk. Values above 10 may represent spammers or bots, and values above 40 identify bad actors on the Internet. It is rare to see values above 60. A common recommendation is to challenge requests with a score above 10 and to block those above 50.
cf.tls_cipher
String
The cipher for the connection to Cloudflare.
Example:
cf.tls_client_auth.cert_revoked
Boolean
Returns true
when a request presents a valid but revoked client certificate. When true
, the cf.tls_client_auth.cert_verified
field is also true
.
cf.tls_client_auth.cert_verified
Boolean
Returns true
when a request presents a valid client certificate. Also returns true
when a request includes a valid certificate that was revoked (refer to cf.tls_client_auth.cert_revoked
).
cf.tls_client_auth.cert_presented
Boolean
Returns true
when a request presents a certificate (valid or not).
cf.tls_client_auth.cert_issuer_dn
String
The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate included in the request.
Example:
cf.tls_client_auth.cert_subject_dn
String
The Distinguished Name (DN) of the owner (or requester) of the certificate included in the request.
Example:
cf.tls_client_auth.cert_issuer_dn_rfc2253
String
The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in RFC 2253 ↗ format.
Example:
cf.tls_client_auth.cert_subject_dn_rfc2253
String
The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in RFC 2253 ↗ format.
Example:
cf.tls_client_auth.cert_issuer_dn_legacy
String
The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in a legacy format.
Example:
cf.tls_client_auth.cert_subject_dn_legacy
String
The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in a legacy format.
Example:
cf.tls_client_auth.cert_serial
String
Serial number of the certificate in the request.
Example:
cf.tls_client_auth.cert_issuer_serial
String
Serial number of the direct issuer of the certificate in the request.
Example:
cf.tls_client_auth.cert_fingerprint_sha256
String
The SHA-256 fingerprint of the certificate in the request.
Example:
cf.tls_client_auth.cert_fingerprint_sha1
String
The SHA-1 fingerprint of the certificate in the request.
Example:
cf.tls_client_auth.cert_not_before
String
The certificate in the request is not valid before this date.
Example:
cf.tls_client_auth.cert_not_after
String
The certificate in the request is not valid after this date.
Example:
cf.tls_client_auth.cert_ski
String
The Subject Key Identifier (SKI) of the certificate in the request.
Example:
cf.tls_client_auth.cert_issuer_ski
String
The Subject Key Identifier (SKI) of the direct issuer of the certificate in the request.
Example:
cf.tls_client_extensions_sha1
String
The SHA-1 fingerprint of TLS client extensions, encoded in Base64.
Example:
cf.tls_client_hello_length
Number
The length of the client hello message sent in a TLS handshake ↗. Specifically, the length of the bytestring of the client hello.
Example:
cf.tls_client_random
String
The value of the 32-byte random value provided by the client in a TLS handshake ↗, encoded in Base64. Refer to RFC 8446 ↗ for more details.
Example:
cf.tls_version
String
The TLS version of the connection to Cloudflare.
Example:
cf.waf.content_scan.has_obj
Boolean
When true
, the request contains at least one content object.
For more details, refer to Malicious uploads detection.
cf.waf.content_scan.has_malicious_obj
Boolean
When true
, the request contains at least one malicious content object.
For more details, refer to Malicious uploads detection.
cf.waf.content_scan.num_malicious_obj
Integer
The number of malicious content objects detected in the request (zero or greater).
For more details, refer to Malicious uploads detection.
cf.waf.content_scan.has_failed
Boolean
When true
, the file scanner was unable to scan all the content objects detected in the request.
For more details, refer to Malicious uploads detection.
cf.waf.content_scan.num_obj
Integer
The number of content objects detected in the request (zero or greater).
For more details, refer to Malicious uploads detection.
cf.waf.content_scan.obj_sizes
Array<Integer>
An array of file sizes in bytes, in the order the content objects were detected in the request.
For more details, refer to Malicious uploads detection.
cf.waf.content_scan.obj_types
Array<String>
An array of file types in the order the content objects were detected in the request. If Cloudflare cannot determine the file type of a content object, the corresponding value in the obj_types
array will be application/octet-stream
.
For more details, refer to Malicious uploads detection.
cf.waf.content_scan.obj_results
Array<String>
An array of scan results in the order the content objects were detected in the request. The possible values are: clean
, suspicious
, infected
, and not scanned
.
For more details, refer to Malicious uploads detection.
cf.waf.score
Number
A global score from 1
to 99
that combines the score of each WAF attack vector into a single score. This is the standard WAF attack score to detect variants of attack patterns.
cf.waf.score.sqli
Number
An attack score from 1
to 99
classifying the SQL injection (SQLi) attack vector.
cf.waf.score.xss
Number
An attack score from 1
to 99
classifying the cross-site scripting (XSS) attack vector.
cf.waf.score.rce
Number
An attack score from 1
to 99
classifying the command injection or Remote Code Execution (RCE) attack vector.
cf.waf.score.class
String
The attack score class of the current request, based on the WAF attack score. Can have one of the following values: attack
, likely_attack
, likely_clean
, clean
.
cf.waf.auth_detected
Boolean
When true
, the Cloudflare WAF detected authentication credentials in the request.
Only available when leaked credentials detection is enabled.
cf.waf.credential_check.password_leaked
Boolean
When true
, the password detected in the request was previously leaked.
Only available when leaked credentials detection is enabled.
cf.waf.credential_check.username_leaked
Boolean
When true
, the username detected in the request was previously leaked.
Only available when leaked credentials detection is enabled.
cf.waf.credential_check.username_and_password_leaked
Boolean
When true
, the authentication credentials detected in the request (username and password pair) were previously leaked.
Only available when leaked credentials detection is enabled.
cf.waf.credential_check.username_password_similar
Boolean
When true
, a similar version of the username and password credentials detected in the request were previously leaked.
Only available when leaked credentials detection is enabled.
cf.worker.upstream_zone
String
Identifies whether a request comes from a worker or not. When a request comes from a worker, this field will hold the name of the zone for that worker. Otherwise, cf.worker.upstream_zone
is empty.
The Bot Management Corporate Proxy field contains identified cloud-based corporate proxies and secure web gateways that are Enterprise-only, and provide outbound security services to their clients.
You can access the Corporate Proxy field in custom rules, rate limiting rules, or Workers to provide different security rules for traffic from these sources. You can also exempt them from rules using Bot Management scores.
API Shield users can now create custom rules using claims present in tokens processed by JSON Web Tokens Validation.
Users can also use any custom JWT claim. Refer to the WAF documentation for an example of a custom JWT claim.
http.request.jwt.claims.aud
Map<Array<String>>
http.request.jwt.claims.aud.names
Array<String>
http.request.jwt.claims.aud.values
Array<String>
The aud
(audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for. Each principal intended to process the JWT must identify itself with a value in the audience claim. In the general case, the aud
value is an array of case-sensitive strings, each containing a StringOrURI
value.
Refer to the Registered Claim Names ↗ in RFC 7519 for more information.
http.request.jwt.claims.iat.sec
Map<Array<Integer>>
http.request.jwt.claims.iat.sec.names
Array<String>
http.request.jwt.claims.iat.sec.values
Array<Integer>
The iat
(issued at) claim identifies the time (number of seconds) at which the JWT was issued.
Refer to the Registered Claim Names ↗ in RFC 7519 for more information.
http.request.jwt.claims.iss
Map<Array<String>>
http.request.jwt.claims.iss.names
Array<String>
http.request.jwt.claims.iss.values
Array<String>
The iss
(issuer) claim identifies the principal that issued the JWT.
Refer to the Registered Claim Names ↗ in RFC 7519 for more information.
http.request.jwt.claims.jti
Map<Array<String>>
http.request.jwt.claims.jti.names
Array<String>
http.request.jwt.claims.jti.values
Array<String>
The jti
(JWT ID) claim provides a unique identifier for the JWT.
Refer to the Registered Claim Names ↗ in RFC 7519 for more information.
http.request.jwt.claims.nbf.sec
Map<Array<Integer>>
http.request.jwt.claims.nbf.sec.names
Array<String>
http.request.jwt.claims.nbf.sec.values
Array<Integer>
The nbf
(not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.
Refer to the Registered Claim Names ↗ in RFC 7519 for more information.
http.request.jwt.claims.sub
Map<Array<String>>
http.request.jwt.claims.sub.names
Array<String>
http.request.jwt.claims.sub.values
Array<String>
The sub
(subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject.
Refer to the Registered Claim Names ↗ in RFC 7519 for more information.