Require specific HTTP headers
Many organizations qualify traffic based on the presence of specific HTTP request headers. Use the Rules language HTTP request header fields to target requests with specific headers.
This example uses the http.headers.names
field to look for the presence of an X-CSRF-Token
header. The lower()
transformation function converts the value to lowercase so that the expression is case insensitive.
When the X-CSRF-Token
header is missing, Cloudflare blocks the request:
Expression | Action |
---|---|
not any(lower(http.request.headers.names[*])[*] eq "x-csrf-token") and
(http.request.full_uri eq "https://www.example.com/somepath")
|
Block |