HTTP requests
The descriptions below detail the fields available for http_requests.
BotDetectionIDs
Section titled “BotDetectionIDs”Type: array[int]
List of IDs that correlate to the Bot Management Heuristic detections made on a request. Available only for Bot Management customers. To enable this feature, contact your account team.
BotDetectionTags
Section titled “BotDetectionTags”Type: array[string]
List of tags that correlate to the Bot Management Heuristic detections made on a request. Available only for Bot Management customers. To enable this feature, contact your account team.
BotScore
Section titled “BotScore”Type: int
Cloudflare Bot Score. Scores below 30 are commonly associated with automated traffic. Available only for Bot Management customers. To enable this feature, contact your account team.
BotScoreSrc
Section titled “BotScoreSrc”Type: string
Detection engine responsible for generating the Bot Score.
Possible values are Not Computed | Heuristics | Machine Learning | Behavioral Analysis | Verified Bot | JS Fingerprinting | Cloudflare Service. Available only for Bot Management customers. To enable this feature, contact your account team.
BotTags
Section titled “BotTags”Type: array[string]
Type of bot traffic (if available). Refer to Bot Tags for the list of potential values. Available only for Bot Management customers. To enable this feature, contact your account team.
CacheCacheStatus
Section titled “CacheCacheStatus”Type: string
Cache status.
Possible values are unknown | miss | expired | updating | stale | hit | ignored | bypass | revalidated | dynamic | stream_hit | deferred
"dynamic" means that a request is not eligible for cache. This can mean, for example that it was blocked by the firewall. Refer to Cloudflare cache responses for more details.
CacheReserveUsed
Section titled “CacheReserveUsed”Type: bool
Cache Reserve was used to serve this request.
CacheResponseBytes
Section titled “CacheResponseBytes”Type: int
Number of bytes returned by the cache.
CacheResponseStatus (deprecated)
Section titled “CacheResponseStatus (deprecated)”Type: int
HTTP status code returned by the cache to the edge. All requests (including non-cacheable ones) go through the cache. Refer also to CacheCacheStatus field.
CacheTieredFill
Section titled “CacheTieredFill”Type: bool
Tiered Cache was used to serve this request.
ClientASN
Section titled “ClientASN”Type: int
Client AS number.
ClientCity
Section titled “ClientCity”Type: string
Approximate city of the client.
ClientCountry
Section titled “ClientCountry”Type: string
2-letter ISO-3166 country code of the client IP address.
ClientDeviceType
Section titled “ClientDeviceType”Type: string
Client device type.
ClientIP
Section titled “ClientIP”Type: string
IP address of the client.
ClientIPClass
Section titled “ClientIPClass”Type: string
Client IP class.
Possible values are unknown | badHost | searchEngine | allowlist | monitoringService | noRecord | scan | tor.
ClientLatitude
Section titled “ClientLatitude”Type: string
Approximate latitude of the client.
ClientLongitude
Section titled “ClientLongitude”Type: string
Approximate longitude of the client.
ClientMTLSAuthCertFingerprint
Section titled “ClientMTLSAuthCertFingerprint”Type: string
The SHA256 fingerprint of the certificate presented by the client during mTLS authentication. Only populated on the first request on an mTLS connection.
ClientMTLSAuthStatus
Section titled “ClientMTLSAuthStatus”Type: string
The status of mTLS authentication. Only populated on the first request on an mTLS connection.
Possible values are unknown | ok | absent | untrusted | notyetvalid | expired.
ClientRegionCode
Section titled “ClientRegionCode”Type: string
The ISO-3166-2 region code of the client IP address.
ClientRequestBytes
Section titled “ClientRequestBytes”Type: int
Number of bytes in the client request.
ClientRequestHost
Section titled “ClientRequestHost”Type: string
Host requested by the client.
ClientRequestMethod
Section titled “ClientRequestMethod”Type: string
HTTP method of client request.
ClientRequestPath
Section titled “ClientRequestPath”Type: string
URI path requested by the client.
ClientRequestProtocol
Section titled “ClientRequestProtocol”Type: string
HTTP protocol of client request.
ClientRequestReferer
Section titled “ClientRequestReferer”Type: string
HTTP request referrer.
ClientRequestScheme
Section titled “ClientRequestScheme”Type: string
The URL scheme requested by the visitor.
ClientRequestSource
Section titled “ClientRequestSource”Type: string
Identifies requests as coming from an external source or another service within Cloudflare. Refer to ClientRequestSource field for the list of potential values.
ClientRequestURI
Section titled “ClientRequestURI”Type: string
URI requested by the client.
ClientRequestUserAgent
Section titled “ClientRequestUserAgent”Type: string
User agent reported by the client.
ClientSSLCipher
Section titled “ClientSSLCipher”Type: string
Client SSL cipher.
ClientSSLProtocol
Section titled “ClientSSLProtocol”Type: string
Client SSL (TLS) protocol. The value "none" means that SSL was not used.
ClientSrcPort
Section titled “ClientSrcPort”Type: int
Client source port.
ClientTCPRTTMs
Section titled “ClientTCPRTTMs”Type: int
The smoothed average of TCP round-trip time (SRTT). For the initial request on a connection, this is measured only during connection setup. For a subsequent request on the same connection, it is measured over the entire connection lifetime up until the time that request is received.
ClientXRequestedWith
Section titled “ClientXRequestedWith”Type: string
X-Requested-With HTTP header.
ContentScanObjResults
Section titled “ContentScanObjResults”Type: array[string]
List of content scan results.
ContentScanObjSizes
Section titled “ContentScanObjSizes”Type: array[int]
List of content object sizes.
ContentScanObjTypes
Section titled “ContentScanObjTypes”Type: array[string]
List of content types.
Cookies
Section titled “Cookies”Type: object
String key-value pairs for Cookies. This field is populated based on Logpush Custom fields, which need to be configured.
EdgeCFConnectingO2O
Section titled “EdgeCFConnectingO2O”Type: bool
True if the request looped through multiple zones on the Cloudflare edge. This is considered an orange to orange (O2O) request.
EdgeColoCode
Section titled “EdgeColoCode”Type: string
IATA airport code of the data center that received the request.
EdgeColoID
Section titled “EdgeColoID”Type: int
Cloudflare edge data center ID.
EdgeEndTimestamp
Section titled “EdgeEndTimestamp”Type: int or string
Timestamp at which the edge finished sending response to the client.
EdgePathingOp
Section titled “EdgePathingOp”Type: string
Indicates what type of response was issued for this request (unknown = no specific action).
EdgePathingSrc
Section titled “EdgePathingSrc”Type: string
Details how the request was classified based on security checks (unknown = no specific classification).
EdgePathingStatus
Section titled “EdgePathingStatus”Type: string
Indicates what data was used to determine the handling of this request (unknown = no data).
EdgeRequestHost
Section titled “EdgeRequestHost”Type: string
Host header on the request from the edge to the origin.
EdgeResponseBodyBytes
Section titled “EdgeResponseBodyBytes”Type: int
Size of the HTTP response body returned to clients.
EdgeResponseBytes
Section titled “EdgeResponseBytes”Type: int
Number of bytes returned by the edge to the client.
EdgeResponseCompressionRatio
Section titled “EdgeResponseCompressionRatio”Type: float
The edge response compression ratio is calculated as the ratio between the sizes of the original and compressed responses.
EdgeResponseContentType
Section titled “EdgeResponseContentType”Type: string
Edge response Content-Type header value.
EdgeResponseStatus
Section titled “EdgeResponseStatus”Type: int
HTTP status code returned by Cloudflare to the client.
EdgeServerIP
Section titled “EdgeServerIP”Type: string
IP of the edge server making a request to the origin. Possible responses are string in IPv4 or IPv6 format, or empty string. Empty string means that there was no request made to the origin server.
EdgeStartTimestamp
Section titled “EdgeStartTimestamp”Type: int or string
Timestamp at which the edge received request from the client.
EdgeTimeToFirstByteMs
Section titled “EdgeTimeToFirstByteMs”Type: int
Total view of Time To First Byte as measured at Cloudflare's edge. Starts after a TCP connection is established and ends when Cloudflare begins returning the first byte of a response to eyeballs. Includes TLS handshake time (for new connections) and origin response time.
JA3Hash
Section titled “JA3Hash”Type: string
The MD5 hash of the JA3 fingerprint used to profile SSL/TLS clients. Available only for Bot Management customers. To enable this feature, contact your account team.
Type: string
The JA4 fingerprint used to profile SSL/TLS clients. Available only for Bot Management customers. To enable this feature, contact your account team.
JA4Signals
Section titled “JA4Signals”Type: object
Inter-request statistics computed for this JA4 fingerprint. JA4Signals field is organized in key:value pairs, where values are numbers. Available only for Bot Management customers. To enable this feature, contact your account team.
LeakedCredentialCheckResult
Section titled “LeakedCredentialCheckResult”Type: string
Result of the check for leaked credentials.
Possible results are: password_leaked | username_and_password_leaked | username_password_similar | username_leaked | clean.
OriginDNSResponseTimeMs
Section titled “OriginDNSResponseTimeMs”Type: int
Time taken to receive a DNS response for an origin name. Usually takes a few milliseconds, but may be longer if a CNAME record is used.
OriginIP
Section titled “OriginIP”Type: string
IP of the origin server.
OriginRequestHeaderSendDurationMs
Section titled “OriginRequestHeaderSendDurationMs”Type: int
Time taken to send request headers to origin after establishing a connection. Note that this value is usually 0.
OriginResponseBytes (deprecated)
Section titled “OriginResponseBytes (deprecated)”Type: int
Number of bytes returned by the origin server.
OriginResponseDurationMs
Section titled “OriginResponseDurationMs”Type: int
Upstream response time, measured from the first datacenter that receives a request. Includes time taken by Argo Smart Routing and Tiered Cache, plus time to connect and receive a response from origin servers. This field replaces OriginResponseTime.
OriginResponseHTTPExpires
Section titled “OriginResponseHTTPExpires”Type: string
Value of the origin 'expires' header in RFC1123 format.
OriginResponseHTTPLastModified
Section titled “OriginResponseHTTPLastModified”Type: string
Value of the origin 'last-modified' header in RFC1123 format.
OriginResponseHeaderReceiveDurationMs
Section titled “OriginResponseHeaderReceiveDurationMs”Type: int
Time taken for origin to return response headers after Cloudflare finishes sending request headers.
OriginResponseStatus
Section titled “OriginResponseStatus”Type: int
Status returned by the upstream server. The value 0 means that there was no request made to the origin server and the response was served by Cloudflare's Edge. However, if the zone has a Worker running on it, the value 0 could be the result of a Workers subrequest made to the origin.
OriginResponseTime (deprecated)
Section titled “OriginResponseTime (deprecated)”Type: int
Number of nanoseconds it took the origin to return the response to edge.
OriginSSLProtocol
Section titled “OriginSSLProtocol”Type: string
SSL (TLS) protocol used to connect to the origin.
OriginTCPHandshakeDurationMs
Section titled “OriginTCPHandshakeDurationMs”Type: int
Time taken to complete TCP handshake with origin. This will be 0 if an origin connection is reused.
OriginTLSHandshakeDurationMs
Section titled “OriginTLSHandshakeDurationMs”Type: int
Time taken to complete TLS handshake with origin. This will be 0 if an origin connection is reused.
ParentRayID
Section titled “ParentRayID”Type: string
Ray ID of the parent request if this request was made using a Worker script.
Type: string
ID of the request.
RequestHeaders
Section titled “RequestHeaders”Type: object
String key-value pairs for RequestHeaders. This field is populated based on Logpush Custom fields, which need to be configured.
ResponseHeaders
Section titled “ResponseHeaders”Type: object
String key-value pairs for ResponseHeaders. This field is populated based on Logpush Custom fields, which need to be configured.
SecurityAction
Section titled “SecurityAction”Type: string
Action of the security rule that triggered a terminating action, if any.
SecurityActions
Section titled “SecurityActions”Type: array[string]
Array of actions the Cloudflare security products performed on this request. The individual security products associated with this action can be found in SecuritySources and their respective rule IDs can be found in SecurityRuleIDs. The length of the array is the same as SecurityRuleIDs and SecuritySources.
Possible actions are unknown | allow | block | challenge | jschallenge | log | connectionClose | challengeSolved | challengeBypassed | jschallengeSolved | jschallengeBypassed | bypass | managedChallenge | managedChallengeNonInteractiveSolved | managedChallengeInteractiveSolved | managedChallengeBypassed | rewrite | forceConnectionClose | skip.
SecurityRuleDescription
Section titled “SecurityRuleDescription”Type: string
Description of the security rule that triggered a terminating action, if any.
SecurityRuleID
Section titled “SecurityRuleID”Type: string
Rule ID of the security rule that triggered a terminating action, if any.
SecurityRuleIDs
Section titled “SecurityRuleIDs”Type: array[string]
Array of rule IDs of the security product that matched the request. The security product associated with the rule ID can be found in SecuritySources. The length of the array is the same as SecurityActions and SecuritySources.
SecuritySources
Section titled “SecuritySources”Type: array[string]
Array of security products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The rule IDs can be found in SecurityRuleIDs, and the actions can be found in SecurityActions. The length of the array is the same as SecurityRuleIDs and SecurityActions.
Possible sources are unknown | asn | country | ip | ipRange | securityLevel | zoneLockdown | waf | firewallRules | uaBlock | rateLimit | bic | hot | l7ddos | validation | botFight | apiShield | botManagement | dlp | firewallManaged | firewallCustom | apiShieldSchemaValidation | apiShieldTokenValidation | apiShieldSequenceMitigation.
SmartRouteColoID
Section titled “SmartRouteColoID”Type: int
The Cloudflare data center used to connect to the origin server if Argo Smart Routing is used.
UpperTierColoID
Section titled “UpperTierColoID”Type: int
The "upper tier" data center that was checked for a cached copy if Tiered Cache is used.
WAFAttackScore
Section titled “WAFAttackScore”Type: int
Overall request score generated by the WAF detection module.
WAFFlags (deprecated)
Section titled “WAFFlags (deprecated)”Type: string
Additional configuration flags: simulate (0x1) | null.
WAFMatchedVar (deprecated)
Section titled “WAFMatchedVar (deprecated)”Type: string
The full name of the most-recently matched variable.
WAFRCEAttackScore
Section titled “WAFRCEAttackScore”Type: int
WAF score for an RCE attack.
WAFSQLiAttackScore
Section titled “WAFSQLiAttackScore”Type: int
WAF score for an SQLi attack.
WAFXSSAttackScore
Section titled “WAFXSSAttackScore”Type: int
WAF score for an XSS attack.
WorkerCPUTime
Section titled “WorkerCPUTime”Type: int
Amount of time in microseconds spent executing a Worker, if any.
WorkerScriptName
Section titled “WorkerScriptName”Type: string
The Worker script name that made the request.
WorkerStatus
Section titled “WorkerStatus”Type: string
Status returned from Worker daemon.
WorkerSubrequest
Section titled “WorkerSubrequest”Type: bool
Whether or not this request was a Worker subrequest.
WorkerSubrequestCount
Section titled “WorkerSubrequestCount”Type: int
Number of subrequests issued by a Worker when handling this request.
WorkerWallTimeUs
Section titled “WorkerWallTimeUs”Type: int
The elapsed time in microseconds between the start of a Worker invocation, and when the Workers Runtime determines that no more JavaScript needs to run. Specifically, this measures the wall-clock time that the JavaScript context remained open. For example, when returning a response with a large body, the Workers runtime can, in some cases, determine that no more JavaScript needs to run, and closes the JS context before all the bytes have passed through and been sent. Alternatively, if you use the waitUntil() API to perform work without blocking the return of a response, this work may continue executing after the response has been returned, and will be included in WorkerWallTimeUs.
ZoneName
Section titled “ZoneName”Type: string
The human-readable name of the zone (for example, 'cloudflare.com').
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark