Available Managed Transforms

Adds HTTP request headers with bot-related values:

• cf-bot-score: Contains the bot score (for example, 30).
• cf-verified-bot: Contains true if the request comes from a verified bot, or false otherwise.
• cf-threat-score: Contains the threat score (0-100).
• cf-ja3-hash: Contains the JA3 fingerprint.

This Managed Transform requires a Enterprise plan with Bot Management enabled.

Adds HTTP request headers with location information for the visitor's IP address. The added headers are:

• cf-ipcity: The visitor's city (value from the ip.src.city field).
• cf-ipcountry: The visitor's country (value from the ip.src.country field).
• cf-ipcontinent: The visitor's continent (value from the ip.geoip.continent field).
• cf-iplongitude: The visitor's longitude (value from the ip.src.lon field).
• cf-iplatitude: The visitor's latitude (value from the ip.src.lat field).

Adds a True-Client-IP request header with the visitor's IP address.

Only available on Enterprise plans.

Unavailable when Remove visitor IP headers is enabled.

Removes HTTP request headers that may contain the visitor's IP address. Handles the following HTTP request headers:

• cf-connecting-ip
• x-forwarded-for
• true-client-ip

Unavailable when Add "True-Client-IP" header is enabled.

Removes the X-Powered-By HTTP response header that provides information about the application at the origin server that handled the request.

Adds several security-related HTTP response headers. The added response headers and values are the following:

• X-Content-Type-Options: nosniff
• X-XSS-Protection: 1; mode=block
• X-Frame-Options: SAMEORIGIN
• Referrer-Policy: same-origin
• Expect-CT: max-age=86400, enforce

To increase protection, enable HTTP Strict Transport Security (HSTS) for your website.