Standard fields
Most standard fields use the same naming conventions as Wireshark display fields ↗. However, there are some subtle differences between Cloudflare and Wireshark:
-
Wireshark supports CIDR (Classless Inter-Domain Routing) notation ↗ for expressing IP address ranges in equality comparisons (
ip.src == 1.2.3.0/24, for example). Cloudflare does not.To evaluate a range of addresses using CIDR notation, use the
incomparison operator as in this example:ip.src in {1.2.3.0/24 4.5.6.0/24}. -
In Wireshark,
sslis a protocol field containing hundreds of other fields of various types that are available for comparison in multiple ways. However, in the Rules languagesslis a single Boolean field that indicates whether the connection from the client to Cloudflare is encrypted. -
The Cloudflare Rules language does not support the
sliceoperator.
The Cloudflare Rules language supports these standard fields.
http.cookie String
The entire cookie as a string.
Example value:
session=8521F670545D7865F79C3D7BEDC29CCE;-background=lighthttp.host String
The hostname used in the full request URI.
Example value:
www.example.orghttp.referer String
The HTTP Referer request header, which contains the address of the web page that linked to the currently requested page.
Example value:
Referer: https://developer.example.org/en-US/docs/Web/JavaScripthttp.request.full_uri String
The full URI as received by the web server (does not include #fragment, which is not sent to web servers).
Example value:
https://www.example.org/articles/index?section=539061&expand=commentshttp.request.method String
The HTTP method, returned as a string of uppercase characters.
Example value:
GEThttp.request.cookies Map<Array<String>>
The Cookie HTTP header associated with a request represented as a Map (associative array). The cookie values are not pre-processed and retain the original case used in the request.
Decoding: The cookie names are URL decoded. If two cookies have the same name after decoding, their value arrays are merged.
Example:
any(http.request.cookies["app"][*] == "test")Example value:
{ "app": ["test"] }http.request.timestamp.sec Integer
The timestamp when Cloudflare received the request, expressed as UNIX time in seconds. This value is 10 digits long.
To obtain the timestamp milliseconds, use the http.request.timestamp.msec field.
Example value:
1484063137When validating HMAC tokens in an expression, pass this field as the currentTimestamp argument to the is_timed_hmac_valid_v0() validation function.
http.request.timestamp.msec Integer
The millisecond when Cloudflare received the request, between 0 and 999.
To obtain the complete timestamp, use both http.request.timestamp.sec and http.request.timestamp.msec fields.
Example value:
857Here is the formatted information for the provided rows:
http.request.uri String
The URI path and query string of the request.
Example value:
/articles/index?section=539061&expand=commentshttp.request.uri.path String
The URI path of the request.
Example value:
/articles/indexhttp.request.uri.path.extension String
The lowercased file extension in the URI path without the dot (.) character. This corresponds to the string after the last dot in the URI path, excluding the query string.
If the first character of the last path segment is a dot and the segment does not contain other dot characters, the field value will be an empty string (""). Having a dot as the first character does not represent a file extension and is commonly used in UNIX-like systems to denote a hidden file or directory.
Example values:
- If the URI path is
/articles/index.html, the field value will behtml. - If the URI path is
/articles/index., the field value will be an empty string ("").
Example values
| URI path | Field value |
|---|---|
/foo | "" |
/foo.mp3 | "mp3" |
/.mp3 | "" |
/.foo.mp3 | "mp3" |
/foo.tar.bz2 | "bz2" |
/foo. | "" |
/foo.MP3 | "mp3" |
http.request.uri.query String
The entire query string, without the ? delimiter.
Example value:
section=539061&expand=commentshttp.user_agent String
The HTTP User-Agent request header, which contains a characteristic string to identify the client operating system and web browser.
Example value:
Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36http.request.version String
The version of the HTTP protocol used. Use this field when different checks are needed for different versions.
Example values:
HTTP/1.1HTTP/3
http.x_forwarded_for String
The full X-Forwarded-For HTTP header.
Example value:
203.0.113.195, 70.41.3.18ip.src IP address
The client TCP IP address, which may be adjusted to reflect the actual address of the client using HTTP headers such as X-Forwarded-For or X-Real-IP.
Example value:
93.184.216.34ip.src.lat String
The latitude associated with the client IP address.
Example value:
37.78044ip.src.lon String
The longitude associated with the client IP address.
Example value:
-122.39055ip.src.city String
The city associated with the client IP address.
Example value:
San Franciscoip.src.postal_code String
The postal code associated with the incoming request.
Example value:
78701ip.src.metro_code String
The metro code or Designated Market Area (DMA) code associated with the incoming request.
Example value:
635ip.src.region String
The region name associated with the incoming request.
Example value:
Texasip.src.region_code String
The region code associated with the incoming request.
Example value:
TXip.src.timezone.name String
The name of the timezone associated with the incoming request. This field is only available in rewrite expressions of Transform Rules.
Example value:
America/Chicagoip.src.asnum Number
The 16-bit or 32-bit integer representing the Autonomous System (AS) number associated with the client IP address.
This field has the same value as the ip.geoip.asnum field, which is deprecated. The ip.geoip.asnum field is still available for new and existing rules, but you should use the ip.src.asnum field instead.
ip.src.continent String
The continent code associated with the client IP address:
- AF: Africa
- AN: Antarctica
- AS: Asia
- EU: Europe
- NA: North America
- OC: Oceania
- SA: South America
- T1: Tor network
This field has the same value as the ip.geoip.continent field, which is deprecated. The ip.geoip.continent field is still available for new and existing rules, but you should use the ip.src.continent field instead.
ip.src.country String
The 2-letter country code in ISO 3166-1 Alpha 2 ↗ format.
Example value:
GBFor more information on the ISO 3166-1 Alpha 2 format, refer to ISO 3166-1 Alpha 2 ↗ on Wikipedia.
This field has the same value as the ip.geoip.country field, which is deprecated. The ip.geoip.country field is still available for new and existing rules, but you should use the ip.src.country field instead.
ip.src.subdivision_1_iso_code String
The ISO 3166-2 code for the first-level region associated with the IP address. When the actual value is not available, this field contains an empty string.
Example value:
GB-ENGFor more information on the ISO 3166-2 standard and the available regions, refer to ISO 3166-2 ↗ on Wikipedia.
This field has the same value as the ip.geoip.subdivision_1_iso_code field, which is deprecated. The ip.geoip.subdivision_1_iso_code field is still available for new and existing rules, but you should use the ip.src.subdivision_1_iso_code field instead.
ip.src.subdivision_2_iso_code String
The ISO 3166-2 code for the second-level region associated with the IP address. When the actual value is not available, this field contains an empty string.
Example value:
GB-SWKFor more information on the ISO 3166-2 standard and the available regions, refer to ISO 3166-2 ↗ on Wikipedia.
This field has the same value as the ip.geoip.subdivision_2_iso_code field, which is deprecated. The ip.geoip.subdivision_2_iso_code field is still available for new and existing rules, but you should use the ip.src.subdivision_2_iso_code field instead.
ip.src.is_in_european_union Boolean
Returns true when the request originates from a country in the European Union (EU).
Countries in the EU (from geolocation data)
| Country code | Country name |
|---|---|
AT | Austria |
AX | Åland Islands |
BE | Belgium |
BG | Bulgaria |
CY | Cyprus |
CZ | Czechia |
DE | Germany |
DK | Denmark |
EE | Estonia |
ES | Spain |
FI | Finland |
FR | France |
GF | French Guiana |
GP | Guadeloupe |
GR | Greece |
HR | Croatia |
HU | Hungary |
IE | Ireland |
IT | Italy |
LT | Lithuania |
LU | Luxembourg |
LV | Latvia |
MF | Saint Martin |
MQ | Martinique |
MT | Malta |
NL | The Netherlands |
PL | Poland |
PT | Portugal |
RE | Réunion |
RO | Romania |
SE | Sweden |
SI | Slovenia |
SK | Slovakia |
YT | Mayotte |
The EU country list was obtained from MaxMind's GeoIP2 database on 2023-12-05. For details on obtaining up-to-date country information, refer to the MaxMind website ↗.
This field has the same value as the ip.geoip.is_in_european_union field, which is deprecated. The ip.geoip.is_in_european_union field is still available for new and existing rules, but you should use the ip.src.is_in_european_union field instead.
raw.http.request.full_uri String
The raw full URI as received by the web server without the URI fragment (if any) and without any transformation.
This is the raw field version of the http.request.full_uri field. Raw fields, prefixed with raw., preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
Note: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
raw.http.request.uri String
The raw URI path and query string of the request without any transformation.
This is the raw field version of the http.request.uri field. Raw fields, prefixed with raw., preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
Note: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
raw.http.request.uri.path String
The raw URI path of the request without any transformation.
This is the raw field version of the http.request.uri.path field. Raw fields, prefixed with raw., preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
Note: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
raw.http.request.uri.path.extension String
The raw file extension in the request URI path without any transformation.
This is the raw field version of the http.request.uri.path.extension field. Raw fields, prefixed with raw., preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
raw.http.request.uri.query String
The entire query string without the ? delimiter and without any transformation.
This is the raw field version of the http.request.uri.query field. Raw fields, prefixed with raw., preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
Note: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
ssl Boolean
Returns true when the HTTP connection to the client is encrypted.
GeoIP is the registered trademark of MaxMind, Inc.