Standard fields | Cloudflare Ruleset Engine docs (2024)

Most standard fields use the same naming conventions as Wireshark display fields. However, there are some subtle differences between Cloudflare and Wireshark:

• Wireshark supports CIDR (Classless Inter-Domain Routing) notation for expressing IP address ranges in equality comparisons (ip.src == 1.2.3.0/24, for example). Cloudflare does not.

  To evaluate a range of addresses using CIDR notation, use the in comparison operator as in this example: ip.src in {1.2.3.0/24 4.5.6.0/24}.

• In Wireshark, ssl is a protocol field containing hundreds of other fields of various types that are available for comparison in multiple ways. However, in the Rules language ssl is a single Boolean field that indicates whether the connection from the client to Cloudflare is encrypted.

• The Cloudflare Rules language does not support the slice operator.

The Cloudflare Rules language supports these standard fields.

http.cookie String

Represents the entire cookie as a string.

Example value:

session=8521F670545D7865F79C3D7BEDC29CCE;-background=light

http.host String

Represents the hostname used in the full request URI.

Example value:

www.example.org

http.referer String

Represents the HTTP Referer request header, which contains the address of the web page that linked to the currently requested page.

Example value:

Referer: htt­ps://developer.example.org/en-US/docs/Web/JavaScript

http.request.full_uri String

Represents the full URI as received by the web server (does not include #fragment, which is not sent to web servers).

Example value:

htt­ps://www.example.org/articles/index?section=539061&expand=comments

http.request.method String

Represents the HTTP method, returned as a string of uppercase characters.

Example value:

GET

http.request.cookies Map<Array<String>>

Represents the Cookie HTTP header associated with a request as a Map (associative array). The cookie values are not pre-processed and retain the original case used in the request.

Decoding: The cookie names are URL decoded. If two cookies have the same name after decoding, their value arrays are merged.

Example:

any(http.request.cookies["app"][*] == "test")

Example value:

{"app": ["test"]}

http.request.timestamp.sec Integer

Represents the timestamp when Cloudflare received the request, expressed as Unix time in seconds. This value is 10 digits long.

To obtain the timestamp milliseconds, use the http.request.timestamp.msec field.

Example value:

1484063137
See Also
Encrypted DNS Traffic: Boost Your Online Privacy NowThe 6 Best DNS Servers for Improved Online SafetyGlossary | Cloudflare Style GuideDNS Server Explained: How It Powers Your Internet Experience

When validating HMAC tokens in an expression, pass this field as the currentTimestamp argument to the is_timed_hmac_valid_v0() validation function.

http.request.timestamp.msec Integer

Represents the millisecond when Cloudflare received the request, between 0 and 999.

To obtain the complete timestamp, use both http.request.timestamp.sec and http.request.timestamp.msec fields.

Example value:

857

Here is the formatted information for the provided rows:

http.request.uri String

Represents the URI path and query string of the request.

Example value:

/articles/index?section=539061&expand=comments

http.request.uri.path String

Represents the URI path of the request.

Example value:

/articles/index

http.request.uri.path.extension String

The lowercased file extension in the URI path without the dot (.) character. This corresponds to the string after the last dot in the URI path, excluding the query string.

If the first character of the last path segment is a dot and the segment does not contain other dot characters, the field value will be an empty string (""). Having a dot as the first character does not represent a file extension and is commonly used in Unix-like systems to denote a hidden file or directory.

Example values:

• If the URI path is /articles/index.html, the field value will be html.
• If the URI path is /articles/index., the field value will be an empty string ("").

http.request.uri.query String

Represents the entire query string, without the ? delimiter.

Example value:

section=539061&expand=comments

http.user_agent String

Represents the HTTP User-Agent request header, which contains a characteristic string to identify the client operating system and web browser.

Example value:

Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36

http.request.version String

Represents the version of the HTTP protocol used. Use this field when different checks are needed for different versions.

Example values:

• HTTP/1.1
• HTTP/3

http.x_forwarded_for String

Represents the full X-Forwarded-For HTTP header.

Example value:

203.0.113.195, 70.41.3.18

ip.src IP address

Represents the client TCP IP address, which may be adjusted to reflect the actual address of the client using HTTP headers such as X-Forwarded-For or X-Real-IP.

Example value:

93.184.216.34

ip.src.lat String

Represents the latitude associated with the client IP address.

Example value:

37.78044

ip.src.lon String

Represents the longitude associated with the client IP address.

Example value:

-122.39055

ip.src.city String

Represents the city associated with the client IP address.

Example value:

San Francisco

ip.src.postal_code String

Represents the postal code associated with the incoming request.

Example value:

78701

ip.src.metro_code String

Represents the metro code or Designated Market Area (DMA) code associated with the incoming request.

Example value:

635

ip.src.region String

Represents the region name associated with the incoming request.

Example value:

Texas

ip.src.region_code String

Represents the region code associated with the incoming request.

Example value:

TX

ip.src.timezone.name String

Represents the name of the timezone associated with the incoming request. This field is only available in rewrite expressions of Transform Rules.

Example value:

America/Chicago

ip.src.asnum Number

Represents the 16- or 32-bit integer representing the Autonomous System (AS) number associated with the client IP address.

Note: This field has the same value as the ip.geoip.asnum field, which is deprecated. The ip.geoip.asnum field is still available for new and existing rules, but you should use the ip.src.asnum field instead.

ip.src.continent String

Represents the continent code associated with the client IP address:

• AF – Africa
• AN – Antarctica
• AS – Asia
• EU – Europe
• NA – North America
• OC – Oceania
• SA – South America
• T1 – Tor network

Note: This field has the same value as the ip.geoip.continent field, which is deprecated. The ip.geoip.continent field is still available for new and existing rules, but you should use the ip.src.continent field instead.

ip.src.country String

Represents the 2-letter country code in ISO 3166-1 Alpha 2 format.

Example value:

GB

For more information on the ISO 3166-1 Alpha 2 format, refer to ISO 3166-1 Alpha 2 on Wikipedia.

Note: This field has the same value as the ip.geoip.country field, which is deprecated. The ip.geoip.country field is still available for new and existing rules, but you should use the ip.src.country field instead.

ip.src.subdivision_1_iso_code String

Represents the ISO 3166-2 code for the first-level region associated with the IP address. When the actual value is not available, this field contains an empty string.

Example value:

GB-ENG

For more information on the ISO 3166-2 standard and the available regions, refer to ISO 3166-2 on Wikipedia.

Note: This field has the same value as the ip.geoip.subdivision_1_iso_code field, which is deprecated. The ip.geoip.subdivision_1_iso_code field is still available for new and existing rules, but you should use the ip.src.subdivision_1_iso_code field instead.

ip.src.subdivision_2_iso_code String

Represents the ISO 3166-2 code for the second-level region associated with the IP address. When the actual value is not available, this field contains an empty string.

Example value:

GB-SWK

For more information on the ISO 3166-2 standard and the available regions, refer to ISO 3166-2 on Wikipedia.

Note: This field has the same value as the ip.geoip.subdivision_2_iso_code field, which is deprecated. The ip.geoip.subdivision_2_iso_code field is still available for new and existing rules, but you should use the ip.src.subdivision_2_iso_code field instead.

ip.src.is_in_european_union Boolean

Returns true when the request originates from a country in the European Union (EU).

raw.http.request.full_uri String

Similar to the http.request.full_uri non-raw field. Represents the full URI as received by the web server without the URI fragment (if any) and without any transformation.

Note: This raw field may include some basic normalization done by Cloudflare’s HTTP server. However, this can change in the future.

raw.http.request.uri String

Similar to the http.request.uri non-raw field. Represents the URI path and query string of the request without any transformation.

Note: This raw field may include some basic normalization done by Cloudflare’s HTTP server. However, this can change in the future.

raw.http.request.uri.path String

Similar to the http.request.uri.path non-raw field. Represents the URI path of the request without any transformation.

Note: This raw field may include some basic normalization done by Cloudflare’s HTTP server. However, this can change in the future.

raw.http.request.uri.path.extension String

Similar to the http.request.uri.path.extension non-raw field. Represents the file extension in the request URI path without any transformation.

raw.http.request.uri.query String

Similar to the http.request.uri.query non-raw field. Represents the entire query string without the ? delimiter and without any transformation.

Note: This raw field may include some basic normalization done by Cloudflare’s HTTP server. However, this can change in the future.

ssl Boolean

Returns true when the HTTP connection to the client is encrypted.

GeoIP is the registered trademark of MaxMind, Inc.