From 8ad4f022f3e43b4c8f01f05d8a515bc4cd5c0206 Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Thu, 7 Nov 2024 15:39:42 +0000 Subject: [PATCH 1/2] [Ruleset Engine] Use Type component in fields reference --- .../rules-language/fields/dynamic-fields.mdx | 164 +++++++++--------- .../fields/http-request-body.mdx | 42 ++--- .../fields/http-request-header.mdx | 20 ++- .../fields/http-request-response.mdx | 63 +++---- .../rules-language/fields/magic-firewall.mdx | 68 ++++---- .../rules-language/fields/standard-fields.mdx | 80 ++++----- .../rules-language/fields/uri.mdx | 14 +- 7 files changed, 219 insertions(+), 232 deletions(-) diff --git a/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx b/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx index 2c622626156603..f1a0cd2718a286 100644 --- a/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx +++ b/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx @@ -8,7 +8,7 @@ head: content: Dynamic fields | Fields reference --- -import { Render } from "~/components"; +import { Render, Type, GlossaryTooltip } from "~/components"; Dynamic fields represent computed or derived values, typically related to threat intelligence about an HTTP request. @@ -28,49 +28,49 @@ The Cloudflare Rules language supports these dynamic fields. ## `cf.bot_management.verified_bot` -`cf.bot_management.verified_bot` `Boolean` +`cf.bot_management.verified_bot` -When `true`, this field indicates the request originated from a known good bot or crawler. Provides the same information as `cf.client.bot`. +When `true`, this field indicates the request originated from a known good bot or crawler. Provides the same information as [`cf.client.bot`](#cfclientbot). ## `cf.verified_bot_category` -`cf.verified_bot_category` `String` +`cf.verified_bot_category` Provides the type and purpose of a verified bot. For more details, refer to [Verified Bot Categories](/bots/reference/verified-bot-categories/). ## `cf.bot_management.score` -`cf.bot_management.score` `Number` +`cf.bot_management.score` Represents the likelihood that a request originates from a bot using a score from 1–99. A low score indicates that the request comes from a bot or an automated agent. A high score indicates that a human issued the request. ## `cf.bot_management.static_resource` -`cf.bot_management.static_resource` `Boolean` +`cf.bot_management.static_resource` -Indicates whether static resources should be included when you create a rule using `cf.bot_management.score`. For more details, refer to [Static resource protection](/bots/reference/static-resources/). +Indicates whether static resources should be included when you create a rule using [`cf.bot_management.score`](#cfbot_managementscore). For more details, refer to [Static resource protection](/bots/reference/static-resources/). ## `cf.bot_management.ja3_hash` -`cf.bot_management.ja3_hash` `String` +`cf.bot_management.ja3_hash` Provides an SSL/TLS fingerprint to help you identify potential bot requests. For more details, refer to [JA3/JA4 Fingerprint](/bots/concepts/ja3-ja4-fingerprint/). ## `cf.bot_management.ja4` -`cf.bot_management.ja4` `String` +`cf.bot_management.ja4` Provides an SSL/TLS fingerprint to help you identify potential bot requests. For more details, refer to [JA3/JA4 Fingerprint](/bots/concepts/ja3-ja4-fingerprint/). ## `cf.bot_management.js_detection.passed` -`cf.bot_management.js_detection.passed` `Boolean` +`cf.bot_management.js_detection.passed` Indicates whether the visitor has previously passed a JS Detection. For more details, refer to [JavaScript detections](/bots/reference/javascript-detections/). ## `cf.bot_management.detection_ids` -`cf.bot_management.detection_ids` `Array` +`cf.bot_management.detection_ids` List of IDs that correlate to the Bot Management heuristic detections made on a request (you can have multiple heuristic detections on the same request). Use this field to explicitly match a specific heuristic or to exclude a heuristic in a rule. @@ -82,49 +82,49 @@ any(cf.bot_management.detection_ids[*] eq 33554817) ## `cf.client.bot` -`cf.client.bot` `Boolean` +`cf.client.bot` -When `true`, this field indicates the request originated from a known good bot or crawler. Provides the same information as `cf.bot_management.verified_bot`. +When `true`, this field indicates the request originated from a known good bot or crawler. Provides the same information as [`cf.bot_management.verified_bot`](#cfbot_managementverified_bot). ## `cf.edge.server_ip` -`cf.edge.server_ip` `IP Address` +`cf.edge.server_ip` Represents the global network's IP address to which the HTTP request has resolved. This field is only meaningful for [BYOIP customers](/byoip/). ## `cf.edge.server_port` -`cf.edge.server_port` `Number` +`cf.edge.server_port` Represents the port number at which the Cloudflare global network received the request. Use this field to filter traffic on a specific port. The value is a port number in the range 1–65535. ## `cf.hostname.metadata` -`cf.hostname.metadata` `String` +`cf.hostname.metadata` Returns the string representation of the per-hostname [custom metadata](/cloudflare-for-platforms/cloudflare-for-saas/domain-support/custom-metadata/) JSON object set by SSL for SaaS customers. ## `cf.random_seed` -`cf.random_seed` `Bytes` +`cf.random_seed` Returns per-request random bytes that you can use in the [`uuidv4()`](/ruleset-engine/rules-language/functions/#uuidv4) function. ## `cf.ray_id` -`cf.ray_id` `String` +`cf.ray_id` The Ray ID of the current request. A [Ray ID](/fundamentals/reference/cloudflare-ray-id/) is an identifier given to every request that goes through Cloudflare. ## `cf.threat_score` -`cf.threat_score` `Number` +`cf.threat_score` Represents a Cloudflare threat score from 0–100, where 0 indicates low risk. Values above 10 may represent spammers or bots, and values above 40 identify bad actors on the Internet. It is rare to see values above 60. A common recommendation is to challenge requests with a score above 10 and to block those above 50. ## `cf.tls_cipher` -`cf.tls_cipher` `String` +`cf.tls_cipher` The cipher for the connection to Cloudflare. @@ -136,25 +136,25 @@ Example: ## `cf.tls_client_auth.cert_revoked` -`cf.tls_client_auth.cert_revoked` `Boolean` +`cf.tls_client_auth.cert_revoked` -Returns `true` when a request presents a valid but revoked client certificate. When `true`, the `cf.tls_client_auth.cert_verified` field is also `true`. +Returns `true` when a request presents a valid but revoked client certificate. When `true`, the [`cf.tls_client_auth.cert_verified`](#cftls_client_authcert_verified) field is also `true`. ## `cf.tls_client_auth.cert_verified` -`cf.tls_client_auth.cert_verified` `Boolean` +`cf.tls_client_auth.cert_verified` -Returns `true` when a request presents a valid client certificate. Also returns `true` when a request includes a valid certificate that was revoked (see `cf.tls_client_auth.cert_revoked`). +Returns `true` when a request presents a valid client certificate. Also returns `true` when a request includes a valid certificate that was revoked (refer to [`cf.tls_client_auth.cert_revoked`](#cftls_client_authcert_revoked)). ## `cf.tls_client_auth.cert_presented` -`cf.tls_client_auth.cert_presented` `Boolean` +`cf.tls_client_auth.cert_presented` Returns `true` when a request presents a certificate (valid or not). ## `cf.tls_client_auth.cert_issuer_dn` -`cf.tls_client_auth.cert_issuer_dn` `String` +`cf.tls_client_auth.cert_issuer_dn` The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate included in the request. @@ -166,7 +166,7 @@ Example: ## `cf.tls_client_auth.cert_subject_dn` -`cf.tls_client_auth.cert_subject_dn` `String` +`cf.tls_client_auth.cert_subject_dn` The Distinguished Name (DN) of the owner (or requester) of the certificate included in the request. @@ -178,7 +178,7 @@ Example: ## `cf.tls_client_auth.cert_issuer_dn_rfc2253` -`cf.tls_client_auth.cert_issuer_dn_rfc2253` `String` +`cf.tls_client_auth.cert_issuer_dn_rfc2253` The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in [RFC 2253](https://datatracker.ietf.org/doc/html/rfc2253) format. @@ -190,7 +190,7 @@ Example: ## `cf.tls_client_auth.cert_subject_dn_rfc2253` -`cf.tls_client_auth.cert_subject_dn_rfc2253` `String` +`cf.tls_client_auth.cert_subject_dn_rfc2253` The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in [RFC 2253](https://datatracker.ietf.org/doc/html/rfc2253) format. @@ -202,7 +202,7 @@ Example: ## `cf.tls_client_auth.cert_issuer_dn_legacy` -`cf.tls_client_auth.cert_issuer_dn_legacy` `String` +`cf.tls_client_auth.cert_issuer_dn_legacy` The Distinguished Name (DN) of the Certificate Authority (CA) that issued the certificate in the request in a legacy format. @@ -214,7 +214,7 @@ Example: ## `cf.tls_client_auth.cert_subject_dn_legacy` -`cf.tls_client_auth.cert_subject_dn_legacy` `String` +`cf.tls_client_auth.cert_subject_dn_legacy` The Distinguished Name (DN) of the owner (or requester) of the certificate in the request in a legacy format. @@ -226,7 +226,7 @@ Example: ## `cf.tls_client_auth.cert_serial` -`cf.tls_client_auth.cert_serial` `String` +`cf.tls_client_auth.cert_serial` Serial number of the certificate in the request. @@ -238,7 +238,7 @@ Example: ## `cf.tls_client_auth.cert_issuer_serial` -`cf.tls_client_auth.cert_issuer_serial` `String` +`cf.tls_client_auth.cert_issuer_serial` Serial number of the direct issuer of the certificate in the request. @@ -250,7 +250,7 @@ Example: ## `cf.tls_client_auth.cert_fingerprint_sha256` -`cf.tls_client_auth.cert_fingerprint_sha256` `String` +`cf.tls_client_auth.cert_fingerprint_sha256` The SHA-256 fingerprint of the certificate in the request. @@ -262,7 +262,7 @@ Example: ## `cf.tls_client_auth.cert_fingerprint_sha1` -`cf.tls_client_auth.cert_fingerprint_sha1` `String` +`cf.tls_client_auth.cert_fingerprint_sha1` The SHA-1 fingerprint of the certificate in the request. @@ -274,7 +274,7 @@ Example: ## `cf.tls_client_auth.cert_not_before` -`cf.tls_client_auth.cert_not_before` `String` +`cf.tls_client_auth.cert_not_before` The certificate in the request is not valid before this date. @@ -286,7 +286,7 @@ Example: ## `cf.tls_client_auth.cert_not_after` -`cf.tls_client_auth.cert_not_after` `String` +`cf.tls_client_auth.cert_not_after` The certificate in the request is not valid after this date. @@ -298,7 +298,7 @@ Example: ## `cf.tls_client_auth.cert_ski` -`cf.tls_client_auth.cert_ski` `String` +`cf.tls_client_auth.cert_ski` The Subject Key Identifier (SKI) of the certificate in the request. @@ -310,7 +310,7 @@ Example: ## `cf.tls_client_auth.cert_issuer_ski` -`cf.tls_client_auth.cert_issuer_ski` `String` +`cf.tls_client_auth.cert_issuer_ski` The Subject Key Identifier (SKI) of the direct issuer of the certificate in the request. @@ -322,7 +322,7 @@ Example: ## `cf.tls_client_extensions_sha1` -`cf.tls_client_extensions_sha1` `String` +`cf.tls_client_extensions_sha1` The SHA-1 fingerprint of TLS client extensions, encoded in Base64. @@ -334,7 +334,7 @@ Example: ## `cf.tls_client_hello_length` -`cf.tls_client_hello_length` `Number` +`cf.tls_client_hello_length` The length of the client hello message sent in a [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake). Specifically, the length of the bytestring of the client hello. @@ -346,7 +346,7 @@ Example: ## `cf.tls_client_random` -`cf.tls_client_random` `String` +`cf.tls_client_random` The value of the 32-byte random value provided by the client in a [TLS handshake](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake), encoded in Base64. Refer to [RFC 8446](https://datatracker.ietf.org/doc/html/rfc8446#section-4.1.2) for more details. @@ -358,7 +358,7 @@ Example: ## `cf.tls_version` -`cf.tls_version` `String` +`cf.tls_version` The TLS version of the connection to Cloudflare. @@ -370,15 +370,15 @@ Example: ## `cf.waf.content_scan.has_obj` -`cf.waf.content_scan.has_obj` `Boolean` +`cf.waf.content_scan.has_obj` -When `true`, the request contains at least one [content object](https://www.cloudflare.com/learning/ssl/what-happens-in-a-tls-handshake/). +When `true`, the request contains at least one content object. For more details, refer to [Malicious uploads detection](/waf/detections/malicious-uploads/). ## `cf.waf.content_scan.has_malicious_obj` -`cf.waf.content_scan.has_malicious_obj` `Boolean` +`cf.waf.content_scan.has_malicious_obj` When `true`, the request contains at least one malicious content object. @@ -386,7 +386,7 @@ For more details, refer to [Malicious uploads detection](/waf/detections/malicio ## `cf.waf.content_scan.num_malicious_obj` -`cf.waf.content_scan.num_malicious_obj` `Integer` +`cf.waf.content_scan.num_malicious_obj` The number of malicious content objects detected in the request (zero or greater). @@ -394,7 +394,7 @@ For more details, refer to [Malicious uploads detection](/waf/detections/malicio ## `cf.waf.content_scan.has_failed` -`cf.waf.content_scan.has_failed` `Boolean` +`cf.waf.content_scan.has_failed` When `true`, the file scanner was unable to scan all the content objects detected in the request. @@ -402,7 +402,7 @@ For more details, refer to [Malicious uploads detection](/waf/detections/malicio ## `cf.waf.content_scan.num_obj` -`cf.waf.content_scan.num_obj` `Integer` +`cf.waf.content_scan.num_obj` The number of content objects detected in the request (zero or greater). @@ -410,7 +410,7 @@ For more details, refer to [Malicious uploads detection](/waf/detections/malicio ## `cf.waf.content_scan.obj_sizes` -`cf.waf.content_scan.obj_sizes` `Array` +`cf.waf.content_scan.obj_sizes` An array of file sizes in bytes, in the order the content objects were detected in the request. @@ -418,7 +418,7 @@ For more details, refer to [Malicious uploads detection](/waf/detections/malicio ## `cf.waf.content_scan.obj_types` -`cf.waf.content_scan.obj_types` `Array` +`cf.waf.content_scan.obj_types` An array of file types in the order the content objects were detected in the request. If Cloudflare cannot determine the file type of a content object, the corresponding value in the `obj_types` array will be `application/octet-stream`. @@ -426,7 +426,7 @@ For more details, refer to [Malicious uploads detection](/waf/detections/malicio ## `cf.waf.content_scan.obj_results` -`cf.waf.content_scan.obj_results` `Array` +`cf.waf.content_scan.obj_results` An array of scan results in the order the content objects were detected in the request. The possible values are: `clean`, `suspicious`, `infected`, and `not scanned`. @@ -434,37 +434,37 @@ For more details, refer to [Malicious uploads detection](/waf/detections/malicio ## `cf.waf.score` -`cf.waf.score` `Number` +`cf.waf.score` A global score from 1 to 99 that combines the score of each WAF attack vector into a single score. This is the standard [WAF attack score](/waf/detections/attack-score/) to detect variants of attack patterns. ## `cf.waf.score.sqli` -`cf.waf.score.sqli` `Number` +`cf.waf.score.sqli` An attack score from 1 to 99 classifying the SQL injection (SQLi) attack vector. ## `cf.waf.score.xss` -`cf.waf.score.xss` `Number` +`cf.waf.score.xss` An attack score from 1 to 99 classifying the cross-site scripting (XSS) attack vector. ## `cf.waf.score.rce` -`cf.waf.score.rce` `Number` +`cf.waf.score.rce` An attack score from 1 to 99 classifying the command injection or Remote Code Execution (RCE) attack vector. ## `cf.waf.score.class` -`cf.waf.score.class` `String` +`cf.waf.score.class` The attack score class of the current request, based on the WAF attack score. Can have one of the following values: `attack`, `likely_attack`, `likely_clean`, `clean`. ## `cf.waf.auth_detected` -`cf.waf.auth_detected` `Boolean` +`cf.waf.auth_detected` When `true`, the Cloudflare WAF detected authentication credentials in the request. @@ -472,7 +472,7 @@ Only available when [leaked credentials detection](/waf/detections/leaked-creden ## `cf.waf.credential_check.password_leaked` -`cf.waf.credential_check.password_leaked` `Boolean` +`cf.waf.credential_check.password_leaked` When `true`, the password detected in the request was previously leaked. @@ -480,7 +480,7 @@ Only available when [leaked credentials detection](/waf/detections/leaked-creden ## `cf.waf.credential_check.username_leaked` -`cf.waf.credential_check.username_leaked` `Boolean` +`cf.waf.credential_check.username_leaked` When `true`, the username detected in the request was previously leaked. @@ -488,7 +488,7 @@ Only available when [leaked credentials detection](/waf/detections/leaked-creden ## `cf.waf.credential_check.username_and_password_leaked` -`cf.waf.credential_check.username_and_password_leaked` `Boolean` +`cf.waf.credential_check.username_and_password_leaked` When `true`, the authentication credentials detected in the request (username and password pair) were previously leaked. @@ -496,7 +496,7 @@ Only available when [leaked credentials detection](/waf/detections/leaked-creden ## `cf.waf.credential_check.username_password_similar` -`cf.waf.credential_check.username_password_similar` `Boolean` +`cf.waf.credential_check.username_password_similar` When `true`, a similar version of the username and password credentials detected in the request were previously leaked. @@ -504,7 +504,7 @@ Only available when [leaked credentials detection](/waf/detections/leaked-creden ## `cf.worker.upstream_zone` -`cf.worker.upstream_zone` `String` +`cf.worker.upstream_zone` Identifies whether a request comes from a worker or not. When a request comes from a worker, this field will hold the name of the zone for that worker. Otherwise, `cf.worker.upstream_zone` is empty. @@ -518,9 +518,9 @@ Identifies whether a request comes from a worker or not. When a request comes fr ### `aud` (audience) -`http.request.jwt.claims.aud` `Map>`
-`http.request.jwt.claims.aud.names` `Array`
-`http.request.jwt.claims.aud.values` `Array`
+`http.request.jwt.claims.aud`
+`http.request.jwt.claims.aud.names`
+`http.request.jwt.claims.aud.values`
The `aud` (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for. Each principal intended to process the JWT must identify itself with a value in the audience claim. In the general case, the `aud` value is an array of case-sensitive strings, each containing a `StringOrURI` value. @@ -528,9 +528,9 @@ The `aud` (audience) claim identifies the recipients that the JSON Web Token (JW ### `iat` (issued at) -`http.request.jwt.claims.iat.sec` `Map>`
-`http.request.jwt.claims.iat.sec.names` `Array`
-`http.request.jwt.claims.iat.sec.values` `Array`
+`http.request.jwt.claims.iat.sec`
+`http.request.jwt.claims.iat.sec.names`
+`http.request.jwt.claims.iat.sec.values` The `iat` (issued at) claim identifies the time (number of seconds) at which the JWT was issued. @@ -538,9 +538,9 @@ The `iat` (issued at) claim identifies the time (number of seconds) at which the ### `iss` (issuer) -`http.request.jwt.claims.iss` `Map>`
-`http.request.jwt.claims.iss.names` `Array`
-`http.request.jwt.claims.iss.values` `Array`
+`http.request.jwt.claims.iss`
+`http.request.jwt.claims.iss.names`
+`http.request.jwt.claims.iss.values`
The `iss` (issuer) claim identifies the principal that issued the JWT. @@ -548,9 +548,9 @@ The `iss` (issuer) claim identifies the principal that issued the JWT. ### `jti` (JWT ID) -`http.request.jwt.claims.jti` `Map>`
-`http.request.jwt.claims.jti.names` `Array`
-`http.request.jwt.claims.jti.values` `Array`
+`http.request.jwt.claims.jti`
+`http.request.jwt.claims.jti.names`
+`http.request.jwt.claims.jti.values`
The `jti` (JWT ID) claim provides a unique identifier for the JWT. @@ -558,9 +558,9 @@ The `jti` (JWT ID) claim provides a unique identifier for the JWT. ### `nbf` (not before) -`http.request.jwt.claims.nbf.sec` `Map>`
-`http.request.jwt.claims.nbf.sec.names` `Array`
-`http.request.jwt.claims.nbf.sec.values` `Array`
+`http.request.jwt.claims.nbf.sec`
+`http.request.jwt.claims.nbf.sec.names`
+`http.request.jwt.claims.nbf.sec.values` The `nbf` (not before) claim identifies the time (number of seconds) before which the JWT must not be accepted for processing. @@ -568,10 +568,10 @@ The `nbf` (not before) claim identifies the time (number of seconds) before whic ### `sub` (subject) -`http.request.jwt.claims.sub` `Map>`
-`http.request.jwt.claims.sub.names` `Array`
-`http.request.jwt.claims.sub.values` `Array`
+`http.request.jwt.claims.sub`
+`http.request.jwt.claims.sub.names`
+`http.request.jwt.claims.sub.values`
The `sub` (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject. - \ No newline at end of file + diff --git a/src/content/docs/ruleset-engine/rules-language/fields/http-request-body.mdx b/src/content/docs/ruleset-engine/rules-language/fields/http-request-body.mdx index 0d9e10280b7932..e91e7e197fcaf3 100644 --- a/src/content/docs/ruleset-engine/rules-language/fields/http-request-body.mdx +++ b/src/content/docs/ruleset-engine/rules-language/fields/http-request-body.mdx @@ -8,6 +8,8 @@ head: content: HTTP request body fields | Fields reference --- +import { Type } from "~/components"; + :::note Access to HTTP request body fields requires a Cloudflare Enterprise plan with a paid add-on, except for the `http.request.body.mime` field. ::: @@ -16,7 +18,7 @@ The Rules language includes fields that represent properties of an HTTP request :::caution -All `http.request.body.*` fields (except `http.request.body.size`) handle a given maximum body size, which varies per plan. For Enterprise customers, the maximum body size analyzed by Cloudflare is 128 KB; for lower Cloudflare plans, the maximum size is lower. You cannot define expressions that rely on request body data beyond the maximum size set for your plan. If the request body is larger, the body fields will contain a truncated value and the `http.request.body.truncated` field will be set to `true`. The `http.request.body.size` field will contain the full size of the request without any truncation. +All `http.request.body.*` fields (except [`http.request.body.size`](#httprequestbodysize)) handle a given maximum body size, which varies per plan. For Enterprise customers, the maximum body size analyzed by Cloudflare is 128 KB; for lower Cloudflare plans, the maximum size is lower. You cannot define expressions that rely on request body data beyond the maximum size set for your plan. If the request body is larger, the body fields will contain a truncated value and the [`http.request.body.truncated`](#httprequestbodytruncated) field will be set to `true`. The [`http.request.body.size`](#httprequestbodysize) field will contain the full size of the request without any truncation. The maximum body size applies only to the values of HTTP body fields — the origin server will still receive the complete request body. @@ -26,11 +28,11 @@ The Cloudflare Rules language supports these HTTP body fields. ## `http.request.body.raw` -`http.request.body.raw` `String` +`http.request.body.raw` The unaltered HTTP request body. -When the value of `http.request.body.truncated` is true, the return value may be truncated. +When the value of [`http.request.body.truncated`](#httprequestbodytruncated) is true, the return value may be truncated. - Decoding: no decoding performed - Whitespace: preserved @@ -38,7 +40,7 @@ When the value of `http.request.body.truncated` is true, the return value may be ## `http.request.body.truncated` -`http.request.body.truncated` `Boolean` +`http.request.body.truncated` Indicates whether the HTTP request body is truncated. @@ -46,17 +48,17 @@ When true, `http.request.body` fields may not contain all of the HTTP request bo ## `http.request.body.size` -`http.request.body.size` `Number` +`http.request.body.size` The total size of the HTTP request body (in bytes). :::note -This field may have a value larger than the one returned by `len(http.request.body.raw)`, since the `http.request.body.raw` field only considers the request body up to a maximum size that varies according to your Cloudflare plan. +This field may have a value larger than the one returned by `len(http.request.body.raw)`, since the [`http.request.body.raw`](#httprequestbodyraw) field only considers the request body up to a maximum size that varies according to your Cloudflare plan. ::: ## `http.request.body.form` -`http.request.body.form` `Map>` +`http.request.body.form` The HTTP request body of a form represented as a Map (or associative array). Populated when the `Content-Type` header is `application/x-www-form-urlencoded`. @@ -64,7 +66,7 @@ The values are not pre-processed and retain the original case used in the reques When a field repeats, then the array contains multiple items in the order they are in the request. -The return value may be truncated if `http.request.body.truncated` is true. +The return value may be truncated if [`http.request.body.truncated`](#httprequestbodytruncated) is true. - **Decoding:** no decoding performed - **Whitespace:** preserved @@ -81,7 +83,7 @@ Example value: ## `http.request.body.form.names` -`http.request.body.form.names` `Array` +`http.request.body.form.names` The names of the form fields in an HTTP request where the content type is `application/x-www-form-urlencoded`. @@ -89,7 +91,7 @@ Names are not pre-processed and retain the original case used in the request. Th Duplicate names are listed multiple times. -The return value may be truncated if `http.request.body.truncated` is true. +The return value may be truncated if [`http.request.body.truncated`](#httprequestbodytruncated) is true. - **Decoding:** no decoding performed - **Whitespace:** preserved @@ -107,7 +109,7 @@ Example value: ## `http.request.body.form.values` -`http.request.body.form.values` `Array` +`http.request.body.form.values` The values of the form fields in an HTTP request where the content type is `application/x-www-form-urlencoded`. @@ -115,7 +117,7 @@ The values are not pre-processed and retain the original case used in the reques Duplicated values are listed multiple times. -The return value may be truncated if `http.request.body.truncated` is true. +The return value may be truncated if [`http.request.body.truncated`](#httprequestbodytruncated) is true. - **Decoding:** no decoding performed - **Whitespace:** preserved @@ -133,7 +135,7 @@ Example value: ## `http.request.body.mime` -`http.request.body.mime` `String` +`http.request.body.mime` The MIME type of the request detected from the request body. @@ -147,7 +149,7 @@ This field is available on all Cloudflare plans. ## `http.request.body.multipart` -`http.request.body.multipart` `Map>` +`http.request.body.multipart` A Map (or associative array) representation of multipart names to multipart values in the request body. @@ -157,7 +159,7 @@ Example value: ## `http.request.body.multipart.names` -`http.request.body.multipart.names` `Array>` +`http.request.body.multipart.names` List of multipart names for every part in the multipart body. @@ -171,7 +173,7 @@ Example: ## `http.request.body.multipart.values` -`http.request.body.multipart.values` `Array` +`http.request.body.multipart.values` List of multipart values for every part in the multipart body. @@ -181,7 +183,7 @@ Example value: ## `http.request.body.multipart.content_types` -`http.request.body.multipart.content_types` `Array>` +`http.request.body.multipart.content_types` List of `Content-Type` headers for each part in the multipart body. @@ -195,7 +197,7 @@ Example: ## `http.request.body.multipart.content_dispositions` -`http.request.body.multipart.content_dispositions` `Array>` +`http.request.body.multipart.content_dispositions` List of `Content-Disposition` headers for each part in the multipart body. @@ -205,7 +207,7 @@ Example value: ## `http.request.body.multipart.content_transfer_encodings` -`http.request.body.multipart.content_transfer_encodings` `Array>` +`http.request.body.multipart.content_transfer_encodings` List of `Content-Transfer-Encoding` headers for each part in the multipart body. @@ -215,7 +217,7 @@ Example value: ## `http.request.body.multipart.filenames` -`http.request.body.multipart.filenames` `Array>` +`http.request.body.multipart.filenames` List of filenames for each part in the multipart body. diff --git a/src/content/docs/ruleset-engine/rules-language/fields/http-request-header.mdx b/src/content/docs/ruleset-engine/rules-language/fields/http-request-header.mdx index 640efc8717cff1..c05cfd468335a4 100644 --- a/src/content/docs/ruleset-engine/rules-language/fields/http-request-header.mdx +++ b/src/content/docs/ruleset-engine/rules-language/fields/http-request-header.mdx @@ -8,13 +8,15 @@ head: content: HTTP request header fields | Fields reference --- +import { Type } from "~/components"; + The Rules language includes fields that represent properties of HTTP request headers. Many of these return [arrays](/ruleset-engine/rules-language/values/#arrays) containing the respective values. The Cloudflare Rules language supports these HTTP header fields. ## `http.request.headers` -`http.request.headers` `Map>` +`http.request.headers` The HTTP request headers represented as a Map (or associative array). @@ -42,7 +44,7 @@ Example value: ## `http.request.headers.names` -`http.request.headers.names` `Array` +`http.request.headers.names` The names of the headers in the HTTP request. @@ -52,7 +54,7 @@ The names are not pre-processed and retain the original case used in the request In HTTP/2, the names of HTTP headers are always in lowercase. Recent versions of the `curl` tool [enable HTTP/2 by default](https://curl.se/docs/manpage.html#--http2) for HTTPS connections. ::: -The order of header names is not guaranteed but will match `http.request.headers.values`. +The order of header names is not guaranteed but will match [`http.request.headers.values`](#httprequestheadersvalues). Duplicate headers are listed multiple times. @@ -70,13 +72,13 @@ Example value: `["content-type"]` ## `http.request.headers.values` -`http.request.headers.values` `Array` +`http.request.headers.values` The values of the headers in the HTTP request. The values are not pre-processed and retain the original case used in the request. -The order of header values is not guaranteed but will match `http.request.headers.names`. +The order of header values is not guaranteed but will match [`http.request.headers.names`](#httprequestheadersnames). Duplicate headers are listed multiple times. @@ -112,19 +114,19 @@ Example value 2: ## `http.request.headers.truncated` -`http.request.headers.truncated` `Boolean` +`http.request.headers.truncated` Returns `true` when the HTTP request contains too many headers; otherwise, returns `false`. -When `true`, `http.request.headers`, `http.request.headers.names`, and `http.request.headers.values` may not contain all of the headers sent in the HTTP request. +When `true`, [`http.request.headers`](#httprequestheaders), [`http.request.headers.names`](#httprequestheadersnames), and [`http.request.headers.values`](#httprequestheadersvalues) may not contain all of the headers sent in the HTTP request. ## `http.request.accepted_languages` -`http.request.accepted_languages` `Array` +`http.request.accepted_languages` List of language tags provided in the [`Accept-Language`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Accept-Language) HTTP request header, sorted by weight (`;q=`, with a default weight of `1`) in descending order. -If the HTTP header is not present in the request or is empty, `http.request.accepted_languages[0]` will return a "[missing value](/ruleset-engine/rules-language/values/#notes)", which the `concat()` function will handle as an empty string. +If the HTTP header is not present in the request or is empty, `http.request.accepted_languages[0]` will return a "[missing value](/ruleset-engine/rules-language/values/#notes)", which the [`concat()`](/ruleset-engine/rules-language/functions/#concat) function will handle as an empty string. If the HTTP header includes the language tag `*` it will not be stored in the array. diff --git a/src/content/docs/ruleset-engine/rules-language/fields/http-request-response.mdx b/src/content/docs/ruleset-engine/rules-language/fields/http-request-response.mdx index 89f3255b6c006c..c8b89d02ab3ed8 100644 --- a/src/content/docs/ruleset-engine/rules-language/fields/http-request-response.mdx +++ b/src/content/docs/ruleset-engine/rules-language/fields/http-request-response.mdx @@ -8,13 +8,13 @@ head: content: HTTP request response fields | Fields reference --- -import { Details } from "~/components"; +import { Details, Type } from "~/components"; The Cloudflare Rules language supports these HTTP response fields. ## `http.response.code` -`http.response.code` `Integer` +`http.response.code` The HTTP status code returned to the client, either set by a Cloudflare product or returned by the origin server. @@ -23,7 +23,7 @@ Example value: ## `http.response.headers` -`http.response.headers` `Map>` +`http.response.headers` The HTTP response headers represented as a Map (or associative array). @@ -47,9 +47,11 @@ Example value: ## `http.response.headers.names` +`http.response.headers.names` + The names of the headers in the HTTP response. The names are not pre-processed and retain the original case used in the response. -The order of header names is not guaranteed but will match `http.response.headers.values`. +The order of header names is not guaranteed but will match [`http.response.headers.values`](#httpresponseheadersvalues). Duplicate headers are listed multiple times. @@ -67,11 +69,13 @@ Example value: `["content-type"]` ## `http.response.headers.values` +`http.response.headers.values` + The values of the headers in the HTTP response. The values are not pre-processed and retain the original case used in the response. -The order of header values is not guaranteed but will match `http.response.headers.names`. +The order of header values is not guaranteed but will match [`http.response.headers.names`](#httpresponseheadersnames). Duplicate headers are listed multiple times. @@ -100,49 +104,28 @@ Example value 2: ## `http.response.content_type.media_type` -`http.response.content_type.media_type` `String` +`http.response.content_type.media_type` The lowercased content type (including subtype and suffix) without any parameters such as `charset`, based on the response's `Content-Type` header.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Content-Type headerField value
text/html"text/html"
text/html; charset=utf-8"text/html"
text/html+extra"text/html+extra"
text/html+extra; charset=utf-8"text/html+extra"
text/HTML"text/html"
text/html; charset=utf-8; other=value"text/html"
+ +| Content-Type header | Field value | +| --------------------------------------- | ------------------- | +| `text/html` | `"text/html"` | +| `text/html; charset=utf-8` | `"text/html"` | +| `text/html+extra` | `"text/html+extra"` | +| `text/html+extra; charset=utf-8` | `"text/html+extra"` | +| `text/HTML` | `"text/html"` | +| `text/html; charset=utf-8; other=value` | `"text/html"` |
## `cf.response.1xxx_code` -`cf.response.1xxx_code` `Integer` +`cf.response.1xxx_code` -Contains the specific code for 1xxx Cloudflare errors. Use this field to differentiate between 1xxx errors associated with the same HTTP status code. The default value is `0`. For a list of 1xxx errors, refer to [Troubleshooting Cloudflare 1XXX errors](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-1xxx-errors/). +Contains the specific code for 1XXX Cloudflare errors. Use this field to differentiate between 1XXX errors associated with the same HTTP status code. The default value is `0`. For a list of 1XXX errors, refer to [Troubleshooting Cloudflare 1XXX errors](/support/troubleshooting/cloudflare-errors/troubleshooting-cloudflare-1xxx-errors/). Example value: `1020` @@ -153,7 +136,7 @@ Note: This field is only available in [HTTP response header modifications](/rule ## `cf.response.error_type` -`cf.response.error_type` `String` +`cf.response.error_type` A string with the type of error in the response being returned. The default value is an empty string (`""`). @@ -170,7 +153,7 @@ The available values are the following: - `country_challenge` - `ratelimit` -You can use this field to customize the response for a specific type of error (for example, all 1xxx errors or all WAF block actions). +You can use this field to customize the response for a specific type of error (for example, all 1XXX errors or all WAF block actions). :::note This field is only available in [HTTP response header modifications](/rules/transform/response-header-modification/) and [Custom Error Responses](/rules/custom-error-responses/). diff --git a/src/content/docs/ruleset-engine/rules-language/fields/magic-firewall.mdx b/src/content/docs/ruleset-engine/rules-language/fields/magic-firewall.mdx index c27cdbd0d888e8..8d521787373d8b 100644 --- a/src/content/docs/ruleset-engine/rules-language/fields/magic-firewall.mdx +++ b/src/content/docs/ruleset-engine/rules-language/fields/magic-firewall.mdx @@ -8,15 +8,15 @@ head: content: Magic firewall fields | Fields reference --- +import { Type } from "~/components"; + :::note Some Magic Firewall fields are available only to customers who purchased Magic Firewall's advanced features. Refer to [Magic Firewall plans](/magic-firewall/plans/) for more information. ::: -Here is the formatted table: - ## `cf.colo.name` -`cf.colo.name` `String` +`cf.colo.name` The data center that is handling this traffic. @@ -26,7 +26,7 @@ Example value: `sfo06` ## `cf.colo.region` -`cf.colo.region` `String` +`cf.colo.region` Region of the data center that is handling this traffic. @@ -36,7 +36,7 @@ Example value: `WNAM` ## `icmp` -`icmp` `String` +`icmp` The raw ICMP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking. @@ -44,7 +44,7 @@ The raw ICMP packet as a list of bytes. It should be used in conjunction with th ## `icmp.type` -`icmp.type` `Number` +`icmp.type` The [ICMP type](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#header_type). Only applies to ICMP packets. @@ -54,7 +54,7 @@ Example value: `8` ## `icmp.code` -`icmp.code` `Number` +`icmp.code` The [ICMP code](https://en.wikipedia.org/wiki/Internet_Control_Message_Protocol#header_code). Only applies to ICMP packets. @@ -64,7 +64,7 @@ Example value: `2` ## `ip` -`ip` `String` +`ip` The raw IP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking. @@ -72,7 +72,7 @@ The raw IP packet as a list of bytes. It should be used in conjunction with the ## `ip.dst` -`ip.dst` `IP Address` +`ip.dst` The destination address as specified in the IP packet. @@ -82,7 +82,7 @@ Example value: `192.0.2.2` ## `ip.dst.country` -`ip.dst.country` `String` +`ip.dst.country` Represents the 2-letter country code associated with the server IP address in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format. @@ -94,7 +94,7 @@ For more information on the ISO 3166-1 Alpha 2 format, refer to [ISO 3166-1 Alph ## `ip.src.country` -`ip.src.country` `String` +`ip.src.country` Represents the 2-letter country code associated with the client IP address in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format. @@ -108,7 +108,7 @@ For Magic Firewall, the `ip.geoip.country` field (which is deprecated) will matc ## `ip.hdr_len` -`ip.hdr_len` `Number` +`ip.hdr_len` The length of the IPv4 header in bytes. @@ -118,7 +118,7 @@ Example value: `5` ## `ip.len` -`ip.len` `Number` +`ip.len` The length of the packet including the header. @@ -128,7 +128,7 @@ Example value: `60` ## `ip.opt.type` -`ip.opt.type` `Number` +`ip.opt.type` The first byte of [IP options field](https://en.wikipedia.org/wiki/IPv4#Options), if the options field is set. @@ -138,7 +138,7 @@ Example value: `25` ## `ip.proto` -`ip.proto` `String` +`ip.proto` The transport layer for the packet, if it can be determined. @@ -148,7 +148,7 @@ Example values: `icmp`, `tcp` ## `ip.src` -`ip.src` `IP Address` +`ip.src` The source address of the IP Packet. @@ -156,7 +156,7 @@ The source address of the IP Packet. ## `ip.src.country` -`ip.src.country` `String` +`ip.src.country` Represents the 2-letter country code associated with the client IP address in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format. @@ -168,7 +168,7 @@ For more information on the ISO 3166-1 Alpha 2 format, refer to [ISO 3166-1 Alph ## `ip.ttl` -`ip.ttl` `Number` +`ip.ttl` The time-to-live of the IP Packet. @@ -178,7 +178,7 @@ Example values: `54` ## `sip` -`sip` `Boolean` +`sip` Determines if packets are valid L7 protocol [SIP](https://datatracker.ietf.org/doc/html/rfc2543). Requires UDP packets to operate. @@ -190,7 +190,7 @@ Use a guard clause as shown below to ensure the packet is UDP (wirefilter): ## `tcp` -`tcp` `String` +`tcp` The raw TCP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking. @@ -198,7 +198,7 @@ The raw TCP packet as a list of bytes. It should be used in conjunction with the ## `tcp.flags` -`tcp.flags` `Number` +`tcp.flags` The numeric value of the TCP flags byte. @@ -206,7 +206,7 @@ The numeric value of the TCP flags byte. ## `tcp.flags.ack` -`tcp.flags.ack` `Boolean` +`tcp.flags.ack` TCP acknowledgment flag. @@ -214,7 +214,7 @@ TCP acknowledgment flag. ## `tcp.flags.cwr` -`tcp.flags.cwr` `Boolean` +`tcp.flags.cwr` TCP congestion window reduced flag. @@ -222,7 +222,7 @@ TCP congestion window reduced flag. ## `tcp.flags.ecn` -`tcp.flags.ecn` `Boolean` +`tcp.flags.ecn` TCP ECN-Echo flag. @@ -230,7 +230,7 @@ TCP ECN-Echo flag. ## `tcp.flags.fin` -`tcp.flags.fin` `Boolean` +`tcp.flags.fin` TCP flag indicating this is the last packet from sender. @@ -238,7 +238,7 @@ TCP flag indicating this is the last packet from sender. ## `tcp.flags.push` -`tcp.flags.push` `Boolean` +`tcp.flags.push` TCP push flag. @@ -246,7 +246,7 @@ TCP push flag. ## `tcp.flags.reset` -`tcp.flags.reset` `Boolean` +`tcp.flags.reset` TCP reset flag. @@ -254,7 +254,7 @@ TCP reset flag. ## `tcp.flags.syn` -`tcp.flags.syn` `Boolean` +`tcp.flags.syn` TCP synchronize flag. @@ -262,7 +262,7 @@ TCP synchronize flag. ## `tcp.flags.urg` -`tcp.flags.urg` `Boolean` +`tcp.flags.urg` TCP urgent flag. @@ -270,7 +270,7 @@ TCP urgent flag. ## `tcp.srcport` -`tcp.srcport` `Number` +`tcp.srcport` Source port number of the IP packet. Only applies to TCP packets. @@ -278,7 +278,7 @@ Source port number of the IP packet. Only applies to TCP packets. ## `tcp.dstport` -`tcp.dstport` `Number` +`tcp.dstport` Destination port number of the IP packet. Only applies to TCP packets. @@ -286,7 +286,7 @@ Destination port number of the IP packet. Only applies to TCP packets. ## `udp` -`udp` `String` +`udp` The raw UDP packet as a list of bytes. It should be used in conjunction with the bit_slice function when other structured fields are lacking. @@ -294,7 +294,7 @@ The raw UDP packet as a list of bytes. It should be used in conjunction with the ## `udp.dstport` -`udp.dstport` `Number` +`udp.dstport` Destination port number of the IP packet. Only applies to UDP packets. @@ -302,7 +302,7 @@ Destination port number of the IP packet. Only applies to UDP packets. ## `udp.srcport` -`udp.srcport` `Number` +`udp.srcport` Source port number of the IP packet. Only applies to UDP packets. diff --git a/src/content/docs/ruleset-engine/rules-language/fields/standard-fields.mdx b/src/content/docs/ruleset-engine/rules-language/fields/standard-fields.mdx index 2b935f8a102f55..de7a24483d217f 100644 --- a/src/content/docs/ruleset-engine/rules-language/fields/standard-fields.mdx +++ b/src/content/docs/ruleset-engine/rules-language/fields/standard-fields.mdx @@ -8,7 +8,7 @@ head: content: Standard fields | Fields reference --- -import { Details, Render } from "~/components"; +import { Details, Render, Type } from "~/components"; Most standard fields use the same naming conventions as [Wireshark display fields](https://www.wireshark.org/docs/wsug_html_chunked/ChWorkBuildDisplayFilterSection.html). However, there are some subtle differences between Cloudflare and Wireshark: @@ -32,7 +32,7 @@ The Cloudflare Rules language supports these standard fields. ## `http.cookie` -`http.cookie` `String` +`http.cookie` The entire cookie as a string. @@ -44,7 +44,7 @@ session=8521F670545D7865F79C3D7BEDC29CCE;-background=light ## `http.host` -`http.host` `String` +`http.host` The hostname used in the full request URI. @@ -56,7 +56,7 @@ www.example.org ## `http.referer` -`http.referer` `String` +`http.referer` The HTTP `Referer` request header, which contains the address of the web page that linked to the currently requested page. @@ -68,7 +68,7 @@ Referer: htt­ps://developer.example.org/en-US/docs/Web/JavaScript ## `http.request.full_uri` -`http.request.full_uri` `String` +`http.request.full_uri` The full URI as received by the web server (does not include `#fragment`, which is not sent to web servers). @@ -80,7 +80,7 @@ htt­ps://www.example.org/articles/index?section=539061&expand=comments ## `http.request.method` -`http.request.method` `String` +`http.request.method` The HTTP method, returned as a string of uppercase characters. @@ -92,7 +92,7 @@ GET ## `http.request.cookies` -`http.request.cookies` `Map>` +`http.request.cookies` The `Cookie` HTTP header associated with a request represented as a Map (associative array). The cookie values are not pre-processed and retain the original case used in the request. @@ -112,11 +112,11 @@ Example value: ## `http.request.timestamp.sec` -`http.request.timestamp.sec` `Integer` +`http.request.timestamp.sec` The timestamp when Cloudflare received the request, expressed as UNIX time in seconds. This value is 10 digits long. -To obtain the timestamp milliseconds, use the `http.request.timestamp.msec` field. +To obtain the timestamp milliseconds, use the [`http.request.timestamp.msec`](#httprequesttimestampmsec) field. Example value: @@ -124,15 +124,15 @@ Example value: 1484063137 ``` -When validating HMAC tokens in an expression, pass this field as the `currentTimestamp` argument to the [is_timed_hmac_valid_v0()](/ruleset-engine/rules-language/functions/#hmac-validation) validation function. +When validating HMAC tokens in an expression, pass this field as the `currentTimestamp` argument to the [`is_timed_hmac_valid_v0()`](/ruleset-engine/rules-language/functions/#hmac-validation) validation function. ## `http.request.timestamp.msec` -`http.request.timestamp.msec` `Integer` +`http.request.timestamp.msec` The millisecond when Cloudflare received the request, between 0 and 999. -To obtain the complete timestamp, use both `http.request.timestamp.sec` and `http.request.timestamp.msec` fields. +To obtain the complete timestamp, use both [`http.request.timestamp.sec`](#httprequesttimestampsec) and [`http.request.timestamp.msec`](#httprequesttimestampmsec) fields. Example value: @@ -144,7 +144,7 @@ Here is the formatted information for the provided rows: ## `http.request.uri` -`http.request.uri` `String` +`http.request.uri` The URI path and query string of the request. @@ -156,7 +156,7 @@ Example value: ## `http.request.uri.path` -`http.request.uri.path` `String` +`http.request.uri.path` The URI path of the request. @@ -168,7 +168,7 @@ Example value: ## `http.request.uri.path.extension` -`http.request.uri.path.extension` `String` +`http.request.uri.path.extension` The lowercased file extension in the URI path without the dot (`.`) character. This corresponds to the string after the last dot in the URI path, excluding the query string. @@ -195,7 +195,7 @@ Example values: ## `http.request.uri.query` -`http.request.uri.query` `String` +`http.request.uri.query` The entire query string, without the `?` delimiter. @@ -207,7 +207,7 @@ section=539061&expand=comments ## `http.user_agent` -`http.user_agent` `String` +`http.user_agent` The HTTP `User-Agent` request header, which contains a characteristic string to identify the client operating system and web browser. @@ -219,7 +219,7 @@ Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/65 ## `http.request.version` -`http.request.version` `String` +`http.request.version` The version of the HTTP protocol used. Use this field when different checks are needed for different versions. @@ -230,7 +230,7 @@ Example values: ## `http.x_forwarded_for` -`http.x_forwarded_for` `String` +`http.x_forwarded_for` The full `X-Forwarded-For` HTTP header. @@ -242,7 +242,7 @@ Example value: ## `ip.src` -`ip.src` `IP address` +`ip.src` The client TCP IP address, which may be adjusted to reflect the actual address of the client using HTTP headers such as `X-Forwarded-For` or `X-Real-IP`. @@ -254,7 +254,7 @@ Example value: ## `ip.src.lat` -`ip.src.lat` `String` +`ip.src.lat` The latitude associated with the client IP address. @@ -266,7 +266,7 @@ Example value: ## `ip.src.lon` -`ip.src.lon` `String` +`ip.src.lon` The longitude associated with the client IP address. @@ -278,7 +278,7 @@ Example value: ## `ip.src.city` -`ip.src.city` `String` +`ip.src.city` The city associated with the client IP address. @@ -290,7 +290,7 @@ San Francisco ## `ip.src.postal_code` -`ip.src.postal_code` `String` +`ip.src.postal_code` The postal code associated with the incoming request. @@ -302,7 +302,7 @@ Example value: ## `ip.src.metro_code` -`ip.src.metro_code` `String` +`ip.src.metro_code` The metro code or Designated Market Area (DMA) code associated with the incoming request. @@ -314,7 +314,7 @@ Example value: ## `ip.src.region` -`ip.src.region` `String` +`ip.src.region` The region name associated with the incoming request. @@ -326,7 +326,7 @@ Texas ## `ip.src.region_code` -`ip.src.region_code` `String` +`ip.src.region_code` The region code associated with the incoming request. @@ -338,7 +338,7 @@ TX ## `ip.src.timezone.name` -`ip.src.timezone.name` `String` +`ip.src.timezone.name` The name of the timezone associated with the incoming request. This field is only available in rewrite expressions of [Transform Rules](/rules/transform/). @@ -350,7 +350,7 @@ America/Chicago ## `ip.src.asnum` -`ip.src.asnum` `Number` +`ip.src.asnum` The 16-bit or 32-bit integer representing the Autonomous System (AS) number associated with the client IP address. @@ -358,7 +358,7 @@ This field has the same value as the `ip.geoip.asnum` field, which is deprecated ## `ip.src.continent` -`ip.src.continent` `String` +`ip.src.continent` The continent code associated with the client IP address: @@ -375,7 +375,7 @@ This field has the same value as the `ip.geoip.continent` field, which is deprec ## `ip.src.country` -`ip.src.country` `String` +`ip.src.country` The 2-letter country code in [ISO 3166-1 Alpha 2](https://www.iso.org/obp/ui/#search/code/) format. @@ -391,7 +391,7 @@ This field has the same value as the `ip.geoip.country` field, which is deprecat ## `ip.src.subdivision_1_iso_code` -`ip.src.subdivision_1_iso_code` `String` +`ip.src.subdivision_1_iso_code` The ISO 3166-2 code for the first-level region associated with the IP address. When the actual value is not available, this field contains an empty string. @@ -407,7 +407,7 @@ This field has the same value as the `ip.geoip.subdivision_1_iso_code` field, wh ## `ip.src.subdivision_2_iso_code` -`ip.src.subdivision_2_iso_code` `String` +`ip.src.subdivision_2_iso_code` The ISO 3166-2 code for the second-level region associated with the IP address. When the actual value is not available, this field contains an empty string. @@ -423,7 +423,7 @@ This field has the same value as the `ip.geoip.subdivision_2_iso_code` field, wh ## `ip.src.is_in_european_union` -`ip.src.is_in_european_union` `Boolean` +`ip.src.is_in_european_union` Returns `true` when the request originates from a country in the European Union (EU). @@ -474,7 +474,7 @@ This field has the same value as the `ip.geoip.is_in_european_union` field, whic ## `raw.http.request.full_uri` -`raw.http.request.full_uri` `String` +`raw.http.request.full_uri` The raw full URI as received by the web server without the URI fragment (if any) and without any transformation. @@ -487,7 +487,7 @@ The raw full URI as received by the web server without the URI fragment (if any) ## `raw.http.request.uri` -`raw.http.request.uri` `String` +`raw.http.request.uri` The raw URI path and query string of the request without any transformation. @@ -500,7 +500,7 @@ The raw URI path and query string of the request without any transformation. ## `raw.http.request.uri.path` -`raw.http.request.uri.path` `String` +`raw.http.request.uri.path` The raw URI path of the request without any transformation. @@ -513,7 +513,7 @@ The raw URI path of the request without any transformation. ## `raw.http.request.uri.path.extension` -`raw.http.request.uri.path.extension` `String` +`raw.http.request.uri.path.extension` The raw file extension in the request URI path without any transformation. @@ -527,7 +527,7 @@ The raw file extension in the request URI path without any transformation. ## `raw.http.request.uri.query` -`raw.http.request.uri.query` `String` +`raw.http.request.uri.query` The entire query string without the `?` delimiter and without any transformation. @@ -540,7 +540,7 @@ The entire query string without the `?` delimiter and without any transformation ## `ssl` -`ssl` `Boolean` +`ssl` Returns `true` when the HTTP connection to the client is encrypted. diff --git a/src/content/docs/ruleset-engine/rules-language/fields/uri.mdx b/src/content/docs/ruleset-engine/rules-language/fields/uri.mdx index beff5428b9af85..ba93a919861532 100644 --- a/src/content/docs/ruleset-engine/rules-language/fields/uri.mdx +++ b/src/content/docs/ruleset-engine/rules-language/fields/uri.mdx @@ -8,7 +8,7 @@ head: content: URI argument and value fields | Fields reference --- -import { Render } from "~/components"; +import { Render, Type } from "~/components"; The Cloudflare Rules language includes URI argument and value fields associated with HTTP requests. Many of these fields return [arrays](/ruleset-engine/rules-language/values/#arrays) containing the respective values. @@ -16,7 +16,7 @@ The Cloudflare Rules language supports these URI argument and value fields. ## `http.request.uri.args` -`http.request.uri.args` `Map>` +`http.request.uri.args` The HTTP URI arguments associated with a request represented as a Map (associative array). @@ -37,7 +37,7 @@ Example value: ## `http.request.uri.args.names` -`http.request.uri.args.names` `Array` +`http.request.uri.args.names` The names of the arguments in the HTTP URI query string. The names are not pre-processed and retain the original case used in the request. @@ -56,7 +56,7 @@ Example value: ## `http.request.uri.args.values` -`http.request.uri.args.values` `Array` +`http.request.uri.args.values` The values of arguments in the HTTP URI query string. The values are not pre-processed and retain the original case used in the request. They are in the same order as in the request. @@ -75,7 +75,7 @@ Example value: ## `raw.http.request.uri.args` -`raw.http.request.uri.args` `Map>` +`raw.http.request.uri.args` The raw HTTP URI arguments associated with a request represented as a Map (associative array). @@ -86,7 +86,7 @@ The raw HTTP URI arguments associated with a request represented as a Map (assoc ## `raw.http.request.uri.args.names` -`raw.http.request.uri.args.names` `Array` +`raw.http.request.uri.args.names` The raw names of the arguments in the HTTP URI query string. @@ -99,7 +99,7 @@ The raw names of the arguments in the HTTP URI query string. ## `raw.http.request.uri.args.values` -`raw.http.request.uri.args.values` `Array` +`raw.http.request.uri.args.values` The raw values of arguments in the HTTP URI query string. From 6fb2e66cc6eebf289e8f9479224ab9d6bb3fd4ec Mon Sep 17 00:00:00 2001 From: Pedro Sousa <680496+pedrosousa@users.noreply.github.com> Date: Fri, 8 Nov 2024 14:08:00 +0000 Subject: [PATCH 2/2] Remove some line breaks --- .../rules-language/fields/dynamic-fields.mdx | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx b/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx index f1a0cd2718a286..5f69290abdba06 100644 --- a/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx +++ b/src/content/docs/ruleset-engine/rules-language/fields/dynamic-fields.mdx @@ -520,7 +520,7 @@ Identifies whether a request comes from a worker or not. When a request comes fr `http.request.jwt.claims.aud`
`http.request.jwt.claims.aud.names`
-`http.request.jwt.claims.aud.values`
+`http.request.jwt.claims.aud.values` The `aud` (audience) claim identifies the recipients that the JSON Web Token (JWT) is intended for. Each principal intended to process the JWT must identify itself with a value in the audience claim. In the general case, the `aud` value is an array of case-sensitive strings, each containing a `StringOrURI` value. @@ -540,7 +540,7 @@ The `iat` (issued at) claim identifies the time (number of seconds) at which the `http.request.jwt.claims.iss`
`http.request.jwt.claims.iss.names`
-`http.request.jwt.claims.iss.values`
+`http.request.jwt.claims.iss.values` The `iss` (issuer) claim identifies the principal that issued the JWT. @@ -550,7 +550,7 @@ The `iss` (issuer) claim identifies the principal that issued the JWT. `http.request.jwt.claims.jti`
`http.request.jwt.claims.jti.names`
-`http.request.jwt.claims.jti.values`
+`http.request.jwt.claims.jti.values` The `jti` (JWT ID) claim provides a unique identifier for the JWT. @@ -570,7 +570,7 @@ The `nbf` (not before) claim identifies the time (number of seconds) before whic `http.request.jwt.claims.sub`
`http.request.jwt.claims.sub.names`
-`http.request.jwt.claims.sub.values`
+`http.request.jwt.claims.sub.values` The `sub` (subject) claim identifies the principal that is the subject of the JWT. The claims in a JWT are normally statements about the subject.