Cloudflare Docs
Logs
Visit Logs on GitHub
Set theme to dark (⇧+D)

HTTP requests

The descriptions below detail the fields available for http_requests.

FieldValueType
BotDetectionIDsList of IDs that correlate to the Bot Management Heuristic detections made on a request. Available in Logpush v2 only.array[int]
BotScoreCloudflare Bot Score. Scores below 30 are commonly associated with automated traffic. Available for Bot Management customers (please contact your account team to enable).int
BotScoreSrcDetection engine responsible for generating the Bot Score.
Possible values are Not Computed | Heuristics | Machine Learning | Behavioral Analysis | Verified Bot | JS Fingerprinting | Cloudflare Service.
string
BotTagsType of bot traffic (if available). Refer to Bot Tags for the list of potential values. Available in Logpush v2 only.array[string]
CacheCacheStatusCache status.
Possible values are unknown | miss | expired | updating | stale | hit | ignored | bypass | revalidated | dynamic | stream_hit | deferred
“dynamic” means that a request is not eligible for cache. This can mean, for example that it was blocked by the firewall. Refer to Cloudflare cache responses for more details.
string
CacheReserveUsedCache Reserve was used to serve this request. Available in Logpush v2 only.bool
CacheResponseBytesNumber of bytes returned by the cache.int
CacheResponseStatus (deprecated)HTTP status code returned by the cache to the edge. All requests (including non-cacheable ones) go through the cache. Refer also to CacheCacheStatus field.int
CacheTieredFillTiered Cache was used to serve this request.bool
ClientASNClient AS number.int
ClientCountry2-letter ISO-3166 country code of the client IP address.string
ClientDeviceTypeClient device type.string
ClientIPIP address of the client.string
ClientIPClassClient IP class.
Possible values are unknown | badHost | searchEngine | allowlist | monitoringService | noRecord | scan | tor.
string
ClientMTLSAuthCertFingerprintThe SHA256 fingerprint of the certificate presented by the client during mTLS authentication. Only populated on the first request on an mTLS connection. Available in Logpush v2 only.string
ClientMTLSAuthStatusThe status of mTLS authentication. Only populated on the first request on an mTLS connection. Available in Logpush v2 only.
Possible values are unknown | ok | absent | untrusted | notyetvalid | expired.
string
ClientRegionCodeThe ISO-3166-2 region code of the client IP address.string
ClientRequestBytesNumber of bytes in the client request.int
ClientRequestHostHost requested by the client.string
ClientRequestMethodHTTP method of client request.string
ClientRequestPathURI path requested by the client.string
ClientRequestProtocolHTTP protocol of client request.string
ClientRequestRefererHTTP request referrer.string
ClientRequestSchemeThe URL scheme requested by the visitor. Available in Logpush v2 only.string
ClientRequestSourceIdentifies requests as coming from an external source or another service within Cloudflare. Refer to ClientRequestSource field for the list of potential values. Available in Logpush v2 only.string
ClientRequestURIURI requested by the client.string
ClientRequestUserAgentUser agent reported by the client.string
ClientSSLCipherClient SSL cipher.string
ClientSSLProtocolClient SSL (TLS) protocol. The value “none” means that SSL was not used.string
ClientSrcPortClient source port.int
ClientTCPRTTMsThe smoothed average of TCP round-trip time (SRTT). For the initial request on a connection, this is measured only during connection setup. For a subsequent request on the same connection, it is measured over the entire connection lifetime up until the time that request is received. Available in Logpush v2 only.int
ClientXRequestedWithX-Requested-With HTTP header.string
ContentScanObjResultsList of content scan results.array[string]
ContentScanObjTypesList of content types.array[string]
CookiesString key-value pairs for Cookies.object
EdgeCFConnectingO2OTrue if the request looped through multiple zones on the Cloudflare edge. This is considered an orange to orange (o2o) request. Available in Logpush v2 only.bool
EdgeColoCodeIATA airport code of data center that received the request.string
EdgeColoIDCloudflare edge colo id.int
EdgeEndTimestampTimestamp at which the edge finished sending response to the client.int or string
EdgePathingOpIndicates what type of response was issued for this request (unknown = no specific action).string
EdgePathingSrcDetails how the request was classified based on security checks (unknown = no specific classification).string
EdgePathingStatusIndicates what data was used to determine the handling of this request (unknown = no data).string
EdgeRateLimitAction (deprecated)The action taken by the blocking rule; empty if no action taken.
Possible values are unknown | simulate | ban | challenge | jsChallenge.
string
EdgeRateLimitID (deprecated)The internal rule ID of the rate-limiting rule that triggered a block (ban) or log action. 0 if no action taken.int
EdgeRequestHostHost header on the request from the edge to the origin.string
EdgeResponseBodyBytesSize of the HTTP response body returned to clients. Available in Logpush v2 only.int
EdgeResponseBytesNumber of bytes returned by the edge to the client.int
EdgeResponseCompressionRatioEdge response compression ratio.float
EdgeResponseContentTypeEdge response Content-Type header value.string
EdgeResponseStatusHTTP status code returned by Cloudflare to the client.int
EdgeServerIPIP of the edge server making a request to the origin. Possible responses are string in IPv4 or IPv6 format, or empty string. Empty string means that there was no request made to the origin server.string
EdgeStartTimestampTimestamp at which the edge received request from the client.int or string
EdgeTimeToFirstByteMsTotal view of Time To First Byte as measured at Cloudflare’s edge. Starts after a TCP connection is established and ends when Cloudflare begins returning the first byte of a response to eyeballs. Includes TLS handshake time (for new connections) and origin response time. Available in Logpush v2 only.int
FirewallMatchesActions (deprecated)Array of actions the Cloudflare firewall products performed on this request. The individual firewall products associated with this action be found in FirewallMatchesSources and their respective RuleIds can be found in FirewallMatchesRuleIDs. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesSources.
Possible actions are unknown | allow | block | challenge | jschallenge | log | connectionClose | challengeSolved | challengeFailed | challengeBypassed | jschallengeSolved | jschallengeFailed | jschallengeBypassed | bypass | managedChallenge | managedChallengeSkipped | managedChallengeNonInteractiveSolved | managedChallengeInteractiveSolved | managedChallengeBypassed. Use SecurityActions instead (available in Logpush v2 only).
array[string]
FirewallMatchesRuleIDs (deprecated)Array of RuleIDs of the firewall product that has matched the request. The firewall product associated with the RuleID can be found in FirewallMatchesSources. The length of the array is the same as FirewallMatchesActions and FirewallMatchesSources. Use SecurityRuleIDs instead (available in Logpush v2 only).array[string]
FirewallMatchesSources (deprecated)The firewall products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The RuleIDs can be found in FirewallMatchesRuleIDs, the actions can be found in FirewallMatchesActions. The length of the array is the same as FirewallMatchesRuleIDs and FirewallMatchesActions.
Possible sources are unknown | asn | country | ip | ipRange | securityLevel | zoneLockdown | waf | firewallRules | uaBlock | rateLimit | bic | hot | l7ddos | botFight | apiShield | botManagement | dlp | firewallManaged | firewallCustom. Use SecuritySources instead (available in Logpush v2 only).
array[string]
JA3HashThe MD5 hash of the JA3 fingerprint used to profile SSL/TLS clients. Available in Logpush v2 only.string
OriginDNSResponseTimeMsTime taken to receive a DNS response for an origin name. Usually takes a few milliseconds, but may be longer if a CNAME record is used. Available in Logpush v2 only.int
OriginIPIP of the origin server.string
OriginRequestHeaderSendDurationMsTime taken to send request headers to origin after establishing a connection. Note that this value is usually 0. Available in Logpush v2 only.int
OriginResponseBytes (deprecated)Number of bytes returned by the origin server.int
OriginResponseDurationMsUpstream response time, measured from the first datacenter that receives a request. Includes time taken by Argo Smart Routing and Tiered Cache, plus time to connect and receive a response from origin servers. This field replaces OriginResponseTime. Available in Logpush v2 only.int
OriginResponseHTTPExpiresValue of the origin ’expires’ header in RFC1123 format.string
OriginResponseHTTPLastModifiedValue of the origin ’last-modified’ header in RFC1123 format.string
OriginResponseHeaderReceiveDurationMsTime taken for origin to return response headers after Cloudflare finishes sending request headers. Available in Logpush v2 only.int
OriginResponseStatusStatus returned by the origin server. The value 0 means that there was no request made to the origin server and the response was served by Cloudflare’s Edge.int
OriginResponseTime (deprecated)Number of nanoseconds it took the origin to return the response to edge.int
OriginSSLProtocolSSL (TLS) protocol used to connect to the origin.string
OriginTCPHandshakeDurationMsTime taken to complete TCP handshake with origin. This will be 0 if an origin connection is reused. Available in Logpush v2 only.int
OriginTLSHandshakeDurationMsTime taken to complete TLS handshake with origin. This will be 0 if an origin connection is reused. Available in Logpush v2 only.int
ParentRayIDRay ID of the parent request if this request was made using a Worker script.string
RayIDID of the request.string
RequestHeadersString key-value pairs for RequestHeaders.object
ResponseHeadersString key-value pairs for ResponseHeaders.object
SecurityActionAction of the security rule that triggered a terminating action, if any. Available in Logpush v2 only.string
SecurityActionsArray of actions the Cloudflare security products performed on this request. The individual security products associated with this action be found in SecuritySources and their respective rule Ids can be found in SecurityRuleIDs. The length of the array is the same as SecurityRuleIDs and SecuritySources.
Possible actions are unknown | allow | block | challenge | jschallenge | log | connectionClose | challengeSolved | challengeFailed | challengeBypassed | jschallengeSolved | jschallengeFailed | jschallengeBypassed | bypass | managedChallenge | managedChallengeSkipped | managedChallengeNonInteractiveSolved | managedChallengeInteractiveSolved | managedChallengeBypassed | rewrite | forceConnectionClose | skip | managedChallengeFailed. Available in Logpush v2 only.
array[string]
SecurityLevel (deprecated)The security level configured at the time of this request. This is used to determine the sensitivity of the IP Reputation system.string
SecurityRuleDescriptionDescription of the security rule that triggered a terminating action, if any. Available in Logpush v2 only.string
SecurityRuleIDRule ID of the security rule that triggered a terminating action, if any. Available in Logpush v2 only.string
SecurityRuleIDsArray of rule IDs of the security product that matched the request. The security product associated with the rule ID can be found in SecuritySources. The length of the array is the same as SecurityActions and SecuritySources. Available in Logpush v2 only.array[string]
SecuritySourcesArray of security products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The rule IDs can be found in SecurityRuleIDs, and the actions can be found in SecurityActions. The length of the array is the same as SecurityRuleIDs and SecurityActions.
Possible sources are unknown | asn | country | ip | ipRange | securityLevel | zoneLockdown | waf | firewallRules | uaBlock | rateLimit | bic | hot | l7ddos | validation | botFight | apiShield | botManagement | dlp | firewallManaged | firewallCustom | apiShieldSchemaValidation | apiShieldTokenValidation. Available in Logpush v2 only.
array[string]
SmartRouteColoIDThe Cloudflare datacenter used to connect to the origin server if Argo Smart Routing is used. Available in Logpush v2 only.int
UpperTierColoIDThe “upper tier” datacenter that was checked for a cached copy if Tiered Cache is used. Available in Logpush v2 only.int
WAFAction (deprecated)Action taken by the WAF, if triggered. Use SecurityAction instead (available in Logpush v2 only).string
WAFAttackScoreOverall request score generated by the WAF detection module.int
WAFFlags (deprecated)Additional configuration flags: simulate (0x1) | null.string
WAFMatchedVar (deprecated)The full name of the most-recently matched variable.string
WAFProfile (deprecated)WAF profile.
Possible values are low | med | high.
string
WAFRCEAttackScoreWAF score for an RCE attack.int
WAFRuleID (deprecated)ID of the applied WAF rule. Use SecurityRuleID instead (available in Logpush v2 only).string
WAFRuleMessage (deprecated)Rule message associated with the triggered rule. Use SecurityRuleDescription instead (available in Logpush v2 only).string
WAFSQLiAttackScoreWAF score for an SQLi attack.int
WAFXSSAttackScoreWAF score for an XSS attack.int
WorkerCPUTimeAmount of time in microseconds spent executing a worker, if any.int
WorkerStatusStatus returned from worker daemon.string
WorkerSubrequestWhether or not this request was a worker subrequest.bool
WorkerSubrequestCountNumber of subrequests issued by a worker when handling this request.int
WorkerWallTimeUsReal-time in microseconds elapsed between start and end of worker invocation.int
ZoneNameThe human-readable name of the zone (e.g. ‘cloudflare.com’). Available in Logpush v2 only.string