Enter a filter expression using Wireshark-like syntax. See the Cloudflare documentation for more details.
Use transformation functions to modify field values.
The Cloudflare Rules language supports both comparison and logical operators.
== != eq ne - Equality operators
< > <= >= lt gt le ge - Comparison operators
contains - String containment
wildcard, strict wildcard - Wildcard matching
~ matches - Regex matching
in - Check if value is in a set
&& and - Logical AND
|| or - Logical OR
^^ xor - Logical XOR
! not - Logical NOT
The wirefilter language supports a variety of fields for filtering, including request fields such as headers, URI and body, as well as IP fields, Cloudflare-specific fields and more.
See the Cloudflare fields reference for the full list of available fields.
cf.api_gateway.auth_id_present
cf.api_gateway.fallthrough_detected
cf.api_gateway.request_violates_schema
cf.bot_management.corporate_proxy
cf.bot_management.detection_ids
cf.bot_management.ja3_hash
cf.bot_management.ja4
cf.bot_management.js_detection.passed
cf.bot_management.score
cf.bot_management.static_resource
cf.bot_management.verified_bot
cf.client.bot
cf.edge.server_ip
cf.edge.server_port
cf.hostname.metadata
cf.llm.prompt.detected
cf.llm.prompt.pii_categories
cf.llm.prompt.pii_detected
cf.random_seed
cf.ray_id
cf.response.1xxx_code
cf.response.error_type
cf.threat_score
cf.tls_cipher
cf.tls_ciphers_sha1
cf.tls_client_auth.cert_fingerprint_sha1
cf.tls_client_auth.cert_fingerprint_sha256
cf.tls_client_auth.cert_issuer_dn
cf.tls_client_auth.cert_issuer_dn_legacy
cf.tls_client_auth.cert_issuer_dn_rfc2253
cf.tls_client_auth.cert_issuer_serial
cf.tls_client_auth.cert_issuer_ski
cf.tls_client_auth.cert_not_after
cf.tls_client_auth.cert_not_before
cf.tls_client_auth.cert_presented
cf.tls_client_auth.cert_revoked
cf.tls_client_auth.cert_serial
cf.tls_client_auth.cert_ski
cf.tls_client_auth.cert_subject_dn
cf.tls_client_auth.cert_subject_legacy
cf.tls_client_auth.cert_subject_dn_rfc2253
cf.tls_client_auth.cert_verified
cf.tls_client_extensions_sha1
cf.tls_client_extensions_sha1_le
cf.tls_client_length_hello
cf.tls_client_random
cf.tls_version
cf.verified_bot_category
cf.waf.auth_detected
cf.waf.content_scan.has_failed
cf.waf.content_scan.has_malicious_obj
cf.waf.content_scan.has_obj
cf.waf.content_scan.num_malicious_obj
cf.waf.content_scan.num_obj
cf.waf.content_scan.obj_results
cf.waf.content_scan.obj_sizes
cf.waf.content_scan.obj_types
cf.waf.credential_check.password_leaked
cf.waf.credential_check.username_and_password_leaked
cf.waf.credential_check.username_leaked
cf.waf.credential_check.username_password_similar
cf.waf.score
cf.waf.score.class
cf.waf.score.rce
cf.waf.score.sqli
cf.waf.score.xss
cf.worker.upstream_zone
http.cookie
http.host
http.referer
http.user_agent
http.x_forwarded_for
http.request.accepted_languages
http.request.method
http.request.timestamp.msec
http.request.timestamp.sec
http.request.version
http.request.body.form
http.request.body.form.names
http.request.body.form.values
http.request.body.mime
http.request.body.multipart
http.request.body.multipart.content_disposition
http.request.body.multipart.content_transfer_encoding
http.request.body.multipart.content_type
http.request.body.multipart.filenames
http.request.body.multipart.names
http.request.body.multipart.values
http.request.body.raw
http.request.body.size
http.request.body.truncated
http.request.headers
http.request.headers.names
http.request.headers.truncated
http.request.headers.values
http.request.jwt.claims.aud
http.request.jwt.claims.aud.names
http.request.jwt.claims.aud.values
http.request.jwt.claims.iat.sec
http.request.jwt.claims.iat.sec.names
http.request.jwt.claims.iat.sec.values
http.request.jwt.claims.iss
http.request.jwt.claims.iss.names
http.request.jwt.claims.iss.values
http.request.jwt.claims.iss.jti
http.request.jwt.claims.iss.jti.names
http.request.jwt.claims.iss.jti.values
http.request.jwt.claims.nbf.sec
http.request.jwt.claims.nbf.sec.names
http.request.jwt.claims.nbf.sec.values
http.request.jwt.claims.sub
http.request.jwt.claims.sub.names
http.request.jwt.claims.sub.values
http.request.uri
http.request.uri.args
http.request.uri.args.names
http.request.uri.args.values
http.request.uri.path
http.request.uri.path.extension
http.request.uri.query
http.response.code
http.response.content_type.media_type
http.response.headers
http.response.headers.names
http.response.headers.values
ip.dst
ip.src
ip.src.asnum
ip.src.city
ip.src.continent
ip.src.country
ip.src.is_in_european_union
ip.src.lat
ip.src.lon
ip.src.metro_code
ip.src.postal_code
ip.src.region
ip.src.region_code
ip.src.subdivision_1_iso_code
ip.src.subdivision_2_iso_code
ip.src.timezone.name
raw.http.request.full_uri
raw.http.request.uri.args
raw.http.request.uri.args.names
raw.http.request.uri.args.values
raw.http.request.uri.path
raw.http.request.uri.path.extension
raw.http.request.uri.path.query
ssl