Cloudflare operates as a reverse proxy, so this explains how HTTP headers are handled, and what may change or be added when traffic passes through Cloudflare.
With these added headers, Cloudflare passes on all HTTP headers as-is from the client to the origin.
CF-IPCountry
This header holds the country code of the originating visitor. It is a two character value that will have the country code, if the country code is unknown, it will be "XX". This header is added to requests by enabling Cloudflare IP Geolocation in the dashboard.
"Cf-Ipcountry: US"
CF-Connecting-IP
To provide the client (visitor) IP address for every request to the origin, Cloudflare adds the CF-Connecting-IP header.
"CF-Connecting-IP: A.B.C.D"
Where A.B.C.D is the client's IP address, also known as the original visitor IP address.
X-Forwarded-For
X-Forwarded-For is a well-established HTTP header used by proxies, including Cloudflare, to pass along other IP addresses in the request. This is often the same as CF-Connecting-IP, but there may be multiple layers of proxies in a request path.
There are two possible outcomes:
First, if there was no existing "X-Forwarded-For" header in the request sent to Cloudflare, then the header would have an identical value to the CF-Connecting-IP header, like this:
"X-Forwarded-For: A.B.C.D"
where A.B.C.D is the client's IP address, also known as the original visitor IP address.
Second, if there was an "X-Forwarded-For" header present in the request sent to Cloudflare, Cloudflare appends the client's IP to its value, as the last in the list.
"X-Forwarded-For: A.B.C.D[,X.X.X.X,Y.Y.Y.Y,]"
where A.B.C.D is the client's IP address, also known as the original visitor IP address. X.X.X.X and Y.Y.Y.Y in this example are IP addresses along the route in the header value.
X-Forwarded-Proto
Cloudflare also appends an X-Forwarded-Proto header, which can either be HTTP or HTTPS depending on the protocol the user used to visit the site, like this:
"X-Forwarded-Proto: https"
Note: This header is only relevant when the Flexible SSL setting is used and a visitor requests to Cloudflare over HTTPS (Cloudflare requests to the origin over HTTP). In this case, the origin server can tell that the visitor was using HTTPS by inspecting this header.
CF-RAY
The CF-Ray header is a hash with the data center that the request came through. A sample looks like this:
"Cf-Ray: 230b030023ae2822-SJC"
You can add the CF-Ray header to your server logs which makes it possible to match requests that you see on Cloudflare to requests in your server logs. Enterprise customers can also see all requests made via Cloudflare in Enterprise Log Share.
CF-Visitor
Currently this header is a JSON object, containing only one key called “scheme”. The meaning is identical to that of X-Forwarded-Proto above - e.g. it will be either HTTP or HTTPS, and it is only relevant if you need to enable Flexible SSL in your Cloudflare settings.
"Cf-Visitor: { \"scheme\":\"https\"}"
True-Client-IP * Enterprise Plan only *
To provide the client (visitor) IP address for every request to the origin, Cloudflare adds the True-Client-IP header.
"True-Client-IP: A.B.C.D"
where A.B.C.D is the client's IP address, also known as the original visitor IP address. This request header is only available on our Enterprise plan.
There's absolutely no difference between True-Client-IP and Cf-Connecting-IP besides the name of the header. Some large Enterprise customers with legacy devices need a header like True-Client-IP to avoid updating firewalls or load-balancers to read a custom header name, so Cloudflare makes this heady available for easy backwards compatibility.