+ );
+};
+
+export default FieldBadges;
diff --git a/src/content/config.ts b/src/content/config.ts
index 0b38f7067b8e656..48fd7eedfa6d829 100644
--- a/src/content/config.ts
+++ b/src/content/config.ts
@@ -1,5 +1,6 @@
import { z, defineCollection } from "astro:content";
import { docsSchema, i18nSchema } from "@astrojs/starlight/schema";
+import { file } from "astro/loaders";
import {
appsSchema,
changelogsSchema,
@@ -13,6 +14,7 @@ import {
videosSchema,
workersAiSchema,
changelogsNextSchema,
+ fieldsSchema,
} from "~/schemas";
const partialSchema = z.object({
@@ -78,4 +80,8 @@ export const collections = {
"changelogs-next": defineCollection({
schema: changelogsNextSchema,
}),
+ fields: defineCollection({
+ schema: fieldsSchema,
+ type: "data",
+ }),
};
diff --git a/src/content/docs/api-shield/security/jwt-validation/transform-rules.mdx b/src/content/docs/api-shield/security/jwt-validation/transform-rules.mdx
index a4d91d49ad2a64d..e2b705f71acdff8 100644
--- a/src/content/docs/api-shield/security/jwt-validation/transform-rules.mdx
+++ b/src/content/docs/api-shield/security/jwt-validation/transform-rules.mdx
@@ -31,4 +31,4 @@ As an example, to send the `x-send-jwt-claim-user` request header to the origin,
4. Enter a rule name and a filter expression, if applicable.
5. Choose **Set dynamic**.
6. Set the header name to `x-send-jwt-claim-user`.
-7. Set the value to `lookup_json_string(http.request.jwt.claims[""][0], "claim_name")`, where `` is your token configuration ID found in JWT Validation and `claim_name` is the [JWT claim](/ruleset-engine/rules-language/fields/dynamic-fields/#json-web-tokens-validation-claims) you want to add to the header.
+7. Set the value to `lookup_json_string(http.request.jwt.claims[""][0], "claim_name")`, where `` is your token configuration ID found in JWT Validation and `claim_name` is the JWT claim you want to add to the header.
diff --git a/src/content/docs/bots/troubleshooting.mdx b/src/content/docs/bots/troubleshooting.mdx
index 396c7f2787c1f64..b059d584bf73d0d 100644
--- a/src/content/docs/bots/troubleshooting.mdx
+++ b/src/content/docs/bots/troubleshooting.mdx
@@ -90,7 +90,7 @@ Cloudflare has built an allowlist of good, automated bots, e.g. Google Search En
This allowlist is large based on reverse DNS verification, meaning that the IPs we allow really match the requesting service. In addition to this, Cloudflare uses multiple validation methods including ASN blocks and public lists. If none of these validation types are available for a customer, we use internal Cloudflare data and machine learning to identify legitimate IP addresses from good bots.
-To allow traffic from good bots, use the [Verified Bot](/ruleset-engine/rules-language/fields/dynamic-fields/#cfbot_managementverified_bot) field in your WAF custom rule.
+To allow traffic from good bots, use the [Verified Bot](/ruleset-engine/rules-language/fields/reference/cf.bot_management.verified_bot/) field in your WAF custom rule.
---
diff --git a/src/content/docs/cache/how-to/cache-rules/settings.mdx b/src/content/docs/cache/how-to/cache-rules/settings.mdx
index 1fd1190fe59e5cf..8a4ea68918902b9 100644
--- a/src/content/docs/cache/how-to/cache-rules/settings.mdx
+++ b/src/content/docs/cache/how-to/cache-rules/settings.mdx
@@ -6,10 +6,9 @@ sidebar:
head:
- tag: title
content: Cache Rules settings
-
---
-import { Details } from "~/components"
+import { Details } from "~/components";
These are the settings that you can configure when creating a cache rule.
@@ -31,11 +30,11 @@ The fields available for Cache Rule matching expressions in the **Expression Bui
- Cookie value of - `http.request.cookies`
- File extension - `http.request.uri.path.extension`
-If you select the [**Edit expression**](/ruleset-engine/rules-language/expressions/edit-expressions/#expression-editor) option, you can enter any of the [available fields](/ruleset-engine/rules-language/fields/).
+If you select the [**Edit expression**](/ruleset-engine/rules-language/expressions/edit-expressions/#expression-editor) option, you can enter any of the [available fields](/ruleset-engine/rules-language/fields/reference/).
:::note
-The fields mentioned above support all types of purge. However, the [remaining available fields](/ruleset-engine/rules-language/fields/) support purge by tags, prefix (URL), hostname, and everything but are not compatible with [single file purge](/cache/how-to/purge-cache/purge-by-single-file/).
+The fields mentioned above support all types of purge. However, the [remaining available fields](/ruleset-engine/rules-language/fields/reference/) support purge by tags, prefix (URL), hostname, and everything but are not compatible with [single file purge](/cache/how-to/purge-cache/purge-by-single-file/).
:::
@@ -43,22 +42,22 @@ The fields mentioned above support all types of purge. However, the [remaining a
The operators available for Cache Rule expressions are:
-* equals
-* does not equal
-* contains
-* does not contain
-* matches regex
-* does not match regex
-* is in
-* is not in
-* starts with
-* ends with
-* does not start with
-* does not end with
+- equals
+- does not equal
+- contains
+- does not contain
+- matches regex
+- does not match regex
+- is in
+- is not in
+- starts with
+- ends with
+- does not start with
+- does not end with
:::note
-Not all operators are available for every selected field.
+Not all operators are available for every selected field.
:::
## Cache eligibility
@@ -75,26 +74,23 @@ When you select **Eligible for cache**, you can change the configuration setting
:::note
-If you use cache rules, image transformations, and zone versioning simultaneously, some settings may not be applied correctly.
+If you use cache rules, image transformations, and zone versioning simultaneously, some settings may not be applied correctly.
:::
#### Edge TTL
Edge Cache TTL refers to the maximum cache time-to-live (TTL), or how long an asset should be considered fresh or available to serve from Cloudflare’s cache in response to requests. This setting has three primary options:
-* **Use cache control-header if present, bypass cache if not**: If a cache-control header is present on the response, follow its directives. If not, skip caching entirely.
-* **Use cache-control header if present, use default Cloudflare caching behavior if not**: If a cache-control header is present on the response, follow its directives. If not, cache in accordance with our [default edge TTL settings](/cache/how-to/configure-cache-status-code/#edge-ttl).
-* **Ignore cache-control header and use this TTL**: Completely ignore any cache-control header on the response and instead cache the response for a duration specified in the timing dropdown.
-
-Additionally, you can select how long you would like a particular matching status code’s content to be cached in Cloudflare’s global network. In **Status Code TTL** section you can define the TTL duration for one or more status codes of responses from the origin server. This setting can be applied to a *Single code* status code, to a *Greater than or equal* or *Less than or equal* status code, or to a *Range* of status codes. Status code TTLs are similar to **Ignore cache-control header and use this TTL** in that the cache-control header on the response will be ignored in favor of the TTL specified by the cache rule. For more information, refer to [Status code TTL](/cache/how-to/configure-cache-status-code/).
+- **Use cache control-header if present, bypass cache if not**: If a cache-control header is present on the response, follow its directives. If not, skip caching entirely.
+- **Use cache-control header if present, use default Cloudflare caching behavior if not**: If a cache-control header is present on the response, follow its directives. If not, cache in accordance with our [default edge TTL settings](/cache/how-to/configure-cache-status-code/#edge-ttl).
+- **Ignore cache-control header and use this TTL**: Completely ignore any cache-control header on the response and instead cache the response for a duration specified in the timing dropdown.
+Additionally, you can select how long you would like a particular matching status code's content to be cached in Cloudflare's global network. In **Status Code TTL** section you can define the TTL duration for one or more status codes of responses from the origin server. This setting can be applied to a _Single code_ status code, to a _Greater than or equal_ or _Less than or equal_ status code, or to a _Range_ of status codes. Status code TTLs are similar to **Ignore cache-control header and use this TTL** in that the cache-control header on the response will be ignored in favor of the TTL specified by the cache rule. For more information, refer to [Status code TTL](/cache/how-to/configure-cache-status-code/).
API configuration object name: `"edge_ttl"`.
-
-
| API values | Configuration |
| ------------------- | ------------------------------------------------------------------------------------------------------------------------------- |
| `respect_origin` | Use cache-control header if present, use default [Cloudflare caching behavior](/cache/concepts/default-cache-behavior/) if not. |
@@ -136,7 +132,6 @@ API configuration object name: `"edge_ttl"`.
Refer to [Create a cache rule via API](/cache/how-to/cache-rules/create-api/#example-requests) for complete API examples.
-
#### Browser TTL
@@ -145,7 +140,6 @@ Browser TTL refers to the maximum cache time-to-live (TTL) that an asset should
Select if you want to **Bypass cache**, **Respect origin**, or **Override origin**. If you wish to override the browser TTL value, define how long resources cached by client browsers will remain valid from the dropdown menu. For more information, refer to [Browser Cache TTL](/cache/how-to/edge-browser-cache-ttl/#browser-cache-ttl).
-
API configuration object name: `"browser_ttl"`.
@@ -166,7 +160,6 @@ API values for the `"default"` property (integer): values available depend on yo
Refer to [Create a cache rule via API](/cache/how-to/cache-rules/create-api/#example-requests) for complete API examples.
-
#### Cache Key
@@ -175,25 +168,25 @@ Cache keys refer to the criteria that Cloudflare uses to determine how to store
Define the request components used to define a [custom cache key](/cache/how-to/cache-keys/), customizing the following options:
-* You can switch on or off [Cache deception armor](/cache/cache-security/cache-deception-armor/), [Cache by device type](/automatic-platform-optimization/reference/cache-device-type/), and [Sort query string](/cache/how-to/cache-keys/#query-string).
+- You can switch on or off [Cache deception armor](/cache/cache-security/cache-deception-armor/), [Cache by device type](/automatic-platform-optimization/reference/cache-device-type/), and [Sort query string](/cache/how-to/cache-keys/#query-string).
Enterprise customers have these additional options for custom cache keys:
-* In the **Query string** section, you can select **All query string parameters**, **All query string parameters except** and enter an exception, **No query parameters except** and enter the parameters, or **Ignore query string** (also available for pay-as-you-go customers).
-* In the **Headers** section, you can specify header names along with their values. For custom headers, values are optional; however, for the following restricted headers, you must include one to three specific values:
+- In the **Query string** section, you can select **All query string parameters**, **All query string parameters except** and enter an exception, **No query parameters except** and enter the parameters, or **Ignore query string** (also available for pay-as-you-go customers).
+- In the **Headers** section, you can specify header names along with their values. For custom headers, values are optional; however, for the following restricted headers, you must include one to three specific values:
- * `accept`
- * `accept-charset`
- * `accept-encoding`
- * `accept-datetime`
- * `accept-language`
- * `referer`
- * `user-agent`
+ - `accept`
+ - `accept-charset`
+ - `accept-encoding`
+ - `accept-datetime`
+ - `accept-language`
+ - `referer`
+ - `user-agent`
To check for a header's presence without including its value, use the **Check presence of** option. You can also choose whether to **Include origin header**.
-* In the **Cookie** section, you can include cookie names and their values, and check for the presence of another cookie.
-* In the **Host** section, you can select **Use original host** and **Resolved host**. In the **User** section, you can select **Device type**, **Country**, and **Language**.
+- In the **Cookie** section, you can include cookie names and their values, and check for the presence of another cookie.
+- In the **Host** section, you can select **Use original host** and **Resolved host**. In the **User** section, you can select **Device type**, **Country**, and **Language**.
@@ -247,7 +240,6 @@ API values: `"ignore_query_strings_order"`, `"cache_deception_armor"`, `"cache_b
Refer to [Create a cache rule via API](/cache/how-to/cache-rules/create-api/#example-requests) for complete API examples.
-
#### Cache Reserve Eligibility
@@ -258,7 +250,7 @@ This rule can also be used to specify Cache Reserve eligibility for website reso
:::note
-Cloudflare will still enforce the plan-based [cacheable file limits](/cache/concepts/default-cache-behavior/#customization-options-and-limits) when using this configuration.
+Cloudflare will still enforce the plan-based [cacheable file limits](/cache/concepts/default-cache-behavior/#customization-options-and-limits) when using this configuration.
:::
@@ -283,7 +275,6 @@ If `minimum_file_size` is omitted and `eligible` is true, Cloudflare will use 0
Refer to [Create a cache rule via API](/cache/how-to/cache-rules/create-api/#example-requests) for complete API examples.
-
#### Caching on Port (Enterprise-only)
@@ -292,10 +283,9 @@ Cloudflare supports several [network ports](/fundamentals/reference/network-port
:::note
-Cloudflare supports many ports by default and will cache on them without needing this rule to be configured. For ports that Cloudflare supports, but for which caching is disabled, use this rule.
+Cloudflare supports many ports by default and will cache on them without needing this rule to be configured. For ports that Cloudflare supports, but for which caching is disabled, use this rule.
:::
-
API configuration property name: `"additional_cacheable_ports"` (array of integer values).
@@ -310,14 +300,12 @@ API configuration property name: `"additional_cacheable_ports"` (array of intege
Refer to [Create a cache rule via API](/cache/how-to/cache-rules/create-api/#example-requests) for complete API examples.
-
#### Proxy Read Timeout (Enterprise-only)
Defines a timeout value between two successive read operations to your origin server. The default value can be found in the [Connection limits](/fundamentals/reference/connection-limits/) table. If you are attempting to reduce [`HTTP 524`](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-5xx-errors/#error-524-a-timeout-occurred) errors because of timeouts from an origin server, try increasing this timeout value using the API endpoint below.
-
API configuration property name: `"read_timeout"` (integer).
@@ -331,14 +319,12 @@ API configuration property name: `"read_timeout"` (integer).
Refer to [Create a cache rule via API](/cache/how-to/cache-rules/create-api/#example-requests) for complete API examples.
-
#### Serve stale content while revalidating
Defines if Cloudflare will serve stale content while updating the latest content from the origin server. If serving stale content is disabled, Cloudflare will not serve stale content while getting the latest content from the origin.
-
API configuration property name: `"serve_stale"` > `"disable_stale_while_updating"` (boolean).
@@ -354,14 +340,12 @@ API configuration property name: `"serve_stale"` > `"disable_stale_while_updatin
Refer to [Create a cache rule via API](/cache/how-to/cache-rules/create-api/#example-requests) for complete API examples.
-
#### Respect Strong ETags
Turn on or off byte-for-byte equivalency checks between the Cloudflare cache and the origin server. When enabled, Cloudflare will use [strong ETag](/cache/reference/etag-headers/#strong-etags) header validation to ensure that resources in the Cloudflare cache and on the origin server are byte-for-byte identical. If disabled, Cloudflare converts ETag headers into [weak ETag](/cache/reference/etag-headers/#weak-etags) headers.
-
API configuration property name: `"respect_strong_etags"` (boolean).
@@ -375,14 +359,12 @@ API configuration property name: `"respect_strong_etags"` (boolean).
Refer to [Create a cache rule via API](/cache/how-to/cache-rules/create-api/#example-requests) for complete API examples.
-
#### Origin error page pass-through
Turn on or off Cloudflare error pages generated from error HTTP status codes sent from the origin server. If enabled, this setting enables the use of error pages issued by the origin.
-
API configuration property name: `"origin_error_page_passthru"` (boolean).
@@ -396,14 +378,12 @@ API configuration property name: `"origin_error_page_passthru"` (boolean).
Refer to [Create a cache rule via API](/cache/how-to/cache-rules/create-api/#example-requests) for complete API examples.
-
#### Origin Cache Control (Enterprise-only)
When this option is enabled, Cloudflare will aim to strictly adhere to [RFC 7234](https://datatracker.ietf.org/doc/html/rfc7234). Enterprise customers have the ability to select if Cloudflare will adhere to this behavior. Free, Pro, and Business customers have this option enabled by default and cannot disable it.
-
API configuration property name: `"origin_cache_control"` (boolean).
@@ -417,5 +397,4 @@ API configuration property name: `"origin_cache_control"` (boolean).
Refer to [Create a cache rule via API](/cache/how-to/cache-rules/create-api/#example-requests) for complete API examples.
-
diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata.mdx
index 842a4efdbe41c09..8c78e1237a358b7 100644
--- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata.mdx
+++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata.mdx
@@ -83,7 +83,7 @@ export default {
## Accessing custom metadata in a rule expression
-Use the [`cf.hostname.metadata`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfhostnamemetadata) field to access the metadata object in rule expressions. To obtain the different values from the JSON object, use the [`lookup_json_string`](/ruleset-engine/rules-language/functions/#lookup_json_string) function.
+Use the [`cf.hostname.metadata`](/ruleset-engine/rules-language/fields/reference/cf.hostname.metadata/) field to access the metadata object in rule expressions. To obtain the different values from the JSON object, use the [`lookup_json_string`](/ruleset-engine/rules-language/functions/#lookup_json_string) function.
The following rule expression defines that there will be a rule match if the `security_tag` value in custom metadata contains the value `low`:
diff --git a/src/content/docs/ddos-protection/managed-rulesets/http/override-expressions.mdx b/src/content/docs/ddos-protection/managed-rulesets/http/override-expressions.mdx
index 4090ada36803e16..60466dcc19f0b56 100644
--- a/src/content/docs/ddos-protection/managed-rulesets/http/override-expressions.mdx
+++ b/src/content/docs/ddos-protection/managed-rulesets/http/override-expressions.mdx
@@ -43,4 +43,4 @@ You can use the following fields in override expressions:
- `ssl`
- `cf.tls_client_auth.cert_verified`
-Refer to [Fields](/ruleset-engine/rules-language/fields/) in the Rules language documentation for more information.
+Refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/) in the Rules language documentation for more information.
diff --git a/src/content/docs/ddos-protection/managed-rulesets/network/override-expressions.mdx b/src/content/docs/ddos-protection/managed-rulesets/network/override-expressions.mdx
index 90d97511d01f398..e8afc28f7d3afaa 100644
--- a/src/content/docs/ddos-protection/managed-rulesets/network/override-expressions.mdx
+++ b/src/content/docs/ddos-protection/managed-rulesets/network/override-expressions.mdx
@@ -34,11 +34,11 @@ You can use the following fields in override expressions:
- `udp.srcport`
- `udp.dstport`
-Refer to [Fields](/ruleset-engine/rules-language/fields/) in the Rules language documentation for more information.
+Refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/) in the Rules language documentation for more information.
## Important remarks
- Each expression is limited to 4,000 characters, which means you can enter approximately a maximum of 200 IP addresses in a single expression. However, you can enter IP addresses in CIDR format, which allows you to include a larger number of IP addresses. For example, you can use `192.0.0.0/24` to match IP addresses from `192.0.0.0` to `192.0.0.255`.
- An expression is not an allowlist and does not become part of the attack fingerprint. The expression applies to the scope of the override and is used right before applying a mitigation action, to determine if the sensitivity level and action need to be adjusted.
-
+
For example, if you have an expression matching packets with a specific source IP address and the override sets the sensitivity level to low, this override will only lower the sensitivity level for traffic that comes directly from that source IP address. If the DDoS protection system detects an attack coming from many source IP addresses targeted at a single destination IP and port, the generated fingerprint will only match the common criteria of the attack which, in this example, does not include the source IP address. The system will trigger the required mitigation actions at the default high sensitivity level because the traffic did not come from the user-provided source IP address. Therefore, traffic from the source IP in the override expression may still be blocked because the fingerprint only contains the destination IP address and port of the attack.
diff --git a/src/content/docs/firewall/cf-dashboard/create-edit-delete-rules.mdx b/src/content/docs/firewall/cf-dashboard/create-edit-delete-rules.mdx
index 7f2eb685020d425..15004ab803fedfb 100644
--- a/src/content/docs/firewall/cf-dashboard/create-edit-delete-rules.mdx
+++ b/src/content/docs/firewall/cf-dashboard/create-edit-delete-rules.mdx
@@ -32,7 +32,7 @@ When an incoming HTTP request matches a firewall rule expression, Cloudflare per
4. In the **Create firewall rule** page that displays, use the **Rule name** input to supply a descriptive name.
-5. Under **When incoming requests match**, use the **Field** drop-down list to choose an HTTP property (refer to [Fields reference](/ruleset-engine/rules-language/fields/) for details). For each request, the value of the property you choose for **Field** is compared to the value you specify for **Value**.
+5. Under **When incoming requests match**, use the **Field** drop-down list to choose an HTTP property (refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/) for details). For each request, the value of the property you choose for **Field** is compared to the value you specify for **Value**.
Alternatively, use the [Expression Editor](/ruleset-engine/rules-language/expressions/edit-expressions/#expression-editor) to define the rule expression.
diff --git a/src/content/docs/fundamentals/basic-tasks/trace-request/how-to.mdx b/src/content/docs/fundamentals/basic-tasks/trace-request/how-to.mdx
index 1138daf13fee7a7..0e200fa91bb1851 100644
--- a/src/content/docs/fundamentals/basic-tasks/trace-request/how-to.mdx
+++ b/src/content/docs/fundamentals/basic-tasks/trace-request/how-to.mdx
@@ -34,9 +34,9 @@ import { GlossaryTooltip } from "~/components"
* **Protocol** (HTTP protocol version)
* **Request headers**
* **Cookies**
- * **Geolocation** (request source [country](/ruleset-engine/rules-language/fields/standard-fields/#ipsrccountry), [region](/ruleset-engine/rules-language/fields/standard-fields/#ipsrcregion), and [city](/ruleset-engine/rules-language/fields/standard-fields/#ipsrccity))
+ * **Geolocation** (request source [country](/ruleset-engine/rules-language/fields/reference/ip.src.country/), [region](/ruleset-engine/rules-language/fields/reference/ip.src.region/), and [city](/ruleset-engine/rules-language/fields/reference/ip.src.city/))
* [**Bot score**](/bots/concepts/bot-score/)
- * **Threat score**
+ * **Threat score**
* **Request body** (for `POST`, `PUT`, and `PATCH` requests)
* **Skip challenge** (skips a Cloudflare-issued [challenge](/waf/reference/cloudflare-challenges/), if any, allowing the trace to continue)
diff --git a/src/content/docs/fundamentals/reference/http-request-headers.mdx b/src/content/docs/fundamentals/reference/http-request-headers.mdx
index 3bb2535ee54cb76..c820ec5847abeda 100644
--- a/src/content/docs/fundamentals/reference/http-request-headers.mdx
+++ b/src/content/docs/fundamentals/reference/http-request-headers.mdx
@@ -134,7 +134,7 @@ The intended purpose of this header is to provide a means for recipients (for ex
:::note
-When configuring WAF custom rules, do not match on this header. These rules are applied before Cloudflare adds the `CF-Worker` header. Instead, use the [`cf.worker.upstream_zone`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfworkerupstream_zone) dynamic field, which contains the same value and exists for the same purpose.
+When configuring WAF custom rules, do not match on this header. These rules are applied before Cloudflare adds the `CF-Worker` header. Instead, use the [`cf.worker.upstream_zone`](/ruleset-engine/rules-language/fields/reference/cf.worker.upstream_zone/) dynamic field, which contains the same value and exists for the same purpose.
:::
diff --git a/src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx b/src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx
index b53d48e341a3d7f..df5bb0b5d6f9d3c 100644
--- a/src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx
+++ b/src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx
@@ -63,7 +63,7 @@ Use the values from the previous step.
mTLS is verified and checked in the [Cloudflare WAF phase](/waf/reference/phases/). This is done by creating WAF [Custom Rules](/waf/custom-rules/) using the dynamic fields.
-All Client Certificate details can be found in the [`cf.tls_*`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_cipher) dynamic fields in the [Cloudflare Ruleset Engine](/ruleset-engine/).
+All Client Certificate details can be found in the [`cf.tls_*`](/ruleset-engine/rules-language/fields/reference/) fields in the [Cloudflare Ruleset Engine](/ruleset-engine/).
Example WAF Custom Rule with action block:
diff --git a/src/content/docs/learning-paths/mtls/mtls-app-security/related-features.mdx b/src/content/docs/learning-paths/mtls/mtls-app-security/related-features.mdx
index 6f5b2ea5345a781..fea150e35a38ece 100644
--- a/src/content/docs/learning-paths/mtls/mtls-app-security/related-features.mdx
+++ b/src/content/docs/learning-paths/mtls/mtls-app-security/related-features.mdx
@@ -13,7 +13,7 @@ To make it easier to differentiate between Client Certificates, you can generate
In cases of noticing excessive traffic, anomalous traffic (strange sequences of requests), or generally too many attack attempts registered from specific devices using your Client Certificates, it is best to [revoke](/ssl/client-certificates/revoke-client-certificate/) those.
-Additionally, ensure to have a WAF [Custom Rule](/waf/custom-rules/) in place to block [revoked](/api-shield/security/mtls/configure/#check-for-revoked-certificates) Client Certificates. Review the available [`cf.tls_*`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_cipher) dynamic fields.
+Additionally, ensure to have a WAF [Custom Rule](/waf/custom-rules/) in place to block [revoked](/api-shield/security/mtls/configure/#check-for-revoked-certificates) Client Certificates. Review the available [`cf.tls_*`](/ruleset-engine/rules-language/fields/reference/) fields.
Example WAF Custom Rule with action block:
@@ -47,7 +47,7 @@ Each Enterprise account can upload up to five CAs, though this can be increased.
## Client Certificate Deployment
-There are different ways to safely and securely deploy Client Certificates across devices.
+There are different ways to safely and securely deploy Client Certificates across devices.
Some of the most used methods are [embedding](/ssl/client-certificates/configure-your-mobile-app-or-iot-device/#3-embed-the-client-certificate-in-your-mobile-app) the Client Certificate into an application and allowing user devices to download and install that app, or use mobile device management (MDM) to distribute certificates across devices, or to allow user devices to directly download and install the Client Certificate into a device's Certificate Store.
@@ -60,6 +60,7 @@ In complex microservices environments, you can leverage Service Mesh to automate
It is generally recommended to [customize the cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/) of your Cloudflare [Edge Certificates](/ssl/edge-certificates/). This only applies to the Edge Certificates, not Client Certificates.
The recommended TLS versions for mTLS are:
+
- TLS 1.2: still broadly compatible and secure.
- TLS 1.3: preferred for new implementations due to its enhanced security and efficiency.
@@ -99,7 +100,7 @@ Contact your account team for more information.
[Revoked](/api-shield/security/mtls/configure/#check-for-revoked-certificates) Client Certificates are not automatically blocked unless you have an active WAF Custom Rule specifically checking for and blocking them. This check only applies to Client Certificates issued by the Cloudflare-managed CA. Cloudflare currently does not check certificate revocation lists (CRL) for CAs that have been uploaded by the customer ([BYO CA](/ssl/client-certificates/byo-ca/)). One can opt for Workers to manage a custom business logic and block revoked Client Certificates. See the [Workers section](/learning-paths/mtls/mtls-workers/) for more information.
:::
-In order to effectively implement mTLS with Cloudflare, it is strongly recommended to properly configure the [Cloudflare WAF](/waf/). Review the available [`cf.tls_*`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_cipher) dynamic fields.
+In order to effectively implement mTLS with Cloudflare, it is strongly recommended to properly configure the [Cloudflare WAF](/waf/). Review the available [`cf.tls_*`](/ruleset-engine/rules-language/fields/reference/) fields.
Example WAF Custom Rule with action block:
@@ -111,7 +112,7 @@ Example WAF Custom Rule with action block:
This expression will check if the request is coming from one of the hostnames and will block the request if the Client Certificate is either not verified or revoked.
-Another example WAF Custom Rule with action block, using the [cf.tls_client_auth.cert_fingerprint_sha256](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_fingerprint_sha256) field, for a specific Client Certificate (replace `ADD_STRING_OF_CLIENT_CERT_SHA256_FINGERPRINT`):
+Another example WAF Custom Rule with action block, using the [`cf.tls_client_auth.cert_fingerprint_sha256`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_fingerprint_sha256/) field, for a specific Client Certificate (replace `ADD_STRING_OF_CLIENT_CERT_SHA256_FINGERPRINT`):
@@ -119,7 +120,7 @@ Another example WAF Custom Rule with action block, using the [cf.tls_client_auth
(http.request.uri.path in {"/headers"} and http.host in {"mtls.example.com" "mtls2.example.com"} and not cf.tls_client_auth.cert_verified and cf.tls_client_auth.cert_fingerprint_sha256 ne "ADD_STRING_OF_CLIENT_CERT_SHA256_FINGERPRINT")
```
-Here is another example of a WAF custom rule to associate a serial number with a hostname:
+Here is another example of a WAF custom rule to associate a serial number with a hostname:
@@ -127,11 +128,12 @@ Here is another example of a WAF custom rule to associate a serial number with a
(http.host in {"mtls.example.com" "mtls2.example.com"} and cf.tls_client_auth.cert_serial ne "ADD_STRING_OF_CLIENT_CERT_SERIAL")
```
-This expression will check for a specific [Client Certificate serial number](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_serial) linked to specific hostnames, allowing for more granular control.
+This expression will check for a specific [Client Certificate serial number](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_serial/) linked to specific hostnames, allowing for more granular control.
## Rate Limiting by Client Certificates
By enabling [forwarding a certificate](/ssl/client-certificates/enable-mtls/#cloudflare-api) via the Cloudflare API, the first request of an mTLS connection will include the following headers:
+
- `Cf-Client-Cert-Der-Base64` (raw certificate in DER format, encoded as base64)
- `Cf-Client-Cert-Sha256` (SHA256 fingerprint of the certificate)
@@ -156,6 +158,5 @@ In addition to mTLS, customers can purchase [API Shield](/api-shield/) features,
Cloudflare Workers can provide details around the Client Certificate, such as returning information via headers to the client or to the origin server. Learn more in the [mTLS with Workers section](/learning-paths/mtls/mtls-workers/) below.
-
:::note
Snippets do not support any [Bindings](/workers/runtime-apis/bindings/) and do not work with mTLS. However, you can [validate JSON web tokens (JWT)](/rules/snippets/examples/jwt-validation/).
diff --git a/src/content/docs/load-balancing/additional-options/load-balancing-rules/reference.mdx b/src/content/docs/load-balancing/additional-options/load-balancing-rules/reference.mdx
index 7e966f8b242a5e4..d16aac9464430ed 100644
--- a/src/content/docs/load-balancing/additional-options/load-balancing-rules/reference.mdx
+++ b/src/content/docs/load-balancing/additional-options/load-balancing-rules/reference.mdx
@@ -3,7 +3,6 @@ pcx_content_type: reference
title: Supported fields and operators
sidebar:
order: 51
-
---
The fields that are supported by load balancing rules depend on whether Cloudflare proxies the traffic going through your load balancer or not.
@@ -29,57 +28,106 @@ Consider the following table to know how the fields available in the [Expression
Regardless of your traffic [proxy status](/load-balancing/understand-basics/proxy-modes/), Load Balancing rules can access values for the following fields:
-
-
-
Field
-
Name in Expression Builder
-
Description
-
-
-
-
-
cf.load_balancer.name `Bytes`
-
Load Balancer Name
-
-
Represents the name of the load balancer executing these rules.
-
- Example value:
- lb.example.com
-
-
-
-
-
cf.load_balancer.region `Bytes`
-
Load Balancer Region
-
-
Provides the region name of the data center processing the request.
-
- Example value:
- ENAM
-
-
-
-
-
ip.src `IP address`
-
IP Source Address
-
-
If proxied, this field provides the client TCP IP address, which may be adjusted to reflect the actual address of the client by using HTTP headers such as X-Forwarded-For or X-Real-IP.
-
If unproxied (DNS-only), this field provides the ECS source address, if available. If not available, it provides the client resolver IP address.
-
Deprecation Warning: In the future, this field will always be set to the client resolver IP address for unproxied requests. To check for the presence of ECS and use the ECS IP, see the fields dns.rr.opt.client and dns.rr.opt.client.addr, respectively.
-
- Example value:
- 1.2.3.4
-
-
-
-
+
+
+
Field
+
Name in Expression Builder
+
Description
+
+
+
+
+
+ cf.load_balancer.name
+
+ `Bytes`
+
+
+ Load Balancer Name
+
+
+
Represents the name of the load balancer executing these rules.
+
+ Example value:
+
+ lb.example.com
+
+
+
+
+
+ cf.load_balancer.region
+
+ `Bytes`
+
+
+ Load Balancer Region
+
+
+
+ Provides the{" "}
+
+ region name
+ {" "}
+ of the data center processing the request.
+
+
+ Example value:
+
+ ENAM
+
+
+
+
+
+ ip.src
+
+ `IP address`
+
+
+ IP Source Address
+
+
+
+ If proxied, this field provides the client TCP IP address, which may
+ be adjusted to reflect the actual address of the client by using HTTP
+ headers such as X-Forwarded-For or X-Real-IP
+ .
+
+
+ If unproxied (DNS-only), this field provides the ECS source address,
+ if available. If not available, it provides the client resolver IP
+ address.
+
+
+ Deprecation Warning: In the future, this field will
+ always be set to the client resolver IP address for unproxied
+ requests. To check for the presence of ECS and use the ECS IP, see the
+ fields{" "}
+
+ dns.rr.opt.client
+ {" "}
+ and{" "}
+
+ dns.rr.opt.client.addr
+
+ , respectively.
+
+
+ Example value:
+
+ 1.2.3.4
+
+
+
+
## Proxied-only fields
If your traffic is proxied through Cloudflare, you have access to all the fields listed under [Fields supported regardless of proxy](#fields-supported-regardless-of-proxy) in addition to the following fields:
-Many of these fields are referenced from the [Rules language documentation](/ruleset-engine/rules-language/fields/).
+Many of these fields are referenced from the [Rules language documentation](/ruleset-engine/rules-language/fields/reference/).
@@ -91,7 +139,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul
Represents the values of arguments in the HTTP URI query string. The values are not pre-processed and retain the original case used in the request. They are in the same order as in the request.
@@ -242,7 +290,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul
Represents the version of the HTTP protocol used. Use this field when you require different checks for different versions.
@@ -285,82 +333,148 @@ Many of these fields are referenced from the [Rules language documentation](/rul
If your traffic is not proxied through Cloudflare, you have access to all the fields listed under [Fields supported regardless of proxy](#fields-supported-regardless-of-proxy) in addition to the following fields:
-
-
-
Field
-
Name in Expression Builder
-
Description
-
-
-
-
-
dns.qry.name `Bytes`
-
Query Name
-
-
Represents the query name asked.
-
- Example value:
- example.com.
-
-
-
-
-
dns.qry.name.len `Integer`
-
Query Name Length
-
-
Represents the length in bytes of the query name.
-
- Example value:
- 123
-
-
-
-
-
dns.qry.qu `Boolean`
-
Question
-
-
When true, this field indicates that the received DNS message was a question.
+ If present, this field represents the ECS address sent with the DNS
+ request.
+
+
+ Example value:
+
+ 1.2.3.0
+
+
+
+
## Operators and grouping symbols
-* **Comparison operators** specify how values defined in an expression must relate to the actual HTTP request value for the expression to return true.
+- **Comparison operators** specify how values defined in an expression must relate to the actual HTTP request value for the expression to return true.
-* **Logical operators** combine two expressions to form a compound expression and use order of precedence to determine how an expression is evaluated.
+- **Logical operators** combine two expressions to form a compound expression and use order of precedence to determine how an expression is evaluated.
-* **Grouping symbols** allow you to organize expressions, enforce operator precedence, and nest expressions.
+- **Grouping symbols** allow you to organize expressions, enforce operator precedence, and nest expressions.
For examples and usage, refer to [Operators and grouping symbols](/ruleset-engine/rules-language/operators/) in the Rules language documentation.
diff --git a/src/content/docs/magic-firewall/about/protocol-validation-rules.mdx b/src/content/docs/magic-firewall/about/protocol-validation-rules.mdx
index e45e4855dd6e295..5d98286f5e341fd 100644
--- a/src/content/docs/magic-firewall/about/protocol-validation-rules.mdx
+++ b/src/content/docs/magic-firewall/about/protocol-validation-rules.mdx
@@ -6,6 +6,6 @@ pcx_content_type: concept
Magic Firewall supports [Session Initiation Protocol (SIP)](https://datatracker.ietf.org/doc/html/rfc2543) to inspect traffic validity and enforce a positive security model.
-You can use the `sip` field when creating a rule to determine if packets are valid SIP Layer 7 (L7) protocol. Refer to [Magic Firewall fields](/ruleset-engine/rules-language/fields/magic-firewall/), specifically the `sip` field, for more information on this topic.
+You can use the `sip` field when creating a rule to determine if packets are valid SIP Layer 7 (L7) protocol. Refer to [Magic Firewall fields](/magic-firewall/reference/magic-firewall-fields/), specifically the `sip` field, for more information on this topic.
Contact your account manager if you need Magic Firewall to support additional protocols.
diff --git a/src/content/docs/magic-firewall/about/traffic-types.mdx b/src/content/docs/magic-firewall/about/traffic-types.mdx
index 8bb443f03c922af..cbb62430ca6e38b 100644
--- a/src/content/docs/magic-firewall/about/traffic-types.mdx
+++ b/src/content/docs/magic-firewall/about/traffic-types.mdx
@@ -10,4 +10,4 @@ Magic Firewall enables you to allow or block traffic on a variety of packet char
Magic Firewall supports layers three and four — network and transport — protocols such as TCP, UDP, and ICMP. Any type of layer three or four protocols can go through Magic Firewall and then be matched on those protocols.
-To view the list of available fields, refer to [Magic Firewall fields](/ruleset-engine/rules-language/fields/magic-firewall/).
+To view the list of available fields, refer to [Magic Firewall fields](/magic-firewall/reference/magic-firewall-fields/).
diff --git a/src/content/docs/magic-firewall/reference/magic-firewall-fields.mdx b/src/content/docs/magic-firewall/reference/magic-firewall-fields.mdx
index 535624b9922b8ef..7595cfb98d02c09 100644
--- a/src/content/docs/magic-firewall/reference/magic-firewall-fields.mdx
+++ b/src/content/docs/magic-firewall/reference/magic-firewall-fields.mdx
@@ -1,6 +1,309 @@
---
-pcx_content_type: navigation
title: Magic Firewall fields
-external_link: /ruleset-engine/rules-language/fields/magic-firewall/
+pcx_content_type: reference
+head:
+ - tag: title
+ content: Magic Firewall fields
+---
+
+import { Type } from "~/components";
+
+:::note
+Some Magic Firewall fields are available only to customers who purchased Magic Firewall's advanced features. Refer to [Magic Firewall plans](/magic-firewall/plans/) for more information.
+:::
+
+## `cf.colo.name`
+
+`cf.colo.name`
+
+The data center that is handling this traffic.
+
+Example value: `sfo06`
+
+---
+
+## `cf.colo.region`
+
+`cf.colo.region`
+
+Region of the data center that is handling this traffic.
+
+Example value: `WNAM`
+
+---
+
+## `icmp`
+
+`icmp`
+
+The raw ICMP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
+
+---
+
+## `icmp.type`
+
+`icmp.type`
+
+The [ICMP type](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#header_type). Only applies to ICMP packets.
+
+Example value: `8`
+
+---
+
+## `icmp.code`
+
+`icmp.code`
+
+The [ICMP code](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#header_code). Only applies to ICMP packets.
+
+Example value: `2`
+
+---
+
+## `ip`
+
+`ip`
+
+The raw IP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
---
+
+## `ip.dst`
+
+`ip.dst`
+
+The destination address as specified in the IP packet.
+
+Example value: `192.0.2.2`
+
+---
+
+## `ip.dst.country`
+
+`ip.dst.country`
+
+Represents the 2-letter country code associated with the server IP address in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format.
+
+Example value: `GB`
+
+For more information on the ISO 3166-1 Alpha 2 format, refer to [ISO 3166-1 Alpha 2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) on Wikipedia.
+
+---
+
+## `ip.src.country`
+
+`ip.src.country`
+
+Represents the 2-letter country code associated with the client IP address in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format.
+
+Example value: `GB`
+
+For more information on the ISO 3166-1 Alpha 2 format, refer to [ISO 3166-1 Alpha 2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) on Wikipedia.
+
+For Magic Firewall, the `ip.geoip.country` field (which is deprecated) will match on either source or destination address. The `ip.geoip.country` field is still available for new and existing rules, but you should use the `ip.src.country` and/or `ip.dst.country` fields instead.
+
+---
+
+## `ip.hdr_len`
+
+`ip.hdr_len`
+
+The length of the IPv4 header in bytes.
+
+Example value: `5`
+
+---
+
+## `ip.len`
+
+`ip.len`
+
+The length of the packet including the header.
+
+Example value: `60`
+
+---
+
+## `ip.opt.type`
+
+`ip.opt.type`
+
+The first byte of [IP options field](https://en.wikipedia.org/wiki/IPv4#Options), if the options field is set.
+
+Example value: `25`
+
+---
+
+## `ip.proto`
+
+`ip.proto`
+
+The transport layer for the packet, if it can be determined.
+
+Example values: `icmp`, `tcp`
+
+---
+
+## `ip.src`
+
+`ip.src`
+
+The source address of the IP Packet.
+
+---
+
+## `ip.src.country`
+
+`ip.src.country`
+
+Represents the 2-letter country code associated with the client IP address in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format.
+
+Example value: `GB`
+
+For more information on the ISO 3166-1 Alpha 2 format, refer to [ISO 3166-1 Alpha 2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) on Wikipedia.
+
+---
+
+## `ip.ttl`
+
+`ip.ttl`
+
+The time-to-live of the IP Packet.
+
+Example values: `54`
+
+---
+
+## `sip`
+
+`sip`
+
+Determines if packets are valid L7 protocol [SIP](https://datatracker.ietf.org/doc/html/rfc2543). Requires UDP packets to operate.
+
+Use a guard clause as shown below to ensure the packet is UDP (wirefilter):
+
+`ip.proto == "udp"`
+
+---
+
+## `tcp`
+
+`tcp`
+
+The raw TCP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
+
+---
+
+## `tcp.flags`
+
+`tcp.flags`
+
+The numeric value of the TCP flags byte.
+
+---
+
+## `tcp.flags.ack`
+
+`tcp.flags.ack`
+
+TCP acknowledgment flag.
+
+---
+
+## `tcp.flags.cwr`
+
+`tcp.flags.cwr`
+
+TCP congestion window reduced flag.
+
+---
+
+## `tcp.flags.ecn`
+
+`tcp.flags.ecn`
+
+TCP ECN-Echo flag.
+
+---
+
+## `tcp.flags.fin`
+
+`tcp.flags.fin`
+
+TCP flag indicating this is the last packet from sender.
+
+---
+
+## `tcp.flags.push`
+
+`tcp.flags.push`
+
+TCP push flag.
+
+---
+
+## `tcp.flags.reset`
+
+`tcp.flags.reset`
+
+TCP reset flag.
+
+---
+
+## `tcp.flags.syn`
+
+`tcp.flags.syn`
+
+TCP synchronize flag.
+
+---
+
+## `tcp.flags.urg`
+
+`tcp.flags.urg`
+
+TCP urgent flag.
+
+---
+
+## `tcp.srcport`
+
+`tcp.srcport`
+
+Source port number of the IP packet. Only applies to TCP packets.
+
+---
+
+## `tcp.dstport`
+
+`tcp.dstport`
+
+Destination port number of the IP packet. Only applies to TCP packets.
+
+---
+
+## `udp`
+
+`udp`
+
+The raw UDP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
+
+---
+
+## `udp.dstport`
+
+`udp.dstport`
+
+Destination port number of the IP packet. Only applies to UDP packets.
+
+---
+
+## `udp.srcport`
+
+`udp.srcport`
+
+Source port number of the IP packet. Only applies to UDP packets.
+
+---
+
+_GeoIP is the registered trademark of MaxMind, Inc._
diff --git a/src/content/docs/rules/compression-rules/index.mdx b/src/content/docs/rules/compression-rules/index.mdx
index 8dd59ca5a92647a..c9e836c6760e60f 100644
--- a/src/content/docs/rules/compression-rules/index.mdx
+++ b/src/content/docs/rules/compression-rules/index.mdx
@@ -39,11 +39,11 @@ Compression Rules are available in all Cloudflare plans. Users in the Free plan
The following fields are commonly used in expressions of compression rules:
-| Field in [Expression Builder](/ruleset-engine/rules-language/expressions/edit-expressions/#expression-builder) | Field name |
-| -------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
-| _Media Type_ | [`http.response.content_type.media_type`](/ruleset-engine/rules-language/fields/http-request-response/#httpresponsecontent_typemedia_type) |
-| _File extension_ | [`http.request.uri.path.extension`](/ruleset-engine/rules-language/fields/standard-fields/#httprequesturipathextension) |
-| N/A | [`raw.http.request.uri.path.extension`](/ruleset-engine/rules-language/fields/standard-fields/#rawhttprequesturipathextension) |
+| Field in [Expression Builder](/ruleset-engine/rules-language/expressions/edit-expressions/#expression-builder) | Field name |
+| -------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- |
+| _Media Type_ | [`http.response.content_type.media_type`](/ruleset-engine/rules-language/fields/reference/http.response.content_type.media_type/) |
+| _File extension_ | [`http.request.uri.path.extension`](/ruleset-engine/rules-language/fields/reference/http.request.uri.path.extension/) |
+| N/A | [`raw.http.request.uri.path.extension`](/ruleset-engine/rules-language/fields/reference/raw.http.request.uri.path.extension/) |
## Important remarks
diff --git a/src/content/docs/rules/custom-error-responses/create-api.mdx b/src/content/docs/rules/custom-error-responses/create-api.mdx
index e7845e10e0ee68f..460cb04715190e0 100644
--- a/src/content/docs/rules/custom-error-responses/create-api.mdx
+++ b/src/content/docs/rules/custom-error-responses/create-api.mdx
@@ -33,9 +33,9 @@ Follow this workflow to create a custom error response rule for a given zone via
The examples in this section use the following fields in their rule expressions:
-- [`http.response.code`](/ruleset-engine/rules-language/fields/http-request-response/#httpresponsecode): Represents the HTTP status code returned to the client, either set by a Cloudflare product or returned by the origin server. Use this field to customize the error response for error codes returned by the origin server or by a Cloudflare product such as a Worker.
+- [`http.response.code`](/ruleset-engine/rules-language/fields/reference/http.response.code/): Represents the HTTP status code returned to the client, either set by a Cloudflare product or returned by the origin server. Use this field to customize the error response for error codes returned by the origin server or by a Cloudflare product such as a Worker.
-- [`cf.response.1xxx_code`](/ruleset-engine/rules-language/fields/http-request-response/#cfresponse1xxx_code): Contains the specific error code for Cloudflare-generated errors. This field will only work for Cloudflare-generated errors such as [52x](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-5xx-errors/) and [1xxx](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-1xxx-errors/).
+- [`cf.response.1xxx_code`](/ruleset-engine/rules-language/fields/reference/cf.response.1xxx_code/): Contains the specific error code for Cloudflare-generated errors. This field will only work for Cloudflare-generated errors such as [52x](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-5xx-errors/) and [1xxx](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-1xxx-errors/).
### Custom JSON response for all 5xx errors
diff --git a/src/content/docs/rules/reference/page-rules-migration.mdx b/src/content/docs/rules/reference/page-rules-migration.mdx
index 2de656a697bfa93..f67d13639cef858 100644
--- a/src/content/docs/rules/reference/page-rules-migration.mdx
+++ b/src/content/docs/rules/reference/page-rules-migration.mdx
@@ -49,7 +49,7 @@ The evaluation and execution order of Rules features is different from Page Rule
Modern Rules use filter expressions instead of URL patterns. These expressions, built with the Rules language, allow greater precision by leveraging [fields](/ruleset-engine/rules-language/fields/), [functions](/ruleset-engine/rules-language/functions/), and [operators](/ruleset-engine/rules-language/operators/).
-The following example demonstrates the use of the [`http.request.full_uri`](/ruleset-engine/rules-language/fields/standard-fields/#httprequestfull_uri) field and the `wildcard` operator for [wildcard matching](/ruleset-engine/rules-language/operators/#wildcard-matching):
+The following example demonstrates the use of the [`http.request.full_uri`](/ruleset-engine/rules-language/fields/reference/http.request.full_uri/) field and the `wildcard` operator for [wildcard matching](/ruleset-engine/rules-language/operators/#wildcard-matching):
A **Page Rules URL** like:
diff --git a/src/content/docs/rules/reference/troubleshooting.mdx b/src/content/docs/rules/reference/troubleshooting.mdx
index 7f3a3dbd07978e0..07b9e1d53d0599a 100644
--- a/src/content/docs/rules/reference/troubleshooting.mdx
+++ b/src/content/docs/rules/reference/troubleshooting.mdx
@@ -81,4 +81,4 @@ In the current example, you could use the `raw.http.request.uri.path` field in b
This way, the two rules will work as intended. Additionally, this allows you to use the same expression in the two rules, even when the first rule is updating the URI path value.
-For a list of raw fields, refer to the [Fields](/ruleset-engine/rules-language/fields/) reference page.
+For a list of raw fields, refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/).
diff --git a/src/content/docs/rules/transform/managed-transforms/reference.mdx b/src/content/docs/rules/transform/managed-transforms/reference.mdx
index 13f011ab804301e..f3b8719763eedfb 100644
--- a/src/content/docs/rules/transform/managed-transforms/reference.mdx
+++ b/src/content/docs/rules/transform/managed-transforms/reference.mdx
@@ -38,38 +38,38 @@ Adds HTTP headers with bot-related values to the request sent to the origin serv
Adds HTTP headers with [Mutual TLS](/api-shield/security/mtls/) (mTLS) client authentication values to the request sent to the origin server:
-- `cf-cert-revoked`: Value from the [`cf.tls_client_auth.cert_revoked`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_revoked) field.
-- `cf-cert-verified`: Value from the [`cf.tls_client_auth.cert_verified`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_verified) field.
-- `cf-cert-presented`: Value from the [`cf.tls_client_auth.cert_presented`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_presented) field.
-- `cf-cert-issuer-dn`: Value from the [`cf.tls_client_auth.cert_issuer_dn`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_issuer_dn) field.
-- `cf-cert-subject-dn`: Value from the [`cf.tls_client_auth.cert_subject_dn`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_subject_dn) field.
-- `cf-cert-issuer-dn-rfc2253`: Value from the [`cf.tls_client_auth.cert_issuer_dn_rfc2253`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_issuer_dn_rfc2253) field.
-- `cf-cert-subject-dn-rfc2253`: Value from the [`cf.tls_client_auth.cert_subject_dn_rfc2253`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_subject_dn_rfc2253) field.
-- `cf-cert-issuer-dn-legacy`: Value from the [`cf.tls_client_auth.cert_issuer_dn_legacy`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_issuer_dn_legacy) field.
-- `cf-cert-subject-dn-legacy`: Value from the [`cf.tls_client_auth.cert_subject_dn_legacy`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_subject_dn_legacy) field.
-- `cf-cert-serial`: Value from the [`cf.tls_client_auth.cert_serial`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_serial) field.
-- `cf-cert-issuer-serial`: Value from the [`cf.tls_client_auth.cert_issuer_serial`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_issuer_serial) field.
-- `cf-cert-fingerprint-sha256`: Value from the [`cf.tls_client_auth.cert_fingerprint_sha256`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_fingerprint_sha256) field.
-- `cf-cert-fingerprint-sha1`: Value from the [`cf.tls_client_auth.cert_fingerprint_sha1`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_fingerprint_sha1) field.
-- `cf-cert-not-before`: Value from the [`cf.tls_client_auth.cert_not_before`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_not_before) field.
-- `cf-cert-not-after`: Value from the [`cf.tls_client_auth.cert_not_after`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_not_after) field.
-- `cf-cert-ski`: Value from the [`cf.tls_client_auth.cert_ski`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_ski) field.
-- `cf-cert-issuer-ski`: Value from the [`cf.tls_client_auth.cert_issuer_ski`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_issuer_ski) field.
+- `cf-cert-revoked`: Value from the [`cf.tls_client_auth.cert_revoked`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_revoked/) field.
+- `cf-cert-verified`: Value from the [`cf.tls_client_auth.cert_verified`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_verified/) field.
+- `cf-cert-presented`: Value from the [`cf.tls_client_auth.cert_presented`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_presented/) field.
+- `cf-cert-issuer-dn`: Value from the [`cf.tls_client_auth.cert_issuer_dn`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_issuer_dn/) field.
+- `cf-cert-subject-dn`: Value from the [`cf.tls_client_auth.cert_subject_dn`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_subject_dn/) field.
+- `cf-cert-issuer-dn-rfc2253`: Value from the [`cf.tls_client_auth.cert_issuer_dn_rfc2253`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_issuer_dn_rfc2253/) field.
+- `cf-cert-subject-dn-rfc2253`: Value from the [`cf.tls_client_auth.cert_subject_dn_rfc2253`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_subject_dn_rfc2253/) field.
+- `cf-cert-issuer-dn-legacy`: Value from the [`cf.tls_client_auth.cert_issuer_dn_legacy`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_issuer_dn_legacy/) field.
+- `cf-cert-subject-dn-legacy`: Value from the [`cf.tls_client_auth.cert_subject_dn_legacy`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_subject_dn_legacy/) field.
+- `cf-cert-serial`: Value from the [`cf.tls_client_auth.cert_serial`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_serial/) field.
+- `cf-cert-issuer-serial`: Value from the [`cf.tls_client_auth.cert_issuer_serial`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_issuer_serial/) field.
+- `cf-cert-fingerprint-sha256`: Value from the [`cf.tls_client_auth.cert_fingerprint_sha256`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_fingerprint_sha256/) field.
+- `cf-cert-fingerprint-sha1`: Value from the [`cf.tls_client_auth.cert_fingerprint_sha1`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_fingerprint_sha1/) field.
+- `cf-cert-not-before`: Value from the [`cf.tls_client_auth.cert_not_before`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_not_before/) field.
+- `cf-cert-not-after`: Value from the [`cf.tls_client_auth.cert_not_after`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_not_after/) field.
+- `cf-cert-ski`: Value from the [`cf.tls_client_auth.cert_ski`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_ski/) field.
+- `cf-cert-issuer-ski`: Value from the [`cf.tls_client_auth.cert_issuer_ski`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_issuer_ski/) field.
### Add visitor location headers
Adds HTTP headers with location information for the visitor's IP address to the request sent to the origin server:
-- `cf-ipcity`: The visitor's city (value from the [`ip.src.city`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrccity) field).
-- `cf-ipcountry`: The visitor's country (value from the [`ip.src.country`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrccountry) field).
-- `cf-ipcontinent`: The visitor's continent (value from the [`ip.src.continent`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrccontinent) field).
-- `cf-iplongitude`: The visitor's longitude (value from the [`ip.src.lon`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrclon) field).
-- `cf-iplatitude`: The visitor's latitude (value from the [`ip.src.lat`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrclat) field).
-- `cf-region`: The visitor's region (value from the [`ip.src.region`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrcregion) field).
-- `cf-region-code`: The visitor's region code (value from the [`ip.src.region_code`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrcregion_code) field).
-- `cf-metro-code`: The visitor's metro code (value from the [`ip.src.metro_code`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrcmetro_code) field).
-- `cf-postal-code`: The visitor's postal code (value from the [`ip.src.postal_code`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrcpostal_code) field).
-- `cf-timezone`: The name of the visitor's timezone (value from the [`ip.src.timezone.name`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrctimezonename) field).
+- `cf-ipcity`: The visitor's city (value from the [`ip.src.city`](/ruleset-engine/rules-language/fields/reference/ip.src.city/) field).
+- `cf-ipcountry`: The visitor's country (value from the [`ip.src.country`](/ruleset-engine/rules-language/fields/reference/ip.src.country/) field).
+- `cf-ipcontinent`: The visitor's continent (value from the [`ip.src.continent`](/ruleset-engine/rules-language/fields/reference/ip.src.continent/) field).
+- `cf-iplongitude`: The visitor's longitude (value from the [`ip.src.lon`](/ruleset-engine/rules-language/fields/reference/ip.src.lon/) field).
+- `cf-iplatitude`: The visitor's latitude (value from the [`ip.src.lat`](/ruleset-engine/rules-language/fields/reference/ip.src.lat/) field).
+- `cf-region`: The visitor's region (value from the [`ip.src.region`](/ruleset-engine/rules-language/fields/reference/ip.src.region/) field).
+- `cf-region-code`: The visitor's region code (value from the [`ip.src.region_code`](/ruleset-engine/rules-language/fields/reference/ip.src.region_code/) field).
+- `cf-metro-code`: The visitor's metro code (value from the [`ip.src.metro_code`](/ruleset-engine/rules-language/fields/reference/ip.src.metro_code/) field).
+- `cf-postal-code`: The visitor's postal code (value from the [`ip.src.postal_code`](/ruleset-engine/rules-language/fields/reference/ip.src.postal_code/) field).
+- `cf-timezone`: The name of the visitor's timezone (value from the [`ip.src.timezone.name`](/ruleset-engine/rules-language/fields/reference/ip.src.timezone.name/) field).
:::caution
Turning on [IP geolocation](/network/ip-geolocation/) will send a `cf-ipcountry` HTTP header to your origin server even when **Add visitor location headers** is turned off.
@@ -136,11 +136,11 @@ Adds a `Malicious-Uploads-Detection` request header indicating the outcome of sc
The header can have one of the following values:
-| Header + Value | Description |
-| -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `Malicious-Uploads-Detection: 1` | The request contains at least one malicious content object ([`cf.waf.content_scan.has_malicious_obj`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanhas_malicious_obj) is `true`). |
-| `Malicious-Uploads-Detection: 2` | The file scanner was unable to scan all the content objects detected in the request ([`cf.waf.content_scan.has_failed`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanhas_failed) is `true`). |
-| `Malicious-Uploads-Detection: 3` | The request contains at least one content object ([`cf.waf.content_scan.has_obj`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanhas_obj) is `true`). |
+| Header + Value | Description |
+| -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `Malicious-Uploads-Detection: 1` | The request contains at least one malicious content object ([`cf.waf.content_scan.has_malicious_obj`](/ruleset-engine/rules-language/fields/reference/cf.waf.content_scan.has_malicious_obj/) is `true`). |
+| `Malicious-Uploads-Detection: 2` | The file scanner was unable to scan all the content objects detected in the request ([`cf.waf.content_scan.has_failed`](/ruleset-engine/rules-language/fields/reference/cf.waf.content_scan.has_failed/) is `true`). |
+| `Malicious-Uploads-Detection: 3` | The request contains at least one content object ([`cf.waf.content_scan.has_obj`](/ruleset-engine/rules-language/fields/reference/cf.waf.content_scan.has_obj/) is `true`). |
For more information, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
diff --git a/src/content/docs/rules/transform/url-rewrite/reference/fields-functions.mdx b/src/content/docs/rules/transform/url-rewrite/reference/fields-functions.mdx
index eac205d08a81a78..e0770b369667fce 100644
--- a/src/content/docs/rules/transform/url-rewrite/reference/fields-functions.mdx
+++ b/src/content/docs/rules/transform/url-rewrite/reference/fields-functions.mdx
@@ -26,6 +26,6 @@ A rewrite expression (that is, the expression that defines the dynamic URL rewri
- `http.request.headers.*`
- `http.request.accepted_languages`
-Refer to [Fields](/ruleset-engine/rules-language/fields/) for reference information on these fields.
+Refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/) for more information on these fields.
The [`concat()`](/ruleset-engine/rules-language/functions/#concat), [`regex_replace()`](/ruleset-engine/rules-language/functions/#regex_replace), and [`wildcard_replace()`](/ruleset-engine/rules-language/functions/#wildcard_replace) functions can appear only **once** in a rewrite expression.
diff --git a/src/content/docs/rules/url-forwarding/bulk-redirects/concepts.mdx b/src/content/docs/rules/url-forwarding/bulk-redirects/concepts.mdx
index 148f072251bfd26..3bc19e60dd4b9ff 100644
--- a/src/content/docs/rules/url-forwarding/bulk-redirects/concepts.mdx
+++ b/src/content/docs/rules/url-forwarding/bulk-redirects/concepts.mdx
@@ -107,7 +107,7 @@ At the left of the `in` operator you can only use fields directly and not values
- `http.request.full_uri`
- `raw.http.request.full_uri`
-Refer to [Fields](/ruleset-engine/rules-language/fields/) for more information.
+Refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/) for more information.
:::
diff --git a/src/content/docs/rules/url-forwarding/single-redirects/settings.mdx b/src/content/docs/rules/url-forwarding/single-redirects/settings.mdx
index fcffaecce39ce33..2ea2442a69c3353 100644
--- a/src/content/docs/rules/url-forwarding/single-redirects/settings.mdx
+++ b/src/content/docs/rules/url-forwarding/single-redirects/settings.mdx
@@ -64,7 +64,7 @@ Performs a dynamic URL redirect, where the target URL is determined by an expres
A dynamic URL redirect has the following configuration parameters:
-- **Expression**: An [expression](/ruleset-engine/rules-language/expressions/) that defines the target URL of the redirect. The result of evaluating this expression will be used in the `Location` HTTP header returned in the redirect response. Refer to the [fields](/ruleset-engine/rules-language/fields/) and [functions](/ruleset-engine/rules-language/functions/) you can use in expressions.
+- **Expression**: An [expression](/ruleset-engine/rules-language/expressions/) that defines the target URL of the redirect. The result of evaluating this expression will be used in the `Location` HTTP header returned in the redirect response. Refer to the [fields](/ruleset-engine/rules-language/fields/reference/) and [functions](/ruleset-engine/rules-language/functions/) you can use in expressions.
- **Status code**: The HTTP status code of the redirect response (_301_ by default). Must be one of the following: _301_ (Moved permanently), _302_ (Found, also known as Moved temporarily), _307_ (Temporary redirect), or _308_ (Permanent redirect).
diff --git a/src/content/docs/ruleset-engine/about/rules.mdx b/src/content/docs/ruleset-engine/about/rules.mdx
index ef8bb635e73430e..e9552c5f349602b 100644
--- a/src/content/docs/ruleset-engine/about/rules.mdx
+++ b/src/content/docs/ruleset-engine/about/rules.mdx
@@ -30,7 +30,7 @@ When you use `true` as the rule filter expression, this means "apply the rule to
* A rule filter expression must evaluate to a boolean value (either `true` or `false`).
-* Rules of specific Cloudflare products, such as [Transform Rules](/rules/transform/), may include other expressions used to specify dynamic values. These expressions do not have to evaluate to a boolean value.
+* Rules of specific Cloudflare products, such as [Transform Rules](/rules/transform/), may include other expressions used to specify dynamic values. These expressions do not have to evaluate to a boolean value.
:::
### Field values during rule evaluation
@@ -45,5 +45,5 @@ For example:
:::note
-If you want to use the original field values in rules evaluated later, you can use raw fields (for example, `raw.http.request.uri.path`) in their expressions. These special fields are immutable during the entire request evaluation workflow. For a list of raw fields, refer to [Fields](/ruleset-engine/rules-language/fields/).
+If you want to use the original field values in rules evaluated later, you can use raw fields (for example, `raw.http.request.uri.path`) in their expressions. These special fields are immutable during the entire request evaluation workflow. For a list of raw fields, refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/).
:::
diff --git a/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx b/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx
deleted file mode 100644
index 988a61f357ede50..000000000000000
--- a/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx
+++ /dev/null
@@ -1,599 +0,0 @@
----
-title: Dynamic fields
-pcx_content_type: reference
-sidebar:
- order: 2
-head:
- - tag: title
- content: Dynamic fields | Fields reference
----
-
-import { Render, Type, GlossaryTooltip } from "~/components";
-
-Dynamic fields represent computed or derived values, typically related to threat intelligence about an HTTP request.
-
-:::note
-
-- Access to `cf.api_gateway.auth_id_present` requires a Cloudflare Enterprise plan with [API Shield](/api-shield/) enabled.
-
-- Access to `cf.bot_management.*` fields requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
-
-- Access to `cf.waf.content_scan.*` fields requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
-
-- Access to fields `cf.waf.auth_detected` and `cf.waf.credential_check.*` depends on your Cloudflare plan and add-ons. For more information, refer to [Leaked credentials detection](/waf/detections/leaked-credentials/).
-
-- The `cf.tls_client_auth.*` string fields are only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
-
-:::
-
-The Cloudflare Rules language supports these dynamic fields.
-
-## `cf.api_gateway.auth_id_present`
-
-`cf.api_gateway.auth_id_present`
-
-Indicates whether the request contained an API session authentication token, as defined by API Shield's saved [session identifiers](/api-shield/get-started/#session-identifiers/).
-
-## `cf.api_gateway.request_violates_schema`
-
-`cf.api_gateway.request_violates_schema`
-
-Indicates whether the request [violated the schema](/api-shield/security/schema-validation/) assigned to the respective saved endpoint.
-
-## `cf.api_gateway.fallthrough_detected`
-
-`cf.api_gateway.fallthrough_detected`
-
-Indicates whether the request matched a saved endpoint in [Endpoint Management](/api-shield/management-and-monitoring/).
-
-## `cf.bot_management.verified_bot`
-
-`cf.bot_management.verified_bot`
-
-When `true`, this field indicates the request originated from a known good bot or crawler. Provides the same information as [`cf.client.bot`](#cfclientbot).
-
-## `cf.verified_bot_category`
-
-`cf.verified_bot_category`
-
-Provides the type and purpose of a verified bot. For more details, refer to [Verified Bot Categories](/bots/reference/verified-bot-categories/).
-
-## `cf.bot_management.score`
-
-`cf.bot_management.score`
-
-Represents the likelihood that a request originates from a bot using a score from 1–99. A low score indicates that the request comes from a bot or an automated agent. A high score indicates that a human issued the request.
-
-## `cf.bot_management.static_resource`
-
-`cf.bot_management.static_resource`
-
-Indicates whether static resources should be included when you create a rule using [`cf.bot_management.score`](#cfbot_managementscore). For more details, refer to [Static resource protection](/bots/reference/static-resources/).
-
-## `cf.bot_management.ja3_hash`
-
-`cf.bot_management.ja3_hash`
-
-Provides an SSL/TLS fingerprint to help you identify potential bot requests. For more details, refer to [JA3/JA4 Fingerprint](/bots/concepts/ja3-ja4-fingerprint/).
-
-## `cf.bot_management.ja4`
-
-`cf.bot_management.ja4`
-
-Provides an SSL/TLS fingerprint to help you identify potential bot requests. For more details, refer to [JA3/JA4 Fingerprint](/bots/concepts/ja3-ja4-fingerprint/).
-
-## `cf.bot_management.js_detection.passed`
-
-`cf.bot_management.js_detection.passed`
-
-Indicates whether the visitor has previously passed a JS Detection. For more details, refer to [JavaScript detections](/bots/reference/javascript-detections/).
-
-## `cf.bot_management.detection_ids`
-
-`cf.bot_management.detection_ids`
-
-List of IDs that correlate to the Bot Management heuristic detections made on a request (you can have multiple heuristic detections on the same request). Use this field to explicitly match a specific heuristic or to exclude a heuristic in a rule.
-
-Example usage:
-
-```txt
-any(cf.bot_management.detection_ids[*] eq 33554817)
-```
-
-## `cf.client.bot`
-
-`cf.client.bot`
-
-When `true`, this field indicates the request originated from a known good bot or crawler. Provides the same information as [`cf.bot_management.verified_bot`](#cfbot_managementverified_bot).
-
-## `cf.edge.server_ip`
-
-`cf.edge.server_ip`
-
-Represents the global network's IP address to which the HTTP request has resolved. This field is only meaningful for [BYOIP customers](/byoip/).
-
-## `cf.edge.server_port`
-
-`cf.edge.server_port`
-
-Represents the port number at which the Cloudflare global network received the request. Use this field to filter traffic on a specific port. The value is a port number in the range 1–65535.
-
-## `cf.hostname.metadata`
-
-`cf.hostname.metadata`
-
-Returns the string representation of the per-hostname [custom metadata](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata/) JSON object set by SSL for SaaS customers.
-
-## `cf.random_seed`
-
-`cf.random_seed`
-
-Returns per-request random bytes that you can use in the [`uuidv4()`](/ruleset-engine/rules-language/functions/#uuidv4) function.
-
-## `cf.ray_id`
-
-`cf.ray_id`
-
-The Ray ID of the current request. A [Ray ID](/fundamentals/reference/cloudflare-ray-id/) is an identifier given to every request that goes through Cloudflare.
-
-## `cf.threat_score`
-
-`cf.threat_score`
-
-Represents a Cloudflare threat score from 0–100, where 0 indicates low risk. Values above 10 may represent spammers or bots, and values above 40 identify bad actors on the Internet. It is rare to see values above 60. A common recommendation is to challenge requests with a score above 10 and to block those above 50.
-
-## `cf.tls_cipher`
-
-`cf.tls_cipher`
-
-The cipher for the connection to Cloudflare.
-
-Example value:
-
-```txt
-"AES128-SHA256"
-```
-
-## `cf.tls_client_auth.cert_revoked`
-
-`cf.tls_client_auth.cert_revoked`
-
-Returns `true` when a request presents a valid but revoked client certificate. When `true`, the [`cf.tls_client_auth.cert_verified`](#cftls_client_authcert_verified) field is also `true`.
-
-## `cf.tls_client_auth.cert_verified`
-
-`cf.tls_client_auth.cert_verified`
-
-Returns `true` when a request presents a valid client certificate. Also returns `true` when a request includes a valid certificate that was revoked (refer to [`cf.tls_client_auth.cert_revoked`](#cftls_client_authcert_revoked)).
-
-## `cf.tls_client_auth.cert_presented`
-
-`cf.tls_client_auth.cert_presented`
-
-Returns `true` when a request presents a certificate (valid or not).
-
-## `cf.tls_client_auth.cert_issuer_dn`
-
-`cf.tls_client_auth.cert_issuer_dn`
-
-The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate included in the request.
-
-Example value:
-
-```txt
-"CN=Access Testing CA,OU=TX,O=Access Testing,L=Austin,ST=Texas,C=US"
-```
-
-## `cf.tls_client_auth.cert_subject_dn`
-
-`cf.tls_client_auth.cert_subject_dn`
-
-The Distinguished Name (DN) of the owner (or requester) of the certificate included in the request.
-
-Example value:
-
-```txt
-"CN=James Royal,OU=Access Admins,O=Access,L=Austin,ST=Texas,C=US"
-```
-
-## `cf.tls_client_auth.cert_issuer_dn_rfc2253`
-
-`cf.tls_client_auth.cert_issuer_dn_rfc2253`
-
-The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in [RFC 2253](https://datatracker.ietf.org/doc/html/rfc2253) format.
-
-Example value:
-
-```txt
-"CN=Access Testing CA,OU=TX,O=Access Testing,L=Austin,ST=Texas,C=US"
-```
-
-## `cf.tls_client_auth.cert_subject_dn_rfc2253`
-
-`cf.tls_client_auth.cert_subject_dn_rfc2253`
-
-The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in [RFC 2253](https://datatracker.ietf.org/doc/html/rfc2253) format.
-
-Example value:
-
-```txt
-"CN=James Royal,OU=Access Admins,O=Access,L=Austin,ST=Texas,C=US"
-```
-
-## `cf.tls_client_auth.cert_issuer_dn_legacy`
-
-`cf.tls_client_auth.cert_issuer_dn_legacy`
-
-The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in a legacy format.
-
-Example value:
-
-```txt
-"/C=US/ST=Texas/L=Austin/O=Access Testing/OU=TX/CN=Access Testing CA"
-```
-
-## `cf.tls_client_auth.cert_subject_dn_legacy`
-
-`cf.tls_client_auth.cert_subject_dn_legacy`
-
-The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in a legacy format.
-
-Example value:
-
-```txt
-"/C=US/ST=Texas/L=Austin/O=Access/OU=Access Admins/CN=James Royal"
-```
-
-## `cf.tls_client_auth.cert_serial`
-
-`cf.tls_client_auth.cert_serial`
-
-Serial number of the certificate in the request.
-
-Example value:
-
-```txt
-"527E0F20A20EA2A4146C78390F34CE7AF0878CA4"
-```
-
-## `cf.tls_client_auth.cert_issuer_serial`
-
-`cf.tls_client_auth.cert_issuer_serial`
-
-Serial number of the direct issuer of the certificate in the request.
-
-Example value:
-
-```txt
-"2688201DBA77402EA87118876F2E1B24CF8B0395"
-```
-
-## `cf.tls_client_auth.cert_fingerprint_sha256`
-
-`cf.tls_client_auth.cert_fingerprint_sha256`
-
-The SHA-256 fingerprint of the certificate in the request.
-
-Example value:
-
-```txt
-"af363dc85bc942a892d3cee9796190fdb36d89cd588a4f1cb17c74a943439714"
-```
-
-## `cf.tls_client_auth.cert_fingerprint_sha1`
-
-`cf.tls_client_auth.cert_fingerprint_sha1`
-
-The SHA-1 fingerprint of the certificate in the request.
-
-Example value:
-
-```txt
-"933ad5282c560ae3f482a43ecd73bc9de878a190"
-```
-
-## `cf.tls_client_auth.cert_not_before`
-
-`cf.tls_client_auth.cert_not_before`
-
-The certificate in the request is not valid before this date.
-
-Example value:
-
-```txt
-"Mar 21 13:35:00 2022 GMT"
-```
-
-## `cf.tls_client_auth.cert_not_after`
-
-`cf.tls_client_auth.cert_not_after`
-
-The certificate in the request is not valid after this date.
-
-Example value:
-
-```txt
-"Mar 21 13:35:00 2023 GMT"
-```
-
-## `cf.tls_client_auth.cert_ski`
-
-`cf.tls_client_auth.cert_ski`
-
-The Subject Key Identifier (SKI) of the certificate in the request.
-
-Example value:
-
-```txt
-"27846FAE6EAC4A8DAD9101B519CF1EB460242831"
-```
-
-## `cf.tls_client_auth.cert_issuer_ski`
-
-`cf.tls_client_auth.cert_issuer_ski`
-
-The Subject Key Identifier (SKI) of the direct issuer of the certificate in the request.
-
-Example value:
-
-```txt
-"8204924CF49D471E855862706D889F58F6B784D3"
-```
-
-## `cf.tls_client_extensions_sha1`
-
-`cf.tls_client_extensions_sha1`
-
-The SHA-1 fingerprint of TLS client extensions, encoded in Base64.
-
-Example value:
-
-```txt
-"OWFiM2I5ZDc0YWI0YWYzZmFkMGU0ZjhlYjhiYmVkMjgxNTU5YTU2Mg=="
-```
-
-## `cf.tls_client_hello_length`
-
-`cf.tls_client_hello_length`
-
-The length of the client hello message sent in a [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake). Specifically, the length of the bytestring of the client hello.
-
-Example value:
-
-```txt
-508
-```
-
-## `cf.tls_client_random`
-
-`cf.tls_client_random`
-
-The value of the 32-byte random value provided by the client in a [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake), encoded in Base64. Refer to [RFC 8446](https://datatracker.ietf.org/doc/html/rfc8446#section-4.1.2) for more details.
-
-Example value:
-
-```txt
-"YWJjZA=="
-```
-
-## `cf.tls_version`
-
-`cf.tls_version`
-
-The TLS version of the connection to Cloudflare.
-
-Example value:
-
-```txt
-"TLSv1.2"
-```
-
-## `cf.waf.content_scan.has_obj`
-
-`cf.waf.content_scan.has_obj`
-
-When `true`, the request contains at least one content object.
-
-For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
-
-## `cf.waf.content_scan.has_malicious_obj`
-
-`cf.waf.content_scan.has_malicious_obj`
-
-When `true`, the request contains at least one malicious content object.
-
-For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
-
-## `cf.waf.content_scan.num_malicious_obj`
-
-`cf.waf.content_scan.num_malicious_obj`
-
-The number of malicious content objects detected in the request (zero or greater).
-
-For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
-
-## `cf.waf.content_scan.has_failed`
-
-`cf.waf.content_scan.has_failed`
-
-When `true`, the file scanner was unable to scan all the content objects detected in the request.
-
-For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
-
-## `cf.waf.content_scan.num_obj`
-
-`cf.waf.content_scan.num_obj`
-
-The number of content objects detected in the request (zero or greater).
-
-For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
-
-## `cf.waf.content_scan.obj_sizes`
-
-`cf.waf.content_scan.obj_sizes`
-
-An array of file sizes in bytes, in the order the content objects were detected in the request.
-
-For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
-
-## `cf.waf.content_scan.obj_types`
-
-`cf.waf.content_scan.obj_types`
-
-An array of file types in the order the content objects were detected in the request. If Cloudflare cannot determine the file type of a content object, the corresponding value in the `obj_types` array will be `application/octet-stream`.
-
-For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
-
-## `cf.waf.content_scan.obj_results`
-
-`cf.waf.content_scan.obj_results`
-
-An array of scan results in the order the content objects were detected in the request. The possible values are: `clean`, `suspicious`, `infected`, and `not scanned`.
-
-For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
-
-## `cf.waf.score`
-
-`cf.waf.score`
-
-A global score from `1` to `99` that combines the score of each WAF attack vector into a single score. This is the standard [WAF attack score](/waf/detections/attack-score/) to detect variants of attack patterns.
-
-## `cf.waf.score.sqli`
-
-`cf.waf.score.sqli`
-
-An attack score from `1` to `99` classifying the SQL injection (SQLi) attack vector.
-
-## `cf.waf.score.xss`
-
-`cf.waf.score.xss`
-
-An attack score from `1` to `99` classifying the cross-site scripting (XSS) attack vector.
-
-## `cf.waf.score.rce`
-
-`cf.waf.score.rce`
-
-An attack score from `1` to `99` classifying the command injection or Remote Code Execution (RCE) attack vector.
-
-## `cf.waf.score.class`
-
-`cf.waf.score.class`
-
-The attack score class of the current request, based on the WAF attack score. Can have one of the following values: `attack`, `likely_attack`, `likely_clean`, `clean`.
-
-## `cf.waf.auth_detected`
-
-`cf.waf.auth_detected`
-
-When `true`, the Cloudflare WAF detected authentication credentials in the request.
-
-Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
-
-## `cf.waf.credential_check.password_leaked`
-
-`cf.waf.credential_check.password_leaked`
-
-When `true`, the password detected in the request was previously leaked.
-
-Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
-
-## `cf.waf.credential_check.username_leaked`
-
-`cf.waf.credential_check.username_leaked`
-
-When `true`, the username detected in the request was previously leaked.
-
-Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
-
-## `cf.waf.credential_check.username_and_password_leaked`
-
-`cf.waf.credential_check.username_and_password_leaked`
-
-When `true`, the authentication credentials detected in the request (username and password pair) were previously leaked.
-
-Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
-
-## `cf.waf.credential_check.username_password_similar`
-
-`cf.waf.credential_check.username_password_similar`
-
-When `true`, a similar version of the username and password credentials detected in the request were previously leaked.
-
-Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
-
-## `cf.worker.upstream_zone`
-
-`cf.worker.upstream_zone`
-
-Identifies whether a request comes from a worker or not. When a request comes from a worker, this field will hold the name of the zone for that worker. Otherwise, `cf.worker.upstream_zone` is empty.
-
-## Corporate Proxy
-
-
-
-## JSON Web Tokens Validation claims
-
-[API Shield](/api-shield/) users can now create [custom rules](/waf/custom-rules/) using claims present in tokens processed by [JSON Web Tokens Validation](/api-shield/security/jwt-validation/).
-
-Users can also use any custom JWT claim. Refer to the [WAF documentation](/waf/custom-rules/use-cases/check-jwt-claim-to-protect-admin-user/) for an example of a custom JWT claim.
-
-### `aud` (audience)
-
-`http.request.jwt.claims.aud`
-`http.request.jwt.claims.aud.names`
-`http.request.jwt.claims.aud.values`
-
-The `aud` (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for. Each principal intended to process the JWT must identify itself with a value in the audience claim. In the general case, the `aud` value is an array of case-sensitive strings, each containing a `StringOrURI` value.
-
-
-
-### `iat` (issued at)
-
-`http.request.jwt.claims.iat.sec`
-`http.request.jwt.claims.iat.sec.names`
-`http.request.jwt.claims.iat.sec.values`
-
-The `iat` (issued at) claim identifies the time (number of seconds) at which the JWT was issued.
-
-
-
-### `iss` (issuer)
-
-`http.request.jwt.claims.iss`
-`http.request.jwt.claims.iss.names`
-`http.request.jwt.claims.iss.values`
-
-The `iss` (issuer) claim identifies the principal that issued the JWT.
-
-
-
-### `jti` (JWT ID)
-
-`http.request.jwt.claims.jti`
-`http.request.jwt.claims.jti.names`
-`http.request.jwt.claims.jti.values`
-
-The `jti` (JWT ID) claim provides a unique identifier for the JWT.
-
-
-
-### `nbf` (not before)
-
-`http.request.jwt.claims.nbf.sec`
-`http.request.jwt.claims.nbf.sec.names`
-`http.request.jwt.claims.nbf.sec.values`
-
-The `nbf` (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.
-
-
-
-### `sub` (subject)
-
-`http.request.jwt.claims.sub`
-`http.request.jwt.claims.sub.names`
-`http.request.jwt.claims.sub.values`
-
-The `sub` (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject.
-
-
diff --git a/src/content/docs/ruleset-engine/rules-language/fields/http-request-body.mdx b/src/content/docs/ruleset-engine/rules-language/fields/http-request-body.mdx
deleted file mode 100644
index a1bc8040360b2d1..000000000000000
--- a/src/content/docs/ruleset-engine/rules-language/fields/http-request-body.mdx
+++ /dev/null
@@ -1,245 +0,0 @@
----
-title: HTTP request body fields
-pcx_content_type: reference
-sidebar:
- order: 6
-head:
- - tag: title
- content: HTTP request body fields | Fields reference
----
-
-import { Type } from "~/components";
-
-:::note
-Access to HTTP request body fields requires a Cloudflare Enterprise plan with a paid add-on, except for the `http.request.body.mime` field.
-:::
-
-The Rules language includes fields that represent properties of an HTTP request body. Many of these return [arrays](/ruleset-engine/rules-language/values/#arrays) containing the respective values.
-
-:::caution
-
-All `http.request.body.*` fields (except [`http.request.body.size`](#httprequestbodysize)) handle a given maximum body size, which varies per plan. For Enterprise customers, the maximum body size analyzed by Cloudflare is 128 KB; for lower Cloudflare plans, the maximum size is lower. You cannot define expressions that rely on request body data beyond the maximum size set for your plan. If the request body is larger, the body fields will contain a truncated value and the [`http.request.body.truncated`](#httprequestbodytruncated) field will be set to `true`. The [`http.request.body.size`](#httprequestbodysize) field will contain the full size of the request without any truncation.
-
-The maximum body size applies only to the values of HTTP body fields — the origin server will still receive the complete request body.
-
-:::
-
-The Cloudflare Rules language supports these HTTP body fields.
-
-## `http.request.body.raw`
-
-`http.request.body.raw`
-
-The unaltered HTTP request body.
-
-When the value of [`http.request.body.truncated`](#httprequestbodytruncated) is true, the return value may be truncated.
-
-- Decoding: no decoding performed
-- Whitespace: preserved
-- Non-ASCII: preserved
-
-## `http.request.body.truncated`
-
-`http.request.body.truncated`
-
-Indicates whether the HTTP request body is truncated.
-
-When true, `http.request.body` fields may not contain all of the HTTP request body.
-
-## `http.request.body.size`
-
-`http.request.body.size`
-
-The total size of the HTTP request body (in bytes).
-
-:::note
-This field may have a value larger than the one returned by `len(http.request.body.raw)`, since the [`http.request.body.raw`](#httprequestbodyraw) field only considers the request body up to a maximum size that varies according to your Cloudflare plan.
-:::
-
-## `http.request.body.form`
-
-`http.request.body.form`
-
-The HTTP request body of a form represented as a Map (or associative array). Populated when the `Content-Type` header is `application/x-www-form-urlencoded`.
-
-The values are not pre-processed and retain the original case used in the request.
-
-When a field repeats, then the array contains multiple items in the order they are in the request.
-
-The return value may be truncated if [`http.request.body.truncated`](#httprequestbodytruncated) is true.
-
-- **Decoding:** no decoding performed
-- **Whitespace:** preserved
-- **Non-ASCII:** preserved
-
-Example value:
-
-`{"username": ["admin"]}`
-
-Example usage:
-
-`any(http.request.body.form["username"][*] == "admin")`
-
-## `http.request.body.form.names`
-
-`http.request.body.form.names`
-
-The names of the form fields in an HTTP request where the content type is `application/x-www-form-urlencoded`.
-
-Names are not pre-processed and retain the original case used in the request. They are listed in the same order as in the request.
-
-Duplicate names are listed multiple times.
-
-The return value may be truncated if [`http.request.body.truncated`](#httprequestbodytruncated) is true.
-
-- **Decoding:** no decoding performed
-- **Whitespace:** preserved
-- **Non-ASCII:** preserved
-
-Example value:
-
-`["username"]`
-
-Example usage:
-
-`any(http.request.body.form.names[*] == "username")`
-
-## `http.request.body.form.values`
-
-`http.request.body.form.values`
-
-The values of the form fields in an HTTP request where the content type is `application/x-www-form-urlencoded`.
-
-The values are not pre-processed and retain the original case used in the request. They are listed in the same order as in the request.
-
-Duplicated values are listed multiple times.
-
-The return value may be truncated if [`http.request.body.truncated`](#httprequestbodytruncated) is true.
-
-- **Decoding:** no decoding performed
-- **Whitespace:** preserved
-- **Non-ASCII:** preserved
-
-Example value:
-
-`["admin"]`
-
-Example usage:
-
-`any(http.request.body.form.values[*] == "admin")`
-
-## `http.request.body.mime`
-
-`http.request.body.mime`
-
-The MIME type of the request detected from the request body.
-
-Supports the most common MIME types of the following general categories: video, audio, image, application, text.
-
-Example value:
-
-`"image/jpeg"`
-
-Example usage:
-
-`http.request.body.mime in {"image/bmp" "image/gif" "image/jpeg" "image/png" "image/tiff"}`
-
-This field is available on all Cloudflare plans.
-
-## `http.request.body.multipart`
-
-`http.request.body.multipart`
-
-A Map (or associative array) representation of multipart names to multipart values in the request body.
-
-Example value:
-
-`{"username": ["alice_doe"], "role": ["editor"], "picture": []}`
-
-Example usage:
-
-`any(http.request.body.multipart["role"][*] == "admin")`
-
-## `http.request.body.multipart.names`
-
-`http.request.body.multipart.names`
-
-List of multipart names for every part in the multipart body.
-
-Example value:
-
-`[["username"], ["picture"]]`
-
-Example usage:
-
-`any(http.request.body.multipart.names[*][0] == "picture")`
-
-## `http.request.body.multipart.values`
-
-`http.request.body.multipart.values`
-
-List of multipart values for every part in the multipart body.
-
-Example value:
-
-`["alice_doe", ]`
-
-Example usage:
-
-`any(http.request.body.multipart.values[*] == "alice_doe")`
-
-## `http.request.body.multipart.content_types`
-
-`http.request.body.multipart.content_types`
-
-List of `Content-Type` headers for each part in the multipart body.
-
-Example value:
-
-`[["text/plain"], ["image/jpeg"]]`
-
-Example usage:
-
-`any(http.request.body.multipart.content_types[*][0] == "application/octet-stream")`
-
-## `http.request.body.multipart.content_dispositions`
-
-`http.request.body.multipart.content_dispositions`
-
-List of `Content-Disposition` headers for each part in the multipart body.
-
-Example value:
-
-`[["form-data; name=\"username\""], ["form-data; name=\"picture\""]]`
-
-Example usage:
-
-`any(http.request.body.multipart.content_dispositions[*][0] in {"form-data; name=\"username\"" "form-data; name=\"picture\""})`
-
-## `http.request.body.multipart.content_transfer_encodings`
-
-`http.request.body.multipart.content_transfer_encodings`
-
-List of `Content-Transfer-Encoding` headers for each part in the multipart body.
-
-Example value:
-
-`[["quoted-printable"], ["base64"]]`
-
-Example usage:
-
-`any(http.request.body.multipart.content_transfer_encodings[*][0] == "binary")`
-
-## `http.request.body.multipart.filenames`
-
-`http.request.body.multipart.filenames`
-
-List of filenames for each part in the multipart body.
-
-Example value:
-
-`[["file1.txt"], ["photo.jpg"]]`
-
-Example usage:
-
-`any(http.request.body.multipart.filenames[*][0] in {"token.txt" "password.txt"})`
diff --git a/src/content/docs/ruleset-engine/rules-language/fields/http-request-header.mdx b/src/content/docs/ruleset-engine/rules-language/fields/http-request-header.mdx
deleted file mode 100644
index ea15cc2c400fff1..000000000000000
--- a/src/content/docs/ruleset-engine/rules-language/fields/http-request-header.mdx
+++ /dev/null
@@ -1,152 +0,0 @@
----
-title: HTTP request header fields
-pcx_content_type: reference
-sidebar:
- order: 5
-head:
- - tag: title
- content: HTTP request header fields | Fields reference
----
-
-import { Type } from "~/components";
-
-The Rules language includes fields that represent properties of HTTP request headers. Many of these return [arrays](/ruleset-engine/rules-language/values/#arrays) containing the respective values.
-
-The Cloudflare Rules language supports these HTTP header fields.
-
-## `http.request.headers`
-
-`http.request.headers`
-
-The HTTP request headers represented as a Map (or associative array).
-
-The keys of the associative array are the names of HTTP request headers converted to lowercase.
-
-When there are repeating headers, the array includes them in the order they appear in the request.
-
-The request header values are not pre-processed and retain the original case used in the request.
-
-- **Decoding:** no decoding performed
-- **Whitespace:** preserved
-- **Non-ASCII:** preserved
-
-Example usage:
-
-```txt
-any(http.request.headers["content-type"][*] == "application/json")
-```
-
-Example value:
-
-```
-{"content-type": ["application/json"]}
-```
-
-## `http.request.headers.names`
-
-`http.request.headers.names`
-
-The names of the headers in the HTTP request.
-
-The names are not pre-processed and retain the original case used in the request.
-
-:::note
-In HTTP/2, the names of HTTP headers are always in lowercase. Recent versions of the `curl` tool [enable HTTP/2 by default](https://curl.se/docs/manpage.html#--http2) for HTTPS connections.
-:::
-
-The order of header names is not guaranteed but will match [`http.request.headers.values`](#httprequestheadersvalues).
-
-Duplicate headers are listed multiple times.
-
-- **Decoding:** no decoding performed
-- **Whitespace:** preserved
-- **Non-ASCII:** preserved
-
-Example usage:
-
-```txt
-any(http.request.headers.names[*] == "content-type")
-```
-
-Example value: `["content-type"]`
-
-## `http.request.headers.values`
-
-`http.request.headers.values`
-
-The values of the headers in the HTTP request.
-
-The values are not pre-processed and retain the original case used in the request.
-
-The order of header values is not guaranteed but will match [`http.request.headers.names`](#httprequestheadersnames).
-
-Duplicate headers are listed multiple times.
-
-- **Decoding:** no decoding performed
-- **Whitespace:** preserved
-- **Non-ASCII:** preserved
-
-Example value 1:
-
-```txt
-["application/json"]
-```
-
-Example usage 1:
-
-```txt
-any(http.request.headers.values[*] == "application/json")
-```
-
-Additionally used to match requests according to the specified operator and the length/size entered for the header value.
-
-Example value 2:
-
-```txt
-["This header value is longer than 10 bytes"]
-```
-
-Example usage 2:
-
-```txt
-any(len(http.request.headers.values[*])[*] gt 10)
-```
-
-## `http.request.headers.truncated`
-
-`http.request.headers.truncated`
-
-Returns `true` when the HTTP request contains too many headers; otherwise, returns `false`.
-
-When `true`, [`http.request.headers`](#httprequestheaders), [`http.request.headers.names`](#httprequestheadersnames), and [`http.request.headers.values`](#httprequestheadersvalues) may not contain all of the headers sent in the HTTP request.
-
-## `http.request.accepted_languages`
-
-`http.request.accepted_languages`
-
-List of language tags provided in the [`Accept-Language`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language) HTTP request header, sorted by weight (`;q=`, with a default weight of `1`) in descending order.
-
-If the HTTP header is not present in the request or is empty, `http.request.accepted_languages[0]` will return a "[missing value](/ruleset-engine/rules-language/values/#notes)", which the [`concat()`](/ruleset-engine/rules-language/functions/#concat) function will handle as an empty string.
-
-If the HTTP header includes the language tag `*` it will not be stored in the array.
-
-Example 1:
-
-Request with header `Accept-Language: fr-CH, fr;q=0.8, en;q=0.9, de;q=0.7, *;q=0.5`. In this case:
-
-```txt
-http.request.accepted_languages[0] ==> "fr-CH"
-http.request.accepted_languages ==> ["fr-CH", "en", "fr", "de"]
-```
-
-Example 2:
-
-Request without an `Accept-Language` HTTP header and a URI of `https://www.example.com/my-path`. In this case:
-
-```txt
-concat("/", http.request.accepted_languages[0], http.request.uri.path) ==> "//my-path"
-```
-
-:::note
-This field is only available in [Transform Rules](/rules/transform/).
-:::
diff --git a/src/content/docs/ruleset-engine/rules-language/fields/http-request-response.mdx b/src/content/docs/ruleset-engine/rules-language/fields/http-request-response.mdx
deleted file mode 100644
index e8ff32e90f6b830..000000000000000
--- a/src/content/docs/ruleset-engine/rules-language/fields/http-request-response.mdx
+++ /dev/null
@@ -1,166 +0,0 @@
----
-title: HTTP request response fields
-pcx_content_type: reference
-sidebar:
- order: 7
-head:
- - tag: title
- content: HTTP request response fields | Fields reference
----
-
-import { Details, Type } from "~/components";
-
-The Cloudflare Rules language supports these HTTP response fields.
-
-## `http.response.code`
-
-`http.response.code`
-
-The HTTP status code returned to the client, either set by a Cloudflare product or returned by the origin server.
-
-Example value:
-`403`
-
-## `http.response.headers`
-
-`http.response.headers`
-
-The HTTP response headers represented as a Map (or associative array).
-
-When there are repeating headers, the array includes them in the order they appear in the response. The keys convert to lowercase.
-
-- Decoding: no decoding performed
-- Whitespace: preserved
-- Non-ASCII: preserved
-
-Example value:
-
-```txt
-{"server": ["nginx"]}
-```
-
-Example usage:
-
-```txt
-any(http.response.headers["server"][*] == "nginx")
-```
-
-## `http.response.headers.names`
-
-`http.response.headers.names`
-
-The names of the headers in the HTTP response. The names are not pre-processed and retain the original case used in the response.
-
-The order of header names is not guaranteed but will match [`http.response.headers.values`](#httpresponseheadersvalues).
-
-Duplicate headers are listed multiple times.
-
-- Decoding: no decoding performed
-- Whitespace: preserved
-- Non-ASCII: preserved
-
-Example value:
-
-`["content-type"]`
-
-Example usage:
-
-```txt
-any(http.response.headers.names[*] == "content-type")
-```
-
-## `http.response.headers.values`
-
-`http.response.headers.values`
-
-The values of the headers in the HTTP response.
-
-The values are not pre-processed and retain the original case used in the response.
-
-The order of header values is not guaranteed but will match [`http.response.headers.names`](#httpresponseheadersnames).
-
-Duplicate headers are listed multiple times.
-
-- Decoding: no decoding performed
-- Whitespace: preserved
-- Non-ASCII: preserved
-
-Example value 1:
-
-`["application/json"]`
-
-Example usage 1:
-
-```txt
-any(http.response.headers.values[*] == "application/json")
-```
-
-Additionally used to match responses according to the specified operator and the length/size entered for the header value.
-
-Example value 2:
-
-`["This header value is longer than 10 bytes"]`
-
-Example usage 2:
-
-```txt
-any(len(http.response.headers.values[*])[*] gt 10)
-```
-
-## `http.response.content_type.media_type`
-
-`http.response.content_type.media_type`
-
-The lowercased content type (including subtype and suffix) without any parameters such as `charset`, based on the response's `Content-Type` header.
-
-
-
-| Content-Type header | Field value |
-| --------------------------------------- | ------------------- |
-| `text/html` | `"text/html"` |
-| `text/html; charset=utf-8` | `"text/html"` |
-| `text/html+extra` | `"text/html+extra"` |
-| `text/html+extra; charset=utf-8` | `"text/html+extra"` |
-| `text/HTML` | `"text/html"` |
-| `text/html; charset=utf-8; other=value` | `"text/html"` |
-
-
-
-## `cf.response.1xxx_code`
-
-`cf.response.1xxx_code`
-
-Contains the specific code for 1XXX Cloudflare errors. Use this field to differentiate between 1XXX errors associated with the same HTTP status code. The default value is `0`. For a list of 1XXX errors, refer to [Troubleshooting Cloudflare 1XXX errors](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-1xxx-errors/).
-
-Example value:
-
-`1020`
-
-:::note
-Note: This field is only available in [HTTP response header modifications](/rules/transform/response-header-modification/) and [Custom Error Responses](/rules/custom-error-responses/).
-:::
-
-## `cf.response.error_type`
-
-`cf.response.error_type`
-
-A string with the type of error in the response being returned. The default value is an empty string (`""`).
-
-The available values are the following:
-
-- `"managed_challenge"`
-- `"iuam"`
-- `"legacy_challenge"`
-- `"ip_ban"`
-- `"waf"`
-- `"5xx"`
-- `"1xxx"`
-- `"always_online"`
-- `"country_challenge"`
-- `"ratelimit"`
-
-You can use this field to customize the response for a specific type of error (for example, all 1XXX errors or all WAF block actions).
-
-:::note
-This field is only available in [HTTP response header modifications](/rules/transform/response-header-modification/) and [Custom Error Responses](/rules/custom-error-responses/).
-:::
diff --git a/src/content/docs/ruleset-engine/rules-language/fields/index.mdx b/src/content/docs/ruleset-engine/rules-language/fields/index.mdx
index f87360c5015c080..9b1d3a30bddb585 100644
--- a/src/content/docs/ruleset-engine/rules-language/fields/index.mdx
+++ b/src/content/docs/ruleset-engine/rules-language/fields/index.mdx
@@ -10,6 +10,23 @@ head:
import { DirectoryListing } from "~/components";
-The Cloudflare Rules language supports a range of field types:
+The Cloudflare Rules language supports different types of fields such as:
-
+- Request fields that represent the basic properties of incoming requests, including specific fields for accessing request headers, URI components, and the request body.
+- Dynamic fields that represent computed or derived values, typically related to threat intelligence about an HTTP request.
+- Response fields that represent the basic properties of the received response.
+- Raw fields that preserve the original request values for later evaluations.
+
+Refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/) for the list of available fields.
+
+## Differences from Wireshark display fields
+
+Most fields supported by the Cloudflare Rules language use the same naming conventions as [Wireshark display fields](https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html). However, there are some subtle differences between Cloudflare and Wireshark:
+
+- Wireshark supports [CIDR (Classless Inter-Domain Routing) notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) for expressing IP address ranges in equality comparisons (`ip.src == 1.2.3.0/24`, for example). Cloudflare does not.
+
+ To evaluate a range of addresses using CIDR notation, use the `in` [comparison operator](/ruleset-engine/rules-language/operators/#comparison-operators) as in this example: `ip.src in {1.2.3.0/24 4.5.6.0/24}`.
+
+- In Wireshark, `ssl` is a protocol field containing hundreds of other fields of various types that are available for comparison in multiple ways. However, in the Rules language `ssl` is a single Boolean field that indicates whether the connection from the client to Cloudflare is encrypted.
+
+- The Cloudflare Rules language does not support the `slice` operator.
diff --git a/src/content/docs/ruleset-engine/rules-language/fields/magic-firewall.mdx b/src/content/docs/ruleset-engine/rules-language/fields/magic-firewall.mdx
deleted file mode 100644
index 3e9ee7c10bd9fcc..000000000000000
--- a/src/content/docs/ruleset-engine/rules-language/fields/magic-firewall.mdx
+++ /dev/null
@@ -1,311 +0,0 @@
----
-title: Magic firewall fields
-pcx_content_type: reference
-sidebar:
- order: 2
-head:
- - tag: title
- content: Magic firewall fields | Fields reference
----
-
-import { Type } from "~/components";
-
-:::note
-Some Magic Firewall fields are available only to customers who purchased Magic Firewall's advanced features. Refer to [Magic Firewall plans](/magic-firewall/plans/) for more information.
-:::
-
-## `cf.colo.name`
-
-`cf.colo.name`
-
-The data center that is handling this traffic.
-
-Example value: `"sfo06"`
-
----
-
-## `cf.colo.region`
-
-`cf.colo.region`
-
-Region of the data center that is handling this traffic.
-
-Example value: `"WNAM"`
-
----
-
-## `icmp`
-
-`icmp`
-
-The raw ICMP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
-
----
-
-## `icmp.type`
-
-`icmp.type`
-
-The [ICMP type](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#header_type). Only applies to ICMP packets.
-
-Example value: `8`
-
----
-
-## `icmp.code`
-
-`icmp.code`
-
-The [ICMP code](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#header_code). Only applies to ICMP packets.
-
-Example value: `2`
-
----
-
-## `ip`
-
-`ip`
-
-The raw IP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
-
----
-
-## `ip.dst`
-
-`ip.dst`
-
-The destination address as specified in the IP packet.
-
-Example value: `192.0.2.2`
-
----
-
-## `ip.dst.country`
-
-`ip.dst.country`
-
-Represents the 2-letter country code associated with the server IP address in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format.
-
-Example value: `"GB"`
-
-For more information on the ISO 3166-1 Alpha 2 format, refer to [ISO 3166-1 Alpha 2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) on Wikipedia.
-
----
-
-## `ip.src.country`
-
-`ip.src.country`
-
-Represents the 2-letter country code associated with the client IP address in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format.
-
-Example value: `"GB"`
-
-For more information on the ISO 3166-1 Alpha 2 format, refer to [ISO 3166-1 Alpha 2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) on Wikipedia.
-
-For Magic Firewall, the `ip.geoip.country` field (which is deprecated) will match on either source or destination address. The `ip.geoip.country` field is still available for new and existing rules, but you should use the `ip.src.country` and/or `ip.dst.country` fields instead.
-
----
-
-## `ip.hdr_len`
-
-`ip.hdr_len`
-
-The length of the IPv4 header in bytes.
-
-Example value: `5`
-
----
-
-## `ip.len`
-
-`ip.len`
-
-The length of the packet including the header.
-
-Example value: `60`
-
----
-
-## `ip.opt.type`
-
-`ip.opt.type`
-
-The first byte of [IP options field](https://en.wikipedia.org/wiki/IPv4#Options), if the options field is set.
-
-Example value: `25`
-
----
-
-## `ip.proto`
-
-`ip.proto`
-
-The transport layer for the packet, if it can be determined.
-
-Example values: `"icmp"`, `"tcp"`
-
----
-
-## `ip.src`
-
-`ip.src`
-
-The source address of the IP Packet.
-
----
-
-## `ip.src.country`
-
-`ip.src.country`
-
-Represents the 2-letter country code associated with the client IP address in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format.
-
-Example value: `"GB"`
-
-For more information on the ISO 3166-1 Alpha 2 format, refer to [ISO 3166-1 Alpha 2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) on Wikipedia.
-
----
-
-## `ip.ttl`
-
-`ip.ttl`
-
-The time-to-live of the IP Packet.
-
-Example values: `54`
-
----
-
-## `sip`
-
-`sip`
-
-Determines if packets are valid L7 protocol [SIP](https://datatracker.ietf.org/doc/html/rfc2543). Requires UDP packets to operate.
-
-Use a guard clause as shown below to ensure the packet is UDP (wirefilter):
-
-`ip.proto == "udp"`
-
----
-
-## `tcp`
-
-`tcp`
-
-The raw TCP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
-
----
-
-## `tcp.flags`
-
-`tcp.flags`
-
-The numeric value of the TCP flags byte.
-
----
-
-## `tcp.flags.ack`
-
-`tcp.flags.ack`
-
-TCP acknowledgment flag.
-
----
-
-## `tcp.flags.cwr`
-
-`tcp.flags.cwr`
-
-TCP congestion window reduced flag.
-
----
-
-## `tcp.flags.ecn`
-
-`tcp.flags.ecn`
-
-TCP ECN-Echo flag.
-
----
-
-## `tcp.flags.fin`
-
-`tcp.flags.fin`
-
-TCP flag indicating this is the last packet from sender.
-
----
-
-## `tcp.flags.push`
-
-`tcp.flags.push`
-
-TCP push flag.
-
----
-
-## `tcp.flags.reset`
-
-`tcp.flags.reset`
-
-TCP reset flag.
-
----
-
-## `tcp.flags.syn`
-
-`tcp.flags.syn`
-
-TCP synchronize flag.
-
----
-
-## `tcp.flags.urg`
-
-`tcp.flags.urg`
-
-TCP urgent flag.
-
----
-
-## `tcp.srcport`
-
-`tcp.srcport`
-
-Source port number of the IP packet. Only applies to TCP packets.
-
----
-
-## `tcp.dstport`
-
-`tcp.dstport`
-
-Destination port number of the IP packet. Only applies to TCP packets.
-
----
-
-## `udp`
-
-`udp`
-
-The raw UDP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
-
----
-
-## `udp.dstport`
-
-`udp.dstport`
-
-Destination port number of the IP packet. Only applies to UDP packets.
-
----
-
-## `udp.srcport`
-
-`udp.srcport`
-
-Source port number of the IP packet. Only applies to UDP packets.
-
----
-
-_GeoIP is the registered trademark of MaxMind, Inc._
diff --git a/src/content/docs/ruleset-engine/rules-language/fields/reference/index.mdx b/src/content/docs/ruleset-engine/rules-language/fields/reference/index.mdx
new file mode 100644
index 000000000000000..cab4bf3a07a0b54
--- /dev/null
+++ b/src/content/docs/ruleset-engine/rules-language/fields/reference/index.mdx
@@ -0,0 +1,9 @@
+---
+pcx_content_type: navigation
+title: Fields reference
+hideChildren: true
+---
+
+import FieldCatalog from "~/pages/ruleset-engine/rules-language/fields/reference/index.astro";
+
+
diff --git a/src/content/docs/ruleset-engine/rules-language/fields/standard-fields.mdx b/src/content/docs/ruleset-engine/rules-language/fields/standard-fields.mdx
deleted file mode 100644
index ede51025be34f78..000000000000000
--- a/src/content/docs/ruleset-engine/rules-language/fields/standard-fields.mdx
+++ /dev/null
@@ -1,547 +0,0 @@
----
-title: Standard fields
-pcx_content_type: reference
-sidebar:
- order: 1
-head:
- - tag: title
- content: Standard fields | Fields reference
----
-
-import { Details, Render, Type } from "~/components";
-
-Most standard fields use the same naming conventions as [Wireshark display fields](https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html). However, there are some subtle differences between Cloudflare and Wireshark:
-
-- Wireshark supports [CIDR (Classless Inter-Domain Routing) notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) for expressing IP address ranges in equality comparisons (`ip.src == 1.2.3.0/24`, for example). Cloudflare does not.
-
- To evaluate a range of addresses using CIDR notation, use the `in` [comparison operator](/ruleset-engine/rules-language/operators/#comparison-operators) as in this example: `ip.src in {1.2.3.0/24 4.5.6.0/24}`.
-
-- In Wireshark, `ssl` is a protocol field containing hundreds of other fields of various types that are available for comparison in multiple ways. However, in the Rules language `ssl` is a single Boolean field that indicates whether the connection from the client to Cloudflare is encrypted.
-
-- The Cloudflare Rules language does not support the `slice` operator.
-
-:::note[Availability notes]
-
-- Geolocation information is provided and maintained by MaxMind. Access to `ip.src.is_in_european_union`, `ip.src.subdivision_1_iso_code`, and `ip.src.subdivision_2_iso_code` fields requires a Cloudflare Business or Enterprise plan.
-
-- Access to `http.request.cookies` field requires a Cloudflare Pro, Business, or Enterprise plan.
-
-:::
-
-The Cloudflare Rules language supports these standard fields.
-
-## `http.cookie`
-
-`http.cookie`
-
-The entire cookie as a string.
-
-Example value:
-
-```txt
-"session=8521F670545D7865F79C3D7BEDC29CCE;-background=light"
-```
-
-## `http.host`
-
-`http.host`
-
-The hostname used in the full request URI.
-
-Example value:
-
-```txt
-"www.example.org"
-```
-
-## `http.referer`
-
-`http.referer`
-
-The HTTP `Referer` request header, which contains the address of the web page that linked to the currently requested page.
-
-Example value:
-
-```txt
-"https://developer.example.org/en-US/docs/Web/JavaScript"
-```
-
-## `http.request.full_uri`
-
-`http.request.full_uri`
-
-The full URI as received by the web server (does not include `#fragment`, which is not sent to web servers).
-
-Example value:
-
-```txt
-"https://www.example.org/articles/index?section=539061&expand=comments"
-```
-
-## `http.request.method`
-
-`http.request.method`
-
-The HTTP method, returned as a string of uppercase characters.
-
-Example value:
-
-```txt
-"GET"
-```
-
-## `http.request.cookies`
-
-`http.request.cookies`
-
-The `Cookie` HTTP header associated with a request represented as a Map (associative array). The cookie values are not pre-processed and retain the original case used in the request.
-
-**Decoding:** The cookie names are URL decoded. If two cookies have the same name after decoding, their value arrays are merged.
-
-Example value:
-
-```txt
-{ "app": ["test"] }
-```
-
-Example usage:
-
-```txt
-any(http.request.cookies["app"][*] == "test")
-```
-
-## `http.request.timestamp.sec`
-
-`http.request.timestamp.sec`
-
-The timestamp when Cloudflare received the request, expressed as UNIX time in seconds. This value is 10 digits long.
-
-To obtain the timestamp milliseconds, use the [`http.request.timestamp.msec`](#httprequesttimestampmsec) field.
-
-Example value:
-
-```txt
-1484063137
-```
-
-When validating HMAC tokens in an expression, pass this field as the `currentTimestamp` argument to the [`is_timed_hmac_valid_v0()`](/ruleset-engine/rules-language/functions/#hmac-validation) validation function.
-
-## `http.request.timestamp.msec`
-
-`http.request.timestamp.msec`
-
-The millisecond when Cloudflare received the request, between 0 and 999.
-
-To obtain the complete timestamp, use both [`http.request.timestamp.sec`](#httprequesttimestampsec) and [`http.request.timestamp.msec`](#httprequesttimestampmsec) fields.
-
-Example value:
-
-```txt
-857
-```
-
-## `http.request.uri`
-
-`http.request.uri`
-
-The URI path and query string of the request.
-
-Example value:
-
-```txt
-"/articles/index?section=539061&expand=comments"
-```
-
-## `http.request.uri.path`
-
-`http.request.uri.path`
-
-The URI path of the request.
-
-Example value:
-
-```txt
-"/articles/index"
-```
-
-## `http.request.uri.path.extension`
-
-`http.request.uri.path.extension`
-
-The lowercased file extension in the URI path without the dot (`.`) character. This corresponds to the string after the last dot in the URI path, excluding the query string.
-
-If the first character of the last path segment is a dot and the segment does not contain other dot characters, the field value will be an empty string (`""`). Having a dot as the first character does not represent a file extension and is commonly used in UNIX-like systems to denote a hidden file or directory.
-
-Example values:
-
-- If the URI path is `/articles/index.html`, the field value will be `"html"`.
-- If the URI path is `/articles/index.`, the field value will be an empty string (`""`).
-
-
-
-| URI path | Field value |
-| -------------- | ----------- |
-| `/foo` | `""` |
-| `/foo.mp3` | `"mp3"` |
-| `/.mp3` | `""` |
-| `/.foo.mp3` | `"mp3"` |
-| `/foo.tar.bz2` | `"bz2"` |
-| `/foo.` | `""` |
-| `/foo.MP3` | `"mp3"` |
-
-
-
-## `http.request.uri.query`
-
-`http.request.uri.query`
-
-The entire query string, without the `?` delimiter.
-
-Example value:
-
-```txt
-"section=539061&expand=comments"
-```
-
-## `http.user_agent`
-
-`http.user_agent`
-
-The HTTP `User-Agent` request header, which contains a characteristic string to identify the client operating system and web browser.
-
-Example value:
-
-```txt
-"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"
-```
-
-## `http.request.version`
-
-`http.request.version`
-
-The version of the HTTP protocol used. Use this field when different checks are needed for different versions.
-
-Example values:
-
-- `"HTTP/1.1"`
-- `"HTTP/3"`
-
-## `http.x_forwarded_for`
-
-`http.x_forwarded_for`
-
-The full value of the `X-Forwarded-For` HTTP header.
-
-Example value:
-
-```txt
-"203.0.113.195, 70.41.3.18"
-```
-
-## `ip.src`
-
-`ip.src`
-
-The client TCP IP address, which may be adjusted to reflect the actual address of the client using HTTP headers such as `X-Forwarded-For` or `X-Real-IP`.
-
-Example value:
-
-```txt
-93.184.216.34
-```
-
-## `ip.src.lat`
-
-`ip.src.lat`
-
-The latitude associated with the client IP address.
-
-Example value:
-
-```txt
-"37.78044"
-```
-
-## `ip.src.lon`
-
-`ip.src.lon`
-
-The longitude associated with the client IP address.
-
-Example value:
-
-```txt
-"-122.39055"
-```
-
-## `ip.src.city`
-
-`ip.src.city`
-
-The city associated with the client IP address.
-
-Example value:
-
-```txt
-"San Francisco"
-```
-
-## `ip.src.postal_code`
-
-`ip.src.postal_code`
-
-The postal code associated with the incoming request.
-
-Example value:
-
-```txt
-"78701"
-```
-
-## `ip.src.metro_code`
-
-`ip.src.metro_code`
-
-The metro code or Designated Market Area (DMA) code associated with the incoming request.
-
-Example value:
-
-```txt
-"635"
-```
-
-## `ip.src.region`
-
-`ip.src.region`
-
-The region name associated with the incoming request.
-
-Example value:
-
-```txt
-"Texas"
-```
-
-## `ip.src.region_code`
-
-`ip.src.region_code`
-
-The region code associated with the incoming request.
-
-Example value:
-
-```txt
-"TX"
-```
-
-## `ip.src.timezone.name`
-
-`ip.src.timezone.name`
-
-The name of the timezone associated with the incoming request. This field is only available in rewrite expressions of [Transform Rules](/rules/transform/).
-
-Example value:
-
-```txt
-"America/Chicago"
-```
-
-## `ip.src.asnum`
-
-`ip.src.asnum`
-
-The 16-bit or 32-bit integer representing the Autonomous System (AS) number associated with the client IP address.
-
-This field has the same value as the `ip.geoip.asnum` field, which is deprecated. The `ip.geoip.asnum` field is still available for new and existing rules, but you should use the `ip.src.asnum` field instead.
-
-## `ip.src.continent`
-
-`ip.src.continent`
-
-The continent code associated with the client IP address:
-
-- `"AF"`: Africa
-- `"AN"`: Antarctica
-- `"AS"`: Asia
-- `"EU"`: Europe
-- `"NA"`: North America
-- `"OC"`: Oceania
-- `"SA"`: South America
-- `"T1"`: Tor network
-
-This field has the same value as the `ip.geoip.continent` field, which is deprecated. The `ip.geoip.continent` field is still available for new and existing rules, but you should use the `ip.src.continent` field instead.
-
-## `ip.src.country`
-
-`ip.src.country`
-
-The 2-letter country code in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format.
-
-Example value:
-
-```txt
-"GB"
-```
-
-For more information on the ISO 3166-1 Alpha 2 format, refer to [ISO 3166-1 Alpha 2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) on Wikipedia.
-
-This field has the same value as the `ip.geoip.country` field, which is deprecated. The `ip.geoip.country` field is still available for new and existing rules, but you should use the `ip.src.country` field instead.
-
-## `ip.src.subdivision_1_iso_code`
-
-`ip.src.subdivision_1_iso_code`
-
-The ISO 3166-2 code for the first-level region associated with the IP address. When the actual value is not available, this field contains an empty string.
-
-Example value:
-
-```txt
-"GB-ENG"
-```
-
-For more information on the ISO 3166-2 standard and the available regions, refer to [ISO 3166-2](https://en.wikipedia.org/wiki/ISO_3166-2) on Wikipedia.
-
-This field has the same value as the `ip.geoip.subdivision_1_iso_code` field, which is deprecated. The `ip.geoip.subdivision_1_iso_code` field is still available for new and existing rules, but you should use the `ip.src.subdivision_1_iso_code` field instead.
-
-## `ip.src.subdivision_2_iso_code`
-
-`ip.src.subdivision_2_iso_code`
-
-The ISO 3166-2 code for the second-level region associated with the IP address. When the actual value is not available, this field contains an empty string.
-
-Example value:
-
-```txt
-"GB-SWK"
-```
-
-For more information on the ISO 3166-2 standard and the available regions, refer to [ISO 3166-2](https://en.wikipedia.org/wiki/ISO_3166-2) on Wikipedia.
-
-This field has the same value as the `ip.geoip.subdivision_2_iso_code` field, which is deprecated. The `ip.geoip.subdivision_2_iso_code` field is still available for new and existing rules, but you should use the `ip.src.subdivision_2_iso_code` field instead.
-
-## `ip.src.is_in_european_union`
-
-`ip.src.is_in_european_union`
-
-Returns `true` when the request originates from a country in the European Union (EU).
-
-
-
-| Country code | Country name |
-| ------------ | --------------- |
-| `AT` | Austria |
-| `AX` | Åland Islands |
-| `BE` | Belgium |
-| `BG` | Bulgaria |
-| `CY` | Cyprus |
-| `CZ` | Czechia |
-| `DE` | Germany |
-| `DK` | Denmark |
-| `EE` | Estonia |
-| `ES` | Spain |
-| `FI` | Finland |
-| `FR` | France |
-| `GF` | French Guiana |
-| `GP` | Guadeloupe |
-| `GR` | Greece |
-| `HR` | Croatia |
-| `HU` | Hungary |
-| `IE` | Ireland |
-| `IT` | Italy |
-| `LT` | Lithuania |
-| `LU` | Luxembourg |
-| `LV` | Latvia |
-| `MF` | Saint Martin |
-| `MQ` | Martinique |
-| `MT` | Malta |
-| `NL` | The Netherlands |
-| `PL` | Poland |
-| `PT` | Portugal |
-| `RE` | Réunion |
-| `RO` | Romania |
-| `SE` | Sweden |
-| `SI` | Slovenia |
-| `SK` | Slovakia |
-| `YT` | Mayotte |
-
-The EU country list was obtained from MaxMind's GeoIP2 database on 2023-12-05. For details on obtaining up-to-date country information, refer to the [MaxMind website](https://dev.maxmind.com/geoip/geolite2-free-geolocation-data).
-
-
-
-This field has the same value as the `ip.geoip.is_in_european_union` field, which is deprecated. The `ip.geoip.is_in_european_union` field is still available for new and existing rules, but you should use the `ip.src.is_in_european_union` field instead.
-
-## `raw.http.request.full_uri`
-
-`raw.http.request.full_uri`
-
-The raw full URI as received by the web server without the URI fragment (if any) and without any transformation.
-
-
-
-**Note:** This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
-
-## `raw.http.request.uri`
-
-`raw.http.request.uri`
-
-The raw URI path and query string of the request without any transformation.
-
-
-
-**Note:** This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
-
-## `raw.http.request.uri.path`
-
-`raw.http.request.uri.path`
-
-The raw URI path of the request without any transformation.
-
-
-
-**Note:** This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
-
-## `raw.http.request.uri.path.extension`
-
-`raw.http.request.uri.path.extension`
-
-The raw file extension in the request URI path without any transformation.
-
-
-
-## `raw.http.request.uri.query`
-
-`raw.http.request.uri.query`
-
-The entire query string without the `?` delimiter and without any transformation.
-
-
-
-**Note:** This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
-
-## `ssl`
-
-`ssl`
-
-Returns `true` when the HTTP connection to the client is encrypted.
-
----
-
-_GeoIP is the registered trademark of MaxMind, Inc._
diff --git a/src/content/docs/ruleset-engine/rules-language/fields/uri.mdx b/src/content/docs/ruleset-engine/rules-language/fields/uri.mdx
deleted file mode 100644
index ba93a9198615321..000000000000000
--- a/src/content/docs/ruleset-engine/rules-language/fields/uri.mdx
+++ /dev/null
@@ -1,111 +0,0 @@
----
-title: URI argument and value fields
-pcx_content_type: reference
-sidebar:
- order: 4
-head:
- - tag: title
- content: URI argument and value fields | Fields reference
----
-
-import { Render, Type } from "~/components";
-
-The Cloudflare Rules language includes URI argument and value fields associated with HTTP requests. Many of these fields return [arrays](/ruleset-engine/rules-language/values/#arrays) containing the respective values.
-
-The Cloudflare Rules language supports these URI argument and value fields.
-
-## `http.request.uri.args`
-
-`http.request.uri.args`
-
-The HTTP URI arguments associated with a request represented as a Map (associative array).
-
-When an argument repeats, the array contains multiple items in the order they appear in the request.
-
-The values are not pre-processed and retain the original case used in the request.
-
-- **Decoding:** no decoding performed
-- **Non-ASCII:** preserved
-
-Example:
-
-`any(http.request.uri.args["search"][*] == "red+apples")`
-
-Example value:
-
-`{"search": ["red+apples"]}`
-
-## `http.request.uri.args.names`
-
-`http.request.uri.args.names`
-
-The names of the arguments in the HTTP URI query string. The names are not pre-processed and retain the original case used in the request.
-
-When a name repeats, the array contains multiple items in the order that they appear in the request.
-
-- **Decoding:** no decoding performed
-- **Non-ASCII:** preserved
-
-Example:
-
-`any(http.request.uri.args.names[*] == "search")`
-
-Example value:
-
-`["search"]`
-
-## `http.request.uri.args.values`
-
-`http.request.uri.args.values`
-
-The values of arguments in the HTTP URI query string. The values are not pre-processed and retain the original case used in the request. They are in the same order as in the request.
-
-Duplicated values are listed multiple times.
-
-- **Decoding:** no decoding performed
-- **Non-ASCII:** preserved
-
-Example:
-
-`any(http.request.uri.args.values[*] == "red+apples")`
-
-Example value:
-
-`["red+apples"]`
-
-## `raw.http.request.uri.args`
-
-`raw.http.request.uri.args`
-
-The raw HTTP URI arguments associated with a request represented as a Map (associative array).
-
-
-
-## `raw.http.request.uri.args.names`
-
-`raw.http.request.uri.args.names`
-
-The raw names of the arguments in the HTTP URI query string.
-
-
-
-## `raw.http.request.uri.args.values`
-
-`raw.http.request.uri.args.values`
-
-The raw values of arguments in the HTTP URI query string.
-
-
diff --git a/src/content/docs/ruleset-engine/rules-language/functions.mdx b/src/content/docs/ruleset-engine/rules-language/functions.mdx
index 3cf94fdef440359..cfa47bd5d8a236f 100644
--- a/src/content/docs/ruleset-engine/rules-language/functions.mdx
+++ b/src/content/docs/ruleset-engine/rules-language/functions.mdx
@@ -274,7 +274,7 @@ For example, if `http.request.uri.path` is `"/blog/first-post"`, then `starts_wi
{/* prettier-ignore */}
substring(field , start , end ):
-Returns part of the `field` value (the value of a String or Bytes [field](/ruleset-engine/rules-language/fields/)) from the `start` byte index up to (but excluding) the `end` byte index. The first byte in `field` has index `0`. If you do not provide the optional `end` index, the function returns the part of the string from `start` index to the end of the string.
+Returns part of the `field` value (the value of a String or Bytes [field](/ruleset-engine/rules-language/fields/reference/)) from the `start` byte index up to (but excluding) the `end` byte index. The first byte in `field` has index `0`. If you do not provide the optional `end` index, the function returns the part of the string from `start` index to the end of the string.
The `start` and `end` indexes can be negative integer values, which allows you to access characters from the end of the string instead of the beginning.
@@ -354,7 +354,7 @@ any(url_decode(http.request.body.form.values[*])[*] contains "an xss attack")
{/* prettier-ignore */}
uuidv4(source ):
-Generates a random UUIDv4 (Universally Unique Identifier, version 4) based on the given argument (a source of randomness). To obtain an array of random bytes, use the [`cf.random_seed`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfrandom_seed) field.
+Generates a random UUIDv4 (Universally Unique Identifier, version 4) based on the given argument (a source of randomness). To obtain an array of random bytes, use the [`cf.random_seed`](/ruleset-engine/rules-language/fields/reference/cf.random_seed/) field.
For example, `uuidv4(cf.random_seed)` will return a UUIDv4 similar to `49887398-6bcf-485f-8899-f15dbef4d1d5`.
diff --git a/src/content/docs/ruleset-engine/rules-language/values.mdx b/src/content/docs/ruleset-engine/rules-language/values.mdx
index 854d855c9e347aa..7c403385f580450 100644
--- a/src/content/docs/ruleset-engine/rules-language/values.mdx
+++ b/src/content/docs/ruleset-engine/rules-language/values.mdx
@@ -172,7 +172,7 @@ For maps where the values have an `Array` type, you cannot directly use [operato
### Examples
-The following example is based on the [`http.request.headers`](/ruleset-engine/rules-language/fields/http-request-header/) field with a data type of `Map>`, where array elements are of `String` data type.
+The following example is based on the [`http.request.headers`](/ruleset-engine/rules-language/fields/reference/http.request.headers/) field with a data type of `Map>`, where array elements are of `String` data type.
If an incoming HTTP request included a single `Accept: application/json` HTTP header, the following expressions would evaluate to the indicated values:
@@ -184,7 +184,7 @@ any(http.request.headers["accept"][*] == "application/json") # ==> true
any(http.request.headers["accept"][*] == "text/plain") # ==> false
```
-The following example is based on the [`http.request.uri.args`](/ruleset-engine/rules-language/fields/uri/#httprequesturiargs) field with a data type of `Map>`, where array elements are of `String` data type.
+The following example is based on the [`http.request.uri.args`](/ruleset-engine/rules-language/fields/reference/http.request.uri.args/) field with a data type of `Map>`, where array elements are of `String` data type.
If an HTTP request included three `filter` URI arguments `waf`, `botm`, and `cdn`, the following expressions would evaluate to the indicated values:
diff --git a/src/content/docs/waf/account/rate-limiting-rulesets/create-dashboard.mdx b/src/content/docs/waf/account/rate-limiting-rulesets/create-dashboard.mdx
index d172af4d70a83e3..fe5a341f49ebba7 100644
--- a/src/content/docs/waf/account/rate-limiting-rulesets/create-dashboard.mdx
+++ b/src/content/docs/waf/account/rate-limiting-rulesets/create-dashboard.mdx
@@ -43,7 +43,7 @@ To create a new custom rate limiting ruleset:
The available characteristics depend on your Cloudflare plan and product subscriptions.
-10. (Optional) To define an expression that specifies the conditions for incrementing the rate counter, enable **Use custom counting expression** and set the expression. By default, the counting expression is the same as the rule expression. The counting expression can include [response fields](/ruleset-engine/rules-language/fields/http-request-response/).
+10. (Optional) To define an expression that specifies the conditions for incrementing the rate counter, enable **Use custom counting expression** and set the expression. By default, the counting expression is the same as the rule expression. The counting expression can include [response fields](/ruleset-engine/rules-language/fields/reference/).
11. Under **When rate exceeds**, define the maximum number of requests and the time period to consider when determining the rate.
diff --git a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx
index 164127a025db588..3a712a5b7e9186e 100644
--- a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx
@@ -3,7 +3,7 @@ pcx_content_type: configuration
title: Allow traffic from specific countries only
---
-This example blocks requests based on country code using the [`ip.src.country`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrccountry) field, only allowing requests from two countries: United States and Mexico.
+This example blocks requests based on country code using the [`ip.src.country`](/ruleset-engine/rules-language/fields/reference/ip.src.country/) field, only allowing requests from two countries: United States and Mexico.
- **Expression**: `(not ip.src.country in {"US" "MX"})`
- **Action**: _Block_
diff --git a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-verified-bots.mdx b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-verified-bots.mdx
index d02d6026b6cc252..1af3b3320fb6c96 100644
--- a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-verified-bots.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-verified-bots.mdx
@@ -8,7 +8,7 @@ head:
This example challenges requests from a list of countries, but allows traffic from search engine bots — such as Googlebot and Bingbot — and from other [verified bots](/bots/concepts/bot/#verified-bots).
-The rule expression uses the [`cf.client.bot`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfclientbot) field to determine if the request originated from a known good bot or crawler.
+The rule expression uses the [`cf.client.bot`](/ruleset-engine/rules-language/fields/reference/cf.client.bot/) field to determine if the request originated from a known good bot or crawler.
- **Expression**: `(ip.src.country in {"US" "MX"} and not cf.client.bot)`
- **Action**: _Managed Challenge_
diff --git a/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx b/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx
index c086ffb10947a9b..f0c7fa25d16450a 100644
--- a/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx
@@ -3,7 +3,7 @@ pcx_content_type: configuration
title: Block traffic from specific countries
---
-This example blocks requests based on country code using the [`ip.src.country`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrccountry) field.
+This example blocks requests based on country code using the [`ip.src.country`](/ruleset-engine/rules-language/fields/reference/ip.src.country/) field.
- **Expression**: `(ip.src.country in {"KN" "SY"})`
- **Action**: _Block_
diff --git a/src/content/docs/waf/custom-rules/use-cases/challenge-bad-bots.mdx b/src/content/docs/waf/custom-rules/use-cases/challenge-bad-bots.mdx
index 3f95eda99b119cc..46b102962745a6f 100644
--- a/src/content/docs/waf/custom-rules/use-cases/challenge-bad-bots.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/challenge-bad-bots.mdx
@@ -13,9 +13,9 @@ Bot score ranges from 1 through 99. A low score indicates the request comes from
These examples use:
-- [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfbot_managementscore) to target requests from bots
-- [`cf.bot_management.verified_bot`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfbot_managementverified_bot) to identify requests from [known good bots](https://radar.cloudflare.com/verified-bots)
-- [`cf.bot_management.ja3_hash`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfbot_managementja3_hash) to target specific [JA3 Fingerprints](/bots/concepts/ja3-ja4-fingerprint/)
+- [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/reference/cf.bot_management.score/) to target requests from bots
+- [`cf.bot_management.verified_bot`](/ruleset-engine/rules-language/fields/reference/cf.bot_management.verified_bot/) to identify requests from [known good bots](https://radar.cloudflare.com/verified-bots)
+- [`cf.bot_management.ja3_hash`](/ruleset-engine/rules-language/fields/reference/cf.bot_management.ja3_hash/) to target specific [JA3 Fingerprints](/bots/concepts/ja3-ja4-fingerprint/)
## Suggested rules
diff --git a/src/content/docs/waf/custom-rules/use-cases/exempt-partners-hotlink-protection.mdx b/src/content/docs/waf/custom-rules/use-cases/exempt-partners-hotlink-protection.mdx
index 90531304e62afbd..bce35e011ce980c 100644
--- a/src/content/docs/waf/custom-rules/use-cases/exempt-partners-hotlink-protection.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/exempt-partners-hotlink-protection.mdx
@@ -9,7 +9,7 @@ When enabled, [Cloudflare Hotlink Protection](/waf/tools/scrape-shield/hotlink-p
You can use custom rules to protect against hotlinking while allowing inline links from your partners. In this case, you will need to disable [Hotlink Protection](/waf/tools/scrape-shield/hotlink-protection/) within the **Scrape Shield** app so that partner referrals are not blocked by that feature.
-This example uses the [`http.referer`](/ruleset-engine/rules-language/fields/standard-fields/#httpreferer) field to target HTTP referrals from partner sites.
+This example uses the [`http.referer`](/ruleset-engine/rules-language/fields/reference/http.referer/) field to target HTTP referrals from partner sites.
The `not` operator matches HTTP referrals that are not from partner sites, and the action blocks them:
diff --git a/src/content/docs/waf/custom-rules/use-cases/require-specific-cookie.mdx b/src/content/docs/waf/custom-rules/use-cases/require-specific-cookie.mdx
index cec213b9d947ad1..a215f4157b9bb92 100644
--- a/src/content/docs/waf/custom-rules/use-cases/require-specific-cookie.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/require-specific-cookie.mdx
@@ -5,7 +5,7 @@ title: Require a specific cookie
To secure a sensitive area such as a development area, you can share a cookie with trusted individuals and then filter requests so that only users with that cookie can access your site.
-Use the [`http.cookie`](/ruleset-engine/rules-language/fields/standard-fields/#httpcookie) field to target requests based on the presence of a specific cookie.
+Use the [`http.cookie`](/ruleset-engine/rules-language/fields/reference/http.cookie/) field to target requests based on the presence of a specific cookie.
This example comprises two rules:
diff --git a/src/content/docs/waf/custom-rules/use-cases/require-specific-headers.mdx b/src/content/docs/waf/custom-rules/use-cases/require-specific-headers.mdx
index 48794c2c1efbc60..044970a07aa44a7 100644
--- a/src/content/docs/waf/custom-rules/use-cases/require-specific-headers.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/require-specific-headers.mdx
@@ -3,7 +3,7 @@ pcx_content_type: configuration
title: Require specific HTTP headers
---
-Many organizations qualify traffic based on the presence of specific HTTP request headers. Use the Rules language [HTTP request header fields](/ruleset-engine/rules-language/fields/http-request-header/) to target requests with specific headers.
+Many organizations qualify traffic based on the presence of specific HTTP request headers. Use the Rules language [HTTP request header fields](/ruleset-engine/rules-language/fields/reference/) to target requests with specific headers.
This example uses the `http.headers.names` field to look for the presence of an `X-CSRF-Token` header. The [`lower()`](/ruleset-engine/rules-language/functions/#lower) transformation function converts the value to lowercase so that the expression is case insensitive.
diff --git a/src/content/docs/waf/custom-rules/use-cases/require-specific-http-ports.mdx b/src/content/docs/waf/custom-rules/use-cases/require-specific-http-ports.mdx
index 505fa7ef299fc24..e8c4c18a0d259c9 100644
--- a/src/content/docs/waf/custom-rules/use-cases/require-specific-http-ports.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/require-specific-http-ports.mdx
@@ -7,7 +7,7 @@ import { Render } from "~/components";
By default, Cloudflare allows requests on a [number of different HTTP ports](/fundamentals/reference/network-ports/).
-You can target requests based on their HTTP port with the [`cf.edge.server_port`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfedgeserver_port) field. Use the `in` [comparison operator](/ruleset-engine/rules-language/operators/#comparison-operators) to target a set of ports.
+You can target requests based on their HTTP port with the [`cf.edge.server_port`](/ruleset-engine/rules-language/fields/reference/cf.edge.server_port/) field. Use the `in` [comparison operator](/ruleset-engine/rules-language/operators/#comparison-operators) to target a set of ports.
This example blocks requests to `www.example.com` that are not on ports `80` or `443`:
diff --git a/src/content/docs/waf/custom-rules/use-cases/stop-rudy-attacks.mdx b/src/content/docs/waf/custom-rules/use-cases/stop-rudy-attacks.mdx
index 141bf271b511839..a9e9e6fb2c66ce3 100644
--- a/src/content/docs/waf/custom-rules/use-cases/stop-rudy-attacks.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/stop-rudy-attacks.mdx
@@ -7,7 +7,7 @@ R-U-Dead-Yet (R.U.D.Y.) attacks accomplish denial of service (DoS) by submitting
This example combines three expressions to target HTTP `POST` requests that do not contain a legitimate authenticated session cookie:
-- The first expression uses the [`http.request.uri.path`](/ruleset-engine/rules-language/fields/standard-fields/#httprequesturipath) field to target the paths to secure from R.U.D.Y.:
+- The first expression uses the [`http.request.uri.path`](/ruleset-engine/rules-language/fields/reference/http.request.uri.path/) field to target the paths to secure from R.U.D.Y.:
```txt
http.request.uri.path matches "(comment|conversation|event|poll)/create"
diff --git a/src/content/docs/waf/custom-rules/use-cases/update-rules-customers-partners.mdx b/src/content/docs/waf/custom-rules/use-cases/update-rules-customers-partners.mdx
index e7b2bc70520c1e1..6bd23643d1972d0 100644
--- a/src/content/docs/waf/custom-rules/use-cases/update-rules-customers-partners.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/update-rules-customers-partners.mdx
@@ -22,8 +22,8 @@ If a customer or partner is large enough, you could set up a custom rule based o
This example uses:
-- The [`ip.src.asnum`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrcasnum) field to specify the general region.
-- The [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfbot_managementscore) field to ensure partner traffic does not come from bots.
+- The [`ip.src.asnum`](/ruleset-engine/rules-language/fields/reference/ip.src.asnum/) field to specify the general region.
+- The [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/reference/cf.bot_management.score/) field to ensure partner traffic does not come from bots.
Example rule:
@@ -39,8 +39,8 @@ Access to [Bot Management](/bots/plans/bm-subscription/) requires a Cloudflare E
This example uses:
-- The [`ip.src.asnum`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrcasnum) field to specify the general region.
-- The [`cf.threat_score`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfthreat_score) dynamic field to ensure requests are not high-risk traffic.
+- The [`ip.src.asnum`](/ruleset-engine/rules-language/fields/reference/ip.src.asnum/) field to specify the general region.
+- The [`cf.threat_score`](/ruleset-engine/rules-language/fields/reference/cf.threat_score/) dynamic field to ensure requests are not high-risk traffic.
If a request meets these criteria, your custom rule skips [User Agent Blocking](/waf/tools/user-agent-blocking/) rules.
@@ -57,7 +57,7 @@ For smaller organizations, you could set up custom rules based on IP addresses.
This example:
- Specifies the source IP address and the host.
-- Uses the [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfbot_managementscore) field to ensure requests are not high-risk traffic.
+- Uses the [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/reference/cf.bot_management.score/) field to ensure requests are not high-risk traffic.
Example rule:
diff --git a/src/content/docs/waf/detections/attack-score.mdx b/src/content/docs/waf/detections/attack-score.mdx
index a36c824d67b9fa2..b6fdb0e8dd2045e 100644
--- a/src/content/docs/waf/detections/attack-score.mdx
+++ b/src/content/docs/waf/detections/attack-score.mdx
@@ -26,11 +26,11 @@ The Cloudflare WAF provides the following attack score fields:
| Score | Data type | Minimum plan required | Attack vector | Field |
| ---------------------- | --------- | --------------------- | --------------------------- | --------------------------------------------------------------------------------------------- |
-| WAF Attack Score | Number | Enterprise | N/A (global score) | [`cf.waf.score`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscore) |
-| WAF SQLi Attack Score | Number | Enterprise | SQL injection (SQLi) | [`cf.waf.score.sqli`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscoresqli) |
-| WAF XSS Attack Score | Number | Enterprise | Cross-site scripting (XSS) | [`cf.waf.score.xss`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscorexss) |
-| WAF RCE Attack Score | Number | Enterprise | Remote Code Execution (RCE) | [`cf.waf.score.rce`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscorerce) |
-| WAF Attack Score Class | String | Business | N/A (global classification) | [`cf.waf.score.class`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscoreclass) |
+| WAF Attack Score | Number | Enterprise | N/A (global score) | [`cf.waf.score`](/ruleset-engine/rules-language/fields/reference/cf.waf.score/) |
+| WAF SQLi Attack Score | Number | Enterprise | SQL injection (SQLi) | [`cf.waf.score.sqli`](/ruleset-engine/rules-language/fields/reference/cf.waf.score.sqli/) |
+| WAF XSS Attack Score | Number | Enterprise | Cross-site scripting (XSS) | [`cf.waf.score.xss`](/ruleset-engine/rules-language/fields/reference/cf.waf.score.xss/) |
+| WAF RCE Attack Score | Number | Enterprise | Remote Code Execution (RCE) | [`cf.waf.score.rce`](/ruleset-engine/rules-language/fields/reference/cf.waf.score.rce/) |
+| WAF Attack Score Class | String | Business | N/A (global classification) | [`cf.waf.score.class`](/ruleset-engine/rules-language/fields/reference/cf.waf.score.class/) |
You can use these fields in expressions of [custom rules](/waf/custom-rules/) and [rate limiting rules](/waf/rate-limiting-rules/). Attack score fields of data type `Number` vary between `1` and `99` with the following meaning:
diff --git a/src/content/docs/waf/detections/leaked-credentials/index.mdx b/src/content/docs/waf/detections/leaked-credentials/index.mdx
index 3fd95e2c78db6cc..d948e30330d8241 100644
--- a/src/content/docs/waf/detections/leaked-credentials/index.mdx
+++ b/src/content/docs/waf/detections/leaked-credentials/index.mdx
@@ -75,11 +75,11 @@ When specifying a custom detection location, only the location of the username f
Expressions used to specify custom detection locations can include the following fields and functions:
- Fields:
- - [`http.request.body.form`](/ruleset-engine/rules-language/fields/http-request-body/#httprequestbodyform)
- - [`http.request.body.multipart`](/ruleset-engine/rules-language/fields/http-request-body/#httprequestbodymultipart)
- - [`http.request.body.raw`](/ruleset-engine/rules-language/fields/http-request-body/#httprequestbodyraw)
- - [`http.request.headers`](/ruleset-engine/rules-language/fields/http-request-header/#httprequestheaders)
- - [`http.request.uri.query`](/ruleset-engine/rules-language/fields/standard-fields/#httprequesturiquery)
+ - [`http.request.body.form`](/ruleset-engine/rules-language/fields/reference/http.request.body.form/)
+ - [`http.request.body.multipart`](/ruleset-engine/rules-language/fields/reference/http.request.body.multipart/)
+ - [`http.request.body.raw`](/ruleset-engine/rules-language/fields/reference/http.request.body.raw/)
+ - [`http.request.headers`](/ruleset-engine/rules-language/fields/reference/http.request.headers/)
+ - [`http.request.uri.query`](/ruleset-engine/rules-language/fields/reference/http.request.uri.query/)
- Functions:
- [`lookup_json_string()`](/ruleset-engine/rules-language/functions/#lookup_json_string)
- [`url_decode()`](/ruleset-engine/rules-language/functions/#url_decode)
@@ -96,8 +96,8 @@ For instructions on configuring a custom detection location, refer to [Get start
| Similar Password Leaked | [`cf.waf.credential_check.username_password_similar`][4] | Enterprise plan |
| Authentication detected | [`cf.waf.auth_detected`][5] | Enterprise plan |
-[1]: /ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcredential_checkpassword_leaked
-[2]: /ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcredential_checkusername_and_password_leaked
-[3]: /ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcredential_checkusername_leaked
-[4]: /ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcredential_checkusername_password_similar
-[5]: /ruleset-engine/rules-language/fields/dynamic-fields/#cfwafauth_detected
+[1]: /ruleset-engine/rules-language/fields/reference/cf.waf.credential_check.password_leaked/
+[2]: /ruleset-engine/rules-language/fields/reference/cf.waf.credential_check.username_and_password_leaked/
+[3]: /ruleset-engine/rules-language/fields/reference/cf.waf.credential_check.username_leaked/
+[4]: /ruleset-engine/rules-language/fields/reference/cf.waf.credential_check.username_password_similar/
+[5]: /ruleset-engine/rules-language/fields/reference/cf.waf.auth_detected/
diff --git a/src/content/docs/waf/detections/malicious-uploads/index.mdx b/src/content/docs/waf/detections/malicious-uploads/index.mdx
index 8058c6fda9434ca..6f21a355c2a2a62 100644
--- a/src/content/docs/waf/detections/malicious-uploads/index.mdx
+++ b/src/content/docs/waf/detections/malicious-uploads/index.mdx
@@ -77,13 +77,13 @@ When content scanning is enabled, you can use the following fields in WAF rules:
| Field name in the dashboard | Field name in expressions |
| ------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------- |
-| Has content object | [`cf.waf.content_scan.has_obj`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanhas_obj) |
-| Has malicious content object | [`cf.waf.content_scan.has_malicious_obj`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanhas_malicious_obj) |
-| Number of malicious content objects | [`cf.waf.content_scan.num_malicious_obj`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scannum_malicious_obj) |
-| Content scan has failed | [`cf.waf.content_scan.has_failed`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanhas_failed) |
-| Number of content objects | [`cf.waf.content_scan.num_obj`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scannum_obj) |
-| Content object size (in bytes) | [`cf.waf.content_scan.obj_sizes`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanobj_sizes) |
-| Content object type | [`cf.waf.content_scan.obj_types`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanobj_types) |
-| Content object result Values: `clean`, `suspicious`, `infected`, and `not scanned` | [`cf.waf.content_scan.obj_results`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanobj_results) |
+| Has content object | [`cf.waf.content_scan.has_obj`](/ruleset-engine/rules-language/fields/reference/cf.waf.content_scan.has_obj/) |
+| Has malicious content object | [`cf.waf.content_scan.has_malicious_obj`](/ruleset-engine/rules-language/fields/reference/cf.waf.content_scan.has_malicious_obj/) |
+| Number of malicious content objects | [`cf.waf.content_scan.num_malicious_obj`](/ruleset-engine/rules-language/fields/reference/cf.waf.content_scan.num_malicious_obj/) |
+| Content scan has failed | [`cf.waf.content_scan.has_failed`](/ruleset-engine/rules-language/fields/reference/cf.waf.content_scan.has_failed/) |
+| Number of content objects | [`cf.waf.content_scan.num_obj`](/ruleset-engine/rules-language/fields/reference/cf.waf.content_scan.num_obj/) |
+| Content object size (in bytes) | [`cf.waf.content_scan.obj_sizes`](/ruleset-engine/rules-language/fields/reference/cf.waf.content_scan.obj_sizes/) |
+| Content object type | [`cf.waf.content_scan.obj_types`](/ruleset-engine/rules-language/fields/reference/cf.waf.content_scan.obj_types/) |
+| Content object result Values: `clean`, `suspicious`, `infected`, and `not scanned` | [`cf.waf.content_scan.obj_results`](/ruleset-engine/rules-language/fields/reference/cf.waf.content_scan.obj_results/) |
For examples of rule expressions using these fields, refer to [Example rules](/waf/detections/malicious-uploads/example-rules/).
diff --git a/src/content/docs/waf/managed-rules/index.mdx b/src/content/docs/waf/managed-rules/index.mdx
index 6b5ffa09444a6c5..6f488a884513daa 100644
--- a/src/content/docs/waf/managed-rules/index.mdx
+++ b/src/content/docs/waf/managed-rules/index.mdx
@@ -52,4 +52,4 @@ At the zone level, you can only deploy each WAF managed ruleset once. At the [ac
Cloudflare analyzes the body of incoming requests up to a certain maximum size that varies according to your Cloudflare plan. For Enterprise customers, the maximum body size is 128 KB, while for other plans the limit is lower. This means that the behavior of specific managed rules that analyze request bodies can vary according to your current Cloudflare plan.
-If included in your plan, you can use [request body fields](/ruleset-engine/rules-language/fields/http-request-body/) such as `http.request.body.truncated` or `http.request.headers.truncated` in [custom rules](/waf/custom-rules/) that apply appropriate actions to requests that have not been fully analyzed by Cloudflare due to the maximum body size.
+If included in your plan, you can use [request body fields](/ruleset-engine/rules-language/fields/reference/) such as `http.request.body.truncated` or `http.request.headers.truncated` in [custom rules](/waf/custom-rules/) that apply appropriate actions to requests that have not been fully analyzed by Cloudflare due to the maximum body size.
diff --git a/src/content/docs/waf/rate-limiting-rules/best-practices.mdx b/src/content/docs/waf/rate-limiting-rules/best-practices.mdx
index 13bcbebe35e37f0..c53bb3622be2905 100644
--- a/src/content/docs/waf/rate-limiting-rules/best-practices.mdx
+++ b/src/content/docs/waf/rate-limiting-rules/best-practices.mdx
@@ -224,7 +224,7 @@ _This example rule requires Advanced Rate Limiting and payload inspection._
:::note
-If the request body is not JSON, you can use the [`http.request.body.raw`](/ruleset-engine/rules-language/fields/http-request-body/#httprequestbodyraw) field and regular expressions (along with the [`matches` operator](/ruleset-engine/rules-language/operators/#comparison-operators)) to achieve the same goal.
+If the request body is not JSON, you can use the [`http.request.body.raw`](/ruleset-engine/rules-language/fields/reference/http.request.body.raw/) field and regular expressions (along with the [`matches` operator](/ruleset-engine/rules-language/operators/#comparison-operators)) to achieve the same goal.
:::
### Limit requests from bots
diff --git a/src/content/docs/waf/rate-limiting-rules/create-zone-dashboard.mdx b/src/content/docs/waf/rate-limiting-rules/create-zone-dashboard.mdx
index 4968d62a0b2526d..572eed74cd15ef0 100644
--- a/src/content/docs/waf/rate-limiting-rules/create-zone-dashboard.mdx
+++ b/src/content/docs/waf/rate-limiting-rules/create-zone-dashboard.mdx
@@ -28,7 +28,7 @@ import { Render } from "~/components";
7. Under **With the same characteristics**, add one or more characteristics that will define the request counters for rate limiting purposes. Each value combination will have its own counter to determine the rate. Refer to [How Cloudflare determines the request rate](/waf/rate-limiting-rules/request-rate/) for more information.
-8. (Optional) To define an expression that specifies the conditions for incrementing the rate counter, enable **Use custom counting expression** and set the expression. By default, the counting expression is the same as the rule expression. The counting expression can include [response fields](/ruleset-engine/rules-language/fields/http-request-response/).
+8. (Optional) To define an expression that specifies the conditions for incrementing the rate counter, enable **Use custom counting expression** and set the expression. By default, the counting expression is the same as the rule expression. The counting expression can include [response fields](/ruleset-engine/rules-language/fields/reference/).
9. Under **When rate exceeds**, define the maximum number of requests and the time period to consider when determining the rate.
diff --git a/src/content/docs/waf/rate-limiting-rules/parameters.mdx b/src/content/docs/waf/rate-limiting-rules/parameters.mdx
index 5d3a82a8d8f57ab..714a5f926fcab3f 100644
--- a/src/content/docs/waf/rate-limiting-rules/parameters.mdx
+++ b/src/content/docs/waf/rate-limiting-rules/parameters.mdx
@@ -73,7 +73,7 @@ Only available in the Cloudflare dashboard when you enable **Use custom counting
Defines the criteria used for determining the request rate. By default, the counting expression is the same as the rule matching expression (defined in **If incoming requests match**). This default is also applied when you set this field to an empty string (`""`).
-The counting expression can include [HTTP response fields](/ruleset-engine/rules-language/fields/http-request-response/). When there are response fields in the counting expression, the counting will happen after the response is sent.
+The counting expression can include [HTTP response fields](/ruleset-engine/rules-language/fields/reference/). When there are response fields in the counting expression, the counting will happen after the response is sent.
In some cases, you cannot include HTTP response fields in the counting expression due to configuration restrictions. Refer to [Configuration restrictions](#configuration-restrictions) for details.
@@ -231,4 +231,4 @@ To use claims inside a JSON Web Token (JWT), you must first set up a [token vali
- If the rule expression [includes IP lists](/waf/tools/lists/use-in-expressions/), you must enable the **Also apply rate limiting to cached assets** parameter.
-- The rule counting expression, defined in the **Increment counter when** parameter, cannot include both [HTTP response fields](/ruleset-engine/rules-language/fields/http-request-response/) and [IP lists](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists). If you use IP lists, you must enable the **Also apply rate limiting to cached assets** parameter.
+- The rule counting expression, defined in the **Increment counter when** parameter, cannot include both [HTTP response fields](/ruleset-engine/rules-language/fields/reference/) and [IP lists](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists). If you use IP lists, you must enable the **Also apply rate limiting to cached assets** parameter.
diff --git a/src/content/docs/waf/tools/lists/custom-lists.mdx b/src/content/docs/waf/tools/lists/custom-lists.mdx
index 955dc978878c9c2..51b78d7263ef792 100644
--- a/src/content/docs/waf/tools/lists/custom-lists.mdx
+++ b/src/content/docs/waf/tools/lists/custom-lists.mdx
@@ -38,11 +38,11 @@ Use custom lists in rule [expressions](/ruleset-engine/rules-language/expression
The fields you can use vary according to the list item type:
-| List item type | Available fields |
-| -------------- | ---------------------------------------------------------------------------------------- |
-| IP address | Fields with type `IP address` listed in [Fields](/ruleset-engine/rules-language/fields/) |
-| Hostname | `http.host` |
-| ASN | `ip.src.asnum` |
+| List item type | Available fields |
+| -------------- | ---------------------------------------------------------------------------------------------------------------- |
+| IP address | Fields with type `IP address` listed in the [Fields reference](/ruleset-engine/rules-language/fields/reference/) |
+| Hostname | `http.host` |
+| ASN | `ip.src.asnum` |
For more information and examples, refer to [Use lists in expressions](/waf/tools/lists/use-in-expressions/).
diff --git a/src/content/docs/waiting-room/additional-options/waiting-room-rules/bypass-rules.mdx b/src/content/docs/waiting-room/additional-options/waiting-room-rules/bypass-rules.mdx
index 3f95706ed203d25..48f9293f6950116 100644
--- a/src/content/docs/waiting-room/additional-options/waiting-room-rules/bypass-rules.mdx
+++ b/src/content/docs/waiting-room/additional-options/waiting-room-rules/bypass-rules.mdx
@@ -10,13 +10,10 @@ import { Details } from "~/components"
A Waiting Room Bypass Rule is a type of Waiting Room Rule built on Cloudflare’s Ruleset Engine and managed via the Waiting Room API. A Waiting Room Bypass Rule allows you to indicate specific traffic or areas of your site or application that you do not want a waiting room to apply to. Each bypass rule is created and managed at the individual waiting room level for precise control over your waiting room traffic.
-To indicate where you want your bypass rules to apply, write [custom logic](/ruleset-engine/rules-language/) using the [fields](/ruleset-engine/rules-language/fields/) available via the Cloudflare Ruleset Engine from the following fields categories:
+To indicate where you want your bypass rules to apply, write [custom logic](/ruleset-engine/rules-language/) using the [fields](/ruleset-engine/rules-language/fields/reference/) available via the Cloudflare Ruleset Engine, except the following:
-* [Standard fields](/ruleset-engine/rules-language/fields/standard-fields)
-* [Dynamic fields](/ruleset-engine/rules-language/fields/dynamic-fields) except `cf.threat_score` and fields starting with `cf.bot_management`
-* [URI and argument value fields](/ruleset-engine/rules-language/fields/uri/)
-* [HTTP request header fields](/ruleset-engine/rules-language/fields/http-request-header/)
-* [HTTP request body fields](/ruleset-engine/rules-language/fields/http-request-body/)
+- `cf.threat_score` and fields starting with `cf.bot_management`
+- HTTP response fields
Please be advised that the waiting room will not apply to all the traffic that matches the expressions written for bypass rules and will not be counted as active users. No Waiting Room features, including but not limited to, Event pre-queueing, Reject queueing method, or Queue-all will apply to this traffic. Be mindful of this when creating and enabling Bypass Waiting Room rules. Only use bypass rules for traffic you are confident will not overwhelm your origin or cause significant traffic surges.
diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
new file mode 100644
index 000000000000000..4788bfacb9fd4f9
--- /dev/null
+++ b/src/content/fields/index.yaml
@@ -0,0 +1,1866 @@
+entries:
+ - name: http.cookie
+ data_type: String
+ categories: [Request, Headers]
+ keywords: [request, cookie, header, client, visitor]
+ summary: The entire cookie as a string.
+ example_value: |-
+ "session=8521F670545D7865F79C3D7BEDC29CCE;-background=light"
+
+ - name: http.host
+ data_type: String
+ categories: [Request, URI]
+ keywords: [request, uri, url, domain, client, visitor]
+ summary: The hostname used in the full request URI.
+ example_value: |-
+ "www.example.org"
+
+ - name: http.referer
+ data_type: String
+ categories: [Request, Headers]
+ keywords: [request, header, referer, referrer, client, visitor]
+ summary: The HTTP `Referer` request header, which contains the address of the web page that linked to the currently requested page.
+ example_value: |-
+ "https://developer.example.org/en-US/docs/Web/JavaScript"
+
+ - name: http.request.full_uri
+ data_type: String
+ categories: [Request, URI]
+ keywords: [request, uri, url, client, visitor]
+ summary: The full URI as received by the web server.
+ description: |-
+ The value will not include the `#fragment` part, which is not sent to web servers.
+ example_value: |-
+ "https://www.example.org/articles/index?section=539061&expand=comments"
+
+ - name: http.request.method
+ data_type: String
+ categories: [Request]
+ keywords: [request, client, visitor]
+ summary: The HTTP method, returned as a string of uppercase characters.
+ example_value: |-
+ "GET"
+
+ - name: http.request.cookies
+ data_type: Map>
+ categories: [Request, Headers]
+ keywords: [request, header, client, visitor]
+ plan_info_label: Pro or above
+ summary: The `Cookie` HTTP header associated with a request represented as a Map (associative array).
+ description: |-
+ Requires a Cloudflare Pro, Business, or Enterprise plan.
+
+ The cookie names are URL decoded. If two cookies have the same name after decoding, their value arrays are merged.
+
+ The cookie values are not pre-processed and retain the original case used in the request.
+ example_value: |-
+ { "app": ["test"] }
+ example_block: |-
+ any(http.request.cookies["app"][*] == "test")
+
+ - name: http.request.timestamp.sec
+ data_type: Integer
+ categories: [Request]
+ keywords: [request, timestamp, client, visitor]
+ summary: The timestamp when Cloudflare received the request, expressed as UNIX time in seconds.
+ description: |-
+ The field value is 10 digits long.
+
+ When validating HMAC tokens in an expression, pass this field as the `currentTimestamp` argument to the [`is_timed_hmac_valid_v0()`](/ruleset-engine/rules-language/functions/#hmac-validation) validation function.
+
+ To obtain the timestamp milliseconds, use the [`http.request.timestamp.msec`](/ruleset-engine/rules-language/fields/reference/http.request.timestamp.msec/) field.
+ example_value: |-
+ 1484063137
+
+ - name: http.request.timestamp.msec
+ data_type: Integer
+ categories: [Request]
+ keywords: [request, timestamp, client, visitor]
+ summary: The millisecond when Cloudflare received the request, between 0–999.
+ description: |-
+ To obtain the complete timestamp, use both [`http.request.timestamp.sec`](/ruleset-engine/rules-language/fields/reference/http.request.timestamp.sec/) and [`http.request.timestamp.msec`](/ruleset-engine/rules-language/fields/reference/http.request.timestamp.msec/) fields.
+ example_value: |-
+ 857
+
+ - name: http.request.uri
+ data_type: String
+ categories: [Request, URI]
+ keywords: [request, uri, url, path, query, query string, client, visitor]
+ summary: The URI path and query string of the request.
+ example_value: |-
+ "/articles/index?section=539061&expand=comments"
+
+ - name: http.request.uri.path
+ data_type: String
+ categories: [Request, URI]
+ keywords: [request, uri, url, path, client, visitor]
+ summary: The URI path of the request.
+ example_value: |-
+ "/articles/index"
+
+ - name: http.request.uri.path.extension
+ data_type: String
+ categories: [Request, URI]
+ keywords: [request, uri, url, path, client, visitor]
+ summary: The lowercased file extension in the URI path without the dot (`.`) character.
+ description: |-
+ This corresponds to the string after the last dot in the URI path, excluding the query string.
+
+ If the first character of the last path segment is a dot and the segment does not contain other dot characters, the field value will be an empty string (`""`). Having a dot as the first character does not represent a file extension and is commonly used in UNIX-like systems to denote a hidden file or directory.
+
+ Example values:
+
+ - If the URI path is `/articles/index.html`, the field value will be `"html"`.
+ - If the URI path is `/articles/index.`, the field value will be an empty string (`""`).
+
+ Example values:
+
+ | URI path | Field value |
+ | -------------- | ----------- |
+ | `/foo` | `""` |
+ | `/foo.mp3` | `"mp3"` |
+ | `/.mp3` | `""` |
+ | `/.foo.mp3` | `"mp3"` |
+ | `/foo.tar.bz2` | `"bz2"` |
+ | `/foo.` | `""` |
+ | `/foo.MP3` | `"mp3"` |
+
+ - name: http.request.uri.query
+ data_type: String
+ categories: [Request, URI]
+ keywords: [request, uri, url, query, query string, client, visitor]
+ summary: The entire query string, without the `?` delimiter.
+ example_value: |-
+ "section=539061&expand=comments"
+
+ - name: http.user_agent
+ data_type: String
+ categories: [Request, Headers]
+ keywords: [request, header, agent, user-agent, browser, client, visitor]
+ summary: The HTTP `User-Agent` request header, which contains a characteristic string to identify the client operating system and web browser.
+ example_value: |-
+ "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"
+
+ - name: http.request.version
+ data_type: String
+ categories: [Request]
+ keywords: [request, protocol, client, visitor]
+ summary: The version of the HTTP protocol used. Use this field when different checks are needed for different versions.
+ description: |-
+ Example values:
+
+ - `"HTTP/1.1"`
+ - `"HTTP/3"`
+
+ - name: http.x_forwarded_for
+ data_type: String
+ categories: [Request, Headers]
+ keywords: [request, header, proxy, ip, client, visitor]
+ summary: The full value of the `X-Forwarded-For` HTTP header.
+ example_value: |-
+ "203.0.113.195, 70.41.3.18"
+
+ - name: ip.src
+ data_type: IP address
+ categories: [Request]
+ keywords: [request, proxy, ip, client, visitor]
+ summary: The client TCP IP address, which may be adjusted to reflect the actual address of the client using HTTP headers such as `X-Forwarded-For` or `X-Real-IP`.
+ example_value: |-
+ 93.184.216.34
+
+ - name: ip.src.lat
+ data_type: String
+ categories: [Request, Geolocation]
+ keywords: [request, location, geolocation, client, visitor]
+ summary: The latitude associated with the client IP address.
+ example_value: |-
+ "37.78044"
+
+ - name: ip.src.lon
+ data_type: String
+ categories: [Request, Geolocation]
+ keywords: [request, location, geolocation, client, visitor]
+ summary: The longitude associated with the client IP address.
+ example_value: |-
+ "-122.39055"
+
+ - name: ip.src.city
+ data_type: String
+ categories: [Request, Geolocation]
+ keywords: [request, location, geolocation, client, visitor]
+ summary: The city associated with the client IP address.
+ example_value: |-
+ "San Francisco"
+
+ - name: ip.src.postal_code
+ data_type: String
+ categories: [Request, Geolocation]
+ keywords: [request, location, geolocation, zip, zip code, client, visitor]
+ summary: The postal code associated with the incoming request.
+ example_value: |-
+ "78701"
+
+ - name: ip.src.metro_code
+ data_type: String
+ categories: [Request, Geolocation]
+ keywords: [request, location, geolocation, dma, client, visitor]
+ summary: The metro code or Designated Market Area (DMA) code associated with the incoming request.
+ example_value: |-
+ "635"
+
+ - name: ip.src.region
+ data_type: String
+ categories: [Request, Geolocation]
+ keywords: [request, location, geolocation, state, client, visitor]
+ summary: The region name associated with the incoming request.
+ example_value: |-
+ "Texas"
+
+ - name: ip.src.region_code
+ data_type: String
+ categories: [Request, Geolocation]
+ keywords: [request, location, geolocation, state, client, visitor]
+ summary: The region code associated with the incoming request.
+ example_value: |-
+ "TX"
+
+ - name: ip.src.timezone.name
+ data_type: String
+ categories: [Request, Geolocation]
+ keywords:
+ [request, location, geolocation, time zone, clock, client, visitor]
+ summary: The name of the timezone associated with the incoming request.
+ description: |-
+ This field is only available in rewrite expressions of [Transform Rules](/rules/transform/).
+ example_value: |-
+ "America/Chicago"
+
+ - name: ip.src.asnum
+ data_type: Number
+ categories: [Request, Geolocation]
+ keywords:
+ [request, location, geolocation, asn, ip.geoip.asnum, client, visitor]
+ summary: The 16-bit or 32-bit integer representing the Autonomous System (AS) number associated with the client IP address.
+ description: |-
+ This field has the same value as the `ip.geoip.asnum` field, which is deprecated. The `ip.geoip.asnum` field is still available for new and existing rules, but you should use the `ip.src.asnum` field instead.
+
+ _GeoIP is the registered trademark of MaxMind, Inc._
+
+ - name: ip.src.continent
+ data_type: String
+ categories: [Request, Geolocation]
+ keywords:
+ [request, location, geolocation, ip.geoip.continent, client, visitor]
+ summary: The continent code associated with the client IP address.
+ description: |-
+ Values:
+
+ - `"AF"`: Africa
+ - `"AN"`: Antarctica
+ - `"AS"`: Asia
+ - `"EU"`: Europe
+ - `"NA"`: North America
+ - `"OC"`: Oceania
+ - `"SA"`: South America
+ - `"T1"`: Tor network
+
+ This field has the same value as the `ip.geoip.continent` field, which is deprecated. The `ip.geoip.continent` field is still available for new and existing rules, but you should use the `ip.src.continent` field instead.
+
+ _GeoIP is the registered trademark of MaxMind, Inc._
+
+ - name: ip.src.country
+ data_type: String
+ categories: [Request, Geolocation]
+ keywords:
+ [request, location, geolocation, ip.geoip.country, client, visitor]
+ summary: The 2-letter country code in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format.
+ example_value: |-
+ "GB"
+ description: |-
+ For more information on the ISO 3166-1 Alpha 2 format, refer to [ISO 3166-1 Alpha 2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) on Wikipedia.
+
+ This field has the same value as the `ip.geoip.country` field, which is deprecated. The `ip.geoip.country` field is still available for new and existing rules, but you should use the `ip.src.country` field instead.
+
+ _GeoIP is the registered trademark of MaxMind, Inc._
+
+ - name: ip.src.subdivision_1_iso_code
+ data_type: String
+ categories: [Request, Geolocation]
+ keywords:
+ [
+ request,
+ location,
+ geolocation,
+ ip.geoip.subdivision_1_iso_code,
+ region,
+ client,
+ visitor,
+ ]
+ plan_info_label: Business or above
+ summary: The ISO 3166-2 code for the first-level region associated with the IP address.
+ example_value: |-
+ "GB-ENG"
+ description: |-
+ When the actual value is not available, this field contains an empty string.
+
+ Requires a Cloudflare Business or Enterprise plan.
+
+ For more information on the ISO 3166-2 standard and the available regions, refer to [ISO 3166-2](https://en.wikipedia.org/wiki/ISO_3166-2) on Wikipedia.
+
+ This field has the same value as the `ip.geoip.subdivision_1_iso_code` field, which is deprecated. The `ip.geoip.subdivision_1_iso_code` field is still available for new and existing rules, but you should use the `ip.src.subdivision_1_iso_code` field instead.
+
+ _GeoIP is the registered trademark of MaxMind, Inc._
+
+ - name: ip.src.subdivision_2_iso_code
+ data_type: String
+ categories: [Request, Geolocation]
+ keywords:
+ [
+ request,
+ location,
+ geolocation,
+ ip.geoip.subdivision_2_iso_code,
+ region,
+ client,
+ visitor,
+ ]
+ plan_info_label: Business or above
+ summary: The ISO 3166-2 code for the second-level region associated with the IP address.
+ example_value: |-
+ "GB-SWK"
+ description: |-
+ When the actual value is not available, this field contains an empty string.
+
+ Requires a Cloudflare Business or Enterprise plan.
+
+ For more information on the ISO 3166-2 standard and the available regions, refer to [ISO 3166-2](https://en.wikipedia.org/wiki/ISO_3166-2) on Wikipedia.
+
+ This field has the same value as the `ip.geoip.subdivision_2_iso_code` field, which is deprecated. The `ip.geoip.subdivision_2_iso_code` field is still available for new and existing rules, but you should use the `ip.src.subdivision_2_iso_code` field instead.
+
+ _GeoIP is the registered trademark of MaxMind, Inc._
+
+ - name: ip.src.is_in_european_union
+ data_type: Boolean
+ categories: [Request, Geolocation]
+ keywords:
+ [
+ request,
+ location,
+ geolocation,
+ ip.geoip.is_in_european_union,
+ country,
+ client,
+ visitor,
+ ]
+ plan_info_label: Business or above
+ summary: Whether the request originates from a country in the European Union (EU).
+ description: |-
+ Requires a Cloudflare Business or Enterprise plan.
+
+ Countries in the EU (from geolocation data):
+
+ | Country code | Country name |
+ | ------------ | --------------- |
+ | `AT` | Austria |
+ | `AX` | Åland Islands |
+ | `BE` | Belgium |
+ | `BG` | Bulgaria |
+ | `CY` | Cyprus |
+ | `CZ` | Czechia |
+ | `DE` | Germany |
+ | `DK` | Denmark |
+ | `EE` | Estonia |
+ | `ES` | Spain |
+ | `FI` | Finland |
+ | `FR` | France |
+ | `GF` | French Guiana |
+ | `GP` | Guadeloupe |
+ | `GR` | Greece |
+ | `HR` | Croatia |
+ | `HU` | Hungary |
+ | `IE` | Ireland |
+ | `IT` | Italy |
+ | `LT` | Lithuania |
+ | `LU` | Luxembourg |
+ | `LV` | Latvia |
+ | `MF` | Saint Martin |
+ | `MQ` | Martinique |
+ | `MT` | Malta |
+ | `NL` | The Netherlands |
+ | `PL` | Poland |
+ | `PT` | Portugal |
+ | `RE` | Réunion |
+ | `RO` | Romania |
+ | `SE` | Sweden |
+ | `SI` | Slovenia |
+ | `SK` | Slovakia |
+ | `YT` | Mayotte |
+
+ The EU country list was obtained from MaxMind's GeoIP2 database on 2023-12-05. For details on obtaining up-to-date country information, refer to the [MaxMind website](https://dev.maxmind.com/geoip/geolite2-free-geolocation-data).
+
+ This field has the same value as the `ip.geoip.is_in_european_union` field, which is deprecated. The `ip.geoip.is_in_european_union` field is still available for new and existing rules, but you should use the `ip.src.is_in_european_union` field instead.
+
+ _GeoIP is the registered trademark of MaxMind, Inc._
+
+ - name: raw.http.request.full_uri
+ data_type: String
+ categories: [Request, URI, Raw fields]
+ keywords: [request, uri, url, raw, client, visitor]
+ summary: The raw full URI as received by the web server without any transformation.
+ description: |-
+ The value will not include the `#fragment` part, which is not sent to web servers.
+
+ This is the raw field version of the [`http.request.full_uri`](/ruleset-engine/rules-language/fields/reference/http.request.full_uri/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
+
+ **Note**: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
+
+ - name: raw.http.request.uri.path
+ data_type: String
+ categories: [Request, URI, Raw fields]
+ keywords: [request, uri, url, path, raw, client, visitor]
+ summary: The raw URI path and query string of the request without any transformation.
+ description: |-
+ This is the raw field version of the [`http.request.uri`](/ruleset-engine/rules-language/fields/reference/http.request.uri/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
+
+ **Note**: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
+
+ - name: raw.http.request.uri.path.extension
+ data_type: String
+ categories: [Request, URI, Raw fields]
+ keywords: [request, uri, url, path, raw, client, visitor]
+ summary: The raw file extension in the request URI path without any transformation.
+ description: |-
+ This is the raw field version of the [`http.request.uri.path.extension`](/ruleset-engine/rules-language/fields/reference/http.request.uri.path.extension/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
+
+ - name: raw.http.request.uri.query
+ data_type: String
+ categories: [Request, URI, Raw fields]
+ keywords: [request, uri, url, query, query string, raw, client, visitor]
+ summary: The entire query string without the `?` delimiter and without any transformation.
+ description: |-
+ This is the raw field version of the [`http.request.uri.query`](/ruleset-engine/rules-language/fields/reference/http.request.uri.query/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
+
+ **Note**: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
+
+ - name: ssl
+ data_type: Boolean
+ categories: [Request]
+ keywords: [request, tls, https, client, visitor]
+ summary: Returns `true` when the HTTP connection to the client is encrypted.
+
+ - name: cf.api_gateway.auth_id_present
+ data_type: Boolean
+ categories: [Request]
+ keywords: [request, session, api shield, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: Indicates whether the request contained an API session authentication token, as defined by API Shield's saved [session identifiers](/api-shield/get-started/#session-identifiers).
+
+ - name: cf.api_gateway.request_violates_schema
+ data_type: Boolean
+ categories: [Request]
+ keywords: [request, api shield, client, visitor]
+ summary: Indicates whether the request [violated the schema](/api-shield/security/schema-validation/) assigned to the respective saved endpoint.
+
+ - name: cf.api_gateway.fallthrough_detected
+ data_type: Boolean
+ categories: [Request]
+ keywords: [request, api shield, client, visitor]
+ summary: Indicates whether the request matched a saved endpoint in [Endpoint Management](/api-shield/management-and-monitoring/).
+
+ - name: cf.bot_management.verified_bot
+ data_type: Boolean
+ categories: [Request, Bots]
+ keywords: [request, bots, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: Indicates whether the request originated from a known good bot or crawler.
+ description: |-
+ Provides the same information as [`cf.client.bot`](/ruleset-engine/rules-language/fields/reference/cf.client.bot/).
+
+ Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
+
+ - name: cf.verified_bot_category
+ data_type: String
+ categories: [Request, Bots]
+ keywords: [request, bots, client, visitor]
+ summary: Provides the type and purpose of a verified bot.
+ description: |-
+ For more details, refer to [Verified Bot Categories](/bots/reference/verified-bot-categories/).
+
+ - name: cf.bot_management.score
+ data_type: Number
+ categories: [Request, Bots]
+ keywords: [request, bots, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: Represents the likelihood that a request originates from a bot using a score from 1–99.
+ description: |-
+ A low score indicates that the request comes from a bot or an automated agent. A high score indicates that a human issued the request.
+
+ Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
+
+ - name: cf.bot_management.static_resource
+ data_type: Number
+ categories: [Request, Bots]
+ keywords: [request, bots, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: Indicates whether static resources should be included when you create a rule using [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/reference/cf.bot_management.score/).
+ description: |-
+ For more details, refer to [Static resource protection](/bots/reference/static-resources/).
+
+ Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
+
+ - name: cf.bot_management.ja3_hash
+ data_type: String
+ categories: [Request, Bots]
+ keywords: [request, bots, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: Provides an SSL/TLS fingerprint to help you identify potential bot requests.
+ description: |-
+ For more details, refer to [JA3/JA4 Fingerprint](/bots/concepts/ja3-ja4-fingerprint/).
+
+ Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
+
+ - name: cf.bot_management.ja4
+ data_type: String
+ categories: [Request, Bots]
+ keywords: [request, bots, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: Provides an SSL/TLS fingerprint to help you identify potential bot requests.
+ description: |-
+ For more details, refer to [JA3/JA4 Fingerprint](/bots/concepts/ja3-ja4-fingerprint/).
+
+ Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
+
+ - name: cf.bot_management.js_detection.passed
+ data_type: Boolean
+ categories: [Request, Bots]
+ keywords: [request, bots, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: Indicates whether the visitor has previously passed a JS Detection.
+ description: |-
+ For more details, refer to [JavaScript detections](/bots/reference/javascript-detections/).
+
+ Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
+
+ - name: cf.bot_management.detection_ids
+ data_type: Array
+ categories: [Request, Bots]
+ keywords: [request, bots, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: List of IDs that correlate to the Bot Management heuristic detections made on a request.
+ description: |-
+ Use this field to explicitly match a specific heuristic or to exclude a heuristic in a rule. You can have multiple heuristic detections on the same request.
+
+ Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
+ example_block: |-
+ any(cf.bot_management.detection_ids[*] eq 33554817)
+
+ - name: cf.client.bot
+ data_type: Boolean
+ categories: [Request, Bots]
+ keywords: [request, bots, client, visitor]
+ summary: Indicates whether the request originated from a known good bot or crawler.
+ description: |-
+ Provides the same information as [`cf.bot_management.verified_bot`](/ruleset-engine/rules-language/fields/reference/cf.bot_management.verified_bot/).
+
+ - name: cf.edge.server_ip
+ data_type: IP address
+ categories: [Request]
+ keywords: [request, cloudflare, client, visitor]
+ summary: Represents the global network's IP address to which the HTTP request has resolved.
+ description: |-
+ This field is only meaningful for [BYOIP customers](/byoip/).
+
+ - name: cf.edge.server_port
+ data_type: IP address
+ categories: [Request]
+ keywords: [request, cloudflare, client, visitor]
+ summary: Represents the port number at which the Cloudflare global network received the request.
+ description: |-
+ Use this field to filter traffic on a specific port. The value is a port number in the range 1–65535.
+
+ - name: cf.hostname.metadata
+ data_type: String
+ categories: [Request]
+ keywords: [request, cloudflare, saas, platforms, client, visitor]
+ summary: Returns the string representation of the per-hostname [custom metadata](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata/) JSON object set by SSL for SaaS customers.
+
+ - name: cf.random_seed
+ data_type: Bytes
+ categories: [Request]
+ keywords: [request, cloudflare, client, visitor]
+ summary: Returns per-request random bytes that you can use in the [`uuidv4()`](/ruleset-engine/rules-language/functions/#uuidv4) function.
+
+ - name: cf.ray_id
+ data_type: String
+ categories: [Request]
+ keywords: [request, cloudflare, client, visitor]
+ summary: The Ray ID of the current request.
+ description: |-
+ A [Ray ID](/fundamentals/reference/cloudflare-ray-id/) is an identifier given to every request that goes through Cloudflare.
+
+ - name: cf.threat_score
+ data_type: Number
+ categories: [Request]
+ keywords: [request, cloudflare, score, client, visitor]
+ summary: Represents a Cloudflare threat score from 0–100, where 0 indicates low risk.
+ description: |-
+ Values above 10 may represent spammers or bots, and values above 40 identify bad actors on the Internet. It is rare to see values above 60. A common recommendation is to challenge requests with a score above 10 and to block those above 50.
+
+ - name: cf.tls_cipher
+ data_type: String
+ categories: [Request]
+ keywords: [request, ssl, tls, client, visitor]
+ summary: The cipher for the connection to Cloudflare.
+ example_value: |-
+ "AES128-SHA256"
+
+ - name: cf.tls_client_auth.cert_revoked
+ data_type: Boolean
+ categories: [Request, mTLS]
+ keywords: [request, ssl, mtls, client, visitor]
+ summary: Indicates whether the request presented a valid but revoked client certificate.
+ description: |-
+ When `true`, the [`cf.tls_client_auth.cert_verified`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_verified/) field is also `true`.
+
+ This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
+
+ - name: cf.tls_client_auth.cert_verified
+ data_type: Boolean
+ categories: [Request, mTLS]
+ keywords: [request, ssl, mtls, client, visitor]
+ summary: Returns `true` when a request presents a valid client certificate.
+ description: |-
+ Also returns `true` when a request includes a valid certificate that was revoked (refer to [`cf.tls_client_auth.cert_revoked`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_revoked/)).
+
+ This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
+
+ - name: cf.tls_client_auth.cert_presented
+ data_type: Boolean
+ categories: [Request, mTLS]
+ keywords: [request, ssl, mtls, client, visitor]
+ summary: Returns `true` when a request presents a certificate (valid or not).
+ description: |-
+ This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
+
+ - name: cf.tls_client_auth.cert_issuer_dn
+ data_type: String
+ categories: [Request, mTLS]
+ keywords: [request, ssl, mtls, client, visitor]
+ summary: The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate included in the request.
+ description: |-
+ This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
+ example_value: |-
+ "CN=Access Testing CA,OU=TX,O=Access Testing,L=Austin,ST=Texas,C=US"
+
+ - name: cf.tls_client_auth.cert_subject_dn
+ data_type: String
+ categories: [Request, mTLS]
+ keywords: [request, ssl, mtls, client, visitor]
+ summary: The Distinguished Name (DN) of the owner (or requester) of the certificate included in the request.
+ description: |-
+ This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
+ example_value: |-
+ "CN=James Royal,OU=Access Admins,O=Access,L=Austin,ST=Texas,C=US"
+
+ - name: cf.tls_client_auth.cert_issuer_dn_rfc2253
+ data_type: String
+ categories: [Request, mTLS]
+ keywords: [request, ssl, mtls, client, visitor]
+ summary: The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in [RFC 2253](https://datatracker.ietf.org/doc/html/rfc2253) format.
+ description: |-
+ This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
+ example_value: |-
+ "CN=Access Testing CA,OU=TX,O=Access Testing,L=Austin,ST=Texas,C=US"
+
+ - name: cf.tls_client_auth.cert_subject_dn_rfc2253
+ data_type: String
+ categories: [Request, mTLS]
+ keywords: [request, ssl, mtls, client, visitor]
+ summary: The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in [RFC 2253](https://datatracker.ietf.org/doc/html/rfc2253) format.
+ description: |-
+ This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
+ example_value: |-
+ "CN=James Royal,OU=Access Admins,O=Access,L=Austin,ST=Texas,C=US"
+
+ - name: cf.tls_client_auth.cert_issuer_dn_legacy
+ data_type: String
+ categories: [Request, mTLS]
+ keywords: [request, ssl, mtls, client, visitor]
+ summary: The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in a legacy format.
+ description: |-
+ This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
+ example_value: |-
+ "/C=US/ST=Texas/L=Austin/O=Access Testing/OU=TX/CN=Access Testing CA"
+
+ - name: cf.tls_client_auth.cert_subject_dn_legacy
+ data_type: String
+ categories: [Request, mTLS]
+ keywords: [request, ssl, mtls, client, visitor]
+ summary: The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in a legacy format.
+ description: |-
+ This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
+ example_value: |-
+ "/C=US/ST=Texas/L=Austin/O=Access/OU=Access Admins/CN=James Royal"
+
+ - name: cf.tls_client_auth.cert_serial
+ data_type: String
+ categories: [Request, mTLS]
+ keywords: [request, ssl, mtls, client, visitor]
+ summary: Serial number of the certificate in the request.
+ description: |-
+ This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
+ example_value: |-
+ "527E0F20A20EA2A4146C78390F34CE7AF0878CA4"
+
+ - name: cf.tls_client_auth.cert_issuer_serial
+ data_type: String
+ categories: [Request, mTLS]
+ keywords: [request, ssl, mtls, client, visitor]
+ summary: Serial number of the direct issuer of the certificate in the request.
+ description: |-
+ This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
+ example_value: |-
+ "2688201DBA77402EA87118876F2E1B24CF8B0395"
+
+ - name: cf.tls_client_auth.cert_fingerprint_sha256
+ data_type: String
+ categories: [Request, mTLS]
+ keywords: [request, ssl, mtls, client, visitor]
+ summary: The SHA-256 fingerprint of the certificate in the request.
+ description: |-
+ This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
+ example_value: |-
+ "af363dc85bc942a892d3cee9796190fdb36d89cd588a4f1cb17c74a943439714"
+
+ - name: cf.tls_client_auth.cert_fingerprint_sha1
+ data_type: String
+ categories: [Request, mTLS]
+ keywords: [request, ssl, mtls, client, visitor]
+ summary: The SHA-1 fingerprint of the certificate in the request.
+ description: |-
+ This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
+ example_value: |-
+ "933ad5282c560ae3f482a43ecd73bc9de878a190"
+
+ - name: cf.tls_client_auth.cert_not_before
+ data_type: String
+ categories: [Request, mTLS]
+ keywords: [request, ssl, mtls, client, visitor]
+ summary: The certificate in the request is not valid before this date.
+ description: |-
+ This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
+ example_value: |-
+ "Mar 21 13:35:00 2022 GMT"
+
+ - name: cf.tls_client_auth.cert_not_after
+ data_type: String
+ categories: [Request, mTLS]
+ keywords: [request, ssl, mtls, client, visitor]
+ summary: The certificate in the request is not valid after this date.
+ description: |-
+ This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
+ example_value: |-
+ "Mar 21 13:35:00 2023 GMT"
+
+ - name: cf.tls_client_auth.cert_ski
+ data_type: String
+ categories: [Request, mTLS]
+ keywords: [request, ssl, mtls, client, visitor]
+ summary: The Subject Key Identifier (SKI) of the certificate in the request.
+ description: |-
+ This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
+ example_value: |-
+ "27846FAE6EAC4A8DAD9101B519CF1EB460242831"
+
+ - name: cf.tls_client_auth.cert_issuer_ski
+ data_type: String
+ categories: [Request, mTLS]
+ keywords: [request, ssl, mtls, client, visitor]
+ summary: The Subject Key Identifier (SKI) of the direct issuer of the certificate in the request.
+ description: |-
+ This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
+ example_value: |-
+ "8204924CF49D471E855862706D889F58F6B784D3"
+
+ - name: cf.tls_client_extensions_sha1
+ data_type: String
+ categories: [Request]
+ keywords: [request, ssl, tls, client, visitor]
+ summary: The SHA-1 fingerprint of TLS client extensions, encoded in Base64.
+ example_value: |-
+ "OWFiM2I5ZDc0YWI0YWYzZmFkMGU0ZjhlYjhiYmVkMjgxNTU5YTU2Mg=="
+
+ - name: cf.tls_client_hello_length
+ data_type: Number
+ categories: [Request]
+ keywords: [request, ssl, tls, client, visitor]
+ summary: The length of the client hello message sent in a [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake).
+ description: |-
+ Specifically, the length of the bytestring of the client hello.
+ example_value: |-
+ 508
+
+ - name: cf.tls_client_random
+ data_type: String
+ categories: [Request]
+ keywords: [request, ssl, tls, client, visitor]
+ summary: The value of the 32-byte random value provided by the client in a [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake), encoded in Base64.
+ description: |-
+ For more details, refer to [RFC 8446](https://datatracker.ietf.org/doc/html/rfc8446#section-4.1.2).
+ example_value: |-
+ "YWJjZA=="
+
+ - name: cf.tls_version
+ data_type: String
+ categories: [Request]
+ keywords: [request, ssl, tls, client, visitor]
+ summary: The TLS version of the connection to Cloudflare.
+ example_value: |-
+ "TLSv1.2"
+
+ - name: cf.waf.content_scan.has_obj
+ data_type: Boolean
+ categories: [Request]
+ keywords:
+ [
+ request,
+ cloudflare,
+ content scanning,
+ malicious uploads,
+ client,
+ visitor,
+ ]
+ plan_info_label: Enterprise add-on
+ summary: Indicates whether the request contains at least one content object.
+ description: |-
+ Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
+
+ - name: cf.waf.content_scan.has_malicious_obj
+ data_type: Boolean
+ categories: [Request]
+ keywords:
+ [
+ request,
+ cloudflare,
+ content scanning,
+ malicious uploads,
+ client,
+ visitor,
+ ]
+ plan_info_label: Enterprise add-on
+ summary: Indicates whether the request contains at least one malicious content object.
+ description: |-
+ Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
+
+ - name: cf.waf.content_scan.num_malicious_obj
+ data_type: Integer
+ categories: [Request]
+ keywords:
+ [
+ request,
+ cloudflare,
+ content scanning,
+ malicious uploads,
+ client,
+ visitor,
+ ]
+ plan_info_label: Enterprise add-on
+ summary: The number of malicious content objects detected in the request (zero or greater).
+ description: |-
+ Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
+
+ - name: cf.waf.content_scan.has_failed
+ data_type: Boolean
+ categories: [Request]
+ keywords:
+ [
+ request,
+ cloudflare,
+ content scanning,
+ malicious uploads,
+ client,
+ visitor,
+ ]
+ plan_info_label: Enterprise add-on
+ summary: Indicates whether the file scanner was unable to scan all the content objects detected in the request.
+ description: |-
+ Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
+ - name: cf.waf.content_scan.num_obj
+ data_type: Integer
+ categories: [Request]
+ keywords:
+ [
+ request,
+ cloudflare,
+ content scanning,
+ malicious uploads,
+ client,
+ visitor,
+ ]
+ plan_info_label: Enterprise add-on
+ summary: The number of content objects detected in the request (zero or greater).
+ description: |-
+ Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
+
+ - name: cf.waf.content_scan.obj_sizes
+ data_type: Array
+ categories: [Request]
+ keywords:
+ [
+ request,
+ cloudflare,
+ content scanning,
+ malicious uploads,
+ client,
+ visitor,
+ ]
+ plan_info_label: Enterprise add-on
+ summary: An array of file sizes in bytes, in the order the content objects were detected in the request.
+ description: |-
+ Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
+
+ - name: cf.waf.content_scan.obj_types
+ data_type: Array
+ categories: [Request]
+ keywords:
+ [
+ request,
+ cloudflare,
+ content scanning,
+ malicious uploads,
+ client,
+ visitor,
+ ]
+ plan_info_label: Enterprise add-on
+ summary: An array of file types in the order the content objects were detected in the request.
+ description: |-
+ If Cloudflare cannot determine the file type of a content object, the corresponding value in the `obj_types` array will be `application/octet-stream`.
+
+ Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
+
+ - name: cf.waf.content_scan.obj_results
+ data_type: Array
+ categories: [Request]
+ keywords:
+ [
+ request,
+ cloudflare,
+ content scanning,
+ malicious uploads,
+ client,
+ visitor,
+ ]
+ plan_info_label: Enterprise add-on
+ summary: An array of scan results in the order the content objects were detected in the request.
+ description: |-
+ The possible values are: `clean`, `suspicious`, `infected`, and `not scanned`.
+
+ Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
+
+ - name: cf.waf.score
+ data_type: Number
+ categories: [Request]
+ keywords: [request, cloudflare, attack score, waf score, client, visitor]
+ plan_info_label: Enterprise
+ summary: A global score from 1–99 that combines the score of each WAF attack vector into a single score.
+ description: |-
+ This is the standard [WAF attack score](/waf/detections/attack-score/) to detect variants of attack patterns.
+
+ Requires a Cloudflare Enterprise plan. You must also enable [attack score detection](/waf/detections/attack-score/).
+
+ - name: cf.waf.score.sqli
+ data_type: Number
+ categories: [Request]
+ keywords: [request, cloudflare, attack score, waf score, client, visitor]
+ plan_info_label: Enterprise
+ summary: An attack score from 1–99 classifying the SQL injection (SQLi) attack vector.
+ description: |-
+ Requires a Cloudflare Enterprise plan. You must also enable [attack score detection](/waf/detections/attack-score/).
+
+ - name: cf.waf.score.xss
+ data_type: Number
+ categories: [Request]
+ keywords: [request, cloudflare, attack score, waf score, client, visitor]
+ plan_info_label: Enterprise
+ summary: An attack score from 1–99 classifying the cross-site scripting (XSS) attack vector.
+ description: |-
+ Requires a Cloudflare Enterprise plan. You must also enable [attack score detection](/waf/detections/attack-score/).
+
+ - name: cf.waf.score.rce
+ data_type: Number
+ categories: [Request]
+ keywords: [request, cloudflare, attack score, waf score, client, visitor]
+ plan_info_label: Enterprise
+ summary: An attack score from 1–99 classifying the command injection or Remote Code Execution (RCE) attack vector.
+ description: |-
+ Requires a Cloudflare Enterprise plan. You must also enable [attack score detection](/waf/detections/attack-score/).
+
+ - name: cf.waf.score.class
+ data_type: String
+ categories: [Request]
+ keywords: [request, cloudflare, attack score, waf score, client, visitor]
+ plan_info_label: Business or above
+ summary: The attack score class of the current request, based on the WAF attack score.
+ description: |-
+ Can have one of the following values: `attack`, `likely_attack`, `likely_clean`, `clean`.
+
+ Requires a Cloudflare Business plan or above. You must also enable [attack score detection](/waf/detections/attack-score/).
+
+ - name: cf.waf.auth_detected
+ data_type: Boolean
+ categories: [Request]
+ keywords:
+ [
+ request,
+ cloudflare,
+ leaked credentials,
+ exposed credentials,
+ client,
+ visitor,
+ ]
+ plan_info_label: Enterprise
+ summary: Indicates whether the Cloudflare WAF detected authentication credentials in the request.
+ description: |-
+ Requires a Cloudflare Enterprise plan. You must also enable [leaked credentials detection](/waf/detections/leaked-credentials/).
+
+ - name: cf.waf.credential_check.password_leaked
+ data_type: Boolean
+ categories: [Request]
+ keywords:
+ [
+ request,
+ cloudflare,
+ leaked credentials,
+ exposed credentials,
+ client,
+ visitor,
+ ]
+ summary: Indicates whether the password detected in the request was previously leaked.
+ description: |-
+ Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
+
+ - name: cf.waf.credential_check.username_leaked
+ data_type: Boolean
+ categories: [Request]
+ keywords:
+ [
+ request,
+ cloudflare,
+ leaked credentials,
+ exposed credentials,
+ client,
+ visitor,
+ ]
+ plan_info_label: Enterprise
+ summary: Indicates whether the username detected in the request was previously leaked.
+ description: |-
+ Requires a Cloudflare Enterprise plan. You must also enable [leaked credentials detection](/waf/detections/leaked-credentials/).
+
+ - name: cf.waf.credential_check.username_and_password_leaked
+ data_type: Boolean
+ categories: [Request]
+ keywords:
+ [
+ request,
+ cloudflare,
+ authentication,
+ leaked credentials,
+ exposed credentials,
+ client,
+ visitor,
+ ]
+ plan_info_label: Pro or above
+ summary: Indicates whether the auth credentials detected in the request (username-password pair) were previously leaked.
+ description: |-
+ Requires a Cloudflare Pro plan or above. You must also enable [leaked credentials detection](/waf/detections/leaked-credentials/).
+
+ - name: cf.waf.credential_check.username_password_similar
+ data_type: Boolean
+ categories: [Request]
+ keywords:
+ [
+ request,
+ cloudflare,
+ leaked credentials,
+ exposed credentials,
+ client,
+ visitor,
+ ]
+ plan_info_label: Enterprise
+ summary: Indicates whether a similar version of the username and password credentials detected in the request were previously leaked.
+ description: |-
+ Requires a Cloudflare Enterprise plan. You must also enable [leaked credentials detection](/waf/detections/leaked-credentials/).
+
+ - name: cf.worker.upstream_zone
+ data_type: String
+ categories: [Request]
+ keywords: [request, cloudflare, workers]
+ summary: Identifies whether a request comes from a worker or not.
+ description: |-
+ When a request comes from a worker, this field will hold the name of the zone for that worker. Otherwise, `cf.worker.upstream_zone` is empty.
+
+ - name: cf.bot_management.corporate_proxy
+ data_type: Boolean
+ categories: [Request, Bots]
+ keywords: [request, bots, proxy, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: Indicates whether the incoming request comes from an identified Enterprise-only cloud-based corporate proxy or secure web gateway.
+ description: |-
+ Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
+ example_block: |-
+ not cf.bot_management.verified_bot
+ and not cf.bot_management.static_resource
+ and not cf.bot_management.corporate_proxy
+ and cf.bot_management.score lt 30
+
+ - name: http.request.jwt.claims.aud
+ data_type: Map>
+ categories: [Request, JWT validation]
+ keywords: [request, jwt, api shield, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The `aud` (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for.
+ description: |-
+ Each principal intended to process the JWT must identify itself with a value in the audience claim. In the general case, the `aud` value is an array of case-sensitive strings, each containing a `StringOrURI` value. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+
+ For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+ - name: http.request.jwt.claims.aud.names
+ data_type: Array
+ categories: [Request, JWT validation]
+ keywords: [request, jwt, api shield, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The `aud` (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for.
+ description: |-
+ Each principal intended to process the JWT must identify itself with a value in the audience claim. In the general case, the `aud` value is an array of case-sensitive strings, each containing a `StringOrURI` value. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+
+ For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+ - name: http.request.jwt.claims.aud.values
+ data_type: Array
+ categories: [Request, JWT validation]
+ keywords: [request, jwt, api shield, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The `aud` (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for.
+ description: |-
+ Each principal intended to process the JWT must identify itself with a value in the audience claim. In the general case, the `aud` value is an array of case-sensitive strings, each containing a `StringOrURI` value. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+
+ For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+ - name: http.request.jwt.claims.iat.sec
+ data_type: Map>
+ categories: [Request, JWT validation]
+ keywords: [request, jwt, api shield, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The `iat` (issued at) claim identifies the time (number of seconds) at which the JWT was issued.
+ description: |-
+ For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+
+ For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+ - name: http.request.jwt.claims.iat.sec.names
+ data_type: Array
+ categories: [Request, JWT validation]
+ keywords: [request, jwt, api shield, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The `iat` (issued at) claim identifies the time (number of seconds) at which the JWT was issued.
+ description: |-
+ For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+
+ For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+ - name: http.request.jwt.claims.iat.sec.values
+ data_type: Array
+ categories: [Request, JWT validation]
+ keywords: [request, jwt, api shield, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The `iat` (issued at) claim identifies the time (number of seconds) at which the JWT was issued.
+ description: |-
+ For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+
+ For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+ - name: http.request.jwt.claims.iss
+ data_type: Map>
+ categories: [Request, JWT validation]
+ keywords: [request, jwt, api shield, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The `iss` (issuer) claim identifies the principal that issued the JWT.
+ description: |-
+ For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+
+ For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+ - name: http.request.jwt.claims.iss.names
+ data_type: Array
+ categories: [Request, JWT validation]
+ keywords: [request, jwt, api shield, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The `iss` (issuer) claim identifies the principal that issued the JWT.
+ description: |-
+ For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+
+ For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+ - name: http.request.jwt.claims.iss.values
+ data_type: Array
+ categories: [Request, JWT validation]
+ keywords: [request, jwt, api shield, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The `iss` (issuer) claim identifies the principal that issued the JWT.
+ description: |-
+ For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+
+ For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+ - name: http.request.jwt.claims.jti
+ data_type: Map>
+ categories: [Request, JWT validation]
+ keywords: [request, jwt, api shield, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The `jti` (JWT ID) claim provides a unique identifier for the JWT.
+ description: |-
+ For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+
+ For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+ - name: http.request.jwt.claims.jti.names
+ data_type: Array
+ categories: [Request, JWT validation]
+ keywords: [request, jwt, api shield, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The `jti` (JWT ID) claim provides a unique identifier for the JWT.
+ description: |-
+ For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+
+ For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+ - name: http.request.jwt.claims.jti.values
+ data_type: Array
+ categories: [Request, JWT validation]
+ keywords: [request, jwt, api shield, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The `jti` (JWT ID) claim provides a unique identifier for the JWT.
+ description: |-
+ For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+
+ For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+ - name: http.request.jwt.claims.nbf.sec
+ data_type: Map>
+ categories: [Request, JWT validation]
+ keywords: [request, jwt, api shield, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The `nbf` (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.
+ description: |-
+ For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+
+ For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+ - name: http.request.jwt.claims.nbf.sec.names
+ data_type: Array
+ categories: [Request, JWT validation]
+ keywords: [request, jwt, api shield, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The `nbf` (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.
+ description: |-
+ For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+
+ For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+ - name: http.request.jwt.claims.nbf.sec.values
+ data_type: Array
+ categories: [Request, JWT validation]
+ keywords: [request, jwt, api shield, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The `nbf` (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.
+ description: |-
+ For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+
+ For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+ - name: http.request.jwt.claims.sub
+ data_type: Map>
+ categories: [Request, JWT validation]
+ keywords: [request, jwt, api shield, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The `sub` (subject) claim identifies the principal that is the subject of the JWT.
+ description: |-
+ The claims in a JWT are normally statements about the subject. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+
+ For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+ - name: http.request.jwt.claims.sub.names
+ data_type: Array
+ categories: [Request, JWT validation]
+ keywords: [request, jwt, api shield, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The `sub` (subject) claim identifies the principal that is the subject of the JWT.
+ description: |-
+ The claims in a JWT are normally statements about the subject. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+
+ For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+ - name: http.request.jwt.claims.sub.values
+ data_type: Array
+ categories: [Request, JWT validation]
+ keywords: [request, jwt, api shield, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The `sub` (subject) claim identifies the principal that is the subject of the JWT.
+ description: |-
+ The claims in a JWT are normally statements about the subject. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+
+ For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+ - name: http.request.uri.args
+ data_type: Map>
+ categories: [Request, URI]
+ keywords: [request, uri, url, arguments, query string, client, visitor]
+ summary: The HTTP URI arguments associated with a request represented as a Map (associative array).
+ description: |-
+ When an argument repeats, the array contains multiple items in the order they appear in the request.
+
+ The values are not pre-processed and retain the original case used in the request.
+
+ - **Decoding**: No decoding performed
+ - **Non-ASCII**: Preserved
+ example_value: |-
+ {"search": ["red+apples"]}
+ example_block: |-
+ any(http.request.uri.args["search"][*] == "red+apples")
+
+ - name: http.request.uri.args.names
+ data_type: Array
+ categories: [Request, URI]
+ keywords: [request, uri, url, arguments, query string, client, visitor]
+ summary: The names of the arguments in the HTTP URI query string.
+ description: |-
+ When a name repeats, the array contains multiple items in the order that they appear in the request.
+
+ The names are not pre-processed and retain the original case used in the request.
+
+ - **Decoding**: No decoding performed
+ - **Non-ASCII**: Preserved
+ example_value: |-
+ ["search"]
+ example_block: |-
+ any(http.request.uri.args.names[*] == "search")
+
+ - name: http.request.uri.args.values
+ data_type: Array
+ categories: [Request, URI]
+ keywords: [request, uri, url, arguments, query string, client, visitor]
+ summary: The values of arguments in the HTTP URI query string.
+ description: |-
+ The values are not pre-processed and retain the original case used in the request. They are in the same order as in the request.
+
+ Duplicated values are listed multiple times.
+
+ - **Decoding**: No decoding performed
+ - **Non-ASCII**: Preserved
+ example_value: |-
+ ["red+apples"]
+ example_block: |-
+ any(http.request.uri.args.values[*] == "red+apples")
+
+ - name: raw.http.request.uri.args
+ data_type: Map>
+ categories: [Request, URI, Raw fields]
+ keywords: [request, uri, url, arguments, query string, raw, client, visitor]
+ summary: The raw HTTP URI arguments associated with a request represented as a Map (associative array).
+ description: |-
+ This is the raw field version of the [`http.request.uri.args`](/ruleset-engine/rules-language/fields/reference/http.request.uri.args/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
+
+ - name: raw.http.request.uri.args.names
+ data_type: Array
+ categories: [Request, URI, Raw fields]
+ keywords: [request, uri, url, arguments, query string, raw, client, visitor]
+ summary: The raw names of the arguments in the HTTP URI query string.
+ description: |-
+ This is the raw field version of the [`http.request.uri.args.names`](/ruleset-engine/rules-language/fields/reference/http.request.uri.args.names/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
+
+ - name: raw.http.request.uri.args.values
+ data_type: Array
+ categories: [Request, URI, Raw fields]
+ keywords: [request, uri, url, arguments, query string, raw, client, visitor]
+ summary: The raw values of arguments in the HTTP URI query string.
+ description: |-
+ This is the raw field version of the [`http.request.uri.args.values`](/ruleset-engine/rules-language/fields/reference/http.request.uri.args.values/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
+
+ - name: http.request.headers
+ data_type: Map>
+ categories: [Request, Headers]
+ keywords: [request, client, visitor]
+ summary: The HTTP request headers represented as a Map (or associative array).
+ description: |-
+ The keys of the associative array are the names of HTTP request headers converted to lowercase.
+
+ When there are repeating headers, the array includes them in the order they appear in the request.
+
+ The request header values are not pre-processed and retain the original case used in the request.
+
+ - **Decoding**: No decoding performed
+ - **Whitespace**: Preserved
+ - **Non-ASCII**: Preserved
+ example_value: |-
+ {"content-type": ["application/json"]}
+ example_block: |-
+ any(http.request.headers["content-type"][*] == "application/json")
+
+ - name: http.request.headers.names
+ data_type: Array
+ categories: [Request, Headers]
+ keywords: [request, client, visitor]
+ summary: The names of the headers in the HTTP request.
+ description: |-
+ The names are not pre-processed and retain the original case used in the request.
+
+ The order of header names is not guaranteed but will match [`http.request.headers.values`](/ruleset-engine/rules-language/fields/reference/http.request.headers.values/).
+
+ Duplicate headers are listed multiple times.
+
+ - **Decoding**: No decoding performed
+ - **Whitespace**: Preserved
+ - **Non-ASCII**: Preserved
+
+ **Note**: In HTTP/2, the names of HTTP headers are always in lowercase. Recent versions of the `curl` tool [enable HTTP/2 by default](https://curl.se/docs/manpage.html#--http2) for HTTPS connections.
+ example_value: |-
+ ["content-type"]
+ example_block: |-
+ any(http.request.headers.names[*] == "content-type")
+
+ - name: http.request.headers.values
+ data_type: Array
+ categories: [Request, Headers]
+ keywords: [request, client, visitor]
+ summary: The values of the headers in the HTTP request.
+ description: |-
+ The values are not pre-processed and retain the original case used in the request.
+
+ The order of header values is not guaranteed but will match [`http.request.headers.names`](/ruleset-engine/rules-language/fields/reference/http.request.headers.names/).
+
+ Duplicate headers are listed multiple times.
+
+ - **Decoding**: No decoding performed
+ - **Whitespace**: Preserved
+ - **Non-ASCII**: Preserved
+
+ **Note**: In HTTP/2, the names of HTTP headers are always in lowercase. Recent versions of the `curl` tool [enable HTTP/2 by default](https://curl.se/docs/manpage.html#--http2) for HTTPS connections.
+ example_value: |-
+ Example 1: ["application/json"]
+ Example 2: ["This header value is longer than 10 bytes"]
+
+ example_block: |-
+ # Example 1: Check for specific header value.
+ any(http.request.headers.values[*] == "application/json")
+
+ # Example 2: Match requests according to the specified operator and the length/size entered for the header value.
+ any(len(http.request.headers.values[*])[*] gt 10)
+
+ - name: http.request.headers.truncated
+ data_type: Boolean
+ categories: [Request, Headers]
+ keywords: [request, client, visitor]
+ summary: Indicates whether the HTTP request contains too many headers.
+ description: |-
+ When `true`, [`http.request.headers`](/ruleset-engine/rules-language/fields/reference/http.request.headers), [`http.request.headers.names`](/ruleset-engine/rules-language/fields/reference/http.request.headers.names), and [`http.request.headers.values`](/ruleset-engine/rules-language/fields/reference/http.request.headers.values) may not contain all of the headers sent in the HTTP request.
+
+ - name: http.request.accepted_languages
+ data_type: Array
+ categories: [Request, Headers]
+ keywords: [request, client, visitor]
+ summary: List of language tags provided in the [`Accept-Language`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language) HTTP request header.
+ description: |-
+ Language tags are sorted by weight (`;q=`, with a default weight of `1`) in descending order.
+
+ If the HTTP header is not present in the request or is empty, `http.request.accepted_languages[0]` will return a "[missing value](/ruleset-engine/rules-language/values/#notes)", which the [`concat()`](/ruleset-engine/rules-language/functions/#concat) function will handle as an empty string.
+
+ If the HTTP header includes the language tag `*` it will not be stored in the array.
+
+ **Note**: This field is only available in [Transform Rules](/rules/transform/).
+ example_block: |-
+ # Example 1: Request with header "Accept-Language: fr-CH, fr;q=0.8, en;q=0.9, de;q=0.7, *;q=0.5".
+ # In this case:
+ http.request.accepted_languages[0] ==> "fr-CH"
+ http.request.accepted_languages ==> ["fr-CH", "en", "fr", "de"]
+
+ # Example 2: Request without an `Accept-Language` HTTP header and a URI of "https://www.example.com/my-path".
+ # In this case:
+ concat("/", http.request.accepted_languages[0], http.request.uri.path) ==> "//my-path"
+
+ - name: http.request.body.raw
+ data_type: String
+ categories: [Request, Body, Raw fields]
+ keywords: [request, body, raw, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The unaltered HTTP request body.
+ description: |-
+ When the value of [`http.request.body.truncated`](/ruleset-engine/rules-language/fields/reference/http.request.body.truncated/) is `true`, the return value may be truncated.
+
+ - **Decoding**: No decoding performed
+ - **Whitespace**: Preserved
+ - **Non-ASCII**: Preserved
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+
+ - name: http.request.body.truncated
+ data_type: Boolean
+ categories: [Request, Body]
+ keywords: [request, body, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: Indicates whether the HTTP request body is truncated.
+ description: |-
+ When `true`, `http.request.body.*` fields may not contain all of the HTTP request body.
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+
+ - name: http.request.body.size
+ data_type: Number
+ categories: [Request, Body]
+ keywords: [request, body, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The total size of the HTTP request body (in bytes).
+ description: |-
+ This field may have a value larger than the one returned by `len(http.request.body.raw)`, since the [`http.request.body.raw`](/ruleset-engine/rules-language/fields/reference/http.request.body.raw/) field only considers the request body up to a maximum size that varies according to your Cloudflare plan.
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+
+ - name: http.request.body.form
+ data_type: Map>
+ categories: [Request, Body]
+ keywords: [request, body, form, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The HTTP request body of a form represented as a Map (or associative array).
+ description: |-
+ Populated when the `Content-Type` header is `application/x-www-form-urlencoded`.
+
+ The values are not pre-processed and retain the original case used in the request.
+
+ When a field repeats, then the array contains multiple items in the order they are in the request.
+
+ The return value may be truncated if [`http.request.body.truncated`](/ruleset-engine/rules-language/fields/reference/http.request.body.truncated) is `true`.
+
+ - **Decoding**: No decoding performed
+ - **Whitespace**: Preserved
+ - **Non-ASCII**: Preserved
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+ example_value: |-
+ {username": ["admin"]}
+ example_block: |-
+ any(http.request.body.form["username"][*] == "admin")
+
+ - name: http.request.body.form.names
+ data_type: Array
+ categories: [Request, Body]
+ keywords: [request, body, form, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The names of the form fields in an HTTP request.
+ description: |-
+ Populated when the `Content-Type` header is `application/x-www-form-urlencoded`.
+
+ Names are not pre-processed and retain the original case used in the request. They are listed in the same order as in the request.
+
+ Duplicate names are listed multiple times.
+
+ The return value may be truncated if [`http.request.body.truncated`](/ruleset-engine/rules-language/fields/reference/http.request.body.truncated) is `true`.
+
+ - **Decoding**: No decoding performed
+ - **Whitespace**: Preserved
+ - **Non-ASCII**: Preserved
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+ example_value: |-
+ ["username"]
+ example_block: |-
+ any(http.request.body.form.names[*] == "username")
+
+ - name: http.request.body.form.values
+ data_type: Array
+ categories: [Request, Body]
+ keywords: [request, body, form, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: The values of the form fields in an HTTP request.
+ description: |-
+ Populated when the `Content-Type` header is `application/x-www-form-urlencoded`.
+
+ Values are not pre-processed and retain the original case used in the request. They are listed in the same order as in the request.
+
+ Duplicated values are listed multiple times.
+
+ The return value may be truncated if [`http.request.body.truncated`](/ruleset-engine/rules-language/fields/reference/http.request.body.truncated) is `true`.
+
+ - **Decoding**: No decoding performed
+ - **Whitespace**: Preserved
+ - **Non-ASCII**: Preserved
+
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+ example_value: |-
+ ["admin"]
+ example_block: |-
+ any(http.request.body.form.values[*] == "admin")
+
+ - name: http.request.body.mime
+ data_type: String
+ categories: [Request, Body]
+ keywords: [request, body, client, visitor]
+ summary: The MIME type of the request detected from the request body.
+ description: |-
+ Supports the most common MIME types of the following general categories: video, audio, image, application, text.
+ example_value: |-
+ "image/jpeg"
+ example_block: |-
+ http.request.body.mime in {"image/bmp" "image/gif" "image/jpeg" "image/png" "image/tiff"}
+
+ - name: http.request.body.multipart
+ data_type: Map>
+ categories: [Request, Body]
+ keywords: [request, body, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: A Map (or associative array) representation of multipart names to multipart values in the request body.
+ description: |-
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+ example_value: |-
+ {"username": ["alice_doe"], "role": ["editor"], "picture": []}
+ example_block: |-
+ any(http.request.body.multipart["role"][*] == "admin")
+
+ - name: http.request.body.multipart.names
+ data_type: Array>
+ categories: [Request, Body]
+ keywords: [request, body, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: List of multipart names for every part in the multipart body.
+ description: |-
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+ example_value: |-
+ [["username"], ["picture"]]
+ example_block: |-
+ any(http.request.body.multipart.names[*][0] == "picture")
+
+ - name: http.request.body.multipart.values
+ data_type: Array
+ categories: [Request, Body]
+ keywords: [request, body, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: List of multipart values for every part in the multipart body.
+ description: |-
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+ example_value: |-
+ ["alice_doe", ]
+ example_block: |-
+ any(http.request.body.multipart.values[*] == "alice_doe")
+
+ - name: http.request.body.multipart.content_types
+ data_type: Array>
+ categories: [Request, Body]
+ keywords: [request, body, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: List of `Content-Type` headers for each part in the multipart body.
+ description: |-
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+ example_value: |-
+ [["text/plain"], ["image/jpeg"]]
+ example_block: |-
+ any(http.request.body.multipart.content_types[*][0] == "application/octet-stream")
+
+ - name: http.request.body.multipart.content_dispositions
+ data_type: Array>
+ categories: [Request, Body]
+ keywords: [request, body, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: List of `Content-Disposition` headers for each part in the multipart body.
+ description: |-
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+ example_value: |-
+ [["form-data; name=\"username\""], ["form-data; name=\"picture\""]]
+ example_block: |-
+ any(http.request.body.multipart.content_dispositions[*][0] in {"form-data; name=\"username\"" "form-data; name=\"picture\""})
+
+ - name: http.request.body.multipart.content_transfer_encodings
+ data_type: Array>
+ categories: [Request, Body]
+ keywords: [request, body, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: List of `Content-Transfer-Encoding` headers for each part in the multipart body.
+ description: |-
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+ example_value: |-
+ [["quoted-printable"], ["base64"]]
+ example_block: |-
+ any(http.request.body.multipart.content_transfer_encodings[*][0] == "binary")
+
+ - name: http.request.body.multipart.filenames
+ data_type: Array>
+ categories: [Request, Body]
+ keywords: [request, body, client, visitor]
+ plan_info_label: Enterprise add-on
+ summary: List of filenames for each part in the multipart body.
+ description: |-
+ Requires a Cloudflare Enterprise plan with a paid add-on.
+ example_value: |-
+ [["file1.txt"], ["photo.jpg"]]
+ example_block: |-
+ any(http.request.body.multipart.filenames[*][0] in {"token.txt" "password.txt"})
+
+ - name: http.response.code
+ data_type: Integer
+ categories: [Response]
+ keywords: [response]
+ summary: The HTTP status code returned to the client, either set by a Cloudflare product or returned by the origin server.
+ example_value: |-
+ 403
+
+ - name: http.response.headers
+ data_type: Map>
+ categories: [Response, Headers]
+ keywords: [response]
+ summary: The HTTP response headers represented as a Map (or associative array).
+ description: |-
+ When there are repeating headers, the array includes them in the order they appear in the response. The keys convert to lowercase.
+
+ - **Decoding**: No decoding performed
+ - **Whitespace**: Preserved
+ - **Non-ASCII**: Preserved
+ example_value: |-
+ {"server": ["nginx"]}
+ example_block: |-
+ any(http.response.headers["server"][*] == "nginx")
+
+ - name: http.response.headers.names
+ data_type: Array
+ categories: [Response, Headers]
+ keywords: [response]
+ summary: The names of the headers in the HTTP response.
+ description: |-
+ The names are not pre-processed and retain the original case used in the response.
+
+ The order of header names is not guaranteed but will match [`http.response.headers.values`](/ruleset-engine/rules-language/fields/reference/http.response.headers.values/).
+
+ Duplicate headers are listed multiple times.
+
+ - **Decoding**: No decoding performed
+ - **Whitespace**: Preserved
+ - **Non-ASCII**: Preserved
+ example_value: |-
+ ["content-type"]
+ example_block: |-
+ any(http.response.headers.names[*] == "content-type")
+
+ - name: http.response.headers.values
+ data_type: Array
+ categories: [Response, Headers]
+ keywords: [response]
+ summary: The values of the headers in the HTTP response.
+ description: |-
+ The values are not pre-processed and retain the original case used in the response.
+
+ The order of header values is not guaranteed but will match [`http.response.headers.names`](/ruleset-engine/rules-language/fields/reference/http.response.headers.names/).
+
+ Duplicate headers are listed multiple times.
+
+ - **Decoding**: No decoding performed
+ - **Whitespace**: Preserved
+ - **Non-ASCII**: Preserved
+ example_value: |-
+ Example 1: ["application/json"]
+ Example 2: ["This header value is longer than 10 bytes"]
+ example_block: |-
+ # Example 1: Check for specific header value.
+ any(http.response.headers.values[*] == "application/json")
+
+ # Example 2: Match requests according to the specified operator and the length/size entered for the header value.
+ any(len(http.response.headers.values[*])[*] gt 10)
+
+ - name: http.response.content_type.media_type
+ data_type: String
+ categories: [Response, Headers]
+ keywords: [response]
+ summary: The lowercased content type (including subtype and suffix) without any extra parameters, based on the response's `Content-Type` header.
+ description: |-
+ The field value will not include parameters such as `charset`.
+
+ Example values:
+
+ | Content-Type header | Field value |
+ | --------------------------------------- | ------------------- |
+ | `text/html` | `"text/html"` |
+ | `text/html; charset=utf-8` | `"text/html"` |
+ | `text/html+extra` | `"text/html+extra"` |
+ | `text/html+extra; charset=utf-8` | `"text/html+extra"` |
+ | `text/HTML` | `"text/html"` |
+ | `text/html; charset=utf-8; other=value` | `"text/html"` |
+
+ - name: cf.response.1xxx_code
+ data_type: Integer
+ categories: [Response]
+ keywords: [response, cloudflare]
+ summary: Contains the specific code for 1XXX Cloudflare errors.
+ description: |-
+ Use this field to differentiate between 1XXX errors associated with the same HTTP status code. The default value is `0`.
+
+ For a list of 1XXX errors, refer to [Troubleshooting Cloudflare 1XXX errors](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-1xxx-errors/).
+
+ **Note**: This field is only available in [HTTP response header modifications](/rules/transform/response-header-modification/) and [Custom Error Responses](/rules/custom-error-responses/).
+ example_value: |-
+ 1020
+
+ - name: cf.response.error_type
+ data_type: String
+ categories: [Response]
+ keywords: [response, cloudflare]
+ summary: A string with the type of error in the response being returned.
+ description: |-
+ The default value is an empty string (`""`).
+
+ The available values are the following:
+
+ - `"managed_challenge"`
+ - `"iuam"`
+ - `"legacy_challenge"`
+ - `"ip_ban"`
+ - `"waf"`
+ - `"5xx"`
+ - `"1xxx"`
+ - `"always_online"`
+ - `"country_challenge"`
+ - `"ratelimit"`
+
+ You can use this field to customize the response for a specific type of error (for example, all 1XXX errors or all WAF block actions).
+
+ **Note**: This field is only available in [HTTP response header modifications](/rules/transform/response-header-modification/) and [Custom Error Responses](/rules/custom-error-responses/).
diff --git a/src/content/partials/bots/firewall-variables.mdx b/src/content/partials/bots/firewall-variables.mdx
index f77466304824b8d..23c583cf25ab014 100644
--- a/src/content/partials/bots/firewall-variables.mdx
+++ b/src/content/partials/bots/firewall-variables.mdx
@@ -2,7 +2,7 @@
{}
---
-Bot Management provides access to several [new variables](/ruleset-engine/rules-language/fields/dynamic-fields/) within the expression builder of Ruleset Engine-based products such as [WAF custom rules](/waf/custom-rules/).
+Bot Management provides access to several [new variables](/ruleset-engine/rules-language/fields/reference/) within the expression builder of Ruleset Engine-based products such as [WAF custom rules](/waf/custom-rules/).
- **Bot Score** (`cf.bot_management.score`): An integer between 1-99 that indicates [Cloudflare's level of certainty](/bots/concepts/bot-score/) that a request comes from a bot.
- **Verified Bot** (`cf.bot_management.verified_bot`): A boolean value that is true if the request comes from a good bot, like Google or Bing. Most customers choose to allow this traffic. For more details, see [Traffic from known bots](/waf/troubleshooting/faq/#how-does-the-waf-handle-traffic-from-known-bots).
diff --git a/src/content/partials/rules/transform/header-modification-fields.mdx b/src/content/partials/rules/transform/header-modification-fields.mdx
index a65f6dc490d559a..4f9bb6e21049a63 100644
--- a/src/content/partials/rules/transform/header-modification-fields.mdx
+++ b/src/content/partials/rules/transform/header-modification-fields.mdx
@@ -40,11 +40,11 @@
- `ip.src.subdivision_2_iso_code`
- `ssl`
-Refer to [Fields](/ruleset-engine/rules-language/fields/) for reference information on these fields.
+Refer to [Fields](/ruleset-engine/rules-language/fields/reference/) for reference information on these fields.
:::caution[Important]
-- To obtain the value of an HTTP request header using the [`http.request.headers`](/ruleset-engine/rules-language/fields/http-request-header/#httprequestheaders) field, specify the header name in **lowercase**. For example, to get the first value of the `Accept-Encoding` request header in an expression, use: `http.request.headers["accept-encoding"][0]`.
+- To obtain the value of an HTTP request header using the [`http.request.headers`](/ruleset-engine/rules-language/fields/reference/http.request.headers/) field, specify the header name in **lowercase**. For example, to get the first value of the `Accept-Encoding` request header in an expression, use: `http.request.headers["accept-encoding"][0]`.
- Use the `to_string()` function to get the string representation of a non-string value like an Integer value. For example, `to_string(cf.bot_management.score)`.
diff --git a/src/content/partials/rules/transform/transform-phase-fields.mdx b/src/content/partials/rules/transform/transform-phase-fields.mdx
index 146cbb3a5d1f0a9..9fecbb468afc30c 100644
--- a/src/content/partials/rules/transform/transform-phase-fields.mdx
+++ b/src/content/partials/rules/transform/transform-phase-fields.mdx
@@ -39,11 +39,11 @@
- `ip.src.subdivision_2_iso_code`
- `ssl`
-Refer to [Fields](/ruleset-engine/rules-language/fields/) for reference information on these fields.
+Refer to [Fields](/ruleset-engine/rules-language/fields/reference/) for reference information on these fields.
:::caution[Important]
-- To obtain the value of an HTTP request header using the [`http.request.headers`](/ruleset-engine/rules-language/fields/http-request-header/#httprequestheaders) field, specify the header name in **lowercase**. For example, to get the first value of the `Accept-Encoding` request header in an expression, use: `http.request.headers["accept-encoding"][0]`.
+- To obtain the value of an HTTP request header using the [`http.request.headers`](/ruleset-engine/rules-language/fields/reference/http.request.headers/) field, specify the header name in **lowercase**. For example, to get the first value of the `Accept-Encoding` request header in an expression, use: `http.request.headers["accept-encoding"][0]`.
- Use the `to_string()` function to get the string representation of a non-string value like an Integer value.
diff --git a/src/content/partials/waf/rate-limiting-availability-by-plan.mdx b/src/content/partials/waf/rate-limiting-availability-by-plan.mdx
index b92a6605381df8c..81eddbfed8cdf3c 100644
--- a/src/content/partials/waf/rate-limiting-availability-by-plan.mdx
+++ b/src/content/partials/waf/rate-limiting-availability-by-plan.mdx
@@ -4,7 +4,7 @@
| Feature | Free | Pro | Business | Enterprise with app security | Enterprise with Advanced Rate Limiting |
| ------------------------------------------- | -------------------------------------------------------------------------------------------------------- | ---------------------------------------------- | ----------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| Available fields in rule expression | Path, [Verified Bot](/ruleset-engine/rules-language/fields/dynamic-fields/#cfbot_managementverified_bot) | Host, URI, Path, Full URI, Query, Verified Bot | Host, URI, Path, Full URI, Query, Method, Source IP, User Agent, Verified Bot | [Standard fields](/ruleset-engine/rules-language/fields/standard-fields/), [request header fields](/ruleset-engine/rules-language/fields/http-request-header/), [dynamic fields](/ruleset-engine/rules-language/fields/dynamic-fields/) (including Verified Bot), other Bot Management fields1 | [Standard fields](/ruleset-engine/rules-language/fields/standard-fields/), [request header fields](/ruleset-engine/rules-language/fields/http-request-header/), [dynamic fields](/ruleset-engine/rules-language/fields/dynamic-fields/) (including Verified Bot), other Bot Management fields1, [request body fields](/ruleset-engine/rules-language/fields/http-request-body/)2 |
+| Available fields in rule expression | Path, [Verified Bot](/ruleset-engine/rules-language/fields/reference/cf.bot_management.verified_bot/) | Host, URI, Path, Full URI, Query, Verified Bot | Host, URI, Path, Full URI, Query, Method, Source IP, User Agent, Verified Bot | General request fields, request header fields, Verified Bot, Bot Management fields1 | General request fields, request header fields, Verified Bot, Bot Management fields1, request body fields2 |
| Counting characteristics | IP | IP | IP | IP, IP with NAT support | IP, IP with NAT support, Query, Host, Headers, Cookie, ASN, Country, Path, JA3/JA4 Fingerprint1, JSON field value2, Body2, Form input value2, Custom |
| Available fields in counting expression | N/A | N/A | All rule expression fields, Response code, Response headers | All rule expression fields, Response code, Response headers | All rule expression fields, Response code, Response headers |
| Counting model | Number of requests | Number of requests | Number of requests | Number of requests | Number of requests, [complexity score](/waf/rate-limiting-rules/request-rate/#complexity-based-rate-limiting) |
diff --git a/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro b/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro
new file mode 100644
index 000000000000000..5c7e835587ad5e0
--- /dev/null
+++ b/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro
@@ -0,0 +1,125 @@
+---
+import type { GetStaticPaths, MarkdownHeading } from "astro";
+import { marked } from "marked";
+import { getEntry } from "astro:content";
+import StarlightPage, {
+ type StarlightPageProps,
+} from "@astrojs/starlight/components/StarlightPage.astro";
+import { Code, Aside, Type } from "~/components";
+import FieldBadges from "~/components/fields/FieldBadges.jsx";
+
+export const getStaticPaths = (async () => {
+ const fields = await getEntry("fields", "index");
+
+ return fields.data.entries.map((entry) => {
+ return {
+ params: {
+ name: entry.name,
+ },
+ props: { field: entry },
+ };
+ });
+}) satisfies GetStaticPaths;
+
+const { name } = Astro.params;
+const { field } = Astro.props;
+
+// disable conversion of relative links to absolute links
+// set in /src/pages/changelog/index/index.xml.ts
+marked.use({ walkTokens: null });
+
+let CodeExamples = null;
+const description = field.description;
+
+// Strong type coercion needed due to Starlight's component override for hideTitle
+const starlightPageProps = {
+ frontmatter: {
+ title: field.name,
+ description: field.summary,
+ },
+ hideTitle: true,
+} as StarlightPageProps;
+---
+
+
+