[Fundamentals] Update http-headers.mdx (#19516)

ngayerie · ToriLindsay · web-flow · commit 43225a6c16fe · 2025-02-10T13:23:14.000-06:00
* Update http-headers.mdx

* Update src/content/docs/fundamentals/reference/http-headers.mdx

Co-authored-by: ToriLindsay &lt;tgalatro@cloudflare.com&gt;

* Update src/content/docs/fundamentals/reference/http-headers.mdx

Co-authored-by: ToriLindsay &lt;tgalatro@cloudflare.com&gt;

---------

Co-authored-by: ToriLindsay &lt;tgalatro@cloudflare.com&gt;
diff --git a/src/content/docs/fundamentals/reference/http-headers.mdx b/src/content/docs/fundamentals/reference/http-headers.mdx
@@ -117,7 +117,7 @@ Currently, this header is a JSON object, containing only one key called `scheme`
 
 ### CF-Worker
 
-The `CF-Worker` request header is added to an edge Worker subrequest that identifies the host that spawned the subrequest. This is useful when you want to protect yourself against cross-zone Worker subrequests. For example: `CF-Worker: example.com`.
+The `CF-Worker` request header is added to an edge Worker subrequest that identifies the host that spawned the subrequest. For example: `CF-Worker: example.com`.
 
 You can add `CF-Worker` header on server logs similar to the way you add the [`CF-RAY`](/support/troubleshooting/general-troubleshooting/gathering-information-for-troubleshooting-sites/#add-the-cf-ray-header-to-your-logs) header. To do that, add `$http_cf_worker` in the log format file: `log_format cf_custom "CF-Worker:$http_cf_worker"'`
 
@@ -131,6 +131,10 @@ The intended purpose of this header is to provide a means for recipients (for ex
 
 :::note
 When configuring WAF custom rules, do not match on this header. These rules are applied before Cloudflare adds the `CF-Worker` header. Instead, use the [`cf.worker.upstream_zone`](/ruleset-engine/rules-language/fields/reference/cf.worker.upstream_zone/) field, which contains the same value and exists for the same purpose.
+
+To block a specific Worker, add a `Block` action triggered by the expression `cf.worker.upstream_zone eq "example.com"`.
+
+To block all Worker subrequests except those from your own zone's Worker, add a `Block` action triggered by the expression `not (cf.worker.upstream_zone in {"" "customer-zone.com"})`.
 :::
 
 ### Connection
