From cf1a4f78849e9634552f6ead8b87d53f11e4459c Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Thu, 5 Dec 2024 14:35:21 +0000
Subject: [PATCH 01/45] [Ruleset Engine] Fields reference PoC

---
 src/components/FieldCatalog.jsx               | 193 ++++++++++++++++++
 src/components/models/FieldBadges.jsx         |  16 ++
 src/content/config.ts                         |   6 +
 .../rules-language/fields/reference/index.mdx |   9 +
 src/content/fields/index.yaml                 |  71 +++++++
 .../fields/reference/[name].astro             | 172 ++++++++++++++++
 .../fields/reference/index.astro              |  20 ++
 src/schemas/fields.ts                         |  18 ++
 src/schemas/index.ts                          |   1 +
 9 files changed, 506 insertions(+)
 create mode 100644 src/components/FieldCatalog.jsx
 create mode 100644 src/components/models/FieldBadges.jsx
 create mode 100644 src/content/docs/ruleset-engine/rules-language/fields/reference/index.mdx
 create mode 100644 src/content/fields/index.yaml
 create mode 100644 src/pages/ruleset-engine/rules-language/fields/reference/[name].astro
 create mode 100644 src/pages/ruleset-engine/rules-language/fields/reference/index.astro
 create mode 100644 src/schemas/fields.ts

diff --git a/src/components/FieldCatalog.jsx b/src/components/FieldCatalog.jsx
new file mode 100644
index 000000000000000..66159ec32afa676
--- /dev/null
+++ b/src/components/FieldCatalog.jsx
@@ -0,0 +1,193 @@
+import { useState } from "react";
+// import ModelInfo from "./fields/ModelInfo";
+// import ModelBadges from "./fields/ModelBadges";
+// import { authorData } from "./fields/data";
+import { marked } from "marked";
+
+const FieldCatalog = ({ fields }) => {
+	const [filters, setFilters] = useState({
+		search: "",
+		categories: [],
+		keywords: [],
+		// capabilities: [],
+	});
+	const mapped = fields; //fields.map((field) => ({
+	// 	field: {
+	// 		...field,
+	// 	},
+	// 	field_display_name: field.name,
+	// }));
+
+	const categories = [
+		...new Set(fields.map((field) => field.categories).flat()),
+	];
+	const keywords = [...new Set(fields.map((field) => field.keywords).flat())];
+	// const capabilities = [
+	// 	...new Set(
+	// 		fields
+	// 			.map((model) =>
+	// 				model.properties
+	// 					.flatMap(({ property_id, value }) => {
+	// 						if (property_id === "lora" && value === "true") {
+	// 							return "LoRA";
+	// 						}
+
+	// 						if (property_id === "function_calling" && value === "true") {
+	// 							return "Function calling";
+	// 						}
+	// 					})
+	// 					.filter((p) => Boolean(p)),
+	// 			)
+	// 			.flat(),
+	// 	),
+	// ];
+
+	// apply filters to the fields list
+	const fieldList = mapped.filter(({ field }) => {
+		// if (filters.authors.length > 0) {
+		// 	if (!filters.authors.includes(field.name.split("/")[1])) {
+		// 		return false;
+		// 	}
+		// }
+
+		// if (filters.tasks.length > 0) {
+		// 	if (!filters.tasks.includes(field.task.name)) {
+		// 		return false;
+		// 	}
+		// }
+
+		// if (filters.capabilities.length > 0) {
+		// 	if (!field.capabilities.some((c) => filters.capabilities.includes(c))) {
+		// 		return false;
+		// 	}
+		// }
+
+		// if (filters.search) {
+		// 	if (!field.name.toLowerCase().includes(filters.search.toLowerCase())) {
+		// 		return false;
+		// 	}
+		// }
+
+		return true;
+	});
+
+	return (
+		<div className="md:flex">
+			<div className="md:w-1/4 w-full mr-8">
+				<input
+					type="text"
+					className="w-full mb-8 rounded-md bg-white dark:bg-black border-2 border-gray-200 dark:border-gray-700 px-2 py-2"
+					placeholder="Search fields"
+					value={filters.search}
+					onChange={(e) => setFilters({ ...filters, search: e.target.value })}
+				/>
+
+				<div className="!mb-8 md:block hidden">
+					<span className="uppercase text-gray-600 dark:text-gray-200 text-sm font-bold">
+						▼ Categories
+					</span>
+
+					{categories.map((category) => (
+						<label key={category} className="block !my-2">
+							<input
+								type="checkbox"
+								className="mr-2"
+								value={category}
+								onClick={(e) => {
+									if (e.target.checked) {
+										setFilters({
+											...filters,
+											categories: [...filters.categories, e.target.value],
+										});
+									} else {
+										setFilters({
+											...filters,
+											categories: filters.categories.filter(
+												(f) => f !== e.target.value,
+											),
+										});
+									}
+								}}
+							/>{" "}
+							{category}
+						</label>
+					))}
+				</div>
+
+				<div className="!mb-8 md:block hidden">
+					<span className="uppercase text-gray-600 dark:text-gray-200 text-sm font-bold">
+						▼ Keywords
+					</span>
+
+					{keywords.map((keyword) => (
+						<label key={keyword} className="block !my-2">
+							<input
+								type="checkbox"
+								value={keyword}
+								className="mr-2"
+								onClick={(e) => {
+									if (e.target.checked) {
+										setFilters({
+											...filters,
+											keywords: [...filters.keywords, e.target.value],
+										});
+									} else {
+										setFilters({
+											...filters,
+											keywords: filters.keywords.filter(
+												(f) => f !== e.target.value,
+											),
+										});
+									}
+								}}
+							/>{" "}
+							{keyword}
+						</label>
+					))}
+				</div>
+			</div>
+
+			<div className="flex md:w-3/4 w-full gap-[1%] items-stretch self-start flex-wrap !mt-0">
+				{fieldList.length === 0 && (
+					<div className="border bg-gray-50 dark:bg-gray-800 dark:border-gray-500 rounded-md w-full flex-col flex align-middle justify-center text-center py-6">
+						<span className="text-lg !font-bold">No fields found</span>
+						<p>
+							Try a different search term, or broaden your search by removing
+							filters.
+						</p>
+					</div>
+				)}
+				{fieldList.map((field) => {
+					// removed lg:w-[48%] from anchor classes below
+					return (
+						<a
+							key={field.name}
+							className="p-3 border-gray-200 dark:border-gray-700 border-solid border rounded-md w-full block !text-inherit no-underline self-start hover:bg-gray-50 dark:hover:bg-black mb-3"
+							href={`/ruleset-engine/rules-language/fields/reference/${field.name}`}
+						>
+							<div className="-mb-1 flex items-center">
+								<span className="font-semibold text-lg text-ellipsis overflow-hidden whitespace-nowrap">
+									{field.name}
+								</span>
+							</div>
+							{/* <div className="text-xs !m-0">
+								<ModelInfo model={field.model} />
+							</div> */}
+							<p
+								className="!mt-2 line-clamp-2 text-sm leading-6"
+								dangerouslySetInnerHTML={{
+									__html: marked.parseInline(field.summary),
+								}}
+							/>
+							{/* <div className="text-xs !mt-2">
+								<ModelBadges model={model.model} />
+							</div> */}
+						</a>
+					);
+				})}
+			</div>
+		</div>
+	);
+};
+
+export default FieldCatalog;
diff --git a/src/components/models/FieldBadges.jsx b/src/components/models/FieldBadges.jsx
new file mode 100644
index 000000000000000..9068931207ee57f
--- /dev/null
+++ b/src/components/models/FieldBadges.jsx
@@ -0,0 +1,16 @@
+const FieldBadges = ({ badges }) => {
+	return (
+		<ul className="list-none m-0 p-0 inline-flex items-center gap-2 text-xs">
+			{badges.map((badge) => (
+				<li
+					key={badge}
+					className="bg-gray-100 dark:bg-gray-700 px-2 py-1 rounded-md block !mt-0"
+				>
+					{badge}
+				</li>
+			))}
+		</ul>
+	);
+};
+
+export default FieldBadges;
diff --git a/src/content/config.ts b/src/content/config.ts
index 60cccf2337838d5..9c81d5096e367c8 100644
--- a/src/content/config.ts
+++ b/src/content/config.ts
@@ -1,5 +1,6 @@
 import { z, defineCollection } from "astro:content";
 import { docsSchema, i18nSchema } from "@astrojs/starlight/schema";
+import { file } from "astro/loaders";
 import {
 	appsSchema,
 	changelogsSchema,
@@ -12,6 +13,7 @@ import {
 	learningPathsSchema,
 	videosSchema,
 	workersAiSchema,
+	fieldsSchema,
 } from "~/schemas";
 
 const partialSchema = z.object({
@@ -66,6 +68,10 @@ export const collections = {
 		schema: workersAiSchema,
 		type: "data",
 	}),
+	fields: defineCollection({
+		schema: fieldsSchema,
+		type: "data",
+	}),
 	videos: defineCollection({
 		schema: videosSchema,
 		type: "data",
diff --git a/src/content/docs/ruleset-engine/rules-language/fields/reference/index.mdx b/src/content/docs/ruleset-engine/rules-language/fields/reference/index.mdx
new file mode 100644
index 000000000000000..cab4bf3a07a0b54
--- /dev/null
+++ b/src/content/docs/ruleset-engine/rules-language/fields/reference/index.mdx
@@ -0,0 +1,9 @@
+---
+pcx_content_type: navigation
+title: Fields reference
+hideChildren: true
+---
+
+import FieldCatalog from "~/pages/ruleset-engine/rules-language/fields/reference/index.astro";
+
+<FieldCatalog />
diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
new file mode 100644
index 000000000000000..810344d5d0beee9
--- /dev/null
+++ b/src/content/fields/index.yaml
@@ -0,0 +1,71 @@
+entries:
+  - name: http.cookie
+    data_type: String
+    categories: [Request, Headers]
+    keywords: [request, cookie, header, client, visitor]
+    summary: The entire cookie as a string.
+    example_value: |-
+      session=8521F670545D7865F79C3D7BEDC29CCE;-background=light
+
+  - name: http.host
+    data_type: String
+    categories: [Request, URI]
+    keywords: [request, uri, url, domain, source, visitor]
+    summary: The hostname used in the full request URI.
+    example_value: |-
+      www.example.org
+
+  - name: http.request.full_uri
+    data_type: String
+    categories: [Request, URI]
+    keywords: [request, uri, url, source, visitor]
+    summary: The full URI as received by the web server.
+    description: |-
+      The value will not include the `#fragment` part, which is not sent to web servers.
+    example_value: |-
+      https://www.example.org/articles/index?section=539061&expand=comments
+
+  - name: http.request.method
+    data_type: String
+    categories: [Request, URI]
+    keywords: [request, source, visitor]
+    summary: The HTTP method, returned as a string of uppercase characters.
+    example_value: |-
+      GET
+
+  - name: http.request.cookies
+    data_type: Map<Array<String>>
+    categories: [Request, Headers]
+    keywords: [request, header, source, visitor]
+    summary: The `Cookie` HTTP header associated with a request represented as a Map (associative array).
+    description: |-
+      The cookie names are URL decoded. If two cookies have the same name after decoding, their value arrays are merged.
+
+      The cookie values are not pre-processed and retain the original case used in the request.
+    example_value: |-
+      { "app": ["test"] }
+    example_block: |-
+      any(http.request.cookies["app"][*] == "test")
+
+  - name: http.referer
+    data_type: String
+    categories: [Request, Headers]
+    keywords: [request, header, referer, referrer, client, visitor]
+    summary: The HTTP `Referer` request header, which contains the address of the web page that linked to the currently requested page.
+    example_value: |-
+      Referer: https://developer.example.org/en-US/docs/Web/JavaScript
+
+  - name: test.request.body.multipart.content_transfer_encodings
+    data_type: "Array<Array<String>>"
+    categories: [Request, Body]
+    keywords: [request, body, payload, form, multipart, upload, source, visitor]
+    summary: One liner here.
+    description: |-
+      This is a longer description, possibly using [Markdown](/).
+    plan_info_label: ENT
+    plan_info_description: Enterprise plan
+    example_value: |-
+      "asdfasdfuhaoweuqhre must keep quotes!"
+    example_block: |-
+      func(a, b)    # correct
+      a func b      # incorrect
diff --git a/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro b/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro
new file mode 100644
index 000000000000000..2d64893f6d6ae4b
--- /dev/null
+++ b/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro
@@ -0,0 +1,172 @@
+---
+import type { GetStaticPaths, MarkdownHeading } from "astro";
+import { marked } from "marked";
+import { getEntry } from "astro:content";
+import StarlightPage, {
+	type StarlightPageProps,
+} from "@astrojs/starlight/components/StarlightPage.astro";
+import { Code, Aside, Type } from "~/components";
+import FieldBadges from "~/components/models/FieldBadges.jsx";
+
+export const getStaticPaths = (async () => {
+	const fields = await getEntry("fields", "index");
+
+	return fields.data.entries.map((entry) => {
+		return {
+			params: {
+				name: entry.name,
+			},
+			props: { field: entry },
+		};
+	});
+}) satisfies GetStaticPaths;
+
+const { name } = Astro.params;
+const { field } = Astro.props;
+
+let CodeExamples = null;
+// switch (field.task.name) {
+// 	case "Text Generation":
+// 		CodeExamples = TextGenerationCode;
+// 		break;
+// 	case "Automatic Speech Recognition":
+// 		CodeExamples = AutomaticSpeechRecognitionCode;
+// 		break;
+// 	case "Image Classification":
+// 		CodeExamples = ImageClassificationCode;
+// 		break;
+// 	case "Object Detection":
+// 		CodeExamples = ObjectDetectionCode;
+// 		break;
+// 	case "Image-to-Text":
+// 		CodeExamples = ImageToTextCode;
+// 		break;
+// 	case "Text-to-Image":
+// 		CodeExamples = TextToImageCode;
+// 		break;
+// 	case "Translation":
+// 		CodeExamples = TranslationCode;
+// 		break;
+// 	case "Summarization":
+// 		CodeExamples = SummarizationCode;
+// 		break;
+// 	case "Text Embedding":
+// 		CodeExamples = TextEmbeddingCode;
+// 		break;
+// 	case "Text Classification":
+// 		CodeExamples = TextClassificationCode;
+// 		break;
+// }
+
+// // Overrides
+// if (field.name === "@cf/runwayml/stable-diffusion-v1-5-img2img") {
+// 	CodeExamples = StableDiffusionV15Img2ImgCode;
+// }
+
+// if (field.name === "@cf/runwayml/stable-diffusion-v1-5-inpainting") {
+// 	CodeExamples = StableDiffusionV15InpaintingCode;
+// }
+
+// if (field.name === "@cf/black-forest-labs/flux-1-schnell") {
+// 	CodeExamples = Flux1Schnell;
+// }
+
+const description = field.description;
+
+// Strong type coercion needed due to Starlight's component override for hideTitle
+const starlightPageProps = {
+	frontmatter: {
+		title: field.name,
+		description: field.summary,
+	},
+	// headings: [
+	// 	hasPlayground
+	// 		? { depth: 2, slug: "Playground", text: "Playground" }
+	// 		: false,
+	// 	CodeExamples ? { depth: 2, slug: "Usage", text: "Usage" } : false,
+	// 	{ depth: 2, slug: "Parameters", text: "Parameters" },
+	// 	{ depth: 3, slug: "Input", text: "Input" },
+	// 	{ depth: 3, slug: "Output", text: "Output" },
+	// 	{ depth: 2, slug: "API Schemas", text: "API Schemas" },
+	// ].filter((v) => Boolean(v)) as MarkdownHeading[],
+	hideTitle: true,
+} as StarlightPageProps;
+---
+
+<StarlightPage {...starlightPageProps}>
+	<div class="flex align-center">
+		<div>
+			<h1
+				id="_top"
+				class="!-mt-4 !mb-2 !leading-none !text-2xl !font-bold flex items-center"
+			>
+				{name}
+			</h1>
+		</div>
+	</div>
+
+	<code>{field.name}</code>
+	<Type text={field.data_type} />
+
+	<p class="mt-3" set:html={marked.parseInline(field.summary)} />
+
+	{
+		description && (
+			<>
+				<div set:html={marked.parse(description)} />
+			</>
+		)
+	}
+
+	{
+		field.name === "@cf/meta/llama-3.2-11b-vision-instruct" && (
+			<Aside>
+				<p>
+					To use Llama 3.2 11b Vision Instruct, you need to agree to the{" "}
+					<a href="https://github.com/meta-llama/llama-models/blob/main/models/llama3_2/LICENSE">
+						Meta License
+					</a>{" "}
+					and{" "}
+					<a href="https://github.com/meta-llama/llama-models/blob/main/models/llama3_2/USE_POLICY.md">
+						Acceptable Use Policy
+					</a>
+					. To do so, please send an initial request to
+					<code>@cf/meta/llama-3.2-11b-vision-instruct</code> with
+					<code>"prompt" : "agree"</code>. After that, you'll be able to use the
+					model as normal.
+				</p>
+				<Code
+					code={`curl https://api.cloudflare.com/client/v4/accounts/$CLOUDFLARE_ACCOUNT_ID/ai/run/@cf/meta/llama-3.2-11b-vision-instruct \\
+   -X POST \\
+   -H "Authorization: Bearer $CLOUDFLARE_AUTH_TOKEN" \\
+   -d '{ "prompt": "agree"}'`}
+					lang="sh"
+				/>
+			</Aside>
+		)
+	}
+
+	{
+		field.example_value && (
+			<>
+				<p id="example-value">Example value:</p>
+				<Code code={field.example_value} lang="txt" />
+			</>
+		)
+	}
+
+	{
+		field.example_block && (
+			<>
+				<p id="example-block">Example:</p>
+				<Code code={field.example_block} lang="txt" />
+			</>
+		)
+	}
+
+	<div class="!mt-8">
+		<span class="text-xs"
+			>Categories: <FieldBadges badges={field.categories} /></span
+		>
+	</div>
+</StarlightPage>
diff --git a/src/pages/ruleset-engine/rules-language/fields/reference/index.astro b/src/pages/ruleset-engine/rules-language/fields/reference/index.astro
new file mode 100644
index 000000000000000..7eddd950244a731
--- /dev/null
+++ b/src/pages/ruleset-engine/rules-language/fields/reference/index.astro
@@ -0,0 +1,20 @@
+---
+import { getEntry } from "astro:content";
+import StarlightPage from "@astrojs/starlight/components/StarlightPage.astro";
+import FieldCatalog from "~/components/FieldCatalog.jsx";
+
+const fieldData = await getEntry("fields", "index");
+const fields = fieldData.data.entries;
+---
+
+<StarlightPage
+	frontmatter={{ title: "Fields reference", tableOfContents: false }}
+>
+	<FieldCatalog fields={fields} client:load />
+</StarlightPage>
+
+<style>
+	:root {
+		--sl-content-width: 1350px !important;
+	}
+</style>
diff --git a/src/schemas/fields.ts b/src/schemas/fields.ts
new file mode 100644
index 000000000000000..685a47521378ef1
--- /dev/null
+++ b/src/schemas/fields.ts
@@ -0,0 +1,18 @@
+import { z } from "astro:schema";
+
+export const fieldsSchema = z.object({
+	entries: z
+		.object({
+			name: z.string(),
+			data_type: z.string(),
+			categories: z.array(z.string()).optional(),
+			keywords: z.array(z.string()).optional(),
+			summary: z.string(),
+			description: z.string().optional(),
+			plan_info_label: z.string().optional(),
+			plan_info_description: z.string().optional(),
+			example_value: z.string().optional(),
+			example_block: z.string().optional(),
+		})
+		.array(),
+});
diff --git a/src/schemas/index.ts b/src/schemas/index.ts
index 3288e0e47cda269..8aacec8a5058a72 100644
--- a/src/schemas/index.ts
+++ b/src/schemas/index.ts
@@ -2,6 +2,7 @@ export * from "./apps";
 export * from "./base";
 export * from "./changelogs";
 export * from "./compatibility-flags";
+export * from "./fields";
 export * from "./glossary";
 export * from "./learning-paths";
 export * from "./notifications";

From eef4f30e1f54b722740abb06f35b92a5ac87e589 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Fri, 6 Dec 2024 19:26:52 +0000
Subject: [PATCH 02/45] Add search (text, categories)

---
 src/components/FieldCatalog.jsx | 33 +++++++++++++++++++++------------
 src/content/fields/index.yaml   |  2 +-
 2 files changed, 22 insertions(+), 13 deletions(-)

diff --git a/src/components/FieldCatalog.jsx b/src/components/FieldCatalog.jsx
index 66159ec32afa676..a70f2cb25cc867f 100644
--- a/src/components/FieldCatalog.jsx
+++ b/src/components/FieldCatalog.jsx
@@ -43,12 +43,12 @@ const FieldCatalog = ({ fields }) => {
 	// ];
 
 	// apply filters to the fields list
-	const fieldList = mapped.filter(({ field }) => {
-		// if (filters.authors.length > 0) {
-		// 	if (!filters.authors.includes(field.name.split("/")[1])) {
-		// 		return false;
-		// 	}
-		// }
+	const fieldList = mapped.filter((field) => {
+		if (filters.categories.length > 0) {
+			if (!field.categories?.some((c) => filters.categories.includes(c))) {
+				return false;
+			}
+		}
 
 		// if (filters.tasks.length > 0) {
 		// 	if (!filters.tasks.includes(field.task.name)) {
@@ -62,11 +62,20 @@ const FieldCatalog = ({ fields }) => {
 		// 	}
 		// }
 
-		// if (filters.search) {
-		// 	if (!field.name.toLowerCase().includes(filters.search.toLowerCase())) {
-		// 		return false;
-		// 	}
-		// }
+		if (filters.search) {
+			// search keywords
+			let keywordFound = field.keywords?.some(
+				(kw) => kw.indexOf(filters.search) >= 0,
+			);
+
+			if (
+				!field.name.toLowerCase().includes(filters.search.toLowerCase()) &&
+				!field.summary.toLowerCase().includes(filters.search.toLowerCase()) &&
+				!keywordFound
+			) {
+				return false;
+			}
+		}
 
 		return true;
 	});
@@ -162,7 +171,7 @@ const FieldCatalog = ({ fields }) => {
 					return (
 						<a
 							key={field.name}
-							className="p-3 border-gray-200 dark:border-gray-700 border-solid border rounded-md w-full block !text-inherit no-underline self-start hover:bg-gray-50 dark:hover:bg-black mb-3"
+							className="p-3 border-gray-200 dark:border-gray-700 border-solid border rounded-md lg:w-[48%] w-full block !text-inherit no-underline self-start hover:bg-gray-50 dark:hover:bg-black mb-3"
 							href={`/ruleset-engine/rules-language/fields/reference/${field.name}`}
 						>
 							<div className="-mb-1 flex items-center">
diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index 810344d5d0beee9..ce19246d7c6b86b 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -27,7 +27,7 @@ entries:
 
   - name: http.request.method
     data_type: String
-    categories: [Request, URI]
+    categories: [Request]
     keywords: [request, source, visitor]
     summary: The HTTP method, returned as a string of uppercase characters.
     example_value: |-

From f8e4e45b986cdc4f27918e5b9cad7ea1608cb062 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Mon, 9 Dec 2024 12:25:52 +0000
Subject: [PATCH 03/45] Add geolocation field

---
 src/content/fields/index.yaml | 51 +++++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index ce19246d7c6b86b..bf6945b6f21c896 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -55,6 +55,57 @@ entries:
     example_value: |-
       Referer: https://developer.example.org/en-US/docs/Web/JavaScript
 
+  - name: ip.src.is_in_european_union
+    data_type: Boolean
+    categories: [Request, Geolocation]
+    keywords: [request, location, europe, country, maxmind, source, visitor]
+    summary: Returns `true` when the request originates from a country in the European Union (EU).
+    description: |-
+      <details><summary><p>Countries in the EU (from geolocation data)</p></summary>
+
+      | Country code | Country name    |
+      | ------------ | --------------- |
+      | `AT`         | Austria         |
+      | `AX`         | Åland Islands   |
+      | `BE`         | Belgium         |
+      | `BG`         | Bulgaria        |
+      | `CY`         | Cyprus          |
+      | `CZ`         | Czechia         |
+      | `DE`         | Germany         |
+      | `DK`         | Denmark         |
+      | `EE`         | Estonia         |
+      | `ES`         | Spain           |
+      | `FI`         | Finland         |
+      | `FR`         | France          |
+      | `GF`         | French Guiana   |
+      | `GP`         | Guadeloupe      |
+      | `GR`         | Greece          |
+      | `HR`         | Croatia         |
+      | `HU`         | Hungary         |
+      | `IE`         | Ireland         |
+      | `IT`         | Italy           |
+      | `LT`         | Lithuania       |
+      | `LU`         | Luxembourg      |
+      | `LV`         | Latvia          |
+      | `MF`         | Saint Martin    |
+      | `MQ`         | Martinique      |
+      | `MT`         | Malta           |
+      | `NL`         | The Netherlands |
+      | `PL`         | Poland          |
+      | `PT`         | Portugal        |
+      | `RE`         | Réunion         |
+      | `RO`         | Romania         |
+      | `SE`         | Sweden          |
+      | `SI`         | Slovenia        |
+      | `SK`         | Slovakia        |
+      | `YT`         | Mayotte         |
+
+      The EU country list was obtained from MaxMind's GeoIP2 database on 2023-12-05. For details on obtaining up-to-date country information, refer to the [MaxMind website](https://dev.maxmind.com/geoip/geolite2-free-geolocation-data).
+
+      </details>
+
+      This field has the same value as the `ip.geoip.is_in_european_union` field, which is deprecated. The `ip.geoip.is_in_european_union` field is still available for new and existing rules, but you should use the `ip.src.is_in_european_union` field instead.
+
   - name: test.request.body.multipart.content_transfer_encodings
     data_type: "Array<Array<String>>"
     categories: [Request, Body]

From dadadcfd790ed750b2a53136394e1f556b8721bc Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Mon, 9 Dec 2024 15:30:45 +0000
Subject: [PATCH 04/45] Small changes to fields

---
 src/content/fields/index.yaml | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index bf6945b6f21c896..8632674c6343e55 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -10,7 +10,7 @@ entries:
   - name: http.host
     data_type: String
     categories: [Request, URI]
-    keywords: [request, uri, url, domain, source, visitor]
+    keywords: [request, uri, url, domain, client, visitor]
     summary: The hostname used in the full request URI.
     example_value: |-
       www.example.org
@@ -18,7 +18,7 @@ entries:
   - name: http.request.full_uri
     data_type: String
     categories: [Request, URI]
-    keywords: [request, uri, url, source, visitor]
+    keywords: [request, uri, url, client, visitor]
     summary: The full URI as received by the web server.
     description: |-
       The value will not include the `#fragment` part, which is not sent to web servers.
@@ -28,7 +28,7 @@ entries:
   - name: http.request.method
     data_type: String
     categories: [Request]
-    keywords: [request, source, visitor]
+    keywords: [request, client, visitor]
     summary: The HTTP method, returned as a string of uppercase characters.
     example_value: |-
       GET
@@ -36,7 +36,7 @@ entries:
   - name: http.request.cookies
     data_type: Map<Array<String>>
     categories: [Request, Headers]
-    keywords: [request, header, source, visitor]
+    keywords: [request, header, client, visitor]
     summary: The `Cookie` HTTP header associated with a request represented as a Map (associative array).
     description: |-
       The cookie names are URL decoded. If two cookies have the same name after decoding, their value arrays are merged.
@@ -58,7 +58,7 @@ entries:
   - name: ip.src.is_in_european_union
     data_type: Boolean
     categories: [Request, Geolocation]
-    keywords: [request, location, europe, country, maxmind, source, visitor]
+    keywords: [request, geolocation, europe, country, maxmind, client, visitor]
     summary: Returns `true` when the request originates from a country in the European Union (EU).
     description: |-
       <details><summary><p>Countries in the EU (from geolocation data)</p></summary>
@@ -109,7 +109,7 @@ entries:
   - name: test.request.body.multipart.content_transfer_encodings
     data_type: "Array<Array<String>>"
     categories: [Request, Body]
-    keywords: [request, body, payload, form, multipart, upload, source, visitor]
+    keywords: [request, body, payload, form, multipart, upload, client, visitor]
     summary: One liner here.
     description: |-
       This is a longer description, possibly using [Markdown](/).

From 7e6eba90528861e7c6f680db04855b1c0eb0e99f Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Mon, 9 Dec 2024 17:52:23 +0000
Subject: [PATCH 05/45] Remove Keywords filter

---
 src/components/FieldCatalog.jsx | 32 --------------------------------
 1 file changed, 32 deletions(-)

diff --git a/src/components/FieldCatalog.jsx b/src/components/FieldCatalog.jsx
index a70f2cb25cc867f..91dc2c94e758dfd 100644
--- a/src/components/FieldCatalog.jsx
+++ b/src/components/FieldCatalog.jsx
@@ -122,38 +122,6 @@ const FieldCatalog = ({ fields }) => {
 						</label>
 					))}
 				</div>
-
-				<div className="!mb-8 md:block hidden">
-					<span className="uppercase text-gray-600 dark:text-gray-200 text-sm font-bold">
-						▼ Keywords
-					</span>
-
-					{keywords.map((keyword) => (
-						<label key={keyword} className="block !my-2">
-							<input
-								type="checkbox"
-								value={keyword}
-								className="mr-2"
-								onClick={(e) => {
-									if (e.target.checked) {
-										setFilters({
-											...filters,
-											keywords: [...filters.keywords, e.target.value],
-										});
-									} else {
-										setFilters({
-											...filters,
-											keywords: filters.keywords.filter(
-												(f) => f !== e.target.value,
-											),
-										});
-									}
-								}}
-							/>{" "}
-							{keyword}
-						</label>
-					))}
-				</div>
 			</div>
 
 			<div className="flex md:w-3/4 w-full gap-[1%] items-stretch self-start flex-wrap !mt-0">

From 90e3791dd7ff232e5300c6cebf702a75e19325f8 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Mon, 30 Dec 2024 18:32:44 +0000
Subject: [PATCH 06/45] Add more fields

---
 src/content/fields/index.yaml | 278 +++++++++++++++++++++++++++++++++-
 1 file changed, 273 insertions(+), 5 deletions(-)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index 8632674c6343e55..a0ee2d0655e08a4 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -47,18 +47,256 @@ entries:
     example_block: |-
       any(http.request.cookies["app"][*] == "test")
 
-  - name: http.referer
+  - name: http.request.timestamp.sec
+    data_type: Integer
+    categories: [Request]
+    keywords: [request, timestamp, client, visitor]
+    summary: The timestamp when Cloudflare received the request, expressed as UNIX time in seconds.
+    description: |-
+      The field value is 10 digits long.
+
+      When validating HMAC tokens in an expression, pass this field as the `currentTimestamp` argument to the [`is_timed_hmac_valid_v0()`](/ruleset-engine/rules-language/functions/#hmac-validation) validation function.
+
+      To obtain the timestamp milliseconds, use the [`http.request.timestamp.msec`](/ruleset-engine/rules-language/fields/reference/http.request.timestamp.msec/) field.
+    example_value: |-
+      1484063137
+
+  - name: http.request.timestamp.msec
+    data_type: Integer
+    categories: [Request]
+    keywords: [request, timestamp, client, visitor]
+    summary: The millisecond when Cloudflare received the request, between 0 and 999.
+    description: |-
+      To obtain the complete timestamp, use both [`http.request.timestamp.sec`](/ruleset-engine/rules-language/fields/reference/http.request.timestamp.sec/) and [`http.request.timestamp.msec`](/ruleset-engine/rules-language/fields/reference/http.request.timestamp.msec/) fields.
+    example_value: |-
+      857
+
+  - name: http.request.uri
+    data_type: String
+    categories: [Request, URI]
+    keywords: [request, uri, url, path, query, query string, client, visitor]
+    summary: The URI path and query string of the request.
+    example_value: |-
+      /articles/index?section=539061&expand=comments
+
+  - name: http.request.uri.path
+    data_type: String
+    categories: [Request, URI]
+    keywords: [request, uri, url, path, client, visitor]
+    summary: The URI path of the request.
+    example_value: |-
+      /articles/index
+
+  - name: http.request.uri.path.extension
+    data_type: String
+    categories: [Request, URI]
+    keywords: [request, uri, url, path, client, visitor]
+    summary: The lowercased file extension in the URI path without the dot (`.`) character.
+    description: |-
+      This corresponds to the string after the last dot in the URI path, excluding the query string.
+
+      If the first character of the last path segment is a dot and the segment does not contain other dot characters, the field value will be an empty string (`""`). Having a dot as the first character does not represent a file extension and is commonly used in UNIX-like systems to denote a hidden file or directory.
+
+      Example values:
+
+      - If the URI path is `/articles/index.html`, the field value will be `html`.
+      - If the URI path is `/articles/index.`, the field value will be an empty string (`""`).
+
+      <details><summary><p>Example values</p></summary>
+
+      | URI path       | Field value |
+      | -------------- | ----------- |
+      | `/foo`         | `""`        |
+      | `/foo.mp3`     | `"mp3"`     |
+      | `/.mp3`        | `""`        |
+      | `/.foo.mp3`    | `"mp3"`     |
+      | `/foo.tar.bz2` | `"bz2"`     |
+      | `/foo.`        | `""`        |
+      | `/foo.MP3`     | `"mp3"`     |
+
+      </details>
+
+  - name: http.request.uri.query
+    data_type: String
+    categories: [Request, URI]
+    keywords: [request, uri, url, query, query string, client, visitor]
+    summary: The entire query string, without the `?` delimiter.
+    example_value: |-
+      section=539061&expand=comments
+
+  - name: http.user_agent
     data_type: String
     categories: [Request, Headers]
-    keywords: [request, header, referer, referrer, client, visitor]
-    summary: The HTTP `Referer` request header, which contains the address of the web page that linked to the currently requested page.
+    keywords: [request, header, agent, user-agent, browser, client, visitor]
+    summary: The HTTP `User-Agent` request header, which contains a characteristic string to identify the client operating system and web browser.
     example_value: |-
-      Referer: https://developer.example.org/en-US/docs/Web/JavaScript
+      Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
+
+  - name: http.request.version
+    data_type: String
+    categories: [Request]
+    keywords: [request, protocol, client, visitor]
+    summary: The version of the HTTP protocol used. Use this field when different checks are needed for different versions.
+    description: |-
+      Example values:
+
+      - `HTTP/1.1`
+      - `HTTP/3`
+
+  - name: http.x_forwarded_for
+    data_type: String
+    categories: [Request, Headers]
+    keywords: [request, header, proxy, ip, client, visitor]
+    summary: The full `X-Forwarded-For` HTTP header.
+    example_value: |-
+      203.0.113.195, 70.41.3.18
+
+  - name: ip.src
+    data_type: IP address
+    categories: [Request]
+    keywords: [request, proxy, ip, client, visitor]
+    summary: The client TCP IP address, which may be adjusted to reflect the actual address of the client using HTTP headers such as `X-Forwarded-For` or `X-Real-IP`.
+    example_value: |-
+      93.184.216.34
+
+  - name: ip.src.lat
+    data_type: String
+    categories: [Request, Geolocation]
+    keywords: [request, location, geolocation, client, visitor]
+    summary: The latitude associated with the client IP address.
+    example_value: |-
+      37.78044
+
+  - name: ip.src.lon
+    data_type: String
+    categories: [Request, Geolocation]
+    keywords: [request, location, geolocation, client, visitor]
+    summary: The longitude associated with the client IP address.
+    example_value: |-
+      -122.39055
+
+  - name: ip.src.city
+    data_type: String
+    categories: [Request, Geolocation]
+    keywords: [request, location, geolocation, client, visitor]
+    summary: The city associated with the client IP address.
+    example_value: |-
+      San Francisco
+
+  - name: ip.src.postal_code
+    data_type: String
+    categories: [Request, Geolocation]
+    keywords: [request, location, geolocation, zip, zip code, client, visitor]
+    summary: The postal code associated with the incoming request.
+    example_value: |-
+      78701
+
+  - name: ip.src.metro_code
+    data_type: String
+    categories: [Request, Geolocation]
+    keywords: [request, location, geolocation, dma, client, visitor]
+    summary: The metro code or Designated Market Area (DMA) code associated with the incoming request.
+    example_value: |-
+      635
+
+  - name: ip.src.region
+    data_type: String
+    categories: [Request, Geolocation]
+    keywords: [request, location, geolocation, state, client, visitor]
+    summary: The region name associated with the incoming request.
+    example_value: |-
+      Texas
+
+  - name: ip.src.region_code
+    data_type: String
+    categories: [Request, Geolocation]
+    keywords: [request, location, geolocation, state, client, visitor]
+    summary: The region code associated with the incoming request.
+    example_value: |-
+      TX
+
+  - name: ip.src.timezone.name
+    data_type: String
+    categories: [Request, Geolocation]
+    keywords:
+      [request, location, geolocation, time zone, clock, client, visitor]
+    summary: The name of the timezone associated with the incoming request.
+    description: |-
+      This field is only available in rewrite expressions of [Transform Rules](/rules/transform/).
+    example_value: |-
+      America/Chicago
+
+  - name: ip.src.asnum
+    data_type: Number
+    categories: [Request, Geolocation]
+    keywords: [request, location, geolocation, asn, client, visitor]
+    summary: The 16-bit or 32-bit integer representing the Autonomous System (AS) number associated with the client IP address.
+    description: |-
+      This field has the same value as the `ip.geoip.asnum` field, which is deprecated. The `ip.geoip.asnum` field is still available for new and existing rules, but you should use the `ip.src.asnum` field instead.
+
+  - name: ip.src.continent
+    data_type: String
+    categories: [Request, Geolocation]
+    keywords: [request, location, geolocation, client, visitor]
+    summary: The continent code associated with the client IP address.
+    description: |-
+      Values:
+
+      - **AF**: Africa
+      - **AN**: Antarctica
+      - **AS**: Asia
+      - **EU**: Europe
+      - **NA**: North America
+      - **OC**: Oceania
+      - **SA**: South America
+      - **T1**: Tor network
+
+      This field has the same value as the `ip.geoip.continent` field, which is deprecated. The `ip.geoip.continent` field is still available for new and existing rules, but you should use the `ip.src.continent` field instead.
+
+  - name: ip.src.country
+    data_type: String
+    categories: [Request, Geolocation]
+    keywords: [request, location, geolocation, client, visitor]
+    summary: The 2-letter country code in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format.
+    example_value: |-
+      GB
+    description: |-
+      For more information on the ISO 3166-1 Alpha 2 format, refer to [ISO 3166-1 Alpha 2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) on Wikipedia.
+
+      This field has the same value as the `ip.geoip.country` field, which is deprecated. The `ip.geoip.country` field is still available for new and existing rules, but you should use the `ip.src.country` field instead.
+
+  - name: ip.src.subdivision_1_iso_code
+    data_type: String
+    categories: [Request, Geolocation]
+    keywords: [request, location, geolocation, region, client, visitor]
+    summary: The ISO 3166-2 code for the first-level region associated with the IP address.
+    example_value: |-
+      GB-ENG
+    description: |-
+      When the actual value is not available, this field contains an empty string.
+
+      For more information on the ISO 3166-2 standard and the available regions, refer to [ISO 3166-2](https://en.wikipedia.org/wiki/ISO_3166-2) on Wikipedia.
+
+      This field has the same value as the `ip.geoip.subdivision_1_iso_code` field, which is deprecated. The `ip.geoip.subdivision_1_iso_code` field is still available for new and existing rules, but you should use the `ip.src.subdivision_1_iso_code` field instead.
+
+  - name: ip.src.subdivision_2_iso_code
+    data_type: String
+    categories: [Request, Geolocation]
+    keywords: [request, location, geolocation, region, client, visitor]
+    summary: The ISO 3166-2 code for the second-level region associated with the IP address.
+    example_value: |-
+      GB-SWK
+    description: |-
+      When the actual value is not available, this field contains an empty string.
+
+      For more information on the ISO 3166-2 standard and the available regions, refer to [ISO 3166-2](https://en.wikipedia.org/wiki/ISO_3166-2) on Wikipedia.
+
+      This field has the same value as the `ip.geoip.subdivision_2_iso_code` field, which is deprecated. The `ip.geoip.subdivision_2_iso_code` field is still available for new and existing rules, but you should use the `ip.src.subdivision_2_iso_code` field instead.
 
   - name: ip.src.is_in_european_union
     data_type: Boolean
     categories: [Request, Geolocation]
-    keywords: [request, geolocation, europe, country, maxmind, client, visitor]
+    keywords: [request, location, geolocation, country, client, visitor]
     summary: Returns `true` when the request originates from a country in the European Union (EU).
     description: |-
       <details><summary><p>Countries in the EU (from geolocation data)</p></summary>
@@ -106,6 +344,36 @@ entries:
 
       This field has the same value as the `ip.geoip.is_in_european_union` field, which is deprecated. The `ip.geoip.is_in_european_union` field is still available for new and existing rules, but you should use the `ip.src.is_in_european_union` field instead.
 
+  - name: http.request.full_uri
+    data_type: String
+    categories: [Request, URI, Raw fields]
+    keywords: [request, uri, url, raw, client, visitor]
+    summary: The raw full URI as received by the web server without any transformation.
+    description: |-
+      The value will not include the `#fragment` part, which is not sent to web servers.
+
+      This is the raw field version of the [`http.request.full_uri`](/ruleset-engine/rules-language/fields/reference/http.request.full_uri/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
+
+      **Note:** This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
+
+  - name: http.request.full_uri
+    data_type: String
+    categories: [Request, URI, Raw fields]
+    keywords: [request, uri, url, path, query, raw, client, visitor]
+    summary: The raw URI path and query string of the request without any transformation.
+    description: |-
+      This is the raw field version of the [`http.request.uri`](/ruleset-engine/rules-language/fields/reference/http.request.uri/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
+
+      **Note:** This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
+
+  - name: http.referer
+    data_type: String
+    categories: [Request, Headers]
+    keywords: [request, header, referer, referrer, client, visitor]
+    summary: The HTTP `Referer` request header, which contains the address of the web page that linked to the currently requested page.
+    example_value: |-
+      Referer: https://developer.example.org/en-US/docs/Web/JavaScript
+
   - name: test.request.body.multipart.content_transfer_encodings
     data_type: "Array<Array<String>>"
     categories: [Request, Body]

From 79e3a7cfe60c23f97c449eb175c6ba3dd56de9ec Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Mon, 30 Dec 2024 18:50:22 +0000
Subject: [PATCH 07/45] Fix fields

---
 src/content/fields/index.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index a0ee2d0655e08a4..a119ad83ad137f6 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -344,7 +344,7 @@ entries:
 
       This field has the same value as the `ip.geoip.is_in_european_union` field, which is deprecated. The `ip.geoip.is_in_european_union` field is still available for new and existing rules, but you should use the `ip.src.is_in_european_union` field instead.
 
-  - name: http.request.full_uri
+  - name: raw.http.request.full_uri
     data_type: String
     categories: [Request, URI, Raw fields]
     keywords: [request, uri, url, raw, client, visitor]
@@ -356,7 +356,7 @@ entries:
 
       **Note:** This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
 
-  - name: http.request.full_uri
+  - name: raw.http.request.uri.path
     data_type: String
     categories: [Request, URI, Raw fields]
     keywords: [request, uri, url, path, query, raw, client, visitor]

From 3149aaf7b2bfa23cedb3e35a86d714e539a705f3 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Tue, 31 Dec 2024 11:39:37 +0000
Subject: [PATCH 08/45] Add more fields

---
 src/content/fields/index.yaml | 621 +++++++++++++++++++++++++++++++++-
 1 file changed, 615 insertions(+), 6 deletions(-)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index a119ad83ad137f6..6e410f4c94cbdbc 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -15,6 +15,14 @@ entries:
     example_value: |-
       www.example.org
 
+  - name: http.referer
+    data_type: String
+    categories: [Request, Headers]
+    keywords: [request, header, referer, referrer, client, visitor]
+    summary: The HTTP `Referer` request header, which contains the address of the web page that linked to the currently requested page.
+    example_value: |-
+      Referer: https://developer.example.org/en-US/docs/Web/JavaScript
+
   - name: http.request.full_uri
     data_type: String
     categories: [Request, URI]
@@ -359,20 +367,621 @@ entries:
   - name: raw.http.request.uri.path
     data_type: String
     categories: [Request, URI, Raw fields]
-    keywords: [request, uri, url, path, query, raw, client, visitor]
+    keywords: [request, uri, url, path, raw, client, visitor]
     summary: The raw URI path and query string of the request without any transformation.
     description: |-
       This is the raw field version of the [`http.request.uri`](/ruleset-engine/rules-language/fields/reference/http.request.uri/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
 
       **Note:** This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
 
-  - name: http.referer
+  - name: raw.http.request.uri.path.extension
     data_type: String
-    categories: [Request, Headers]
-    keywords: [request, header, referer, referrer, client, visitor]
-    summary: The HTTP `Referer` request header, which contains the address of the web page that linked to the currently requested page.
+    categories: [Request, URI, Raw fields]
+    keywords: [request, uri, url, path, raw, client, visitor]
+    summary: The raw file extension in the request URI path without any transformation.
+    description: |-
+      This is the raw field version of the [`http.request.uri.path.extension`](/ruleset-engine/rules-language/fields/reference/http.request.uri.path.extension/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
+
+  - name: raw.http.request.uri.query
+    data_type: String
+    categories: [Request, URI, Raw fields]
+    keywords: [request, uri, url, query, query string, raw, client, visitor]
+    summary: The entire query string without the `?` delimiter and without any transformation.
+    description: |-
+      This is the raw field version of the [`http.request.uri.query`](/ruleset-engine/rules-language/fields/reference/http.request.uri.query/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
+
+      **Note:** This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
+
+  - name: ssl
+    data_type: Boolean
+    categories: [Request]
+    keywords: [request, tls, https, client, visitor]
+    summary: Returns `true` when the HTTP connection to the client is encrypted.
+
+  - name: cf.bot_management.verified_bot
+    data_type: Boolean
+    categories: [Request, Bots]
+    keywords: [request, bots, client, visitor]
+    summary: When `true`, this field indicates the request originated from a known good bot or crawler.
+    description: |-
+      Provides the same information as [`cf.client.bot`](/ruleset-engine/rules-language/fields/reference/cf.client.bot/).
+
+      Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
+
+  - name: cf.verified_bot_category
+    data_type: String
+    categories: [Request, Bots]
+    keywords: [request, bots, client, visitor]
+    summary: Provides the type and purpose of a verified bot.
+    description: |-
+      For more details, refer to [Verified Bot Categories](/bots/reference/verified-bot-categories/).
+
+  - name: cf.bot_management.score
+    data_type: Number
+    categories: [Request, Bots]
+    keywords: [request, bots, client, visitor]
+    summary: Represents the likelihood that a request originates from a bot using a score from 1–99.
+    description: |-
+      A low score indicates that the request comes from a bot or an automated agent. A high score indicates that a human issued the request.
+
+      Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
+
+  - name: cf.bot_management.static_resource
+    data_type: Number
+    categories: [Request, Bots]
+    keywords: [request, bots, client, visitor]
+    summary: Indicates whether static resources should be included when you create a rule using [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/reference/cf.bot_management.score/).
+    description: |-
+      For more details, refer to [Static resource protection](/bots/reference/static-resources/).
+
+      Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
+
+  - name: cf.bot_management.ja3_hash
+    data_type: String
+    categories: [Request, Bots]
+    keywords: [request, bots, client, visitor]
+    summary: Provides an SSL/TLS fingerprint to help you identify potential bot requests.
+    description: |-
+      For more details, refer to [JA3/JA4 Fingerprint](/bots/concepts/ja3-ja4-fingerprint/).
+
+      Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
+
+  - name: cf.bot_management.ja4
+    data_type: String
+    categories: [Request, Bots]
+    keywords: [request, bots, client, visitor]
+    summary: Provides an SSL/TLS fingerprint to help you identify potential bot requests.
+    description: |-
+      For more details, refer to [JA3/JA4 Fingerprint](/bots/concepts/ja3-ja4-fingerprint/).
+
+      Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
+
+  - name: cf.bot_management.js_detection.passed
+    data_type: Boolean
+    categories: [Request, Bots]
+    keywords: [request, bots, client, visitor]
+    summary: Indicates whether the visitor has previously passed a JS Detection.
+    description: |-
+      For more details, refer to [JavaScript detections](/bots/reference/javascript-detections/).
+
+      Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
+
+  - name: cf.bot_management.detection_ids
+    data_type: Array<Number>
+    categories: [Request, Bots]
+    keywords: [request, bots, client, visitor]
+    summary: List of IDs that correlate to the Bot Management heuristic detections made on a request.
+    description: |-
+      Use this field to explicitly match a specific heuristic or to exclude a heuristic in a rule. You can have multiple heuristic detections on the same request.
+
+      Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
+    example_block: |-
+      any(cf.bot_management.detection_ids[*] eq 33554817)
+
+  - name: cf.client.bot
+    data_type: Boolean
+    categories: [Request, Bots]
+    keywords: [request, bots, client, visitor]
+    summary: When `true`, this field indicates the request originated from a known good bot or crawler.
+    description: |-
+      Provides the same information as [`cf.bot_management.verified_bot`](/ruleset-engine/rules-language/fields/reference/cf.bot_management.verified_bot/).
+
+  - name: cf.edge.server_ip
+    data_type: IP address
+    categories: [Request]
+    keywords: [request, cloudflare, client, visitor]
+    summary: Represents the global network's IP address to which the HTTP request has resolved.
+    description: |-
+      This field is only meaningful for [BYOIP customers](/byoip/).
+
+  - name: cf.edge.server_port
+    data_type: IP address
+    categories: [Request]
+    keywords: [request, cloudflare, client, visitor]
+    summary: Represents the port number at which the Cloudflare global network received the request.
+    description: |-
+      Use this field to filter traffic on a specific port. The value is a port number in the range 1–65535.
+
+  - name: cf.hostname.metadata
+    data_type: String
+    categories: [Request]
+    keywords: [request, cloudflare, saas, platforms, client, visitor]
+    summary: Returns the string representation of the per-hostname [custom metadata](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata/) JSON object set by SSL for SaaS customers.
+
+  - name: cf.random_seed
+    data_type: Bytes
+    categories: [Request]
+    keywords: [request, cloudflare, client, visitor]
+    summary: Returns per-request random bytes that you can use in the [`uuidv4()`](/ruleset-engine/rules-language/functions/#uuidv4) function.
+
+  - name: cf.ray_id
+    data_type: String
+    categories: [Request]
+    keywords: [request, cloudflare, client, visitor]
+    summary: The Ray ID of the current request.
+    description: |-
+      A [Ray ID](/fundamentals/reference/cloudflare-ray-id/) is an identifier given to every request that goes through Cloudflare.
+
+  - name: cf.threat_score
+    data_type: Number
+    categories: [Request]
+    keywords: [request, cloudflare, score, client, visitor]
+    summary: Represents a Cloudflare threat score from 0–100, where 0 indicates low risk.
+    description: |-
+      Values above 10 may represent spammers or bots, and values above 40 identify bad actors on the Internet. It is rare to see values above 60. A common recommendation is to challenge requests with a score above 10 and to block those above 50.
+
+  - name: cf.tls_cipher
+    data_type: String
+    categories: [Request]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: The cipher for the connection to Cloudflare.
     example_value: |-
-      Referer: https://developer.example.org/en-US/docs/Web/JavaScript
+      "AES128-SHA256"
+
+  - name: cf.tls_client_auth.cert_revoked
+    data_type: Boolean
+    categories: [Request]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: Returns `true` when a request presents a valid but revoked client certificate.
+    description: |-
+      When `true`, the [`cf.tls_client_auth.cert_verified`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_verified/) field is also `true`.
+
+  - name: cf.tls_client_auth.cert_verified
+    data_type: Boolean
+    categories: [Request]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: Returns `true` when a request presents a valid client certificate.
+    description: |-
+      Also returns `true` when a request includes a valid certificate that was revoked (refer to [`cf.tls_client_auth.cert_revoked`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_revoked/)).
+
+  - name: cf.tls_client_auth.cert_presented
+    data_type: Boolean
+    categories: [Request]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: Returns `true` when a request presents a certificate (valid or not).
+
+  - name: cf.tls_client_auth.cert_issuer_dn
+    data_type: String
+    categories: [Request]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate included in the request.
+    example_value: |-
+      "CN=Access Testing CA,OU=TX,O=Access Testing,L=Austin,ST=Texas,C=US"
+
+  - name: cf.tls_client_auth.cert_subject_dn
+    data_type: String
+    categories: [Request]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: The Distinguished Name (DN) of the owner (or requester) of the certificate included in the request.
+    example_value: |-
+      "CN=James Royal,OU=Access Admins,O=Access,L=Austin,ST=Texas,C=US"
+
+  - name: cf.tls_client_auth.cert_issuer_dn_rfc2253
+    data_type: String
+    categories: [Request]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in [RFC 2253](https://datatracker.ietf.org/doc/html/rfc2253) format.
+    example_value: |-
+      "CN=Access Testing CA,OU=TX,O=Access Testing,L=Austin,ST=Texas,C=US"
+
+  - name: cf.tls_client_auth.cert_subject_dn_rfc2253
+    data_type: String
+    categories: [Request]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in [RFC 2253](https://datatracker.ietf.org/doc/html/rfc2253) format.
+    example_value: |-
+      "CN=James Royal,OU=Access Admins,O=Access,L=Austin,ST=Texas,C=US"
+
+  - name: cf.tls_client_auth.cert_issuer_dn_legacy
+    data_type: String
+    categories: [Request]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in a legacy format.
+    example_value: |-
+      "/C=US/ST=Texas/L=Austin/O=Access Testing/OU=TX/CN=Access Testing CA"
+
+  - name: cf.tls_client_auth.cert_subject_dn_legacy
+    data_type: String
+    categories: [Request]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in a legacy format.
+    example_value: |-
+      "/C=US/ST=Texas/L=Austin/O=Access/OU=Access Admins/CN=James Royal"
+
+  - name: cf.tls_client_auth.cert_serial
+    data_type: String
+    categories: [Request]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: Serial number of the certificate in the request.
+    example_value: |-
+      "527E0F20A20EA2A4146C78390F34CE7AF0878CA4"
+
+  - name: cf.tls_client_auth.cert_issuer_serial
+    data_type: String
+    categories: [Request]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: Serial number of the direct issuer of the certificate in the request.
+    example_value: |-
+      "2688201DBA77402EA87118876F2E1B24CF8B0395"
+
+  - name: cf.tls_client_auth.cert_fingerprint_sha256
+    data_type: String
+    categories: [Request]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: The SHA-256 fingerprint of the certificate in the request.
+    example_value: |-
+      "af363dc85bc942a892d3cee9796190fdb36d89cd588a4f1cb17c74a943439714"
+
+  - name: cf.tls_client_auth.cert_fingerprint_sha1
+    data_type: String
+    categories: [Request]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: The SHA-1 fingerprint of the certificate in the request.
+    example_value: |-
+      "933ad5282c560ae3f482a43ecd73bc9de878a190"
+
+  - name: cf.tls_client_auth.cert_not_before
+    data_type: String
+    categories: [Request]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: The certificate in the request is not valid before this date.
+    example_value: |-
+      "Mar 21 13:35:00 2022 GMT"
+
+  - name: cf.tls_client_auth.cert_not_after
+    data_type: String
+    categories: [Request]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: The certificate in the request is not valid after this date.
+    example_value: |-
+      "Mar 21 13:35:00 2023 GMT"
+
+  - name: cf.tls_client_auth.cert_ski
+    data_type: String
+    categories: [Request]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: The Subject Key Identifier (SKI) of the certificate in the request.
+    example_value: |-
+      "27846FAE6EAC4A8DAD9101B519CF1EB460242831"
+
+  - name: cf.tls_client_auth.cert_issuer_ski
+    data_type: String
+    categories: [Request]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: The Subject Key Identifier (SKI) of the direct issuer of the certificate in the request.
+    example_value: |-
+      "8204924CF49D471E855862706D889F58F6B784D3"
+
+  - name: cf.tls_client_extensions_sha1
+    data_type: String
+    categories: [Request]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: The SHA-1 fingerprint of TLS client extensions, encoded in Base64.
+    example_value: |-
+      "OWFiM2I5ZDc0YWI0YWYzZmFkMGU0ZjhlYjhiYmVkMjgxNTU5YTU2Mg=="
+
+  - name: cf.tls_client_hello_length
+    data_type: Number
+    categories: [Request]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: The length of the client hello message sent in a [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake).
+    description: |-
+      Specifically, the length of the bytestring of the client hello.
+    example_value: |-
+      508
+
+  - name: cf.tls_client_random
+    data_type: String
+    categories: [Request]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: The value of the 32-byte random value provided by the client in a [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake), encoded in Base64.
+    description: |-
+      For more details, refer to [RFC 8446](https://datatracker.ietf.org/doc/html/rfc8446#section-4.1.2).
+    example_value: |-
+      "YWJjZA=="
+
+  - name: cf.tls_version
+    data_type: String
+    categories: [Request]
+    keywords: [request, ssl, tls, client, visitor]
+    summary: The TLS version of the connection to Cloudflare.
+    example_value: |-
+      "TLSv1.2"
+
+  - name: cf.waf.content_scan.has_obj
+    data_type: Boolean
+    categories: [Request]
+    keywords:
+      [
+        request,
+        cloudflare,
+        content scanning,
+        malicious uploads,
+        client,
+        visitor,
+      ]
+    summary: When `true`, the request contains at least one content object.
+    description: |-
+      For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
+
+  - name: cf.waf.content_scan.has_malicious_obj
+    data_type: Boolean
+    categories: [Request]
+    keywords:
+      [
+        request,
+        cloudflare,
+        content scanning,
+        malicious uploads,
+        client,
+        visitor,
+      ]
+    summary: When `true`, the request contains at least one malicious content object.
+    description: |-
+      For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
+
+  - name: cf.waf.content_scan.num_malicious_obj
+    data_type: Integer
+    categories: [Request]
+    keywords:
+      [
+        request,
+        cloudflare,
+        content scanning,
+        malicious uploads,
+        client,
+        visitor,
+      ]
+    summary: The number of malicious content objects detected in the request (zero or greater).
+    description: |-
+      For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
+
+  - name: cf.waf.content_scan.has_failed
+    data_type: Boolean
+    categories: [Request]
+    keywords:
+      [
+        request,
+        cloudflare,
+        content scanning,
+        malicious uploads,
+        client,
+        visitor,
+      ]
+    summary: When `true`, the file scanner was unable to scan all the content objects detected in the request.
+    description: |-
+      For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
+
+  - name: cf.waf.content_scan.num_obj
+    data_type: Integer
+    categories: [Request]
+    keywords:
+      [
+        request,
+        cloudflare,
+        content scanning,
+        malicious uploads,
+        client,
+        visitor,
+      ]
+    summary: The number of content objects detected in the request (zero or greater).
+    description: |-
+      For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
+
+  - name: cf.waf.content_scan.obj_sizes
+    data_type: Array<Integer>
+    categories: [Request]
+    keywords:
+      [
+        request,
+        cloudflare,
+        content scanning,
+        malicious uploads,
+        client,
+        visitor,
+      ]
+    summary: An array of file sizes in bytes, in the order the content objects were detected in the request.
+    description: |-
+      For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
+
+  - name: cf.waf.content_scan.obj_types
+    data_type: Array<String>
+    categories: [Request]
+    keywords:
+      [
+        request,
+        cloudflare,
+        content scanning,
+        malicious uploads,
+        client,
+        visitor,
+      ]
+    summary: An array of file types in the order the content objects were detected in the request.
+    description: |-
+      If Cloudflare cannot determine the file type of a content object, the corresponding value in the `obj_types` array will be `application/octet-stream`.
+
+      For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
+
+  - name: cf.waf.content_scan.obj_results
+    data_type: Array<String>
+    categories: [Request]
+    keywords:
+      [
+        request,
+        cloudflare,
+        content scanning,
+        malicious uploads,
+        client,
+        visitor,
+      ]
+    summary: An array of scan results in the order the content objects were detected in the request.
+    description: |-
+      The possible values are: `clean`, `suspicious`, `infected`, and `not scanned`.
+
+      For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
+
+  - name: cf.waf.score
+    data_type: Number
+    categories: [Request]
+    keywords: [request, cloudflare, attack score, waf score, client, visitor]
+    summary: A global score from `1` to `99` that combines the score of each WAF attack vector into a single score.
+    description: |-
+      This is the standard [WAF attack score](/waf/detections/attack-score/) to detect variants of attack patterns.
+
+  - name: cf.waf.score.sqli
+    data_type: Number
+    categories: [Request]
+    keywords: [request, cloudflare, attack score, waf score, client, visitor]
+    summary: An attack score from `1` to `99` classifying the SQL injection (SQLi) attack vector.
+    description: |-
+      For more details, refer to [WAF attack score](/waf/detections/attack-score/).
+
+  - name: cf.waf.score.xss
+    data_type: Number
+    categories: [Request]
+    keywords: [request, cloudflare, attack score, waf score, client, visitor]
+    summary: An attack score from `1` to `99` classifying the cross-site scripting (XSS) attack vector.
+    description: |-
+      For more details, refer to [WAF attack score](/waf/detections/attack-score/).
+
+  - name: cf.waf.score.rce
+    data_type: Number
+    categories: [Request]
+    keywords: [request, cloudflare, attack score, waf score, client, visitor]
+    summary: An attack score from `1` to `99` classifying the command injection or Remote Code Execution (RCE) attack vector.
+    description: |-
+      For more details, refer to [WAF attack score](/waf/detections/attack-score/).
+
+  - name: cf.waf.score.class
+    data_type: String
+    categories: [Request]
+    keywords: [request, cloudflare, attack score, waf score, client, visitor]
+    summary: The attack score class of the current request, based on the WAF attack score.
+    description: |-
+      Can have one of the following values: `attack`, `likely_attack`, `likely_clean`, `clean`.
+
+      For more details, refer to [WAF attack score](/waf/detections/attack-score/).
+
+  - name: cf.waf.auth_detected
+    data_type: Boolean
+    categories: [Request]
+    keywords:
+      [
+        request,
+        cloudflare,
+        leaked credentials,
+        exposed credentials,
+        client,
+        visitor,
+      ]
+    summary: When `true`, the Cloudflare WAF detected authentication credentials in the request.
+    description: |-
+      Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
+
+  - name: cf.waf.credential_check.password_leaked
+    data_type: Boolean
+    categories: [Request]
+    keywords:
+      [
+        request,
+        cloudflare,
+        leaked credentials,
+        exposed credentials,
+        client,
+        visitor,
+      ]
+    summary: When `true`, the password detected in the request was previously leaked.
+    description: |-
+      Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
+
+  - name: cf.waf.credential_check.username_leaked
+    data_type: Boolean
+    categories: [Request]
+    keywords:
+      [
+        request,
+        cloudflare,
+        leaked credentials,
+        exposed credentials,
+        client,
+        visitor,
+      ]
+    summary: When `true`, the username detected in the request was previously leaked.
+    description: |-
+      Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
+
+  - name: cf.waf.credential_check.username_and_password_leaked
+    data_type: Boolean
+    categories: [Request]
+    keywords:
+      [
+        request,
+        cloudflare,
+        leaked credentials,
+        exposed credentials,
+        client,
+        visitor,
+      ]
+    summary: When `true`, the authentication credentials detected in the request (username and password pair) were previously leaked.
+    description: |-
+      Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
+
+  - name: cf.waf.credential_check.username_password_similar
+    data_type: Boolean
+    categories: [Request]
+    keywords:
+      [
+        request,
+        cloudflare,
+        leaked credentials,
+        exposed credentials,
+        client,
+        visitor,
+      ]
+    summary: When `true`, a similar version of the username and password credentials detected in the request were previously leaked.
+    description: |-
+      Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
+
+  - name: cf.worker.upstream_zone
+    data_type: String
+    categories: [Request]
+    keywords: [request, cloudflare, workers]
+    summary: Identifies whether a request comes from a worker or not.
+    description: |-
+      When a request comes from a worker, this field will hold the name of the zone for that worker. Otherwise, `cf.worker.upstream_zone` is empty.
+
+  - name: cf.bot_management.corporate_proxy
+    data_type: Boolean
+    categories: [Request, Bots]
+    keywords: [request, bots, proxy, client, visitor]
+    summary: When `true`, the incoming request comes from an identified Enterprise-only cloud-based corporate proxy or secure web gateway.
+    description: |-
+      Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
+    example_block: |-
+      not cf.bot_management.verified_bot
+      and not cf.bot_management.static_resource
+      and not cf.bot_management.corporate_proxy
+      and cf.bot_management.score lt 30
 
   - name: test.request.body.multipart.content_transfer_encodings
     data_type: "Array<Array<String>>"

From 81330705d06dec62b2e9aedd5aa357d4d008ab0a Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Tue, 31 Dec 2024 12:13:14 +0000
Subject: [PATCH 09/45] Add JWT validation fields

---
 src/content/fields/index.yaml | 180 ++++++++++++++++++++++++++++++++++
 1 file changed, 180 insertions(+)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index 6e410f4c94cbdbc..7aa50fad83b0e6d 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -983,6 +983,186 @@ entries:
       and not cf.bot_management.corporate_proxy
       and cf.bot_management.score lt 30
 
+  - name: http.request.jwt.claims.aud
+    data_type: Map<Array<String>>
+    categories: [Request, JWT validation]
+    keywords: [request, jwt, api shield, client, visitor]
+    summary: The `aud` (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for.
+    description: |-
+      Each principal intended to process the JWT must identify itself with a value in the audience claim. In the general case, the `aud` value is an array of case-sensitive strings, each containing a `StringOrURI` value. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+  - name: http.request.jwt.claims.aud.names
+    data_type: Array<String>
+    categories: [Request, JWT validation]
+    keywords: [request, jwt, api shield, client, visitor]
+    summary: The `aud` (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for.
+    description: |-
+      Each principal intended to process the JWT must identify itself with a value in the audience claim. In the general case, the `aud` value is an array of case-sensitive strings, each containing a `StringOrURI` value. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+  - name: http.request.jwt.claims.aud.values
+    data_type: Array<String>
+    categories: [Request, JWT validation]
+    keywords: [request, jwt, api shield, client, visitor]
+    summary: The `aud` (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for.
+    description: |-
+      Each principal intended to process the JWT must identify itself with a value in the audience claim. In the general case, the `aud` value is an array of case-sensitive strings, each containing a `StringOrURI` value. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+  - name: http.request.jwt.claims.iat.sec
+    data_type: Map<Array<Integer>>
+    categories: [Request, JWT validation]
+    keywords: [request, jwt, api shield, client, visitor]
+    summary: The `iat` (issued at) claim identifies the time (number of seconds) at which the JWT was issued.
+    description: |-
+      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+  - name: http.request.jwt.claims.iat.sec.names
+    data_type: Array<String>
+    categories: [Request, JWT validation]
+    keywords: [request, jwt, api shield, client, visitor]
+    summary: The `iat` (issued at) claim identifies the time (number of seconds) at which the JWT was issued.
+    description: |-
+      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+  - name: http.request.jwt.claims.iat.sec.values
+    data_type: Array<Integer>
+    categories: [Request, JWT validation]
+    keywords: [request, jwt, api shield, client, visitor]
+    summary: The `iat` (issued at) claim identifies the time (number of seconds) at which the JWT was issued.
+    description: |-
+      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+  - name: http.request.jwt.claims.iss
+    data_type: Map<Array<String>>
+    categories: [Request, JWT validation]
+    keywords: [request, jwt, api shield, client, visitor]
+    summary: The `iss` (issuer) claim identifies the principal that issued the JWT.
+    description: |-
+      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+  - name: http.request.jwt.claims.iss.names
+    data_type: Array<String>
+    categories: [Request, JWT validation]
+    keywords: [request, jwt, api shield, client, visitor]
+    summary: The `iss` (issuer) claim identifies the principal that issued the JWT.
+    description: |-
+      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+  - name: http.request.jwt.claims.iss.values
+    data_type: Array<String>
+    categories: [Request, JWT validation]
+    keywords: [request, jwt, api shield, client, visitor]
+    summary: The `iss` (issuer) claim identifies the principal that issued the JWT.
+    description: |-
+      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+  - name: http.request.jwt.claims.jti
+    data_type: Map<Array<String>>
+    categories: [Request, JWT validation]
+    keywords: [request, jwt, api shield, client, visitor]
+    summary: The `jti` (JWT ID) claim provides a unique identifier for the JWT.
+    description: |-
+      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+  - name: http.request.jwt.claims.jti.names
+    data_type: Array<String>
+    categories: [Request, JWT validation]
+    keywords: [request, jwt, api shield, client, visitor]
+    summary: The `jti` (JWT ID) claim provides a unique identifier for the JWT.
+    description: |-
+      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+  - name: http.request.jwt.claims.jti.values
+    data_type: Array<String>
+    categories: [Request, JWT validation]
+    keywords: [request, jwt, api shield, client, visitor]
+    summary: The `jti` (JWT ID) claim provides a unique identifier for the JWT.
+    description: |-
+      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+  - name: http.request.jwt.claims.nbf.sec
+    data_type: Map<Array<Integer>>
+    categories: [Request, JWT validation]
+    keywords: [request, jwt, api shield, client, visitor]
+    summary: The `nbf` (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.
+    description: |-
+      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+  - name: http.request.jwt.claims.nbf.sec.names
+    data_type: Array<String>
+    categories: [Request, JWT validation]
+    keywords: [request, jwt, api shield, client, visitor]
+    summary: The `nbf` (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.
+    description: |-
+      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+  - name: http.request.jwt.claims.nbf.sec.values
+    data_type: Array<Integer>
+    categories: [Request, JWT validation]
+    keywords: [request, jwt, api shield, client, visitor]
+    summary: The `nbf` (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.
+    description: |-
+      For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+  - name: http.request.jwt.claims.sub
+    data_type: Map<Array<String>>
+    categories: [Request, JWT validation]
+    keywords: [request, jwt, api shield, client, visitor]
+    summary: The `sub` (subject) claim identifies the principal that is the subject of the JWT.
+    description: |-
+      The claims in a JWT are normally statements about the subject. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+  - name: http.request.jwt.claims.sub.names
+    data_type: Array<String>
+    categories: [Request, JWT validation]
+    keywords: [request, jwt, api shield, client, visitor]
+    summary: The `sub` (subject) claim identifies the principal that is the subject of the JWT.
+    description: |-
+      The claims in a JWT are normally statements about the subject. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
+  - name: http.request.jwt.claims.sub.values
+    data_type: Array<String>
+    categories: [Request, JWT validation]
+    keywords: [request, jwt, api shield, client, visitor]
+    summary: The `sub` (subject) claim identifies the principal that is the subject of the JWT.
+    description: |-
+      The claims in a JWT are normally statements about the subject. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
+
+      For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
+
   - name: test.request.body.multipart.content_transfer_encodings
     data_type: "Array<Array<String>>"
     categories: [Request, Body]

From decf46d4a3fd166172c0af81e0616f2295f801b9 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Tue, 31 Dec 2024 12:36:35 +0000
Subject: [PATCH 10/45] Add field requirements

---
 src/content/fields/index.yaml | 68 ++++++++++++++++++++++++++---------
 1 file changed, 52 insertions(+), 16 deletions(-)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index 7aa50fad83b0e6d..0a18b0caa916803 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -546,6 +546,8 @@ entries:
     description: |-
       When `true`, the [`cf.tls_client_auth.cert_verified`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_verified/) field is also `true`.
 
+      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
+
   - name: cf.tls_client_auth.cert_verified
     data_type: Boolean
     categories: [Request]
@@ -554,17 +556,23 @@ entries:
     description: |-
       Also returns `true` when a request includes a valid certificate that was revoked (refer to [`cf.tls_client_auth.cert_revoked`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_revoked/)).
 
+      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
+
   - name: cf.tls_client_auth.cert_presented
     data_type: Boolean
     categories: [Request]
     keywords: [request, ssl, tls, client, visitor]
     summary: Returns `true` when a request presents a certificate (valid or not).
+    description: |-
+      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
 
   - name: cf.tls_client_auth.cert_issuer_dn
     data_type: String
     categories: [Request]
     keywords: [request, ssl, tls, client, visitor]
     summary: The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate included in the request.
+    description: |-
+      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
     example_value: |-
       "CN=Access Testing CA,OU=TX,O=Access Testing,L=Austin,ST=Texas,C=US"
 
@@ -573,6 +581,8 @@ entries:
     categories: [Request]
     keywords: [request, ssl, tls, client, visitor]
     summary: The Distinguished Name (DN) of the owner (or requester) of the certificate included in the request.
+    description: |-
+      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
     example_value: |-
       "CN=James Royal,OU=Access Admins,O=Access,L=Austin,ST=Texas,C=US"
 
@@ -581,6 +591,8 @@ entries:
     categories: [Request]
     keywords: [request, ssl, tls, client, visitor]
     summary: The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in [RFC 2253](https://datatracker.ietf.org/doc/html/rfc2253) format.
+    description: |-
+      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
     example_value: |-
       "CN=Access Testing CA,OU=TX,O=Access Testing,L=Austin,ST=Texas,C=US"
 
@@ -589,6 +601,8 @@ entries:
     categories: [Request]
     keywords: [request, ssl, tls, client, visitor]
     summary: The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in [RFC 2253](https://datatracker.ietf.org/doc/html/rfc2253) format.
+    description: |-
+      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
     example_value: |-
       "CN=James Royal,OU=Access Admins,O=Access,L=Austin,ST=Texas,C=US"
 
@@ -597,6 +611,8 @@ entries:
     categories: [Request]
     keywords: [request, ssl, tls, client, visitor]
     summary: The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in a legacy format.
+    description: |-
+      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
     example_value: |-
       "/C=US/ST=Texas/L=Austin/O=Access Testing/OU=TX/CN=Access Testing CA"
 
@@ -605,6 +621,8 @@ entries:
     categories: [Request]
     keywords: [request, ssl, tls, client, visitor]
     summary: The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in a legacy format.
+    description: |-
+      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
     example_value: |-
       "/C=US/ST=Texas/L=Austin/O=Access/OU=Access Admins/CN=James Royal"
 
@@ -613,6 +631,8 @@ entries:
     categories: [Request]
     keywords: [request, ssl, tls, client, visitor]
     summary: Serial number of the certificate in the request.
+    description: |-
+      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
     example_value: |-
       "527E0F20A20EA2A4146C78390F34CE7AF0878CA4"
 
@@ -621,6 +641,8 @@ entries:
     categories: [Request]
     keywords: [request, ssl, tls, client, visitor]
     summary: Serial number of the direct issuer of the certificate in the request.
+    description: |-
+      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
     example_value: |-
       "2688201DBA77402EA87118876F2E1B24CF8B0395"
 
@@ -629,6 +651,8 @@ entries:
     categories: [Request]
     keywords: [request, ssl, tls, client, visitor]
     summary: The SHA-256 fingerprint of the certificate in the request.
+    description: |-
+      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
     example_value: |-
       "af363dc85bc942a892d3cee9796190fdb36d89cd588a4f1cb17c74a943439714"
 
@@ -637,6 +661,8 @@ entries:
     categories: [Request]
     keywords: [request, ssl, tls, client, visitor]
     summary: The SHA-1 fingerprint of the certificate in the request.
+    description: |-
+      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
     example_value: |-
       "933ad5282c560ae3f482a43ecd73bc9de878a190"
 
@@ -645,6 +671,8 @@ entries:
     categories: [Request]
     keywords: [request, ssl, tls, client, visitor]
     summary: The certificate in the request is not valid before this date.
+    description: |-
+      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
     example_value: |-
       "Mar 21 13:35:00 2022 GMT"
 
@@ -653,6 +681,8 @@ entries:
     categories: [Request]
     keywords: [request, ssl, tls, client, visitor]
     summary: The certificate in the request is not valid after this date.
+    description: |-
+      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
     example_value: |-
       "Mar 21 13:35:00 2023 GMT"
 
@@ -661,6 +691,8 @@ entries:
     categories: [Request]
     keywords: [request, ssl, tls, client, visitor]
     summary: The Subject Key Identifier (SKI) of the certificate in the request.
+    description: |-
+      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
     example_value: |-
       "27846FAE6EAC4A8DAD9101B519CF1EB460242831"
 
@@ -669,6 +701,8 @@ entries:
     categories: [Request]
     keywords: [request, ssl, tls, client, visitor]
     summary: The Subject Key Identifier (SKI) of the direct issuer of the certificate in the request.
+    description: |-
+      This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
     example_value: |-
       "8204924CF49D471E855862706D889F58F6B784D3"
 
@@ -722,7 +756,7 @@ entries:
       ]
     summary: When `true`, the request contains at least one content object.
     description: |-
-      For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
+      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
 
   - name: cf.waf.content_scan.has_malicious_obj
     data_type: Boolean
@@ -738,7 +772,7 @@ entries:
       ]
     summary: When `true`, the request contains at least one malicious content object.
     description: |-
-      For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
+      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
 
   - name: cf.waf.content_scan.num_malicious_obj
     data_type: Integer
@@ -754,7 +788,7 @@ entries:
       ]
     summary: The number of malicious content objects detected in the request (zero or greater).
     description: |-
-      For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
+      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
 
   - name: cf.waf.content_scan.has_failed
     data_type: Boolean
@@ -770,7 +804,7 @@ entries:
       ]
     summary: When `true`, the file scanner was unable to scan all the content objects detected in the request.
     description: |-
-      For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
+      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
 
   - name: cf.waf.content_scan.num_obj
     data_type: Integer
@@ -786,7 +820,7 @@ entries:
       ]
     summary: The number of content objects detected in the request (zero or greater).
     description: |-
-      For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
+      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
 
   - name: cf.waf.content_scan.obj_sizes
     data_type: Array<Integer>
@@ -802,7 +836,7 @@ entries:
       ]
     summary: An array of file sizes in bytes, in the order the content objects were detected in the request.
     description: |-
-      For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
+      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
 
   - name: cf.waf.content_scan.obj_types
     data_type: Array<String>
@@ -820,7 +854,7 @@ entries:
     description: |-
       If Cloudflare cannot determine the file type of a content object, the corresponding value in the `obj_types` array will be `application/octet-stream`.
 
-      For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
+      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
 
   - name: cf.waf.content_scan.obj_results
     data_type: Array<String>
@@ -838,7 +872,7 @@ entries:
     description: |-
       The possible values are: `clean`, `suspicious`, `infected`, and `not scanned`.
 
-      For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
+      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
 
   - name: cf.waf.score
     data_type: Number
@@ -848,13 +882,15 @@ entries:
     description: |-
       This is the standard [WAF attack score](/waf/detections/attack-score/) to detect variants of attack patterns.
 
+      Requires a Cloudflare Enterprise plan with [attack score detection](/waf/detections/attack-score/) enabled.
+
   - name: cf.waf.score.sqli
     data_type: Number
     categories: [Request]
     keywords: [request, cloudflare, attack score, waf score, client, visitor]
     summary: An attack score from `1` to `99` classifying the SQL injection (SQLi) attack vector.
     description: |-
-      For more details, refer to [WAF attack score](/waf/detections/attack-score/).
+      Requires a Cloudflare Enterprise plan with [attack score detection](/waf/detections/attack-score/) enabled.
 
   - name: cf.waf.score.xss
     data_type: Number
@@ -862,7 +898,7 @@ entries:
     keywords: [request, cloudflare, attack score, waf score, client, visitor]
     summary: An attack score from `1` to `99` classifying the cross-site scripting (XSS) attack vector.
     description: |-
-      For more details, refer to [WAF attack score](/waf/detections/attack-score/).
+      Requires a Cloudflare Enterprise plan with [attack score detection](/waf/detections/attack-score/) enabled.
 
   - name: cf.waf.score.rce
     data_type: Number
@@ -870,7 +906,7 @@ entries:
     keywords: [request, cloudflare, attack score, waf score, client, visitor]
     summary: An attack score from `1` to `99` classifying the command injection or Remote Code Execution (RCE) attack vector.
     description: |-
-      For more details, refer to [WAF attack score](/waf/detections/attack-score/).
+      Requires a Cloudflare Enterprise plan with [attack score detection](/waf/detections/attack-score/) enabled.
 
   - name: cf.waf.score.class
     data_type: String
@@ -880,7 +916,7 @@ entries:
     description: |-
       Can have one of the following values: `attack`, `likely_attack`, `likely_clean`, `clean`.
 
-      For more details, refer to [WAF attack score](/waf/detections/attack-score/).
+      Requires a Cloudflare Business plan (or above) with [attack score detection](/waf/detections/attack-score/) enabled.
 
   - name: cf.waf.auth_detected
     data_type: Boolean
@@ -896,7 +932,7 @@ entries:
       ]
     summary: When `true`, the Cloudflare WAF detected authentication credentials in the request.
     description: |-
-      Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
+      Requires a Cloudflare Enterprise plan with [leaked credentials detection](/waf/detections/leaked-credentials/) enabled.
 
   - name: cf.waf.credential_check.password_leaked
     data_type: Boolean
@@ -928,7 +964,7 @@ entries:
       ]
     summary: When `true`, the username detected in the request was previously leaked.
     description: |-
-      Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
+      Requires a Cloudflare Enterprise plan with [leaked credentials detection](/waf/detections/leaked-credentials/) enabled.
 
   - name: cf.waf.credential_check.username_and_password_leaked
     data_type: Boolean
@@ -944,7 +980,7 @@ entries:
       ]
     summary: When `true`, the authentication credentials detected in the request (username and password pair) were previously leaked.
     description: |-
-      Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
+      Requires a Cloudflare Pro plan (or above) with [leaked credentials detection](/waf/detections/leaked-credentials/) enabled.
 
   - name: cf.waf.credential_check.username_password_similar
     data_type: Boolean
@@ -960,7 +996,7 @@ entries:
       ]
     summary: When `true`, a similar version of the username and password credentials detected in the request were previously leaked.
     description: |-
-      Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
+      Requires a Cloudflare Enterprise plan with [leaked credentials detection](/waf/detections/leaked-credentials/) enabled.
 
   - name: cf.worker.upstream_zone
     data_type: String

From ad9797eb744a57595f087f4d71d9e14fced56908 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Tue, 31 Dec 2024 15:12:27 +0000
Subject: [PATCH 11/45] Add request header fields

---
 src/content/fields/index.yaml | 176 ++++++++++++++++++++++++++++++++++
 1 file changed, 176 insertions(+)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index 0a18b0caa916803..0476e8765a98e3b 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -1199,6 +1199,182 @@ entries:
 
       For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
 
+  - name: http.request.uri.args
+    data_type: Map<Array<String>>
+    categories: [Request, URI]
+    keywords: [request, uri, url, arguments, query string, client, visitor]
+    summary: The HTTP URI arguments associated with a request represented as a Map (associative array).
+    description: |-
+      When an argument repeats, the array contains multiple items in the order they appear in the request.
+
+      The values are not pre-processed and retain the original case used in the request.
+
+      - **Decoding:** No decoding performed
+      - **Non-ASCII:** Preserved
+    example_value: |-
+      {"search": ["red+apples"]}
+    example_block: |-
+      any(http.request.uri.args["search"][*] == "red+apples")
+
+  - name: http.request.uri.args.names
+    data_type: Array<String>
+    categories: [Request, URI]
+    keywords: [request, uri, url, arguments, query string, client, visitor]
+    summary: The names of the arguments in the HTTP URI query string.
+    description: |-
+      When a name repeats, the array contains multiple items in the order that they appear in the request.
+
+      The names are not pre-processed and retain the original case used in the request.
+
+      - **Decoding:** No decoding performed
+      - **Non-ASCII:** Preserved
+    example_value: |-
+      ["search"]
+    example_block: |-
+      any(http.request.uri.args.names[*] == "search")
+
+  - name: http.request.uri.args.values
+    data_type: Array<String>
+    categories: [Request, URI]
+    keywords: [request, uri, url, arguments, query string, client, visitor]
+    summary: The values of arguments in the HTTP URI query string.
+    description: |-
+      The values are not pre-processed and retain the original case used in the request. They are in the same order as in the request.
+
+      Duplicated values are listed multiple times.
+
+      - **Decoding:** No decoding performed
+      - **Non-ASCII:** Preserved
+    example_value: |-
+      ["red+apples"]
+    example_block: |-
+      any(http.request.uri.args.values[*] == "red+apples")
+
+  - name: raw.http.request.uri.args
+    data_type: Map<Array<String>>
+    categories: [Request, URI, Raw fields]
+    keywords: [request, uri, url, arguments, query string, raw, client, visitor]
+    summary: The raw HTTP URI arguments associated with a request represented as a Map (associative array).
+    description: |-
+      This is the raw field version of the [`http.request.uri.args`](/ruleset-engine/rules-language/fields/reference/http.request.uri.args/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
+
+  - name: raw.http.request.uri.args.names
+    data_type: Array<String>
+    categories: [Request, URI, Raw fields]
+    keywords: [request, uri, url, arguments, query string, raw, client, visitor]
+    summary: The raw names of the arguments in the HTTP URI query string.
+    description: |-
+      This is the raw field version of the [`http.request.uri.args.names`](/ruleset-engine/rules-language/fields/reference/http.request.uri.args.names/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
+
+  - name: raw.http.request.uri.args.values
+    data_type: Array<String>
+    categories: [Request, URI, Raw fields]
+    keywords: [request, uri, url, arguments, query string, raw, client, visitor]
+    summary: The raw values of arguments in the HTTP URI query string.
+    description: |-
+      This is the raw field version of the [`http.request.uri.args.values`](/ruleset-engine/rules-language/fields/reference/http.request.uri.args.values/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
+
+  - name: http.request.headers
+    data_type: Map<Array<String>>
+    categories: [Request, Headers]
+    keywords: [request, client, visitor]
+    summary: The HTTP request headers represented as a Map (or associative array).
+    description: |-
+      The keys of the associative array are the names of HTTP request headers converted to lowercase.
+
+      When there are repeating headers, the array includes them in the order they appear in the request.
+
+      The request header values are not pre-processed and retain the original case used in the request.
+
+      - **Decoding:** No decoding performed
+      - **Whitespace:** Preserved
+      - **Non-ASCII:** Preserved
+    example_value: |-
+      {"content-type": ["application/json"]}
+    example_block: |-
+      any(http.request.headers["content-type"][*] == "application/json")
+
+  - name: http.request.headers.names
+    data_type: Array<String>
+    categories: [Request, Headers]
+    keywords: [request, client, visitor]
+    summary: The names of the headers in the HTTP request.
+    description: |-
+      The names are not pre-processed and retain the original case used in the request.
+
+      The order of header names is not guaranteed but will match [`http.request.headers.values`](/ruleset-engine/rules-language/fields/reference/http.request.headers.values/).
+
+      Duplicate headers are listed multiple times.
+
+      - **Decoding:** No decoding performed
+      - **Whitespace:** Preserved
+      - **Non-ASCII:** Preserved
+
+      **Note:** In HTTP/2, the names of HTTP headers are always in lowercase. Recent versions of the `curl` tool [enable HTTP/2 by default](https://curl.se/docs/manpage.html#--http2) for HTTPS connections.
+    example_value: |-
+      ["content-type"]
+    example_block: |-
+      any(http.request.headers.names[*] == "content-type")
+
+  - name: http.request.headers.values
+    data_type: Array<String>
+    categories: [Request, Headers]
+    keywords: [request, client, visitor]
+    summary: The values of the headers in the HTTP request.
+    description: |-
+      The values are not pre-processed and retain the original case used in the request.
+
+      The order of header values is not guaranteed but will match [`http.request.headers.names`](/ruleset-engine/rules-language/fields/reference/http.request.headers.names/).
+
+      Duplicate headers are listed multiple times.
+
+      - **Decoding:** No decoding performed
+      - **Whitespace:** Preserved
+      - **Non-ASCII:** Preserved
+
+      **Note:** In HTTP/2, the names of HTTP headers are always in lowercase. Recent versions of the `curl` tool [enable HTTP/2 by default](https://curl.se/docs/manpage.html#--http2) for HTTPS connections.
+    example_value: |-
+      # Example 1: ["application/json"]
+      # Example 2: ["This header value is longer than 10 bytes"]
+
+    example_block: |-
+      # Example 1: Check for specific header value.
+      any(http.request.headers.values[*] == "application/json")
+
+      # Example 2: Match requests according to the specified operator and the length/size entered for the header value.
+      any(len(http.request.headers.values[*])[*] gt 10)
+
+  - name: http.request.headers.truncated
+    data_type: Boolean
+    categories: [Request, Headers]
+    keywords: [request, client, visitor]
+    summary: Indicates whether the HTTP request contains too many headers.
+    description: |-
+      When `true`, [`http.request.headers`](/ruleset-engine/rules-language/fields/reference/http.request.headers), [`http.request.headers.names`](/ruleset-engine/rules-language/fields/reference/http.request.headers.names), and [`http.request.headers.values`](/ruleset-engine/rules-language/fields/reference/http.request.headers.values) may not contain all of the headers sent in the HTTP request.
+
+  - name: http.request.accepted_languages
+    data_type: Array<String>
+    categories: [Request, Headers]
+    keywords: [request, client, visitor]
+    summary: List of language tags provided in the [`Accept-Language`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language) HTTP request header.
+    description: |-
+      Language tags are sorted by weight (`;q=<weight>`, with a default weight of `1`) in descending order.
+
+      If the HTTP header is not present in the request or is empty, `http.request.accepted_languages[0]` will return a "[missing value](/ruleset-engine/rules-language/values/#notes)", which the [`concat()`](/ruleset-engine/rules-language/functions/#concat) function will handle as an empty string.
+
+      If the HTTP header includes the language tag `*` it will not be stored in the array.
+    example_block: |-
+      # Example 1: Request with header "Accept-Language: fr-CH, fr;q=0.8, en;q=0.9, de;q=0.7, *;q=0.5".
+      # In this case:
+      http.request.accepted_languages[0] == "fr-CH"
+      http.request.accepted_languages == ["fr-CH", "en", "fr", "de"]
+
+      # Example 2: Request without an `Accept-Language` HTTP header and a URI of "https://www.example.com/my-path".
+      # In this case:
+      concat("/", http.request.accepted_languages[0], http.request.uri.path) == "//my-path"
+
+      **Note:** This field is only available in [Transform Rules](/rules/transform/).
+
   - name: test.request.body.multipart.content_transfer_encodings
     data_type: "Array<Array<String>>"
     categories: [Request, Body]

From 3c455c78bbf66f5a56efd4fad0c22eb851fc6a66 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Tue, 31 Dec 2024 17:35:06 +0000
Subject: [PATCH 12/45] Add request body fields

---
 src/content/fields/index.yaml | 178 +++++++++++++++++++++++++++++++++-
 1 file changed, 177 insertions(+), 1 deletion(-)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index 0476e8765a98e3b..ccbd8133205e3ff 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -1375,7 +1375,183 @@ entries:
 
       **Note:** This field is only available in [Transform Rules](/rules/transform/).
 
-  - name: test.request.body.multipart.content_transfer_encodings
+  - name: http.request.body.raw
+    data_type: String
+    categories: [Request, Body, Raw fields]
+    keywords: [request, body, raw, client, visitor]
+    summary: The unaltered HTTP request body.
+    description: |-
+      When the value of [`http.request.body.truncated`](/ruleset-engine/rules-language/fields/reference/http.request.body.truncated/) is `true`, the return value may be truncated.
+
+      - **Decoding:** No decoding performed
+      - **Whitespace:** Preserved
+      - **Non-ASCII:** Preserved
+
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+
+  - name: http.request.body.truncated
+    data_type: Boolean
+    categories: [Request, Body]
+    keywords: [request, body, client, visitor]
+    summary: Indicates whether the HTTP request body is truncated.
+    description: |-
+      When `true`, `http.request.body.*` fields may not contain all of the HTTP request body.
+
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+
+  - name: http.request.body.size
+    data_type: Number
+    categories: [Request, Body]
+    keywords: [request, body, client, visitor]
+    summary: The total size of the HTTP request body (in bytes).
+    description: |-
+      This field may have a value larger than the one returned by `len(http.request.body.raw)`, since the [`http.request.body.raw`](/ruleset-engine/rules-language/fields/reference/http.request.body.raw/) field only considers the request body up to a maximum size that varies according to your Cloudflare plan.
+
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+
+  - name: http.request.body.form
+    data_type: Map<Array<String>>
+    categories: [Request, Body]
+    keywords: [request, body, form, client, visitor]
+    summary: The HTTP request body of a form represented as a Map (or associative array).
+    description: |-
+      Populated when the `Content-Type` header is `application/x-www-form-urlencoded`.
+
+      The values are not pre-processed and retain the original case used in the request.
+
+      When a field repeats, then the array contains multiple items in the order they are in the request.
+
+      The return value may be truncated if [`http.request.body.truncated`](/ruleset-engine/rules-language/fields/reference/http.request.body.truncated) is `true`.
+
+      - **Decoding:** No decoding performed
+      - **Whitespace:** Preserved
+      - **Non-ASCII:** Preserved
+
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+    example_value: |-
+      {username": ["admin"]}
+    example_block: |-
+      any(http.request.body.form["username"][*] == "admin")
+
+  - name: http.request.body.form.names
+    data_type: Array<String>
+    categories: [Request, Body]
+    keywords: [request, body, form, client, visitor]
+    summary: The names of the form fields in an HTTP request.
+    description: |-
+      Populated when the `Content-Type` header is `application/x-www-form-urlencoded`.
+
+      Names are not pre-processed and retain the original case used in the request. They are listed in the same order as in the request.
+
+      Duplicate names are listed multiple times.
+
+      The return value may be truncated if [`http.request.body.truncated`](/ruleset-engine/rules-language/fields/reference/http.request.body.truncated) is `true`.
+
+      - **Decoding:** No decoding performed
+      - **Whitespace:** Preserved
+      - **Non-ASCII:** Preserved
+
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+    example_value: |-
+      ["username"]
+    example_block: |-
+      any(http.request.body.form.names[*] == "username")
+
+  - name: http.request.body.form.values
+    data_type: Array<String>
+    categories: [Request, Body]
+    keywords: [request, body, form, client, visitor]
+    summary: The values of the form fields in an HTTP request
+    description: |-
+      Populated when the `Content-Type` header is `application/x-www-form-urlencoded`.
+
+      Values are not pre-processed and retain the original case used in the request. They are listed in the same order as in the request.
+
+      Duplicated values are listed multiple times.
+
+      The return value may be truncated if [`http.request.body.truncated`](/ruleset-engine/rules-language/fields/reference/http.request.body.truncated) is `true`.
+
+      - **Decoding:** No decoding performed
+      - **Whitespace:** Preserved
+      - **Non-ASCII:** Preserved
+
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+    example_value: |-
+      ["admin"]
+    example_block: |-
+      any(http.request.body.form.values[*] == "admin")
+
+  - name: http.request.body.mime
+    data_type: String
+    categories: [Request, Body]
+    keywords: [request, body, client, visitor]
+    summary: The MIME type of the request detected from the request body.
+    description: |-
+      Supports the most common MIME types of the following general categories: video, audio, image, application, text.
+    example_value: |-
+      "image/jpeg"
+
+  - name: http.request.body.multipart
+    data_type: Map<Array<String>>
+    categories: [Request, Body]
+    keywords: [request, body, client, visitor]
+    summary: A Map (or associative array) representation of multipart names to multipart values in the request body.
+    example_value: |-
+      {"username": ["alice_doe"], "picture": [<binary_content_of_file>]}
+
+  - name: http.request.body.multipart.names
+    data_type: Array<Array<String>>
+    categories: [Request, Body]
+    keywords: [request, body, client, visitor]
+    summary: List of multipart names for every part in the multipart body.
+    example_value: |-
+      [["username"], ["picture"]]
+    example_block: |-
+      any(http.request.body.multipart.names[*][0] == "picture")
+
+  - name: http.request.body.multipart.values
+    data_type: Array<String>
+    categories: [Request, Body]
+    keywords: [request, body, client, visitor]
+    summary: List of multipart values for every part in the multipart body.
+    example_value: |-
+      ["alice_doe", <binary_content_of_file>]
+
+  - name: http.request.body.multipart.content_types
+    data_type: Array<Array<String>>
+    categories: [Request, Body]
+    keywords: [request, body, client, visitor]
+    summary: List of `Content-Type` headers for each part in the multipart body.
+    example_value: |-
+      [["text/plain"], ["image/jpeg"]]
+    example_block: |-
+      any(http.request.body.multipart.content_types[*][0] == "application/octet-stream")
+
+  - name: http.request.body.multipart.content_dispositions
+    data_type: Array<Array<String>>
+    categories: [Request, Body]
+    keywords: [request, body, client, visitor]
+    summary: List of `Content-Disposition` headers for each part in the multipart body.
+    example_value: |-
+      [["form-data; name=\"username\"], ["form-data;name=\"picture\"]]
+
+  - name: http.request.body.multipart.content_transfer_encodings
+    data_type: Array<Array<String>>
+    categories: [Request, Body]
+    keywords: [request, body, client, visitor]
+    summary: List of `Content-Transfer-Encoding` headers for each part in the multipart body.
+    example_value: |-
+      [["quoted-printable"], ["quoted-printable"]]
+
+  - name: http.request.body.multipart.filenames
+    data_type: Array<Array<String>>
+    categories: [Request, Body]
+    keywords: [request, body, client, visitor]
+    summary: List of filenames for each part in the multipart body.
+    example_value: |-
+      [["file1.txt"], ["photo.jpg"]]
+
+  - name: TEST.request.body.multipart.content_transfer_encodings
     data_type: "Array<Array<String>>"
     categories: [Request, Body]
     keywords: [request, body, payload, form, multipart, upload, client, visitor]

From daa74ac92298559f507ca9d32c40e126b49002ae Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Thu, 2 Jan 2025 10:37:15 +0000
Subject: [PATCH 13/45] Disable conversion of relative links to absolute links

---
 .../rules-language/fields/reference/[name].astro              | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro b/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro
index 2d64893f6d6ae4b..0d91a96b45df523 100644
--- a/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro
+++ b/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro
@@ -24,6 +24,10 @@ export const getStaticPaths = (async () => {
 const { name } = Astro.params;
 const { field } = Astro.props;
 
+// disable conversion of relative links to absolute links
+// set in /src/pages/changelog/index/index.xml.ts
+marked.use({ walkTokens: null });
+
 let CodeExamples = null;
 // switch (field.task.name) {
 // 	case "Text Generation":

From 7622de55e8cb98b1c76964dae8c9553ef49790bc Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Thu, 2 Jan 2025 11:56:27 +0000
Subject: [PATCH 14/45] Add note about body fields

---
 .../fields/reference/[name].astro             | 61 ++++++++++---------
 1 file changed, 33 insertions(+), 28 deletions(-)

diff --git a/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro b/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro
index 0d91a96b45df523..2153209a1f6a26e 100644
--- a/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro
+++ b/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro
@@ -122,34 +122,6 @@ const starlightPageProps = {
 		)
 	}
 
-	{
-		field.name === "@cf/meta/llama-3.2-11b-vision-instruct" && (
-			<Aside>
-				<p>
-					To use Llama 3.2 11b Vision Instruct, you need to agree to the{" "}
-					<a href="https://github.com/meta-llama/llama-models/blob/main/models/llama3_2/LICENSE">
-						Meta License
-					</a>{" "}
-					and{" "}
-					<a href="https://github.com/meta-llama/llama-models/blob/main/models/llama3_2/USE_POLICY.md">
-						Acceptable Use Policy
-					</a>
-					. To do so, please send an initial request to
-					<code>@cf/meta/llama-3.2-11b-vision-instruct</code> with
-					<code>"prompt" : "agree"</code>. After that, you'll be able to use the
-					model as normal.
-				</p>
-				<Code
-					code={`curl https://api.cloudflare.com/client/v4/accounts/$CLOUDFLARE_ACCOUNT_ID/ai/run/@cf/meta/llama-3.2-11b-vision-instruct \\
-   -X POST \\
-   -H "Authorization: Bearer $CLOUDFLARE_AUTH_TOKEN" \\
-   -d '{ "prompt": "agree"}'`}
-					lang="sh"
-				/>
-			</Aside>
-		)
-	}
-
 	{
 		field.example_value && (
 			<>
@@ -168,6 +140,39 @@ const starlightPageProps = {
 		)
 	}
 
+	{
+		field.name.startsWith("http.request.body") &&
+			!(field.name === "http.request.body.size") && (
+				<Aside type="caution">
+					<p>
+						All <code>http.request.body.*</code> fields (except{" "}
+						<a href="/ruleset-engine/rules-language/fields/reference/http.request.body.size/">
+							<code>http.request.body.size</code>
+						</a>
+						) handle a given maximum body size, which varies per plan. For
+						Enterprise customers, the maximum body size analyzed by Cloudflare
+						is 128 KB; for lower Cloudflare plans, the maximum size is lower.
+						You cannot define expressions that rely on request body data beyond
+						the maximum size set for your plan. If the request body is larger,
+						the body fields will contain a truncated value and the{" "}
+						<a href="/ruleset-engine/rules-language/fields/reference/http.request.body.truncated/">
+							<code>http.request.body.truncated</code>
+						</a>{" "}
+						field will be set to <code>true</code>. The{" "}
+						<a href="/ruleset-engine/rules-language/fields/reference/http.request.body.size/">
+							<code>http.request.body.size</code>
+						</a>{" "}
+						field will contain the full size of the request without any
+						truncation.
+					</p>
+					<p>
+						The maximum body size applies only to the values of HTTP body fields
+						— the origin server will still receive the complete request body.
+					</p>
+				</Aside>
+			)
+	}
+
 	<div class="!mt-8">
 		<span class="text-xs"
 			>Categories: <FieldBadges badges={field.categories} /></span

From 47a35b24338c2371d05788a6da4e267e35e1aa66 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Thu, 2 Jan 2025 11:56:49 +0000
Subject: [PATCH 15/45] Order fields and categories in field catalog

---
 src/components/FieldCatalog.jsx | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)

diff --git a/src/components/FieldCatalog.jsx b/src/components/FieldCatalog.jsx
index 91dc2c94e758dfd..035b27efd9de881 100644
--- a/src/components/FieldCatalog.jsx
+++ b/src/components/FieldCatalog.jsx
@@ -11,7 +11,10 @@ const FieldCatalog = ({ fields }) => {
 		keywords: [],
 		// capabilities: [],
 	});
-	const mapped = fields; //fields.map((field) => ({
+	const mapped = fields.sort((f1, f2) => {
+		return f1.name < f2.name ? -1 : 1;
+	});
+	//fields.map((field) => ({
 	// 	field: {
 	// 		...field,
 	// 	},
@@ -19,9 +22,24 @@ const FieldCatalog = ({ fields }) => {
 	// }));
 
 	const categories = [
-		...new Set(fields.map((field) => field.categories).flat()),
+		...new Set(
+			fields
+				.map((field) => field.categories)
+				.flat()
+				.sort(),
+		),
 	];
-	const keywords = [...new Set(fields.map((field) => field.keywords).flat())];
+
+	// Not used in FieldCatalog
+	// const keywords = [
+	// 	...new Set(
+	// 		fields
+	// 			.map((field) => field.keywords)
+	// 			.flat()
+	// 			.sort(),
+	// 	),
+	// ];
+
 	// const capabilities = [
 	// 	...new Set(
 	// 		fields

From 4a68d2ebc5d4ee5e0c8534fea5b31842d1d99b21 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Thu, 2 Jan 2025 11:57:40 +0000
Subject: [PATCH 16/45] Don't use details in individual field pages

---
 src/content/fields/index.yaml | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index ccbd8133205e3ff..80ff6ef5f478d34 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -110,7 +110,7 @@ entries:
       - If the URI path is `/articles/index.html`, the field value will be `html`.
       - If the URI path is `/articles/index.`, the field value will be an empty string (`""`).
 
-      <details><summary><p>Example values</p></summary>
+      Example values:
 
       | URI path       | Field value |
       | -------------- | ----------- |
@@ -122,8 +122,6 @@ entries:
       | `/foo.`        | `""`        |
       | `/foo.MP3`     | `"mp3"`     |
 
-      </details>
-
   - name: http.request.uri.query
     data_type: String
     categories: [Request, URI]
@@ -307,7 +305,7 @@ entries:
     keywords: [request, location, geolocation, country, client, visitor]
     summary: Returns `true` when the request originates from a country in the European Union (EU).
     description: |-
-      <details><summary><p>Countries in the EU (from geolocation data)</p></summary>
+      Countries in the EU (from geolocation data):
 
       | Country code | Country name    |
       | ------------ | --------------- |
@@ -348,8 +346,6 @@ entries:
 
       The EU country list was obtained from MaxMind's GeoIP2 database on 2023-12-05. For details on obtaining up-to-date country information, refer to the [MaxMind website](https://dev.maxmind.com/geoip/geolite2-free-geolocation-data).
 
-      </details>
-
       This field has the same value as the `ip.geoip.is_in_european_union` field, which is deprecated. The `ip.geoip.is_in_european_union` field is still available for new and existing rules, but you should use the `ip.src.is_in_european_union` field instead.
 
   - name: raw.http.request.full_uri

From 234d0aa49fae96d5c424fe35f0982ae8ea28d0aa Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Thu, 2 Jan 2025 11:58:02 +0000
Subject: [PATCH 17/45] Add response fields

---
 src/content/fields/index.yaml | 127 ++++++++++++++++++++++++++++++++++
 1 file changed, 127 insertions(+)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index 80ff6ef5f478d34..c4a93167e8ac6ac 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -1547,6 +1547,133 @@ entries:
     example_value: |-
       [["file1.txt"], ["photo.jpg"]]
 
+  - name: http.response.code
+    data_type: Integer
+    categories: [Response]
+    keywords: [response]
+    summary: The HTTP status code returned to the client, either set by a Cloudflare product or returned by the origin server.
+    example_value: |-
+      403
+
+  - name: http.response.headers
+    data_type: Map<Array<String>>
+    categories: [Response, Headers]
+    keywords: [response]
+    summary: The HTTP response headers represented as a Map (or associative array).
+    description: |-
+      When there are repeating headers, the array includes them in the order they appear in the response. The keys convert to lowercase.
+
+      - **Decoding**: No decoding performed
+      - **Whitespace**: Preserved
+      - **Non-ASCII**: Preserved
+    example_value: |-
+      {"server": ["nginx"]}
+    example_block: |-
+      any(http.response.headers["server"][*] == "nginx")
+
+  - name: http.response.headers.names
+    data_type: Array<String>
+    categories: [Response, Headers]
+    keywords: [response]
+    summary: The names of the headers in the HTTP response.
+    description: |-
+      The names are not pre-processed and retain the original case used in the response.
+
+      The order of header names is not guaranteed but will match [`http.response.headers.values`](/ruleset-engine/rules-language/fields/reference/http.response.headers.values/).
+
+      Duplicate headers are listed multiple times.
+
+      - **Decoding**: No decoding performed
+      - **Whitespace**: Preserved
+      - **Non-ASCII**: Preserved
+    example_value: |-
+      ["content-type"]
+    example_block: |-
+      any(http.response.headers.names[*] == "content-type")
+
+  - name: http.response.headers.values
+    data_type: Array<String>
+    categories: [Response, Headers]
+    keywords: [response]
+    summary: The values of the headers in the HTTP response.
+    description: |-
+      The values are not pre-processed and retain the original case used in the response.
+
+      The order of header values is not guaranteed but will match [`http.response.headers.names`](/ruleset-engine/rules-language/fields/reference/http.response.headers.names/).
+
+      Duplicate headers are listed multiple times.
+
+      - **Decoding**: No decoding performed
+      - **Whitespace**: Preserved
+      - **Non-ASCII**: Preserved
+    example_value: |-
+      Example 1: ["application/json"]
+      Example 2: ["This header value is longer than 10 bytes"]
+    example_block: |-
+      # Example 1: Check for specific header value.
+      any(http.response.headers.values[*] == "application/json")
+
+      # Example 2: Match requests according to the specified operator and the length/size entered for the header value.
+      any(len(http.response.headers.values[*])[*] gt 10)
+
+  - name: http.response.content_type.media_type
+    data_type: String
+    categories: [Response, Headers]
+    keywords: [response]
+    summary: The lowercased content type (including subtype and suffix) without any extra parameters, based on the response's `Content-Type` header.
+    description: |-
+      The field value will not include parameters such as `charset`.
+
+      Example values:
+
+      | Content-Type header                     | Field value         |
+      | --------------------------------------- | ------------------- |
+      | `text/html`                             | `"text/html"`       |
+      | `text/html; charset=utf-8`              | `"text/html"`       |
+      | `text/html+extra`                       | `"text/html+extra"` |
+      | `text/html+extra; charset=utf-8`        | `"text/html+extra"` |
+      | `text/HTML`                             | `"text/html"`       |
+      | `text/html; charset=utf-8; other=value` | `"text/html"`       |
+
+  - name: cf.response.1xxx_code
+    data_type: Integer
+    categories: [Response]
+    keywords: [response, cloudflare]
+    summary: Contains the specific code for 1XXX Cloudflare errors.
+    description: |-
+      Use this field to differentiate between 1XXX errors associated with the same HTTP status code. The default value is `0`.
+
+      For a list of 1XXX errors, refer to [Troubleshooting Cloudflare 1XXX errors](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-1xxx-errors/).
+
+      **Note**: This field is only available in [HTTP response header modifications](/rules/transform/response-header-modification/) and [Custom Error Responses](/rules/custom-error-responses/).
+    example_value: |-
+      1020
+
+  - name: cf.response.error_type
+    data_type: String
+    categories: [Response]
+    keywords: [response, cloudflare]
+    summary: A string with the type of error in the response being returned.
+    description: |-
+      The default value is an empty string (`""`).
+
+      The available values are the following:
+
+      - `managed_challenge`
+      - `iuam`
+      - `legacy_challenge`
+      - `ip_ban`
+      - `waf`
+      - `5xx`
+      - `1xxx`
+      - `always_online`
+      - `country_challenge`
+      - `ratelimit`
+
+      You can use this field to customize the response for a specific type of error (for example, all 1XXX errors or all WAF block actions).
+
+      **Note**: This field is only available in [HTTP response header modifications](/rules/transform/response-header-modification/) and [Custom Error Responses](/rules/custom-error-responses/).
+
   - name: TEST.request.body.multipart.content_transfer_encodings
     data_type: "Array<Array<String>>"
     categories: [Request, Body]

From 3d581096f623cff3519ef6a6de670ce623db4dc2 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Thu, 2 Jan 2025 12:14:13 +0000
Subject: [PATCH 18/45] Move test field to the end of the list

---
 src/content/fields/index.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index c4a93167e8ac6ac..1ab8911b6b863b3 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -1674,7 +1674,7 @@ entries:
 
       **Note**: This field is only available in [HTTP response header modifications](/rules/transform/response-header-modification/) and [Custom Error Responses](/rules/custom-error-responses/).
 
-  - name: TEST.request.body.multipart.content_transfer_encodings
+  - name: zTEST.request.body.multipart.content_transfer_encodings
     data_type: "Array<Array<String>>"
     categories: [Request, Body]
     keywords: [request, body, payload, form, multipart, upload, client, visitor]

From 8c0ff01c923094c7e86b3d59a206747dbed71d84 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Thu, 2 Jan 2025 12:33:41 +0000
Subject: [PATCH 19/45] Update geolocation fields

---
 src/content/fields/index.yaml | 54 +++++++++++++++++++++++++++++++----
 1 file changed, 48 insertions(+), 6 deletions(-)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index 1ab8911b6b863b3..64db2a65064f9f0 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -235,15 +235,19 @@ entries:
   - name: ip.src.asnum
     data_type: Number
     categories: [Request, Geolocation]
-    keywords: [request, location, geolocation, asn, client, visitor]
+    keywords:
+      [request, location, geolocation, asn, ip.geoip.asnum, client, visitor]
     summary: The 16-bit or 32-bit integer representing the Autonomous System (AS) number associated with the client IP address.
     description: |-
       This field has the same value as the `ip.geoip.asnum` field, which is deprecated. The `ip.geoip.asnum` field is still available for new and existing rules, but you should use the `ip.src.asnum` field instead.
 
+      _GeoIP is the registered trademark of MaxMind, Inc._
+
   - name: ip.src.continent
     data_type: String
     categories: [Request, Geolocation]
-    keywords: [request, location, geolocation, client, visitor]
+    keywords:
+      [request, location, geolocation, ip.geoip.continent, client, visitor]
     summary: The continent code associated with the client IP address.
     description: |-
       Values:
@@ -259,10 +263,13 @@ entries:
 
       This field has the same value as the `ip.geoip.continent` field, which is deprecated. The `ip.geoip.continent` field is still available for new and existing rules, but you should use the `ip.src.continent` field instead.
 
+      _GeoIP is the registered trademark of MaxMind, Inc._
+
   - name: ip.src.country
     data_type: String
     categories: [Request, Geolocation]
-    keywords: [request, location, geolocation, client, visitor]
+    keywords:
+      [request, location, geolocation, ip.geoip.country, client, visitor]
     summary: The 2-letter country code in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format.
     example_value: |-
       GB
@@ -271,10 +278,21 @@ entries:
 
       This field has the same value as the `ip.geoip.country` field, which is deprecated. The `ip.geoip.country` field is still available for new and existing rules, but you should use the `ip.src.country` field instead.
 
+      _GeoIP is the registered trademark of MaxMind, Inc._
+
   - name: ip.src.subdivision_1_iso_code
     data_type: String
     categories: [Request, Geolocation]
-    keywords: [request, location, geolocation, region, client, visitor]
+    keywords:
+      [
+        request,
+        location,
+        geolocation,
+        ip.geoip.subdivision_1_iso_code,
+        region,
+        client,
+        visitor,
+      ]
     summary: The ISO 3166-2 code for the first-level region associated with the IP address.
     example_value: |-
       GB-ENG
@@ -285,10 +303,21 @@ entries:
 
       This field has the same value as the `ip.geoip.subdivision_1_iso_code` field, which is deprecated. The `ip.geoip.subdivision_1_iso_code` field is still available for new and existing rules, but you should use the `ip.src.subdivision_1_iso_code` field instead.
 
+      _GeoIP is the registered trademark of MaxMind, Inc._
+
   - name: ip.src.subdivision_2_iso_code
     data_type: String
     categories: [Request, Geolocation]
-    keywords: [request, location, geolocation, region, client, visitor]
+    keywords:
+      [
+        request,
+        location,
+        geolocation,
+        ip.geoip.subdivision_2_iso_code,
+        region,
+        client,
+        visitor,
+      ]
     summary: The ISO 3166-2 code for the second-level region associated with the IP address.
     example_value: |-
       GB-SWK
@@ -299,10 +328,21 @@ entries:
 
       This field has the same value as the `ip.geoip.subdivision_2_iso_code` field, which is deprecated. The `ip.geoip.subdivision_2_iso_code` field is still available for new and existing rules, but you should use the `ip.src.subdivision_2_iso_code` field instead.
 
+      _GeoIP is the registered trademark of MaxMind, Inc._
+
   - name: ip.src.is_in_european_union
     data_type: Boolean
     categories: [Request, Geolocation]
-    keywords: [request, location, geolocation, country, client, visitor]
+    keywords:
+      [
+        request,
+        location,
+        geolocation,
+        ip.geoip.is_in_european_union,
+        country,
+        client,
+        visitor,
+      ]
     summary: Returns `true` when the request originates from a country in the European Union (EU).
     description: |-
       Countries in the EU (from geolocation data):
@@ -348,6 +388,8 @@ entries:
 
       This field has the same value as the `ip.geoip.is_in_european_union` field, which is deprecated. The `ip.geoip.is_in_european_union` field is still available for new and existing rules, but you should use the `ip.src.is_in_european_union` field instead.
 
+      _GeoIP is the registered trademark of MaxMind, Inc._
+
   - name: raw.http.request.full_uri
     data_type: String
     categories: [Request, URI, Raw fields]

From 152571b7a6f1f0cb2ed30515bad9cb340088e9e4 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Thu, 2 Jan 2025 12:36:18 +0000
Subject: [PATCH 20/45] Update formatting

---
 src/content/fields/index.yaml | 67 ++++++++++++++++++-----------------
 1 file changed, 34 insertions(+), 33 deletions(-)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index 64db2a65064f9f0..ca5242196a3cc8f 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -400,7 +400,7 @@ entries:
 
       This is the raw field version of the [`http.request.full_uri`](/ruleset-engine/rules-language/fields/reference/http.request.full_uri/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
 
-      **Note:** This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
+      **Note**: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
 
   - name: raw.http.request.uri.path
     data_type: String
@@ -410,7 +410,7 @@ entries:
     description: |-
       This is the raw field version of the [`http.request.uri`](/ruleset-engine/rules-language/fields/reference/http.request.uri/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
 
-      **Note:** This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
+      **Note**: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
 
   - name: raw.http.request.uri.path.extension
     data_type: String
@@ -428,7 +428,7 @@ entries:
     description: |-
       This is the raw field version of the [`http.request.uri.query`](/ruleset-engine/rules-language/fields/reference/http.request.uri.query/) field. Raw fields, prefixed with `raw.`, preserve original request values for later evaluations. These fields are immutable during the entire request evaluation workflow, and they are not affected by the actions of previously matched rules.
 
-      **Note:** This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
+      **Note**: This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
 
   - name: ssl
     data_type: Boolean
@@ -1247,8 +1247,8 @@ entries:
 
       The values are not pre-processed and retain the original case used in the request.
 
-      - **Decoding:** No decoding performed
-      - **Non-ASCII:** Preserved
+      - **Decoding**: No decoding performed
+      - **Non-ASCII**: Preserved
     example_value: |-
       {"search": ["red+apples"]}
     example_block: |-
@@ -1264,8 +1264,8 @@ entries:
 
       The names are not pre-processed and retain the original case used in the request.
 
-      - **Decoding:** No decoding performed
-      - **Non-ASCII:** Preserved
+      - **Decoding**: No decoding performed
+      - **Non-ASCII**: Preserved
     example_value: |-
       ["search"]
     example_block: |-
@@ -1281,8 +1281,8 @@ entries:
 
       Duplicated values are listed multiple times.
 
-      - **Decoding:** No decoding performed
-      - **Non-ASCII:** Preserved
+      - **Decoding**: No decoding performed
+      - **Non-ASCII**: Preserved
     example_value: |-
       ["red+apples"]
     example_block: |-
@@ -1324,9 +1324,9 @@ entries:
 
       The request header values are not pre-processed and retain the original case used in the request.
 
-      - **Decoding:** No decoding performed
-      - **Whitespace:** Preserved
-      - **Non-ASCII:** Preserved
+      - **Decoding**: No decoding performed
+      - **Whitespace**: Preserved
+      - **Non-ASCII**: Preserved
     example_value: |-
       {"content-type": ["application/json"]}
     example_block: |-
@@ -1344,11 +1344,11 @@ entries:
 
       Duplicate headers are listed multiple times.
 
-      - **Decoding:** No decoding performed
-      - **Whitespace:** Preserved
-      - **Non-ASCII:** Preserved
+      - **Decoding**: No decoding performed
+      - **Whitespace**: Preserved
+      - **Non-ASCII**: Preserved
 
-      **Note:** In HTTP/2, the names of HTTP headers are always in lowercase. Recent versions of the `curl` tool [enable HTTP/2 by default](https://curl.se/docs/manpage.html#--http2) for HTTPS connections.
+      **Note**: In HTTP/2, the names of HTTP headers are always in lowercase. Recent versions of the `curl` tool [enable HTTP/2 by default](https://curl.se/docs/manpage.html#--http2) for HTTPS connections.
     example_value: |-
       ["content-type"]
     example_block: |-
@@ -1366,11 +1366,11 @@ entries:
 
       Duplicate headers are listed multiple times.
 
-      - **Decoding:** No decoding performed
-      - **Whitespace:** Preserved
-      - **Non-ASCII:** Preserved
+      - **Decoding**: No decoding performed
+      - **Whitespace**: Preserved
+      - **Non-ASCII**: Preserved
 
-      **Note:** In HTTP/2, the names of HTTP headers are always in lowercase. Recent versions of the `curl` tool [enable HTTP/2 by default](https://curl.se/docs/manpage.html#--http2) for HTTPS connections.
+      **Note**: In HTTP/2, the names of HTTP headers are always in lowercase. Recent versions of the `curl` tool [enable HTTP/2 by default](https://curl.se/docs/manpage.html#--http2) for HTTPS connections.
     example_value: |-
       # Example 1: ["application/json"]
       # Example 2: ["This header value is longer than 10 bytes"]
@@ -1411,19 +1411,20 @@ entries:
       # In this case:
       concat("/", http.request.accepted_languages[0], http.request.uri.path) == "//my-path"
 
-      **Note:** This field is only available in [Transform Rules](/rules/transform/).
+      **Note**: This field is only available in [Transform Rules](/rules/transform/).
 
   - name: http.request.body.raw
     data_type: String
     categories: [Request, Body, Raw fields]
     keywords: [request, body, raw, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The unaltered HTTP request body.
     description: |-
       When the value of [`http.request.body.truncated`](/ruleset-engine/rules-language/fields/reference/http.request.body.truncated/) is `true`, the return value may be truncated.
 
-      - **Decoding:** No decoding performed
-      - **Whitespace:** Preserved
-      - **Non-ASCII:** Preserved
+      - **Decoding**: No decoding performed
+      - **Whitespace**: Preserved
+      - **Non-ASCII**: Preserved
 
       Requires a Cloudflare Enterprise plan with a paid add-on.
 
@@ -1461,9 +1462,9 @@ entries:
 
       The return value may be truncated if [`http.request.body.truncated`](/ruleset-engine/rules-language/fields/reference/http.request.body.truncated) is `true`.
 
-      - **Decoding:** No decoding performed
-      - **Whitespace:** Preserved
-      - **Non-ASCII:** Preserved
+      - **Decoding**: No decoding performed
+      - **Whitespace**: Preserved
+      - **Non-ASCII**: Preserved
 
       Requires a Cloudflare Enterprise plan with a paid add-on.
     example_value: |-
@@ -1485,9 +1486,9 @@ entries:
 
       The return value may be truncated if [`http.request.body.truncated`](/ruleset-engine/rules-language/fields/reference/http.request.body.truncated) is `true`.
 
-      - **Decoding:** No decoding performed
-      - **Whitespace:** Preserved
-      - **Non-ASCII:** Preserved
+      - **Decoding**: No decoding performed
+      - **Whitespace**: Preserved
+      - **Non-ASCII**: Preserved
 
       Requires a Cloudflare Enterprise plan with a paid add-on.
     example_value: |-
@@ -1509,9 +1510,9 @@ entries:
 
       The return value may be truncated if [`http.request.body.truncated`](/ruleset-engine/rules-language/fields/reference/http.request.body.truncated) is `true`.
 
-      - **Decoding:** No decoding performed
-      - **Whitespace:** Preserved
-      - **Non-ASCII:** Preserved
+      - **Decoding**: No decoding performed
+      - **Whitespace**: Preserved
+      - **Non-ASCII**: Preserved
 
       Requires a Cloudflare Enterprise plan with a paid add-on.
     example_value: |-

From 5db1607c0e6ddca5b1e585290033ec7f59e9e72a Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Thu, 2 Jan 2025 16:55:28 +0000
Subject: [PATCH 21/45] Move FieldBadges file

---
 .../{models => fields}/FieldBadges.jsx        |  0
 .../fields/reference/[name].astro             | 48 +------------------
 2 files changed, 1 insertion(+), 47 deletions(-)
 rename src/components/{models => fields}/FieldBadges.jsx (100%)

diff --git a/src/components/models/FieldBadges.jsx b/src/components/fields/FieldBadges.jsx
similarity index 100%
rename from src/components/models/FieldBadges.jsx
rename to src/components/fields/FieldBadges.jsx
diff --git a/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro b/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro
index 2153209a1f6a26e..161090f787e61e7 100644
--- a/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro
+++ b/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro
@@ -6,7 +6,7 @@ import StarlightPage, {
 	type StarlightPageProps,
 } from "@astrojs/starlight/components/StarlightPage.astro";
 import { Code, Aside, Type } from "~/components";
-import FieldBadges from "~/components/models/FieldBadges.jsx";
+import FieldBadges from "~/components/fields/FieldBadges.jsx";
 
 export const getStaticPaths = (async () => {
 	const fields = await getEntry("fields", "index");
@@ -29,52 +29,6 @@ const { field } = Astro.props;
 marked.use({ walkTokens: null });
 
 let CodeExamples = null;
-// switch (field.task.name) {
-// 	case "Text Generation":
-// 		CodeExamples = TextGenerationCode;
-// 		break;
-// 	case "Automatic Speech Recognition":
-// 		CodeExamples = AutomaticSpeechRecognitionCode;
-// 		break;
-// 	case "Image Classification":
-// 		CodeExamples = ImageClassificationCode;
-// 		break;
-// 	case "Object Detection":
-// 		CodeExamples = ObjectDetectionCode;
-// 		break;
-// 	case "Image-to-Text":
-// 		CodeExamples = ImageToTextCode;
-// 		break;
-// 	case "Text-to-Image":
-// 		CodeExamples = TextToImageCode;
-// 		break;
-// 	case "Translation":
-// 		CodeExamples = TranslationCode;
-// 		break;
-// 	case "Summarization":
-// 		CodeExamples = SummarizationCode;
-// 		break;
-// 	case "Text Embedding":
-// 		CodeExamples = TextEmbeddingCode;
-// 		break;
-// 	case "Text Classification":
-// 		CodeExamples = TextClassificationCode;
-// 		break;
-// }
-
-// // Overrides
-// if (field.name === "@cf/runwayml/stable-diffusion-v1-5-img2img") {
-// 	CodeExamples = StableDiffusionV15Img2ImgCode;
-// }
-
-// if (field.name === "@cf/runwayml/stable-diffusion-v1-5-inpainting") {
-// 	CodeExamples = StableDiffusionV15InpaintingCode;
-// }
-
-// if (field.name === "@cf/black-forest-labs/flux-1-schnell") {
-// 	CodeExamples = Flux1Schnell;
-// }
-
 const description = field.description;
 
 // Strong type coercion needed due to Starlight's component override for hideTitle

From b449e9d6208237a896d3a3008c985be38450142a Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Thu, 2 Jan 2025 16:56:32 +0000
Subject: [PATCH 22/45] Show plan requirement in FieldCatalog

---
 src/components/FieldCatalog.jsx |  15 ++--
 src/content/fields/index.yaml   | 120 ++++++++++++++++++++++++++++++--
 2 files changed, 124 insertions(+), 11 deletions(-)

diff --git a/src/components/FieldCatalog.jsx b/src/components/FieldCatalog.jsx
index 035b27efd9de881..b1804b6aa99215d 100644
--- a/src/components/FieldCatalog.jsx
+++ b/src/components/FieldCatalog.jsx
@@ -1,7 +1,5 @@
 import { useState } from "react";
-// import ModelInfo from "./fields/ModelInfo";
-// import ModelBadges from "./fields/ModelBadges";
-// import { authorData } from "./fields/data";
+import FieldBadges from "./fields/FieldBadges";
 import { marked } from "marked";
 
 const FieldCatalog = ({ fields }) => {
@@ -157,7 +155,7 @@ const FieldCatalog = ({ fields }) => {
 					return (
 						<a
 							key={field.name}
-							className="p-3 border-gray-200 dark:border-gray-700 border-solid border rounded-md lg:w-[48%] w-full block !text-inherit no-underline self-start hover:bg-gray-50 dark:hover:bg-black mb-3"
+							className="p-3 border-gray-200 dark:border-gray-700 border-solid border rounded-md lg:w-[48%] w-full block !text-inherit no-underline self-stretch hover:bg-gray-50 dark:hover:bg-black mb-3"
 							href={`/ruleset-engine/rules-language/fields/reference/${field.name}`}
 						>
 							<div className="-mb-1 flex items-center">
@@ -174,9 +172,12 @@ const FieldCatalog = ({ fields }) => {
 									__html: marked.parseInline(field.summary),
 								}}
 							/>
-							{/* <div className="text-xs !mt-2">
-								<ModelBadges model={model.model} />
-							</div> */}
+
+							{field.plan_info_label && (
+								<div className="text-xs !mt-2">
+									<FieldBadges badges={[field.plan_info_label]} />
+								</div>
+							)}
 						</a>
 					);
 				})}
diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index ca5242196a3cc8f..c68d2fa9d0dec2e 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -45,8 +45,11 @@ entries:
     data_type: Map<Array<String>>
     categories: [Request, Headers]
     keywords: [request, header, client, visitor]
+    plan_info_label: Pro
     summary: The `Cookie` HTTP header associated with a request represented as a Map (associative array).
     description: |-
+      Requires a Cloudflare Pro, Business, or Enterprise plan.
+
       The cookie names are URL decoded. If two cookies have the same name after decoding, their value arrays are merged.
 
       The cookie values are not pre-processed and retain the original case used in the request.
@@ -293,12 +296,15 @@ entries:
         client,
         visitor,
       ]
+    plan_info_label: Business
     summary: The ISO 3166-2 code for the first-level region associated with the IP address.
     example_value: |-
       GB-ENG
     description: |-
       When the actual value is not available, this field contains an empty string.
 
+      Requires a Cloudflare Business or Enterprise plan.
+
       For more information on the ISO 3166-2 standard and the available regions, refer to [ISO 3166-2](https://en.wikipedia.org/wiki/ISO_3166-2) on Wikipedia.
 
       This field has the same value as the `ip.geoip.subdivision_1_iso_code` field, which is deprecated. The `ip.geoip.subdivision_1_iso_code` field is still available for new and existing rules, but you should use the `ip.src.subdivision_1_iso_code` field instead.
@@ -318,12 +324,15 @@ entries:
         client,
         visitor,
       ]
+    plan_info_label: Business
     summary: The ISO 3166-2 code for the second-level region associated with the IP address.
     example_value: |-
       GB-SWK
     description: |-
       When the actual value is not available, this field contains an empty string.
 
+      Requires a Cloudflare Business or Enterprise plan.
+
       For more information on the ISO 3166-2 standard and the available regions, refer to [ISO 3166-2](https://en.wikipedia.org/wiki/ISO_3166-2) on Wikipedia.
 
       This field has the same value as the `ip.geoip.subdivision_2_iso_code` field, which is deprecated. The `ip.geoip.subdivision_2_iso_code` field is still available for new and existing rules, but you should use the `ip.src.subdivision_2_iso_code` field instead.
@@ -343,8 +352,11 @@ entries:
         client,
         visitor,
       ]
+    plan_info_label: Business
     summary: Returns `true` when the request originates from a country in the European Union (EU).
     description: |-
+      Requires a Cloudflare Business or Enterprise plan.
+
       Countries in the EU (from geolocation data):
 
       | Country code | Country name    |
@@ -440,6 +452,7 @@ entries:
     data_type: Boolean
     categories: [Request, Bots]
     keywords: [request, bots, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: When `true`, this field indicates the request originated from a known good bot or crawler.
     description: |-
       Provides the same information as [`cf.client.bot`](/ruleset-engine/rules-language/fields/reference/cf.client.bot/).
@@ -458,6 +471,7 @@ entries:
     data_type: Number
     categories: [Request, Bots]
     keywords: [request, bots, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: Represents the likelihood that a request originates from a bot using a score from 1–99.
     description: |-
       A low score indicates that the request comes from a bot or an automated agent. A high score indicates that a human issued the request.
@@ -468,6 +482,7 @@ entries:
     data_type: Number
     categories: [Request, Bots]
     keywords: [request, bots, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: Indicates whether static resources should be included when you create a rule using [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/reference/cf.bot_management.score/).
     description: |-
       For more details, refer to [Static resource protection](/bots/reference/static-resources/).
@@ -478,6 +493,7 @@ entries:
     data_type: String
     categories: [Request, Bots]
     keywords: [request, bots, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: Provides an SSL/TLS fingerprint to help you identify potential bot requests.
     description: |-
       For more details, refer to [JA3/JA4 Fingerprint](/bots/concepts/ja3-ja4-fingerprint/).
@@ -488,6 +504,7 @@ entries:
     data_type: String
     categories: [Request, Bots]
     keywords: [request, bots, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: Provides an SSL/TLS fingerprint to help you identify potential bot requests.
     description: |-
       For more details, refer to [JA3/JA4 Fingerprint](/bots/concepts/ja3-ja4-fingerprint/).
@@ -498,6 +515,7 @@ entries:
     data_type: Boolean
     categories: [Request, Bots]
     keywords: [request, bots, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: Indicates whether the visitor has previously passed a JS Detection.
     description: |-
       For more details, refer to [JavaScript detections](/bots/reference/javascript-detections/).
@@ -508,6 +526,7 @@ entries:
     data_type: Array<Number>
     categories: [Request, Bots]
     keywords: [request, bots, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: List of IDs that correlate to the Bot Management heuristic detections made on a request.
     description: |-
       Use this field to explicitly match a specific heuristic or to exclude a heuristic in a rule. You can have multiple heuristic detections on the same request.
@@ -792,6 +811,7 @@ entries:
         client,
         visitor,
       ]
+    plan_info_label: Enterprise add-on
     summary: When `true`, the request contains at least one content object.
     description: |-
       Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
@@ -808,6 +828,7 @@ entries:
         client,
         visitor,
       ]
+    plan_info_label: Enterprise add-on
     summary: When `true`, the request contains at least one malicious content object.
     description: |-
       Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
@@ -824,6 +845,7 @@ entries:
         client,
         visitor,
       ]
+    plan_info_label: Enterprise add-on
     summary: The number of malicious content objects detected in the request (zero or greater).
     description: |-
       Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
@@ -840,6 +862,7 @@ entries:
         client,
         visitor,
       ]
+    plan_info_label: Enterprise add-on
     summary: When `true`, the file scanner was unable to scan all the content objects detected in the request.
     description: |-
       Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
@@ -856,6 +879,7 @@ entries:
         client,
         visitor,
       ]
+    plan_info_label: Enterprise add-on
     summary: The number of content objects detected in the request (zero or greater).
     description: |-
       Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
@@ -872,6 +896,7 @@ entries:
         client,
         visitor,
       ]
+    plan_info_label: Enterprise add-on
     summary: An array of file sizes in bytes, in the order the content objects were detected in the request.
     description: |-
       Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
@@ -888,6 +913,7 @@ entries:
         client,
         visitor,
       ]
+    plan_info_label: Enterprise add-on
     summary: An array of file types in the order the content objects were detected in the request.
     description: |-
       If Cloudflare cannot determine the file type of a content object, the corresponding value in the `obj_types` array will be `application/octet-stream`.
@@ -906,6 +932,7 @@ entries:
         client,
         visitor,
       ]
+    plan_info_label: Enterprise add-on
     summary: An array of scan results in the order the content objects were detected in the request.
     description: |-
       The possible values are: `clean`, `suspicious`, `infected`, and `not scanned`.
@@ -968,9 +995,10 @@ entries:
         client,
         visitor,
       ]
+    plan_info_label: Enterprise
     summary: When `true`, the Cloudflare WAF detected authentication credentials in the request.
     description: |-
-      Requires a Cloudflare Enterprise plan with [leaked credentials detection](/waf/detections/leaked-credentials/) enabled.
+      Requires a Cloudflare Enterprise plan. You must also enable [leaked credentials detection](/waf/detections/leaked-credentials/).
 
   - name: cf.waf.credential_check.password_leaked
     data_type: Boolean
@@ -1000,9 +1028,10 @@ entries:
         client,
         visitor,
       ]
+    plan_info_label: Enterprise
     summary: When `true`, the username detected in the request was previously leaked.
     description: |-
-      Requires a Cloudflare Enterprise plan with [leaked credentials detection](/waf/detections/leaked-credentials/) enabled.
+      Requires a Cloudflare Enterprise plan. You must also enable [leaked credentials detection](/waf/detections/leaked-credentials/).
 
   - name: cf.waf.credential_check.username_and_password_leaked
     data_type: Boolean
@@ -1016,9 +1045,10 @@ entries:
         client,
         visitor,
       ]
+    plan_info_label: Pro
     summary: When `true`, the authentication credentials detected in the request (username and password pair) were previously leaked.
     description: |-
-      Requires a Cloudflare Pro plan (or above) with [leaked credentials detection](/waf/detections/leaked-credentials/) enabled.
+      Requires a Cloudflare Pro plan (or above). You must also enable [leaked credentials detection](/waf/detections/leaked-credentials/).
 
   - name: cf.waf.credential_check.username_password_similar
     data_type: Boolean
@@ -1032,9 +1062,10 @@ entries:
         client,
         visitor,
       ]
+    plan_info_label: Enterprise
     summary: When `true`, a similar version of the username and password credentials detected in the request were previously leaked.
     description: |-
-      Requires a Cloudflare Enterprise plan with [leaked credentials detection](/waf/detections/leaked-credentials/) enabled.
+      Requires a Cloudflare Enterprise plan. You must also enable [leaked credentials detection](/waf/detections/leaked-credentials/).
 
   - name: cf.worker.upstream_zone
     data_type: String
@@ -1048,6 +1079,7 @@ entries:
     data_type: Boolean
     categories: [Request, Bots]
     keywords: [request, bots, proxy, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: When `true`, the incoming request comes from an identified Enterprise-only cloud-based corporate proxy or secure web gateway.
     description: |-
       Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
@@ -1061,180 +1093,234 @@ entries:
     data_type: Map<Array<String>>
     categories: [Request, JWT validation]
     keywords: [request, jwt, api shield, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The `aud` (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for.
     description: |-
       Each principal intended to process the JWT must identify itself with a value in the audience claim. In the general case, the `aud` value is an array of case-sensitive strings, each containing a `StringOrURI` value. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
 
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+
       For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
 
   - name: http.request.jwt.claims.aud.names
     data_type: Array<String>
     categories: [Request, JWT validation]
     keywords: [request, jwt, api shield, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The `aud` (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for.
     description: |-
       Each principal intended to process the JWT must identify itself with a value in the audience claim. In the general case, the `aud` value is an array of case-sensitive strings, each containing a `StringOrURI` value. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
 
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+
       For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
 
   - name: http.request.jwt.claims.aud.values
     data_type: Array<String>
     categories: [Request, JWT validation]
     keywords: [request, jwt, api shield, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The `aud` (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for.
     description: |-
       Each principal intended to process the JWT must identify itself with a value in the audience claim. In the general case, the `aud` value is an array of case-sensitive strings, each containing a `StringOrURI` value. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
 
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+
       For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
 
   - name: http.request.jwt.claims.iat.sec
     data_type: Map<Array<Integer>>
     categories: [Request, JWT validation]
     keywords: [request, jwt, api shield, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The `iat` (issued at) claim identifies the time (number of seconds) at which the JWT was issued.
     description: |-
       For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
 
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+
       For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
 
   - name: http.request.jwt.claims.iat.sec.names
     data_type: Array<String>
     categories: [Request, JWT validation]
     keywords: [request, jwt, api shield, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The `iat` (issued at) claim identifies the time (number of seconds) at which the JWT was issued.
     description: |-
       For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
 
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+
       For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
 
   - name: http.request.jwt.claims.iat.sec.values
     data_type: Array<Integer>
     categories: [Request, JWT validation]
     keywords: [request, jwt, api shield, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The `iat` (issued at) claim identifies the time (number of seconds) at which the JWT was issued.
     description: |-
       For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
 
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+
       For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
 
   - name: http.request.jwt.claims.iss
     data_type: Map<Array<String>>
     categories: [Request, JWT validation]
     keywords: [request, jwt, api shield, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The `iss` (issuer) claim identifies the principal that issued the JWT.
     description: |-
       For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
 
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+
       For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
 
   - name: http.request.jwt.claims.iss.names
     data_type: Array<String>
     categories: [Request, JWT validation]
     keywords: [request, jwt, api shield, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The `iss` (issuer) claim identifies the principal that issued the JWT.
     description: |-
       For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
 
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+
       For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
 
   - name: http.request.jwt.claims.iss.values
     data_type: Array<String>
     categories: [Request, JWT validation]
     keywords: [request, jwt, api shield, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The `iss` (issuer) claim identifies the principal that issued the JWT.
     description: |-
       For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
 
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+
       For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
 
   - name: http.request.jwt.claims.jti
     data_type: Map<Array<String>>
     categories: [Request, JWT validation]
     keywords: [request, jwt, api shield, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The `jti` (JWT ID) claim provides a unique identifier for the JWT.
     description: |-
       For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
 
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+
       For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
 
   - name: http.request.jwt.claims.jti.names
     data_type: Array<String>
     categories: [Request, JWT validation]
     keywords: [request, jwt, api shield, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The `jti` (JWT ID) claim provides a unique identifier for the JWT.
     description: |-
       For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
 
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+
       For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
 
   - name: http.request.jwt.claims.jti.values
     data_type: Array<String>
     categories: [Request, JWT validation]
     keywords: [request, jwt, api shield, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The `jti` (JWT ID) claim provides a unique identifier for the JWT.
     description: |-
       For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
 
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+
       For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
 
   - name: http.request.jwt.claims.nbf.sec
     data_type: Map<Array<Integer>>
     categories: [Request, JWT validation]
     keywords: [request, jwt, api shield, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The `nbf` (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.
     description: |-
       For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
 
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+
       For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
 
   - name: http.request.jwt.claims.nbf.sec.names
     data_type: Array<String>
     categories: [Request, JWT validation]
     keywords: [request, jwt, api shield, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The `nbf` (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.
     description: |-
       For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
 
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+
       For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
 
   - name: http.request.jwt.claims.nbf.sec.values
     data_type: Array<Integer>
     categories: [Request, JWT validation]
     keywords: [request, jwt, api shield, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The `nbf` (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.
     description: |-
       For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
 
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+
       For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
 
   - name: http.request.jwt.claims.sub
     data_type: Map<Array<String>>
     categories: [Request, JWT validation]
     keywords: [request, jwt, api shield, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The `sub` (subject) claim identifies the principal that is the subject of the JWT.
     description: |-
       The claims in a JWT are normally statements about the subject. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
 
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+
       For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
 
   - name: http.request.jwt.claims.sub.names
     data_type: Array<String>
     categories: [Request, JWT validation]
     keywords: [request, jwt, api shield, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The `sub` (subject) claim identifies the principal that is the subject of the JWT.
     description: |-
       The claims in a JWT are normally statements about the subject. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
 
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+
       For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
 
   - name: http.request.jwt.claims.sub.values
     data_type: Array<String>
     categories: [Request, JWT validation]
     keywords: [request, jwt, api shield, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The `sub` (subject) claim identifies the principal that is the subject of the JWT.
     description: |-
       The claims in a JWT are normally statements about the subject. For details, refer to the [Registered Claim Names](https://datatracker.ietf.org/doc/html/rfc7519#section-4.1) in RFC 7519.
 
+      Requires a Cloudflare Enterprise plan with a paid add-on.
+
       For more information on validating JSON Web Tokens, refer to [JSON Web Tokens Validation](/api-shield/security/jwt-validation/) in the API Shield documentation.
 
   - name: http.request.uri.args
@@ -1432,6 +1518,7 @@ entries:
     data_type: Boolean
     categories: [Request, Body]
     keywords: [request, body, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: Indicates whether the HTTP request body is truncated.
     description: |-
       When `true`, `http.request.body.*` fields may not contain all of the HTTP request body.
@@ -1442,6 +1529,7 @@ entries:
     data_type: Number
     categories: [Request, Body]
     keywords: [request, body, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The total size of the HTTP request body (in bytes).
     description: |-
       This field may have a value larger than the one returned by `len(http.request.body.raw)`, since the [`http.request.body.raw`](/ruleset-engine/rules-language/fields/reference/http.request.body.raw/) field only considers the request body up to a maximum size that varies according to your Cloudflare plan.
@@ -1452,6 +1540,7 @@ entries:
     data_type: Map<Array<String>>
     categories: [Request, Body]
     keywords: [request, body, form, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The HTTP request body of a form represented as a Map (or associative array).
     description: |-
       Populated when the `Content-Type` header is `application/x-www-form-urlencoded`.
@@ -1476,6 +1565,7 @@ entries:
     data_type: Array<String>
     categories: [Request, Body]
     keywords: [request, body, form, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The names of the form fields in an HTTP request.
     description: |-
       Populated when the `Content-Type` header is `application/x-www-form-urlencoded`.
@@ -1500,6 +1590,7 @@ entries:
     data_type: Array<String>
     categories: [Request, Body]
     keywords: [request, body, form, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: The values of the form fields in an HTTP request
     description: |-
       Populated when the `Content-Type` header is `application/x-www-form-urlencoded`.
@@ -1534,7 +1625,10 @@ entries:
     data_type: Map<Array<String>>
     categories: [Request, Body]
     keywords: [request, body, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: A Map (or associative array) representation of multipart names to multipart values in the request body.
+    description: |-
+      Requires a Cloudflare Enterprise plan with a paid add-on.
     example_value: |-
       {"username": ["alice_doe"], "picture": [<binary_content_of_file>]}
 
@@ -1542,7 +1636,10 @@ entries:
     data_type: Array<Array<String>>
     categories: [Request, Body]
     keywords: [request, body, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: List of multipart names for every part in the multipart body.
+    description: |-
+      Requires a Cloudflare Enterprise plan with a paid add-on.
     example_value: |-
       [["username"], ["picture"]]
     example_block: |-
@@ -1552,7 +1649,10 @@ entries:
     data_type: Array<String>
     categories: [Request, Body]
     keywords: [request, body, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: List of multipart values for every part in the multipart body.
+    description: |-
+      Requires a Cloudflare Enterprise plan with a paid add-on.
     example_value: |-
       ["alice_doe", <binary_content_of_file>]
 
@@ -1560,7 +1660,10 @@ entries:
     data_type: Array<Array<String>>
     categories: [Request, Body]
     keywords: [request, body, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: List of `Content-Type` headers for each part in the multipart body.
+    description: |-
+      Requires a Cloudflare Enterprise plan with a paid add-on.
     example_value: |-
       [["text/plain"], ["image/jpeg"]]
     example_block: |-
@@ -1570,7 +1673,10 @@ entries:
     data_type: Array<Array<String>>
     categories: [Request, Body]
     keywords: [request, body, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: List of `Content-Disposition` headers for each part in the multipart body.
+    description: |-
+      Requires a Cloudflare Enterprise plan with a paid add-on.
     example_value: |-
       [["form-data; name=\"username\"], ["form-data;name=\"picture\"]]
 
@@ -1578,7 +1684,10 @@ entries:
     data_type: Array<Array<String>>
     categories: [Request, Body]
     keywords: [request, body, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: List of `Content-Transfer-Encoding` headers for each part in the multipart body.
+    description: |-
+      Requires a Cloudflare Enterprise plan with a paid add-on.
     example_value: |-
       [["quoted-printable"], ["quoted-printable"]]
 
@@ -1586,7 +1695,10 @@ entries:
     data_type: Array<Array<String>>
     categories: [Request, Body]
     keywords: [request, body, client, visitor]
+    plan_info_label: Enterprise add-on
     summary: List of filenames for each part in the multipart body.
+    description: |-
+      Requires a Cloudflare Enterprise plan with a paid add-on.
     example_value: |-
       [["file1.txt"], ["photo.jpg"]]
 

From 37823e5aca3e42d16b48a165da17469798b6ccb7 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Thu, 2 Jan 2025 17:10:25 +0000
Subject: [PATCH 23/45] Small updates to field content

---
 src/content/fields/index.yaml | 63 ++++++++++++++++-------------------
 1 file changed, 28 insertions(+), 35 deletions(-)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index c68d2fa9d0dec2e..b4066299c2c38c1 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -76,7 +76,7 @@ entries:
     data_type: Integer
     categories: [Request]
     keywords: [request, timestamp, client, visitor]
-    summary: The millisecond when Cloudflare received the request, between 0 and 999.
+    summary: The millisecond when Cloudflare received the request, between 0–999.
     description: |-
       To obtain the complete timestamp, use both [`http.request.timestamp.sec`](/ruleset-engine/rules-language/fields/reference/http.request.timestamp.sec/) and [`http.request.timestamp.msec`](/ruleset-engine/rules-language/fields/reference/http.request.timestamp.msec/) fields.
     example_value: |-
@@ -453,7 +453,7 @@ entries:
     categories: [Request, Bots]
     keywords: [request, bots, client, visitor]
     plan_info_label: Enterprise add-on
-    summary: When `true`, this field indicates the request originated from a known good bot or crawler.
+    summary: Indicates whether the request originated from a known good bot or crawler.
     description: |-
       Provides the same information as [`cf.client.bot`](/ruleset-engine/rules-language/fields/reference/cf.client.bot/).
 
@@ -539,7 +539,7 @@ entries:
     data_type: Boolean
     categories: [Request, Bots]
     keywords: [request, bots, client, visitor]
-    summary: When `true`, this field indicates the request originated from a known good bot or crawler.
+    summary: Indicates whether the request originated from a known good bot or crawler.
     description: |-
       Provides the same information as [`cf.bot_management.verified_bot`](/ruleset-engine/rules-language/fields/reference/cf.bot_management.verified_bot/).
 
@@ -599,7 +599,7 @@ entries:
     data_type: Boolean
     categories: [Request]
     keywords: [request, ssl, tls, client, visitor]
-    summary: Returns `true` when a request presents a valid but revoked client certificate.
+    summary: Indicates whether the request presented a valid but revoked client certificate.
     description: |-
       When `true`, the [`cf.tls_client_auth.cert_verified`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_verified/) field is also `true`.
 
@@ -812,10 +812,9 @@ entries:
         visitor,
       ]
     plan_info_label: Enterprise add-on
-    summary: When `true`, the request contains at least one content object.
+    summary: Indicates whether the request contains at least one content object.
     description: |-
-      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
-
+      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
   - name: cf.waf.content_scan.has_malicious_obj
     data_type: Boolean
     categories: [Request]
@@ -829,10 +828,9 @@ entries:
         visitor,
       ]
     plan_info_label: Enterprise add-on
-    summary: When `true`, the request contains at least one malicious content object.
+    summary: Indicates whether the request contains at least one malicious content object.
     description: |-
-      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
-
+      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
   - name: cf.waf.content_scan.num_malicious_obj
     data_type: Integer
     categories: [Request]
@@ -848,8 +846,7 @@ entries:
     plan_info_label: Enterprise add-on
     summary: The number of malicious content objects detected in the request (zero or greater).
     description: |-
-      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
-
+      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
   - name: cf.waf.content_scan.has_failed
     data_type: Boolean
     categories: [Request]
@@ -863,10 +860,9 @@ entries:
         visitor,
       ]
     plan_info_label: Enterprise add-on
-    summary: When `true`, the file scanner was unable to scan all the content objects detected in the request.
+    summary: Indicates whether the file scanner was unable to scan all the content objects detected in the request.
     description: |-
-      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
-
+      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
   - name: cf.waf.content_scan.num_obj
     data_type: Integer
     categories: [Request]
@@ -882,8 +878,7 @@ entries:
     plan_info_label: Enterprise add-on
     summary: The number of content objects detected in the request (zero or greater).
     description: |-
-      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
-
+      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
   - name: cf.waf.content_scan.obj_sizes
     data_type: Array<Integer>
     categories: [Request]
@@ -899,8 +894,7 @@ entries:
     plan_info_label: Enterprise add-on
     summary: An array of file sizes in bytes, in the order the content objects were detected in the request.
     description: |-
-      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
-
+      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
   - name: cf.waf.content_scan.obj_types
     data_type: Array<String>
     categories: [Request]
@@ -918,8 +912,7 @@ entries:
     description: |-
       If Cloudflare cannot determine the file type of a content object, the corresponding value in the `obj_types` array will be `application/octet-stream`.
 
-      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
-
+      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
   - name: cf.waf.content_scan.obj_results
     data_type: Array<String>
     categories: [Request]
@@ -937,13 +930,12 @@ entries:
     description: |-
       The possible values are: `clean`, `suspicious`, `infected`, and `not scanned`.
 
-      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
-
+      Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
   - name: cf.waf.score
     data_type: Number
     categories: [Request]
     keywords: [request, cloudflare, attack score, waf score, client, visitor]
-    summary: A global score from `1` to `99` that combines the score of each WAF attack vector into a single score.
+    summary: A global score from 1–99 that combines the score of each WAF attack vector into a single score.
     description: |-
       This is the standard [WAF attack score](/waf/detections/attack-score/) to detect variants of attack patterns.
 
@@ -953,7 +945,7 @@ entries:
     data_type: Number
     categories: [Request]
     keywords: [request, cloudflare, attack score, waf score, client, visitor]
-    summary: An attack score from `1` to `99` classifying the SQL injection (SQLi) attack vector.
+    summary: An attack score from 1–99 classifying the SQL injection (SQLi) attack vector.
     description: |-
       Requires a Cloudflare Enterprise plan with [attack score detection](/waf/detections/attack-score/) enabled.
 
@@ -961,7 +953,7 @@ entries:
     data_type: Number
     categories: [Request]
     keywords: [request, cloudflare, attack score, waf score, client, visitor]
-    summary: An attack score from `1` to `99` classifying the cross-site scripting (XSS) attack vector.
+    summary: An attack score from 1–99 classifying the cross-site scripting (XSS) attack vector.
     description: |-
       Requires a Cloudflare Enterprise plan with [attack score detection](/waf/detections/attack-score/) enabled.
 
@@ -969,7 +961,7 @@ entries:
     data_type: Number
     categories: [Request]
     keywords: [request, cloudflare, attack score, waf score, client, visitor]
-    summary: An attack score from `1` to `99` classifying the command injection or Remote Code Execution (RCE) attack vector.
+    summary: An attack score from 1–99 classifying the command injection or Remote Code Execution (RCE) attack vector.
     description: |-
       Requires a Cloudflare Enterprise plan with [attack score detection](/waf/detections/attack-score/) enabled.
 
@@ -996,7 +988,7 @@ entries:
         visitor,
       ]
     plan_info_label: Enterprise
-    summary: When `true`, the Cloudflare WAF detected authentication credentials in the request.
+    summary: Indicates whether the Cloudflare WAF detected authentication credentials in the request.
     description: |-
       Requires a Cloudflare Enterprise plan. You must also enable [leaked credentials detection](/waf/detections/leaked-credentials/).
 
@@ -1012,7 +1004,7 @@ entries:
         client,
         visitor,
       ]
-    summary: When `true`, the password detected in the request was previously leaked.
+    summary: Indicates whether the password detected in the request was previously leaked.
     description: |-
       Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
 
@@ -1029,7 +1021,7 @@ entries:
         visitor,
       ]
     plan_info_label: Enterprise
-    summary: When `true`, the username detected in the request was previously leaked.
+    summary: Indicates whether the username detected in the request was previously leaked.
     description: |-
       Requires a Cloudflare Enterprise plan. You must also enable [leaked credentials detection](/waf/detections/leaked-credentials/).
 
@@ -1040,13 +1032,14 @@ entries:
       [
         request,
         cloudflare,
+        authentication,
         leaked credentials,
         exposed credentials,
         client,
         visitor,
       ]
     plan_info_label: Pro
-    summary: When `true`, the authentication credentials detected in the request (username and password pair) were previously leaked.
+    summary: Indicates whether the auth credentials detected in the request (username-password pair) were previously leaked.
     description: |-
       Requires a Cloudflare Pro plan (or above). You must also enable [leaked credentials detection](/waf/detections/leaked-credentials/).
 
@@ -1063,7 +1056,7 @@ entries:
         visitor,
       ]
     plan_info_label: Enterprise
-    summary: When `true`, a similar version of the username and password credentials detected in the request were previously leaked.
+    summary: Indicates whether a similar version of the username and password credentials detected in the request were previously leaked.
     description: |-
       Requires a Cloudflare Enterprise plan. You must also enable [leaked credentials detection](/waf/detections/leaked-credentials/).
 
@@ -1080,7 +1073,7 @@ entries:
     categories: [Request, Bots]
     keywords: [request, bots, proxy, client, visitor]
     plan_info_label: Enterprise add-on
-    summary: When `true`, the incoming request comes from an identified Enterprise-only cloud-based corporate proxy or secure web gateway.
+    summary: Indicates whether the incoming request comes from an identified Enterprise-only cloud-based corporate proxy or secure web gateway.
     description: |-
       Requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
     example_block: |-
@@ -1458,8 +1451,8 @@ entries:
 
       **Note**: In HTTP/2, the names of HTTP headers are always in lowercase. Recent versions of the `curl` tool [enable HTTP/2 by default](https://curl.se/docs/manpage.html#--http2) for HTTPS connections.
     example_value: |-
-      # Example 1: ["application/json"]
-      # Example 2: ["This header value is longer than 10 bytes"]
+      Example 1: ["application/json"]
+      Example 2: ["This header value is longer than 10 bytes"]
 
     example_block: |-
       # Example 1: Check for specific header value.

From 7205cd42c67f8eeea40eb528d2d9db7a9ee56baf Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Thu, 2 Jan 2025 17:57:16 +0000
Subject: [PATCH 24/45] Catalog: Add tooltip with name & data type

---
 src/components/FieldCatalog.jsx | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/components/FieldCatalog.jsx b/src/components/FieldCatalog.jsx
index b1804b6aa99215d..b9618c6212f7f10 100644
--- a/src/components/FieldCatalog.jsx
+++ b/src/components/FieldCatalog.jsx
@@ -156,10 +156,13 @@ const FieldCatalog = ({ fields }) => {
 						<a
 							key={field.name}
 							className="p-3 border-gray-200 dark:border-gray-700 border-solid border rounded-md lg:w-[48%] w-full block !text-inherit no-underline self-stretch hover:bg-gray-50 dark:hover:bg-black mb-3"
-							href={`/ruleset-engine/rules-language/fields/reference/${field.name}`}
+							href={`/ruleset-engine/rules-language/fields/reference/${field.name}/`}
 						>
 							<div className="-mb-1 flex items-center">
-								<span className="font-semibold text-lg text-ellipsis overflow-hidden whitespace-nowrap">
+								<span
+									className="font-semibold text-lg text-ellipsis overflow-hidden whitespace-nowrap"
+									title={`${field.name}: ${field.data_type}`}
+								>
 									{field.name}
 								</span>
 							</div>

From 177ff4643462c6540e43653931cd5d9775bb3e7e Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Thu, 2 Jan 2025 17:58:10 +0000
Subject: [PATCH 25/45] Adjust required plans

---
 src/content/fields/index.yaml | 29 +++++++++++++++++------------
 1 file changed, 17 insertions(+), 12 deletions(-)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index b4066299c2c38c1..049cdce26892353 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -45,7 +45,7 @@ entries:
     data_type: Map<Array<String>>
     categories: [Request, Headers]
     keywords: [request, header, client, visitor]
-    plan_info_label: Pro
+    plan_info_label: Pro or above
     summary: The `Cookie` HTTP header associated with a request represented as a Map (associative array).
     description: |-
       Requires a Cloudflare Pro, Business, or Enterprise plan.
@@ -296,7 +296,7 @@ entries:
         client,
         visitor,
       ]
-    plan_info_label: Business
+    plan_info_label: Business or above
     summary: The ISO 3166-2 code for the first-level region associated with the IP address.
     example_value: |-
       GB-ENG
@@ -324,7 +324,7 @@ entries:
         client,
         visitor,
       ]
-    plan_info_label: Business
+    plan_info_label: Business or above
     summary: The ISO 3166-2 code for the second-level region associated with the IP address.
     example_value: |-
       GB-SWK
@@ -352,8 +352,8 @@ entries:
         client,
         visitor,
       ]
-    plan_info_label: Business
-    summary: Returns `true` when the request originates from a country in the European Union (EU).
+    plan_info_label: Business or above
+    summary: Whether the request originates from a country in the European Union (EU).
     description: |-
       Requires a Cloudflare Business or Enterprise plan.
 
@@ -935,45 +935,50 @@ entries:
     data_type: Number
     categories: [Request]
     keywords: [request, cloudflare, attack score, waf score, client, visitor]
+    plan_info_label: Enterprise
     summary: A global score from 1–99 that combines the score of each WAF attack vector into a single score.
     description: |-
       This is the standard [WAF attack score](/waf/detections/attack-score/) to detect variants of attack patterns.
 
-      Requires a Cloudflare Enterprise plan with [attack score detection](/waf/detections/attack-score/) enabled.
+      Requires a Cloudflare Enterprise plan. You must also enable [attack score detection](/waf/detections/attack-score/).
 
   - name: cf.waf.score.sqli
     data_type: Number
     categories: [Request]
     keywords: [request, cloudflare, attack score, waf score, client, visitor]
+    plan_info_label: Enterprise
     summary: An attack score from 1–99 classifying the SQL injection (SQLi) attack vector.
     description: |-
-      Requires a Cloudflare Enterprise plan with [attack score detection](/waf/detections/attack-score/) enabled.
+      Requires a Cloudflare Enterprise plan. You must also enable [attack score detection](/waf/detections/attack-score/).
 
   - name: cf.waf.score.xss
     data_type: Number
     categories: [Request]
     keywords: [request, cloudflare, attack score, waf score, client, visitor]
+    plan_info_label: Enterprise
     summary: An attack score from 1–99 classifying the cross-site scripting (XSS) attack vector.
     description: |-
-      Requires a Cloudflare Enterprise plan with [attack score detection](/waf/detections/attack-score/) enabled.
+      Requires a Cloudflare Enterprise plan. You must also enable [attack score detection](/waf/detections/attack-score/).
 
   - name: cf.waf.score.rce
     data_type: Number
     categories: [Request]
     keywords: [request, cloudflare, attack score, waf score, client, visitor]
+    plan_info_label: Enterprise
     summary: An attack score from 1–99 classifying the command injection or Remote Code Execution (RCE) attack vector.
     description: |-
-      Requires a Cloudflare Enterprise plan with [attack score detection](/waf/detections/attack-score/) enabled.
+      Requires a Cloudflare Enterprise plan. You must also enable [attack score detection](/waf/detections/attack-score/).
 
   - name: cf.waf.score.class
     data_type: String
     categories: [Request]
     keywords: [request, cloudflare, attack score, waf score, client, visitor]
+    plan_info_label: Business or above
     summary: The attack score class of the current request, based on the WAF attack score.
     description: |-
       Can have one of the following values: `attack`, `likely_attack`, `likely_clean`, `clean`.
 
-      Requires a Cloudflare Business plan (or above) with [attack score detection](/waf/detections/attack-score/) enabled.
+      Requires a Cloudflare Business plan or above. You must also enable [attack score detection](/waf/detections/attack-score/).
 
   - name: cf.waf.auth_detected
     data_type: Boolean
@@ -1038,10 +1043,10 @@ entries:
         client,
         visitor,
       ]
-    plan_info_label: Pro
+    plan_info_label: Pro or above
     summary: Indicates whether the auth credentials detected in the request (username-password pair) were previously leaked.
     description: |-
-      Requires a Cloudflare Pro plan (or above). You must also enable [leaked credentials detection](/waf/detections/leaked-credentials/).
+      Requires a Cloudflare Pro plan or above. You must also enable [leaked credentials detection](/waf/detections/leaked-credentials/).
 
   - name: cf.waf.credential_check.username_password_similar
     data_type: Boolean

From f9df7ea0ad09d971e47eada611e16e4c5cc344b9 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Thu, 2 Jan 2025 18:04:47 +0000
Subject: [PATCH 26/45] Remove commented code

---
 src/components/FieldCatalog.jsx               | 52 -------------------
 .../fields/reference/[name].astro             | 10 ----
 2 files changed, 62 deletions(-)

diff --git a/src/components/FieldCatalog.jsx b/src/components/FieldCatalog.jsx
index b9618c6212f7f10..7191e6efba768d3 100644
--- a/src/components/FieldCatalog.jsx
+++ b/src/components/FieldCatalog.jsx
@@ -7,17 +7,10 @@ const FieldCatalog = ({ fields }) => {
 		search: "",
 		categories: [],
 		keywords: [],
-		// capabilities: [],
 	});
 	const mapped = fields.sort((f1, f2) => {
 		return f1.name < f2.name ? -1 : 1;
 	});
-	//fields.map((field) => ({
-	// 	field: {
-	// 		...field,
-	// 	},
-	// 	field_display_name: field.name,
-	// }));
 
 	const categories = [
 		...new Set(
@@ -28,36 +21,6 @@ const FieldCatalog = ({ fields }) => {
 		),
 	];
 
-	// Not used in FieldCatalog
-	// const keywords = [
-	// 	...new Set(
-	// 		fields
-	// 			.map((field) => field.keywords)
-	// 			.flat()
-	// 			.sort(),
-	// 	),
-	// ];
-
-	// const capabilities = [
-	// 	...new Set(
-	// 		fields
-	// 			.map((model) =>
-	// 				model.properties
-	// 					.flatMap(({ property_id, value }) => {
-	// 						if (property_id === "lora" && value === "true") {
-	// 							return "LoRA";
-	// 						}
-
-	// 						if (property_id === "function_calling" && value === "true") {
-	// 							return "Function calling";
-	// 						}
-	// 					})
-	// 					.filter((p) => Boolean(p)),
-	// 			)
-	// 			.flat(),
-	// 	),
-	// ];
-
 	// apply filters to the fields list
 	const fieldList = mapped.filter((field) => {
 		if (filters.categories.length > 0) {
@@ -66,18 +29,6 @@ const FieldCatalog = ({ fields }) => {
 			}
 		}
 
-		// if (filters.tasks.length > 0) {
-		// 	if (!filters.tasks.includes(field.task.name)) {
-		// 		return false;
-		// 	}
-		// }
-
-		// if (filters.capabilities.length > 0) {
-		// 	if (!field.capabilities.some((c) => filters.capabilities.includes(c))) {
-		// 		return false;
-		// 	}
-		// }
-
 		if (filters.search) {
 			// search keywords
 			let keywordFound = field.keywords?.some(
@@ -166,9 +117,6 @@ const FieldCatalog = ({ fields }) => {
 									{field.name}
 								</span>
 							</div>
-							{/* <div className="text-xs !m-0">
-								<ModelInfo model={field.model} />
-							</div> */}
 							<p
 								className="!mt-2 line-clamp-2 text-sm leading-6"
 								dangerouslySetInnerHTML={{
diff --git a/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro b/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro
index 161090f787e61e7..3ed1f2dce365d5b 100644
--- a/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro
+++ b/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro
@@ -37,16 +37,6 @@ const starlightPageProps = {
 		title: field.name,
 		description: field.summary,
 	},
-	// headings: [
-	// 	hasPlayground
-	// 		? { depth: 2, slug: "Playground", text: "Playground" }
-	// 		: false,
-	// 	CodeExamples ? { depth: 2, slug: "Usage", text: "Usage" } : false,
-	// 	{ depth: 2, slug: "Parameters", text: "Parameters" },
-	// 	{ depth: 3, slug: "Input", text: "Input" },
-	// 	{ depth: 3, slug: "Output", text: "Output" },
-	// 	{ depth: 2, slug: "API Schemas", text: "API Schemas" },
-	// ].filter((v) => Boolean(v)) as MarkdownHeading[],
 	hideTitle: true,
 } as StarlightPageProps;
 ---

From 4417c4853117f01bfeaaacff007af85bbf7028ea Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Fri, 3 Jan 2025 12:21:35 +0000
Subject: [PATCH 27/45] Remove unused property from fields schema

Also removed test field.
---
 src/content/fields/index.yaml | 15 ---------------
 src/schemas/fields.ts         |  1 -
 2 files changed, 16 deletions(-)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index 049cdce26892353..3b1cae7c955eed7 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -1826,18 +1826,3 @@ entries:
       You can use this field to customize the response for a specific type of error (for example, all 1XXX errors or all WAF block actions).
 
       **Note**: This field is only available in [HTTP response header modifications](/rules/transform/response-header-modification/) and [Custom Error Responses](/rules/custom-error-responses/).
-
-  - name: zTEST.request.body.multipart.content_transfer_encodings
-    data_type: "Array<Array<String>>"
-    categories: [Request, Body]
-    keywords: [request, body, payload, form, multipart, upload, client, visitor]
-    summary: One liner here.
-    description: |-
-      This is a longer description, possibly using [Markdown](/).
-    plan_info_label: ENT
-    plan_info_description: Enterprise plan
-    example_value: |-
-      "asdfasdfuhaoweuqhre must keep quotes!"
-    example_block: |-
-      func(a, b)    # correct
-      a func b      # incorrect
diff --git a/src/schemas/fields.ts b/src/schemas/fields.ts
index 685a47521378ef1..13da40948a6f4de 100644
--- a/src/schemas/fields.ts
+++ b/src/schemas/fields.ts
@@ -10,7 +10,6 @@ export const fieldsSchema = z.object({
 			summary: z.string(),
 			description: z.string().optional(),
 			plan_info_label: z.string().optional(),
-			plan_info_description: z.string().optional(),
 			example_value: z.string().optional(),
 			example_block: z.string().optional(),
 		})

From e66ebd1451d5857b324332d72ec61edb307586ff Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Tue, 7 Jan 2025 11:32:01 +0000
Subject: [PATCH 28/45] Update CSS based on ModelCatalog changes

---
 src/components/FieldCatalog.jsx | 19 +++++++++----------
 1 file changed, 9 insertions(+), 10 deletions(-)

diff --git a/src/components/FieldCatalog.jsx b/src/components/FieldCatalog.jsx
index 7191e6efba768d3..f6cd87cf7a10f32 100644
--- a/src/components/FieldCatalog.jsx
+++ b/src/components/FieldCatalog.jsx
@@ -49,22 +49,22 @@ const FieldCatalog = ({ fields }) => {
 
 	return (
 		<div className="md:flex">
-			<div className="md:w-1/4 w-full mr-8">
+			<div className="mr-8 w-full md:w-1/4">
 				<input
 					type="text"
-					className="w-full mb-8 rounded-md bg-white dark:bg-black border-2 border-gray-200 dark:border-gray-700 px-2 py-2"
+					className="mb-8 w-full rounded-md border-2 border-gray-200 bg-white px-2 py-2 dark:border-gray-700 dark:bg-gray-800"
 					placeholder="Search fields"
 					value={filters.search}
 					onChange={(e) => setFilters({ ...filters, search: e.target.value })}
 				/>
 
-				<div className="!mb-8 md:block hidden">
-					<span className="uppercase text-gray-600 dark:text-gray-200 text-sm font-bold">
+				<div className="!mb-8 hidden md:block">
+					<span className="text-sm font-bold uppercase text-gray-600 dark:text-gray-200">
 						▼ Categories
 					</span>
 
 					{categories.map((category) => (
-						<label key={category} className="block !my-2">
+						<label key={category} className="!my-2 block">
 							<input
 								type="checkbox"
 								className="mr-2"
@@ -91,9 +91,9 @@ const FieldCatalog = ({ fields }) => {
 				</div>
 			</div>
 
-			<div className="flex md:w-3/4 w-full gap-[1%] items-stretch self-start flex-wrap !mt-0">
+			<div className="!mt-0 flex w-full flex-wrap items-stretch gap-[1%] self-start md:w-3/4">
 				{fieldList.length === 0 && (
-					<div className="border bg-gray-50 dark:bg-gray-800 dark:border-gray-500 rounded-md w-full flex-col flex align-middle justify-center text-center py-6">
+					<div className="flex w-full flex-col justify-center rounded-md border bg-gray-50 py-6 text-center align-middle dark:border-gray-500 dark:bg-gray-800">
 						<span className="text-lg !font-bold">No fields found</span>
 						<p>
 							Try a different search term, or broaden your search by removing
@@ -102,11 +102,10 @@ const FieldCatalog = ({ fields }) => {
 					</div>
 				)}
 				{fieldList.map((field) => {
-					// removed lg:w-[48%] from anchor classes below
 					return (
 						<a
 							key={field.name}
-							className="p-3 border-gray-200 dark:border-gray-700 border-solid border rounded-md lg:w-[48%] w-full block !text-inherit no-underline self-stretch hover:bg-gray-50 dark:hover:bg-black mb-3"
+							className="mb-3 block w-full self-start rounded-md border border-solid border-gray-200 p-3 !text-inherit no-underline hover:bg-gray-50 dark:border-gray-700 dark:hover:bg-gray-800 lg:w-[48%]"
 							href={`/ruleset-engine/rules-language/fields/reference/${field.name}/`}
 						>
 							<div className="-mb-1 flex items-center">
@@ -125,7 +124,7 @@ const FieldCatalog = ({ fields }) => {
 							/>
 
 							{field.plan_info_label && (
-								<div className="text-xs !mt-2">
+								<div className="!mt-2 text-xs">
 									<FieldBadges badges={[field.plan_info_label]} />
 								</div>
 							)}

From 06439b8ec5fb11e1122151f6075a4d224155d0a3 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Tue, 7 Jan 2025 11:55:15 +0000
Subject: [PATCH 29/45] Fix field description

---
 src/content/fields/index.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index 3b1cae7c955eed7..72f3d586013408f 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -1485,6 +1485,8 @@ entries:
       If the HTTP header is not present in the request or is empty, `http.request.accepted_languages[0]` will return a "[missing value](/ruleset-engine/rules-language/values/#notes)", which the [`concat()`](/ruleset-engine/rules-language/functions/#concat) function will handle as an empty string.
 
       If the HTTP header includes the language tag `*` it will not be stored in the array.
+
+      **Note**: This field is only available in [Transform Rules](/rules/transform/).
     example_block: |-
       # Example 1: Request with header "Accept-Language: fr-CH, fr;q=0.8, en;q=0.9, de;q=0.7, *;q=0.5".
       # In this case:
@@ -1495,8 +1497,6 @@ entries:
       # In this case:
       concat("/", http.request.accepted_languages[0], http.request.uri.path) == "//my-path"
 
-      **Note**: This field is only available in [Transform Rules](/rules/transform/).
-
   - name: http.request.body.raw
     data_type: String
     categories: [Request, Body, Raw fields]

From d77926089b38af553c1d984d61e554a10110dcd5 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Tue, 7 Jan 2025 11:59:56 +0000
Subject: [PATCH 30/45] Stretch items vertically

---
 src/components/FieldCatalog.jsx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/components/FieldCatalog.jsx b/src/components/FieldCatalog.jsx
index f6cd87cf7a10f32..3cca0cc65027dda 100644
--- a/src/components/FieldCatalog.jsx
+++ b/src/components/FieldCatalog.jsx
@@ -105,7 +105,7 @@ const FieldCatalog = ({ fields }) => {
 					return (
 						<a
 							key={field.name}
-							className="mb-3 block w-full self-start rounded-md border border-solid border-gray-200 p-3 !text-inherit no-underline hover:bg-gray-50 dark:border-gray-700 dark:hover:bg-gray-800 lg:w-[48%]"
+							className="mb-3 block w-full self-stretch rounded-md border border-solid border-gray-200 p-3 !text-inherit no-underline hover:bg-gray-50 dark:border-gray-700 dark:hover:bg-gray-800 lg:w-[48%]"
 							href={`/ruleset-engine/rules-language/fields/reference/${field.name}/`}
 						>
 							<div className="-mb-1 flex items-center">

From 410a22c9d245d12bb0228256046e08e015b73c1b Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Tue, 7 Jan 2025 18:38:42 +0000
Subject: [PATCH 31/45] Add "mTLS" category

---
 src/content/fields/index.yaml | 68 +++++++++++++++++------------------
 1 file changed, 34 insertions(+), 34 deletions(-)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index 72f3d586013408f..13ea97991808834 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -597,8 +597,8 @@ entries:
 
   - name: cf.tls_client_auth.cert_revoked
     data_type: Boolean
-    categories: [Request]
-    keywords: [request, ssl, tls, client, visitor]
+    categories: [Request, mTLS]
+    keywords: [request, ssl, mtls, client, visitor]
     summary: Indicates whether the request presented a valid but revoked client certificate.
     description: |-
       When `true`, the [`cf.tls_client_auth.cert_verified`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_verified/) field is also `true`.
@@ -607,8 +607,8 @@ entries:
 
   - name: cf.tls_client_auth.cert_verified
     data_type: Boolean
-    categories: [Request]
-    keywords: [request, ssl, tls, client, visitor]
+    categories: [Request, mTLS]
+    keywords: [request, ssl, mtls, client, visitor]
     summary: Returns `true` when a request presents a valid client certificate.
     description: |-
       Also returns `true` when a request includes a valid certificate that was revoked (refer to [`cf.tls_client_auth.cert_revoked`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_revoked/)).
@@ -617,16 +617,16 @@ entries:
 
   - name: cf.tls_client_auth.cert_presented
     data_type: Boolean
-    categories: [Request]
-    keywords: [request, ssl, tls, client, visitor]
+    categories: [Request, mTLS]
+    keywords: [request, ssl, mtls, client, visitor]
     summary: Returns `true` when a request presents a certificate (valid or not).
     description: |-
       This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
 
   - name: cf.tls_client_auth.cert_issuer_dn
     data_type: String
-    categories: [Request]
-    keywords: [request, ssl, tls, client, visitor]
+    categories: [Request, mTLS]
+    keywords: [request, ssl, mtls, client, visitor]
     summary: The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate included in the request.
     description: |-
       This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
@@ -635,8 +635,8 @@ entries:
 
   - name: cf.tls_client_auth.cert_subject_dn
     data_type: String
-    categories: [Request]
-    keywords: [request, ssl, tls, client, visitor]
+    categories: [Request, mTLS]
+    keywords: [request, ssl, mtls, client, visitor]
     summary: The Distinguished Name (DN) of the owner (or requester) of the certificate included in the request.
     description: |-
       This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
@@ -645,8 +645,8 @@ entries:
 
   - name: cf.tls_client_auth.cert_issuer_dn_rfc2253
     data_type: String
-    categories: [Request]
-    keywords: [request, ssl, tls, client, visitor]
+    categories: [Request, mTLS]
+    keywords: [request, ssl, mtls, client, visitor]
     summary: The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in [RFC 2253](https://datatracker.ietf.org/doc/html/rfc2253) format.
     description: |-
       This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
@@ -655,8 +655,8 @@ entries:
 
   - name: cf.tls_client_auth.cert_subject_dn_rfc2253
     data_type: String
-    categories: [Request]
-    keywords: [request, ssl, tls, client, visitor]
+    categories: [Request, mTLS]
+    keywords: [request, ssl, mtls, client, visitor]
     summary: The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in [RFC 2253](https://datatracker.ietf.org/doc/html/rfc2253) format.
     description: |-
       This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
@@ -665,8 +665,8 @@ entries:
 
   - name: cf.tls_client_auth.cert_issuer_dn_legacy
     data_type: String
-    categories: [Request]
-    keywords: [request, ssl, tls, client, visitor]
+    categories: [Request, mTLS]
+    keywords: [request, ssl, mtls, client, visitor]
     summary: The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in a legacy format.
     description: |-
       This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
@@ -675,8 +675,8 @@ entries:
 
   - name: cf.tls_client_auth.cert_subject_dn_legacy
     data_type: String
-    categories: [Request]
-    keywords: [request, ssl, tls, client, visitor]
+    categories: [Request, mTLS]
+    keywords: [request, ssl, mtls, client, visitor]
     summary: The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in a legacy format.
     description: |-
       This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
@@ -685,8 +685,8 @@ entries:
 
   - name: cf.tls_client_auth.cert_serial
     data_type: String
-    categories: [Request]
-    keywords: [request, ssl, tls, client, visitor]
+    categories: [Request, mTLS]
+    keywords: [request, ssl, mtls, client, visitor]
     summary: Serial number of the certificate in the request.
     description: |-
       This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
@@ -695,8 +695,8 @@ entries:
 
   - name: cf.tls_client_auth.cert_issuer_serial
     data_type: String
-    categories: [Request]
-    keywords: [request, ssl, tls, client, visitor]
+    categories: [Request, mTLS]
+    keywords: [request, ssl, mtls, client, visitor]
     summary: Serial number of the direct issuer of the certificate in the request.
     description: |-
       This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
@@ -705,8 +705,8 @@ entries:
 
   - name: cf.tls_client_auth.cert_fingerprint_sha256
     data_type: String
-    categories: [Request]
-    keywords: [request, ssl, tls, client, visitor]
+    categories: [Request, mTLS]
+    keywords: [request, ssl, mtls, client, visitor]
     summary: The SHA-256 fingerprint of the certificate in the request.
     description: |-
       This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
@@ -715,8 +715,8 @@ entries:
 
   - name: cf.tls_client_auth.cert_fingerprint_sha1
     data_type: String
-    categories: [Request]
-    keywords: [request, ssl, tls, client, visitor]
+    categories: [Request, mTLS]
+    keywords: [request, ssl, mtls, client, visitor]
     summary: The SHA-1 fingerprint of the certificate in the request.
     description: |-
       This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
@@ -725,8 +725,8 @@ entries:
 
   - name: cf.tls_client_auth.cert_not_before
     data_type: String
-    categories: [Request]
-    keywords: [request, ssl, tls, client, visitor]
+    categories: [Request, mTLS]
+    keywords: [request, ssl, mtls, client, visitor]
     summary: The certificate in the request is not valid before this date.
     description: |-
       This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
@@ -735,8 +735,8 @@ entries:
 
   - name: cf.tls_client_auth.cert_not_after
     data_type: String
-    categories: [Request]
-    keywords: [request, ssl, tls, client, visitor]
+    categories: [Request, mTLS]
+    keywords: [request, ssl, mtls, client, visitor]
     summary: The certificate in the request is not valid after this date.
     description: |-
       This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
@@ -745,8 +745,8 @@ entries:
 
   - name: cf.tls_client_auth.cert_ski
     data_type: String
-    categories: [Request]
-    keywords: [request, ssl, tls, client, visitor]
+    categories: [Request, mTLS]
+    keywords: [request, ssl, mtls, client, visitor]
     summary: The Subject Key Identifier (SKI) of the certificate in the request.
     description: |-
       This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
@@ -755,8 +755,8 @@ entries:
 
   - name: cf.tls_client_auth.cert_issuer_ski
     data_type: String
-    categories: [Request]
-    keywords: [request, ssl, tls, client, visitor]
+    categories: [Request, mTLS]
+    keywords: [request, ssl, mtls, client, visitor]
     summary: The Subject Key Identifier (SKI) of the direct issuer of the certificate in the request.
     description: |-
       This field is only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).

From 27493dbc58397aef322180978934b5e12c6995c5 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Fri, 10 Jan 2025 12:09:40 +0000
Subject: [PATCH 32/45] Add expression example for
 multipart.content_dispositions

---
 src/content/fields/index.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index 13ea97991808834..7d63a11c88ee6a2 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -1677,6 +1677,8 @@ entries:
       Requires a Cloudflare Enterprise plan with a paid add-on.
     example_value: |-
       [["form-data; name=\"username\"], ["form-data;name=\"picture\"]]
+    example_block: |-
+      any(http.request.body.multipart.content_dispositions[*][0] in {"form-data; name=\"username\"" "form-data;name=\"picture\""})
 
   - name: http.request.body.multipart.content_transfer_encodings
     data_type: Array<Array<String>>

From e82ae129363dbb26043c6784cd47d545f4f9adf8 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Fri, 10 Jan 2025 17:58:54 +0000
Subject: [PATCH 33/45] Rename Example >> Example usage

---
 .../rules-language/fields/reference/[name].astro            | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro b/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro
index 3ed1f2dce365d5b..5c7e835587ad5e0 100644
--- a/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro
+++ b/src/pages/ruleset-engine/rules-language/fields/reference/[name].astro
@@ -42,11 +42,11 @@ const starlightPageProps = {
 ---
 
 <StarlightPage {...starlightPageProps}>
-	<div class="flex align-center">
+	<div class="align-center flex">
 		<div>
 			<h1
 				id="_top"
-				class="!-mt-4 !mb-2 !leading-none !text-2xl !font-bold flex items-center"
+				class="!-mt-4 !mb-2 flex items-center !text-2xl !font-bold !leading-none"
 			>
 				{name}
 			</h1>
@@ -78,7 +78,7 @@ const starlightPageProps = {
 	{
 		field.example_block && (
 			<>
-				<p id="example-block">Example:</p>
+				<p id="example-block">Example usage:</p>
 				<Code code={field.example_block} lang="txt" />
 			</>
 		)

From c0c9bea8ef4971dbeb5e5269f6d2618e1d1e42ff Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Fri, 10 Jan 2025 18:13:06 +0000
Subject: [PATCH 34/45] Quote string examples; add some example usages

---
 src/content/fields/index.yaml | 117 +++++++++++++++++++---------------
 1 file changed, 67 insertions(+), 50 deletions(-)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index 7d63a11c88ee6a2..1e5b579d5218fd3 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -5,7 +5,7 @@ entries:
     keywords: [request, cookie, header, client, visitor]
     summary: The entire cookie as a string.
     example_value: |-
-      session=8521F670545D7865F79C3D7BEDC29CCE;-background=light
+      "session=8521F670545D7865F79C3D7BEDC29CCE;-background=light"
 
   - name: http.host
     data_type: String
@@ -13,7 +13,7 @@ entries:
     keywords: [request, uri, url, domain, client, visitor]
     summary: The hostname used in the full request URI.
     example_value: |-
-      www.example.org
+      "www.example.org"
 
   - name: http.referer
     data_type: String
@@ -21,7 +21,7 @@ entries:
     keywords: [request, header, referer, referrer, client, visitor]
     summary: The HTTP `Referer` request header, which contains the address of the web page that linked to the currently requested page.
     example_value: |-
-      Referer: https://developer.example.org/en-US/docs/Web/JavaScript
+      "https://developer.example.org/en-US/docs/Web/JavaScript"
 
   - name: http.request.full_uri
     data_type: String
@@ -31,7 +31,7 @@ entries:
     description: |-
       The value will not include the `#fragment` part, which is not sent to web servers.
     example_value: |-
-      https://www.example.org/articles/index?section=539061&expand=comments
+      "https://www.example.org/articles/index?section=539061&expand=comments"
 
   - name: http.request.method
     data_type: String
@@ -39,7 +39,7 @@ entries:
     keywords: [request, client, visitor]
     summary: The HTTP method, returned as a string of uppercase characters.
     example_value: |-
-      GET
+      "GET"
 
   - name: http.request.cookies
     data_type: Map<Array<String>>
@@ -88,7 +88,7 @@ entries:
     keywords: [request, uri, url, path, query, query string, client, visitor]
     summary: The URI path and query string of the request.
     example_value: |-
-      /articles/index?section=539061&expand=comments
+      "/articles/index?section=539061&expand=comments"
 
   - name: http.request.uri.path
     data_type: String
@@ -96,7 +96,7 @@ entries:
     keywords: [request, uri, url, path, client, visitor]
     summary: The URI path of the request.
     example_value: |-
-      /articles/index
+      "/articles/index"
 
   - name: http.request.uri.path.extension
     data_type: String
@@ -110,7 +110,7 @@ entries:
 
       Example values:
 
-      - If the URI path is `/articles/index.html`, the field value will be `html`.
+      - If the URI path is `/articles/index.html`, the field value will be `"html"`.
       - If the URI path is `/articles/index.`, the field value will be an empty string (`""`).
 
       Example values:
@@ -131,7 +131,7 @@ entries:
     keywords: [request, uri, url, query, query string, client, visitor]
     summary: The entire query string, without the `?` delimiter.
     example_value: |-
-      section=539061&expand=comments
+      "section=539061&expand=comments"
 
   - name: http.user_agent
     data_type: String
@@ -139,7 +139,7 @@ entries:
     keywords: [request, header, agent, user-agent, browser, client, visitor]
     summary: The HTTP `User-Agent` request header, which contains a characteristic string to identify the client operating system and web browser.
     example_value: |-
-      Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
+      "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36"
 
   - name: http.request.version
     data_type: String
@@ -149,16 +149,16 @@ entries:
     description: |-
       Example values:
 
-      - `HTTP/1.1`
-      - `HTTP/3`
+      - `"HTTP/1.1"`
+      - `"HTTP/3"`
 
   - name: http.x_forwarded_for
     data_type: String
     categories: [Request, Headers]
     keywords: [request, header, proxy, ip, client, visitor]
-    summary: The full `X-Forwarded-For` HTTP header.
+    summary: The full value of the `X-Forwarded-For` HTTP header.
     example_value: |-
-      203.0.113.195, 70.41.3.18
+      "203.0.113.195, 70.41.3.18"
 
   - name: ip.src
     data_type: IP address
@@ -174,7 +174,7 @@ entries:
     keywords: [request, location, geolocation, client, visitor]
     summary: The latitude associated with the client IP address.
     example_value: |-
-      37.78044
+      "37.78044"
 
   - name: ip.src.lon
     data_type: String
@@ -182,7 +182,7 @@ entries:
     keywords: [request, location, geolocation, client, visitor]
     summary: The longitude associated with the client IP address.
     example_value: |-
-      -122.39055
+      "-122.39055"
 
   - name: ip.src.city
     data_type: String
@@ -190,7 +190,7 @@ entries:
     keywords: [request, location, geolocation, client, visitor]
     summary: The city associated with the client IP address.
     example_value: |-
-      San Francisco
+      "San Francisco"
 
   - name: ip.src.postal_code
     data_type: String
@@ -198,7 +198,7 @@ entries:
     keywords: [request, location, geolocation, zip, zip code, client, visitor]
     summary: The postal code associated with the incoming request.
     example_value: |-
-      78701
+      "78701"
 
   - name: ip.src.metro_code
     data_type: String
@@ -206,7 +206,7 @@ entries:
     keywords: [request, location, geolocation, dma, client, visitor]
     summary: The metro code or Designated Market Area (DMA) code associated with the incoming request.
     example_value: |-
-      635
+      "635"
 
   - name: ip.src.region
     data_type: String
@@ -214,7 +214,7 @@ entries:
     keywords: [request, location, geolocation, state, client, visitor]
     summary: The region name associated with the incoming request.
     example_value: |-
-      Texas
+      "Texas"
 
   - name: ip.src.region_code
     data_type: String
@@ -222,7 +222,7 @@ entries:
     keywords: [request, location, geolocation, state, client, visitor]
     summary: The region code associated with the incoming request.
     example_value: |-
-      TX
+      "TX"
 
   - name: ip.src.timezone.name
     data_type: String
@@ -233,7 +233,7 @@ entries:
     description: |-
       This field is only available in rewrite expressions of [Transform Rules](/rules/transform/).
     example_value: |-
-      America/Chicago
+      "America/Chicago"
 
   - name: ip.src.asnum
     data_type: Number
@@ -255,14 +255,14 @@ entries:
     description: |-
       Values:
 
-      - **AF**: Africa
-      - **AN**: Antarctica
-      - **AS**: Asia
-      - **EU**: Europe
-      - **NA**: North America
-      - **OC**: Oceania
-      - **SA**: South America
-      - **T1**: Tor network
+      - `"AF"`: Africa
+      - `"AN"`: Antarctica
+      - `"AS"`: Asia
+      - `"EU"`: Europe
+      - `"NA"`: North America
+      - `"OC"`: Oceania
+      - `"SA"`: South America
+      - `"T1"`: Tor network
 
       This field has the same value as the `ip.geoip.continent` field, which is deprecated. The `ip.geoip.continent` field is still available for new and existing rules, but you should use the `ip.src.continent` field instead.
 
@@ -275,7 +275,7 @@ entries:
       [request, location, geolocation, ip.geoip.country, client, visitor]
     summary: The 2-letter country code in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format.
     example_value: |-
-      GB
+      "GB"
     description: |-
       For more information on the ISO 3166-1 Alpha 2 format, refer to [ISO 3166-1 Alpha 2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) on Wikipedia.
 
@@ -299,7 +299,7 @@ entries:
     plan_info_label: Business or above
     summary: The ISO 3166-2 code for the first-level region associated with the IP address.
     example_value: |-
-      GB-ENG
+      "GB-ENG"
     description: |-
       When the actual value is not available, this field contains an empty string.
 
@@ -327,7 +327,7 @@ entries:
     plan_info_label: Business or above
     summary: The ISO 3166-2 code for the second-level region associated with the IP address.
     example_value: |-
-      GB-SWK
+      "GB-SWK"
     description: |-
       When the actual value is not available, this field contains an empty string.
 
@@ -815,6 +815,7 @@ entries:
     summary: Indicates whether the request contains at least one content object.
     description: |-
       Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
+
   - name: cf.waf.content_scan.has_malicious_obj
     data_type: Boolean
     categories: [Request]
@@ -831,6 +832,7 @@ entries:
     summary: Indicates whether the request contains at least one malicious content object.
     description: |-
       Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
+
   - name: cf.waf.content_scan.num_malicious_obj
     data_type: Integer
     categories: [Request]
@@ -847,6 +849,7 @@ entries:
     summary: The number of malicious content objects detected in the request (zero or greater).
     description: |-
       Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
+
   - name: cf.waf.content_scan.has_failed
     data_type: Boolean
     categories: [Request]
@@ -879,6 +882,7 @@ entries:
     summary: The number of content objects detected in the request (zero or greater).
     description: |-
       Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
+
   - name: cf.waf.content_scan.obj_sizes
     data_type: Array<Integer>
     categories: [Request]
@@ -895,6 +899,7 @@ entries:
     summary: An array of file sizes in bytes, in the order the content objects were detected in the request.
     description: |-
       Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
+
   - name: cf.waf.content_scan.obj_types
     data_type: Array<String>
     categories: [Request]
@@ -913,6 +918,7 @@ entries:
       If Cloudflare cannot determine the file type of a content object, the corresponding value in the `obj_types` array will be `application/octet-stream`.
 
       Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
+
   - name: cf.waf.content_scan.obj_results
     data_type: Array<String>
     categories: [Request]
@@ -931,6 +937,7 @@ entries:
       The possible values are: `clean`, `suspicious`, `infected`, and `not scanned`.
 
       Requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/).
+
   - name: cf.waf.score
     data_type: Number
     categories: [Request]
@@ -1490,12 +1497,12 @@ entries:
     example_block: |-
       # Example 1: Request with header "Accept-Language: fr-CH, fr;q=0.8, en;q=0.9, de;q=0.7, *;q=0.5".
       # In this case:
-      http.request.accepted_languages[0] == "fr-CH"
-      http.request.accepted_languages == ["fr-CH", "en", "fr", "de"]
+      http.request.accepted_languages[0] ==> "fr-CH"
+      http.request.accepted_languages    ==> ["fr-CH", "en", "fr", "de"]
 
       # Example 2: Request without an `Accept-Language` HTTP header and a URI of "https://www.example.com/my-path".
       # In this case:
-      concat("/", http.request.accepted_languages[0], http.request.uri.path) == "//my-path"
+      concat("/", http.request.accepted_languages[0], http.request.uri.path) ==> "//my-path"
 
   - name: http.request.body.raw
     data_type: String
@@ -1618,6 +1625,8 @@ entries:
       Supports the most common MIME types of the following general categories: video, audio, image, application, text.
     example_value: |-
       "image/jpeg"
+    example_block: |-
+      http.request.body.mime in {"image/bmp" "image/gif" "image/jpeg" "image/png" "image/tiff"}
 
   - name: http.request.body.multipart
     data_type: Map<Array<String>>
@@ -1628,7 +1637,9 @@ entries:
     description: |-
       Requires a Cloudflare Enterprise plan with a paid add-on.
     example_value: |-
-      {"username": ["alice_doe"], "picture": [<binary_content_of_file>]}
+      {"username": ["alice_doe"], "role": ["editor"], "picture": [<binary_content_of_file>]}
+    example_block: |-
+      any(http.request.body.multipart["role"][*] == "admin")
 
   - name: http.request.body.multipart.names
     data_type: Array<Array<String>>
@@ -1653,6 +1664,8 @@ entries:
       Requires a Cloudflare Enterprise plan with a paid add-on.
     example_value: |-
       ["alice_doe", <binary_content_of_file>]
+    example_block: |-
+      any(http.request.body.multipart.values[*] == "alice_doe")
 
   - name: http.request.body.multipart.content_types
     data_type: Array<Array<String>>
@@ -1676,9 +1689,9 @@ entries:
     description: |-
       Requires a Cloudflare Enterprise plan with a paid add-on.
     example_value: |-
-      [["form-data; name=\"username\"], ["form-data;name=\"picture\"]]
+      [["form-data; name=\"username\""], ["form-data; name=\"picture\""]]
     example_block: |-
-      any(http.request.body.multipart.content_dispositions[*][0] in {"form-data; name=\"username\"" "form-data;name=\"picture\""})
+      any(http.request.body.multipart.content_dispositions[*][0] in {"form-data; name=\"username\"" "form-data; name=\"picture\""})
 
   - name: http.request.body.multipart.content_transfer_encodings
     data_type: Array<Array<String>>
@@ -1689,7 +1702,9 @@ entries:
     description: |-
       Requires a Cloudflare Enterprise plan with a paid add-on.
     example_value: |-
-      [["quoted-printable"], ["quoted-printable"]]
+      [["quoted-printable"], ["base64"]]
+    example_block: |-
+      any(http.request.body.multipart.content_transfer_encodings[*][0] == "binary")
 
   - name: http.request.body.multipart.filenames
     data_type: Array<Array<String>>
@@ -1701,6 +1716,8 @@ entries:
       Requires a Cloudflare Enterprise plan with a paid add-on.
     example_value: |-
       [["file1.txt"], ["photo.jpg"]]
+    example_block: |-
+      any(http.request.body.multipart.filenames[*][0] in {"token.txt" "password.txt"})
 
   - name: http.response.code
     data_type: Integer
@@ -1814,16 +1831,16 @@ entries:
 
       The available values are the following:
 
-      - `managed_challenge`
-      - `iuam`
-      - `legacy_challenge`
-      - `ip_ban`
-      - `waf`
-      - `5xx`
-      - `1xxx`
-      - `always_online`
-      - `country_challenge`
-      - `ratelimit`
+      - `"managed_challenge"`
+      - `"iuam"`
+      - `"legacy_challenge"`
+      - `"ip_ban"`
+      - `"waf"`
+      - `"5xx"`
+      - `"1xxx"`
+      - `"always_online"`
+      - `"country_challenge"`
+      - `"ratelimit"`
 
       You can use this field to customize the response for a specific type of error (for example, all 1XXX errors or all WAF block actions).
 

From b6d4d0e5bd7738a5d994eb1e691b5d446000a30b Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Tue, 14 Jan 2025 17:58:34 +0000
Subject: [PATCH 35/45] Update field links (scripted)

---
 .../jwt-validation/transform-rules.mdx        |   2 +-
 src/content/docs/bots/troubleshooting.mdx     |   2 +-
 .../domain-support/custom-metadata.mdx        |   2 +-
 .../basic-tasks/trace-request/how-to.mdx      |   4 +-
 .../reference/http-request-headers.mdx        |   2 +-
 .../mtls/mtls-app-security/index.mdx          |   2 +-
 .../mtls-app-security/related-features.mdx    |  15 +-
 .../load-balancing-rules/reference.mdx        | 372 ++++++++++++------
 .../docs/rules/compression-rules/index.mdx    |  10 +-
 .../custom-error-responses/create-api.mdx     |   4 +-
 .../rules/reference/page-rules-migration.mdx  |   2 +-
 .../managed-transforms/reference.mdx          |  54 +--
 .../rules-language/functions.mdx              |   2 +-
 .../ruleset-engine/rules-language/values.mdx  |   2 +-
 .../allow-traffic-from-specific-countries.mdx |   2 +-
 .../allow-traffic-from-verified-bots.mdx      |   2 +-
 .../block-traffic-from-specific-countries.mdx |   2 +-
 .../use-cases/challenge-bad-bots.mdx          |   6 +-
 .../exempt-partners-hotlink-protection.mdx    |   2 +-
 .../use-cases/require-specific-cookie.mdx     |   2 +-
 .../use-cases/require-specific-http-ports.mdx |   2 +-
 .../use-cases/stop-rudy-attacks.mdx           |   2 +-
 .../update-rules-customers-partners.mdx       |  10 +-
 .../docs/waf/detections/attack-score.mdx      |  10 +-
 .../detections/leaked-credentials/index.mdx   |  20 +-
 .../detections/malicious-uploads/index.mdx    |  16 +-
 .../rate-limiting-rules/best-practices.mdx    |   2 +-
 .../transform/header-modification-fields.mdx  |   4 +-
 .../transform/transform-phase-fields.mdx      |   4 +-
 .../rate-limiting-availability-by-plan.mdx    |   2 +-
 30 files changed, 339 insertions(+), 224 deletions(-)

diff --git a/src/content/docs/api-shield/security/jwt-validation/transform-rules.mdx b/src/content/docs/api-shield/security/jwt-validation/transform-rules.mdx
index 7da05e4ffff6617..bdf9e5d2f2546b4 100644
--- a/src/content/docs/api-shield/security/jwt-validation/transform-rules.mdx
+++ b/src/content/docs/api-shield/security/jwt-validation/transform-rules.mdx
@@ -34,4 +34,4 @@ As an example, to send the header `x-send-jwt-claim-user` request header to the
 4. Enter a rule name and a filter expression, if applicable.
 5. Choose **Set dynamic**.
 6. Set the header name.
-7. Set the value to `lookup_json_string(http.request.jwt.claims["<TOKEN_CONFIGURATION_ID>"][0], "claim_name")`, where `<TOKEN_CONFIGURATION_ID>` is your token configuration ID found in JWT Validation and `claim_name` is the [JWT claim](/ruleset-engine/rules-language/fields/dynamic-fields/#json-web-tokens-validation-claims) you want to add to the header.
\ No newline at end of file
+7. Set the value to `lookup_json_string(http.request.jwt.claims["<TOKEN_CONFIGURATION_ID>"][0], "claim_name")`, where `<TOKEN_CONFIGURATION_ID>` is your token configuration ID found in JWT Validation and `claim_name` is the [JWT claim](/ruleset-engine/rules-language/fields/reference/http.request.jwt.claims/) you want to add to the header.
\ No newline at end of file
diff --git a/src/content/docs/bots/troubleshooting.mdx b/src/content/docs/bots/troubleshooting.mdx
index 396c7f2787c1f64..b059d584bf73d0d 100644
--- a/src/content/docs/bots/troubleshooting.mdx
+++ b/src/content/docs/bots/troubleshooting.mdx
@@ -90,7 +90,7 @@ Cloudflare has built an allowlist of good, automated bots, e.g. Google Search En
 
 This allowlist is large based on reverse DNS verification, meaning that the IPs we allow really match the requesting service. In addition to this, Cloudflare uses multiple validation methods including ASN blocks and public lists. If none of these validation types are available for a customer, we use internal Cloudflare data and machine learning to identify legitimate IP addresses from good bots.
 
-To allow traffic from good bots, use the [Verified Bot](/ruleset-engine/rules-language/fields/dynamic-fields/#cfbot_managementverified_bot) field in your WAF custom rule.
+To allow traffic from good bots, use the [Verified Bot](/ruleset-engine/rules-language/fields/reference/cf.bot_management.verified_bot/) field in your WAF custom rule.
 
 ---
 
diff --git a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata.mdx b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata.mdx
index 842a4efdbe41c09..8c78e1237a358b7 100644
--- a/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata.mdx
+++ b/src/content/docs/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata.mdx
@@ -83,7 +83,7 @@ export default {
 
 ## Accessing custom metadata in a rule expression
 
-Use the [`cf.hostname.metadata`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfhostnamemetadata) field to access the metadata object in rule expressions. To obtain the different values from the JSON object, use the [`lookup_json_string`](/ruleset-engine/rules-language/functions/#lookup_json_string) function.
+Use the [`cf.hostname.metadata`](/ruleset-engine/rules-language/fields/reference/cf.hostname.metadata/) field to access the metadata object in rule expressions. To obtain the different values from the JSON object, use the [`lookup_json_string`](/ruleset-engine/rules-language/functions/#lookup_json_string) function.
 
 The following rule expression defines that there will be a rule match if the `security_tag` value in custom metadata contains the value `low`:
 
diff --git a/src/content/docs/fundamentals/basic-tasks/trace-request/how-to.mdx b/src/content/docs/fundamentals/basic-tasks/trace-request/how-to.mdx
index 1138daf13fee7a7..0e200fa91bb1851 100644
--- a/src/content/docs/fundamentals/basic-tasks/trace-request/how-to.mdx
+++ b/src/content/docs/fundamentals/basic-tasks/trace-request/how-to.mdx
@@ -34,9 +34,9 @@ import { GlossaryTooltip } from "~/components"
    * **Protocol** (HTTP protocol version)
    * **Request headers**
    * **Cookies**
-   * **Geolocation** (request source [country](/ruleset-engine/rules-language/fields/standard-fields/#ipsrccountry), [region](/ruleset-engine/rules-language/fields/standard-fields/#ipsrcregion), and [city](/ruleset-engine/rules-language/fields/standard-fields/#ipsrccity))
+   * **Geolocation** (request source [country](/ruleset-engine/rules-language/fields/reference/ip.src.country/), [region](/ruleset-engine/rules-language/fields/reference/ip.src.region/), and [city](/ruleset-engine/rules-language/fields/reference/ip.src.city/))
    * [**Bot score**](/bots/concepts/bot-score/)
-   * <GlossaryTooltip term="threat score" link="/ruleset-engine/rules-language/fields/dynamic-fields/#cfthreat_score">**Threat score**</GlossaryTooltip>
+   * <GlossaryTooltip term="threat score" link="/ruleset-engine/rules-language/fields/reference/cf.threat_score/">**Threat score**</GlossaryTooltip>
    * **Request body** (for `POST`, `PUT`, and `PATCH` requests)
    * **Skip challenge** (skips a Cloudflare-issued [challenge](/waf/reference/cloudflare-challenges/), if any, allowing the trace to continue)
 
diff --git a/src/content/docs/fundamentals/reference/http-request-headers.mdx b/src/content/docs/fundamentals/reference/http-request-headers.mdx
index 3bb2535ee54cb76..c820ec5847abeda 100644
--- a/src/content/docs/fundamentals/reference/http-request-headers.mdx
+++ b/src/content/docs/fundamentals/reference/http-request-headers.mdx
@@ -134,7 +134,7 @@ The intended purpose of this header is to provide a means for recipients (for ex
 
 :::note
 
-When configuring WAF custom rules, do not match on this header. These rules are applied before Cloudflare adds the `CF-Worker` header. Instead, use the [`cf.worker.upstream_zone`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfworkerupstream_zone) dynamic field, which contains the same value and exists for the same purpose.
+When configuring WAF custom rules, do not match on this header. These rules are applied before Cloudflare adds the `CF-Worker` header. Instead, use the [`cf.worker.upstream_zone`](/ruleset-engine/rules-language/fields/reference/cf.worker.upstream_zone/) dynamic field, which contains the same value and exists for the same purpose.
 
 :::
 
diff --git a/src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx b/src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx
index b53d48e341a3d7f..df5bb0b5d6f9d3c 100644
--- a/src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx
+++ b/src/content/docs/learning-paths/mtls/mtls-app-security/index.mdx
@@ -63,7 +63,7 @@ Use the values from the previous step.
 
 mTLS is verified and checked in the [Cloudflare WAF phase](/waf/reference/phases/). This is done by creating WAF [Custom Rules](/waf/custom-rules/) using the dynamic fields.
 
-All Client Certificate details can be found in the [`cf.tls_*`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_cipher) dynamic fields in the [Cloudflare Ruleset Engine](/ruleset-engine/).
+All Client Certificate details can be found in the [`cf.tls_*`](/ruleset-engine/rules-language/fields/reference/) fields in the [Cloudflare Ruleset Engine](/ruleset-engine/).
 
 Example WAF Custom Rule with action block:
 
diff --git a/src/content/docs/learning-paths/mtls/mtls-app-security/related-features.mdx b/src/content/docs/learning-paths/mtls/mtls-app-security/related-features.mdx
index 6f5b2ea5345a781..fea150e35a38ece 100644
--- a/src/content/docs/learning-paths/mtls/mtls-app-security/related-features.mdx
+++ b/src/content/docs/learning-paths/mtls/mtls-app-security/related-features.mdx
@@ -13,7 +13,7 @@ To make it easier to differentiate between Client Certificates, you can generate
 
 In cases of noticing excessive traffic, anomalous traffic (strange sequences of requests), or generally too many attack attempts registered from specific devices using your Client Certificates, it is best to [revoke](/ssl/client-certificates/revoke-client-certificate/) those.
 
-Additionally, ensure to have a WAF [Custom Rule](/waf/custom-rules/) in place to block [revoked](/api-shield/security/mtls/configure/#check-for-revoked-certificates) Client Certificates. Review the available [`cf.tls_*`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_cipher) dynamic fields.
+Additionally, ensure to have a WAF [Custom Rule](/waf/custom-rules/) in place to block [revoked](/api-shield/security/mtls/configure/#check-for-revoked-certificates) Client Certificates. Review the available [`cf.tls_*`](/ruleset-engine/rules-language/fields/reference/) fields.
 
 Example WAF Custom Rule with action block:
 
@@ -47,7 +47,7 @@ Each Enterprise account can upload up to five CAs, though this can be increased.
 
 ## Client Certificate Deployment
 
-There are different ways to safely and securely deploy Client Certificates across devices. 
+There are different ways to safely and securely deploy Client Certificates across devices.
 
 Some of the most used methods are [embedding](/ssl/client-certificates/configure-your-mobile-app-or-iot-device/#3-embed-the-client-certificate-in-your-mobile-app) the Client Certificate into an application and allowing user devices to download and install that app, or use mobile device management (MDM) to distribute certificates across devices, or to allow user devices to directly download and install the Client Certificate into a device's Certificate Store.
 
@@ -60,6 +60,7 @@ In complex microservices environments, you can leverage Service Mesh to automate
 It is generally recommended to [customize the cipher suites](/ssl/edge-certificates/additional-options/cipher-suites/customize-cipher-suites/) of your Cloudflare [Edge Certificates](/ssl/edge-certificates/). This only applies to the Edge Certificates, not Client Certificates.
 
 The recommended TLS versions for mTLS are:
+
 - TLS 1.2: still broadly compatible and secure.
 - TLS 1.3: preferred for new implementations due to its enhanced security and efficiency.
 
@@ -99,7 +100,7 @@ Contact your account team for more information.
 [Revoked](/api-shield/security/mtls/configure/#check-for-revoked-certificates) Client Certificates are not automatically blocked unless you have an active WAF Custom Rule specifically checking for and blocking them. This check only applies to Client Certificates issued by the Cloudflare-managed CA. Cloudflare currently does not check certificate revocation lists (CRL) for CAs that have been uploaded by the customer ([BYO CA](/ssl/client-certificates/byo-ca/)). One can opt for Workers to manage a custom business logic and block revoked Client Certificates. See the [Workers section](/learning-paths/mtls/mtls-workers/) for more information.
 :::
 
-In order to effectively implement mTLS with Cloudflare, it is strongly recommended to properly configure the [Cloudflare WAF](/waf/). Review the available [`cf.tls_*`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_cipher) dynamic fields.
+In order to effectively implement mTLS with Cloudflare, it is strongly recommended to properly configure the [Cloudflare WAF](/waf/). Review the available [`cf.tls_*`](/ruleset-engine/rules-language/fields/reference/) fields.
 
 Example WAF Custom Rule with action block:
 
@@ -111,7 +112,7 @@ Example WAF Custom Rule with action block:
 
 This expression will check if the request is coming from one of the hostnames and will block the request if the Client Certificate is either not verified or revoked.
 
-Another example WAF Custom Rule with action block, using the [cf.tls_client_auth.cert_fingerprint_sha256](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_fingerprint_sha256) field, for a specific Client Certificate (replace `ADD_STRING_OF_CLIENT_CERT_SHA256_FINGERPRINT`):
+Another example WAF Custom Rule with action block, using the [`cf.tls_client_auth.cert_fingerprint_sha256`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_fingerprint_sha256/) field, for a specific Client Certificate (replace `ADD_STRING_OF_CLIENT_CERT_SHA256_FINGERPRINT`):
 
 ![Example expression of a WAF Custom Rule with action block using the cf.tls_client_auth.cert_fingerprint_sha256 field](~/assets/images/learning-paths/mtls/waf-client-certificates-fingerprint.png)
 
@@ -119,7 +120,7 @@ Another example WAF Custom Rule with action block, using the [cf.tls_client_auth
 (http.request.uri.path in {"/headers"} and http.host in {"mtls.example.com" "mtls2.example.com"} and not cf.tls_client_auth.cert_verified and cf.tls_client_auth.cert_fingerprint_sha256 ne "ADD_STRING_OF_CLIENT_CERT_SHA256_FINGERPRINT")
 ```
 
-Here is another example of a WAF custom rule to associate a serial number with a hostname: 
+Here is another example of a WAF custom rule to associate a serial number with a hostname:
 
 ![Example expression of a WAF Custom Rule to associate a serial number with a hostname](~/assets/images/learning-paths/mtls/waf-custom-rule.png)
 
@@ -127,11 +128,12 @@ Here is another example of a WAF custom rule to associate a serial number with a
 (http.host in {"mtls.example.com" "mtls2.example.com"} and cf.tls_client_auth.cert_serial ne "ADD_STRING_OF_CLIENT_CERT_SERIAL")
 ```
 
-This expression will check for a specific [Client Certificate serial number](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_serial) linked to specific hostnames, allowing for more granular control. 
+This expression will check for a specific [Client Certificate serial number](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_serial/) linked to specific hostnames, allowing for more granular control.
 
 ## Rate Limiting by Client Certificates
 
 By enabling [forwarding a certificate](/ssl/client-certificates/enable-mtls/#cloudflare-api) via the Cloudflare API, the first request of an mTLS connection will include the following headers:
+
 - `Cf-Client-Cert-Der-Base64` (raw certificate in DER format, encoded as base64)
 - `Cf-Client-Cert-Sha256` (SHA256 fingerprint of the certificate)
 
@@ -156,6 +158,5 @@ In addition to mTLS, customers can purchase [API Shield](/api-shield/) features,
 
 Cloudflare Workers can provide details around the Client Certificate, such as returning information via headers to the client or to the origin server. Learn more in the [mTLS with Workers section](/learning-paths/mtls/mtls-workers/) below.
 
-
 :::note
 Snippets do not support any [Bindings](/workers/runtime-apis/bindings/) and do not work with mTLS. However, you can [validate JSON web tokens (JWT)](/rules/snippets/examples/jwt-validation/).
diff --git a/src/content/docs/load-balancing/additional-options/load-balancing-rules/reference.mdx b/src/content/docs/load-balancing/additional-options/load-balancing-rules/reference.mdx
index 7e966f8b242a5e4..616a0df0e72c978 100644
--- a/src/content/docs/load-balancing/additional-options/load-balancing-rules/reference.mdx
+++ b/src/content/docs/load-balancing/additional-options/load-balancing-rules/reference.mdx
@@ -3,7 +3,6 @@ pcx_content_type: reference
 title: Supported fields and operators
 sidebar:
   order: 51
-
 ---
 
 The fields that are supported by load balancing rules depend on whether Cloudflare proxies the traffic going through your load balancer or not.
@@ -29,50 +28,99 @@ Consider the following table to know how the fields available in the [Expression
 Regardless of your traffic [proxy status](/load-balancing/understand-basics/proxy-modes/), Load Balancing rules can access values for the following fields:
 
 <table style="width:100%">
-  <thead>
-    <tr>
-      <th style="width:40%">Field</th>
-      <th style="width:20%">Name in Expression Builder</th>
-      <th>Description</th>
-    </tr>
-  </thead>
-  <tbody>
-    <tr id="field-cf-load-balancer-name">
-      <td valign="top"><code>cf.load_balancer.name</code><br />`Bytes`</td>
-      <td><code>Load Balancer Name</code></td>
-      <td>
-        <p>Represents the name of the load balancer executing these rules.</p>
-         <p>
-         Example value:
-         <br /><code class="InlineCode">lb.example.com</code>
-        </p>
-      </td>
-    </tr>
-    <tr id="field-cf-load-balancer-region">
-      <td valign="top"><code>cf.load_balancer.region</code><br />`Bytes`</td>
-      <td><code>Load Balancer Region</code></td>
-      <td>
-        <p>Provides the <a href="/load-balancing/reference/region-mapping-api/#list-of-load-balancer-regions">region name</a> of the data center processing the request.</p>
-         <p>
-         Example value:
-         <br /><code class="InlineCode">ENAM</code>
-        </p>
-      </td>
-    </tr>
-    <tr id="field-ip-src">
-      <td valign="top"><code>ip.src</code><br />`IP address`</td>
-      <td><code>IP Source Address</code></td>
-      <td>
-        <p>If proxied, this field provides the client TCP IP address, which may be adjusted to reflect the actual address of the client by using HTTP headers such as <code>X-Forwarded-For</code> or <code>X-Real-IP</code>.</p>
-        <p>If unproxied (DNS-only), this field provides the ECS source address, if available. If not available, it provides the client resolver IP address.</p>
-        <p><strong>Deprecation Warning:</strong> In the future, this field will always be set to the client resolver IP address for unproxied requests. To check for the presence of ECS and use the ECS IP, see the fields <a href="#field-dns-rr-opt-client"><code>dns.rr.opt.client</code></a> and <a href="#field-dns-rr-opt-client-addr"><code>dns.rr.opt.client.addr</code></a>, respectively.</p>
-         <p>
-         Example value:
-         <br /><code class="InlineCode">1.2.3.4</code>
-        </p>
-      </td>
-    </tr>
-  </tbody>
+	<thead>
+		<tr>
+			<th style="width:40%">Field</th>
+			<th style="width:20%">Name in Expression Builder</th>
+			<th>Description</th>
+		</tr>
+	</thead>
+	<tbody>
+		<tr id="field-cf-load-balancer-name">
+			<td valign="top">
+				<code>cf.load_balancer.name</code>
+				<br />
+				`Bytes`
+			</td>
+			<td>
+				<code>Load Balancer Name</code>
+			</td>
+			<td>
+				<p>Represents the name of the load balancer executing these rules.</p>
+				<p>
+					Example value:
+					<br />
+					<code class="InlineCode">lb.example.com</code>
+				</p>
+			</td>
+		</tr>
+		<tr id="field-cf-load-balancer-region">
+			<td valign="top">
+				<code>cf.load_balancer.region</code>
+				<br />
+				`Bytes`
+			</td>
+			<td>
+				<code>Load Balancer Region</code>
+			</td>
+			<td>
+				<p>
+					Provides the{" "}
+					<a href="/load-balancing/reference/region-mapping-api/#list-of-load-balancer-regions">
+						region name
+					</a>{" "}
+					of the data center processing the request.
+				</p>
+				<p>
+					Example value:
+					<br />
+					<code class="InlineCode">ENAM</code>
+				</p>
+			</td>
+		</tr>
+		<tr id="field-ip-src">
+			<td valign="top">
+				<code>ip.src</code>
+				<br />
+				`IP address`
+			</td>
+			<td>
+				<code>IP Source Address</code>
+			</td>
+			<td>
+				<p>
+					If proxied, this field provides the client TCP IP address, which may
+					be adjusted to reflect the actual address of the client by using HTTP
+					headers such as <code>X-Forwarded-For</code> or <code>X-Real-IP</code>
+					.
+				</p>
+				<p>
+					If unproxied (DNS-only), this field provides the ECS source address,
+					if available. If not available, it provides the client resolver IP
+					address.
+				</p>
+				<p>
+					<strong>Deprecation Warning:</strong> In the future, this field will
+					always be set to the client resolver IP address for unproxied
+					requests. To check for the presence of ECS and use the ECS IP, see the
+					fields{" "}
+					<a href="#field-dns-rr-opt-client">
+						<code>dns.rr.opt.client</code>
+					</a>{" "}
+					and{" "}
+					<a href="#field-dns-rr-opt-client-addr">
+						<code>dns.rr.opt.client.addr</code>
+					</a>
+					, respectively.
+				</p>
+				<p>
+					Example value:
+					<br />
+					<code class="InlineCode">1.2.3.4</code>
+				</p>
+			</td>
+		</tr>
+	</tbody>
 </table>
 
 ## Proxied-only fields
@@ -91,7 +139,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul
   </thead>
   <tbody>
     <tr id="field-http-cookie">
-      <td valign="top"><a href="/ruleset-engine/rules-language/fields/standard-fields/#httpcookie"><code>http.cookie</code></a><br />`String`</td>
+      <td valign="top"><a href="/ruleset-engine/rules-language/fields/reference/http.cookie/"><code>http.cookie</code></a><br />`String`</td>
       <td>(<a href="/load-balancing/additional-options/load-balancing-rules/expressions/#expression-editor">Manual entry only</a>)</td>
       <td>
         <p>Represents the entire cookie as a string.</p>
@@ -102,7 +150,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul
       </td>
     </tr>
     <tr id="field-http-host">
-      <td valign="top"><a href="/ruleset-engine/rules-language/fields/standard-fields/#httphost"><code>http.host</code></a><br />`String`</td>
+      <td valign="top"><a href="/ruleset-engine/rules-language/fields/reference/http.host/"><code>http.host</code></a><br />`String`</td>
       <td>(<a href="/load-balancing/additional-options/load-balancing-rules/expressions/#expression-editor">Manual entry only</a>)</td>
       <td>
         <p>Represents the hostname used in the full request URI.</p>
@@ -113,7 +161,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul
       </td>
     </tr>
     <tr id="field-http-referer">
-      <td valign="top"><a href="/ruleset-engine/rules-language/fields/standard-fields/#httpreferer"><code>http.referer</code></a><br />`String`</td>
+      <td valign="top"><a href="/ruleset-engine/rules-language/fields/reference/http.referer/"><code>http.referer</code></a><br />`String`</td>
       <td>(<a href="/load-balancing/additional-options/load-balancing-rules/expressions/#expression-editor">Manual entry only</a>)</td>
       <td>
         <p>Represents the HTTP Referer request header, which contains the address of the web page that linked to the currently requested page.</p>
@@ -124,7 +172,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul
       </td>
     </tr>
     <tr id="field-http-request-headers">
-      <td valign="top"><a href="/ruleset-engine/rules-language/fields/http-request-header/"><code>http.request.headers</code></a><br />`Map<Array<String>>`</td>
+      <td valign="top"><a href="/ruleset-engine/rules-language/fields/reference/http.request.headers/"><code>http.request.headers</code></a><br />`Map<Array<String>>`</td>
       <td><code>Header</code></td>
       <td>
         <p>Represents HTTP request headers as a Map (or associative array).</p>
@@ -146,7 +194,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul
       </td>
     </tr>
     <tr id="field-http-request-method">
-      <td valign="top"><a href="/ruleset-engine/rules-language/fields/standard-fields/#httprequestmethod"><code>http.request.method</code></a><br />`String`</td>
+      <td valign="top"><a href="/ruleset-engine/rules-language/fields/reference/http.request.method/"><code>http.request.method</code></a><br />`String`</td>
       <td><code>Request Method</code></td>
       <td>
         <p>Represents the HTTP method, returned as a string of uppercase characters.</p>
@@ -157,7 +205,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul
       </td>
     </tr>
     <tr id="field-http-request-timestamp-sec">
-      <td valign="top"><a href="/ruleset-engine/rules-language/fields/standard-fields/#httprequesttimestampsec"><code>http.request.timestamp.sec</code></a><br />`Integer`</td>
+      <td valign="top"><a href="/ruleset-engine/rules-language/fields/reference/http.request.timestamp.sec/"><code>http.request.timestamp.sec</code></a><br />`Integer`</td>
       <td><code>Timestamp</code></td>
       <td>
         <p>Represents the timestamp when Cloudflare received the request, expressed as Unix time in seconds. This value is 10 digits long.</p>
@@ -168,7 +216,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul
       </td>
     </tr>
     <tr id="field-http-request-uri">
-      <td valign="top"><a href="/ruleset-engine/rules-language/fields/standard-fields/#httprequesturi"><code>http.request.uri</code></a><br />`String`</td>
+      <td valign="top"><a href="/ruleset-engine/rules-language/fields/reference/http.request.uri/"><code>http.request.uri</code></a><br />`String`</td>
       <td><code>URI</code></td>
       <td>
         <p>Represents the URI path and query string of the request.</p>
@@ -179,7 +227,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul
       </td>
     </tr>
     <tr id="field-http-request-uri-args">
-      <td valign="top"><a href="/ruleset-engine/rules-language/fields/uri/"><code>http.request.uri.args</code></a><br />`Map<Array<String>>`</td>
+      <td valign="top"><a href="/ruleset-engine/rules-language/fields/reference/http.request.uri.args/"><code>http.request.uri.args</code></a><br />`Map<Array<String>>`</td>
       <td>(<a href="/load-balancing/additional-options/load-balancing-rules/expressions/#expression-editor">Manual entry only</a>)</td>
       <td>
         <p>Represents the HTTP URI arguments associated with a request as a Map (associative array).</p>
@@ -202,7 +250,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul
       </td>
     </tr>
     <tr id="field-http-request-uri-args-names">
-      <td valign="top"><a href="/ruleset-engine/rules-language/fields/uri/#httprequesturiargsnames"><code>http.request.uri.args.names</code></a><br />`Array<String>`</td>
+      <td valign="top"><a href="/ruleset-engine/rules-language/fields/reference/http.request.uri.args.names/"><code>http.request.uri.args.names</code></a><br />`Array<String>`</td>
       <td>(<a href="/load-balancing/additional-options/load-balancing-rules/expressions/#expression-editor">Manual entry only</a>)</td>
       <td>
         <p>Represents the names of the arguments in the HTTP URI query string. The names are not pre-processed and retain the original case used in the request.</p>
@@ -222,7 +270,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul
       </td>
     </tr>
     <tr id="field-http-request-uri-args-values">
-      <td valign="top"><a href="/ruleset-engine/rules-language/fields/uri/#httprequesturiargsvalues"><code>http.request.uri.args.values</code></a><br />`Array<String>`</td>
+      <td valign="top"><a href="/ruleset-engine/rules-language/fields/reference/http.request.uri.args.values/"><code>http.request.uri.args.values</code></a><br />`Array<String>`</td>
       <td>(<a href="/load-balancing/additional-options/load-balancing-rules/expressions/#expression-editor">Manual entry only</a>)</td>
       <td>
         <p>Represents the values of arguments in the HTTP URI query string. The values are not pre-processed and retain the original case used in the request. They are in the same order as in the request.</p>
@@ -242,7 +290,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul
       </td>
     </tr>
     <tr id="field-http-request-uri-path">
-      <td valign="top"><a href="/ruleset-engine/rules-language/fields/standard-fields/#httprequesturipath"><code>http.request.uri.path</code></a><br />`String`</td>
+      <td valign="top"><a href="/ruleset-engine/rules-language/fields/reference/http.request.uri.path/"><code>http.request.uri.path</code></a><br />`String`</td>
       <td><code>URI Path</code></td>
       <td>
         <p>Represents the URI path of the request.</p>
@@ -253,7 +301,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul
       </td>
     </tr>
     <tr id="field-http-request-uri-query">
-      <td valign="top"><a href="/ruleset-engine/rules-language/fields/standard-fields/#httprequesturiquery"><code>http.request.uri.query</code></a><br />`String`</td>
+      <td valign="top"><a href="/ruleset-engine/rules-language/fields/reference/http.request.uri.query/"><code>http.request.uri.query</code></a><br />`String`</td>
       <td><code>URI Query</code></td>
       <td>
         <p>Represents the entire query string, without the <code class="InlineCode">?</code> delimiter.</p>
@@ -264,7 +312,7 @@ Many of these fields are referenced from the [Rules language documentation](/rul
       </td>
     </tr>
     <tr id="field-http-request-version">
-      <td valign="top"><a href="/ruleset-engine/rules-language/fields/standard-fields/#httprequestversion"><code>http.request.version</code></a><br />`String`</td>
+      <td valign="top"><a href="/ruleset-engine/rules-language/fields/reference/http.request.version/"><code>http.request.version</code></a><br />`String`</td>
       <td><code>HTTP Version</code></td>
       <td>
         <p>Represents the version of the HTTP protocol used. Use this field when you require different checks for different versions.</p>
@@ -285,82 +333,148 @@ Many of these fields are referenced from the [Rules language documentation](/rul
 If your traffic is not proxied through Cloudflare, you have access to all the fields listed under [Fields supported regardless of proxy](#fields-supported-regardless-of-proxy) in addition to the following fields:
 
 <table style="width:100%">
-  <thead>
-    <tr>
-      <th style="width:40%">Field</th>
-      <th style="width:20%">Name in Expression Builder</th>
-      <th>Description</th>
-    </tr>
-  </thead>
-  <tbody>
-    <tr id="field-dns-qry-name">
-      <td valign="top"><code>dns.qry.name</code><br />`Bytes`</td>
-      <td><code>Query Name</code></td>
-      <td>
-        <p>Represents the query name asked.</p>
-         <p>
-         Example value:
-         <br /><code class="InlineCode">example.com.</code>
-         </p>
-      </td>
-    </tr>
-    <tr id="field-dns-qry-name-len">
-      <td valign="top"><code class>dns.qry.name.len</code><br />`Integer`</td>
-      <td><code>Query Name Length</code></td>
-      <td>
-        <p>Represents the length in bytes of the query name.</p>
-         <p>
-         Example value:
-         <br /><code class="InlineCode">123</code>
-         </p>
-      </td>
-    </tr>
-    <tr id="field-dns-qry-qu">
-      <td valign="top"><code>dns.qry.qu</code><br />`Boolean`</td>
-      <td><code>Question</code></td>
-      <td>
-        <p>When <code>true</code>, this field indicates that the received DNS message was a question.</p>
-      </td>
-    </tr>
-    <tr id="field-dns-qry-type">
-      <td valign="top"><code>dns.qry.type</code><br />`Integer`</td>
-      <td><code>Query Type</code></td>
-      <td>
-        <p>Represents the numeric value of the <a href= "https://en.wikipedia.org/wiki/List_of_DNS_record_types">DNS query type</a>.</p>
-        <p>Example Values:</p>
-          <ul>
-              <li><code class="InlineCode">1</code>&nbsp;(A record)</li>
-              <li><code class="InlineCode">28</code>&nbsp;(AAAA record)</li>
-          </ul>
-      </td>
-    </tr>
-    <tr id="field-dns-rr-opt-client">
-      <td valign="top"><code class>dns.rr.opt.client</code><br />`Boolean`</td>
-       <td>(<a href="/load-balancing/additional-options/load-balancing-rules/expressions/#expression-editor">Manual entry only</a>)</td>
-      <td>
-        <p>When <code>true</code>, this field indicates that the EDNS Client Subnet (ECS) address was sent with the DNS request.</p>
-      </td>
-    </tr>
-    <tr id="field-dns-rr-opt-client-addr">
-      <td valign="top"><code class>dns.rr.opt.client.addr</code><br />`String`</td>
-      <td>(<a href="/load-balancing/additional-options/load-balancing-rules/expressions/#expression-editor">Manual entry only</a>)</td>
-      <td>
-        <p>If present, this field represents the ECS address sent with the DNS request.</p>
-         <p>
-         Example value:
-         <br /><code class="InlineCode">1.2.3.0</code>
-         </p>
-      </td>
-    </tr>
-  </tbody>
+	<thead>
+		<tr>
+			<th style="width:40%">Field</th>
+			<th style="width:20%">Name in Expression Builder</th>
+			<th>Description</th>
+		</tr>
+	</thead>
+	<tbody>
+		<tr id="field-dns-qry-name">
+			<td valign="top">
+				<code>dns.qry.name</code>
+				<br />
+				`Bytes`
+			</td>
+			<td>
+				<code>Query Name</code>
+			</td>
+			<td>
+				<p>Represents the query name asked.</p>
+				<p>
+					Example value:
+					<br />
+					<code class="InlineCode">example.com.</code>
+				</p>
+			</td>
+		</tr>
+		<tr id="field-dns-qry-name-len">
+			<td valign="top">
+				<code class>dns.qry.name.len</code>
+				<br />
+				`Integer`
+			</td>
+			<td>
+				<code>Query Name Length</code>
+			</td>
+			<td>
+				<p>Represents the length in bytes of the query name.</p>
+				<p>
+					Example value:
+					<br />
+					<code class="InlineCode">123</code>
+				</p>
+			</td>
+		</tr>
+		<tr id="field-dns-qry-qu">
+			<td valign="top">
+				<code>dns.qry.qu</code>
+				<br />
+				`Boolean`
+			</td>
+			<td>
+				<code>Question</code>
+			</td>
+			<td>
+				<p>
+					When <code>true</code>, this field indicates that the received DNS
+					message was a question.
+				</p>
+			</td>
+		</tr>
+		<tr id="field-dns-qry-type">
+			<td valign="top">
+				<code>dns.qry.type</code>
+				<br />
+				`Integer`
+			</td>
+			<td>
+				<code>Query Type</code>
+			</td>
+			<td>
+				<p>
+					Represents the numeric value of the{" "}
+					<a href="https://en.wikipedia.org/wiki/List_of_DNS_record_types">
+						DNS query type
+					</a>
+					.
+				</p>
+				<p>Example Values:</p>
+				<ul>
+					<li>
+						<code class="InlineCode">1</code>&nbsp;(A record)
+					</li>
+					<li>
+						<code class="InlineCode">28</code>&nbsp;(AAAA record)
+					</li>
+				</ul>
+			</td>
+		</tr>
+		<tr id="field-dns-rr-opt-client">
+			<td valign="top">
+				<code class>dns.rr.opt.client</code>
+				<br />
+				`Boolean`
+			</td>
+			<td>
+				(
+				<a href="/load-balancing/additional-options/load-balancing-rules/expressions/#expression-editor">
+					Manual entry only
+				</a>
+				)
+			</td>
+			<td>
+				<p>
+					When <code>true</code>, this field indicates that the EDNS Client
+					Subnet (ECS) address was sent with the DNS request.
+				</p>
+			</td>
+		</tr>
+		<tr id="field-dns-rr-opt-client-addr">
+			<td valign="top">
+				<code class>dns.rr.opt.client.addr</code>
+				<br />
+				`String`
+			</td>
+			<td>
+				(
+				<a href="/load-balancing/additional-options/load-balancing-rules/expressions/#expression-editor">
+					Manual entry only
+				</a>
+				)
+			</td>
+			<td>
+				<p>
+					If present, this field represents the ECS address sent with the DNS
+					request.
+				</p>
+				<p>
+					Example value:
+					<br />
+					<code class="InlineCode">1.2.3.0</code>
+				</p>
+			</td>
+		</tr>
+	</tbody>
 </table>
 
 ## Operators and grouping symbols
 
-* **Comparison operators** specify how values defined in an expression must relate to the actual HTTP request value for the expression to return true.
+- **Comparison operators** specify how values defined in an expression must relate to the actual HTTP request value for the expression to return true.
 
-* **Logical operators** combine two expressions to form a compound expression and use order of precedence to determine how an expression is evaluated.
+- **Logical operators** combine two expressions to form a compound expression and use order of precedence to determine how an expression is evaluated.
 
-* **Grouping symbols** allow you to organize expressions, enforce operator precedence, and nest expressions.
+- **Grouping symbols** allow you to organize expressions, enforce operator precedence, and nest expressions.
 
 For examples and usage, refer to [Operators and grouping symbols](/ruleset-engine/rules-language/operators/) in the Rules language documentation.
diff --git a/src/content/docs/rules/compression-rules/index.mdx b/src/content/docs/rules/compression-rules/index.mdx
index 8dd59ca5a92647a..c9e836c6760e60f 100644
--- a/src/content/docs/rules/compression-rules/index.mdx
+++ b/src/content/docs/rules/compression-rules/index.mdx
@@ -39,11 +39,11 @@ Compression Rules are available in all Cloudflare plans. Users in the Free plan
 
 The following fields are commonly used in expressions of compression rules:
 
-| Field in [Expression Builder](/ruleset-engine/rules-language/expressions/edit-expressions/#expression-builder) | Field name                                                                                                                                 |
-| -------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------ |
-| _Media Type_                                                                                                   | [`http.response.content_type.media_type`](/ruleset-engine/rules-language/fields/http-request-response/#httpresponsecontent_typemedia_type) |
-| _File extension_                                                                                               | [`http.request.uri.path.extension`](/ruleset-engine/rules-language/fields/standard-fields/#httprequesturipathextension)                    |
-| N/A                                                                                                            | [`raw.http.request.uri.path.extension`](/ruleset-engine/rules-language/fields/standard-fields/#rawhttprequesturipathextension)             |
+| Field in [Expression Builder](/ruleset-engine/rules-language/expressions/edit-expressions/#expression-builder) | Field name                                                                                                                        |
+| -------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------- |
+| _Media Type_                                                                                                   | [`http.response.content_type.media_type`](/ruleset-engine/rules-language/fields/reference/http.response.content_type.media_type/) |
+| _File extension_                                                                                               | [`http.request.uri.path.extension`](/ruleset-engine/rules-language/fields/reference/http.request.uri.path.extension/)             |
+| N/A                                                                                                            | [`raw.http.request.uri.path.extension`](/ruleset-engine/rules-language/fields/reference/raw.http.request.uri.path.extension/)     |
 
 ## Important remarks
 
diff --git a/src/content/docs/rules/custom-error-responses/create-api.mdx b/src/content/docs/rules/custom-error-responses/create-api.mdx
index e7845e10e0ee68f..460cb04715190e0 100644
--- a/src/content/docs/rules/custom-error-responses/create-api.mdx
+++ b/src/content/docs/rules/custom-error-responses/create-api.mdx
@@ -33,9 +33,9 @@ Follow this workflow to create a custom error response rule for a given zone via
 
 The examples in this section use the following fields in their rule expressions:
 
-- [`http.response.code`](/ruleset-engine/rules-language/fields/http-request-response/#httpresponsecode): Represents the HTTP status code returned to the client, either set by a Cloudflare product or returned by the origin server. Use this field to customize the error response for error codes returned by the origin server or by a Cloudflare product such as a Worker.
+- [`http.response.code`](/ruleset-engine/rules-language/fields/reference/http.response.code/): Represents the HTTP status code returned to the client, either set by a Cloudflare product or returned by the origin server. Use this field to customize the error response for error codes returned by the origin server or by a Cloudflare product such as a Worker.
 
-- [`cf.response.1xxx_code`](/ruleset-engine/rules-language/fields/http-request-response/#cfresponse1xxx_code): Contains the specific error code for Cloudflare-generated errors. This field will only work for Cloudflare-generated errors such as [52x](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-5xx-errors/) and [1xxx](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-1xxx-errors/).
+- [`cf.response.1xxx_code`](/ruleset-engine/rules-language/fields/reference/cf.response.1xxx_code/): Contains the specific error code for Cloudflare-generated errors. This field will only work for Cloudflare-generated errors such as [52x](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-5xx-errors/) and [1xxx](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-1xxx-errors/).
 
 ### Custom JSON response for all 5xx errors
 
diff --git a/src/content/docs/rules/reference/page-rules-migration.mdx b/src/content/docs/rules/reference/page-rules-migration.mdx
index 2de656a697bfa93..f67d13639cef858 100644
--- a/src/content/docs/rules/reference/page-rules-migration.mdx
+++ b/src/content/docs/rules/reference/page-rules-migration.mdx
@@ -49,7 +49,7 @@ The evaluation and execution order of Rules features is different from Page Rule
 
 Modern Rules use filter expressions instead of URL patterns. These expressions, built with the Rules language, allow greater precision by leveraging [fields](/ruleset-engine/rules-language/fields/), [functions](/ruleset-engine/rules-language/functions/), and [operators](/ruleset-engine/rules-language/operators/).
 
-The following example demonstrates the use of the [`http.request.full_uri`](/ruleset-engine/rules-language/fields/standard-fields/#httprequestfull_uri) field and the `wildcard` operator for [wildcard matching](/ruleset-engine/rules-language/operators/#wildcard-matching):
+The following example demonstrates the use of the [`http.request.full_uri`](/ruleset-engine/rules-language/fields/reference/http.request.full_uri/) field and the `wildcard` operator for [wildcard matching](/ruleset-engine/rules-language/operators/#wildcard-matching):
 
 <Example>
 A **Page Rules URL** like:
diff --git a/src/content/docs/rules/transform/managed-transforms/reference.mdx b/src/content/docs/rules/transform/managed-transforms/reference.mdx
index aba1c6ef9f7522f..cffcacd98514851 100644
--- a/src/content/docs/rules/transform/managed-transforms/reference.mdx
+++ b/src/content/docs/rules/transform/managed-transforms/reference.mdx
@@ -38,38 +38,38 @@ Adds HTTP headers with bot-related values to the request sent to the origin serv
 
 Adds HTTP headers with [Mutual TLS](/api-shield/security/mtls/) (mTLS) client authentication values to the request sent to the origin server:
 
-- `cf-cert-revoked`: Value from the [`cf.tls_client_auth.cert_revoked`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_revoked) field.
-- `cf-cert-verified`: Value from the [`cf.tls_client_auth.cert_verified`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_verified) field.
-- `cf-cert-presented`: Value from the [`cf.tls_client_auth.cert_presented`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_presented) field.
-- `cf-cert-issuer-dn`: Value from the [`cf.tls_client_auth.cert_issuer_dn`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_issuer_dn) field.
-- `cf-cert-subject-dn`: Value from the [`cf.tls_client_auth.cert_subject_dn`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_subject_dn) field.
-- `cf-cert-issuer-dn-rfc2253`: Value from the [`cf.tls_client_auth.cert_issuer_dn_rfc2253`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_issuer_dn_rfc2253) field.
-- `cf-cert-subject-dn-rfc2253`: Value from the [`cf.tls_client_auth.cert_subject_dn_rfc2253`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_subject_dn_rfc2253) field.
-- `cf-cert-issuer-dn-legacy`: Value from the [`cf.tls_client_auth.cert_issuer_dn_legacy`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_issuer_dn_legacy) field.
-- `cf-cert-subject-dn-legacy`: Value from the [`cf.tls_client_auth.cert_subject_dn_legacy`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_subject_dn_legacy) field.
-- `cf-cert-serial`: Value from the [`cf.tls_client_auth.cert_serial`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_serial) field.
-- `cf-cert-issuer-serial`: Value from the [`cf.tls_client_auth.cert_issuer_serial`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_issuer_serial) field.
-- `cf-cert-fingerprint-sha256`: Value from the [`cf.tls_client_auth.cert_fingerprint_sha256`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_fingerprint_sha256) field.
-- `cf-cert-fingerprint-sha1`: Value from the [`cf.tls_client_auth.cert_fingerprint_sha1`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_fingerprint_sha1) field.
-- `cf-cert-not-before`: Value from the [`cf.tls_client_auth.cert_not_before`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_not_before) field.
-- `cf-cert-not-after`: Value from the [`cf.tls_client_auth.cert_not_after`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_not_after) field.
-- `cf-cert-ski`: Value from the [`cf.tls_client_auth.cert_ski`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_ski) field.
-- `cf-cert-issuer-ski`: Value from the [`cf.tls_client_auth.cert_issuer_ski`](/ruleset-engine/rules-language/fields/dynamic-fields/#cftls_client_authcert_issuer_ski) field.
+- `cf-cert-revoked`: Value from the [`cf.tls_client_auth.cert_revoked`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_revoked/) field.
+- `cf-cert-verified`: Value from the [`cf.tls_client_auth.cert_verified`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_verified/) field.
+- `cf-cert-presented`: Value from the [`cf.tls_client_auth.cert_presented`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_presented/) field.
+- `cf-cert-issuer-dn`: Value from the [`cf.tls_client_auth.cert_issuer_dn`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_issuer_dn/) field.
+- `cf-cert-subject-dn`: Value from the [`cf.tls_client_auth.cert_subject_dn`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_subject_dn/) field.
+- `cf-cert-issuer-dn-rfc2253`: Value from the [`cf.tls_client_auth.cert_issuer_dn_rfc2253`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_issuer_dn_rfc2253/) field.
+- `cf-cert-subject-dn-rfc2253`: Value from the [`cf.tls_client_auth.cert_subject_dn_rfc2253`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_subject_dn_rfc2253/) field.
+- `cf-cert-issuer-dn-legacy`: Value from the [`cf.tls_client_auth.cert_issuer_dn_legacy`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_issuer_dn_legacy/) field.
+- `cf-cert-subject-dn-legacy`: Value from the [`cf.tls_client_auth.cert_subject_dn_legacy`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_subject_dn_legacy/) field.
+- `cf-cert-serial`: Value from the [`cf.tls_client_auth.cert_serial`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_serial/) field.
+- `cf-cert-issuer-serial`: Value from the [`cf.tls_client_auth.cert_issuer_serial`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_issuer_serial/) field.
+- `cf-cert-fingerprint-sha256`: Value from the [`cf.tls_client_auth.cert_fingerprint_sha256`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_fingerprint_sha256/) field.
+- `cf-cert-fingerprint-sha1`: Value from the [`cf.tls_client_auth.cert_fingerprint_sha1`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_fingerprint_sha1/) field.
+- `cf-cert-not-before`: Value from the [`cf.tls_client_auth.cert_not_before`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_not_before/) field.
+- `cf-cert-not-after`: Value from the [`cf.tls_client_auth.cert_not_after`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_not_after/) field.
+- `cf-cert-ski`: Value from the [`cf.tls_client_auth.cert_ski`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_ski/) field.
+- `cf-cert-issuer-ski`: Value from the [`cf.tls_client_auth.cert_issuer_ski`](/ruleset-engine/rules-language/fields/reference/cf.tls_client_auth.cert_issuer_ski/) field.
 
 ### Add visitor location headers
 
 Adds HTTP headers with location information for the visitor's IP address to the request sent to the origin server:
 
-- `cf-ipcity`: The visitor's city (value from the [`ip.src.city`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrccity) field).
-- `cf-ipcountry`: The visitor's country (value from the [`ip.src.country`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrccountry) field).
-- `cf-ipcontinent`: The visitor's continent (value from the [`ip.src.continent`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrccontinent) field).
-- `cf-iplongitude`: The visitor's longitude (value from the [`ip.src.lon`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrclon) field).
-- `cf-iplatitude`: The visitor's latitude (value from the [`ip.src.lat`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrclat) field).
-- `cf-region`: The visitor's region (value from the [`ip.src.region`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrcregion) field).
-- `cf-region-code`: The visitor's region code (value from the [`ip.src.region_code`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrcregion_code) field).
-- `cf-metro-code`: The visitor's metro code (value from the [`ip.src.metro_code`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrcmetro_code) field).
-- `cf-postal-code`: The visitor's postal code (value from the [`ip.src.postal_code`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrcpostal_code) field).
-- `cf-timezone`: The name of the visitor's timezone (value from the [`ip.src.timezone.name`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrctimezonename) field).
+- `cf-ipcity`: The visitor's city (value from the [`ip.src.city`](/ruleset-engine/rules-language/fields/reference/ip.src.city/) field).
+- `cf-ipcountry`: The visitor's country (value from the [`ip.src.country`](/ruleset-engine/rules-language/fields/reference/ip.src.country/) field).
+- `cf-ipcontinent`: The visitor's continent (value from the [`ip.src.continent`](/ruleset-engine/rules-language/fields/reference/ip.src.continent/) field).
+- `cf-iplongitude`: The visitor's longitude (value from the [`ip.src.lon`](/ruleset-engine/rules-language/fields/reference/ip.src.lon/) field).
+- `cf-iplatitude`: The visitor's latitude (value from the [`ip.src.lat`](/ruleset-engine/rules-language/fields/reference/ip.src.lat/) field).
+- `cf-region`: The visitor's region (value from the [`ip.src.region`](/ruleset-engine/rules-language/fields/reference/ip.src.region/) field).
+- `cf-region-code`: The visitor's region code (value from the [`ip.src.region_code`](/ruleset-engine/rules-language/fields/reference/ip.src.region_code/) field).
+- `cf-metro-code`: The visitor's metro code (value from the [`ip.src.metro_code`](/ruleset-engine/rules-language/fields/reference/ip.src.metro_code/) field).
+- `cf-postal-code`: The visitor's postal code (value from the [`ip.src.postal_code`](/ruleset-engine/rules-language/fields/reference/ip.src.postal_code/) field).
+- `cf-timezone`: The name of the visitor's timezone (value from the [`ip.src.timezone.name`](/ruleset-engine/rules-language/fields/reference/ip.src.timezone.name/) field).
 
 :::caution
 Turning on [IP geolocation](/network/ip-geolocation/) will send a `cf-ipcountry` HTTP header to your origin server even when **Add visitor location headers** is turned off.
diff --git a/src/content/docs/ruleset-engine/rules-language/functions.mdx b/src/content/docs/ruleset-engine/rules-language/functions.mdx
index 3cf94fdef440359..59657c6db1f6f2c 100644
--- a/src/content/docs/ruleset-engine/rules-language/functions.mdx
+++ b/src/content/docs/ruleset-engine/rules-language/functions.mdx
@@ -354,7 +354,7 @@ any(url_decode(http.request.body.form.values[*])[*] contains "an xss attack")
 {/* prettier-ignore */}
 <code>uuidv4(source <Type text="Bytes" />)</code>: <Type text="String" />
 
-Generates a random UUIDv4 (Universally Unique Identifier, version 4) based on the given argument (a source of randomness). To obtain an array of random bytes, use the [`cf.random_seed`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfrandom_seed) field.
+Generates a random UUIDv4 (Universally Unique Identifier, version 4) based on the given argument (a source of randomness). To obtain an array of random bytes, use the [`cf.random_seed`](/ruleset-engine/rules-language/fields/reference/cf.random_seed/) field.
 
 For example, `uuidv4(cf.random_seed)` will return a UUIDv4 similar to `49887398-6bcf-485f-8899-f15dbef4d1d5`.
 
diff --git a/src/content/docs/ruleset-engine/rules-language/values.mdx b/src/content/docs/ruleset-engine/rules-language/values.mdx
index 854d855c9e347aa..832708c6dd4bb2a 100644
--- a/src/content/docs/ruleset-engine/rules-language/values.mdx
+++ b/src/content/docs/ruleset-engine/rules-language/values.mdx
@@ -184,7 +184,7 @@ any(http.request.headers["accept"][*] == "application/json") # ==> true
 any(http.request.headers["accept"][*] == "text/plain")       # ==> false
 ```
 
-The following example is based on the [`http.request.uri.args`](/ruleset-engine/rules-language/fields/uri/#httprequesturiargs) field with a data type of `Map<Array<String>>`, where array elements are of `String` data type.
+The following example is based on the [`http.request.uri.args`](/ruleset-engine/rules-language/fields/reference/http.request.uri.args/) field with a data type of `Map<Array<String>>`, where array elements are of `String` data type.
 
 If an HTTP request included three `filter` URI arguments `waf`, `botm`, and `cdn`, the following expressions would evaluate to the indicated values:
 
diff --git a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx
index 164127a025db588..3a712a5b7e9186e 100644
--- a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-specific-countries.mdx
@@ -3,7 +3,7 @@ pcx_content_type: configuration
 title: Allow traffic from specific countries only
 ---
 
-This example blocks requests based on country code using the [`ip.src.country`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrccountry) field, only allowing requests from two countries: United States and Mexico.
+This example blocks requests based on country code using the [`ip.src.country`](/ruleset-engine/rules-language/fields/reference/ip.src.country/) field, only allowing requests from two countries: United States and Mexico.
 
 - **Expression**: `(not ip.src.country in {"US" "MX"})`
 - **Action**: _Block_
diff --git a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-verified-bots.mdx b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-verified-bots.mdx
index d02d6026b6cc252..1af3b3320fb6c96 100644
--- a/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-verified-bots.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/allow-traffic-from-verified-bots.mdx
@@ -8,7 +8,7 @@ head:
 
 This example challenges requests from a list of countries, but allows traffic from search engine bots — such as Googlebot and Bingbot — and from other [verified bots](/bots/concepts/bot/#verified-bots).
 
-The rule expression uses the [`cf.client.bot`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfclientbot) field to determine if the request originated from a known good bot or crawler.
+The rule expression uses the [`cf.client.bot`](/ruleset-engine/rules-language/fields/reference/cf.client.bot/) field to determine if the request originated from a known good bot or crawler.
 
 - **Expression**: `(ip.src.country in {"US" "MX"} and not cf.client.bot)`
 - **Action**: _Managed Challenge_
diff --git a/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx b/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx
index c086ffb10947a9b..f0c7fa25d16450a 100644
--- a/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/block-traffic-from-specific-countries.mdx
@@ -3,7 +3,7 @@ pcx_content_type: configuration
 title: Block traffic from specific countries
 ---
 
-This example blocks requests based on country code using the [`ip.src.country`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrccountry) field.
+This example blocks requests based on country code using the [`ip.src.country`](/ruleset-engine/rules-language/fields/reference/ip.src.country/) field.
 
 - **Expression**: `(ip.src.country in {"KN" "SY"})`
 - **Action**: _Block_
diff --git a/src/content/docs/waf/custom-rules/use-cases/challenge-bad-bots.mdx b/src/content/docs/waf/custom-rules/use-cases/challenge-bad-bots.mdx
index 3f95eda99b119cc..46b102962745a6f 100644
--- a/src/content/docs/waf/custom-rules/use-cases/challenge-bad-bots.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/challenge-bad-bots.mdx
@@ -13,9 +13,9 @@ Bot score ranges from 1 through 99. A low score indicates the request comes from
 
 These examples use:
 
-- [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfbot_managementscore) to target requests from bots
-- [`cf.bot_management.verified_bot`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfbot_managementverified_bot) to identify requests from [known good bots](https://radar.cloudflare.com/verified-bots)
-- [`cf.bot_management.ja3_hash`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfbot_managementja3_hash) to target specific [JA3 Fingerprints](/bots/concepts/ja3-ja4-fingerprint/)
+- [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/reference/cf.bot_management.score/) to target requests from bots
+- [`cf.bot_management.verified_bot`](/ruleset-engine/rules-language/fields/reference/cf.bot_management.verified_bot/) to identify requests from [known good bots](https://radar.cloudflare.com/verified-bots)
+- [`cf.bot_management.ja3_hash`](/ruleset-engine/rules-language/fields/reference/cf.bot_management.ja3_hash/) to target specific [JA3 Fingerprints](/bots/concepts/ja3-ja4-fingerprint/)
 
 ## Suggested rules
 
diff --git a/src/content/docs/waf/custom-rules/use-cases/exempt-partners-hotlink-protection.mdx b/src/content/docs/waf/custom-rules/use-cases/exempt-partners-hotlink-protection.mdx
index 90531304e62afbd..bce35e011ce980c 100644
--- a/src/content/docs/waf/custom-rules/use-cases/exempt-partners-hotlink-protection.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/exempt-partners-hotlink-protection.mdx
@@ -9,7 +9,7 @@ When enabled, [Cloudflare Hotlink Protection](/waf/tools/scrape-shield/hotlink-p
 
 You can use custom rules to protect against hotlinking while allowing inline links from your partners. In this case, you will need to disable [Hotlink Protection](/waf/tools/scrape-shield/hotlink-protection/) within the **Scrape Shield** app so that partner referrals are not blocked by that feature.
 
-This example uses the [`http.referer`](/ruleset-engine/rules-language/fields/standard-fields/#httpreferer) field to target HTTP referrals from partner sites.
+This example uses the [`http.referer`](/ruleset-engine/rules-language/fields/reference/http.referer/) field to target HTTP referrals from partner sites.
 
 The `not` operator matches HTTP referrals that are not from partner sites, and the action blocks them:
 
diff --git a/src/content/docs/waf/custom-rules/use-cases/require-specific-cookie.mdx b/src/content/docs/waf/custom-rules/use-cases/require-specific-cookie.mdx
index cec213b9d947ad1..a215f4157b9bb92 100644
--- a/src/content/docs/waf/custom-rules/use-cases/require-specific-cookie.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/require-specific-cookie.mdx
@@ -5,7 +5,7 @@ title: Require a specific cookie
 
 To secure a sensitive area such as a development area, you can share a cookie with trusted individuals and then filter requests so that only users with that cookie can access your site.
 
-Use the [`http.cookie`](/ruleset-engine/rules-language/fields/standard-fields/#httpcookie) field to target requests based on the presence of a specific cookie.
+Use the [`http.cookie`](/ruleset-engine/rules-language/fields/reference/http.cookie/) field to target requests based on the presence of a specific cookie.
 
 This example comprises two rules:
 
diff --git a/src/content/docs/waf/custom-rules/use-cases/require-specific-http-ports.mdx b/src/content/docs/waf/custom-rules/use-cases/require-specific-http-ports.mdx
index 505fa7ef299fc24..e8c4c18a0d259c9 100644
--- a/src/content/docs/waf/custom-rules/use-cases/require-specific-http-ports.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/require-specific-http-ports.mdx
@@ -7,7 +7,7 @@ import { Render } from "~/components";
 
 By default, Cloudflare allows requests on a [number of different HTTP ports](/fundamentals/reference/network-ports/).
 
-You can target requests based on their HTTP port with the [`cf.edge.server_port`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfedgeserver_port) field. Use the `in` [comparison operator](/ruleset-engine/rules-language/operators/#comparison-operators) to target a set of ports.
+You can target requests based on their HTTP port with the [`cf.edge.server_port`](/ruleset-engine/rules-language/fields/reference/cf.edge.server_port/) field. Use the `in` [comparison operator](/ruleset-engine/rules-language/operators/#comparison-operators) to target a set of ports.
 
 This example blocks requests to `www.example.com` that are not on ports `80` or `443`:
 
diff --git a/src/content/docs/waf/custom-rules/use-cases/stop-rudy-attacks.mdx b/src/content/docs/waf/custom-rules/use-cases/stop-rudy-attacks.mdx
index 141bf271b511839..a9e9e6fb2c66ce3 100644
--- a/src/content/docs/waf/custom-rules/use-cases/stop-rudy-attacks.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/stop-rudy-attacks.mdx
@@ -7,7 +7,7 @@ R-U-Dead-Yet (R.U.D.Y.) attacks accomplish denial of service (DoS) by submitting
 
 This example combines three expressions to target HTTP `POST` requests that do not contain a legitimate authenticated session cookie:
 
-- The first expression uses the [`http.request.uri.path`](/ruleset-engine/rules-language/fields/standard-fields/#httprequesturipath) field to target the paths to secure from R.U.D.Y.:
+- The first expression uses the [`http.request.uri.path`](/ruleset-engine/rules-language/fields/reference/http.request.uri.path/) field to target the paths to secure from R.U.D.Y.:
 
   ```txt
   http.request.uri.path matches "(comment|conversation|event|poll)/create"
diff --git a/src/content/docs/waf/custom-rules/use-cases/update-rules-customers-partners.mdx b/src/content/docs/waf/custom-rules/use-cases/update-rules-customers-partners.mdx
index e7b2bc70520c1e1..6bd23643d1972d0 100644
--- a/src/content/docs/waf/custom-rules/use-cases/update-rules-customers-partners.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/update-rules-customers-partners.mdx
@@ -22,8 +22,8 @@ If a customer or partner is large enough, you could set up a custom rule based o
 
 This example uses:
 
-- The [`ip.src.asnum`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrcasnum) field to specify the general region.
-- The [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfbot_managementscore) field to ensure partner traffic does not come from bots.
+- The [`ip.src.asnum`](/ruleset-engine/rules-language/fields/reference/ip.src.asnum/) field to specify the general region.
+- The [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/reference/cf.bot_management.score/) field to ensure partner traffic does not come from bots.
 
 Example rule:
 
@@ -39,8 +39,8 @@ Access to [Bot Management](/bots/plans/bm-subscription/) requires a Cloudflare E
 
 This example uses:
 
-- The [`ip.src.asnum`](/ruleset-engine/rules-language/fields/standard-fields/#ipsrcasnum) field to specify the general region.
-- The [`cf.threat_score`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfthreat_score) dynamic field to ensure requests are not high-risk traffic.
+- The [`ip.src.asnum`](/ruleset-engine/rules-language/fields/reference/ip.src.asnum/) field to specify the general region.
+- The [`cf.threat_score`](/ruleset-engine/rules-language/fields/reference/cf.threat_score/) dynamic field to ensure requests are not high-risk traffic.
 
 If a request meets these criteria, your custom rule skips [User Agent Blocking](/waf/tools/user-agent-blocking/) rules.
 
@@ -57,7 +57,7 @@ For smaller organizations, you could set up custom rules based on IP addresses.
 This example:
 
 - Specifies the source IP address and the host.
-- Uses the [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfbot_managementscore) field to ensure requests are not high-risk traffic.
+- Uses the [`cf.bot_management.score`](/ruleset-engine/rules-language/fields/reference/cf.bot_management.score/) field to ensure requests are not high-risk traffic.
 
 Example rule:
 
diff --git a/src/content/docs/waf/detections/attack-score.mdx b/src/content/docs/waf/detections/attack-score.mdx
index a36c824d67b9fa2..b6fdb0e8dd2045e 100644
--- a/src/content/docs/waf/detections/attack-score.mdx
+++ b/src/content/docs/waf/detections/attack-score.mdx
@@ -26,11 +26,11 @@ The Cloudflare WAF provides the following attack score fields:
 
 | Score                  | Data type | Minimum plan required | Attack vector               | Field                                                                                         |
 | ---------------------- | --------- | --------------------- | --------------------------- | --------------------------------------------------------------------------------------------- |
-| WAF Attack Score       | Number    | Enterprise            | N/A (global score)          | [`cf.waf.score`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscore)            |
-| WAF SQLi Attack Score  | Number    | Enterprise            | SQL injection (SQLi)        | [`cf.waf.score.sqli`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscoresqli)   |
-| WAF XSS Attack Score   | Number    | Enterprise            | Cross-site scripting (XSS)  | [`cf.waf.score.xss`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscorexss)     |
-| WAF RCE Attack Score   | Number    | Enterprise            | Remote Code Execution (RCE) | [`cf.waf.score.rce`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscorerce)     |
-| WAF Attack Score Class | String    | Business              | N/A (global classification) | [`cf.waf.score.class`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafscoreclass) |
+| WAF Attack Score       | Number    | Enterprise            | N/A (global score)          | [`cf.waf.score`](/ruleset-engine/rules-language/fields/reference/cf.waf.score/)            |
+| WAF SQLi Attack Score  | Number    | Enterprise            | SQL injection (SQLi)        | [`cf.waf.score.sqli`](/ruleset-engine/rules-language/fields/reference/cf.waf.score.sqli/)   |
+| WAF XSS Attack Score   | Number    | Enterprise            | Cross-site scripting (XSS)  | [`cf.waf.score.xss`](/ruleset-engine/rules-language/fields/reference/cf.waf.score.xss/)     |
+| WAF RCE Attack Score   | Number    | Enterprise            | Remote Code Execution (RCE) | [`cf.waf.score.rce`](/ruleset-engine/rules-language/fields/reference/cf.waf.score.rce/)     |
+| WAF Attack Score Class | String    | Business              | N/A (global classification) | [`cf.waf.score.class`](/ruleset-engine/rules-language/fields/reference/cf.waf.score.class/) |
 
 You can use these fields in expressions of [custom rules](/waf/custom-rules/) and [rate limiting rules](/waf/rate-limiting-rules/). Attack score fields of data type `Number` vary between `1` and `99` with the following meaning:
 
diff --git a/src/content/docs/waf/detections/leaked-credentials/index.mdx b/src/content/docs/waf/detections/leaked-credentials/index.mdx
index 3fd95e2c78db6cc..d948e30330d8241 100644
--- a/src/content/docs/waf/detections/leaked-credentials/index.mdx
+++ b/src/content/docs/waf/detections/leaked-credentials/index.mdx
@@ -75,11 +75,11 @@ When specifying a custom detection location, only the location of the username f
 Expressions used to specify custom detection locations can include the following fields and functions:
 
 - Fields:
-  - [`http.request.body.form`](/ruleset-engine/rules-language/fields/http-request-body/#httprequestbodyform)
-  - [`http.request.body.multipart`](/ruleset-engine/rules-language/fields/http-request-body/#httprequestbodymultipart)
-  - [`http.request.body.raw`](/ruleset-engine/rules-language/fields/http-request-body/#httprequestbodyraw)
-  - [`http.request.headers`](/ruleset-engine/rules-language/fields/http-request-header/#httprequestheaders)
-  - [`http.request.uri.query`](/ruleset-engine/rules-language/fields/standard-fields/#httprequesturiquery)
+  - [`http.request.body.form`](/ruleset-engine/rules-language/fields/reference/http.request.body.form/)
+  - [`http.request.body.multipart`](/ruleset-engine/rules-language/fields/reference/http.request.body.multipart/)
+  - [`http.request.body.raw`](/ruleset-engine/rules-language/fields/reference/http.request.body.raw/)
+  - [`http.request.headers`](/ruleset-engine/rules-language/fields/reference/http.request.headers/)
+  - [`http.request.uri.query`](/ruleset-engine/rules-language/fields/reference/http.request.uri.query/)
 - Functions:
   - [`lookup_json_string()`](/ruleset-engine/rules-language/functions/#lookup_json_string)
   - [`url_decode()`](/ruleset-engine/rules-language/functions/#url_decode)
@@ -96,8 +96,8 @@ For instructions on configuring a custom detection location, refer to [Get start
 | Similar Password Leaked     | [`cf.waf.credential_check.username_password_similar`][4]    | Enterprise plan    |
 | Authentication detected     | [`cf.waf.auth_detected`][5]                                 | Enterprise plan    |
 
-[1]: /ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcredential_checkpassword_leaked
-[2]: /ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcredential_checkusername_and_password_leaked
-[3]: /ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcredential_checkusername_leaked
-[4]: /ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcredential_checkusername_password_similar
-[5]: /ruleset-engine/rules-language/fields/dynamic-fields/#cfwafauth_detected
+[1]: /ruleset-engine/rules-language/fields/reference/cf.waf.credential_check.password_leaked/
+[2]: /ruleset-engine/rules-language/fields/reference/cf.waf.credential_check.username_and_password_leaked/
+[3]: /ruleset-engine/rules-language/fields/reference/cf.waf.credential_check.username_leaked/
+[4]: /ruleset-engine/rules-language/fields/reference/cf.waf.credential_check.username_password_similar/
+[5]: /ruleset-engine/rules-language/fields/reference/cf.waf.auth_detected/
diff --git a/src/content/docs/waf/detections/malicious-uploads/index.mdx b/src/content/docs/waf/detections/malicious-uploads/index.mdx
index 8058c6fda9434ca..6f21a355c2a2a62 100644
--- a/src/content/docs/waf/detections/malicious-uploads/index.mdx
+++ b/src/content/docs/waf/detections/malicious-uploads/index.mdx
@@ -77,13 +77,13 @@ When content scanning is enabled, you can use the following fields in WAF rules:
 
 | Field name in the dashboard                                                                | Field name in expressions                                                                                                           |
 | ------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------- |
-| Has content object                                                                         | [`cf.waf.content_scan.has_obj`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanhas_obj)                     |
-| Has malicious content object                                                               | [`cf.waf.content_scan.has_malicious_obj`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanhas_malicious_obj) |
-| Number of malicious content objects                                                        | [`cf.waf.content_scan.num_malicious_obj`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scannum_malicious_obj) |
-| Content scan has failed                                                                    | [`cf.waf.content_scan.has_failed`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanhas_failed)               |
-| Number of content objects                                                                  | [`cf.waf.content_scan.num_obj`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scannum_obj)                     |
-| Content object size (in bytes)                                                             | [`cf.waf.content_scan.obj_sizes`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanobj_sizes)                 |
-| Content object type                                                                        | [`cf.waf.content_scan.obj_types`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanobj_types)                 |
-| Content object result<br/>Values: `clean`, `suspicious`,<br/>`infected`, and `not scanned` | [`cf.waf.content_scan.obj_results`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanobj_results)             |
+| Has content object                                                                         | [`cf.waf.content_scan.has_obj`](/ruleset-engine/rules-language/fields/reference/cf.waf.content_scan.has_obj/)                     |
+| Has malicious content object                                                               | [`cf.waf.content_scan.has_malicious_obj`](/ruleset-engine/rules-language/fields/reference/cf.waf.content_scan.has_malicious_obj/) |
+| Number of malicious content objects                                                        | [`cf.waf.content_scan.num_malicious_obj`](/ruleset-engine/rules-language/fields/reference/cf.waf.content_scan.num_malicious_obj/) |
+| Content scan has failed                                                                    | [`cf.waf.content_scan.has_failed`](/ruleset-engine/rules-language/fields/reference/cf.waf.content_scan.has_failed/)               |
+| Number of content objects                                                                  | [`cf.waf.content_scan.num_obj`](/ruleset-engine/rules-language/fields/reference/cf.waf.content_scan.num_obj/)                     |
+| Content object size (in bytes)                                                             | [`cf.waf.content_scan.obj_sizes`](/ruleset-engine/rules-language/fields/reference/cf.waf.content_scan.obj_sizes/)                 |
+| Content object type                                                                        | [`cf.waf.content_scan.obj_types`](/ruleset-engine/rules-language/fields/reference/cf.waf.content_scan.obj_types/)                 |
+| Content object result<br/>Values: `clean`, `suspicious`,<br/>`infected`, and `not scanned` | [`cf.waf.content_scan.obj_results`](/ruleset-engine/rules-language/fields/reference/cf.waf.content_scan.obj_results/)             |
 
 For examples of rule expressions using these fields, refer to [Example rules](/waf/detections/malicious-uploads/example-rules/).
diff --git a/src/content/docs/waf/rate-limiting-rules/best-practices.mdx b/src/content/docs/waf/rate-limiting-rules/best-practices.mdx
index 13bcbebe35e37f0..c53bb3622be2905 100644
--- a/src/content/docs/waf/rate-limiting-rules/best-practices.mdx
+++ b/src/content/docs/waf/rate-limiting-rules/best-practices.mdx
@@ -224,7 +224,7 @@ _This example rule requires Advanced Rate Limiting and payload inspection._
 
 :::note
 
-If the request body is not JSON, you can use the [`http.request.body.raw`](/ruleset-engine/rules-language/fields/http-request-body/#httprequestbodyraw) field and regular expressions (along with the [`matches` operator](/ruleset-engine/rules-language/operators/#comparison-operators)) to achieve the same goal.
+If the request body is not JSON, you can use the [`http.request.body.raw`](/ruleset-engine/rules-language/fields/reference/http.request.body.raw/) field and regular expressions (along with the [`matches` operator](/ruleset-engine/rules-language/operators/#comparison-operators)) to achieve the same goal.
 :::
 
 ### Limit requests from bots
diff --git a/src/content/partials/rules/transform/header-modification-fields.mdx b/src/content/partials/rules/transform/header-modification-fields.mdx
index a65f6dc490d559a..4f9bb6e21049a63 100644
--- a/src/content/partials/rules/transform/header-modification-fields.mdx
+++ b/src/content/partials/rules/transform/header-modification-fields.mdx
@@ -40,11 +40,11 @@
 - `ip.src.subdivision_2_iso_code`
 - `ssl`
 
-Refer to [Fields](/ruleset-engine/rules-language/fields/) for reference information on these fields.
+Refer to [Fields](/ruleset-engine/rules-language/fields/reference/) for reference information on these fields.
 
 :::caution[Important]
 
-- To obtain the value of an HTTP request header using the [`http.request.headers`](/ruleset-engine/rules-language/fields/http-request-header/#httprequestheaders) field, specify the header name in **lowercase**. For example, to get the first value of the `Accept-Encoding` request header in an expression, use: `http.request.headers["accept-encoding"][0]`.
+- To obtain the value of an HTTP request header using the [`http.request.headers`](/ruleset-engine/rules-language/fields/reference/http.request.headers/) field, specify the header name in **lowercase**. For example, to get the first value of the `Accept-Encoding` request header in an expression, use: `http.request.headers["accept-encoding"][0]`.
 
 - Use the `to_string()` function to get the string representation of a non-string value like an Integer value. For example, `to_string(cf.bot_management.score)`.
 
diff --git a/src/content/partials/rules/transform/transform-phase-fields.mdx b/src/content/partials/rules/transform/transform-phase-fields.mdx
index 146cbb3a5d1f0a9..9fecbb468afc30c 100644
--- a/src/content/partials/rules/transform/transform-phase-fields.mdx
+++ b/src/content/partials/rules/transform/transform-phase-fields.mdx
@@ -39,11 +39,11 @@
 - `ip.src.subdivision_2_iso_code`
 - `ssl`
 
-Refer to [Fields](/ruleset-engine/rules-language/fields/) for reference information on these fields.
+Refer to [Fields](/ruleset-engine/rules-language/fields/reference/) for reference information on these fields.
 
 :::caution[Important]
 
-- To obtain the value of an HTTP request header using the [`http.request.headers`](/ruleset-engine/rules-language/fields/http-request-header/#httprequestheaders) field, specify the header name in **lowercase**. For example, to get the first value of the `Accept-Encoding` request header in an expression, use: `http.request.headers["accept-encoding"][0]`.
+- To obtain the value of an HTTP request header using the [`http.request.headers`](/ruleset-engine/rules-language/fields/reference/http.request.headers/) field, specify the header name in **lowercase**. For example, to get the first value of the `Accept-Encoding` request header in an expression, use: `http.request.headers["accept-encoding"][0]`.
 
 - Use the `to_string()` function to get the string representation of a non-string value like an Integer value.
 
diff --git a/src/content/partials/waf/rate-limiting-availability-by-plan.mdx b/src/content/partials/waf/rate-limiting-availability-by-plan.mdx
index b92a6605381df8c..81eddbfed8cdf3c 100644
--- a/src/content/partials/waf/rate-limiting-availability-by-plan.mdx
+++ b/src/content/partials/waf/rate-limiting-availability-by-plan.mdx
@@ -4,7 +4,7 @@
 
 | Feature                                     | Free                                                                                                     | Pro                                            | Business                                                                      | Enterprise with app security                                                                                                                                                                                                                                                                              | Enterprise with Advanced Rate Limiting                                                                                                                                                                                                                                                                                                                                                                 |
 | ------------------------------------------- | -------------------------------------------------------------------------------------------------------- | ---------------------------------------------- | ----------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| Available fields<br/>in rule expression     | Path, [Verified Bot](/ruleset-engine/rules-language/fields/dynamic-fields/#cfbot_managementverified_bot) | Host, URI, Path, Full URI, Query, Verified Bot | Host, URI, Path, Full URI, Query, Method, Source IP, User Agent, Verified Bot | [Standard fields](/ruleset-engine/rules-language/fields/standard-fields/), [request header fields](/ruleset-engine/rules-language/fields/http-request-header/), [dynamic fields](/ruleset-engine/rules-language/fields/dynamic-fields/) (including Verified Bot), other Bot Management fields<sup>1</sup> | [Standard fields](/ruleset-engine/rules-language/fields/standard-fields/), [request header fields](/ruleset-engine/rules-language/fields/http-request-header/), [dynamic fields](/ruleset-engine/rules-language/fields/dynamic-fields/) (including Verified Bot), other Bot Management fields<sup>1</sup>, [request body fields](/ruleset-engine/rules-language/fields/http-request-body/)<sup>2</sup> |
+| Available fields<br/>in rule expression     | Path, [Verified Bot](/ruleset-engine/rules-language/fields/reference/cf.bot_management.verified_bot/) | Host, URI, Path, Full URI, Query, Verified Bot | Host, URI, Path, Full URI, Query, Method, Source IP, User Agent, Verified Bot | General request fields, request header fields, Verified Bot, Bot Management fields<sup>1</sup> | General request fields, request header fields, Verified Bot, Bot Management fields<sup>1</sup>, request body fields<sup>2</sup> |
 | Counting characteristics                    | IP                                                                                                       | IP                                             | IP                                                                            | IP, IP with NAT support                                                                                                                                                                                                                                                                                   | IP, IP with NAT support, Query, Host, Headers, Cookie, ASN, Country, Path, JA3/JA4 Fingerprint<sup>1</sup>, JSON field value<sup>2</sup>, Body<sup>2</sup>, Form input value<sup>2</sup>, Custom                                                                                                                                                                                                       |
 | Available fields<br/>in counting expression | N/A                                                                                                      | N/A                                            | All rule expression fields, Response code, Response headers                   | All rule expression fields, Response code, Response headers                                                                                                                                                                                                                                               | All rule expression fields, Response code, Response headers                                                                                                                                                                                                                                                                                                                                            |
 | Counting model                              | Number of requests                                                                                       | Number of requests                             | Number of requests                                                            | Number of requests                                                                                                                                                                                                                                                                                        | Number of requests,<br/>[complexity score](/waf/rate-limiting-rules/request-rate/#complexity-based-rate-limiting)                                                                                                                                                                                                                                                                                      |

From 74782fb27f16a0612c2faea18c7272abe89d681c Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Tue, 14 Jan 2025 18:14:51 +0000
Subject: [PATCH 36/45] Manual link updates (point to reference when
 appropriate)

---
 .../docs/cache/how-to/cache-rules/settings.mdx     | 14 +++++++-------
 .../managed-rulesets/http/override-expressions.mdx |  2 +-
 .../network/override-expressions.mdx               |  4 ++--
 .../cf-dashboard/create-edit-delete-rules.mdx      |  2 +-
 .../load-balancing-rules/reference.mdx             |  2 +-
 .../docs/rules/reference/troubleshooting.mdx       |  2 +-
 .../url-rewrite/reference/fields-functions.mdx     |  2 +-
 .../url-forwarding/bulk-redirects/concepts.mdx     |  2 +-
 .../url-forwarding/single-redirects/settings.mdx   |  2 +-
 src/content/docs/ruleset-engine/about/rules.mdx    |  4 ++--
 .../ruleset-engine/rules-language/functions.mdx    |  2 +-
 .../docs/ruleset-engine/rules-language/values.mdx  |  2 +-
 .../rate-limiting-rulesets/create-dashboard.mdx    |  2 +-
 .../use-cases/require-specific-headers.mdx         |  2 +-
 .../rate-limiting-rules/create-zone-dashboard.mdx  |  2 +-
 .../docs/waf/rate-limiting-rules/parameters.mdx    |  4 ++--
 src/content/docs/waf/tools/lists/custom-lists.mdx  | 10 +++++-----
 .../waiting-room-rules/bypass-rules.mdx            |  9 +++------
 src/content/partials/bots/firewall-variables.mdx   |  2 +-
 19 files changed, 34 insertions(+), 37 deletions(-)

diff --git a/src/content/docs/cache/how-to/cache-rules/settings.mdx b/src/content/docs/cache/how-to/cache-rules/settings.mdx
index 07effd41bb0645e..b83893e312f35f2 100644
--- a/src/content/docs/cache/how-to/cache-rules/settings.mdx
+++ b/src/content/docs/cache/how-to/cache-rules/settings.mdx
@@ -30,11 +30,11 @@ The fields available for Cache Rule matching expressions in the Expression Build
 * Request Headers - `http.request.headers`
 * Cookie value of - `http.request.cookies`
 
-For a list of all available fields refer to [Fields](/ruleset-engine/rules-language/fields/).
+For a list of all available fields refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/).
 
 :::note
 
-Not all fields are available as a trigger for Cache Rules due to incompatibility with [Purge](/cache/how-to/purge-cache/). 
+Not all fields are available as a trigger for Cache Rules due to incompatibility with [Purge](/cache/how-to/purge-cache/).
 :::
 
 ## Operators
@@ -56,7 +56,7 @@ The operators available for Cache Rule expressions are:
 
 :::note
 
-Not all operators are available for every selected field. 
+Not all operators are available for every selected field.
 :::
 
 ## Cache eligibility
@@ -73,7 +73,7 @@ When you select **Eligible for cache**, you can change the configuration setting
 
 :::note
 
-If you use cache rules, image transformations, and zone versioning simultaneously, some settings may not be applied correctly. 
+If you use cache rules, image transformations, and zone versioning simultaneously, some settings may not be applied correctly.
 :::
 
 #### Edge TTL
@@ -84,7 +84,7 @@ Edge Cache TTL refers to the maximum cache time-to-live (TTL), or how long an as
 * **Use cache-control header if present, use default Cloudflare caching behavior if not**: If a cache-control header is present on the response, follow its directives. If not, cache in accordance with our [default edge TTL settings](/cache/how-to/configure-cache-status-code/#edge-ttl).
 * **Ignore cache-control header and use this TTL**: Completely ignore any cache-control header on the response and instead cache the response for a duration specified in the timing dropdown.
 
-Additionally, you can select how long you would like a particular matching status code’s content to be cached in Cloudflare’s global network. In **Status Code TTL** section you can define the TTL duration for one or more status codes of responses from the origin server. This setting can be applied to a *Single code* status code, to a *Greater than or equal* or *Less than or equal* status code, or to a *Range* of status codes. Status code TTLs are similar to **Ignore cache-control header and use this TTL** in that the cache-control header on the response will be ignored in favor of the TTL specified by the cache rule. For more information, refer to [Status code TTL](/cache/how-to/configure-cache-status-code/).
+Additionally, you can select how long you would like a particular matching status code's content to be cached in Cloudflare's global network. In **Status Code TTL** section you can define the TTL duration for one or more status codes of responses from the origin server. This setting can be applied to a *Single code* status code, to a *Greater than or equal* or *Less than or equal* status code, or to a *Range* of status codes. Status code TTLs are similar to **Ignore cache-control header and use this TTL** in that the cache-control header on the response will be ignored in favor of the TTL specified by the cache rule. For more information, refer to [Status code TTL](/cache/how-to/configure-cache-status-code/).
 
 
 <Details header="API information">
@@ -256,7 +256,7 @@ This rule can also be used to specify Cache Reserve eligibility for website reso
 
 :::note
 
-Cloudflare will still enforce the plan-based [cacheable file limits](/cache/concepts/default-cache-behavior/#customization-options-and-limits) when using this configuration. 
+Cloudflare will still enforce the plan-based [cacheable file limits](/cache/concepts/default-cache-behavior/#customization-options-and-limits) when using this configuration.
 :::
 
 <Details header="API information">
@@ -290,7 +290,7 @@ Cloudflare supports several [network ports](/fundamentals/reference/network-port
 
 :::note
 
-Cloudflare supports many ports by default and will cache on them without needing this rule to be configured. For ports that Cloudflare supports, but for which caching is disabled, use this rule. 
+Cloudflare supports many ports by default and will cache on them without needing this rule to be configured. For ports that Cloudflare supports, but for which caching is disabled, use this rule.
 :::
 
 
diff --git a/src/content/docs/ddos-protection/managed-rulesets/http/override-expressions.mdx b/src/content/docs/ddos-protection/managed-rulesets/http/override-expressions.mdx
index 4090ada36803e16..60466dcc19f0b56 100644
--- a/src/content/docs/ddos-protection/managed-rulesets/http/override-expressions.mdx
+++ b/src/content/docs/ddos-protection/managed-rulesets/http/override-expressions.mdx
@@ -43,4 +43,4 @@ You can use the following fields in override expressions:
 - `ssl`
 - `cf.tls_client_auth.cert_verified`
 
-Refer to [Fields](/ruleset-engine/rules-language/fields/) in the Rules language documentation for more information.
+Refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/) in the Rules language documentation for more information.
diff --git a/src/content/docs/ddos-protection/managed-rulesets/network/override-expressions.mdx b/src/content/docs/ddos-protection/managed-rulesets/network/override-expressions.mdx
index 90d97511d01f398..e8afc28f7d3afaa 100644
--- a/src/content/docs/ddos-protection/managed-rulesets/network/override-expressions.mdx
+++ b/src/content/docs/ddos-protection/managed-rulesets/network/override-expressions.mdx
@@ -34,11 +34,11 @@ You can use the following fields in override expressions:
 - `udp.srcport`
 - `udp.dstport`
 
-Refer to [Fields](/ruleset-engine/rules-language/fields/) in the Rules language documentation for more information.
+Refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/) in the Rules language documentation for more information.
 
 ## Important remarks
 
 - Each expression is limited to 4,000 characters, which means you can enter approximately a maximum of 200 IP addresses in a single expression. However, you can enter IP addresses in CIDR format, which allows you to include a larger number of IP addresses. For example, you can use `192.0.0.0/24` to match IP addresses from `192.0.0.0` to `192.0.0.255`.
 - An expression is not an <GlossaryTooltip term="allowlist">allowlist</GlossaryTooltip> and does not become part of the attack fingerprint. The expression applies to the scope of the override and is used right before applying a mitigation action, to determine if the sensitivity level and action need to be adjusted.<br/>
-  
+
   For example, if you have an expression matching <GlossaryTooltip term="data packet">packets</GlossaryTooltip> with a specific source IP address and the override sets the sensitivity level to low, this override will only lower the sensitivity level for traffic that comes directly from that source IP address. If the DDoS protection system detects an attack coming from many source IP addresses targeted at a single destination IP and port, the generated fingerprint will only match the common criteria of the attack which, in this example, does not include the source IP address. The system will trigger the required mitigation actions at the default high sensitivity level because the traffic did not come from the user-provided source IP address. Therefore, traffic from the source IP in the override expression may still be blocked because the fingerprint only contains the destination IP address and port of the attack.
diff --git a/src/content/docs/firewall/cf-dashboard/create-edit-delete-rules.mdx b/src/content/docs/firewall/cf-dashboard/create-edit-delete-rules.mdx
index 7f2eb685020d425..15004ab803fedfb 100644
--- a/src/content/docs/firewall/cf-dashboard/create-edit-delete-rules.mdx
+++ b/src/content/docs/firewall/cf-dashboard/create-edit-delete-rules.mdx
@@ -32,7 +32,7 @@ When an incoming HTTP request matches a firewall rule expression, Cloudflare per
 
 4. In the **Create firewall rule** page that displays, use the **Rule name** input to supply a descriptive name.
 
-5. Under **When incoming requests match**, use the **Field** drop-down list to choose an HTTP property (refer to [Fields reference](/ruleset-engine/rules-language/fields/) for details). For each request, the value of the property you choose for **Field** is compared to the value you specify for **Value**.
+5. Under **When incoming requests match**, use the **Field** drop-down list to choose an HTTP property (refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/) for details). For each request, the value of the property you choose for **Field** is compared to the value you specify for **Value**.
 
    Alternatively, use the [Expression Editor](/ruleset-engine/rules-language/expressions/edit-expressions/#expression-editor) to define the rule expression.
 
diff --git a/src/content/docs/load-balancing/additional-options/load-balancing-rules/reference.mdx b/src/content/docs/load-balancing/additional-options/load-balancing-rules/reference.mdx
index 616a0df0e72c978..d16aac9464430ed 100644
--- a/src/content/docs/load-balancing/additional-options/load-balancing-rules/reference.mdx
+++ b/src/content/docs/load-balancing/additional-options/load-balancing-rules/reference.mdx
@@ -127,7 +127,7 @@ Regardless of your traffic [proxy status](/load-balancing/understand-basics/prox
 
 If your traffic is proxied through Cloudflare, you have access to all the fields listed under [Fields supported regardless of proxy](#fields-supported-regardless-of-proxy) in addition to the following fields:
 
-Many of these fields are referenced from the [Rules language documentation](/ruleset-engine/rules-language/fields/).
+Many of these fields are referenced from the [Rules language documentation](/ruleset-engine/rules-language/fields/reference/).
 
 <table style="width:100%">
   <thead>
diff --git a/src/content/docs/rules/reference/troubleshooting.mdx b/src/content/docs/rules/reference/troubleshooting.mdx
index 7f3a3dbd07978e0..07b9e1d53d0599a 100644
--- a/src/content/docs/rules/reference/troubleshooting.mdx
+++ b/src/content/docs/rules/reference/troubleshooting.mdx
@@ -81,4 +81,4 @@ In the current example, you could use the `raw.http.request.uri.path` field in b
 
 This way, the two rules will work as intended. Additionally, this allows you to use the same expression in the two rules, even when the first rule is updating the URI path value.
 
-For a list of raw fields, refer to the [Fields](/ruleset-engine/rules-language/fields/) reference page.
+For a list of raw fields, refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/).
diff --git a/src/content/docs/rules/transform/url-rewrite/reference/fields-functions.mdx b/src/content/docs/rules/transform/url-rewrite/reference/fields-functions.mdx
index eac205d08a81a78..e0770b369667fce 100644
--- a/src/content/docs/rules/transform/url-rewrite/reference/fields-functions.mdx
+++ b/src/content/docs/rules/transform/url-rewrite/reference/fields-functions.mdx
@@ -26,6 +26,6 @@ A rewrite expression (that is, the expression that defines the dynamic URL rewri
 - `http.request.headers.*`
 - `http.request.accepted_languages`
 
-Refer to [Fields](/ruleset-engine/rules-language/fields/) for reference information on these fields.
+Refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/) for more information on these fields.
 
 The [`concat()`](/ruleset-engine/rules-language/functions/#concat), [`regex_replace()`](/ruleset-engine/rules-language/functions/#regex_replace), and [`wildcard_replace()`](/ruleset-engine/rules-language/functions/#wildcard_replace) functions can appear only **once** in a rewrite expression.
diff --git a/src/content/docs/rules/url-forwarding/bulk-redirects/concepts.mdx b/src/content/docs/rules/url-forwarding/bulk-redirects/concepts.mdx
index 148f072251bfd26..3bc19e60dd4b9ff 100644
--- a/src/content/docs/rules/url-forwarding/bulk-redirects/concepts.mdx
+++ b/src/content/docs/rules/url-forwarding/bulk-redirects/concepts.mdx
@@ -107,7 +107,7 @@ At the left of the `in` operator you can only use fields directly and not values
 - `http.request.full_uri`
 - `raw.http.request.full_uri`
 
-Refer to [Fields](/ruleset-engine/rules-language/fields/) for more information.
+Refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/) for more information.
 
 :::
 
diff --git a/src/content/docs/rules/url-forwarding/single-redirects/settings.mdx b/src/content/docs/rules/url-forwarding/single-redirects/settings.mdx
index fcffaecce39ce33..2ea2442a69c3353 100644
--- a/src/content/docs/rules/url-forwarding/single-redirects/settings.mdx
+++ b/src/content/docs/rules/url-forwarding/single-redirects/settings.mdx
@@ -64,7 +64,7 @@ Performs a dynamic URL redirect, where the target URL is determined by an expres
 
 A dynamic URL redirect has the following configuration parameters:
 
-- **Expression**: An [expression](/ruleset-engine/rules-language/expressions/) that defines the target URL of the redirect. The result of evaluating this expression will be used in the `Location` HTTP header returned in the redirect response. Refer to the [fields](/ruleset-engine/rules-language/fields/) and [functions](/ruleset-engine/rules-language/functions/) you can use in expressions.
+- **Expression**: An [expression](/ruleset-engine/rules-language/expressions/) that defines the target URL of the redirect. The result of evaluating this expression will be used in the `Location` HTTP header returned in the redirect response. Refer to the [fields](/ruleset-engine/rules-language/fields/reference/) and [functions](/ruleset-engine/rules-language/functions/) you can use in expressions.
 
 - **Status code**: The HTTP status code of the redirect response (_301_ by default). Must be one of the following: _301_ (Moved permanently), _302_ (Found, also known as Moved temporarily), _307_ (Temporary redirect), or _308_ (Permanent redirect).
 
diff --git a/src/content/docs/ruleset-engine/about/rules.mdx b/src/content/docs/ruleset-engine/about/rules.mdx
index ef8bb635e73430e..e9552c5f349602b 100644
--- a/src/content/docs/ruleset-engine/about/rules.mdx
+++ b/src/content/docs/ruleset-engine/about/rules.mdx
@@ -30,7 +30,7 @@ When you use `true` as the rule filter expression, this means "apply the rule to
 
 
 * A rule filter expression must evaluate to a boolean value (either `true` or `false`).
-* Rules of specific Cloudflare products, such as [Transform Rules](/rules/transform/), may include other expressions used to specify dynamic values. These expressions do not have to evaluate to a boolean value. 
+* Rules of specific Cloudflare products, such as [Transform Rules](/rules/transform/), may include other expressions used to specify dynamic values. These expressions do not have to evaluate to a boolean value.
   :::
 
 ### Field values during rule evaluation
@@ -45,5 +45,5 @@ For example:
 
 :::note
 
-If you want to use the original field values in rules evaluated later, you can use raw fields (for example, `raw.http.request.uri.path`) in their expressions. These special fields are immutable during the entire request evaluation workflow. For a list of raw fields, refer to [Fields](/ruleset-engine/rules-language/fields/). 
+If you want to use the original field values in rules evaluated later, you can use raw fields (for example, `raw.http.request.uri.path`) in their expressions. These special fields are immutable during the entire request evaluation workflow. For a list of raw fields, refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/).
 :::
diff --git a/src/content/docs/ruleset-engine/rules-language/functions.mdx b/src/content/docs/ruleset-engine/rules-language/functions.mdx
index 59657c6db1f6f2c..cfa47bd5d8a236f 100644
--- a/src/content/docs/ruleset-engine/rules-language/functions.mdx
+++ b/src/content/docs/ruleset-engine/rules-language/functions.mdx
@@ -274,7 +274,7 @@ For example, if `http.request.uri.path` is `"/blog/first-post"`, then `starts_wi
 {/* prettier-ignore */}
 <code>substring(field <Type text="String | Bytes" />, start <Type text="Integer" />, end <Type text="Integer" /> <MetaInfo text='optional' />)</code>: <Type text="String" />
 
-Returns part of the `field` value (the value of a String or Bytes [field](/ruleset-engine/rules-language/fields/)) from the `start` byte index up to (but excluding) the `end` byte index. The first byte in `field` has index `0`. If you do not provide the optional `end` index, the function returns the part of the string from `start` index to the end of the string.
+Returns part of the `field` value (the value of a String or Bytes [field](/ruleset-engine/rules-language/fields/reference/)) from the `start` byte index up to (but excluding) the `end` byte index. The first byte in `field` has index `0`. If you do not provide the optional `end` index, the function returns the part of the string from `start` index to the end of the string.
 
 The `start` and `end` indexes can be negative integer values, which allows you to access characters from the end of the string instead of the beginning.
 
diff --git a/src/content/docs/ruleset-engine/rules-language/values.mdx b/src/content/docs/ruleset-engine/rules-language/values.mdx
index 832708c6dd4bb2a..7c403385f580450 100644
--- a/src/content/docs/ruleset-engine/rules-language/values.mdx
+++ b/src/content/docs/ruleset-engine/rules-language/values.mdx
@@ -172,7 +172,7 @@ For maps where the values have an `Array` type, you cannot directly use [operato
 
 ### Examples
 
-The following example is based on the [`http.request.headers`](/ruleset-engine/rules-language/fields/http-request-header/) field with a data type of `Map<Array<String>>`, where array elements are of `String` data type.
+The following example is based on the [`http.request.headers`](/ruleset-engine/rules-language/fields/reference/http.request.headers/) field with a data type of `Map<Array<String>>`, where array elements are of `String` data type.
 
 If an incoming HTTP request included a single `Accept: application/json` HTTP header, the following expressions would evaluate to the indicated values:
 
diff --git a/src/content/docs/waf/account/rate-limiting-rulesets/create-dashboard.mdx b/src/content/docs/waf/account/rate-limiting-rulesets/create-dashboard.mdx
index d172af4d70a83e3..fe5a341f49ebba7 100644
--- a/src/content/docs/waf/account/rate-limiting-rulesets/create-dashboard.mdx
+++ b/src/content/docs/waf/account/rate-limiting-rulesets/create-dashboard.mdx
@@ -43,7 +43,7 @@ To create a new custom rate limiting ruleset:
 
    The available characteristics depend on your Cloudflare plan and product subscriptions.
 
-10. (Optional) To define an expression that specifies the conditions for incrementing the rate counter, enable **Use custom counting expression** and set the expression. By default, the counting expression is the same as the rule expression. The counting expression can include [response fields](/ruleset-engine/rules-language/fields/http-request-response/).
+10. (Optional) To define an expression that specifies the conditions for incrementing the rate counter, enable **Use custom counting expression** and set the expression. By default, the counting expression is the same as the rule expression. The counting expression can include [response fields](/ruleset-engine/rules-language/fields/reference/).
 
 11. Under **When rate exceeds**, define the maximum number of requests and the time period to consider when determining the rate.
 
diff --git a/src/content/docs/waf/custom-rules/use-cases/require-specific-headers.mdx b/src/content/docs/waf/custom-rules/use-cases/require-specific-headers.mdx
index 48794c2c1efbc60..044970a07aa44a7 100644
--- a/src/content/docs/waf/custom-rules/use-cases/require-specific-headers.mdx
+++ b/src/content/docs/waf/custom-rules/use-cases/require-specific-headers.mdx
@@ -3,7 +3,7 @@ pcx_content_type: configuration
 title: Require specific HTTP headers
 ---
 
-Many organizations qualify traffic based on the presence of specific HTTP request headers. Use the Rules language [HTTP request header fields](/ruleset-engine/rules-language/fields/http-request-header/) to target requests with specific headers.
+Many organizations qualify traffic based on the presence of specific HTTP request headers. Use the Rules language [HTTP request header fields](/ruleset-engine/rules-language/fields/reference/) to target requests with specific headers.
 
 This example uses the `http.headers.names` field to look for the presence of an `X-CSRF-Token` header. The [`lower()`](/ruleset-engine/rules-language/functions/#lower) transformation function converts the value to lowercase so that the expression is case insensitive.
 
diff --git a/src/content/docs/waf/rate-limiting-rules/create-zone-dashboard.mdx b/src/content/docs/waf/rate-limiting-rules/create-zone-dashboard.mdx
index 4968d62a0b2526d..572eed74cd15ef0 100644
--- a/src/content/docs/waf/rate-limiting-rules/create-zone-dashboard.mdx
+++ b/src/content/docs/waf/rate-limiting-rules/create-zone-dashboard.mdx
@@ -28,7 +28,7 @@ import { Render } from "~/components";
 
 7. Under **With the same characteristics**, add one or more characteristics that will define the request counters for rate limiting purposes. Each value combination will have its own counter to determine the rate. Refer to [How Cloudflare determines the request rate](/waf/rate-limiting-rules/request-rate/) for more information.
 
-8. (Optional) To define an expression that specifies the conditions for incrementing the rate counter, enable **Use custom counting expression** and set the expression. By default, the counting expression is the same as the rule expression. The counting expression can include [response fields](/ruleset-engine/rules-language/fields/http-request-response/).
+8. (Optional) To define an expression that specifies the conditions for incrementing the rate counter, enable **Use custom counting expression** and set the expression. By default, the counting expression is the same as the rule expression. The counting expression can include [response fields](/ruleset-engine/rules-language/fields/reference/).
 
 9. Under **When rate exceeds**, define the maximum number of requests and the time period to consider when determining the rate.
 
diff --git a/src/content/docs/waf/rate-limiting-rules/parameters.mdx b/src/content/docs/waf/rate-limiting-rules/parameters.mdx
index 5d3a82a8d8f57ab..714a5f926fcab3f 100644
--- a/src/content/docs/waf/rate-limiting-rules/parameters.mdx
+++ b/src/content/docs/waf/rate-limiting-rules/parameters.mdx
@@ -73,7 +73,7 @@ Only available in the Cloudflare dashboard when you enable **Use custom counting
 
 Defines the criteria used for determining the request rate. By default, the counting expression is the same as the rule matching expression (defined in **If incoming requests match**). This default is also applied when you set this field to an empty string (`""`).
 
-The counting expression can include [HTTP response fields](/ruleset-engine/rules-language/fields/http-request-response/). When there are response fields in the counting expression, the counting will happen after the response is sent.
+The counting expression can include [HTTP response fields](/ruleset-engine/rules-language/fields/reference/). When there are response fields in the counting expression, the counting will happen after the response is sent.
 
 In some cases, you cannot include HTTP response fields in the counting expression due to configuration restrictions. Refer to [Configuration restrictions](#configuration-restrictions) for details.
 
@@ -231,4 +231,4 @@ To use claims inside a JSON Web Token (JWT), you must first set up a [token vali
 
 - If the rule expression [includes IP lists](/waf/tools/lists/use-in-expressions/), you must enable the **Also apply rate limiting to cached assets** parameter.
 
-- The rule counting expression, defined in the **Increment counter when** parameter, cannot include both [HTTP response fields](/ruleset-engine/rules-language/fields/http-request-response/) and [IP lists](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists). If you use IP lists, you must enable the **Also apply rate limiting to cached assets** parameter.
+- The rule counting expression, defined in the **Increment counter when** parameter, cannot include both [HTTP response fields](/ruleset-engine/rules-language/fields/reference/) and [IP lists](/waf/tools/lists/custom-lists/#lists-with-ip-addresses-ip-lists). If you use IP lists, you must enable the **Also apply rate limiting to cached assets** parameter.
diff --git a/src/content/docs/waf/tools/lists/custom-lists.mdx b/src/content/docs/waf/tools/lists/custom-lists.mdx
index 955dc978878c9c2..51b78d7263ef792 100644
--- a/src/content/docs/waf/tools/lists/custom-lists.mdx
+++ b/src/content/docs/waf/tools/lists/custom-lists.mdx
@@ -38,11 +38,11 @@ Use custom lists in rule [expressions](/ruleset-engine/rules-language/expression
 
 The fields you can use vary according to the list item type:
 
-| List item type | Available fields                                                                         |
-| -------------- | ---------------------------------------------------------------------------------------- |
-| IP address     | Fields with type `IP address` listed in [Fields](/ruleset-engine/rules-language/fields/) |
-| Hostname       | `http.host`                                                                              |
-| ASN            | `ip.src.asnum`                                                                           |
+| List item type | Available fields                                                                                                 |
+| -------------- | ---------------------------------------------------------------------------------------------------------------- |
+| IP address     | Fields with type `IP address` listed in the [Fields reference](/ruleset-engine/rules-language/fields/reference/) |
+| Hostname       | `http.host`                                                                                                      |
+| ASN            | `ip.src.asnum`                                                                                                   |
 
 For more information and examples, refer to [Use lists in expressions](/waf/tools/lists/use-in-expressions/).
 
diff --git a/src/content/docs/waiting-room/additional-options/waiting-room-rules/bypass-rules.mdx b/src/content/docs/waiting-room/additional-options/waiting-room-rules/bypass-rules.mdx
index 3f95706ed203d25..48f9293f6950116 100644
--- a/src/content/docs/waiting-room/additional-options/waiting-room-rules/bypass-rules.mdx
+++ b/src/content/docs/waiting-room/additional-options/waiting-room-rules/bypass-rules.mdx
@@ -10,13 +10,10 @@ import { Details } from "~/components"
 
 A Waiting Room Bypass Rule is a type of Waiting Room Rule built on Cloudflare’s Ruleset Engine and managed via the Waiting Room API. A Waiting Room Bypass Rule allows you to indicate specific traffic or areas of your site or application that you do not want a waiting room to apply to. Each bypass rule is created and managed at the individual waiting room level for precise control over your waiting room traffic.
 
-To indicate where you want your bypass rules to apply, write [custom logic](/ruleset-engine/rules-language/) using the [fields](/ruleset-engine/rules-language/fields/) available via the Cloudflare Ruleset Engine from the following fields categories:
+To indicate where you want your bypass rules to apply, write [custom logic](/ruleset-engine/rules-language/) using the [fields](/ruleset-engine/rules-language/fields/reference/) available via the Cloudflare Ruleset Engine, except the following:
 
-* [Standard fields](/ruleset-engine/rules-language/fields/standard-fields)
-* [Dynamic fields](/ruleset-engine/rules-language/fields/dynamic-fields) except `cf.threat_score` and fields starting with `cf.bot_management`
-* [URI and argument value fields](/ruleset-engine/rules-language/fields/uri/)
-* [HTTP request header fields](/ruleset-engine/rules-language/fields/http-request-header/)
-* [HTTP request body fields](/ruleset-engine/rules-language/fields/http-request-body/)
+- `cf.threat_score` and fields starting with `cf.bot_management`
+- HTTP response fields
 
 Please be advised that the waiting room will not apply to all the traffic that matches the expressions written for bypass rules and will not be counted as active users. No Waiting Room features, including but not limited to, Event pre-queueing, Reject queueing method, or Queue-all will apply to this traffic. Be mindful of this when creating and enabling Bypass Waiting Room rules. Only use bypass rules for traffic you are confident will not overwhelm your origin or cause significant traffic surges.
 
diff --git a/src/content/partials/bots/firewall-variables.mdx b/src/content/partials/bots/firewall-variables.mdx
index f77466304824b8d..23c583cf25ab014 100644
--- a/src/content/partials/bots/firewall-variables.mdx
+++ b/src/content/partials/bots/firewall-variables.mdx
@@ -2,7 +2,7 @@
 {}
 ---
 
-Bot Management provides access to several [new variables](/ruleset-engine/rules-language/fields/dynamic-fields/) within the expression builder of Ruleset Engine-based products such as [WAF custom rules](/waf/custom-rules/).
+Bot Management provides access to several [new variables](/ruleset-engine/rules-language/fields/reference/) within the expression builder of Ruleset Engine-based products such as [WAF custom rules](/waf/custom-rules/).
 
 - **Bot Score** (`cf.bot_management.score`): An integer between 1-99 that indicates [Cloudflare's level of certainty](/bots/concepts/bot-score/) that a request comes from a bot.
 - **Verified Bot** (`cf.bot_management.verified_bot`): A boolean value that is true if the request comes from a good bot, like Google or Bing. Most customers choose to allow this traffic. For more details, see [Traffic from known bots](/waf/troubleshooting/faq/#how-does-the-waf-handle-traffic-from-known-bots).

From 16c46b594f8920601c8e2cc9c9a4868b0ef532f4 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Tue, 14 Jan 2025 18:24:35 +0000
Subject: [PATCH 37/45] Move Magic Firewall fields page to MFW tile

---
 public/_redirects                             |   2 +-
 .../about/protocol-validation-rules.mdx       |   2 +-
 .../magic-firewall/about/traffic-types.mdx    |   2 +-
 .../reference/magic-firewall-fields.mdx       | 307 ++++++++++++++++-
 .../rules-language/fields/magic-firewall.mdx  | 311 ------------------
 5 files changed, 308 insertions(+), 316 deletions(-)
 delete mode 100644 src/content/docs/ruleset-engine/rules-language/fields/magic-firewall.mdx

diff --git a/public/_redirects b/public/_redirects
index db37e8959560b19..be1771c7f7fd251 100644
--- a/public/_redirects
+++ b/public/_redirects
@@ -744,7 +744,7 @@
 /logs/reference/logpush-api-configuration/examples/example-logpush-curl/ /logs/tutorials/examples/example-logpush-curl/ 301
 
 # magic-firewall
-/magic-firewall/reference/magic-firewall-fields/ /ruleset-engine/rules-language/fields/magic-firewall/ 301
+/ruleset-engine/rules-language/fields/magic-firewall/ /magic-firewall/reference/magic-firewall-fields/ 301
 /magic-firewall/reference/examples/ /magic-firewall/how-to/add-rules/ 301
 /magic-firewall/how-to/pcaps-bucket-setup/ /magic-firewall/packet-captures/pcaps-bucket-setup/ 301
 /magic-firewall/how-to/collect-pcaps/ /magic-firewall/packet-captures/collect-pcaps/ 301
diff --git a/src/content/docs/magic-firewall/about/protocol-validation-rules.mdx b/src/content/docs/magic-firewall/about/protocol-validation-rules.mdx
index e45e4855dd6e295..5d98286f5e341fd 100644
--- a/src/content/docs/magic-firewall/about/protocol-validation-rules.mdx
+++ b/src/content/docs/magic-firewall/about/protocol-validation-rules.mdx
@@ -6,6 +6,6 @@ pcx_content_type: concept
 
 Magic Firewall supports [Session Initiation Protocol (SIP)](https://datatracker.ietf.org/doc/html/rfc2543) to inspect traffic validity and enforce a positive security model.
 
-You can use the `sip` field when creating a rule to determine if packets are valid SIP Layer 7 (L7) protocol. Refer to [Magic Firewall fields](/ruleset-engine/rules-language/fields/magic-firewall/), specifically the `sip` field, for more information on this topic.
+You can use the `sip` field when creating a rule to determine if packets are valid SIP Layer 7 (L7) protocol. Refer to [Magic Firewall fields](/magic-firewall/reference/magic-firewall-fields/), specifically the `sip` field, for more information on this topic.
 
 Contact your account manager if you need Magic Firewall to support additional protocols.
diff --git a/src/content/docs/magic-firewall/about/traffic-types.mdx b/src/content/docs/magic-firewall/about/traffic-types.mdx
index 8bb443f03c922af..cbb62430ca6e38b 100644
--- a/src/content/docs/magic-firewall/about/traffic-types.mdx
+++ b/src/content/docs/magic-firewall/about/traffic-types.mdx
@@ -10,4 +10,4 @@ Magic Firewall enables you to allow or block traffic on a variety of packet char
 
 Magic Firewall supports layers three and four — network and transport — protocols such as TCP, UDP, and ICMP. Any type of layer three or four protocols can go through Magic Firewall and then be matched on those protocols.
 
-To view the list of available fields, refer to [Magic Firewall fields](/ruleset-engine/rules-language/fields/magic-firewall/).
+To view the list of available fields, refer to [Magic Firewall fields](/magic-firewall/reference/magic-firewall-fields/).
diff --git a/src/content/docs/magic-firewall/reference/magic-firewall-fields.mdx b/src/content/docs/magic-firewall/reference/magic-firewall-fields.mdx
index 535624b9922b8ef..7595cfb98d02c09 100644
--- a/src/content/docs/magic-firewall/reference/magic-firewall-fields.mdx
+++ b/src/content/docs/magic-firewall/reference/magic-firewall-fields.mdx
@@ -1,6 +1,309 @@
 ---
-pcx_content_type: navigation
 title: Magic Firewall fields
-external_link: /ruleset-engine/rules-language/fields/magic-firewall/
+pcx_content_type: reference
+head:
+  - tag: title
+    content: Magic Firewall fields
+---
+
+import { Type } from "~/components";
+
+:::note
+Some Magic Firewall fields are available only to customers who purchased Magic Firewall's advanced features. Refer to [Magic Firewall plans](/magic-firewall/plans/) for more information.
+:::
+
+## `cf.colo.name`
+
+`cf.colo.name` <Type text='String' />
+
+The data center that is handling this traffic.
+
+Example value: `sfo06`
+
+---
+
+## `cf.colo.region`
+
+`cf.colo.region` <Type text='String' />
+
+Region of the data center that is handling this traffic.
+
+Example value: `WNAM`
+
+---
+
+## `icmp`
+
+`icmp` <Type text='String' />
+
+The raw ICMP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
+
+---
+
+## `icmp.type`
+
+`icmp.type` <Type text='Number' />
+
+The [ICMP type](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#header_type). Only applies to ICMP packets.
+
+Example value: `8`
+
+---
+
+## `icmp.code`
+
+`icmp.code` <Type text='Number' />
+
+The [ICMP code](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#header_code). Only applies to ICMP packets.
+
+Example value: `2`
+
+---
+
+## `ip`
+
+`ip` <Type text='String' />
+
+The raw IP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
 
 ---
+
+## `ip.dst`
+
+`ip.dst` <Type text='IP address' />
+
+The destination address as specified in the IP packet.
+
+Example value: `192.0.2.2`
+
+---
+
+## `ip.dst.country`
+
+`ip.dst.country` <Type text='String' />
+
+Represents the 2-letter country code associated with the server IP address in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format.
+
+Example value: `GB`
+
+For more information on the ISO 3166-1 Alpha 2 format, refer to [ISO 3166-1 Alpha 2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) on Wikipedia.
+
+---
+
+## `ip.src.country`
+
+`ip.src.country` <Type text='String' />
+
+Represents the 2-letter country code associated with the client IP address in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format.
+
+Example value: `GB`
+
+For more information on the ISO 3166-1 Alpha 2 format, refer to [ISO 3166-1 Alpha 2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) on Wikipedia.
+
+For Magic Firewall, the `ip.geoip.country` field (which is deprecated) will match on either source or destination address. The `ip.geoip.country` field is still available for new and existing rules, but you should use the `ip.src.country` and/or `ip.dst.country` fields instead.
+
+---
+
+## `ip.hdr_len`
+
+`ip.hdr_len` <Type text='Number' />
+
+The length of the IPv4 header in bytes.
+
+Example value: `5`
+
+---
+
+## `ip.len`
+
+`ip.len` <Type text='Number' />
+
+The length of the packet including the header.
+
+Example value: `60`
+
+---
+
+## `ip.opt.type`
+
+`ip.opt.type` <Type text='Number' />
+
+The first byte of [IP options field](https://en.wikipedia.org/wiki/IPv4#Options), if the options field is set.
+
+Example value: `25`
+
+---
+
+## `ip.proto`
+
+`ip.proto` <Type text='String' />
+
+The transport layer for the packet, if it can be determined.
+
+Example values: `icmp`, `tcp`
+
+---
+
+## `ip.src`
+
+`ip.src` <Type text='IP address' />
+
+The source address of the IP Packet.
+
+---
+
+## `ip.src.country`
+
+`ip.src.country` <Type text='String' />
+
+Represents the 2-letter country code associated with the client IP address in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format.
+
+Example value: `GB`
+
+For more information on the ISO 3166-1 Alpha 2 format, refer to [ISO 3166-1 Alpha 2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) on Wikipedia.
+
+---
+
+## `ip.ttl`
+
+`ip.ttl` <Type text='Number' />
+
+The time-to-live of the IP Packet.
+
+Example values: `54`
+
+---
+
+## `sip`
+
+`sip` <Type text='Boolean' />
+
+Determines if packets are valid L7 protocol [SIP](https://datatracker.ietf.org/doc/html/rfc2543). Requires UDP packets to operate.
+
+Use a guard clause as shown below to ensure the packet is UDP (wirefilter):
+
+`ip.proto == "udp"`
+
+---
+
+## `tcp`
+
+`tcp` <Type text='String' />
+
+The raw TCP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
+
+---
+
+## `tcp.flags`
+
+`tcp.flags` <Type text='Number' />
+
+The numeric value of the TCP flags byte.
+
+---
+
+## `tcp.flags.ack`
+
+`tcp.flags.ack` <Type text='Boolean' />
+
+TCP acknowledgment flag.
+
+---
+
+## `tcp.flags.cwr`
+
+`tcp.flags.cwr` <Type text='Boolean' />
+
+TCP congestion window reduced flag.
+
+---
+
+## `tcp.flags.ecn`
+
+`tcp.flags.ecn` <Type text='Boolean' />
+
+TCP ECN-Echo flag.
+
+---
+
+## `tcp.flags.fin`
+
+`tcp.flags.fin` <Type text='Boolean' />
+
+TCP flag indicating this is the last packet from sender.
+
+---
+
+## `tcp.flags.push`
+
+`tcp.flags.push` <Type text='Boolean' />
+
+TCP push flag.
+
+---
+
+## `tcp.flags.reset`
+
+`tcp.flags.reset` <Type text='Boolean' />
+
+TCP reset flag.
+
+---
+
+## `tcp.flags.syn`
+
+`tcp.flags.syn` <Type text='Boolean' />
+
+TCP synchronize flag.
+
+---
+
+## `tcp.flags.urg`
+
+`tcp.flags.urg` <Type text='Boolean' />
+
+TCP urgent flag.
+
+---
+
+## `tcp.srcport`
+
+`tcp.srcport` <Type text='Number' />
+
+Source port number of the IP packet. Only applies to TCP packets.
+
+---
+
+## `tcp.dstport`
+
+`tcp.dstport` <Type text='Number' />
+
+Destination port number of the IP packet. Only applies to TCP packets.
+
+---
+
+## `udp`
+
+`udp` <Type text='String' />
+
+The raw UDP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
+
+---
+
+## `udp.dstport`
+
+`udp.dstport` <Type text='Number' />
+
+Destination port number of the IP packet. Only applies to UDP packets.
+
+---
+
+## `udp.srcport`
+
+`udp.srcport` <Type text='Number' />
+
+Source port number of the IP packet. Only applies to UDP packets.
+
+---
+
+_GeoIP is the registered trademark of MaxMind, Inc._
diff --git a/src/content/docs/ruleset-engine/rules-language/fields/magic-firewall.mdx b/src/content/docs/ruleset-engine/rules-language/fields/magic-firewall.mdx
deleted file mode 100644
index 8d521787373d8b0..000000000000000
--- a/src/content/docs/ruleset-engine/rules-language/fields/magic-firewall.mdx
+++ /dev/null
@@ -1,311 +0,0 @@
----
-title: Magic firewall fields
-pcx_content_type: reference
-sidebar:
-  order: 2
-head:
-  - tag: title
-    content: Magic firewall fields | Fields reference
----
-
-import { Type } from "~/components";
-
-:::note
-Some Magic Firewall fields are available only to customers who purchased Magic Firewall's advanced features. Refer to [Magic Firewall plans](/magic-firewall/plans/) for more information.
-:::
-
-## `cf.colo.name`
-
-`cf.colo.name` <Type text='String' />
-
-The data center that is handling this traffic.
-
-Example value: `sfo06`
-
----
-
-## `cf.colo.region`
-
-`cf.colo.region` <Type text='String' />
-
-Region of the data center that is handling this traffic.
-
-Example value: `WNAM`
-
----
-
-## `icmp`
-
-`icmp` <Type text='String' />
-
-The raw ICMP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
-
----
-
-## `icmp.type`
-
-`icmp.type` <Type text='Number' />
-
-The [ICMP type](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#header_type). Only applies to ICMP packets.
-
-Example value: `8`
-
----
-
-## `icmp.code`
-
-`icmp.code` <Type text='Number' />
-
-The [ICMP code](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#header_code). Only applies to ICMP packets.
-
-Example value: `2`
-
----
-
-## `ip`
-
-`ip` <Type text='String' />
-
-The raw IP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
-
----
-
-## `ip.dst`
-
-`ip.dst` <Type text='IP address' />
-
-The destination address as specified in the IP packet.
-
-Example value: `192.0.2.2`
-
----
-
-## `ip.dst.country`
-
-`ip.dst.country` <Type text='String' />
-
-Represents the 2-letter country code associated with the server IP address in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format.
-
-Example value: `GB`
-
-For more information on the ISO 3166-1 Alpha 2 format, refer to [ISO 3166-1 Alpha 2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) on Wikipedia.
-
----
-
-## `ip.src.country`
-
-`ip.src.country` <Type text='String' />
-
-Represents the 2-letter country code associated with the client IP address in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format.
-
-Example value: `GB`
-
-For more information on the ISO 3166-1 Alpha 2 format, refer to [ISO 3166-1 Alpha 2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) on Wikipedia.
-
-For Magic Firewall, the `ip.geoip.country` field (which is deprecated) will match on either source or destination address. The `ip.geoip.country` field is still available for new and existing rules, but you should use the `ip.src.country` and/or `ip.dst.country` fields instead.
-
----
-
-## `ip.hdr_len`
-
-`ip.hdr_len` <Type text='Number' />
-
-The length of the IPv4 header in bytes.
-
-Example value: `5`
-
----
-
-## `ip.len`
-
-`ip.len` <Type text='Number' />
-
-The length of the packet including the header.
-
-Example value: `60`
-
----
-
-## `ip.opt.type`
-
-`ip.opt.type` <Type text='Number' />
-
-The first byte of [IP options field](https://en.wikipedia.org/wiki/IPv4#Options), if the options field is set.
-
-Example value: `25`
-
----
-
-## `ip.proto`
-
-`ip.proto` <Type text='String' />
-
-The transport layer for the packet, if it can be determined.
-
-Example values: `icmp`, `tcp`
-
----
-
-## `ip.src`
-
-`ip.src` <Type text='IP address' />
-
-The source address of the IP Packet.
-
----
-
-## `ip.src.country`
-
-`ip.src.country` <Type text='String' />
-
-Represents the 2-letter country code associated with the client IP address in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format.
-
-Example value: `GB`
-
-For more information on the ISO 3166-1 Alpha 2 format, refer to [ISO 3166-1 Alpha 2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) on Wikipedia.
-
----
-
-## `ip.ttl`
-
-`ip.ttl` <Type text='Number' />
-
-The time-to-live of the IP Packet.
-
-Example values: `54`
-
----
-
-## `sip`
-
-`sip` <Type text='Boolean' />
-
-Determines if packets are valid L7 protocol [SIP](https://datatracker.ietf.org/doc/html/rfc2543). Requires UDP packets to operate.
-
-Use a guard clause as shown below to ensure the packet is UDP (wirefilter):
-
-`ip.proto == "udp"`
-
----
-
-## `tcp`
-
-`tcp` <Type text='String' />
-
-The raw TCP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
-
----
-
-## `tcp.flags`
-
-`tcp.flags` <Type text='Number' />
-
-The numeric value of the TCP flags byte.
-
----
-
-## `tcp.flags.ack`
-
-`tcp.flags.ack` <Type text='Boolean' />
-
-TCP acknowledgment flag.
-
----
-
-## `tcp.flags.cwr`
-
-`tcp.flags.cwr` <Type text='Boolean' />
-
-TCP congestion window reduced flag.
-
----
-
-## `tcp.flags.ecn`
-
-`tcp.flags.ecn` <Type text='Boolean' />
-
-TCP ECN-Echo flag.
-
----
-
-## `tcp.flags.fin`
-
-`tcp.flags.fin` <Type text='Boolean' />
-
-TCP flag indicating this is the last packet from sender.
-
----
-
-## `tcp.flags.push`
-
-`tcp.flags.push` <Type text='Boolean' />
-
-TCP push flag.
-
----
-
-## `tcp.flags.reset`
-
-`tcp.flags.reset` <Type text='Boolean' />
-
-TCP reset flag.
-
----
-
-## `tcp.flags.syn`
-
-`tcp.flags.syn` <Type text='Boolean' />
-
-TCP synchronize flag.
-
----
-
-## `tcp.flags.urg`
-
-`tcp.flags.urg` <Type text='Boolean' />
-
-TCP urgent flag.
-
----
-
-## `tcp.srcport`
-
-`tcp.srcport` <Type text='Number' />
-
-Source port number of the IP packet. Only applies to TCP packets.
-
----
-
-## `tcp.dstport`
-
-`tcp.dstport` <Type text='Number' />
-
-Destination port number of the IP packet. Only applies to TCP packets.
-
----
-
-## `udp`
-
-`udp` <Type text='String' />
-
-The raw UDP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking.
-
----
-
-## `udp.dstport`
-
-`udp.dstport` <Type text='Number' />
-
-Destination port number of the IP packet. Only applies to UDP packets.
-
----
-
-## `udp.srcport`
-
-`udp.srcport` <Type text='Number' />
-
-Source port number of the IP packet. Only applies to UDP packets.
-
----
-
-_GeoIP is the registered trademark of MaxMind, Inc._

From 8b63feb23d66c3dfc82866e1e40dee765ed304f0 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Wed, 15 Jan 2025 10:11:49 +0000
Subject: [PATCH 38/45] Remove old pages with fields

---
 public/_redirects                             |  11 +-
 .../rules-language/fields/dynamic-fields.mdx  | 579 ------------------
 .../fields/http-request-body.mdx              | 226 -------
 .../fields/http-request-header.mdx            | 146 -----
 .../fields/http-request-response.mdx          | 160 -----
 .../rules-language/fields/index.mdx           |  21 +-
 .../rules-language/fields/standard-fields.mdx | 547 -----------------
 .../rules-language/fields/uri.mdx             | 111 ----
 8 files changed, 28 insertions(+), 1773 deletions(-)
 delete mode 100644 src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx
 delete mode 100644 src/content/docs/ruleset-engine/rules-language/fields/http-request-body.mdx
 delete mode 100644 src/content/docs/ruleset-engine/rules-language/fields/http-request-header.mdx
 delete mode 100644 src/content/docs/ruleset-engine/rules-language/fields/http-request-response.mdx
 delete mode 100644 src/content/docs/ruleset-engine/rules-language/fields/standard-fields.mdx
 delete mode 100644 src/content/docs/ruleset-engine/rules-language/fields/uri.mdx

diff --git a/public/_redirects b/public/_redirects
index be1771c7f7fd251..1eeed92997e203c 100644
--- a/public/_redirects
+++ b/public/_redirects
@@ -744,7 +744,6 @@
 /logs/reference/logpush-api-configuration/examples/example-logpush-curl/ /logs/tutorials/examples/example-logpush-curl/ 301
 
 # magic-firewall
-/ruleset-engine/rules-language/fields/magic-firewall/ /magic-firewall/reference/magic-firewall-fields/ 301
 /magic-firewall/reference/examples/ /magic-firewall/how-to/add-rules/ 301
 /magic-firewall/how-to/pcaps-bucket-setup/ /magic-firewall/packet-captures/pcaps-bucket-setup/ 301
 /magic-firewall/how-to/collect-pcaps/ /magic-firewall/packet-captures/collect-pcaps/ 301
@@ -927,7 +926,6 @@
 /reference-architecture/load-balancing-reference-architecture/ /reference-architecture/architectures/load-balancing/ 301
 /reference-architecture/magic-transit-reference-architecture/ /reference-architecture/architectures/magic-transit/ 301
 /reference-architecture/multi-vendor-architecture/ /reference-architecture/architectures/multi-vendor/ 301
-
 /reference-architecture/secure-application-delivery-design-guide/ /reference-architecture/design-guides/secure-application-delivery/ 301
 
 # radar
@@ -966,6 +964,15 @@
 /rules/url-forwarding/single-redirects/examples/ /rules/url-forwarding/examples/ 301
 /rules/url-forwarding/dynamic-redirects/parameters/ /rules/url-forwarding/single-redirects/settings/ 301
 
+# ruleset engine
+/ruleset-engine/rules-language/fields/standard-fields/ /ruleset-engine/rules-language/fields/reference/ 301
+/ruleset-engine/rules-language/fields/dynamic-fields/ /ruleset-engine/rules-language/fields/reference/ 301
+/ruleset-engine/rules-language/fields/uri/ /ruleset-engine/rules-language/fields/reference/ 301
+/ruleset-engine/rules-language/fields/http-request-header/ /ruleset-engine/rules-language/fields/reference/ 301
+/ruleset-engine/rules-language/fields/http-request-body/ /ruleset-engine/rules-language/fields/reference/ 301
+/ruleset-engine/rules-language/fields/http-request-response/ /ruleset-engine/rules-language/fields/reference/ 301
+/ruleset-engine/rules-language/fields/magic-firewall/ /magic-firewall/reference/magic-firewall-fields/ 301
+
 # security center
 /security-center/indicator-feeds/getting-started/ /security-center/indicator-feeds/ 301
 /security-center/indicator-feeds/get-started/ /security-center/indicator-feeds/ 301
diff --git a/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx b/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx
deleted file mode 100644
index 90773329967b89a..000000000000000
--- a/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx
+++ /dev/null
@@ -1,579 +0,0 @@
----
-title: Dynamic fields
-pcx_content_type: reference
-sidebar:
-  order: 2
-head:
-  - tag: title
-    content: Dynamic fields | Fields reference
----
-
-import { Render, Type, GlossaryTooltip } from "~/components";
-
-Dynamic fields represent computed or derived values, typically related to threat intelligence about an HTTP request.
-
-:::note
-
-- Access to `cf.bot_management.*` fields requires a Cloudflare Enterprise plan with [Bot Management](/bots/plans/bm-subscription/) enabled.
-
-- Access to `cf.waf.content_scan.*` fields requires a Cloudflare Enterprise plan with [malicious uploads detection](/waf/detections/malicious-uploads/) enabled.
-
-- Access to fields `cf.waf.auth_detected` and `cf.waf.credential_check.*` depends on your Cloudflare plan and add-ons. For more information, refer to [Leaked credentials detection](/waf/detections/leaked-credentials/).
-
-- The `cf.tls_client_auth.*` string fields are only filled in if the request includes a client certificate for [mTLS authentication](/ssl/client-certificates/enable-mtls/).
-
-:::
-
-The Cloudflare Rules language supports these dynamic fields.
-
-## `cf.bot_management.verified_bot`
-
-`cf.bot_management.verified_bot` <Type text='Boolean' />
-
-When `true`, this field indicates the request originated from a known good bot or crawler. Provides the same information as [`cf.client.bot`](#cfclientbot).
-
-## `cf.verified_bot_category`
-
-`cf.verified_bot_category` <Type text='String' />
-
-Provides the type and purpose of a verified bot. For more details, refer to [Verified Bot Categories](/bots/reference/verified-bot-categories/).
-
-## `cf.bot_management.score`
-
-`cf.bot_management.score` <Type text='Number' />
-
-Represents the likelihood that a request originates from a bot using a score from 1–99. A low score indicates that the request comes from a bot or an automated agent. A high score indicates that a human issued the request.
-
-## `cf.bot_management.static_resource`
-
-`cf.bot_management.static_resource` <Type text='Boolean' />
-
-Indicates whether static resources should be included when you create a rule using [`cf.bot_management.score`](#cfbot_managementscore). For more details, refer to [Static resource protection](/bots/reference/static-resources/).
-
-## `cf.bot_management.ja3_hash`
-
-`cf.bot_management.ja3_hash` <Type text='String' />
-
-Provides an SSL/TLS fingerprint to help you identify potential bot requests. For more details, refer to [JA3/JA4 Fingerprint](/bots/concepts/ja3-ja4-fingerprint/).
-
-## `cf.bot_management.ja4`
-
-`cf.bot_management.ja4` <Type text='String' />
-
-Provides an SSL/TLS fingerprint to help you identify potential bot requests. For more details, refer to [JA3/JA4 Fingerprint](/bots/concepts/ja3-ja4-fingerprint/).
-
-## `cf.bot_management.js_detection.passed`
-
-`cf.bot_management.js_detection.passed` <Type text='Boolean' />
-
-Indicates whether the visitor has previously passed a JS Detection. For more details, refer to [JavaScript detections](/bots/reference/javascript-detections/).
-
-## `cf.bot_management.detection_ids`
-
-`cf.bot_management.detection_ids` <Type text='Array<Number>' />
-
-List of IDs that correlate to the Bot Management heuristic detections made on a request (you can have multiple heuristic detections on the same request). Use this field to explicitly match a specific heuristic or to exclude a heuristic in a rule.
-
-Example:
-
-```txt
-any(cf.bot_management.detection_ids[*] eq 33554817)
-```
-
-## `cf.client.bot`
-
-`cf.client.bot` <Type text='Boolean' />
-
-When `true`, this field indicates the request originated from a known good bot or crawler. Provides the same information as [`cf.bot_management.verified_bot`](#cfbot_managementverified_bot).
-
-## `cf.edge.server_ip`
-
-`cf.edge.server_ip` <Type text='IP address' />
-
-Represents the global network's IP address to which the HTTP request has resolved. This field is only meaningful for [BYOIP customers](/byoip/).
-
-## `cf.edge.server_port`
-
-`cf.edge.server_port` <Type text='Number' />
-
-Represents the port number at which the Cloudflare global network received the request. Use this field to filter traffic on a specific port. The value is a port number in the range 1–65535.
-
-## `cf.hostname.metadata`
-
-`cf.hostname.metadata` <Type text='String' />
-
-Returns the string representation of the per-hostname [custom metadata](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata/) JSON object set by SSL for SaaS customers.
-
-## `cf.random_seed`
-
-`cf.random_seed` <Type text='Bytes' />
-
-Returns per-request random bytes that you can use in the [`uuidv4()`](/ruleset-engine/rules-language/functions/#uuidv4) function.
-
-## `cf.ray_id`
-
-`cf.ray_id` <Type text='String' />
-
-The Ray ID of the current request. A [Ray ID](/fundamentals/reference/cloudflare-ray-id/) is an identifier given to every request that goes through Cloudflare.
-
-## `cf.threat_score`
-
-`cf.threat_score` <Type text='Number' />
-
-Represents a Cloudflare threat score from 0–100, where 0 indicates low risk. Values above 10 may represent spammers or bots, and values above 40 identify bad actors on the Internet. It is rare to see values above 60. A common recommendation is to challenge requests with a score above 10 and to block those above 50.
-
-## `cf.tls_cipher`
-
-`cf.tls_cipher` <Type text='String' />
-
-The cipher for the connection to Cloudflare.
-
-Example:
-
-```txt
-"AES128-SHA256"
-```
-
-## `cf.tls_client_auth.cert_revoked`
-
-`cf.tls_client_auth.cert_revoked` <Type text='Boolean' />
-
-Returns `true` when a request presents a valid but revoked client certificate. When `true`, the [`cf.tls_client_auth.cert_verified`](#cftls_client_authcert_verified) field is also `true`.
-
-## `cf.tls_client_auth.cert_verified`
-
-`cf.tls_client_auth.cert_verified` <Type text='Boolean' />
-
-Returns `true` when a request presents a valid client certificate. Also returns `true` when a request includes a valid certificate that was revoked (refer to [`cf.tls_client_auth.cert_revoked`](#cftls_client_authcert_revoked)).
-
-## `cf.tls_client_auth.cert_presented`
-
-`cf.tls_client_auth.cert_presented` <Type text='Boolean' />
-
-Returns `true` when a request presents a certificate (valid or not).
-
-## `cf.tls_client_auth.cert_issuer_dn`
-
-`cf.tls_client_auth.cert_issuer_dn` <Type text='String' />
-
-The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate included in the request.
-
-Example:
-
-```txt
-"CN=Access Testing CA,OU=TX,O=Access Testing,L=Austin,ST=Texas,C=US"
-```
-
-## `cf.tls_client_auth.cert_subject_dn`
-
-`cf.tls_client_auth.cert_subject_dn` <Type text='String' />
-
-The Distinguished Name (DN) of the owner (or requester) of the certificate included in the request.
-
-Example:
-
-```txt
-"CN=James Royal,OU=Access Admins,O=Access,L=Austin,ST=Texas,C=US"
-```
-
-## `cf.tls_client_auth.cert_issuer_dn_rfc2253`
-
-`cf.tls_client_auth.cert_issuer_dn_rfc2253` <Type text='String' />
-
-The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in [RFC 2253](https://datatracker.ietf.org/doc/html/rfc2253) format.
-
-Example:
-
-```
-"CN=Access Testing CA,OU=TX,O=Access Testing,L=Austin,ST=Texas,C=US"
-```
-
-## `cf.tls_client_auth.cert_subject_dn_rfc2253`
-
-`cf.tls_client_auth.cert_subject_dn_rfc2253` <Type text='String' />
-
-The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in [RFC 2253](https://datatracker.ietf.org/doc/html/rfc2253) format.
-
-Example:
-
-```
-"CN=James Royal,OU=Access Admins,O=Access,L=Austin,ST=Texas,C=US"
-```
-
-## `cf.tls_client_auth.cert_issuer_dn_legacy`
-
-`cf.tls_client_auth.cert_issuer_dn_legacy` <Type text='String' />
-
-The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in a legacy format.
-
-Example:
-
-```
-"/C=US/ST=Texas/L=Austin/O=Access Testing/OU=TX/CN=Access Testing CA"
-```
-
-## `cf.tls_client_auth.cert_subject_dn_legacy`
-
-`cf.tls_client_auth.cert_subject_dn_legacy` <Type text='String' />
-
-The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in a legacy format.
-
-Example:
-
-```
-"/C=US/ST=Texas/L=Austin/O=Access/OU=Access Admins/CN=James Royal"
-```
-
-## `cf.tls_client_auth.cert_serial`
-
-`cf.tls_client_auth.cert_serial` <Type text='String' />
-
-Serial number of the certificate in the request.
-
-Example:
-
-```
-"527E0F20A20EA2A4146C78390F34CE7AF0878CA4"
-```
-
-## `cf.tls_client_auth.cert_issuer_serial`
-
-`cf.tls_client_auth.cert_issuer_serial` <Type text='String' />
-
-Serial number of the direct issuer of the certificate in the request.
-
-Example:
-
-```
-"2688201DBA77402EA87118876F2E1B24CF8B0395"
-```
-
-## `cf.tls_client_auth.cert_fingerprint_sha256`
-
-`cf.tls_client_auth.cert_fingerprint_sha256` <Type text='String' />
-
-The SHA-256 fingerprint of the certificate in the request.
-
-Example:
-
-```
-"af363dc85bc942a892d3cee9796190fdb36d89cd588a4f1cb17c74a943439714"
-```
-
-## `cf.tls_client_auth.cert_fingerprint_sha1`
-
-`cf.tls_client_auth.cert_fingerprint_sha1` <Type text='String' />
-
-The SHA-1 fingerprint of the certificate in the request.
-
-Example:
-
-```
-"933ad5282c560ae3f482a43ecd73bc9de878a190"
-```
-
-## `cf.tls_client_auth.cert_not_before`
-
-`cf.tls_client_auth.cert_not_before` <Type text='String' />
-
-The certificate in the request is not valid before this date.
-
-Example:
-
-```
-"Mar 21 13:35:00 2022 GMT"
-```
-
-## `cf.tls_client_auth.cert_not_after`
-
-`cf.tls_client_auth.cert_not_after` <Type text='String' />
-
-The certificate in the request is not valid after this date.
-
-Example:
-
-```
-"Mar 21 13:35:00 2023 GMT"
-```
-
-## `cf.tls_client_auth.cert_ski`
-
-`cf.tls_client_auth.cert_ski` <Type text='String' />
-
-The Subject Key Identifier (SKI) of the certificate in the request.
-
-Example:
-
-```
-"27846FAE6EAC4A8DAD9101B519CF1EB460242831"
-```
-
-## `cf.tls_client_auth.cert_issuer_ski`
-
-`cf.tls_client_auth.cert_issuer_ski` <Type text='String' />
-
-The Subject Key Identifier (SKI) of the direct issuer of the certificate in the request.
-
-Example:
-
-```
-"8204924CF49D471E855862706D889F58F6B784D3"
-```
-
-## `cf.tls_client_extensions_sha1`
-
-`cf.tls_client_extensions_sha1` <Type text='String' />
-
-The SHA-1 fingerprint of TLS client extensions, encoded in Base64.
-
-Example:
-
-```
-"OWFiM2I5ZDc0YWI0YWYzZmFkMGU0ZjhlYjhiYmVkMjgxNTU5YTU2Mg=="
-```
-
-## `cf.tls_client_hello_length`
-
-`cf.tls_client_hello_length` <Type text='Number' />
-
-The length of the client hello message sent in a [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake). Specifically, the length of the bytestring of the client hello.
-
-Example:
-
-```
-508
-```
-
-## `cf.tls_client_random`
-
-`cf.tls_client_random` <Type text='String' />
-
-The value of the 32-byte random value provided by the client in a [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake), encoded in Base64. Refer to [RFC 8446](https://datatracker.ietf.org/doc/html/rfc8446#section-4.1.2) for more details.
-
-Example:
-
-```
-"YWJjZA=="
-```
-
-## `cf.tls_version`
-
-`cf.tls_version` <Type text='String' />
-
-The TLS version of the connection to Cloudflare.
-
-Example:
-
-```
-"TLSv1.2"
-```
-
-## `cf.waf.content_scan.has_obj`
-
-`cf.waf.content_scan.has_obj` <Type text='Boolean' />
-
-When `true`, the request contains at least one <GlossaryTooltip term="content object">content object</GlossaryTooltip>.
-
-For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
-
-## `cf.waf.content_scan.has_malicious_obj`
-
-`cf.waf.content_scan.has_malicious_obj` <Type text='Boolean' />
-
-When `true`, the request contains at least one malicious content object.
-
-For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
-
-## `cf.waf.content_scan.num_malicious_obj`
-
-`cf.waf.content_scan.num_malicious_obj` <Type text='Integer' />
-
-The number of malicious content objects detected in the request (zero or greater).
-
-For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
-
-## `cf.waf.content_scan.has_failed`
-
-`cf.waf.content_scan.has_failed` <Type text='Boolean' />
-
-When `true`, the file scanner was unable to scan all the content objects detected in the request.
-
-For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
-
-## `cf.waf.content_scan.num_obj`
-
-`cf.waf.content_scan.num_obj` <Type text='Integer' />
-
-The number of content objects detected in the request (zero or greater).
-
-For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
-
-## `cf.waf.content_scan.obj_sizes`
-
-`cf.waf.content_scan.obj_sizes` <Type text='Array<Integer>' />
-
-An array of file sizes in bytes, in the order the content objects were detected in the request.
-
-For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
-
-## `cf.waf.content_scan.obj_types`
-
-`cf.waf.content_scan.obj_types` <Type text='Array<String>' />
-
-An array of file types in the order the content objects were detected in the request. If Cloudflare cannot determine the file type of a content object, the corresponding value in the `obj_types` array will be `application/octet-stream`.
-
-For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
-
-## `cf.waf.content_scan.obj_results`
-
-`cf.waf.content_scan.obj_results` <Type text='Array<String>' />
-
-An array of scan results in the order the content objects were detected in the request. The possible values are: `clean`, `suspicious`, `infected`, and `not scanned`.
-
-For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
-
-## `cf.waf.score`
-
-`cf.waf.score` <Type text='Number' />
-
-A global score from `1` to `99` that combines the score of each WAF attack vector into a single score. This is the standard [WAF attack score](/waf/detections/attack-score/) to detect variants of attack patterns.
-
-## `cf.waf.score.sqli`
-
-`cf.waf.score.sqli` <Type text='Number' />
-
-An attack score from `1` to `99` classifying the SQL injection (SQLi) attack vector.
-
-## `cf.waf.score.xss`
-
-`cf.waf.score.xss` <Type text='Number' />
-
-An attack score from `1` to `99` classifying the cross-site scripting (XSS) attack vector.
-
-## `cf.waf.score.rce`
-
-`cf.waf.score.rce` <Type text='Number' />
-
-An attack score from `1` to `99` classifying the command injection or Remote Code Execution (RCE) attack vector.
-
-## `cf.waf.score.class`
-
-`cf.waf.score.class` <Type text='String' />
-
-The attack score class of the current request, based on the WAF attack score. Can have one of the following values: `attack`, `likely_attack`, `likely_clean`, `clean`.
-
-## `cf.waf.auth_detected`
-
-`cf.waf.auth_detected` <Type text='Boolean' />
-
-When `true`, the Cloudflare WAF detected authentication credentials in the request.
-
-Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
-
-## `cf.waf.credential_check.password_leaked`
-
-`cf.waf.credential_check.password_leaked` <Type text='Boolean' />
-
-When `true`, the password detected in the request was previously leaked.
-
-Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
-
-## `cf.waf.credential_check.username_leaked`
-
-`cf.waf.credential_check.username_leaked` <Type text='Boolean' />
-
-When `true`, the username detected in the request was previously leaked.
-
-Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
-
-## `cf.waf.credential_check.username_and_password_leaked`
-
-`cf.waf.credential_check.username_and_password_leaked` <Type text='Boolean' />
-
-When `true`, the authentication credentials detected in the request (username and password pair) were previously leaked.
-
-Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
-
-## `cf.waf.credential_check.username_password_similar`
-
-`cf.waf.credential_check.username_password_similar` <Type text='Boolean' />
-
-When `true`, a similar version of the username and password credentials detected in the request were previously leaked.
-
-Only available when [leaked credentials detection](/waf/detections/leaked-credentials/) is enabled.
-
-## `cf.worker.upstream_zone`
-
-`cf.worker.upstream_zone` <Type text='String' />
-
-Identifies whether a request comes from a worker or not. When a request comes from a worker, this field will hold the name of the zone for that worker. Otherwise, `cf.worker.upstream_zone` is empty.
-
-## Corporate Proxy
-
-<Render file="corporate_proxy" product="bots" />
-
-## JSON Web Tokens Validation claims
-
-[API Shield](/api-shield/) users can now create [custom rules](/waf/custom-rules/) using claims present in tokens processed by [JSON Web Tokens Validation](/api-shield/security/jwt-validation/).
-
-Users can also use any custom JWT claim. Refer to the [WAF documentation](/waf/custom-rules/use-cases/check-jwt-claim-to-protect-admin-user/) for an example of a custom JWT claim.
-
-### `aud` (audience)
-
-`http.request.jwt.claims.aud` <Type text='Map<Array<String>>' /> <br />
-`http.request.jwt.claims.aud.names` <Type text='Array<String>' /> <br />
-`http.request.jwt.claims.aud.values` <Type text='Array<String>' />
-
-The `aud` (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for. Each principal intended to process the JWT must identify itself with a value in the audience claim. In the general case, the `aud` value is an array of case-sensitive strings, each containing a `StringOrURI` value.
-
-<Render file="jwt-claims" product="api-shield" />
-
-### `iat` (issued at)
-
-`http.request.jwt.claims.iat.sec` <Type text='Map<Array<Integer>>' /> <br />
-`http.request.jwt.claims.iat.sec.names` <Type text='Array<String>' /> <br />
-`http.request.jwt.claims.iat.sec.values` <Type text='Array<Integer>' />
-
-The `iat` (issued at) claim identifies the time (number of seconds) at which the JWT was issued.
-
-<Render file="jwt-claims" product="api-shield" />
-
-### `iss` (issuer)
-
-`http.request.jwt.claims.iss` <Type text='Map<Array<String>>' /> <br />
-`http.request.jwt.claims.iss.names` <Type text='Array<String>' /> <br />
-`http.request.jwt.claims.iss.values` <Type text='Array<String>' />
-
-The `iss` (issuer) claim identifies the principal that issued the JWT.
-
-<Render file="jwt-claims" product="api-shield" />
-
-### `jti` (JWT ID)
-
-`http.request.jwt.claims.jti` <Type text='Map<Array<String>>' /> <br />
-`http.request.jwt.claims.jti.names` <Type text='Array<String>' /> <br />
-`http.request.jwt.claims.jti.values` <Type text='Array<String>' />
-
-The `jti` (JWT ID) claim provides a unique identifier for the JWT.
-
-<Render file="jwt-claims" product="api-shield" />
-
-### `nbf` (not before)
-
-`http.request.jwt.claims.nbf.sec` <Type text='Map<Array<Integer>>' /> <br />
-`http.request.jwt.claims.nbf.sec.names` <Type text='Array<String>' /> <br />
-`http.request.jwt.claims.nbf.sec.values` <Type text='Array<Integer>' />
-
-The `nbf` (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing.
-
-<Render file="jwt-claims" product="api-shield" />
-
-### `sub` (subject)
-
-`http.request.jwt.claims.sub` <Type text='Map<Array<String>>' /> <br />
-`http.request.jwt.claims.sub.names` <Type text='Array<String>' /> <br />
-`http.request.jwt.claims.sub.values` <Type text='Array<String>' />
-
-The `sub` (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject.
-
-<Render file="jwt-claims" product="api-shield" />
diff --git a/src/content/docs/ruleset-engine/rules-language/fields/http-request-body.mdx b/src/content/docs/ruleset-engine/rules-language/fields/http-request-body.mdx
deleted file mode 100644
index e91e7e197fcaf3f..000000000000000
--- a/src/content/docs/ruleset-engine/rules-language/fields/http-request-body.mdx
+++ /dev/null
@@ -1,226 +0,0 @@
----
-title: HTTP request body fields
-pcx_content_type: reference
-sidebar:
-  order: 6
-head:
-  - tag: title
-    content: HTTP request body fields | Fields reference
----
-
-import { Type } from "~/components";
-
-:::note
-Access to HTTP request body fields requires a Cloudflare Enterprise plan with a paid add-on, except for the `http.request.body.mime` field.
-:::
-
-The Rules language includes fields that represent properties of an HTTP request body. Many of these return [arrays](/ruleset-engine/rules-language/values/#arrays) containing the respective values.
-
-:::caution
-
-All `http.request.body.*` fields (except [`http.request.body.size`](#httprequestbodysize)) handle a given maximum body size, which varies per plan. For Enterprise customers, the maximum body size analyzed by Cloudflare is 128 KB; for lower Cloudflare plans, the maximum size is lower. You cannot define expressions that rely on request body data beyond the maximum size set for your plan. If the request body is larger, the body fields will contain a truncated value and the [`http.request.body.truncated`](#httprequestbodytruncated) field will be set to `true`. The [`http.request.body.size`](#httprequestbodysize) field will contain the full size of the request without any truncation.
-
-The maximum body size applies only to the values of HTTP body fields — the origin server will still receive the complete request body.
-
-:::
-
-The Cloudflare Rules language supports these HTTP body fields.
-
-## `http.request.body.raw`
-
-`http.request.body.raw` <Type text='String' />
-
-The unaltered HTTP request body.
-
-When the value of [`http.request.body.truncated`](#httprequestbodytruncated) is true, the return value may be truncated.
-
-- Decoding: no decoding performed
-- Whitespace: preserved
-- Non-ASCII: preserved
-
-## `http.request.body.truncated`
-
-`http.request.body.truncated` <Type text='Boolean' />
-
-Indicates whether the HTTP request body is truncated.
-
-When true, `http.request.body` fields may not contain all of the HTTP request body.
-
-## `http.request.body.size`
-
-`http.request.body.size` <Type text='Number' />
-
-The total size of the HTTP request body (in bytes).
-
-:::note
-This field may have a value larger than the one returned by `len(http.request.body.raw)`, since the [`http.request.body.raw`](#httprequestbodyraw) field only considers the request body up to a maximum size that varies according to your Cloudflare plan.
-:::
-
-## `http.request.body.form`
-
-`http.request.body.form` <Type text='Map<Array<String>>' />
-
-The HTTP request body of a form represented as a Map (or associative array). Populated when the `Content-Type` header is `application/x-www-form-urlencoded`.
-
-The values are not pre-processed and retain the original case used in the request.
-
-When a field repeats, then the array contains multiple items in the order they are in the request.
-
-The return value may be truncated if [`http.request.body.truncated`](#httprequestbodytruncated) is true.
-
-- **Decoding:** no decoding performed
-- **Whitespace:** preserved
-- **Non-ASCII:** preserved
-
-Example:
-
-```txt
-any(http.request.body.form["username"][*] == "admin")
-```
-
-Example value:
-`{username": ["admin"]}`
-
-## `http.request.body.form.names`
-
-`http.request.body.form.names` <Type text='Array<String>' />
-
-The names of the form fields in an HTTP request where the content type is `application/x-www-form-urlencoded`.
-
-Names are not pre-processed and retain the original case used in the request. They are listed in the same order as in the request.
-
-Duplicate names are listed multiple times.
-
-The return value may be truncated if [`http.request.body.truncated`](#httprequestbodytruncated) is true.
-
-- **Decoding:** no decoding performed
-- **Whitespace:** preserved
-- **Non-ASCII:** preserved
-
-Example:
-
-```txt
-any(http.request.body.form.names[*] == "username")
-```
-
-Example value:
-
-`["username"]`
-
-## `http.request.body.form.values`
-
-`http.request.body.form.values` <Type text='Array<String>' />
-
-The values of the form fields in an HTTP request where the content type is `application/x-www-form-urlencoded`.
-
-The values are not pre-processed and retain the original case used in the request. They are listed in the same order as in the request.
-
-Duplicated values are listed multiple times.
-
-The return value may be truncated if [`http.request.body.truncated`](#httprequestbodytruncated) is true.
-
-- **Decoding:** no decoding performed
-- **Whitespace:** preserved
-- **Non-ASCII:** preserved
-
-Example:
-
-```txt
-any(http.request.body.form.values[*] == "admin")
-```
-
-Example value:
-
-`["admin"]`
-
-## `http.request.body.mime`
-
-`http.request.body.mime` <Type text='String' />
-
-The MIME type of the request detected from the request body.
-
-Supports the most common MIME types of the following general categories: video, audio, image, application, text.
-
-Example:
-
-`image/jpeg`
-
-This field is available on all Cloudflare plans.
-
-## `http.request.body.multipart`
-
-`http.request.body.multipart` <Type text='Map<Array<String>>' />
-
-A Map (or associative array) representation of multipart names to multipart values in the request body.
-
-Example value:
-
-`{"username": ["alice_doe"], "picture": [<binary_content_of_file>]}`
-
-## `http.request.body.multipart.names`
-
-`http.request.body.multipart.names` <Type text='Array<Array<String>>' />
-
-List of multipart names for every part in the multipart body.
-
-Example value:
-
-`[["username"], ["picture"]]`
-
-Example:
-
-`any(http.request.body.multipart.names[*][0] == "picture")`
-
-## `http.request.body.multipart.values`
-
-`http.request.body.multipart.values` <Type text='Array<String>' />
-
-List of multipart values for every part in the multipart body.
-
-Example value:
-
-`["alice_doe", <binary_content_of_file>]`
-
-## `http.request.body.multipart.content_types`
-
-`http.request.body.multipart.content_types` <Type text='Array<Array<String>>' />
-
-List of `Content-Type` headers for each part in the multipart body.
-
-Example value:
-
-`[["text/plain"], ["image/jpeg"]]`
-
-Example:
-
-`any(http.request.body.multipart.content_types[*][0] == "application/octet-stream")`
-
-## `http.request.body.multipart.content_dispositions`
-
-`http.request.body.multipart.content_dispositions` <Type text='Array<Array<String>>' />
-
-List of `Content-Disposition` headers for each part in the multipart body.
-
-Example value:
-
-`[["form-data; name=\"username\"], ["form-data;name=\"picture\"]]`
-
-## `http.request.body.multipart.content_transfer_encodings`
-
-`http.request.body.multipart.content_transfer_encodings` <Type text='Array<Array<String>>' />
-
-List of `Content-Transfer-Encoding` headers for each part in the multipart body.
-
-Example value:
-
-`[["quoted-printable"], ["quoted-printable"]]`
-
-## `http.request.body.multipart.filenames`
-
-`http.request.body.multipart.filenames` <Type text='Array<Array<String>>' />
-
-List of filenames for each part in the multipart body.
-
-Example value:
-
-`[["file1.txt"], ["photo.jpg"]]`
diff --git a/src/content/docs/ruleset-engine/rules-language/fields/http-request-header.mdx b/src/content/docs/ruleset-engine/rules-language/fields/http-request-header.mdx
deleted file mode 100644
index c05cfd468335a4a..000000000000000
--- a/src/content/docs/ruleset-engine/rules-language/fields/http-request-header.mdx
+++ /dev/null
@@ -1,146 +0,0 @@
----
-title: HTTP request header fields
-pcx_content_type: reference
-sidebar:
-  order: 5
-head:
-  - tag: title
-    content: HTTP request header fields | Fields reference
----
-
-import { Type } from "~/components";
-
-The Rules language includes fields that represent properties of HTTP request headers. Many of these return [arrays](/ruleset-engine/rules-language/values/#arrays) containing the respective values.
-
-The Cloudflare Rules language supports these HTTP header fields.
-
-## `http.request.headers`
-
-`http.request.headers` <Type text='Map<Array<String>>' />
-
-The HTTP request headers represented as a Map (or associative array).
-
-The keys of the associative array are the names of HTTP request headers converted to lowercase.
-
-When there are repeating headers, the array includes them in the order they appear in the request.
-
-The request header values are not pre-processed and retain the original case used in the request.
-
-- **Decoding:** no decoding performed
-- **Whitespace:** preserved
-- **Non-ASCII:** preserved
-
-Example:
-
-```txt
-any(http.request.headers["content-type"][*] == "application/json")
-```
-
-Example value:
-
-```
-{"content-type": ["application/json"]}
-```
-
-## `http.request.headers.names`
-
-`http.request.headers.names` <Type text='Array<String>' />
-
-The names of the headers in the HTTP request.
-
-The names are not pre-processed and retain the original case used in the request.
-
-:::note
-In HTTP/2, the names of HTTP headers are always in lowercase. Recent versions of the `curl` tool [enable HTTP/2 by default](https://curl.se/docs/manpage.html#--http2) for HTTPS connections.
-:::
-
-The order of header names is not guaranteed but will match [`http.request.headers.values`](#httprequestheadersvalues).
-
-Duplicate headers are listed multiple times.
-
-- **Decoding:** no decoding performed
-- **Whitespace:** preserved
-- **Non-ASCII:** preserved
-
-Example:
-
-```
-any(http.request.headers.names[*] == "content-type")
-```
-
-Example value: `["content-type"]`
-
-## `http.request.headers.values`
-
-`http.request.headers.values` <Type text='Array<String>' />
-
-The values of the headers in the HTTP request.
-
-The values are not pre-processed and retain the original case used in the request.
-
-The order of header values is not guaranteed but will match [`http.request.headers.names`](#httprequestheadersnames).
-
-Duplicate headers are listed multiple times.
-
-- **Decoding:** no decoding performed
-- **Whitespace:** preserved
-- **Non-ASCII:** preserved
-
-Example 1:
-
-```
-any(http.request.headers.values[*] == "application/json")
-```
-
-Example value 1:
-
-```
-["application/json"]
-```
-
-Additionally used to match requests according to the specified operator and the length/size entered for the header value.
-
-Example 2:
-
-```
-any(len(http.request.headers.values[*])[*] gt 10)
-```
-
-Example value 2:
-
-```
-["This header value is longer than 10 bytes"]
-```
-
-## `http.request.headers.truncated`
-
-`http.request.headers.truncated` <Type text='Boolean' />
-
-Returns `true` when the HTTP request contains too many headers; otherwise, returns `false`.
-
-When `true`, [`http.request.headers`](#httprequestheaders), [`http.request.headers.names`](#httprequestheadersnames), and [`http.request.headers.values`](#httprequestheadersvalues) may not contain all of the headers sent in the HTTP request.
-
-## `http.request.accepted_languages`
-
-`http.request.accepted_languages` <Type text='Array<String>' />
-
-List of language tags provided in the [`Accept-Language`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language) HTTP request header, sorted by weight (`;q=<weight>`, with a default weight of `1`) in descending order.
-
-If the HTTP header is not present in the request or is empty, `http.request.accepted_languages[0]` will return a "[missing value](/ruleset-engine/rules-language/values/#notes)", which the [`concat()`](/ruleset-engine/rules-language/functions/#concat) function will handle as an empty string.
-
-If the HTTP header includes the language tag `*` it will not be stored in the array.
-
-Example 1:
-
-Request with header `Accept-Language: fr-CH, fr;q=0.8, en;q=0.9, de;q=0.7, *;q=0.5`. In this case:
-`http.request.accepted_languages[0] == "fr-CH"`
-`http.request.accepted_languages == ["fr-CH", "en", "fr", "de"]`
-
-Example 2:
-
-Request without an `Accept-Language` HTTP header and a URI of `https://www.example.com/my-path`. In this case:
-`concat("/", http.request.accepted_languages[0], http.request.uri.path) == "//my-path"`.
-
-:::note
-This field is only available in [Transform Rules](/rules/transform/).
-:::
diff --git a/src/content/docs/ruleset-engine/rules-language/fields/http-request-response.mdx b/src/content/docs/ruleset-engine/rules-language/fields/http-request-response.mdx
deleted file mode 100644
index c8b89d02ab3ed83..000000000000000
--- a/src/content/docs/ruleset-engine/rules-language/fields/http-request-response.mdx
+++ /dev/null
@@ -1,160 +0,0 @@
----
-title: HTTP request response fields
-pcx_content_type: reference
-sidebar:
-  order: 7
-head:
-  - tag: title
-    content: HTTP request response fields | Fields reference
----
-
-import { Details, Type } from "~/components";
-
-The Cloudflare Rules language supports these HTTP response fields.
-
-## `http.response.code`
-
-`http.response.code` <Type text='Integer' />
-
-The HTTP status code returned to the client, either set by a Cloudflare product or returned by the origin server.
-
-Example value:
-`403`
-
-## `http.response.headers`
-
-`http.response.headers` <Type text='Map<Array<String>>' />
-
-The HTTP response headers represented as a Map (or associative array).
-
-When there are repeating headers, the array includes them in the order they appear in the response. The keys convert to lowercase.
-
-- Decoding: no decoding performed
-- Whitespace: preserved
-- Non-ASCII: preserved
-
-Example:
-
-```txt
-any(http.response.headers["server"][*] == "nginx")
-```
-
-Example value:
-
-```txt
-{"server": ["nginx"]}
-```
-
-## `http.response.headers.names`
-
-`http.response.headers.names` <Type text='Array<String>' />
-
-The names of the headers in the HTTP response. The names are not pre-processed and retain the original case used in the response.
-
-The order of header names is not guaranteed but will match [`http.response.headers.values`](#httpresponseheadersvalues).
-
-Duplicate headers are listed multiple times.
-
-- Decoding: no decoding performed
-- Whitespace: preserved
-- Non-ASCII: preserved
-
-Example:
-
-```
-any(http.response.headers.names[*] == "content-type")
-```
-
-Example value: `["content-type"]`
-
-## `http.response.headers.values`
-
-`http.response.headers.values` <Type text='Array<String>' />
-
-The values of the headers in the HTTP response.
-
-The values are not pre-processed and retain the original case used in the response.
-
-The order of header values is not guaranteed but will match [`http.response.headers.names`](#httpresponseheadersnames).
-
-Duplicate headers are listed multiple times.
-
-- Decoding: no decoding performed
-- Whitespace: preserved
-- Non-ASCII: preserved
-
-Example 1:
-
-```
-any(http.response.headers.values[*] == "application/json")
-```
-
-Example value 1: `["application/json"]`
-
-Additionally used to match responses according to the specified operator and the length/size entered for the header value.
-
-Example 2:
-
-```
-any(len(http.response.headers.values[*])[*] gt 10)
-```
-
-Example value 2:
-`["This header value is longer than 10 bytes"]`
-
-## `http.response.content_type.media_type`
-
-`http.response.content_type.media_type` <Type text='String' />
-
-The lowercased content type (including subtype and suffix) without any parameters such as `charset`, based on the response's `Content-Type` header.
-
-<Details header="Example values">
-
-| Content-Type header                     | Field value         |
-| --------------------------------------- | ------------------- |
-| `text/html`                             | `"text/html"`       |
-| `text/html; charset=utf-8`              | `"text/html"`       |
-| `text/html+extra`                       | `"text/html+extra"` |
-| `text/html+extra; charset=utf-8`        | `"text/html+extra"` |
-| `text/HTML`                             | `"text/html"`       |
-| `text/html; charset=utf-8; other=value` | `"text/html"`       |
-
-</Details>
-
-## `cf.response.1xxx_code`
-
-`cf.response.1xxx_code` <Type text='Integer' />
-
-Contains the specific code for 1XXX Cloudflare errors. Use this field to differentiate between 1XXX errors associated with the same HTTP status code. The default value is `0`. For a list of 1XXX errors, refer to [Troubleshooting Cloudflare 1XXX errors](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-1xxx-errors/).
-
-Example value:
-`1020`
-
-:::note
-Note: This field is only available in [HTTP response header modifications](/rules/transform/response-header-modification/) and [Custom Error Responses](/rules/custom-error-responses/).
-:::
-
-## `cf.response.error_type`
-
-`cf.response.error_type` <Type text='String' />
-
-A string with the type of error in the response being returned. The default value is an empty string (`""`).
-
-The available values are the following:
-
-- `managed_challenge`
-- `iuam`
-- `legacy_challenge`
-- `ip_ban`
-- `waf`
-- `5xx`
-- `1xxx`
-- `always_online`
-- `country_challenge`
-- `ratelimit`
-
-You can use this field to customize the response for a specific type of error (for example, all 1XXX errors or all WAF block actions).
-
-:::note
-This field is only available in [HTTP response header modifications](/rules/transform/response-header-modification/) and [Custom Error Responses](/rules/custom-error-responses/).
-:::
diff --git a/src/content/docs/ruleset-engine/rules-language/fields/index.mdx b/src/content/docs/ruleset-engine/rules-language/fields/index.mdx
index f87360c5015c080..be1026e6166b4f6 100644
--- a/src/content/docs/ruleset-engine/rules-language/fields/index.mdx
+++ b/src/content/docs/ruleset-engine/rules-language/fields/index.mdx
@@ -10,6 +10,23 @@ head:
 
 import { DirectoryListing } from "~/components";
 
-The Cloudflare Rules language supports a range of field types:
+The Cloudflare Rules language supports different types of fields, including:
 
-<DirectoryListing />
+- Request fields that represent the basic properties of incoming requests, including specific fields for accessing request headers, URI components, and the request body.
+- Dynamic fields that represent computed or derived values, typically related to threat intelligence about an HTTP request.
+- Response fields that represent the basic properties of the received response.
+- Raw fields that preserve the original request values for later evaluations.
+
+Refer to the [Fields reference](/ruleset-engine/rules-language/fields/reference/) for the list of available fields.
+
+## Differences from Wireshark display fields
+
+Most fields supported by the Cloudflare Rules language use the same naming conventions as [Wireshark display fields](https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html). However, there are some subtle differences between Cloudflare and Wireshark:
+
+- Wireshark supports [CIDR (Classless Inter-Domain Routing) notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) for expressing IP address ranges in equality comparisons (`ip.src == 1.2.3.0/24`, for example). Cloudflare does not.
+
+  To evaluate a range of addresses using CIDR notation, use the `in` [comparison operator](/ruleset-engine/rules-language/operators/#comparison-operators) as in this example: `ip.src in {1.2.3.0/24 4.5.6.0/24}`.
+
+- In Wireshark, `ssl` is a protocol field containing hundreds of other fields of various types that are available for comparison in multiple ways. However, in the Rules language `ssl` is a single Boolean field that indicates whether the connection from the client to Cloudflare is encrypted.
+
+- The Cloudflare Rules language does not support the `slice` operator.
diff --git a/src/content/docs/ruleset-engine/rules-language/fields/standard-fields.mdx b/src/content/docs/ruleset-engine/rules-language/fields/standard-fields.mdx
deleted file mode 100644
index e5b4a146f27e742..000000000000000
--- a/src/content/docs/ruleset-engine/rules-language/fields/standard-fields.mdx
+++ /dev/null
@@ -1,547 +0,0 @@
----
-title: Standard fields
-pcx_content_type: reference
-sidebar:
-  order: 1
-head:
-  - tag: title
-    content: Standard fields | Fields reference
----
-
-import { Details, Render, Type } from "~/components";
-
-Most standard fields use the same naming conventions as [Wireshark display fields](https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html). However, there are some subtle differences between Cloudflare and Wireshark:
-
-- Wireshark supports [CIDR (Classless Inter-Domain Routing) notation](https://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing) for expressing IP address ranges in equality comparisons (`ip.src == 1.2.3.0/24`, for example). Cloudflare does not.
-
-  To evaluate a range of addresses using CIDR notation, use the `in` [comparison operator](/ruleset-engine/rules-language/operators/#comparison-operators) as in this example: `ip.src in {1.2.3.0/24 4.5.6.0/24}`.
-
-- In Wireshark, `ssl` is a protocol field containing hundreds of other fields of various types that are available for comparison in multiple ways. However, in the Rules language `ssl` is a single Boolean field that indicates whether the connection from the client to Cloudflare is encrypted.
-
-- The Cloudflare Rules language does not support the `slice` operator.
-
-:::note[Availability notes]
-
-- Geolocation information is provided and maintained by MaxMind. Access to `ip.src.is_in_european_union`, `ip.src.subdivision_1_iso_code`, and `ip.src.subdivision_2_iso_code` fields requires a Cloudflare Business or Enterprise plan.
-
-- Access to `http.request.cookies` field requires a Cloudflare Pro, Business, or Enterprise plan.
-
-:::
-
-The Cloudflare Rules language supports these standard fields.
-
-## `http.cookie`
-
-`http.cookie` <Type text='String' />
-
-The entire cookie as a string.
-
-Example value:
-
-```txt
-session=8521F670545D7865F79C3D7BEDC29CCE;-background=light
-```
-
-## `http.host`
-
-`http.host` <Type text='String' />
-
-The hostname used in the full request URI.
-
-Example value:
-
-```txt
-www.example.org
-```
-
-## `http.referer`
-
-`http.referer` <Type text='String' />
-
-The HTTP `Referer` request header, which contains the address of the web page that linked to the currently requested page.
-
-Example value:
-
-```txt
-Referer: htt­ps://developer.example.org/en-US/docs/Web/JavaScript
-```
-
-## `http.request.full_uri`
-
-`http.request.full_uri` <Type text='String' />
-
-The full URI as received by the web server (does not include `#fragment`, which is not sent to web servers).
-
-Example value:
-
-```txt
-htt­ps://www.example.org/articles/index?section=539061&expand=comments
-```
-
-## `http.request.method`
-
-`http.request.method` <Type text='String' />
-
-The HTTP method, returned as a string of uppercase characters.
-
-Example value:
-
-```txt
-GET
-```
-
-## `http.request.cookies`
-
-`http.request.cookies` <Type text='Map<Array<String>>' />
-
-The `Cookie` HTTP header associated with a request represented as a Map (associative array). The cookie values are not pre-processed and retain the original case used in the request.
-
-**Decoding:** The cookie names are URL decoded. If two cookies have the same name after decoding, their value arrays are merged.
-
-Example:
-
-```txt
-any(http.request.cookies["app"][*] == "test")
-```
-
-Example value:
-
-```json
-{ "app": ["test"] }
-```
-
-## `http.request.timestamp.sec`
-
-`http.request.timestamp.sec` <Type text='Integer' />
-
-The timestamp when Cloudflare received the request, expressed as UNIX time in seconds. This value is 10 digits long.
-
-To obtain the timestamp milliseconds, use the [`http.request.timestamp.msec`](#httprequesttimestampmsec) field.
-
-Example value:
-
-```txt
-1484063137
-```
-
-When validating HMAC tokens in an expression, pass this field as the `currentTimestamp` argument to the [`is_timed_hmac_valid_v0()`](/ruleset-engine/rules-language/functions/#hmac-validation) validation function.
-
-## `http.request.timestamp.msec`
-
-`http.request.timestamp.msec` <Type text='Integer' />
-
-The millisecond when Cloudflare received the request, between 0 and 999.
-
-To obtain the complete timestamp, use both [`http.request.timestamp.sec`](#httprequesttimestampsec) and [`http.request.timestamp.msec`](#httprequesttimestampmsec) fields.
-
-Example value:
-
-```txt
-857
-```
-
-## `http.request.uri`
-
-`http.request.uri` <Type text='String' />
-
-The URI path and query string of the request.
-
-Example value:
-
-```txt
-/articles/index?section=539061&expand=comments
-```
-
-## `http.request.uri.path`
-
-`http.request.uri.path` <Type text='String' />
-
-The URI path of the request.
-
-Example value:
-
-```txt
-/articles/index
-```
-
-## `http.request.uri.path.extension`
-
-`http.request.uri.path.extension` <Type text='String' />
-
-The lowercased file extension in the URI path without the dot (`.`) character. This corresponds to the string after the last dot in the URI path, excluding the query string.
-
-If the first character of the last path segment is a dot and the segment does not contain other dot characters, the field value will be an empty string (`""`). Having a dot as the first character does not represent a file extension and is commonly used in UNIX-like systems to denote a hidden file or directory.
-
-Example values:
-
-- If the URI path is `/articles/index.html`, the field value will be `html`.
-- If the URI path is `/articles/index.`, the field value will be an empty string (`""`).
-
-<Details header="Example values">
-
-| URI path       | Field value |
-| -------------- | ----------- |
-| `/foo`         | `""`        |
-| `/foo.mp3`     | `"mp3"`     |
-| `/.mp3`        | `""`        |
-| `/.foo.mp3`    | `"mp3"`     |
-| `/foo.tar.bz2` | `"bz2"`     |
-| `/foo.`        | `""`        |
-| `/foo.MP3`     | `"mp3"`     |
-
-</Details>
-
-## `http.request.uri.query`
-
-`http.request.uri.query` <Type text='String' />
-
-The entire query string, without the `?` delimiter.
-
-Example value:
-
-```txt
-section=539061&expand=comments
-```
-
-## `http.user_agent`
-
-`http.user_agent` <Type text='String' />
-
-The HTTP `User-Agent` request header, which contains a characteristic string to identify the client operating system and web browser.
-
-Example value:
-
-```txt
-Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65.0.3325.181 Safari/537.36
-```
-
-## `http.request.version`
-
-`http.request.version` <Type text='String' />
-
-The version of the HTTP protocol used. Use this field when different checks are needed for different versions.
-
-Example values:
-
-- `HTTP/1.1`
-- `HTTP/3`
-
-## `http.x_forwarded_for`
-
-`http.x_forwarded_for` <Type text='String' />
-
-The full `X-Forwarded-For` HTTP header.
-
-Example value:
-
-```txt
-203.0.113.195, 70.41.3.18
-```
-
-## `ip.src`
-
-`ip.src` <Type text='IP address' />
-
-The client TCP IP address, which may be adjusted to reflect the actual address of the client using HTTP headers such as `X-Forwarded-For` or `X-Real-IP`.
-
-Example value:
-
-```txt
-93.184.216.34
-```
-
-## `ip.src.lat`
-
-`ip.src.lat` <Type text='String' />
-
-The latitude associated with the client IP address.
-
-Example value:
-
-```txt
-37.78044
-```
-
-## `ip.src.lon`
-
-`ip.src.lon` <Type text='String' />
-
-The longitude associated with the client IP address.
-
-Example value:
-
-```txt
--122.39055
-```
-
-## `ip.src.city`
-
-`ip.src.city` <Type text='String' />
-
-The city associated with the client IP address.
-
-Example value:
-
-```txt
-San Francisco
-```
-
-## `ip.src.postal_code`
-
-`ip.src.postal_code` <Type text='String' />
-
-The postal code associated with the incoming request.
-
-Example value:
-
-```txt
-78701
-```
-
-## `ip.src.metro_code`
-
-`ip.src.metro_code` <Type text='String' />
-
-The metro code or Designated Market Area (DMA) code associated with the incoming request.
-
-Example value:
-
-```txt
-635
-```
-
-## `ip.src.region`
-
-`ip.src.region` <Type text='String' />
-
-The region name associated with the incoming request.
-
-Example value:
-
-```txt
-Texas
-```
-
-## `ip.src.region_code`
-
-`ip.src.region_code` <Type text='String' />
-
-The region code associated with the incoming request.
-
-Example value:
-
-```txt
-TX
-```
-
-## `ip.src.timezone.name`
-
-`ip.src.timezone.name` <Type text='String' />
-
-The name of the timezone associated with the incoming request. This field is only available in rewrite expressions of [Transform Rules](/rules/transform/).
-
-Example value:
-
-```txt
-America/Chicago
-```
-
-## `ip.src.asnum`
-
-`ip.src.asnum` <Type text='Number' />
-
-The 16-bit or 32-bit integer representing the Autonomous System (AS) number associated with the client IP address.
-
-This field has the same value as the `ip.geoip.asnum` field, which is deprecated. The `ip.geoip.asnum` field is still available for new and existing rules, but you should use the `ip.src.asnum` field instead.
-
-## `ip.src.continent`
-
-`ip.src.continent` <Type text='String' />
-
-The continent code associated with the client IP address:
-
-- **AF**: Africa
-- **AN**: Antarctica
-- **AS**: Asia
-- **EU**: Europe
-- **NA**: North America
-- **OC**: Oceania
-- **SA**: South America
-- **T1**: Tor network
-
-This field has the same value as the `ip.geoip.continent` field, which is deprecated. The `ip.geoip.continent` field is still available for new and existing rules, but you should use the `ip.src.continent` field instead.
-
-## `ip.src.country`
-
-`ip.src.country` <Type text='String' />
-
-The 2-letter country code in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format.
-
-Example value:
-
-```txt
-GB
-```
-
-For more information on the ISO 3166-1 Alpha 2 format, refer to [ISO 3166-1 Alpha 2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2) on Wikipedia.
-
-This field has the same value as the `ip.geoip.country` field, which is deprecated. The `ip.geoip.country` field is still available for new and existing rules, but you should use the `ip.src.country` field instead.
-
-## `ip.src.subdivision_1_iso_code`
-
-`ip.src.subdivision_1_iso_code` <Type text='String' />
-
-The ISO 3166-2 code for the first-level region associated with the IP address. When the actual value is not available, this field contains an empty string.
-
-Example value:
-
-```txt
-GB-ENG
-```
-
-For more information on the ISO 3166-2 standard and the available regions, refer to [ISO 3166-2](https://en.wikipedia.org/wiki/ISO_3166-2) on Wikipedia.
-
-This field has the same value as the `ip.geoip.subdivision_1_iso_code` field, which is deprecated. The `ip.geoip.subdivision_1_iso_code` field is still available for new and existing rules, but you should use the `ip.src.subdivision_1_iso_code` field instead.
-
-## `ip.src.subdivision_2_iso_code`
-
-`ip.src.subdivision_2_iso_code` <Type text='String' />
-
-The ISO 3166-2 code for the second-level region associated with the IP address. When the actual value is not available, this field contains an empty string.
-
-Example value:
-
-```txt
-GB-SWK
-```
-
-For more information on the ISO 3166-2 standard and the available regions, refer to [ISO 3166-2](https://en.wikipedia.org/wiki/ISO_3166-2) on Wikipedia.
-
-This field has the same value as the `ip.geoip.subdivision_2_iso_code` field, which is deprecated. The `ip.geoip.subdivision_2_iso_code` field is still available for new and existing rules, but you should use the `ip.src.subdivision_2_iso_code` field instead.
-
-## `ip.src.is_in_european_union`
-
-`ip.src.is_in_european_union` <Type text='Boolean' />
-
-Returns `true` when the request originates from a country in the European Union (EU).
-
-<Details header="Countries in the EU (from geolocation data)">
-
-| Country code | Country name    |
-| ------------ | --------------- |
-| `AT`         | Austria         |
-| `AX`         | Åland Islands   |
-| `BE`         | Belgium         |
-| `BG`         | Bulgaria        |
-| `CY`         | Cyprus          |
-| `CZ`         | Czechia         |
-| `DE`         | Germany         |
-| `DK`         | Denmark         |
-| `EE`         | Estonia         |
-| `ES`         | Spain           |
-| `FI`         | Finland         |
-| `FR`         | France          |
-| `GF`         | French Guiana   |
-| `GP`         | Guadeloupe      |
-| `GR`         | Greece          |
-| `HR`         | Croatia         |
-| `HU`         | Hungary         |
-| `IE`         | Ireland         |
-| `IT`         | Italy           |
-| `LT`         | Lithuania       |
-| `LU`         | Luxembourg      |
-| `LV`         | Latvia          |
-| `MF`         | Saint Martin    |
-| `MQ`         | Martinique      |
-| `MT`         | Malta           |
-| `NL`         | The Netherlands |
-| `PL`         | Poland          |
-| `PT`         | Portugal        |
-| `RE`         | Réunion         |
-| `RO`         | Romania         |
-| `SE`         | Sweden          |
-| `SI`         | Slovenia        |
-| `SK`         | Slovakia        |
-| `YT`         | Mayotte         |
-
-The EU country list was obtained from MaxMind's GeoIP2 database on 2023-12-05. For details on obtaining up-to-date country information, refer to the [MaxMind website](https://dev.maxmind.com/geoip/geolite2-free-geolocation-data).
-
-</Details>
-
-This field has the same value as the `ip.geoip.is_in_european_union` field, which is deprecated. The `ip.geoip.is_in_european_union` field is still available for new and existing rules, but you should use the `ip.src.is_in_european_union` field instead.
-
-## `raw.http.request.full_uri`
-
-`raw.http.request.full_uri` <Type text='String' />
-
-The raw full URI as received by the web server without the URI fragment (if any) and without any transformation.
-
-<Render
-	file="raw-fields-definition-with-link"
-	params={{ fieldLink: "[`http.request.full_uri`](#httprequestfull_uri)" }}
-/>
-
-**Note:** This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
-
-## `raw.http.request.uri`
-
-`raw.http.request.uri` <Type text='String' />
-
-The raw URI path and query string of the request without any transformation.
-
-<Render
-	file="raw-fields-definition-with-link"
-	params={{ fieldLink: "[`http.request.uri`](#httprequesturi)" }}
-/>
-
-**Note:** This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
-
-## `raw.http.request.uri.path`
-
-`raw.http.request.uri.path` <Type text='String' />
-
-The raw URI path of the request without any transformation.
-
-<Render
-	file="raw-fields-definition-with-link"
-	params={{ fieldLink: "[`http.request.uri.path`](#httprequesturipath)" }}
-/>
-
-**Note:** This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
-
-## `raw.http.request.uri.path.extension`
-
-`raw.http.request.uri.path.extension` <Type text='String' />
-
-The raw file extension in the request URI path without any transformation.
-
-<Render
-	file="raw-fields-definition-with-link"
-	params={{
-		fieldLink:
-			"[`http.request.uri.path.extension`](#httprequesturipathextension)",
-	}}
-/>
-
-## `raw.http.request.uri.query`
-
-`raw.http.request.uri.query` <Type text='String' />
-
-The entire query string without the `?` delimiter and without any transformation.
-
-<Render
-	file="raw-fields-definition-with-link"
-	params={{ fieldLink: "[`http.request.uri.query`](#httprequesturiquery)" }}
-/>
-
-**Note:** This raw field may include some basic normalization done by Cloudflare's HTTP server. However, this can change in the future.
-
-## `ssl`
-
-`ssl` <Type text='Boolean' />
-
-Returns `true` when the HTTP connection to the client is encrypted.
-
----
-
-_GeoIP is the registered trademark of MaxMind, Inc._
diff --git a/src/content/docs/ruleset-engine/rules-language/fields/uri.mdx b/src/content/docs/ruleset-engine/rules-language/fields/uri.mdx
deleted file mode 100644
index ba93a9198615321..000000000000000
--- a/src/content/docs/ruleset-engine/rules-language/fields/uri.mdx
+++ /dev/null
@@ -1,111 +0,0 @@
----
-title: URI argument and value fields
-pcx_content_type: reference
-sidebar:
-  order: 4
-head:
-  - tag: title
-    content: URI argument and value fields | Fields reference
----
-
-import { Render, Type } from "~/components";
-
-The Cloudflare Rules language includes URI argument and value fields associated with HTTP requests. Many of these fields return [arrays](/ruleset-engine/rules-language/values/#arrays) containing the respective values.
-
-The Cloudflare Rules language supports these URI argument and value fields.
-
-## `http.request.uri.args`
-
-`http.request.uri.args` <Type text='Map<Array<String>>' />
-
-The HTTP URI arguments associated with a request represented as a Map (associative array).
-
-When an argument repeats, the array contains multiple items in the order they appear in the request.
-
-The values are not pre-processed and retain the original case used in the request.
-
-- **Decoding:** no decoding performed
-- **Non-ASCII:** preserved
-
-Example:
-
-`any(http.request.uri.args["search"][*] == "red+apples")`
-
-Example value:
-
-`{"search": ["red+apples"]}`
-
-## `http.request.uri.args.names`
-
-`http.request.uri.args.names` <Type text='Array<String>' />
-
-The names of the arguments in the HTTP URI query string. The names are not pre-processed and retain the original case used in the request.
-
-When a name repeats, the array contains multiple items in the order that they appear in the request.
-
-- **Decoding:** no decoding performed
-- **Non-ASCII:** preserved
-
-Example:
-
-`any(http.request.uri.args.names[*] == "search")`
-
-Example value:
-
-`["search"]`
-
-## `http.request.uri.args.values`
-
-`http.request.uri.args.values` <Type text='Array<String>' />
-
-The values of arguments in the HTTP URI query string. The values are not pre-processed and retain the original case used in the request. They are in the same order as in the request.
-
-Duplicated values are listed multiple times.
-
-- **Decoding:** no decoding performed
-- **Non-ASCII:** preserved
-
-Example:
-
-`any(http.request.uri.args.values[*] == "red+apples")`
-
-Example value:
-
-`["red+apples"]`
-
-## `raw.http.request.uri.args`
-
-`raw.http.request.uri.args` <Type text='Map<Array<String>>' />
-
-The raw HTTP URI arguments associated with a request represented as a Map (associative array).
-
-<Render
-	file="raw-fields-definition-with-link"
-	params={{ fieldLink: "[`http.request.uri.args`](#httprequesturiargs)" }}
-/>
-
-## `raw.http.request.uri.args.names`
-
-`raw.http.request.uri.args.names` <Type text='Array<String>' />
-
-The raw names of the arguments in the HTTP URI query string.
-
-<Render
-	file="raw-fields-definition-with-link"
-	params={{
-		fieldLink: "[`http.request.uri.args.names`](#httprequesturiargsnames)",
-	}}
-/>
-
-## `raw.http.request.uri.args.values`
-
-`raw.http.request.uri.args.values` <Type text='Array<String>' />
-
-The raw values of arguments in the HTTP URI query string.
-
-<Render
-	file="raw-fields-definition-with-link"
-	params={{
-		fieldLink: "[`http.request.uri.args.values`](#httprequesturiargsvalues)",
-	}}
-/>

From 449f7ecf39acb0e5b93424f0ae2cd1c140825cfd Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Wed, 15 Jan 2025 10:30:21 +0000
Subject: [PATCH 39/45] Update a few more links

---
 .../rules/transform/managed-transforms/reference.mdx   | 10 +++++-----
 src/content/docs/waf/managed-rules/index.mdx           |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/src/content/docs/rules/transform/managed-transforms/reference.mdx b/src/content/docs/rules/transform/managed-transforms/reference.mdx
index da1c2e19b0b6cbe..f3b8719763eedfb 100644
--- a/src/content/docs/rules/transform/managed-transforms/reference.mdx
+++ b/src/content/docs/rules/transform/managed-transforms/reference.mdx
@@ -136,11 +136,11 @@ Adds a `Malicious-Uploads-Detection` request header indicating the outcome of sc
 
 The header can have one of the following values:
 
-| Header + Value                   | Description                                                                                                                                                                                                            |
-| -------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| `Malicious-Uploads-Detection: 1` | The request contains at least one malicious content object ([`cf.waf.content_scan.has_malicious_obj`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanhas_malicious_obj) is `true`).            |
-| `Malicious-Uploads-Detection: 2` | The file scanner was unable to scan all the content objects detected in the request ([`cf.waf.content_scan.has_failed`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanhas_failed) is `true`). |
-| `Malicious-Uploads-Detection: 3` | The request contains at least one content object ([`cf.waf.content_scan.has_obj`](/ruleset-engine/rules-language/fields/dynamic-fields/#cfwafcontent_scanhas_obj) is `true`).                                          |
+| Header + Value                   | Description                                                                                                                                                                                                          |
+| -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| `Malicious-Uploads-Detection: 1` | The request contains at least one malicious content object ([`cf.waf.content_scan.has_malicious_obj`](/ruleset-engine/rules-language/fields/reference/cf.waf.content_scan.has_malicious_obj/) is `true`).            |
+| `Malicious-Uploads-Detection: 2` | The file scanner was unable to scan all the content objects detected in the request ([`cf.waf.content_scan.has_failed`](/ruleset-engine/rules-language/fields/reference/cf.waf.content_scan.has_failed/) is `true`). |
+| `Malicious-Uploads-Detection: 3` | The request contains at least one content object ([`cf.waf.content_scan.has_obj`](/ruleset-engine/rules-language/fields/reference/cf.waf.content_scan.has_obj/) is `true`).                                          |
 
 For more information, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/).
 
diff --git a/src/content/docs/waf/managed-rules/index.mdx b/src/content/docs/waf/managed-rules/index.mdx
index 6b5ffa09444a6c5..6f488a884513daa 100644
--- a/src/content/docs/waf/managed-rules/index.mdx
+++ b/src/content/docs/waf/managed-rules/index.mdx
@@ -52,4 +52,4 @@ At the zone level, you can only deploy each WAF managed ruleset once. At the [ac
 
 Cloudflare analyzes the body of incoming requests up to a certain maximum size that varies according to your Cloudflare plan. For Enterprise customers, the maximum body size is 128 KB, while for other plans the limit is lower. This means that the behavior of specific managed rules that analyze request bodies can vary according to your current Cloudflare plan.
 
-If included in your plan, you can use [request body fields](/ruleset-engine/rules-language/fields/http-request-body/) such as `http.request.body.truncated` or `http.request.headers.truncated` in [custom rules](/waf/custom-rules/) that apply appropriate actions to requests that have not been fully analyzed by Cloudflare due to the maximum body size.
+If included in your plan, you can use [request body fields](/ruleset-engine/rules-language/fields/reference/) such as `http.request.body.truncated` or `http.request.headers.truncated` in [custom rules](/waf/custom-rules/) that apply appropriate actions to requests that have not been fully analyzed by Cloudflare due to the maximum body size.

From 05a91c2d837c6358a82a4873c7e5c74d16daaec1 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Wed, 15 Jan 2025 11:11:11 +0000
Subject: [PATCH 40/45] Add new api_gateway fields

---
 src/content/fields/index.yaml | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index 1e5b579d5218fd3..8f7e7ecccfa2b85 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -448,6 +448,25 @@ entries:
     keywords: [request, tls, https, client, visitor]
     summary: Returns `true` when the HTTP connection to the client is encrypted.
 
+  - name: cf.api_gateway.auth_id_present
+    data_type: Boolean
+    categories: [Request]
+    keywords: [request, session, api shield, client, visitor]
+    plan_info_label: Enterprise add-on
+    summary: Indicates whether the request contained an API session authentication token, as defined by API Shield's saved [session identifiers](/api-shield/get-started/#session-identifiers).
+
+  - name: cf.api_gateway.request_violates_schema
+    data_type: Boolean
+    categories: [Request]
+    keywords: [request, api shield, client, visitor]
+    summary: Indicates whether the request [violated the schema](/api-shield/security/schema-validation/) assigned to the respective saved endpoint.
+
+  - name: cf.api_gateway.fallthrough_detected
+    data_type: Boolean
+    categories: [Request]
+    keywords: [request, api shield, client, visitor]
+    summary: Indicates whether the request matched a saved endpoint in [Endpoint Management](/api-shield/management-and-monitoring/).
+
   - name: cf.bot_management.verified_bot
     data_type: Boolean
     categories: [Request, Bots]

From 8768d8eecd0e3958b907341e33470abecfa2d97c Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Wed, 15 Jan 2025 11:14:39 +0000
Subject: [PATCH 41/45] Fix field description

---
 src/content/fields/index.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/content/fields/index.yaml b/src/content/fields/index.yaml
index 8f7e7ecccfa2b85..4788bfacb9fd4f9 100644
--- a/src/content/fields/index.yaml
+++ b/src/content/fields/index.yaml
@@ -1615,7 +1615,7 @@ entries:
     categories: [Request, Body]
     keywords: [request, body, form, client, visitor]
     plan_info_label: Enterprise add-on
-    summary: The values of the form fields in an HTTP request
+    summary: The values of the form fields in an HTTP request.
     description: |-
       Populated when the `Content-Type` header is `application/x-www-form-urlencoded`.
 

From 0827ac1e712c9b85d560a05d9711981dbb3f770a Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Wed, 15 Jan 2025 13:28:28 +0000
Subject: [PATCH 42/45] Ignore individual field pages in link checker (existing
 issue with dots)

---
 astro.config.ts | 1 +
 1 file changed, 1 insertion(+)

diff --git a/astro.config.ts b/astro.config.ts
index 03b004c6b7be476..7fbceed08ea8047 100644
--- a/astro.config.ts
+++ b/astro.config.ts
@@ -193,6 +193,7 @@ export default defineConfig({
 									"/products/",
 									"/rules/snippets/examples/?operation=*",
 									"/rules/transform/examples/?operation=*",
+									"/ruleset-engine/rules-language/fields/reference/**",
 									"/workers/examples/?languages=*",
 									"/workers/examples/?tags=*",
 									"/workers-ai/models/**",

From 4d4c9fd31194b2fd2a15b8eb5fb0ec0a8963384d Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Wed, 15 Jan 2025 13:55:43 +0000
Subject: [PATCH 43/45] Remove link

---
 .../docs/api-shield/security/jwt-validation/transform-rules.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/content/docs/api-shield/security/jwt-validation/transform-rules.mdx b/src/content/docs/api-shield/security/jwt-validation/transform-rules.mdx
index 12417d4b3e3df6f..e2b705f71acdff8 100644
--- a/src/content/docs/api-shield/security/jwt-validation/transform-rules.mdx
+++ b/src/content/docs/api-shield/security/jwt-validation/transform-rules.mdx
@@ -31,4 +31,4 @@ As an example, to send the `x-send-jwt-claim-user` request header to the origin,
 4. Enter a rule name and a filter expression, if applicable.
 5. Choose **Set dynamic**.
 6. Set the header name to `x-send-jwt-claim-user`.
-7. Set the value to `lookup_json_string(http.request.jwt.claims["<TOKEN_CONFIGURATION_ID>"][0], "claim_name")`, where `<TOKEN_CONFIGURATION_ID>` is your token configuration ID found in JWT Validation and `claim_name` is the [JWT claim](/ruleset-engine/rules-language/fields/reference/http.request.jwt.claims/) you want to add to the header.
+7. Set the value to `lookup_json_string(http.request.jwt.claims["<TOKEN_CONFIGURATION_ID>"][0], "claim_name")`, where `<TOKEN_CONFIGURATION_ID>` is your token configuration ID found in JWT Validation and `claim_name` is the JWT claim you want to add to the header.

From 425fe583fff82658e6d3b2d00e6fbacd578c90d2 Mon Sep 17 00:00:00 2001
From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com>
Date: Wed, 15 Jan 2025 16:32:47 +0000
Subject: [PATCH 44/45] Small text update

---
 src/content/docs/ruleset-engine/rules-language/fields/index.mdx | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/content/docs/ruleset-engine/rules-language/fields/index.mdx b/src/content/docs/ruleset-engine/rules-language/fields/index.mdx
index be1026e6166b4f6..9b1d3a30bddb585 100644
--- a/src/content/docs/ruleset-engine/rules-language/fields/index.mdx
+++ b/src/content/docs/ruleset-engine/rules-language/fields/index.mdx
@@ -10,7 +10,7 @@ head:
 
 import { DirectoryListing } from "~/components";
 
-The Cloudflare Rules language supports different types of fields, including:
+The Cloudflare Rules language supports different types of fields such as:
 
 - Request fields that represent the basic properties of incoming requests, including specific fields for accessing request headers, URI components, and the request body.
 - Dynamic fields that represent computed or derived values, typically related to threat intelligence about an HTTP request.

From b0b71f9f6e1902117be2e9bf204e1235a8ca11dc Mon Sep 17 00:00:00 2001
From: Kian Newman-Hazel <kian@cloudflare.com>
Date: Thu, 16 Jan 2025 16:44:57 +0000
Subject: [PATCH 45/45] Fix nested anchor tags in Markdown

---
 package-lock.json               | 39 +++++++++++++++++++++++++++++++++
 package.json                    |  1 +
 src/components/FieldCatalog.jsx | 13 ++++++-----
 3 files changed, 47 insertions(+), 6 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 5739182a4dd277b..89b98d888b9c411 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -60,6 +60,7 @@
 				"puppeteer": "^24.0.0",
 				"react": "^18.3.1",
 				"react-dom": "^18.3.1",
+				"react-markdown": "^9.0.3",
 				"react-textarea-autosize": "^8.5.7",
 				"redirects-in-workers": "^0.0.5",
 				"rehype-autolink-headings": "^7.1.0",
@@ -10904,6 +10905,17 @@
 			"integrity": "sha512-RuMffC89BOWQoY0WKGpIhn5gX3iI54O6nRA0yC124NYVtzjmFWBIiFd8M0x+ZdX0P9R4lADg1mgP8C7PxGOWuQ==",
 			"dev": true
 		},
+		"node_modules/html-url-attributes": {
+			"version": "3.0.1",
+			"resolved": "https://registry.npmjs.org/html-url-attributes/-/html-url-attributes-3.0.1.tgz",
+			"integrity": "sha512-ol6UPyBWqsrO6EJySPz2O7ZSr856WDrEzM5zMqp+FJJLGMW35cLYmmZnl0vztAZxRUoNZJFTCohfjuIJ8I4QBQ==",
+			"dev": true,
+			"license": "MIT",
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/unified"
+			}
+		},
 		"node_modules/html-void-elements": {
 			"version": "3.0.0",
 			"resolved": "https://registry.npmjs.org/html-void-elements/-/html-void-elements-3.0.0.tgz",
@@ -14986,6 +14998,33 @@
 				"react": "^18.3.1"
 			}
 		},
+		"node_modules/react-markdown": {
+			"version": "9.0.3",
+			"resolved": "https://registry.npmjs.org/react-markdown/-/react-markdown-9.0.3.tgz",
+			"integrity": "sha512-Yk7Z94dbgYTOrdk41Z74GoKA7rThnsbbqBTRYuxoe08qvfQ9tJVhmAKw6BJS/ZORG7kTy/s1QvYzSuaoBA1qfw==",
+			"dev": true,
+			"license": "MIT",
+			"dependencies": {
+				"@types/hast": "^3.0.0",
+				"devlop": "^1.0.0",
+				"hast-util-to-jsx-runtime": "^2.0.0",
+				"html-url-attributes": "^3.0.0",
+				"mdast-util-to-hast": "^13.0.0",
+				"remark-parse": "^11.0.0",
+				"remark-rehype": "^11.0.0",
+				"unified": "^11.0.0",
+				"unist-util-visit": "^5.0.0",
+				"vfile": "^6.0.0"
+			},
+			"funding": {
+				"type": "opencollective",
+				"url": "https://opencollective.com/unified"
+			},
+			"peerDependencies": {
+				"@types/react": ">=18",
+				"react": ">=18"
+			}
+		},
 		"node_modules/react-refresh": {
 			"version": "0.14.2",
 			"resolved": "https://registry.npmjs.org/react-refresh/-/react-refresh-0.14.2.tgz",
diff --git a/package.json b/package.json
index ec7b62b3d4a2aa4..e1749a3e1ce6a53 100644
--- a/package.json
+++ b/package.json
@@ -76,6 +76,7 @@
 		"puppeteer": "^24.0.0",
 		"react": "^18.3.1",
 		"react-dom": "^18.3.1",
+		"react-markdown": "^9.0.3",
 		"react-textarea-autosize": "^8.5.7",
 		"redirects-in-workers": "^0.0.5",
 		"rehype-autolink-headings": "^7.1.0",
diff --git a/src/components/FieldCatalog.jsx b/src/components/FieldCatalog.jsx
index 3cca0cc65027dda..4feaea57b498c2a 100644
--- a/src/components/FieldCatalog.jsx
+++ b/src/components/FieldCatalog.jsx
@@ -1,6 +1,6 @@
 import { useState } from "react";
 import FieldBadges from "./fields/FieldBadges";
-import { marked } from "marked";
+import Markdown from "react-markdown";
 
 const FieldCatalog = ({ fields }) => {
 	const [filters, setFilters] = useState({
@@ -116,12 +116,13 @@ const FieldCatalog = ({ fields }) => {
 									{field.name}
 								</span>
 							</div>
-							<p
+							<Markdown
 								className="!mt-2 line-clamp-2 text-sm leading-6"
-								dangerouslySetInnerHTML={{
-									__html: marked.parseInline(field.summary),
-								}}
-							/>
+								disallowedElements={["a"]}
+								unwrapDisallowed={true}
+							>
+								{field.summary}
+							</Markdown>
 
 							{field.plan_info_label && (
 								<div className="!mt-2 text-xs">