Learn how Cloudflare handles HTTP request headers to your origin web server and what headers Cloudflare adds to proxied requests.

Overview

Cloudflare passes all HTTP headers as-is from the client to the origin and adds additional headers as specified below.

Cloudflare strips any header that contains dots (.) from origin web server responses. For example, the origin web server header test.header:data is removed by Cloudflare’s proxy.

CF-IPCountry

Contains a two character country code of the originating visitor’s country. XX is used for unknown country information. This header is added to requests by enabling Cloudflare IP Geolocation in the dashboard.

Example:

Cf-Ipcountry: US

CF-Connecting-IP

Provides the client (visitor) IP address (connecting to Cloudflare) to the origin web server. cf-connecting-ip contains a special Cloudflare IP 2a06:98c0:3600:0:0:0:0:103 when the request originates from a Cloudflare Workers subrequest instead of the visitor's true IP.

Example:

CF-Connecting-IP: 203.0.113.1

X-Forwarded-For

Maintains proxy server and original visitor IP addresses. If there was no existing X-Forwarded-For header in the request sent to Cloudflare, X-Forwarded-For has an identical value to the CF-Connecting-IP header:

Example:

X-Forwarded-For: 203.0.113.1

If an X-Forwarded-For header was already present in the request to Cloudflare, Cloudflare appends the IP address of the HTTP proxy to the header:

Example:

X-Forwarded-For: 203.0.113.1,198.51.100.101,198.51.100.102

In the examples above, 203.0.113.1 is the original visitor IP address and 198.51.100.101 and 198.51.100.102 are proxy server IP addresses provided to Cloudflare via the X-Forwarded-For header.

To restore original visitor IP addresses at your origin web server, Cloudflare recommends your logs or applications look at CF-Connecting-IP or True-Client-IP instead of X-Forwarded-For since CF-Connecting-IP and True-Client-IP have a consistent format containing only one IP.

X-Forwarded-Proto

Since Flexible SSL instructs Cloudflare to connect to your origin web server over HTTP, the X-Forwarded-Proto informs your origin web server whether the visitor was actually using HTTPS or HTTP in the connection to Cloudflare:

Example:

X-Forwarded-Proto: https

CF-RAY

The cf-ray header is a hashed value encoding information about the data center and the visitor’s request:

Example:

Cf-Ray: 230b030023ae2822-SJC

Add the CF-Ray header to your origin web server logs to match requests proxied to Cloudflare to requests in your server logs. Enterprise customers can also see all requests via Cloudflare Logs.

CF-Visitor

A JSON object containing only one key called scheme. The value is identical to that of X-Forwarded-Proto (either HTTP or HTTPS). CF-Visitor is only relevant if using Flexible SSL.

Example:

Cf-Visitor: { \"scheme\":\"https\"}

True-Client-IP (Enterprise plan only)

Provides the original client (visitor) IP address to the origin web server. True-Client-IP is only available on our Enterprise plan. In the example below, 203.0.113.1 is the original visitor IP address.

Example:

True-Client-IP: 203.0.113.1

There's absolutely no difference between True-Client-IP and Cf-Connecting-IP besides the name of the header. Some Enterprise customers with legacy devices need True-Client-IP to avoid updating firewalls or load-balancers to read a custom header name.

CDN-Loop

Allows Cloudflare to specify how many times a request can enter Cloudflare's network before it is blocked as a looping request.

Example:

CDN-Loop: cloudflare

Related Resources