You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
* [Browser Rendering] Add signature headers
* rewording
* Update automatic-request-headers.mdx
-capitalized the signature headers
-fixed link for signature agent (does not have the .well-known path)
-added back in instructions on how to verify using web bot auth
---------
Co-authored-by: Kathy <[email protected]>
Copy file name to clipboardExpand all lines: src/content/docs/browser-rendering/reference/automatic-request-headers.mdx
+10-6Lines changed: 10 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -5,15 +5,19 @@ sidebar:
5
5
order: 2
6
6
---
7
7
8
-
When using the [REST API](/browser-rendering/rest-api/) to fetch content via Browser Rendering, Cloudflare adds the following headers to outbound requests made to the target URL:
8
+
Cloudflare automatically attaches headers to every [REST API](/browser-rendering/rest-api/) request made through Browser Rendering. These headers make it easy for destination servers to identify that these requests came from Cloudflare.
9
+
10
+
:::note[Note]
11
+
12
+
These headers are meant to ensure transparency and cannot be removed or overridden (with `setExtraHTTPHeaders`, for example).
|`cf-biso-request-id`| A unique identifier for the Browser Rendering request |
13
19
|`cf-biso-devtools`| A flag indicating the request originated from Cloudflare's rendering infrastructure |
20
+
|`Signature-agent`|[The location of the bot public keys](https://web-bot-auth.cloudflare-browser-rendering-085.workers.dev), used to sign the request and verify it came from Cloudflare |
21
+
|`Signature` and `Signature-input`| A digital signature, used to validate requests, as shown in [this architecture document](https://datatracker.ietf.org/doc/html/draft-meunier-web-bot-auth-architecture)|
14
22
15
-
:::note[Note]
16
-
17
-
These headers are unique to Browser Rendering and are automatically included and cannot be removed or overridden (such as via `setExtraHTTPHeaders`). They are intended to ensure transparency, allowing destination servers to identify traffic as coming from Cloudflare Browser Rendering.
18
-
19
-
:::
23
+
The `Signature` headers use an authentication method called [Web Bot Auth](/bots/concepts/bot/verified-bots/web-bot-auth/). Web Bot Auth leverages cryptographic signatures in HTTP messages to verify that a request comes from an automated bot. To verify a request originated from Cloudflare Browser Rendering, use the keys found on [this directory](https://web-bot-auth.cloudflare-browser-rendering-085.workers.dev/.well-known/http-message-signatures-directory) to verify the `Signature` and `Signature-Input` found in the headers from the incoming request. A successful verification proves that the request originated from Cloudflare Browser Rendering and has not been tampered with in transit.
0 commit comments