Available Managed Transforms

HTTP request headers

Name	Description
Add bot protection headers	Adds HTTP headers with bot-related values to the request sent to the origin server: `cf-bot-score`: Contains the bot score (for example, `30`). `cf-verified-bot`: Contains `true` if the request comes from a verified bot, or `false` otherwise. `cf-threat-score`: Contains the threat score (for example, `10`). `cf-ja3-hash`: Contains the JA3 fingerprint. This Managed Transform requires a Enterprise plan with Bot Management enabled.
Add TLS client auth headers	Adds HTTP headers with Mutual TLS (mTLS) client authentication values to the request sent to the origin server: `cf-cert-revoked`: Value from the `cf.tls_client_auth.cert_revoked` field. `cf-cert-verified`: Value from the `cf.tls_client_auth.cert_verified` field. `cf-cert-presented`: Value from the `cf.tls_client_auth.cert_presented` field. `cf-cert-issuer-dn`: Value from the `cf.tls_client_auth.cert_issuer_dn` field. `cf-cert-subject-dn`: Value from the `cf.tls_client_auth.cert_subject_dn` field. `cf-cert-issuer-dn-rfc2253`: Value from the `cf.tls_client_auth.cert_issuer_dn_rfc2253` field. `cf-cert-subject-dn-rfc2253`: Value from the `cf.tls_client_auth.cert_subject_dn_rfc2253` field. `cf-cert-issuer-dn-legacy`: Value from the `cf.tls_client_auth.cert_issuer_dn_legacy` field. `cf-cert-subject-dn-legacy`: Value from the `cf.tls_client_auth.cert_subject_dn_legacy` field. `cf-cert-serial`: Value from the `cf.tls_client_auth.cert_serial` field. `cf-cert-issuer-serial`: Value from the `cf.tls_client_auth.cert_issuer_serial` field. `cf-cert-fingerprint-sha256`: Value from the `cf.tls_client_auth.cert_fingerprint_sha256` field. `cf-cert-fingerprint-sha1`: Value from the `cf.tls_client_auth.cert_fingerprint_sha1` field. `cf-cert-not-before`: Value from the `cf.tls_client_auth.cert_not_before` field. `cf-cert-not-after`: Value from the `cf.tls_client_auth.cert_not_after` field. `cf-cert-ski`: Value from the `cf.tls_client_auth.cert_ski` field. `cf-cert-issuer-ski`: Value from the `cf.tls_client_auth.cert_issuer_ski` field.
Add visitor location headers	Adds HTTP headers with location information for the visitor's IP address to the request sent to the origin server: `cf-ipcity`: The visitor's city (value from the `ip.src.city` field). `cf-ipcountry`: The visitor's country (value from the `ip.src.country` field). `cf-ipcontinent`: The visitor's continent (value from the `ip.src.continent` field). `cf-iplongitude`: The visitor's longitude (value from the `ip.src.lon` field). `cf-iplatitude`: The visitor's latitude (value from the `ip.src.lat` field). `cf-region`: The visitor's region (value from the `ip.src.region` field). `cf-region-code`: The visitor's region code (value from the `ip.src.region_code` field). `cf-metro-code`: The visitor's metro code (value from the `ip.src.metro_code` field). `cf-postal-code`: The visitor's postal code (value from the `ip.src.postal_code` field). `cf-timezone`: The name of the visitor's timezone (value from the `ip.src.timezone.name` field).
Add "True-Client-IP" header	Adds a `true-client-ip` request header with the visitor's IP address. Only available on Enterprise plans. Unavailable when Remove visitor IP headers is enabled.
Remove visitor IP headers	Removes HTTP headers that may contain the visitor's IP address from the request sent to the origin server. Handles the following HTTP request headers: `cf-connecting-ip` `x-forwarded-for` (refer to the notes below) `true-client-ip` Unavailable when Add "True-Client-IP" header is enabled.

Visitor IP address in the `x-forwarded-for` HTTP header

For the x-forwarded-for HTTP request header, enabling Remove visitor IP headers will only remove the visitor IP from the header value when Cloudflare receives a request proxied by at least another CDN (content delivery network). In this case, Cloudflare will only keep the IP address of the last proxy.

For example, consider an incoming request proxied by two CDNs (CDN_1 and CDN_2) before reaching the Cloudflare network. The x-forwarded-for header would be similar to the following:
x-forwarded-for: <VISITOR_IP>, <THIRD_PARTY_CDN_1_IP>, <THIRD_PARTY_CDN_2_IP>

With Remove visitor IP headers enabled, the x-forwarded-for header sent to the origin server will be:
x-forwarded-for: <THIRD_PARTY_CDN_2_IP>

HTTP response headers

Name Description

Name	Description
Remove "X-Powered-By" headers	Removes the `X-Powered-By` HTTP response header that provides information about the application at the origin server that handled the request.
Add security headers	Adds several security-related HTTP response headers. The added response headers and values are the following: `x-content-type-options: nosniff` `x-xss-protection: 1; mode=block` `x-frame-options: SAMEORIGIN` `referrer-policy: same-origin` `expect-ct: max-age=86400, enforce` To increase protection, enable HTTP Strict Transport Security (HSTS) for your website.

Remove "X-Powered-By" headers

Removes the X-Powered-By HTTP response header that provides information about the application at the origin server that handled the request.

Add security headers

Adds several security-related HTTP response headers. The added response headers and values are the following:

x-content-type-options: nosniff
x-xss-protection: 1; mode=block
x-frame-options: SAMEORIGIN
referrer-policy: same-origin
expect-ct: max-age=86400, enforce

To increase protection, enable HTTP Strict Transport Security (HSTS) for your website.

Available Managed Transforms

​​ HTTP request headers

​​ Visitor IP address in the x-forwarded-for HTTP header

​​ HTTP response headers

HTTP request headers

Visitor IP address in the `x-forwarded-for` HTTP header

HTTP response headers