index.yaml

entries:
  - name: http.cookie
    data_type: String
    categories: [Request, Headers]
    keywords: [request, cookie, header, client, visitor]
    summary: The entire cookie as a string.
    example_value: |-
      "session=8521F670545D7865F79C3D7BEDC29CCE;-background=light"

  - name: http.host
    data_type: String
    categories: [Request, URI]
    keywords: [request, uri, url, domain, client, visitor]
    summary: The hostname used in the full request URI.
    description: |-
      The `http.host` field contains the `Host` header from the original request.

      If you have configured [Origin Rules](/rules/origin-rules/) that change the hostname, they will not be reflected in the `http.host` field value.
    example_value: |-
      "www.example.org"

  - name: http.referer
    data_type: String
    categories: [Request, Headers]
    keywords: [request, header, referer, referrer, client, visitor]
    summary: The HTTP `Referer` request header, which contains the address of the web page that linked to the currently requested page.
    example_value: |-
      "https://developer.example.org/en-US/docs/Web/JavaScript"

  - name: http.request.full_uri
    data_type: String
    categories: [Request, URI]
    keywords: [request, uri, url, client, visitor]
    summary: The full URI as received by the web server.
    description: |-
      The value will not include the `#fragment` part, which is not sent to web servers.
    example_value: |-
      "https://www.example.org/articles/index?section=539061&expand=comments"

  - name: http.request.method
    data_type: String
    categories: [Request]
    keywords: [request, client, visitor]
    summary: The HTTP method, returned as a string of uppercase characters.
    example_value: |-
      "GET"

  - name: http.request.cookies
    data_type: Map<Array<String>>
    categories: [Request, Headers]
    keywords: [request, header, client, visitor]
    plan_info_label: Pro or above
    summary: The `Cookie` HTTP header associated with a request represented as a Map (associative array).
    description: |-
      Requires a Cloudflare Pro, Business, or Enterprise plan.

      The cookie names are URL decoded. If two cookies have the same name after decoding, their value arrays are merged.

      The cookie values are not pre-processed and retain the original case used in the request.
    example_value: |-
      { "app": ["test"] }
    example_block: |-
      any(http.request.cookies["app"][*] == "test")

  - name: http.request.timestamp.sec
    data_type: Integer
    categories: [Request]
    keywords: [request, timestamp, client, visitor]
    summary: The timestamp when Cloudflare received the request, expressed as UNIX time in seconds.
    description: |-
      The field value is 10 digits long.

      When validating HMAC tokens in an expression, pass this field as the `currentTimestamp` argument to the [`is_timed_hmac_valid_v0()`](/ruleset-engine/rules-language/functions/#hmac-validation) validation function.

      To obtain the timestamp milliseconds, use the [`http.request.timestamp.msec`](/ruleset-engine/rules-language/fields/reference/http.request.timestamp.msec/) field.
    example_value: |-
      1484063137

  - name: http.request.timestamp.msec
    data_type: Integer
    categories: [Request]
    keywords: [request, timestamp, client, visitor]
    summary: The millisecond when Cloudflare received the request, between 0–999.
    description: |-
      To obtain the complete timestamp, use both [`http.request.timestamp.sec`](/ruleset-engine/rules-language/fields/reference/http.request.timestamp.sec/) and [`http.request.timestamp.msec`](/ruleset-engine/rules-language/fields/reference/http.request.timestamp.msec/) fields.
    example_value: |-
      857

  - name: http.request.uri
    data_type: String
    categories: [Request, URI]
    keywords: [request, uri, url, path, query, query string, client, visitor]
    summary: The URI path and query string of the request.
    example_value: |-
      "/articles/index?section=539061&expand=comments"

  - name: http.request.uri.path
    data_type: String
    categories: [Request, URI]
    keywords: [request, uri, url, path, client, visitor]
    summary: The URI path of the request.
    example_value: |-
      "/articles/index"

  - name: http.request.uri.path.extension
    data_type: String
    categories: [Request, URI]
    keywords: [request, uri, url, path, client, visitor]
    summary: The lowercased file extension in the URI path without the dot (`.`) character.
    description: |-
      This corresponds to the string after the last dot in the URI path, excluding the query string.

      If the first character of the last path segment is a dot and the segment does not contain other dot characters, the field value will be an empty string (`""`). Having a dot as the first character does not represent a file extension and is commonly used in UNIX-like systems to denote a hidden file or directory.

      Example values:

      - If the URI path is `/articles/index.html`, the field value will be `"html"`.
      - If the URI path is `/articles/index.`, the field value will be an empty string (`""`).

      Example values:

      | URI path       | Field value |
      | -------------- | ----------- |
      | `/foo`         | `""`        |
      | `/foo.mp3`     | `"mp3"`     |
      | `/.mp3`        | `""`        |
      | `/.foo.mp3`    | `"mp3"`     |
      | `/foo.tar.bz2` | `"bz2"`     |
      | `/foo.`        | `""`        |
      | `/foo.MP3`     | `"mp3"`     |

  - name: http.request.uri.query
    data_type: String
    categories: [Request, URI]
    keywords: [request, uri, url, query, query string, client, visitor]
    summary: The entire query string, without the `?` delimiter.
    example_value: |-
      "section=539061&expand=comments"

  - name: http.user_agent
    data_type: String
    categories: [Request, Headers]
    keywords: [request, header, agent, user-agent, browser, client, visitor]
    summary: The HTTP `User-Agent` request header, which contains a characteristic string to identify the client operating system and web browser.
    example_value: |-
      "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"

  - name: http.request.version
    data_type: String
    categories: [Request]
    keywords: [request, protocol, client, visitor]
    summary: The version of the HTTP protocol used. Use this field when different checks are needed for different versions.
    description: |-
      Example values:

      - `"HTTP/1.1"`
      - `"HTTP/3"`

  - name: http.x_forwarded_for
    data_type: String
    categories: [Request, Headers]
    keywords: [request, header, proxy, ip, client, visitor]
    summary: The full value of the `X-Forwarded-For` HTTP header.
    example_value: |-
      "203.0.113.195, 70.41.3.18"

  - name: ip.src
    data_type: IP address
    categories: [Request]
    keywords: [request, proxy, ip, client, visitor]
    summary: The client TCP IP address, which may be adjusted to reflect the actual address of the client using HTTP headers such as `X-Forwarded-For` or `X-Real-IP`.
    example_value: |-
      93.184.216.34

  - name: ip.src.lat
    data_type: String
    categories: [Request, Geolocation]
    keywords: [request, location, geolocation, client, visitor]
    summary: The latitude associated with the client IP address.
    example_value: |-
      "37.78044"

  - name: ip.src.lon
    data_type: String
    categories: [Request, Geolocation]
    keywords: [request, location, geolocation, client, visitor]
    summary: The longitude associated with the client IP address.
    example_value: |-
      "-122.39055"

  - name: ip.src.city
    data_type: String
    categories: [Request, Geolocation]
    keywords: [request, location, geolocation, client, visitor]
    summary: The city associated with the client IP address.
    example_value: |-
      "San Francisco"

  - name: ip.src.postal_code
    data_type: String
    categories: [Request, Geolocation]
    keywords: [request, location, geolocation, zip, zip code, client, visitor]
    summary: The postal code associated with the incoming request.
    example_value: |-
      "78701"

  - name: ip.src.metro_code
    data_type: String
    categories: [Request, Geolocation]
    keywords: [request, location, geolocation, dma, client, visitor]
    summary: The metro code or Designated Market Area (DMA) code associated with the incoming request.
    example_value: |-
      "635"

  - name: ip.src.region
    data_type: String
    categories: [Request, Geolocation]
    keywords: [request, location, geolocation, state, client, visitor]
    summary: The region name associated with the incoming request.
    example_value: |-
      "Texas"

  - name: ip.src.region_code
    data_type: String
    categories: [Request, Geolocation]
    keywords: [request, location, geolocation, state, client, visitor]
    summary: The region code associated with the incoming request.
    example_value: |-
      "TX"

  - name: ip.src.timezone.name
    data_type: String
    categories: [Request, Geolocation]
    keywords:
      [request, location, geolocation, time zone, clock, client, visitor]
    summary: The name of the timezone associated with the incoming request.
    description: |-
      This field is only available in rewrite expressions of [Transform Rules](/rules/transform/).
    example_value: |-
      "America/Chicago"

  - name: ip.src.asnum
    data_type: Number
    categories: [Request, Geolocation]
    keywords:
      [request, location, geolocation, asn, ip.geoip.asnum, client, visitor]
    summary: The 16-bit or 32-bit integer representing the Autonomous System (AS) number associated with the client IP address.
    description: |-
      This field has the same value as the `ip.geoip.asnum` field, which is deprecated. The `ip.geoip.asnum` field is still available for new and existing rules, but you should use the `ip.src.asnum` field instead.

      _GeoIP is the registered trademark of MaxMind, Inc._

  - name: ip.src.continent
    data_type: String
    categories: [Request, Geolocation]
    keywords:
      [request, location, geolocation, ip.geoip.continent, client, visitor]
    summary: The continent code associated with the client IP address.
    description: |-
      Values:

      - `"AF"`: Africa
      - `"AN"`: Antarctica
      - `"AS"`: Asia
      - `"EU"`: Europe
      - `"NA"`: North America
      - `"OC"`: Oceania
      - `"SA"`: South America
      - `"T1"`: Tor network

      This field has the same value as the `ip.geoip.continent` field, which is deprecated. The `ip.geoip.continent` field is still available for new and existing rules, but you should use the `ip.src.continent` field instead.

      _GeoIP is the registered trademark of MaxMind, Inc._

  - name: ip.src.country
    data_type: String
    categories: [Request, Geolocation]
    keywords:
      [request, location, geolocation, ip.geoip.country, client, visitor]
    summary: The 2-letter country code in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format.
    example_value: |-
      "GB"
    description: |-
      For more information on the ISO 3166-1 Alpha 2 format, refer to [ISO 3166-1 Alpha 2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) on Wikipedia.

      This field has the same value as the `ip.geoip.country` field, which is deprecated. The `ip.geoip.country` field is still available for new and existing rules, but you should use the `ip.src.country` field instead.

      _GeoIP is the registered trademark of MaxMind, Inc._

  - name: ip.src.subdivision_1_iso_code
    data_type: String
    categories: [Request, Geolocation]
    keywords:
      [
        request,
        location,
        geolocation,
        ip.geoip.subdivision_1_iso_code,
        region,
        client,
        visitor,
      ]
    plan_info_label: Business or above
    summary: The ISO 3166-2 code for the first-level region associated with the IP address.
    example_value: |-
      "GB-ENG"
    description: |-
      When the actual value is not available, this field contains an empty string.

      Requires a Cloudflare Business or Enterprise plan.

      For more information on the ISO 3166-2 standard and the available regions, refer to [ISO 3166-2](https://en.wikipedia.org/wiki/ISO_3166-2) on Wikipedia.

      This field has the same value as the `ip.geoip.subdivision_1_iso_code` field, which is deprecated. The `ip.geoip.subdivision_1_iso_code` field is still available for new and existing rules, but you should use the `ip.src.subdivision_1_iso_code` field instead.

      _GeoIP is the registered trademark of MaxMind, Inc._

  - name: ip.src.subdivision_2_iso_code
    data_type: String
    categories: [Request, Geolocation]
    keywords:
      [
        request,
        location,
        geolocation,
        ip.geoip.subdivision_2_iso_code,
        region,
        client,
        visitor,
      ]
    plan_info_label: Business or above
    summary: The ISO 3166-2 code for the second-level region associated with the IP address.
    example_value: |-
      "GB-SWK"
    description: |-
      When the actual value is not available, this field contains an empty string.

      Requires a Cloudflare Business or Enterprise plan.

      For more information on the ISO 3166-2 standard and the available regions, refer to [ISO 3166-2](https://en.wikipedia.org/wiki/ISO_3166-2) on Wikipedia.

      This field has the same value as the `ip.geoip.subdivision_2_iso_code` field, which is deprecated. The `ip.geoip.subdivision_2_iso_code` field is still available for new and existing rules, but you should use the `ip.src.subdivision_2_iso_code` field instead.

      _GeoIP is the registered trademark of MaxMind, Inc._

  - name: ip.src.is_in_european_union
    data_type: Boolean
    categories: [Request, Geolocation]
    keywords:
      [
        request,
        location,
        geolocation,
        ip.geoip.is_in_european_union,
        country,
        client,
        visitor,
      ]
    plan_info_label: Business or above
    summary: Whether the request originates from a country in the European Union (EU).
    description: |-
      Requires a Cloudflare Business or Enterprise plan.

      Countries in the EU (from geolocation data):

      | Country code | Country name    |
      | ------------ | --------------- |
      | `AT`         | Austria         |
      | `AX`         | Åland Islands   |
      | `BE`         | Belgium         |
      | `BG`         | Bulgaria        |
      | `CY`         | Cyprus          |
      | `CZ`         | Czechia         |
      | `DE`         | Germany         |
      | `DK`         | Denmark         |
      | `EE`         | Estonia         |
      | `ES`         | Spain           |
      | `FI`         | Finland         |
      | `FR`         | France          |
      | `GF`         | French Guiana   |
      | `GP`         | Guadeloupe      |
      | `GR`         | Greece          |
      | `HR`         | Croatia         |
      | `HU`         | Hungary         |
      | `IE`         | Ireland         |
      | `IT`         | Italy           |
      | `LT`         | Lithuania       |
      | `LU`         | Luxembourg      |
      | `LV`         | Latvia          |
      | `MF`         | Saint Martin    |
      | `MQ`         | Martinique      |
      | `MT`         | Malta           |
      | `NL`         | The Netherlands |
      | `PL`         | Poland          |
      | `PT`         | Portugal        |
      | `RE`         | Réunion         |
      | `RO`         | Romania         |
      | `SE`         | Sweden          |
      | `SI`         | Slovenia        |
      | `SK`         | Slovakia        |
      | `YT`         | Mayotte         |

      This field has the same value as the `ip.geoip.is_in_european_union` field, which is deprecated. The `ip.geoip.is_in_european_union` field is still available for new and existing rules, but you should use the `ip.src.is_in_european_union` field instead.

      _GeoIP is the registered trademark of MaxMind, Inc._

  - name: raw.http.request.full_uri
    data_type: String
    categories: [Request, URI, Raw fields]
    keywords: [request, uri, url, raw, client, visitor]
    summary: The raw full URI as received by the web server without any transformation.
    description: |-
      The value will not include the `#fragment` part, which is not sent to web servers.

      This is the raw field version of the [`http.request.full_uri`](/ruleset-engine/rules-language/fields/reference/http.request.full_uri/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.

      **Note**: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.

  - name: raw.http.request.uri
    data_type: String
    categories: [Request, URI, Raw fields]
    keywords:
      [request, uri, url, path, query, query string, raw, client, visitor]
    summary: The URI path and query string of the request without any transformation.
    description: |-
      This is the raw field version of the [`http.request.uri`](/ruleset-engine/rules-language/fields/reference/http.request.uri/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.

      **Note**: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.

  - name: raw.http.request.uri.path
    data_type: String
    categories: [Request, URI, Raw fields]
    keywords: [request, uri, url, path, raw, client, visitor]
    summary: The raw URI path of the request without any transformation.
    description: |-
      This is the raw field version of the [`http.request.uri.path`](/ruleset-engine/rules-language/fields/reference/http.request.uri.path/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.

      **Note**: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.

  - name: raw.http.request.uri.path.extension
    data_type: String
    categories: [Request, URI, Raw fields]
    keywords: [request, uri, url, path, raw, client, visitor]
    summary: The raw file extension in the request URI path without any transformation.
    description: |-
      This is the raw field version of the [`http.request.uri.path.extension`](/ruleset-engine/rules-language/fields/reference/http.request.uri.path.extension/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.

  - name: raw.http.request.uri.query
    data_type: String
    categories: [Request, URI, Raw fields]
    keywords: [request, uri, url, query, query string, raw, client, visitor]
    summary: The entire query string without the `?` delimiter and without any transformation.
    description: |-
      This is the raw field version of the [`http.request.uri.query`](/ruleset-engine/rules-language/fields/reference/http.request.uri.query/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.

      **Note**: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.

  - name: raw.http.response.headers
    data_type: Map<Array<String>>
    categories: [Response, Headers, Raw fields]
    keywords: [response, raw]
    summary: The HTTP response headers without any transformation represented as a Map (or associative array).
    description: |-
      This is the raw field version of the [`http.response.headers`](/ruleset-engine/rules-language/fields/reference/http.response.headers/) field. Raw fields, prefixed with `raw.`, preserve original response values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
    example_value: |-
      {"server": ["nginx"]}
    example_block: |-
      any(raw.http.response.headers["server"][*] == "nginx")

  - name: raw.http.response.headers.names
    data_type: Array<String>
    categories: [Response, Headers, Raw fields]
    keywords: [response, raw]
    summary: The names of the headers in the HTTP response without any transformation.
    description: |-
      This is the raw field version of the [`http.response.headers.names`](/ruleset-engine/rules-language/fields/reference/http.response.headers.names/) field. Raw fields, prefixed with `raw.`, preserve original response values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
    example_value: |-
      ["content-type"]
    example_block: |-
      any(raw.http.response.headers.names[*] == "content-type")

  - name: raw.http.response.headers.values
    data_type: Array<String>
    categories: [Response, Headers, Raw fields]
    keywords: [response, raw]
    summary: The values of the headers in the HTTP response without any transformation.
    description: |-
      This is the raw field version of the [`http.response.headers.values`](/ruleset-engine/rules-language/fields/reference/http.response.headers.values/) field. Raw fields, prefixed with `raw.`, preserve original response values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
    example_value: |-
      Example 1: ["application/json"]
      Example 2: ["This header value is longer than 10 bytes"]
    example_block: |-
      # Example 1: Check for specific header value.
      any(raw.http.response.headers.values[*] == "application/json")

      # Example 2: Match requests according to the specified operator and the length/size entered for the header value.
      any(len(raw.http.response.headers.values[*])[*] gt 10)

  - name: ssl
    data_type: Boolean
    categories: [Request]
    keywords: [request, tls, https, client, visitor]
    summary: Returns `true` when the HTTP connection to the client is encrypted.

  - name: cf.api_gateway.auth_id_present
    data_type: Boolean
    categories: [Request]
    keywords: [request, session, api shield, client, visitor]
    plan_info_label: Enterprise add-on
    summary: Indicates whether the request contained an API session authentication token, as defined by API Shield's saved [session identifiers](/api-shield/get-started/#session-identifiers).

  - name: cf.api_gateway.request_violates_schema
    data_type: Boolean
    categories: [Request]
    keywords: [request, api shield, client, visitor]
    summary: Indicates whether the request [violated the schema](/api-shield/security/schema-validation/) assigned to the respective saved endpoint.

  - name: cf.api_gateway.fallthrough_detected
    data_type: Boolean
    categories: [Request]
    keywords: [request, api shield, client, visitor]
    summary: Indicates whether the request matched a saved endpoint in [Endpoint Management](/api-shield/management-and-monitoring/).

  - name: cf.bot_management.verified_bot
    data_type: Boolean
    categories: [Request, Bots]
    keywords: [request, bots, client, visitor]
    plan_info_label: Enterprise add-on
    summary: Indicates whether the request originated from a known good bot or crawler.
    description: |-
      Provides the same information as [`cf.client.bot`](/ruleset-engine/rules-language/fields/reference/cf.client.bot/).

      Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.

  - name: cf.verified_bot_category
    data_type: String
    categories: [Request, Bots]
    keywords: [request, bots, client, visitor]
    summary: Provides the type and purpose of a verified bot.
    description: |-
      For more details, refer to [Verified bot categories](/bots/concepts/bot/verified-bots/#categories).

  - name: cf.bot_management.score
    data_type: Number
    categories: [Request, Bots]
    keywords: [request, bots, client, visitor]
    plan_info_label: Enterprise add-on
    summary: Represents the likelihood that a request originates from a bot using a score from 1–99.
    description: |-
      A low score indicates that the request comes from a bot or an automated agent. A high score indicates that a human issued the request.

      Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.

  - name: cf.bot_management.static_resource
    data_type: Boolean
    categories: [Request, Bots]
    keywords: [request, bots, client, visitor]
    plan_info_label: Enterprise add-on
    summary: Indicates whether static resources should be included when you create a rule using [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/reference/cf.bot_management.score/).
    description: |-
      For more details, refer to [Static resource protection](/bots/additional-configurations/static-resources/).

      Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.

  - name: cf.bot_management.ja3_hash
    data_type: String
    categories: [Request, Bots]
    keywords: [request, bots, client, visitor]
    plan_info_label: Enterprise add-on
    summary: Provides an SSL/TLS fingerprint to help you identify potential bot requests.
    description: |-
      For more details, refer to [JA3/JA4 Fingerprint](/bots/additional-configurations/ja3-ja4-fingerprint/).

      Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.

  - name: cf.bot_management.ja4
    data_type: String
    categories: [Request, Bots]
    keywords: [request, bots, client, visitor]
    plan_info_label: Enterprise add-on
    summary: Provides an SSL/TLS fingerprint to help you identify potential bot requests.
    description: |-
      For more details, refer to [JA3/JA4 Fingerprint](/bots/additional-configurations/ja3-ja4-fingerprint/).

      Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.

  - name: cf.bot_management.js_detection.passed
    data_type: Boolean
    categories: [Request, Bots]
    keywords: [request, bots, client, visitor]
    plan_info_label: Enterprise add-on
    summary: Indicates whether the visitor has previously passed a JS Detection.
    description: |-
      For more details, refer to [JavaScript detections](/bots/additional-configurations/javascript-detections/).

      Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.

  - name: cf.bot_management.detection_ids
    data_type: Array<Number>
    categories: [Request, Bots]
    keywords: [request, bots, client, visitor]
    plan_info_label: Enterprise add-on
    summary: List of IDs that correlate to the Bot Management heuristic detections made on a request.
    description: |-
      Use this field to explicitly match a specific heuristic or to exclude a heuristic in a rule. You can have multiple heuristic detections on the same request.

      Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
    example_block: |-
      any(cf.bot_management.detection_ids[*] eq 33554817)

  - name: cf.client.bot
    data_type: Boolean
    categories: [Request, Bots]
    keywords: [request, bots, client, visitor]
    summary: Indicates whether the request originated from a known good bot or crawler.
    description: |-
      Provides the same information as [`cf.bot_management.verified_bot`](/ruleset-engine/rules-language/fields/reference/cf.bot_management.verified_bot/).

  - name: cf.edge.server_ip
    data_type: IP address
    categories: [Request]
    keywords: [request, cloudflare, client, visitor]
    summary: Represents the global network's IP address to which the HTTP request has resolved.
    description: |-
      This field is only meaningful for [BYOIP customers](/byoip/).

  - name: cf.edge.server_port
    data_type: Number
    categories: [Request]
    keywords: [request, cloudflare, client, visitor]
    summary: Represents the port number at which the Cloudflare global network received the request.
    description: |-
      Use this field to filter traffic on a specific port. The value is a port number in the range 1–65535.

  - name: cf.hostname.metadata
    data_type: String
    categories: [Request]
    keywords: [request, cloudflare, saas, platforms, client, visitor]
    summary: Returns the string representation of the per-hostname [custom metadata](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata/) JSON object set by SSL for SaaS customers.

  - name: cf.random_seed
    data_type: Bytes
    categories: [Request]
    keywords: [request, cloudflare, client, visitor]
    summary: Returns per-request random bytes that you can use in the [`uuidv4()`](/ruleset-engine/rules-language/functions/#uuidv4) function.

  - name: cf.ray_id
    data_type: String
    categories: [Request]
    keywords: [request, cloudflare, client, visitor]
    summary: The Ray ID of the current request.
    description: |-
      A [Ray ID](/fundamentals/reference/cloudflare-ray-id/) is an identifier given to every request that goes through Cloudflare.

  - name: cf.threat_score
    data_type: Number
    categories: [Request]
    keywords: [request, cloudflare, score, client, visitor]
    summary: Represents a Cloudflare threat score.
    description: |-
      Previously, a threat score represented a Cloudflare threat score from 0–100, where 0 indicated low risk. Now, the threat score is always `0` (zero).

  - name: cf.tls_cipher
    data_type: String
    categories: [Request, SSL/TLS]
    keywords: [request, ssl, tls, client, visitor]
    summary: The cipher for the connection to Cloudflare.
    example_value: |-
      "AES128-SHA256"

  - name: cf.tls_client_auth.cert_revoked
    data_type: Boolean
    categories: [Request, mTLS]
    keywords: [request, ssl, mtls, client, visitor]
    summary: Indicates whether the request presented a valid but revoked client certificate.
    description: |-
      When `true`, the [`cf.tls_client_auth.cert_verified`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_verified/) field is also `true`.

      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).

  - name: cf.tls_client_auth.cert_verified
    data_type: Boolean
    categories: [Request, mTLS]
    keywords: [request, ssl, mtls, client, visitor]
    summary: Returns `true` when a request presents a valid client certificate.
    description: |-
      Also returns `true` when a request includes a valid certificate that was revoked (refer to [`cf.tls_client_auth.cert_revoked`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_revoked/)).

      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).

  - name: cf.tls_client_auth.cert_presented
    data_type: Boolean
    categories: [Request, mTLS]
    keywords: [request, ssl, mtls, client, visitor]
    summary: Returns `true` when a request presents a certificate (valid or not).
    description: |-
      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).

  - name: cf.tls_client_auth.cert_issuer_dn
    data_type: String
    categories: [Request, mTLS]
    keywords: [request, ssl, mtls, client, visitor]
    summary: The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate included in the request.
    description: |-
      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
    example_value: |-
      "CN=Access Testing CA,OU=TX,O=Access Testing,L=Austin,ST=Texas,C=US"

  - name: cf.tls_client_auth.cert_subject_dn
    data_type: String
    categories: [Request, mTLS]
    keywords: [request, ssl, mtls, client, visitor]
    summary: The Distinguished Name (DN) of the owner (or requester) of the certificate included in the request.
    description: |-
      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
    example_value: |-
      "CN=James Royal,OU=Access Admins,O=Access,L=Austin,ST=Texas,C=US"

  - name: cf.tls_client_auth.cert_issuer_dn_rfc2253
    data_type: String
    categories: [Request, mTLS]
    keywords: [request, ssl, mtls, client, visitor]
    summary: The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in [RFC 2253](https://datatracker.ietf.org/doc/html/rfc2253) format.
    description: |-
      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
    example_value: |-
      "CN=Access Testing CA,OU=TX,O=Access Testing,L=Austin,ST=Texas,C=US"

  - name: cf.tls_client_auth.cert_subject_dn_rfc2253
    data_type: String
    categories: [Request, mTLS]
    keywords: [request, ssl, mtls, client, visitor]
    summary: The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in [RFC 2253](https://datatracker.ietf.org/doc/html/rfc2253) format.
    description: |-
      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
    example_value: |-
      "CN=James Royal,OU=Access Admins,O=Access,L=Austin,ST=Texas,C=US"

  - name: cf.tls_client_auth.cert_issuer_dn_legacy
    data_type: String
    categories: [Request, mTLS]
    keywords: [request, ssl, mtls, client, visitor]
    summary: The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in a legacy format.
    description: |-
      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
    example_value: |-
      "/C=US/ST=Texas/L=Austin/O=Access Testing/OU=TX/CN=Access Testing CA"

  - name: cf.tls_client_auth.cert_subject_dn_legacy
    data_type: String
    categories: [Request, mTLS]
    keywords: [request, ssl, mtls, client, visitor]
    summary: The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in a legacy format.
    description: |-
      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
    example_value: |-
      "/C=US/ST=Texas/L=Austin/O=Access/OU=Access Admins/CN=James Royal"

  - name: cf.tls_client_auth.cert_serial
    data_type: String
    categories: [Request, mTLS]
    keywords: [request, ssl, mtls, client, visitor]
    summary: Serial number of the certificate in the request.
    description: |-
      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
    example_value: |-
      "527E0F20A20EA2A4146C78390F34CE7AF0878CA4"

  - name: cf.tls_client_auth.cert_issuer_serial
    data_type: String
    categories: [Request, mTLS]
    keywords: [request, ssl, mtls, client, visitor]
    summary: Serial number of the direct issuer of the certificate in the request.
    description: |-
      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
    example_value: |-
      "2688201DBA77402EA87118876F2E1B24CF8B0395"

  - name: cf.tls_client_auth.cert_fingerprint_sha256
    data_type: String
    categories: [Request, mTLS]
    keywords: [request, ssl, mtls, client, visitor]
    summary: The SHA-256 fingerprint of the certificate in the request.
    description: |-
      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
    example_value: |-
      "af363dc85bc942a892d3cee9796190fdb36d89cd588a4f1cb17c74a943439714"

  - name: cf.tls_client_auth.cert_fingerprint_sha1
    data_type: String
    categories: [Request, mTLS]
    keywords: [request, ssl, mtls, client, visitor]
    summary: The SHA-1 fingerprint of the certificate in the request.
    description: |-
      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
    example_value: |-
      "933ad5282c560ae3f482a43ecd73bc9de878a190"

  - name: cf.tls_client_auth.cert_not_before
    data_type: String
    categories: [Request, mTLS]
    keywords: [request, ssl, mtls, client, visitor]
    summary: The certificate in the request is not valid before this date.
    description: |-
      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
    example_value: |-
      "Mar 21 13:35:00 2022 GMT"

  - name: cf.tls_client_auth.cert_not_after
    data_type: String
    categories: [Request, mTLS]
    keywords: [request, ssl, mtls, client, visitor]
    summary: The certificate in the request is not valid after this date.
    description: |-
      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
    example_value: |-
      "Mar 21 13:35:00 2023 GMT"

  - name: cf.tls_client_auth.cert_ski
    data_type: String
    categories: [Request, mTLS]
    keywords: [request, ssl, mtls, client, visitor]
    summary: The Subject Key Identifier (SKI) of the certificate in the request.
    description: |-
      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
    example_value: |-
      "27846FAE6EAC4A8DAD9101B519CF1EB460242831"

  - name: cf.tls_client_auth.cert_issuer_ski
    data_type: String
    categories: [Request, mTLS]
    keywords: [request, ssl, mtls, client, visitor]
    summary: The Subject Key Identifier (SKI) of the direct issuer of the certificate in the request.
    description: |-
      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
    example_value: |-
      "8204924CF49D471E855862706D889F58F6B784D3"

  - name: cf.tls_client_extensions_sha1
    data_type: String
    categories: [Request, SSL/TLS]
    keywords: [request, ssl, tls, client, visitor]
    summary: The SHA-1 fingerprint of TLS client extensions, encoded in Base64 using big-endian format.
    description: For the little-endian version of this field, refer to [`cf.tls_client_extensions_sha1_le`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_extensions_sha1_le/).
    example_value: |-
      "OWFiM2I5ZDc0YWI0YWYzZmFkMGU0ZjhlYjhiYmVkMjgxNTU5YTU2Mg=="

  - name: cf.tls_client_extensions_sha1_le
    data_type: String
    categories: [Request, SSL/TLS]
    keywords: [request, ssl, tls, client, visitor]
    summary: The SHA-1 fingerprint of TLS client extensions, encoded in Base64 using little-endian format.
    description: For the big-endian version of this field, refer to [`cf.tls_client_extensions_sha1`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_extensions_sha1/).
    example_value: |-
      "7zIpdDU5pvFPPBI2/PCzqbaXnRA="

  - name: cf.tls_ciphers_sha1
    data_type: String
    categories: [Request, SSL/TLS]
    keywords: [request, ssl, tls, client, visitor]
    summary: The SHA-1 fingerprint of the client TLS cipher list in received order, encoded in Base64 using big-endian format.
    example_value: |-
      "GXSPDLP4G3X+prK73a4wBuOaHRc="

  - name: cf.tls_client_hello_length
    data_type: Number
    categories: [Request, SSL/TLS]
    keywords: [request, ssl, tls, client, visitor]
    summary: The length of the client hello message sent in a [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake).
    description: |-
      Specifically, the length of the bytestring of the client hello.
    example_value: |-
      508

  - name: cf.tls_client_random
    data_type: String
    categories: [Request, SSL/TLS]
    keywords: [request, ssl, tls, client, visitor]
    summary: The value of the 32-byte random value provided by the client in a [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake), encoded in Base64.
    description: |-
      For more details, refer to [RFC 8446](https://datatracker.ietf.org/doc/html/rfc8446#section-4.1.2).
    example_value: |-
      "YWJjZA=="

  - name: cf.tls_version
    data_type: String
    categories: [Request, SSL/TLS]
    keywords: [request, ssl, tls, client, visitor]
    summary: The TLS version of the connection to Cloudflare.
    example_value: |-
      "TLSv1.2"

  - name: cf.edge.client_tcp
    data_type: Boolean
    categories: [Request]
    keywords: [request, tcp, network, client]
    summary: Indicates if the request was made over TCP.
    example_value: |-
      true

  - name: cf.edge.client_quic
    data_type: Boolean
    categories: [Request]
    keywords: [request, quic, network, client, http3]
    summary: Indicates if the request was made over QUIC.
    example_value: |-
      true

  - name: cf.edge.l4.delivery_rate
    data_type: Integer
    categories: [Request]
    keywords:
      [request, l4, delivery rate, bandwidth, network, performance, transport]
    summary: The most recent data delivery rate estimate for the client connection, in bytes per second.
    description: |-
      Reports the transport layer delivery rate estimate measured by Cloudflare for the connection between the client and Cloudflare, in bytes per second.

      This metric reflects the rate at which data is being successfully delivered over the connection. It can be used to build rules that respond to connection quality, such as serving lower-quality content to clients on slow connections.

      Returns `0` when L4 statistics are not available for the request.
    example_value: |-
      123456
    example_block: |-
      # Match requests where the delivery rate is below 100 KB/s
      cf.edge.l4.delivery_rate < 100000

  - name: cf.timings.client_tcp_rtt_msec
    data_type: Number
    categories: [Request]
    keywords: [request, timing, tcp, rtt, performance, latency]
    summary: The smoothed TCP round-trip time (RTT) from client to Cloudflare in milliseconds.
    example_value: |-
      20

  - name: cf.timings.client_quic_rtt_msec
    data_type: Integer
    categories: [Request]
    keywords: [request, timing, quic, rtt, performance, latency, http3]
    summary: The smoothed QUIC round-trip time (RTT) from client to Cloudflare in milliseconds.
    description: |-
      Reports the smoothed round-trip time for the QUIC connection between the client and Cloudflare, in milliseconds.

      This field is only populated for QUIC (HTTP/3) connections. For TCP connections, the value is `0`. Use [`cf.edge.client_quic`](/ruleset-engine/rules-language/fields/reference/cf.edge.client_quic/) to check if the connection used QUIC before evaluating this field.
    example_value: |-
      42
    example_block: |-
      # Match QUIC requests where the RTT exceeds 200 ms
      cf.edge.client_quic and cf.timings.client_quic_rtt_msec > 200

  - name: cf.timings.edge_msec
    data_type: Integer
    categories: [Request]
    keywords: [request, timing, edge, performance]
    summary: The time spent processing a request within the Cloudflare global network in milliseconds.
    description: |-
      The value corresponds to the time interval between when the Cloudflare edge server accepted the HTTP request headers for processing and just before the HTTP response headers were available to be sent to the client.

      The value does not include:
        - The time spent forwarding the request to the origin server (refer to [`cf.timings.origin_ttfb_msec`](/ruleset-engine/rules-language/fields/reference/cf.timings.origin_ttfb_msec/)).
        - The network transfer time to the client.
    example_value: |-
      28
    example_block: |-
      # Matches requests where Cloudflare's edge processing time was greater than 500 milliseconds
      cf.timings.edge_msec > 500

  - name: cf.timings.origin_ttfb_msec
    data_type: Integer
    categories: [Request]
    keywords: [request, timing, ttfb, performance, origin, latency]
    summary: The round-trip time (RTT) between the Cloudflare global network and the origin server in milliseconds.
    description: |-
      This field provides insight into origin server latency. It represents the Time to First Byte (TTFB) from the perspective of the Cloudflare edge server.

      This metric includes both the network RTT and the time the origin server spent handling the request.

      If the request was served from the Cloudflare CDN cache and the origin server was not reached, the value of this field will be `0`.
    example_value: |-
      150
    example_block: |-
      # Matches requests where the origin response time (TTFB) was greater than 2 seconds:
      cf.timings.origin_ttfb_msec > 2000

  - name: cf.timings.worker_msec
    data_type: Integer
    categories: [Request]
    keywords: [request, timing, workers, performance, latency]
    summary: The time spent executing a Cloudflare Worker in milliseconds.
    description: |-
      This field provides the wall-clock time that a Cloudflare Worker spent handling the request, measured in milliseconds.

      Use this field to identify slow Worker executions, set up alerts for performance regressions, or add Worker execution time as a request header using Transform Rules for downstream observability.

      If the request did not invoke a Worker, the value of this field will be `0`.
    example_value: |-
      12
    example_block: |-
      # Matches requests where the Worker execution time exceeded 500 milliseconds
      cf.timings.worker_msec > 500

  - name: cf.waf.content_scan.has_obj
    data_type: Boolean
    categories: [Request]
    keywords:
      [
        request,
        cloudflare,
        content scanning,
        malicious uploads,
        client,
        visitor,
      ]
    plan_info_label: Enterprise add-on
    summary: Indicates whether the request contains at least one content object.
    description: |-
      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
    example_block: |-
      # Check if requests to a specific endpoint include any content objects
      cf.waf.content_scan.has_obj and http.request.uri.path eq "/upload"

  - name: cf.waf.content_scan.has_malicious_obj
    data_type: Boolean
    categories: [Request]
    keywords:
      [
        request,
        cloudflare,
        content scanning,
        malicious uploads,
        client,
        visitor,
      ]
    plan_info_label: Enterprise add-on
    summary: Indicates whether the request contains at least one malicious content object.
    description: |-
      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
    example_block: |-
      # Check if requests to a specific endpoint include any malicious content objects
      cf.waf.content_scan.has_malicious_obj and http.request.uri.path eq "/upload"

  - name: cf.waf.content_scan.num_malicious_obj
    data_type: Integer
    categories: [Request]
    keywords:
      [
        request,
        cloudflare,
        content scanning,
        malicious uploads,
        client,
        visitor,
      ]
    plan_info_label: Enterprise add-on
    summary: The number of malicious content objects detected in the request (zero or greater).
    description: |-
      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
    example_block: |-
      # Check if requests to a specific endpoint contain more than two malicious content objects
      cf.waf.content_scan.num_malicious_obj > 2 and http.request.uri.path eq "/upload"

  - name: cf.waf.content_scan.has_failed
    data_type: Boolean
    categories: [Request]
    keywords:
      [
        request,
        cloudflare,
        content scanning,
        malicious uploads,
        client,
        visitor,
      ]
    plan_info_label: Enterprise add-on
    summary: Indicates whether the file scanner was unable to scan any of the content objects detected in the request.
    description: |-
      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).

  - name: cf.waf.content_scan.num_obj
    data_type: Integer
    categories: [Request]
    keywords:
      [
        request,
        cloudflare,
        content scanning,
        malicious uploads,
        client,
        visitor,
      ]
    plan_info_label: Enterprise add-on
    summary: The number of content objects detected in the request (zero or greater).
    description: |-
      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
    example_block: |-
      # Check if requests to a specific endpoint contain more than two content objects
      cf.waf.content_scan.num_obj > 2 and http.request.uri.path eq "/upload"

  - name: cf.waf.content_scan.obj_sizes
    data_type: Array<Integer>
    categories: [Request]
    keywords:
      [
        request,
        cloudflare,
        content scanning,
        malicious uploads,
        client,
        visitor,
      ]
    plan_info_label: Enterprise add-on
    summary: An array of file sizes in bytes, in the order the content objects were detected in the request.
    description: |-
      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
    example_block: |-
      # Check if requests to a specific endpoint contain any content objects larger than 500 KB (512,000 bytes)
      any(cf.waf.content_scan.obj_sizes[*] > 512000) and http.request.uri.path eq "/upload"

  - name: cf.waf.content_scan.obj_types
    data_type: Array<String>
    categories: [Request]
    keywords:
      [
        request,
        cloudflare,
        content scanning,
        malicious uploads,
        client,
        visitor,
      ]
    plan_info_label: Enterprise add-on
    summary: An array of file types in the order the content objects were detected in the request.
    description: |-
      If Cloudflare cannot determine the file type of a content object, the corresponding value in the `obj_types` array will be `application/octet-stream`.

      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
    example_block: |-
      # Check if requests to a specific endpoint contain content objects other than PDFs
      any(cf.waf.content_scan.obj_types[*] != "application/pdf") and http.request.uri.path eq "/upload"

  - name: cf.waf.content_scan.obj_results
    data_type: Array<String>
    categories: [Request]
    keywords:
      [
        request,
        cloudflare,
        content scanning,
        malicious uploads,
        client,
        visitor,
      ]
    plan_info_label: Enterprise add-on
    summary: An array of scan results in the order the content objects were detected in the request.
    description: |-
      The possible values are: `clean`, `suspicious`, `infected`, and `not scanned`.

      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
    example_block: |-
      # Check if requests to a specific endpoint contain any suspicious or infected content objects
      any(cf.waf.content_scan.obj_results[*] in {"suspicious" "infected"}) and http.request.uri.path eq "/upload"

  - name: cf.waf.score
    data_type: Number
    categories: [Request]
    keywords: [request, cloudflare, attack score, waf score, client, visitor]
    plan_info_label: Enterprise
    summary: A global score from 1–99 that combines the score of each WAF attack vector into a single score.
    description: |-
      The special score `100` indicates that Cloudflare did not score the request.

      This is the standard [WAF attack score](/waf/detections/attack-score/) to detect variants of attack patterns.

      Requires a Cloudflare Enterprise plan. You must also enable [attack score detection](/waf/detections/attack-score/).

  - name: cf.waf.score.sqli
    data_type: Number
    categories: [Request]
    keywords: [request, cloudflare, attack score, waf score, client, visitor]
    plan_info_label: Enterprise
    summary: An attack score from 1–99 classifying the SQL injection (SQLi) attack vector.
    description: |-
      Requires a Cloudflare Enterprise plan. You must also enable [attack score detection](/waf/detections/attack-score/).

  - name: cf.waf.score.xss
    data_type: Number
    categories: [Request]
    keywords: [request, cloudflare, attack score, waf score, client, visitor]
    plan_info_label: Enterprise
    summary: An attack score from 1–99 classifying the cross-site scripting (XSS) attack vector.
    description: |-
      Requires a Cloudflare Enterprise plan. You must also enable [attack score detection](/waf/detections/attack-score/).

  - name: cf.waf.score.rce
    data_type: Number
    categories: [Request]
    keywords: [request, cloudflare, attack score, waf score, client, visitor]
    plan_info_label: Enterprise
    summary: An attack score from 1–99 classifying the command injection or Remote Code Execution (RCE) attack vector.
    description: |-
      Requires a Cloudflare Enterprise plan. You must also enable [attack score detection](/waf/detections/attack-score/).

  - name: cf.waf.score.class
    data_type: String
    categories: [Request]
    keywords: [request, cloudflare, attack score, waf score, client, visitor]
    plan_info_label: Business or above
    summary: The attack score class of the current request, based on the WAF attack score.
    description: |-
      Can have one of the following values: `attack`, `likely_attack`, `likely_clean`, `clean`.

      Requires a Cloudflare Business plan or above. You must also enable [attack score detection](/waf/detections/attack-score/).

  - name: cf.waf.auth_detected
    data_type: Boolean
    categories: [Request]
    keywords:
      [
        request,
        cloudflare,
        leaked credentials,
        exposed credentials,
        client,
        visitor,
      ]
    plan_info_label: Enterprise
    summary: Indicates whether the Cloudflare WAF detected authentication credentials in the request.
    description: |-
      Requires a Cloudflare Enterprise plan. You must also enable [leaked credentials detection](/waf/detections/leaked-credentials/).

  - name: cf.waf.credential_check.password_leaked
    data_type: Boolean
    categories: [Request]
    keywords:
      [
        request,
        cloudflare,
        leaked credentials,
        exposed credentials,
        client,
        visitor,
      ]
    summary: Indicates whether the password detected in the request was previously leaked.
    description: |-
      Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.

  - name: cf.waf.credential_check.username_leaked
    data_type: Boolean
    categories: [Request]
    keywords:
      [
        request,
        cloudflare,
        leaked credentials,
        exposed credentials,
        client,
        visitor,
      ]
    plan_info_label: Enterprise
    summary: Indicates whether the username detected in the request was previously leaked.
    description: |-
      Requires a Cloudflare Enterprise plan. You must also enable [leaked credentials detection](/waf/detections/leaked-credentials/).

  - name: cf.waf.credential_check.username_and_password_leaked
    data_type: Boolean
    categories: [Request]
    keywords:
      [
        request,
        cloudflare,
        authentication,
        leaked credentials,
        exposed credentials,
        client,
        visitor,
      ]
    plan_info_label: Pro or above
    summary: Indicates whether the auth credentials detected in the request (username-password pair) were previously leaked.
    description: |-
      Requires a Cloudflare Pro plan or above. You must also enable [leaked credentials detection](/waf/detections/leaked-credentials/).

  - name: cf.waf.credential_check.username_password_similar
    data_type: Boolean
    categories: [Request]
    keywords:
      [
        request,
        cloudflare,
        leaked credentials,
        exposed credentials,
        client,
        visitor,
      ]
    plan_info_label: Enterprise
    summary: Indicates whether a similar version of the username and password credentials detected in the request were previously leaked.
    description: |-
      Requires a Cloudflare Enterprise plan. You must also enable [leaked credentials detection](/waf/detections/leaked-credentials/).

  - name: cf.llm.prompt.detected
    data_type: Boolean
    categories: [Request]
    keywords: [request, cloudflare, ai, client, visitor]
    plan_info_label: Enterprise
    summary: Indicates whether Cloudflare detected an LLM prompt in the incoming request.
    description: |-
      When a prompt is not present, the other LLM-related fields will have default values.

      Requires a Cloudflare Enterprise plan. You must also enable [AI Security for Apps](/waf/detections/ai-security-for-apps/).

  - name: cf.llm.prompt.pii_detected
    data_type: Boolean
    categories: [Request]
    keywords: [request, cloudflare, ai, client, visitor]
    plan_info_label: Enterprise
    summary: Indicates whether any personally identifiable information (PII) has been detected in the LLM prompt included in the request.
    description: |-
      Equivalent to checking if the [`cf.llm.prompt.pii_categories`](/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.pii_categories/) field is not empty.

      Requires a Cloudflare Enterprise plan. You must also enable [AI Security for Apps](/waf/detections/ai-security-for-apps/).

  - name: cf.llm.prompt.pii_categories
    data_type: Array<String>
    categories: [Request]
    keywords: [request, cloudflare, ai, client, visitor]
    plan_info_label: Enterprise
    summary: Array of string values with the personally identifiable information (PII) categories found in the LLM prompt included in the request.
    description: |-
      The possible values are the following:

      Category                    | Description
      ----------------------------|-----------------------------------------------------------------------------------------------------------------------------------------
      `CREDIT_CARD`               | Credit card number
      `CRYPTO`                    | Crypto wallet number (currently only Bitcoin address)
      `DATE_TIME`                 | Absolute or relative dates or periods or times smaller than a day
      `EMAIL_ADDRESS`             | Email address
      `IBAN_CODE`                 | International Bank Account Number (IBAN)
      `IP_ADDRESS`                | Internet Protocol (IP) address
      `NRP`                       | A person's nationality, religious or political group
      `LOCATION`                  | Name of politically or geographically defined location (cities, provinces, countries, international regions, bodies of water, mountains)
      `PERSON`                    | Full person name
      `PHONE_NUMBER`              | Telephone number
      `MEDICAL_LICENSE`           | Common medical license numbers
      `URL`                       | Uniform Resource Locator (URL), used to locate a resource on the Internet
      `US_BANK_NUMBER`            | US bank account number
      `US_DRIVER_LICENSE`         | US driver license
      `US_ITIN`                   | US Individual Taxpayer Identification Number (ITIN)
      `US_PASSPORT`               | US passport number
      `US_SSN`                    | US Social Security Number (SSN)
      `UK_NHS`                    | UK NHS number
      `UK_NINO`                   | UK National Insurance Number
      `ES_NIF`                    | Spanish NIF number (personal tax ID)
      `ES_NIE`                    | Spanish NIE number (foreigners ID card)
      `IT_FISCAL_CODE`            | Italian personal tax ID code
      `IT_DRIVER_LICENSE`         | Italian driver license number
      `IT_VAT_CODE`               | Italian VAT code number
      `IT_PASSPORT`               | Italian passport number
      `IT_IDENTITY_CARD`          | Italian identity card number
      `PL_PESEL`                  | Polish PESEL number
      `SG_NRIC_FIN`               | National Registration Identification Card (Singapore)
      `SG_UEN`                    | Unique Entity Number (for entities registered in Singapore)
      `AU_ABN`                    | Australian Business Number (ABN)
      `AU_ACN`                    | Australian Company Number (ACN)
      `AU_TFN`                    | Australian tax file number (TFN)
      `AU_MEDICARE`               | Medicare number (issued by Australian government)
      `IN_PAN`                    | Indian Permanent Account Number (PAN)
      `IN_AADHAAR`                | Individual identity number (issued by Indian government)
      `IN_VEHICLE_REGISTRATION`   | Vehicle registration number (issued by Indian government)
      `IN_VOTER`                  | Numeric voter ID (issued by Indian Election Commission)
      `IN_PASSPORT`               | Indian Passport Number
      `FI_PERSONAL_IDENTITY_CODE` | Finnish Personal Identity Code

      The categories list is based on the [list of PII entities supported by Presidio](https://microsoft.github.io/presidio/supported_entities/). Presidio is the data protection and de-identification SDK used in AI Security for Apps.

      Requires a Cloudflare Enterprise plan. You must also enable [AI Security for Apps](/waf/detections/ai-security-for-apps/).
    example_block: |-
      # Matches requests where PII categorized as "EMAIL_ADDRESS" or "IBAN_CODE" was detected:
      (cf.llm.prompt.pii_detected and any(cf.llm.prompt.pii_categories[*] in {"EMAIL_ADDRESS" "IBAN_CODE"}))

  - name: cf.llm.prompt.unsafe_topic_detected
    data_type: Boolean
    categories: [Request]
    keywords: [request, cloudflare, ai, client, visitor]
    plan_info_label: Enterprise
    summary: Indicates whether the incoming request includes any unsafe topic category in the LLM prompt.
    description: |-
      Equivalent to checking if the [`cf.llm.prompt.unsafe_topic_categories`](/ruleset-engine/rules-language/fields/reference/cf.llm.prompt.unsafe_topic_categories/) field is not empty.

      Requires a Cloudflare Enterprise plan. You must also enable [AI Security for Apps](/waf/detections/ai-security-for-apps/).

  - name: cf.llm.prompt.unsafe_topic_categories
    data_type: Array<String>
    categories: [Request]
    keywords: [request, cloudflare, ai, client, visitor]
    plan_info_label: Enterprise
    summary: Array of string values with the type of unsafe topics detected in the LLM prompt.
    description: |-
      The possible values are the following:

      | Value | Category name             | Description                                                                                                       |
      | ----- | ------------------------- | ----------------------------------------------------------------------------------------------------------------- |
      | `S1`  | Violent crimes            | Violent crimes against people or animals.                                                                         |
      | `S2`  | Non-violent crimes        | Non-violent offenses such as fraud, theft, drug creation, or hacking.                                             |
      | `S3`  | Sex-related crimes        | Sex-related crimes, including trafficking, assault, and harassment.                                               |
      | `S4`  | Child sexual exploitation | Sexual exploitation of children.                                                                                  |
      | `S5`  | Defamation                | False statements that are likely to damage a living person's reputation.                                          |
      | `S6`  | Specialized advice        | Specialized financial, medical, or legal advice, or misrepresent dangerous things as safe.                        |
      | `S7`  | Privacy                   | Sensitive, nonpublic personal information that could endanger an individual.                                      |
      | `S8`  | Intellectual property     | Violate a third party's intellectual property rights.                                                             |
      | `S9`  | Indiscriminate weapons    | Creation of indiscriminate weapons like chemical, biological, or nuclear arms.                                    |
      | `S10` | Hate                      | Demean or dehumanize people based on their race, religion, sexual orientation, or other personal characteristics. |
      | `S11` | Suicide and self-harm     | Encourage or endorse suicide, self-injury, or disordered eating.                                                  |
      | `S12` | Sexual content            | Erotic content.                                                                                                   |
      | `S13` | Elections                 | False information about the time, place, or manner of voting in elections.                                        |
      | `S14` | Code interpreter abuse    | Misuse of code execution capabilities.                                                                            |

      Requires a Cloudflare Enterprise plan. You must also enable [AI Security for Apps](/waf/detections/ai-security-for-apps/).
    example_block: |-
      # Matches requests where an unsafe topic categorized as "S2" (Non-violent crimes) or "S10" (Hate) was detected in the LLM prompt:
      (cf.llm.prompt.unsafe_topic_detected and any(cf.llm.prompt.unsafe_topic_categories[*] in {"S2" "S10"}))

  - name: cf.llm.prompt.injection_score
    data_type: Number
    categories: [Request]
    keywords: [request, cloudflare, ai, client, visitor]
    plan_info_label: Enterprise
    summary: A score from 1–99 that represents the likelihood that the LLM prompt in the request is trying to perform a prompt injection attack.

    description: |-
      A low score (for example, below `20`) indicates that there is a high probability that the LLM prompt in the request is trying to perform a prompt injection attack.

      The special score `100` indicates that Cloudflare did not score the request.

      Requires a Cloudflare Enterprise plan. You must also enable [AI Security for Apps](/waf/detections/ai-security-for-apps/).

  - name: cf.llm.prompt.token_count
    data_type: Number
    categories: [Request]
    keywords: [request, cloudflare, ai, client, visitor]
    plan_info_label: Enterprise
    summary: An estimated token count for the LLM prompt in the request.
    description: |-
      The count is calculated using a general-purpose tokenizer and may not exactly match the count reported by your LLM provider.

      Requires a Cloudflare Enterprise plan. You must also enable [AI Security for Apps](/waf/detections/ai-security-for-apps/).
    example_block: |-
      # Matches requests where the estimated token count exceeds 4,000:
      (cf.llm.prompt.token_count gt 4000)

  - name: cf.llm.prompt.custom_topic_categories
    data_type: Map<Number>
    categories: [Request]
    keywords: [request, cloudflare, ai, client, visitor]
    plan_info_label: Enterprise
    summary: A map of custom topic labels to relevance scores (1–99) for the LLM prompt in the request.
    description: |-
      Lower scores indicate the prompt is more relevant to that topic. Only populated when [custom topics](/waf/detections/ai-security-for-apps/unsafe-topics/#custom-topics) are configured.

      Requires a Cloudflare Enterprise plan. You must also enable [AI Security for Apps](/waf/detections/ai-security-for-apps/).
    example_block: |-
      # Matches requests where the prompt is highly relevant to the "competitors" custom topic:
      (cf.llm.prompt.custom_topic_categories["competitors"] lt 30)

  - name: cf.worker.upstream_zone
    data_type: String
    categories: [Request]
    keywords: [request, cloudflare, workers]
    summary: Identifies whether a request comes from a worker or not.
    description: |-
      When a request comes from a worker, this field will hold the name of the zone for that worker. Otherwise, `cf.worker.upstream_zone` is empty.

  - name: cf.bot_management.corporate_proxy
    data_type: Boolean
    categories: [Request, Bots]
    keywords: [request, bots, proxy, client, visitor]
    plan_info_label: Enterprise add-on
    summary: Indicates whether the incoming request comes from an identified Enterprise-only cloud-based corporate proxy or secure web gateway.
    description: |-
      Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
    example_block: |-
      not cf.bot_management.verified_bot
      and not cf.bot_management.static_resource
      and not cf.bot_management.corporate_proxy
      and cf.bot_management.score lt 30

  - name: http.request.jwt.claims.aud
    data_type: Map<Array<String>>
    categories: [Request, JWT validation]
    keywords: [request, jwt, api shield, client, visitor]
    plan_info_label: Enterprise add-on
    summary: The `aud` (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for.
    description: |-
      Each principal intended to process the JWT must identify itself with a value in the audience claim. In the general case, the `aud` value is an array of case-sensitive strings, each containing a `StringOrURI` value. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.

      Requires a Cloudflare Enterprise plan with a paid add-on.

      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.

  - name: http.request.jwt.claims.aud.names
    data_type: Array<String>
    categories: [Request, JWT validation]
    keywords: [request, jwt, api shield, client, visitor]
    plan_info_label: Enterprise add-on
    summary: The `aud` (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for.
    description: |-
      Each principal intended to process the JWT must identify itself with a value in the audience claim. In the general case, the `aud` value is an array of case-sensitive strings, each containing a `StringOrURI` value. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.

      Requires a Cloudflare Enterprise plan with a paid add-on.

      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.

  - name: http.request.jwt.claims.aud.values
    data_type: Array<String>
    categories: [Request, JWT validation]
    keywords: [request, jwt, api shield, client, visitor]
    plan_info_label: Enterprise add-on
    summary: The `aud` (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for.
    description: |-
      Each principal intended to process the JWT must identify itself with a value in the audience claim. In the general case, the `aud` value is an array of case-sensitive strings, each containing a `StringOrURI` value. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.

      Requires a Cloudflare Enterprise plan with a paid add-on.

      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.

  - name: http.request.jwt.claims.iat.sec
    data_type: Map<Array<Integer>>
    categories: [Request, JWT validation]
    keywords: [request, jwt, api shield, client, visitor]
    plan_info_label: Enterprise add-on
    summary: The `iat` (issued at) claim identifies the time (number of seconds) at which the JWT was issued.
    description: |-
      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.

      Requires a Cloudflare Enterprise plan with a paid add-on.

      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.

  - name: http.request.jwt.claims.iat.sec.names
    data_type: Array<String>
    categories: [Request, JWT validation]
    keywords: [request, jwt, api shield, client, visitor]
    plan_info_label: Enterprise add-on
    summary: The `iat` (issued at) claim identifies the time (number of seconds) at which the JWT was issued.
    description: |-
      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.

      Requires a Cloudflare Enterprise plan with a paid add-on.

      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.

  - name: http.request.jwt.claims.iat.sec.values
    data_type: Array<Integer>
    categories: [Request, JWT validation]
    keywords: [request, jwt, api shield, client, visitor]
    plan_info_label: Enterprise add-on
    summary: The `iat` (issued at) claim identifies the time (number of seconds) at which the JWT was issued.
    description: |-
      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.

      Requires a Cloudflare Enterprise plan with a paid add-on.

      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.

  - name: http.request.jwt.claims.iss
    data_type: Map<Array<String>>
    categories: [Request, JWT validation]
    keywords: [request, jwt, api shield, client, visitor]
    plan_info_label: Enterprise add-on
    summary: The `iss` (issuer) claim identifies the principal that issued the JWT.
    description: |-
      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.

      Requires a Cloudflare Enterprise plan with a paid add-on.

      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.

  - name: http.request.jwt.claims.iss.names
    data_type: Array<String>
    categories: [Request, JWT validation]
    keywords: [request, jwt, api shield, client, visitor]
    plan_info_label: Enterprise add-on
    summary: The `iss` (issuer) claim identifies the principal that issued the JWT.
    description: |-
      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.

      Requires a Cloudflare Enterprise plan with a paid add-on.

      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.

  - name: http.request.jwt.claims.iss.values
    data_type: Array<String>
    categories: [Request, JWT validation]
    keywords: [request, jwt, api shield, client, visitor]
    plan_info_label: Enterprise add-on
    summary: The `iss` (issuer) claim identifies the principal that issued the JWT.
    description: |-
      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.

      Requires a Cloudflare Enterprise plan with a paid add-on.

      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.

  - name: http.request.jwt.claims.jti
    data_type: Map<Array<String>>
    categories: [Request, JWT validation]
    keywords: [request, jwt, api shield, client, visitor]
    plan_info_label: Enterprise add-on
    summary: The `jti` (JWT ID) claim provides a unique identifier for the JWT.
    description: |-
      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.

      Requires a Cloudflare Enterprise plan with a paid add-on.

      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.

  - name: http.request.jwt.claims.jti.names
    data_type: Array<String>
    categories: [Request, JWT validation]
    keywords: [request, jwt, api shield, client, visitor]
    plan_info_label: Enterprise add-on
    summary: The `jti` (JWT ID) claim provides a unique identifier for the JWT.
    description: |-
      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.

      Requires a Cloudflare Enterprise plan with a paid add-on.

      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.

  - name: http.request.jwt.claims.jti.values
    data_type: Array<String>
    categories: [Request, JWT validation]
    keywords: [request, jwt, api shield, client, visitor]
    plan_info_label: Enterprise add-on
    summary: The `jti` (JWT ID) claim provides a unique identifier for the JWT.
    description: |-
      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.

      Requires a Cloudflare Enterprise plan with a paid add-on.

      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.

  - name: http.request.jwt.claims.nbf.sec
    data_type: Map<Array<Integer>>
    categories: [Request, JWT validation]
    keywords: [request, jwt, api shield, client, visitor]
    plan_info_label: Enterprise add-on
    summary: The `nbf` (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.
    description: |-
      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.

      Requires a Cloudflare Enterprise plan with a paid add-on.

      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.

  - name: http.request.jwt.claims.nbf.sec.names
    data_type: Array<String>
    categories: [Request, JWT validation]
    keywords: [request, jwt, api shield, client, visitor]
    plan_info_label: Enterprise add-on
    summary: The `nbf` (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.
    description: |-
      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.

      Requires a Cloudflare Enterprise plan with a paid add-on.

      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.

  - name: http.request.jwt.claims.nbf.sec.values
    data_type: Array<Integer>
    categories: [Request, JWT validation]
    keywords: [request, jwt, api shield, client, visitor]
    plan_info_label: Enterprise add-on
    summary: The `nbf` (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.
    description: |-
      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.

      Requires a Cloudflare Enterprise plan with a paid add-on.

      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.

  - name: http.request.jwt.claims.sub
    data_type: Map<Array<String>>
    categories: [Request, JWT validation]
    keywords: [request, jwt, api shield, client, visitor]
    plan_info_label: Enterprise add-on
    summary: The `sub` (subject) claim identifies the principal that is the subject of the JWT.
    description: |-
      The claims in a JWT are normally statements about the subject. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.

      Requires a Cloudflare Enterprise plan with a paid add-on.

      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.

  - name: http.request.jwt.claims.sub.names
    data_type: Array<String>
    categories: [Request, JWT validation]
    keywords: [request, jwt, api shield, client, visitor]
    plan_info_label: Enterprise add-on
    summary: The `sub` (subject) claim identifies the principal that is the subject of the JWT.
    description: |-
      The claims in a JWT are normally statements about the subject. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.

      Requires a Cloudflare Enterprise plan with a paid add-on.

      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.

  - name: http.request.jwt.claims.sub.values
    data_type: Array<String>
    categories: [Request, JWT validation]
    keywords: [request, jwt, api shield, client, visitor]
    plan_info_label: Enterprise add-on
    summary: The `sub` (subject) claim identifies the principal that is the subject of the JWT.
    description: |-
      The claims in a JWT are normally statements about the subject. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.

      Requires a Cloudflare Enterprise plan with a paid add-on.

      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.

  - name: http.request.uri.args
    data_type: Map<Array<String>>
    categories: [Request, URI]
    keywords: [request, uri, url, arguments, query string, client, visitor]
    summary: The HTTP URI arguments associated with a request represented as a Map (associative array).
    description: |-
      When an argument repeats, the array contains multiple items in the order they appear in the request.

      The values are not pre-processed and retain the original case used in the request.

      - **Decoding**: No decoding performed
      - **Non-ASCII**: Preserved
    example_value: |-
      {"search": ["red+apples"]}
    example_block: |-
      any(http.request.uri.args["search"][*] == "red+apples")

  - name: http.request.uri.args.names
    data_type: Array<String>
    categories: [Request, URI]
    keywords: [request, uri, url, arguments, query string, client, visitor]
    summary: The names of the arguments in the HTTP URI query string.
    description: |-
      When a name repeats, the array contains multiple items in the order that they appear in the request.

      The names are not pre-processed and retain the original case used in the request.

      - **Decoding**: No decoding performed
      - **Non-ASCII**: Preserved
    example_value: |-
      ["search"]
    example_block: |-
      any(http.request.uri.args.names[*] == "search")

  - name: http.request.uri.args.values
    data_type: Array<String>
    categories: [Request, URI]
    keywords: [request, uri, url, arguments, query string, client, visitor]
    summary: The values of arguments in the HTTP URI query string.
    description: |-
      The values are not pre-processed and retain the original case used in the request. They are in the same order as in the request.

      Duplicated values are listed multiple times.

      - **Decoding**: No decoding performed
      - **Non-ASCII**: Preserved
    example_value: |-
      ["red+apples"]
    example_block: |-
      any(http.request.uri.args.values[*] == "red+apples")

  - name: raw.http.request.uri.args
    data_type: Map<Array<String>>
    categories: [Request, URI, Raw fields]
    keywords: [request, uri, url, arguments, query string, raw, client, visitor]
    summary: The raw HTTP URI arguments associated with a request represented as a Map (associative array).
    description: |-
      This is the raw field version of the [`http.request.uri.args`](/ruleset-engine/rules-language/fields/reference/http.request.uri.args/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.

  - name: raw.http.request.uri.args.names
    data_type: Array<String>
    categories: [Request, URI, Raw fields]
    keywords: [request, uri, url, arguments, query string, raw, client, visitor]
    summary: The raw names of the arguments in the HTTP URI query string.
    description: |-
      This is the raw field version of the [`http.request.uri.args.names`](/ruleset-engine/rules-language/fields/reference/http.request.uri.args.names/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.

  - name: raw.http.request.uri.args.values
    data_type: Array<String>
    categories: [Request, URI, Raw fields]
    keywords: [request, uri, url, arguments, query string, raw, client, visitor]
    summary: The raw values of arguments in the HTTP URI query string.
    description: |-
      This is the raw field version of the [`http.request.uri.args.values`](/ruleset-engine/rules-language/fields/reference/http.request.uri.args.values/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.

  - name: http.request.headers
    data_type: Map<Array<String>>
    categories: [Request, Headers]
    keywords: [request, client, visitor]
    summary: The HTTP request headers represented as a Map (or associative array).
    description: |-
      The keys of the associative array are the names of HTTP request headers converted to lowercase.

      When there are repeating headers, the array includes them in the order they appear in the request.

      The request header values are not pre-processed and retain the original case used in the request.

      - **Decoding**: No decoding performed
      - **Whitespace**: Preserved
      - **Non-ASCII**: Preserved

      When the HTTP request contains too many headers, this field may not contain all of the headers sent in the HTTP request. In this situation, the [`http.request.headers.truncated`](/ruleset-engine/rules-language/fields/reference/http.request.headers.truncated/) field will be set to `true`.
    example_value: |-
      {"content-type": ["application/json"]}
    example_block: |-
      any(http.request.headers["content-type"][*] == "application/json")

  - name: http.request.headers.names
    data_type: Array<String>
    categories: [Request, Headers]
    keywords: [request, client, visitor]
    summary: The names of the headers in the HTTP request.
    description: |-
      The names are not pre-processed and retain the original case used in the request.

      The order of header names is not guaranteed but will match [`http.request.headers.values`](/ruleset-engine/rules-language/fields/reference/http.request.headers.values/).

      Duplicate headers are listed multiple times.

      - **Decoding**: No decoding performed
      - **Whitespace**: Preserved
      - **Non-ASCII**: Preserved

      When the HTTP request contains too many headers, this field may not contain the names of all of the headers sent in the HTTP request. In this situation, the [`http.request.headers.truncated`](/ruleset-engine/rules-language/fields/reference/http.request.headers.truncated/) field will be set to `true`.

      **Note**: In HTTP/2, the names of HTTP headers are always in lowercase. Recent versions of the `curl` tool [enable HTTP/2 by default](https://curl.se/docs/manpage.html#--http2) for HTTPS connections.
    example_value: |-
      ["content-type"]
    example_block: |-
      any(http.request.headers.names[*] == "content-type")

  - name: http.request.headers.values
    data_type: Array<String>
    categories: [Request, Headers]
    keywords: [request, client, visitor]
    summary: The values of the headers in the HTTP request.
    description: |-
      The values are not pre-processed and retain the original case used in the request.

      The order of header values is not guaranteed but will match [`http.request.headers.names`](/ruleset-engine/rules-language/fields/reference/http.request.headers.names/).

      Duplicate headers are listed multiple times.

      - **Decoding**: No decoding performed
      - **Whitespace**: Preserved
      - **Non-ASCII**: Preserved

      When the HTTP request contains too many headers, this field may not contain the values of all of the headers sent in the HTTP request. In this situation, the [`http.request.headers.truncated`](/ruleset-engine/rules-language/fields/reference/http.request.headers.truncated/) field will be set to `true`.

      **Note**: In HTTP/2, the names of HTTP headers are always in lowercase. Recent versions of the `curl` tool [enable HTTP/2 by default](https://curl.se/docs/manpage.html#--http2) for HTTPS connections.
    example_value: |-
      Example 1: ["application/json"]
      Example 2: ["This header value is longer than 10 bytes"]

    example_block: |-
      # Example 1: Check for specific header value.
      any(http.request.headers.values[*] == "application/json")

      # Example 2: Match requests according to the specified operator and the length/size entered for the header value.
      any(len(http.request.headers.values[*])[*] gt 10)

  - name: http.request.headers.truncated
    data_type: Boolean
    categories: [Request, Headers]
    keywords: [request, client, visitor]
    summary: Indicates whether the HTTP request contains too many headers.
    description: |-
      When `true`, [`http.request.headers`](/ruleset-engine/rules-language/fields/reference/http.request.headers/), [`http.request.headers.names`](/ruleset-engine/rules-language/fields/reference/http.request.headers.names/), and [`http.request.headers.values`](/ruleset-engine/rules-language/fields/reference/http.request.headers.values/) may not contain all of the headers sent in the HTTP request.

  - name: http.request.accepted_languages
    data_type: Array<String>
    categories: [Request, Headers]
    keywords: [request, client, visitor]
    summary: List of language tags provided in the [`Accept-Language`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Accept-Language) HTTP request header.
    description: |-
      Language tags are sorted by weight (`;q=<weight>`, with a default weight of `1`) in descending order.

      If the HTTP header is not present in the request or is empty, `http.request.accepted_languages[0]` will return a "[missing value](/ruleset-engine/rules-language/values/#notes)", which the [`concat()`](/ruleset-engine/rules-language/functions/#concat) function will handle as an empty string.

      If the HTTP header includes the language tag `*` it will not be stored in the array.

      **Note**: This field is only available in [Transform Rules](/rules/transform/).
    example_block: |-
      # Example 1: Request with header "Accept-Language: fr-CH, fr;q=0.8, en;q=0.9, de;q=0.7, *;q=0.5".
      # In this case:
      http.request.accepted_languages[0] ==> "fr-CH"
      http.request.accepted_languages    ==> ["fr-CH", "en", "fr", "de"]

      # Example 2: Request without an `Accept-Language` HTTP header and a URI of "https://www.example.com/my-path".
      # In this case:
      concat("/", http.request.accepted_languages[0], http.request.uri.path) ==> "//my-path"

  - name: http.request.body.raw
    data_type: String
    categories: [Request, Body, Raw fields]
    keywords: [request, body, raw, client, visitor]
    plan_info_label: Enterprise
    summary: The unaltered HTTP request body.
    description: |-
      When the value of [`http.request.body.truncated`](/ruleset-engine/rules-language/fields/reference/http.request.body.truncated/) is `true`, the return value may be truncated.

      - **Decoding**: No decoding performed
      - **Whitespace**: Preserved
      - **Non-ASCII**: Preserved

      Requires a Cloudflare Enterprise plan.

  - name: http.request.body.truncated
    data_type: Boolean
    categories: [Request, Body]
    keywords: [request, body, client, visitor]
    plan_info_label: Enterprise
    summary: Indicates whether the HTTP request body is truncated.
    description: |-
      When `true`, `http.request.body.*` fields may not contain all of the HTTP request body.

      Requires a Cloudflare Enterprise plan.

  - name: http.request.body.size
    data_type: Number
    categories: [Request, Body]
    keywords: [request, body, client, visitor]
    plan_info_label: Enterprise
    summary: The total size of the HTTP request body (in bytes).
    description: |-
      This field may have a value larger than the one returned by `len(http.request.body.raw)`, since the [`http.request.body.raw`](/ruleset-engine/rules-language/fields/reference/http.request.body.raw/) field only considers the request body up to a maximum size that varies according to your Cloudflare plan.

      Requires a Cloudflare Enterprise plan.

  - name: http.request.body.form
    data_type: Map<Array<String>>
    categories: [Request, Body]
    keywords: [request, body, form, client, visitor]
    plan_info_label: Enterprise
    summary: The HTTP request body of a form represented as a Map (or associative array).
    description: |-
      Populated when the `Content-Type` header is `application/x-www-form-urlencoded`.

      The values are not pre-processed and retain the original case used in the request.

      When a field repeats, then the array contains multiple items in the order they are in the request.

      The return value may be truncated if [`http.request.body.truncated`](/ruleset-engine/rules-language/fields/reference/http.request.body.truncated) is `true`.

      - **Decoding**: No decoding performed
      - **Whitespace**: Preserved
      - **Non-ASCII**: Preserved

      Requires a Cloudflare Enterprise plan.
    example_value: |-
      {username": ["admin"]}
    example_block: |-
      any(http.request.body.form["username"][*] == "admin")

  - name: http.request.body.form.names
    data_type: Array<String>
    categories: [Request, Body]
    keywords: [request, body, form, client, visitor]
    plan_info_label: Enterprise
    summary: The names of the form fields in an HTTP request.
    description: |-
      Populated when the `Content-Type` header is `application/x-www-form-urlencoded`.

      Names are not pre-processed and retain the original case used in the request. They are listed in the same order as in the request.

      Duplicate names are listed multiple times.

      The return value may be truncated if [`http.request.body.truncated`](/ruleset-engine/rules-language/fields/reference/http.request.body.truncated) is `true`.

      - **Decoding**: No decoding performed
      - **Whitespace**: Preserved
      - **Non-ASCII**: Preserved

      Requires a Cloudflare Enterprise plan.
    example_value: |-
      ["username"]
    example_block: |-
      any(http.request.body.form.names[*] == "username")

  - name: http.request.body.form.values
    data_type: Array<String>
    categories: [Request, Body]
    keywords: [request, body, form, client, visitor]
    plan_info_label: Enterprise
    summary: The values of the form fields in an HTTP request.
    description: |-
      Populated when the `Content-Type` header is `application/x-www-form-urlencoded`.

      Values are not pre-processed and retain the original case used in the request. They are listed in the same order as in the request.

      Duplicated values are listed multiple times.

      The return value may be truncated if [`http.request.body.truncated`](/ruleset-engine/rules-language/fields/reference/http.request.body.truncated) is `true`.

      - **Decoding**: No decoding performed
      - **Whitespace**: Preserved
      - **Non-ASCII**: Preserved

      Requires a Cloudflare Enterprise plan.
    example_value: |-
      ["admin"]
    example_block: |-
      any(http.request.body.form.values[*] == "admin")

  - name: http.request.body.mime
    data_type: String
    categories: [Request, Body]
    keywords: [request, body, client, visitor]
    summary: The MIME type of the request detected from the request body.
    description: |-
      Supports the most common MIME types of the following general categories: video, audio, image, application, text.
    example_value: |-
      "image/jpeg"
    example_block: |-
      http.request.body.mime in {"image/bmp" "image/gif" "image/jpeg" "image/png" "image/tiff"}

  - name: http.request.body.multipart
    data_type: Map<Array<String>>
    categories: [Request, Body]
    keywords: [request, body, client, visitor]
    plan_info_label: Enterprise
    summary: A Map (or associative array) representation of multipart names to multipart values in the request body.
    description: |-
      Requires a Cloudflare Enterprise plan.
    example_value: |-
      {"username": ["alice_doe"], "role": ["editor"], "picture": [<binary_content_of_file>]}
    example_block: |-
      any(http.request.body.multipart["role"][*] == "admin")

  - name: http.request.body.multipart.names
    data_type: Array<Array<String>>
    categories: [Request, Body]
    keywords: [request, body, client, visitor]
    plan_info_label: Enterprise
    summary: List of multipart names for every part in the multipart body.
    description: |-
      Requires a Cloudflare Enterprise plan.
    example_value: |-
      [["username"], ["picture"]]
    example_block: |-
      any(http.request.body.multipart.names[*][0] == "picture")

  - name: http.request.body.multipart.values
    data_type: Array<String>
    categories: [Request, Body]
    keywords: [request, body, client, visitor]
    plan_info_label: Enterprise
    summary: List of multipart values for every part in the multipart body.
    description: |-
      Requires a Cloudflare Enterprise plan.
    example_value: |-
      ["alice_doe", <binary_content_of_file>]
    example_block: |-
      any(http.request.body.multipart.values[*] == "alice_doe")

  - name: http.request.body.multipart.content_types
    data_type: Array<Array<String>>
    categories: [Request, Body]
    keywords: [request, body, client, visitor]
    plan_info_label: Enterprise
    summary: List of `Content-Type` headers for each part in the multipart body.
    description: |-
      Requires a Cloudflare Enterprise plan.
    example_value: |-
      [["text/plain"], ["image/jpeg"]]
    example_block: |-
      any(http.request.body.multipart.content_types[*][0] == "application/octet-stream")

  - name: http.request.body.multipart.content_dispositions
    data_type: Array<Array<String>>
    categories: [Request, Body]
    keywords: [request, body, client, visitor]
    plan_info_label: Enterprise
    summary: List of `Content-Disposition` headers for each part in the multipart body.
    description: |-
      Requires a Cloudflare Enterprise plan.
    example_value: |-
      [["form-data; name=\"username\""], ["form-data; name=\"picture\""]]
    example_block: |-
      any(http.request.body.multipart.content_dispositions[*][0] in {"form-data; name=\"username\"" "form-data; name=\"picture\""})

  - name: http.request.body.multipart.content_transfer_encodings
    data_type: Array<Array<String>>
    categories: [Request, Body]
    keywords: [request, body, client, visitor]
    plan_info_label: Enterprise
    summary: List of `Content-Transfer-Encoding` headers for each part in the multipart body.
    description: |-
      Requires a Cloudflare Enterprise plan.
    example_value: |-
      [["quoted-printable"], ["base64"]]
    example_block: |-
      any(http.request.body.multipart.content_transfer_encodings[*][0] == "binary")

  - name: http.request.body.multipart.filenames
    data_type: Array<Array<String>>
    categories: [Request, Body]
    keywords: [request, body, client, visitor]
    plan_info_label: Enterprise
    summary: List of filenames for each part in the multipart body.
    description: |-
      Requires a Cloudflare Enterprise plan.
    example_value: |-
      [["file1.txt"], ["photo.jpg"]]
    example_block: |-
      any(http.request.body.multipart.filenames[*][0] in {"token.txt" "password.txt"})

  - name: http.response.code
    data_type: Integer
    categories: [Response]
    keywords: [response]
    summary: The HTTP status code returned to the client, either set by a Cloudflare product or returned by the origin server.
    description: |-
      **Note**: The availability of HTTP response fields depends on the exact Cloudflare feature and your Cloudflare plan.
    example_value: |-
      403

  - name: http.response.headers
    data_type: Map<Array<String>>
    categories: [Response, Headers]
    keywords: [response]
    summary: The HTTP response headers represented as a Map (or associative array).
    description: |-
      When there are repeating headers, the array includes them in the order they appear in the response. The keys convert to lowercase.

      - **Decoding**: No decoding performed
      - **Whitespace**: Preserved
      - **Non-ASCII**: Preserved

      **Note**: The availability of HTTP response fields depends on the exact Cloudflare feature and your Cloudflare plan.
    example_value: |-
      {"server": ["nginx"]}
    example_block: |-
      any(http.response.headers["server"][*] == "nginx")

  - name: http.response.headers.names
    data_type: Array<String>
    categories: [Response, Headers]
    keywords: [response]
    summary: The names of the headers in the HTTP response.
    description: |-
      The names are not pre-processed and retain the original case used in the response.

      The order of header names is not guaranteed but will match [`http.response.headers.values`](/ruleset-engine/rules-language/fields/reference/http.response.headers.values/).

      Duplicate headers are listed multiple times.

      - **Decoding**: No decoding performed
      - **Whitespace**: Preserved
      - **Non-ASCII**: Preserved

      **Note**: The availability of HTTP response fields depends on the exact Cloudflare feature and your Cloudflare plan.
    example_value: |-
      ["content-type"]
    example_block: |-
      any(http.response.headers.names[*] == "content-type")

  - name: http.response.headers.values
    data_type: Array<String>
    categories: [Response, Headers]
    keywords: [response]
    summary: The values of the headers in the HTTP response.
    description: |-
      The values are not pre-processed and retain the original case used in the response.

      The order of header values is not guaranteed but will match [`http.response.headers.names`](/ruleset-engine/rules-language/fields/reference/http.response.headers.names/).

      Duplicate headers are listed multiple times.

      - **Decoding**: No decoding performed
      - **Whitespace**: Preserved
      - **Non-ASCII**: Preserved

      **Note**: The availability of HTTP response fields depends on the exact Cloudflare feature and your Cloudflare plan.
    example_value: |-
      Example 1: ["application/json"]
      Example 2: ["This header value is longer than 10 bytes"]
    example_block: |-
      # Example 1: Check for specific header value.
      any(http.response.headers.values[*] == "application/json")

      # Example 2: Match requests according to the specified operator and the length/size entered for the header value.
      any(len(http.response.headers.values[*])[*] gt 10)

  - name: http.response.content_type.media_type
    data_type: String
    categories: [Response, Headers]
    keywords: [response]
    summary: The lowercased content type (including subtype and suffix) without any extra parameters, based on the response's `Content-Type` header.
    description: |-
      The field value will not include parameters such as `charset`.

      Example values:

      | Content-Type header                     | Field value         |
      | --------------------------------------- | ------------------- |
      | `text/html`                             | `"text/html"`       |
      | `text/html; charset=utf-8`              | `"text/html"`       |
      | `text/html+extra`                       | `"text/html+extra"` |
      | `text/html+extra; charset=utf-8`        | `"text/html+extra"` |
      | `text/HTML`                             | `"text/html"`       |
      | `text/html; charset=utf-8; other=value` | `"text/html"`       |

      **Note**: The availability of HTTP response fields depends on the exact Cloudflare feature and your Cloudflare plan.
  - name: cf.response.1xxx_code
    data_type: Integer
    categories: [Response]
    keywords: [response, cloudflare]
    summary: Contains the specific code for 1XXX Cloudflare errors.
    description: |-
      Use this field to differentiate between 1XXX errors associated with the same HTTP status code. The default value is `0`.

      For a list of 1XXX errors, refer to [Troubleshooting Cloudflare 1XXX errors](/support/troubleshooting/http-status-codes/cloudflare-1xxx-errors/).

      **Note**: This field is only available in [Response Header Transform Rules](/rules/transform/response-header-modification/) and [Custom Errors](/rules/custom-errors/).
    example_value: |-
      1020

  - name: cf.response.error_type
    data_type: String
    categories: [Response]
    keywords: [response, cloudflare]
    summary: A string with the type of error in the response being returned.
    description: |-
      The default value is an empty string (`""`).

      The available values are the following:

      - `"managed_challenge"`
      - `"iuam"`
      - `"legacy_challenge"`
      - `"ip_ban"`
      - `"waf"`
      - `"5xx"`
      - `"1xxx"`
      - `"always_online"`
      - `"country_challenge"`
      - `"ratelimit"`

      You can use this field to customize the response for a specific type of error (for example, all 1XXX errors or all WAF block actions).

      **Note**: This field is only available in [Response Header Transform Rules](/rules/transform/response-header-modification/) and [Custom Errors](/rules/custom-errors/).