How does CloudFlare handle HTTP Request headers?

CloudFlare operates as a reverse proxy, so our customers will want to know how existing HTTP headers are handled, and what may change going through CloudFlare.

With these exceptions, CloudFlare passes on all HTTP headers as is from the client to the origin.

First exception: CF-Connecting-IP

To provide the client (visitor) IP address for every request to the origin, CloudFlare adds the CF-Connecting-IP header.

"CF-Connecting-IP: A.B.C.D"

where A.B.C.D is the client's IP address, also known as the original visitor IP address.

Second exception: X-Forwarded-For

X-Forwarded-For is a well-established HTTP header used by proxies, including CloudFlare, to pass along other IP addresses in the request. This is often the same as CF-Connecting-IP, but there may be multiple layers of proxies in a request path.

Two possible outcomes.

First, if there is no existing "X-Forwarded-For" header in the request, then the header would have an identical value to the CF-Connecting-IP header, like this:

"X-Forwarded-For: A.B.C.D"

where A.B.C.D is the client's IP address, also known as the original visitor IP address.

Second, if there is an "X-Forwarded-For" header present in the request, CloudFlare will append the client's IP to its value, as the last in the list.

"X-Forwarded-For: A.B.C.D[,X.X.X.X,Y.Y.Y.Y,]"

where A.B.C.D is the client's IP address, also known as the original visitor IP address. X.X.X.X and Y.Y.Y.Y in this example are IP addresses along the route in the header value.

Third exception: CF-RAY

The CF-Ray header is passed on which includes a hash appended with the datacenter the request came through. A sample looks like this:

"Cf-Ray: 230b030023ae2822-SJC"

Fourth Exception: CF-IPCountry

This header holds the country code of the originating visitor, it is a two character value that will have the Country code, if the country code is unknown, it will be "XX".

"Cf-Ipcountry: US"

Fifth Exception: CF-Visitor

The only values you will see in this header will either be HTTP or HTTPS, it's used to show the scheme used to connect. If you have Flexible SSL, you will see HTTPS was requested by the visitor. 

"Cf-Visitor: { \"scheme\":\"https\"}" 

Sixth Exception: True-Client-IP   * Enterprise Plan only *

To provide the client (visitor) IP address for every request to the origin, CloudFlare adds the True-Client-IP header.

"True-Client-IP: A.B.C.D"

where A.B.C.D is the client's IP address, also known as the original visitor IP address. This request header is only available on our Enterprise plan.

Still not finding what you need?

The CloudFlare team is here to help. 95% of questions can be answered using the search tool, but if you can’t find what you need, submit a support request.

Powered by Zendesk