Available Managed Transforms

This page lists the available Managed Transforms. They can modify HTTP request headers or response headers.

For more complex and customized header modifications, consider using Snippets.

Warning

The names of HTTP headers are case-insensitive. Cloudflare may use a capitalization different from the one presented in this page. Make sure that your origin server can handle HTTP request headers regardless of the exact capitalization of their names.

HTTP request headers

Add bot protection headers

Note

Requires an Enterprise plan with Bot Management enabled.

Adds HTTP headers with bot-related values to the request sent to the origin server:

• cf-bot-score: Contains the bot score (for example, 30).
• cf-verified-bot: Contains true if the request comes from a verified bot , or false otherwise.
• cf-threat-score: Contains the threat score (for example, 10).
• cf-ja3-hash: Contains the JA3 fingerprint .
• cf-ja4: Contains the JA4 fingerprint .

Add TLS client auth headers

Adds HTTP headers with Mutual TLS (mTLS) client authentication values to the request sent to the origin server:

• cf-cert-revoked: Value from the cf.tls_client_auth.cert_revoked field.
• cf-cert-verified: Value from the cf.tls_client_auth.cert_verified field.
• cf-cert-presented: Value from the cf.tls_client_auth.cert_presented field.
• cf-cert-issuer-dn: Value from the cf.tls_client_auth.cert_issuer_dn field.
• cf-cert-subject-dn: Value from the cf.tls_client_auth.cert_subject_dn field.
• cf-cert-issuer-dn-rfc2253: Value from the cf.tls_client_auth.cert_issuer_dn_rfc2253 field.
• cf-cert-subject-dn-rfc2253: Value from the cf.tls_client_auth.cert_subject_dn_rfc2253 field.
• cf-cert-issuer-dn-legacy: Value from the cf.tls_client_auth.cert_issuer_dn_legacy field.
• cf-cert-subject-dn-legacy: Value from the cf.tls_client_auth.cert_subject_dn_legacy field.
• cf-cert-serial: Value from the cf.tls_client_auth.cert_serial field.
• cf-cert-issuer-serial: Value from the cf.tls_client_auth.cert_issuer_serial field.
• cf-cert-fingerprint-sha256: Value from the cf.tls_client_auth.cert_fingerprint_sha256 field.
• cf-cert-fingerprint-sha1: Value from the cf.tls_client_auth.cert_fingerprint_sha1 field.
• cf-cert-not-before: Value from the cf.tls_client_auth.cert_not_before field.
• cf-cert-not-after: Value from the cf.tls_client_auth.cert_not_after field.
• cf-cert-ski: Value from the cf.tls_client_auth.cert_ski field.
• cf-cert-issuer-ski: Value from the cf.tls_client_auth.cert_issuer_ski field.

Add visitor location headers

Adds HTTP headers with location information for the visitor’s IP address to the request sent to the origin server:

• cf-ipcity: The visitor’s city (value from the ip.src.city field).
• cf-ipcountry: The visitor’s country (value from the ip.src.country field).
• cf-ipcontinent: The visitor’s continent (value from the ip.src.continent field).
• cf-iplongitude: The visitor’s longitude (value from the ip.src.lon field).
• cf-iplatitude: The visitor’s latitude (value from the ip.src.lat field).
• cf-region: The visitor’s region (value from the ip.src.region field).
• cf-region-code: The visitor’s region code (value from the ip.src.region_code field).
• cf-metro-code: The visitor’s metro code (value from the ip.src.metro_code field).
• cf-postal-code: The visitor’s postal code (value from the ip.src.postal_code field).
• cf-timezone: The name of the visitor’s timezone (value from the ip.src.timezone.name field).

Warning

Turning on IP geolocation will send a cf-ipcountry HTTP header to your origin server even when Add visitor location headers is turned off.

Add “True-Client-IP” header

Note

Only available on Enterprise plans.

Adds a true-client-ip request header with the visitor’s IP address.

This Managed Transform is unavailable when Remove visitor IP headers is enabled.

Remove visitor IP headers

Removes HTTP headers that may contain the visitor’s IP address from the request sent to the origin server. Handles the following HTTP request headers:

• cf-connecting-ip
• x-forwarded-for (refer to the notes below)
• true-client-ip

This Managed Transform is unavailable when Add “True-Client-IP” header is enabled.

Visitor IP address in the x-forwarded-for HTTP header

For the x-forwarded-for HTTP request header, enabling Remove visitor IP headers will only remove the visitor IP from the header value when Cloudflare receives a request proxied by at least another CDN (content delivery network). In this case, Cloudflare will only keep the IP address of the last proxy.

For example, consider an incoming request proxied by two CDNs (CDN_1 and CDN_2) before reaching the Cloudflare network. The x-forwarded-for header would be similar to the following:
x-forwarded-for: <VISITOR_IP>, <THIRD_PARTY_CDN_1_IP>, <THIRD_PARTY_CDN_2_IP>

With Remove visitor IP headers enabled, the x-forwarded-for header sent to the origin server will be:
x-forwarded-for: <THIRD_PARTY_CDN_2_IP>

HTTP response headers

Remove “X-Powered-By” headers

Removes the X-Powered-By HTTP response header that provides information about the application at the origin server that handled the request.

Add security headers

Adds several security-related HTTP response headers. The added response headers and values are the following:

• x-content-type-options: nosniff
• x-xss-protection: 1; mode=block
• x-frame-options: SAMEORIGIN
• referrer-policy: same-origin
• expect-ct: max-age=86400, enforce

To increase protection, enable HTTP Strict Transport Security (HSTS) for your website.