Available Managed Transforms
This page lists the available Managed Transforms. They can modify HTTP request headers or response headers.
For more complex and customized header modifications, consider using Snippets.
HTTP request headers
Add bot protection headers
Adds HTTP headers with bot-related values to the request sent to the origin server:
- cf-bot-score: Contains the bot score (for example, 30).
- cf-verified-bot: Contains true if the request comes from a verified bot, or false otherwise.
- cf-ja3-hash: Contains the JA3 fingerprint.
- cf-ja4: Contains the JA4 fingerprint.
Add TLS client auth headers
Adds HTTP headers with Mutual TLS (mTLS) client authentication values to the request sent to the origin server:
- cf-cert-revoked: Value from the cf.tls_client_auth.cert_revoked field.
- cf-cert-verified: Value from the cf.tls_client_auth.cert_verified field.
- cf-cert-presented: Value from the cf.tls_client_auth.cert_presented field.
- cf-cert-issuer-dn: Value from the cf.tls_client_auth.cert_issuer_dn field.
- cf-cert-subject-dn: Value from the cf.tls_client_auth.cert_subject_dn field.
- cf-cert-issuer-dn-rfc2253: Value from the cf.tls_client_auth.cert_issuer_dn_rfc2253 field.
- cf-cert-subject-dn-rfc2253: Value from the cf.tls_client_auth.cert_subject_dn_rfc2253 field.
- cf-cert-issuer-dn-legacy: Value from the cf.tls_client_auth.cert_issuer_dn_legacy field.
- cf-cert-subject-dn-legacy: Value from the cf.tls_client_auth.cert_subject_dn_legacy field.
- cf-cert-serial: Value from the cf.tls_client_auth.cert_serial field.
- cf-cert-issuer-serial: Value from the cf.tls_client_auth.cert_issuer_serial field.
- cf-cert-fingerprint-sha256: Value from the cf.tls_client_auth.cert_fingerprint_sha256 field.
- cf-cert-fingerprint-sha1: Value from the cf.tls_client_auth.cert_fingerprint_sha1 field.
- cf-cert-not-before: Value from the cf.tls_client_auth.cert_not_before field.
- cf-cert-not-after: Value from the cf.tls_client_auth.cert_not_after field.
- cf-cert-ski: Value from the cf.tls_client_auth.cert_ski field.
- cf-cert-issuer-ski: Value from the cf.tls_client_auth.cert_issuer_ski field.
Add visitor location headers
Adds HTTP headers with location information for the visitor's IP address to the request sent to the origin server:
- cf-ipcity: The visitor's city (value from the ip.src.city field).
- cf-ipcountry: The visitor's country (value from the ip.src.country field).
- cf-ipcontinent: The visitor's continent (value from the ip.src.continent field).
- cf-iplongitude: The visitor's longitude (value from the ip.src.lon field).
- cf-iplatitude: The visitor's latitude (value from the ip.src.lat field).
- cf-region: The visitor's region (value from the ip.src.region field).
- cf-region-code: The visitor's region code (value from the ip.src.region_code field).
- cf-metro-code: The visitor's metro code (value from the ip.src.metro_code field).
- cf-postal-code: The visitor's postal code (value from the ip.src.postal_code field).
- cf-timezone: The name of the visitor's timezone (value from the ip.src.timezone.name field).
Encoding of non-ASCII header values
Cloudflare always converts non-ASCII characters to UTF-8 (using hexadecimal character representation) in HTTP request and response header values. This applies to location headers added by the Add visitor location headers managed transform.
For example, the header value São Paulo would be encoded as S\u00c3\u00a3o Paulo.
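An origin that logs or stores these values has to undo this encoding byte by byte. The following is an added example, not Cloudflare code: it assumes every non-ASCII byte arrives as a \u00XX escape as in the São Paulo value above, and the function names and sample headers are constructed for illustration.

```python
import re
from typing import Optional

# One escaped byte in the form shown on this page, e.g. \u00c3.
# Assumption: every non-ASCII byte arrives as \u00XX and ASCII is left as-is.
_ESCAPED_BYTE = re.compile(r"\\u00([0-9a-fA-F]{2})")


def decode_cf_header_value(value: str) -> str:
    """Rebuild the original text from a value such as 'S\\u00c3\\u00a3o Paulo'.

    Each escape carries one byte of the UTF-8 encoding, not a code point,
    so the bytes are reassembled first and only then decoded as UTF-8.
    """
    raw = bytearray()
    pos = 0
    for match in _ESCAPED_BYTE.finditer(value):
        raw += value[pos:match.start()].encode("ascii")  # literal ASCII run
        raw.append(int(match.group(1), 16))              # one escaped byte
        pos = match.end()
    raw += value[pos:].encode("ascii")
    return raw.decode("utf-8")  # raises UnicodeDecodeError on a broken sequence


def naive_decode(value: str) -> str:
    """The tempting shortcut: treats each escape as a code point (wrong here)."""
    return value.encode("ascii").decode("unicode_escape")


def city_from_headers(headers: dict) -> Optional[str]:
    """Return the decoded cf-ipcity value, or None if absent or malformed."""
    for name, value in headers.items():
        if name.lower() == "cf-ipcity":
            try:
                return decode_cf_header_value(value)
            except UnicodeError:
                return None  # do not log or store a value that fails to decode
    return None


# Constructed sample request headers, using the value from the text above.
SAMPLE = {"CF-IPCity": "S\\u00c3\\u00a3o Paulo", "CF-IPCountry": "BR"}

if __name__ == "__main__":
    print(city_from_headers(SAMPLE))
    print(naive_decode(SAMPLE["CF-IPCity"]))
```

The naive version yields mojibake because it reads \u00c3 and \u00a3 as two separate characters instead of the two UTF-8 bytes of a single one.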
Add "True-Client-IP" header
Adds a true-client-ip request header with the visitor's IP address.
This Managed Transform is unavailable when Remove visitor IP headers is enabled.
Remove visitor IP headers
Removes HTTP headers that may contain the visitor's IP address from the request sent to the origin server. Handles the following HTTP request headers:
- cf-connecting-ip
- x-forwarded-for (refer to the notes below)
- true-client-ip
This Managed Transform is unavailable when Add "True-Client-IP" header is enabled.
Visitor IP address in the x-forwarded-for HTTP header
For the x-forwarded-for HTTP request header, enabling Remove visitor IP headers will only remove the visitor IP from the header value when Cloudflare receives a request proxied by at least one other CDN (content delivery network). In this case, Cloudflare will only keep the IP address of the last proxy.
For example, consider an incoming request proxied by two CDNs (CDN_1 and CDN_2) before reaching the Cloudflare network. The x-forwarded-for header would be similar to the following:
x-forwarded-for: <VISITOR_IP>, <THIRD_PARTY_CDN_1_IP>, <THIRD_PARTY_CDN_2_IP>
With Remove visitor IP headers enabled, the x-forwarded-for header sent to the origin server will be:
x-forwarded-for: <THIRD_PARTY_CDN_2_IP>
Add leaked credentials checks header
Adds an Exposed-Credential-Check request header whenever the WAF detects leaked credentials in the incoming request.
The header can have these values:
Header + Value | Description | Availability |
---|---|---|
Exposed-Credential-Check: 1 | Previously leaked username and password detected | Pro plan and above |
Exposed-Credential-Check: 2 | Previously leaked username detected | Enterprise plan |
Exposed-Credential-Check: 3 | Similar combination of previously leaked username and password detected | Enterprise plan |
Exposed-Credential-Check: 4 | Previously leaked password detected | All plans |
You will only receive this managed header at your origin server if:
- The leaked credentials detection in the WAF is turned on.
- The Add Leaked Credentials Checks Header managed transform is turned on.
- Your Cloudflare plan supports the type of credentials detection. For example, Free plans can only know if a password was previously leaked. In this situation, Cloudflare will add an Exposed-Credential-Check: 4 header to the request.
Add malicious uploads detection header
Adds a Malicious-Uploads-Detection request header indicating the outcome of scanning uploaded content for malicious signatures.
The header can have one of the following values:
Header + Value | Description |
---|---|
Malicious-Uploads-Detection: 1 | The request contains at least one malicious content object (cf.waf.content_scan.has_malicious_obj is true). |
Malicious-Uploads-Detection: 2 | The file scanner was unable to scan all the content objects detected in the request (cf.waf.content_scan.has_failed is true). |
Malicious-Uploads-Detection: 3 | The request contains at least one content object (cf.waf.content_scan.has_obj is true). |
For more information, refer to Malicious uploads detection.
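The Exposed-Credential-Check and Malicious-Uploads-Detection headers only help if the origin acts on them. The following is an added example of origin-side handling for both, not Cloudflare code: the Action names and the policy attached to each header value are assumptions chosen for illustration, and the sample requests are constructed.

```python
from enum import Enum


class Action(Enum):  # origin-side responses; names are hypothetical
    ALLOW = "allow"
    STEP_UP_MFA = "step_up_mfa"
    FORCE_PASSWORD_RESET = "force_password_reset"
    QUARANTINE = "quarantine"
    REJECT = "reject"


def header_code(headers, name):
    """Return the header as an int, None if absent, -1 if not a plain number."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            value = value.strip()
            return int(value) if value.isascii() and value.isdigit() else -1
    return None


def login_action(headers, password_ok):
    """Policy for a login request, applied after the password check."""
    if not password_ok:
        return Action.REJECT
    code = header_code(headers, "Exposed-Credential-Check")
    if code is None:
        return Action.ALLOW                  # nothing flagged for this request
    if code in (1, 3, 4):
        return Action.FORCE_PASSWORD_RESET   # the password itself is exposed
    return Action.STEP_UP_MFA                # 2, or a value this code does not know


def upload_action(headers):
    """Policy for an upload request based on Malicious-Uploads-Detection."""
    code = header_code(headers, "Malicious-Uploads-Detection")
    if code is None or code == 3:
        return Action.ALLOW       # no header, or content present with no other flag
    if code == 1:
        return Action.REJECT      # at least one malicious content object
    return Action.QUARANTINE      # 2 (scan incomplete) or unknown: fail closed


# Constructed sample requests as the origin would see them.
LEAKED_LOGIN = {"Exposed-Credential-Check": "1"}
UNSCANNED_UPLOAD = {"malicious-uploads-detection": "2"}
```

A missing header is treated as "nothing flagged", which is only sound when the corresponding detection and managed transform are turned on and the plan supports that detection type, as listed above.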
HTTP response headers
Remove "X-Powered-By" headers
Removes the X-Powered-By HTTP response header that provides information about the application at the origin server that handled the request.
Add security headers
Adds several security-related HTTP response headers. The added response headers and values are the following:
- x-content-type-options: nosniff
- x-xss-protection: 1; mode=block
- x-frame-options: SAMEORIGIN
- referrer-policy: same-origin
- expect-ct: max-age=86400, enforce
To increase protection, enable HTTP Strict Transport Security (HSTS) for your website.