Dynamic fields
Dynamic fields represent computed or derived values, typically related to threat intelligence about an HTTP request.
The Cloudflare Rules language supports these dynamic fields.
cf.bot_management.verified_bot Boolean
When true, this field indicates the request originated from a known good bot or crawler. Provides the same information as cf.client.bot.
cf.verified_bot_category String
Provides the type and purpose of a verified bot. For more details, refer to Verified Bot Categories.
cf.bot_management.score Number
Represents the likelihood that a request originates from a bot using a score from 1–99. A low score indicates that the request comes from a bot or an automated agent. A high score indicates that a human issued the request.
cf.bot_management.static_resource Boolean
Indicates whether static resources should be included when you create a rule using cf.bot_management.score. For more details, refer to Static resource protection.
cf.bot_management.ja3_hash String
Provides an SSL/TLS fingerprint to help you identify potential bot requests. For more details, refer to JA3/JA4 Fingerprint.
cf.bot_management.ja4 String
Provides an SSL/TLS fingerprint to help you identify potential bot requests. For more details, refer to JA3/JA4 Fingerprint.
cf.bot_management.js_detection.passed Boolean
Indicates whether the visitor has previously passed a JS Detection. For more details, refer to JavaScript detections.
cf.bot_management.detection_ids Array<Number>
List of IDs that correlate to the Bot Management heuristic detections made on a request (you can have multiple heuristic detections on the same request). Use this field to explicitly match a specific heuristic or to exclude a heuristic in a rule.
Example:
any(cf.bot_management.detection_ids[*] eq 33554817)cf.client.bot Boolean
When true, this field indicates the request originated from a known good bot or crawler. Provides the same information as cf.bot_management.verified_bot.
cf.edge.server_ip IP Address
Represents the global network’s IP address to which the HTTP request has resolved. This field is only meaningful for BYOIP customers.
cf.edge.server_port Number
Represents the port number at which the Cloudflare global network received the request. Use this field to filter traffic on a specific port. The value is a port number in the range 1–65535.
cf.hostname.metadata String
Returns the string representation of the per-hostname custom metadata JSON object set by SSL for SaaS customers.
cf.random_seed Bytes
Returns per-request random bytes that you can use in the uuidv4() function.
cf.ray_id String
The Ray ID of the current request. A Ray ID is an identifier given to every request that goes through Cloudflare.
cf.threat_score Number
Represents a Cloudflare threat score from 0–100, where 0 indicates low risk. Values above 10 may represent spammers or bots, and values above 40 identify bad actors on the Internet. It is rare to see values above 60. A common recommendation is to challenge requests with a score above 10 and to block those above 50.
cf.tls_cipher String
The cipher for the connection to Cloudflare.
Example:
"AES128-SHA256"cf.tls_client_auth.cert_revoked Boolean
Returns true when a request presents a valid but revoked client certificate. When true, the cf.tls_client_auth.cert_verified field is also true.
cf.tls_client_auth.cert_verified Boolean
Returns true when a request presents a valid client certificate. Also returns true when a request includes a valid certificate that was revoked (see cf.tls_client_auth.cert_revoked).
cf.tls_client_auth.cert_presented Boolean
Returns true when a request presents a certificate (valid or not).
cf.tls_client_auth.cert_issuer_dn String
The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate included in the request.
Example:
"CN=Access Testing CA,OU=TX,O=Access Testing,L=Austin,ST=Texas,C=US"cf.tls_client_auth.cert_subject_dn String
The Distinguished Name (DN) of the owner (or requester) of the certificate included in the request.
Example:
"CN=James Royal,OU=Access Admins,O=Access,L=Austin,ST=Texas,C=US"cf.tls_client_auth.cert_issuer_dn_rfc2253 String
The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in RFC 2253 ↗ format.
Example:
"CN=Access Testing CA,OU=TX,O=Access Testing,L=Austin,ST=Texas,C=US"cf.tls_client_auth.cert_subject_dn_rfc2253 String
The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in RFC 2253 ↗ format.
Example:
"CN=James Royal,OU=Access Admins,O=Access,L=Austin,ST=Texas,C=US"cf.tls_client_auth.cert_issuer_dn_legacy String
The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in a legacy format.
Example:
"/C=US/ST=Texas/L=Austin/O=Access Testing/OU=TX/CN=Access Testing CA"cf.tls_client_auth.cert_subject_dn_legacy String
The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in a legacy format.
Example:
"/C=US/ST=Texas/L=Austin/O=Access/OU=Access Admins/CN=James Royal"cf.tls_client_auth.cert_serial String
Serial number of the certificate in the request.
Example:
"527E0F20A20EA2A4146C78390F34CE7AF0878CA4"cf.tls_client_auth.cert_issuer_serial String
Serial number of the direct issuer of the certificate in the request.
Example:
"2688201DBA77402EA87118876F2E1B24CF8B0395"cf.tls_client_auth.cert_fingerprint_sha256 String
The SHA-256 fingerprint of the certificate in the request.
Example:
"af363dc85bc942a892d3cee9796190fdb36d89cd588a4f1cb17c74a943439714"cf.tls_client_auth.cert_fingerprint_sha1 String
The SHA-1 fingerprint of the certificate in the request.
Example:
"933ad5282c560ae3f482a43ecd73bc9de878a190"cf.tls_client_auth.cert_not_before String
The certificate in the request is not valid before this date.
Example:
"Mar 21 13:35:00 2022 GMT"cf.tls_client_auth.cert_not_after String
The certificate in the request is not valid after this date.
Example:
"Mar 21 13:35:00 2023 GMT"cf.tls_client_auth.cert_ski String
The Subject Key Identifier (SKI) of the certificate in the request.
Example:
"27846FAE6EAC4A8DAD9101B519CF1EB460242831"cf.tls_client_auth.cert_issuer_ski String
The Subject Key Identifier (SKI) of the direct issuer of the certificate in the request.
Example:
"8204924CF49D471E855862706D889F58F6B784D3"cf.tls_client_extensions_sha1 String
The SHA-1 fingerprint of TLS client extensions, encoded in Base64.
Example:
"OWFiM2I5ZDc0YWI0YWYzZmFkMGU0ZjhlYjhiYmVkMjgxNTU5YTU2Mg=="cf.tls_client_hello_length Number
The length of the client hello message sent in a TLS handshake ↗. Specifically, the length of the bytestring of the client hello.
Example:
508cf.tls_client_random String
The value of the 32-byte random value provided by the client in a TLS handshake ↗, encoded in Base64. Refer to RFC 8446 ↗ for more details.
Example:
"YWJjZA=="cf.tls_version String
The TLS version of the connection to Cloudflare.
Example:
"TLSv1.2"cf.waf.content_scan.has_obj Boolean
When true, the request contains at least one content object ↗.
For more details, refer to Malicious uploads detection.
cf.waf.content_scan.has_malicious_obj Boolean
When true, the request contains at least one malicious content object.
For more details, refer to Malicious uploads detection.
cf.waf.content_scan.num_malicious_obj Integer
The number of malicious content objects detected in the request (zero or greater).
For more details, refer to Malicious uploads detection.
cf.waf.content_scan.has_failed Boolean
When true, the file scanner was unable to scan all the content objects detected in the request.
For more details, refer to Malicious uploads detection.
cf.waf.content_scan.num_obj Integer
The number of content objects detected in the request (zero or greater).
For more details, refer to Malicious uploads detection.
cf.waf.content_scan.obj_sizes Array<Integer>
An array of file sizes in bytes, in the order the content objects were detected in the request.
For more details, refer to Malicious uploads detection.
cf.waf.content_scan.obj_types Array<String>
An array of file types in the order the content objects were detected in the request. If Cloudflare cannot determine the file type of a content object, the corresponding value in the obj_types array will be application/octet-stream.
For more details, refer to Malicious uploads detection.
cf.waf.content_scan.obj_results Array<String>
An array of scan results in the order the content objects were detected in the request. The possible values are: clean, suspicious, infected, and not scanned.
For more details, refer to Malicious uploads detection.
cf.waf.score Number
A global score from 1 to 99 that combines the score of each WAF attack vector into a single score. This is the standard WAF attack score to detect variants of attack patterns.
cf.waf.score.sqli Number
An attack score from 1 to 99 classifying the SQL injection (SQLi) attack vector.
cf.waf.score.xss Number
An attack score from 1 to 99 classifying the cross-site scripting (XSS) attack vector.
cf.waf.score.rce Number
An attack score from 1 to 99 classifying the command injection or Remote Code Execution (RCE) attack vector.
cf.waf.score.class String
The attack score class of the current request, based on the WAF attack score. Can have one of the following values: attack, likely_attack, likely_clean, clean.
cf.waf.auth_detected Boolean
When true, the Cloudflare WAF detected authentication credentials in the request.
Only available when leaked credentials detection is enabled.
cf.waf.credential_check.password_leaked Boolean
When true, the password detected in the request was previously leaked.
Only available when leaked credentials detection is enabled.
cf.waf.credential_check.username_leaked Boolean
When true, the username detected in the request was previously leaked.
Only available when leaked credentials detection is enabled.
cf.waf.credential_check.username_and_password_leaked Boolean
When true, the authentication credentials detected in the request (username and password pair) were previously leaked.
Only available when leaked credentials detection is enabled.
cf.waf.credential_check.username_password_similar Boolean
When true, a similar version of the username and password credentials detected in the request were previously leaked.
Only available when leaked credentials detection is enabled.
cf.worker.upstream_zone String
Identifies whether a request comes from a worker or not. When a request comes from a worker, this field will hold the name of the zone for that worker. Otherwise, cf.worker.upstream_zone is empty.
The Bot Management Corporate Proxy field contains identified cloud-based corporate proxies and secure web gateways that are Enterprise-only, and provide outbound security services to their clients.
You can access the Corporate Proxy field in custom rules, rate limiting rules, or Workers to provide different security rules for traffic from these sources. You can also exempt them from rules using Bot Management scores.
not cf.bot_management.verified_botand not cf.bot_management.static_resourceand not cf.bot_management.corporate_proxyand cf.bot_management.score lt 30API Shield users can now create custom rules using claims present in tokens processed by JSON Web Tokens Validation.
http.request.jwt.claims.aud Map<Array<String>>
http.request.jwt.claims.aud.names Array<String>
http.request.jwt.claims.aud.values Array<String>
The aud (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for. Each principal intended to process the JWT must identify itself with a value in the audience claim. In the general case, the aud value is an array of case-sensitive strings, each containing a StringOrURI value.
Refer to the Registered Claim Names ↗ in RFC 7519 for more information.
http.request.jwt.claims.iat.sec Map<Array<Integer>>
http.request.jwt.claims.iat.sec.names Array<String>
http.request.jwt.claims.iat.sec.values Array<Integer>
The iat (issued at) claim identifies the time (number of seconds) at which the JWT was issued.
Refer to the Registered Claim Names ↗ in RFC 7519 for more information.
http.request.jwt.claims.iss Map<Array<String>>
http.request.jwt.claims.iss.names Array<String>
http.request.jwt.claims.iss.values Array<String>
The iss (issuer) claim identifies the principal that issued the JWT.
Refer to the Registered Claim Names ↗ in RFC 7519 for more information.
http.request.jwt.claims.jti Map<Array<String>>
http.request.jwt.claims.jti.names Array<String>
http.request.jwt.claims.jti.values Array<String>
The jti (JWT ID) claim provides a unique identifier for the JWT.
Refer to the Registered Claim Names ↗ in RFC 7519 for more information.
http.request.jwt.claims.nbf.sec Map<Array<Integer>>
http.request.jwt.claims.nbf.sec.names Array<String>
http.request.jwt.claims.nbf.sec.values Array<Integer>
The nbf (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.
Refer to the Registered Claim Names ↗ in RFC 7519 for more information.
http.request.jwt.claims.sub Map<Array<String>>
http.request.jwt.claims.sub.names Array<String>
http.request.jwt.claims.sub.values Array<String>
The sub (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject.
Refer to the Registered Claim Names ↗ in RFC 7519 for more information.