Available Managed Transforms

HTTP request headers

Name Description

Name	Description
Add bot protection headers	Adds HTTP request headers with bot-related values: `cf-bot-score`: Contains the bot score (for example, `30`). `cf-verified-bot`: Contains `true` if the request comes from a verified bot, or `false` otherwise. `cf-threat-score`: Contains the threat score (0-100). `cf-ja3-hash`: Contains the JA3 fingerprint. This Managed Transform requires a Cloudflare Enterprise plan with Bot Management enabled.
Add visitor location headers	Adds HTTP request headers with location information for the visitor's IP address. The added headers are: `cf-ipcity`: The visitor's city (value from the `ip.src.city` field). `cf-ipcountry`: The visitor's country (value from the `ip.src.country` field). `cf-ipcontinent`: The visitor's continent (value from the `ip.geoip.continent` field). `cf-iplongitude`: The visitor's longitude (value from the `ip.src.lon` field). `cf-iplatitude`: The visitor's latitude (value from the `ip.src.lat` field).
Remove visitor IP headers	Removes HTTP request headers that may contain the visitor's IP address. Handles the following HTTP request headers: `cf-connecting-ip` `x-forwarded-for` `true-client-ip`

Add bot protection headers

Adds HTTP request headers with bot-related values:

cf-bot-score: Contains the bot score (for example, 30).
cf-verified-bot: Contains true if the request comes from a verified bot, or false otherwise.
cf-threat-score: Contains the threat score (0-100).
cf-ja3-hash: Contains the JA3 fingerprint.

This Managed Transform requires a Cloudflare Enterprise plan with Bot Management enabled.

Add visitor location headers

Adds HTTP request headers with location information for the visitor's IP address. The added headers are:

cf-ipcity: The visitor's city (value from the ip.src.city field).
cf-ipcountry: The visitor's country (value from the ip.src.country field).
cf-ipcontinent: The visitor's continent (value from the ip.geoip.continent field).
cf-iplongitude: The visitor's longitude (value from the ip.src.lon field).
cf-iplatitude: The visitor's latitude (value from the ip.src.lat field).

Remove visitor IP headers

Removes HTTP request headers that may contain the visitor's IP address. Handles the following HTTP request headers:

Name Description

Name	Description
Remove "X-Powered-By" headers	Removes the `X-Powered-By` HTTP response header that provides information about the application at the origin server that handled the request.
Add security headers	Adds several security-related HTTP response headers. The added response headers and values are the following: `X-Content-Type-Options: nosniff` `X-XSS-Protection: 1; mode=block` `X-Frame-Options: SAMEORIGIN` `Referrer-Policy: same-origin` `Expect-CT: max-age=86400, enforce` To increase protection, enable HTTP Strict Transport Security (HSTS) for your website.

Remove "X-Powered-By" headers

Removes the X-Powered-By HTTP response header that provides information about the application at the origin server that handled the request.

Add security headers

Adds several security-related HTTP response headers. The added response headers and values are the following: