Most standard fields use the same naming conventions as Wireshark display fields. However, there are some subtle differences between Cloudflare and Wireshark:
- Wireshark supports CIDR (Classless Inter-Domain Routing) notation for expressing IP address ranges in equality comparisons (ip.src == 1.2.3.0/24, for example). Cloudflare does not. To evaluate a range of addresses using CIDR notation, use the in comparison operator as in this example: ip.src in {1.2.3.0/24 4.5.6.0/24}.
- In Wireshark, ssl is a protocol field containing hundreds of other fields of various types that are available for comparison in multiple ways. However, in the Rules language ssl is a single Boolean field that indicates whether the connection from the client to Cloudflare is encrypted.
- The Cloudflare Rules language does not support the slice operator.
The Cloudflare Rules language supports these standard fields.
http.cookie
String
Represents the entire cookie as a string.
Example value:
http.host
String
Represents the hostname used in the full request URI.
Example value:
http.referer
String
Represents the HTTP Referer request header, which contains the address of the web page that linked to the currently requested page.
Example value:
http.request.full_uri
String
Represents the full URI as received by the web server (does not include #fragment, which is not sent to web servers).
Example value:
http.request.method
String
Represents the HTTP method, returned as a string of uppercase characters.
Example value:
http.request.cookies
Map<Array<String>>
Represents the Cookie HTTP header associated with a request as a Map (associative array). The cookie values are not pre-processed and retain the original case used in the request.
Decoding: The cookie names are URL decoded. If two cookies have the same name after decoding, their value arrays are merged.
Example:
Example value:
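A model of the decoding and merging rule described for http.request.cookies, as an added example (not Cloudflare's code). The function names, the splitting on `;` and on the first `=`, and the sample header are assumptions made for illustration.

```python
from typing import Dict, List
from urllib.parse import unquote


def cookies_map(cookie_header: str) -> Dict[str, List[str]]:
    """Model of http.request.cookies: decoded cookie name -> raw values."""
    cookies: Dict[str, List[str]] = {}
    # Assumption: pairs are separated by ';' and split on the first '='.
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, _, value = pair.partition("=")
        # Names are URL decoded; values keep their original bytes and case.
        cookies.setdefault(unquote(name.strip()), []).append(value)
    return cookies


def merged_names(cookies: Dict[str, List[str]]) -> List[str]:
    """Names whose value array holds more than one entry after merging."""
    return sorted(name for name, values in cookies.items() if len(values) > 1)


# Constructed sample header: two spellings of one name plus an encoded value.
SAMPLE = "session=AbC123; sess%69on=zzz; theme=Dark%20Mode"

if __name__ == "__main__":
    parsed = cookies_map(SAMPLE)
    print(parsed)                # both "session" values end up in one array
    print(merged_names(parsed))  # names that received merged values
```

A rule that compares a cookie value has to consider every element of the array, because a merged name can carry more than one value and the values are not decoded.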
http.request.timestamp.sec
Integer
Represents the timestamp when Cloudflare received the request, expressed as Unix time in seconds. This value is 10 digits long.
To obtain the timestamp milliseconds, use the http.request.timestamp.msec field.
Example value:
When validating HMAC tokens in an expression, pass this field as the currentTimestamp argument to the is_timed_hmac_valid_v0() validation function.
http.request.timestamp.msec
Integer
Represents the millisecond when Cloudflare received the request, between 0 and 999.
To obtain the complete timestamp, use both http.request.timestamp.sec and http.request.timestamp.msec fields.
Example value:
http.request.uri
String
Represents the URI path and query string of the request.
Example value:
http.request.uri.path
String
Represents the URI path of the request.
Example value:
http.request.uri.path.extension
String
The lowercased file extension in the URI path without the dot (.) character. This corresponds to the string after the last dot in the URI path, excluding the query string.
If the first character of the last path segment is a dot and the segment does not contain other dot characters, the field value will be an empty string (""). Having a dot as the first character does not represent a file extension and is commonly used in Unix-like systems to denote a hidden file or directory.
Example values:
- If the URI path is /articles/index.html, the field value will be html.
- If the URI path is /articles/index., the field value will be an empty string ("").
Example values
URI path | Field value |
---|---|
/foo | "" |
/foo.mp3 | "mp3" |
/.mp3 | "" |
/.foo.mp3 | "mp3" |
/foo.tar.bz2 | "bz2" |
/foo. | "" |
/foo.MP3 | "mp3" |
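The extension rule above, written out as an added example for testing rule logic offline (not Cloudflare's code). The function names are hypothetical, and two points are assumptions: only the last path segment is inspected, and the `lowercase=False` mode stands in for the raw field described as "without any transformation".

```python
from typing import List, Tuple


def uri_path_extension(uri: str, lowercase: bool = True) -> str:
    """Model of http.request.uri.path.extension for a path or path?query."""
    path = uri.split("?", 1)[0]          # the query string is excluded
    segment = path.rsplit("/", 1)[-1]    # assumption: last segment only
    dot = segment.rfind(".")
    # No dot at all, or the only dot is the leading one (hidden file).
    if dot <= 0:
        return ""
    ext = segment[dot + 1:]              # empty when the path ends in "."
    # Assumption: the raw variant keeps the original case.
    return ext.lower() if lowercase else ext


# The rows of the table above, copied as (URI path, field value).
TABLE: List[Tuple[str, str]] = [
    ("/foo", ""),
    ("/foo.mp3", "mp3"),
    ("/.mp3", ""),
    ("/.foo.mp3", "mp3"),
    ("/foo.tar.bz2", "bz2"),
    ("/foo.", ""),
    ("/foo.MP3", "mp3"),
]


def mismatches() -> List[Tuple[str, str, str]]:
    """Rows where the model disagrees with the documented value."""
    return [(p, want, uri_path_extension(p))
            for p, want in TABLE if uri_path_extension(p) != want]


if __name__ == "__main__":
    for p, _ in TABLE:
        print(repr(p), "->", repr(uri_path_extension(p)))
    print("mismatches:", mismatches())
```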
http.request.uri.query
String
Represents the entire query string, without the ? delimiter.
Example value:
http.user_agent
String
Represents the HTTP User-Agent request header, which contains a characteristic string to identify the client operating system and web browser.
Example value:
http.request.version
String
Represents the version of the HTTP protocol used. Use this field when different checks are needed for different versions.
Example values:
HTTP/1.1
HTTP/3
http.x_forwarded_for
String
Represents the full X-Forwarded-For HTTP header.
Example value:
ip.src
IP address
Represents the client TCP IP address, which may be adjusted to reflect the actual address of the client using HTTP headers such as X-Forwarded-For or X-Real-IP.
Example value:
ip.src.lat
String
Represents the latitude associated with the client IP address.
Example value:
ip.src.lon
String
Represents the longitude associated with the client IP address.
Example value:
ip.src.city
String
Represents the city associated with the client IP address.
Example value:
ip.src.postal_code
String
Represents the postal code associated with the incoming request.
Example value:
ip.src.metro_code
String
Represents the metro code or Designated Market Area (DMA) code associated with the incoming request.
Example value:
ip.src.region
String
Represents the region name associated with the incoming request.
Example value:
ip.src.region_code
String
Represents the region code associated with the incoming request.
Example value:
ip.src.timezone.name
String
Represents the name of the timezone associated with the incoming request. This field is only available in rewrite expressions of Transform Rules.
Example value:
ip.src.asnum
Number
Represents the Autonomous System (AS) number associated with the client IP address, as a 16- or 32-bit integer.
Note: This field has the same value as the ip.geoip.asnum field, which is deprecated. The ip.geoip.asnum field is still available for new and existing rules, but you should use the ip.src.asnum field instead.
ip.src.continent
String
Represents the continent code associated with the client IP address:
- AF – Africa
- AN – Antarctica
- AS – Asia
- EU – Europe
- NA – North America
- OC – Oceania
- SA – South America
- T1 – Tor network
Note: This field has the same value as the ip.geoip.continent field, which is deprecated. The ip.geoip.continent field is still available for new and existing rules, but you should use the ip.src.continent field instead.
ip.src.country
String
Represents the 2-letter country code in ISO 3166-1 Alpha 2 format.
Example value:
For more information on the ISO 3166-1 Alpha 2 format, refer to ISO 3166-1 Alpha 2 on Wikipedia.
Note: This field has the same value as the ip.geoip.country field, which is deprecated. The ip.geoip.country field is still available for new and existing rules, but you should use the ip.src.country field instead.
ip.src.subdivision_1_iso_code
String
Represents the ISO 3166-2 code for the first-level region associated with the IP address. When the actual value is not available, this field contains an empty string.
Example value:
For more information on the ISO 3166-2 standard and the available regions, refer to ISO 3166-2 on Wikipedia.
Note: This field has the same value as the ip.geoip.subdivision_1_iso_code field, which is deprecated. The ip.geoip.subdivision_1_iso_code field is still available for new and existing rules, but you should use the ip.src.subdivision_1_iso_code field instead.
ip.src.subdivision_2_iso_code
String
Represents the ISO 3166-2 code for the second-level region associated with the IP address. When the actual value is not available, this field contains an empty string.
Example value:
For more information on the ISO 3166-2 standard and the available regions, refer to ISO 3166-2 on Wikipedia.
Note: This field has the same value as the ip.geoip.subdivision_2_iso_code field, which is deprecated. The ip.geoip.subdivision_2_iso_code field is still available for new and existing rules, but you should use the ip.src.subdivision_2_iso_code field instead.
ip.src.is_in_european_union
Boolean
Returns true when the request originates from a country in the European Union (EU).
Countries in the EU (from geolocation data)
Country code | Country name |
---|---|
AT | Austria |
AX | Åland Islands |
BE | Belgium |
BG | Bulgaria |
CY | Cyprus |
CZ | Czechia |
DE | Germany |
DK | Denmark |
EE | Estonia |
ES | Spain |
FI | Finland |
FR | France |
GF | French Guiana |
GP | Guadeloupe |
GR | Greece |
HR | Croatia |
HU | Hungary |
IE | Ireland |
IT | Italy |
LT | Lithuania |
LU | Luxembourg |
LV | Latvia |
MF | Saint Martin |
MQ | Martinique |
MT | Malta |
NL | The Netherlands |
PL | Poland |
PT | Portugal |
RE | Réunion |
RO | Romania |
SE | Sweden |
SI | Slovenia |
SK | Slovakia |
YT | Mayotte |
The EU country list was obtained from MaxMind’s GeoIP2 database on 2023-12-05. For details on obtaining up-to-date country information, refer to the MaxMind website.
raw.http.request.full_uri
String
Similar to the http.request.full_uri non-raw field. Represents the full URI as received by the web server without the URI fragment (if any) and without any transformation.
Note: This raw field may include some basic normalization done by Cloudflare’s HTTP server. However, this can change in the future.
raw.http.request.uri
String
Similar to the http.request.uri non-raw field. Represents the URI path and query string of the request without any transformation.
Note: This raw field may include some basic normalization done by Cloudflare’s HTTP server. However, this can change in the future.
raw.http.request.uri.path
String
Similar to the http.request.uri.path non-raw field. Represents the URI path of the request without any transformation.
Note: This raw field may include some basic normalization done by Cloudflare’s HTTP server. However, this can change in the future.
raw.http.request.uri.path.extension
String
Similar to the http.request.uri.path.extension non-raw field. Represents the file extension in the request URI path without any transformation.
raw.http.request.uri.query
String
Similar to the http.request.uri.query non-raw field. Represents the entire query string without the ? delimiter and without any transformation.
Note: This raw field may include some basic normalization done by Cloudflare’s HTTP server. However, this can change in the future.
ssl
Boolean
Returns true when the HTTP connection to the client is encrypted.
GeoIP is the registered trademark of MaxMind, Inc.