Cloudflare Docs
Rules
Cloudflare Docs
Rules
Search icon (depiction of a magnifying glass)
GitHub icon
Visit Rules on GitHub
Set theme to dark (⇧+D)

Create an HTTP Response Header Modification Rule via API

Use the Rulesets API to create HTTP Response Header Modification Rules via API. Define the header modification configuration in the action_parameters field. Refer to Response header modification examples for examples of rule definitions.

When creating an HTTP Response Header Modification Rule via API, make sure you:

  • Set the rule action to rewrite.
  • Define the header modification parameters in the action_parameters field according to the operation to perform (set or remove header).
  • Deploy the rule to the http_response_headers_transform phase at the zone level.

Follow this workflow to create an HTTP Response Header Modification Rule for a given zone via API:

  1. Use the List existing rulesets method to check if there is already a ruleset for the http_response_headers_transform phase at the zone level.

  2. If the phase ruleset does not exist, create it using the Create ruleset method with the zone-level endpoint. In the new ruleset properties, set the following values:

    • kind: zone
    • phase: http_response_headers_transform

  3. Use the Update ruleset method to add an HTTP Response Header Modification Rule to the list of ruleset rules (check the examples below). Alternatively, include the rule in the Create ruleset request mentioned in the previous step.

Required API token permissions

The API token used in API requests to manage HTTP Response Header Modification Rules must have at least the following permissions:

  • Transform Rules: Edit
  • Account Rulesets: Read

Examples

Example: Add an HTTP response header with a static value

The following example sets the rules of an existing phase ruleset (<RULESET_ID>) to a single HTTP Response Header Modification Rule — adding an HTTP response header with a static value — using the Update ruleset method:

---
header: Request
---
curl -X PUT \
"https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/rulesets/<RULESET_ID>" \
-H "Authorization: Bearer <API_TOKEN>" \
-H "Content-Type: application/json" \
-d '{
  "rules": [
    {
      "expression": "(starts_with(http.request.uri.path, \"/en/\"))",
      "description": "My first HTTP Response Header Modification Rule",
      "action": "rewrite",
      "action_parameters": {
        "headers": {
          "X-Source": {
            "operation": "set",
            "value": "Cloudflare"
          }
        }
      }
    }
  ]
}'

The response contains the complete definition of the ruleset you updated.

---
header: Response
---
{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Zone-level Response Headers Transform Ruleset",
    "description": "Zone-level ruleset that will execute Response Header Modification Rules.",
    "kind": "zone",
    "version": "2",
    "rules": [
      {
        "id": "<RULE_ID>",
        "version": "1",
        "action": "rewrite",
        "action_parameters": {
          "headers": {
            "X-Source": {
              "operation": "set",
              "value": "Cloudflare"
            }
          }
        },
        "expression": "(starts_with(http.request.uri.path, \"/en/\"))",
        "description": "My first HTTP Response Header Modification Rule",
        "last_updated": "2021-04-14T14:42:04.219025Z",
        "ref": "<RULE_REF>"
      }
    ],
    "last_updated": "2021-04-14T14:42:04.219025Z",
    "phase": "http_response_headers_transform"
  },
  "success": true,
  "errors": [],
  "messages": []
}
Example: Add an HTTP response header with a dynamic value

The following example sets the rules of an existing phase ruleset (<RULESET_ID>) to a single HTTP Response Header Modification Rule — adding an HTTP response header with a dynamic value — using the Update ruleset method:

---
header: Request
---
curl -X PUT \
"https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/rulesets/<RULESET_ID>" \
-H "Authorization: Bearer <API_TOKEN>" \
-H "Content-Type: application/json" \
-d '{
  "rules": [
    {
      "expression": "(starts_with(http.request.uri.path, \"/en/\"))",
      "description": "My first HTTP Response Header Modification Rule",
      "action": "rewrite",
      "action_parameters": {
        "headers": {
          "X-Bot-Score": {
            "operation": "set",
            "expression": "to_string(cf.bot_management.score)"
          }
        }
      }
    }
  ]
}'

The response contains the complete definition of the ruleset you updated.

---
header: Response
---
{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Zone-level Response Headers Transform Ruleset",
    "description": "Zone-level ruleset that will execute Response Header Modification Rules.",
    "kind": "zone",
    "version": "2",
    "rules": [
      {
        "id": "<RULE_ID>",
        "version": "1",
        "action": "rewrite",
        "action_parameters": {
          "headers": {
            "X-Bot-Score": {
              "operation": "set",
              "expression": "to_string(cf.bot_management.score)"
            }
          }
        },
        "expression": "(starts_with(http.request.uri.path, \"/en/\"))",
        "description": "My first HTTP Response Header Modification Rule",
        "last_updated": "2021-04-14T14:42:04.219025Z",
        "ref": "<RULE_REF>"
      }
    ],
    "last_updated": "2021-04-14T14:42:04.219025Z",
    "phase": "http_response_headers_transform"
  },
  "success": true,
  "errors": [],
  "messages": []
}
Example: Remove an HTTP response header

The following example sets the rules of an existing phase ruleset (<RULESET_ID>) to a single HTTP Response Header Modification Rule — removing an HTTP response header — using the Update ruleset method:

---
header: Request
---
curl -X PUT \
"https://api.cloudflare.com/client/v4/zones/<ZONE_ID>/rulesets/<RULESET_ID>" \
-H "Authorization: Bearer <API_TOKEN>" \
-H "Content-Type: application/json" \
-d '{
  "rules": [
    {
      "expression": "(starts_with(http.request.uri.path, \"/en/\"))",
      "description": "My first HTTP Response Header Modification Rule",
      "action": "rewrite",
      "action_parameters": {
        "headers": {
          "cf-connecting-ip": {
            "operation": "remove"
          }
        }
      }
    }
  ]
}'

The response contains the complete definition of the ruleset you updated.

---
header: Response
---
{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Zone-level Response Headers Transform Ruleset",
    "description": "Zone-level ruleset that will execute Response Header Modification Rules.",
    "kind": "zone",
    "version": "2",
    "rules": [
      {
        "id": "<RULE_ID>",
        "version": "1",
        "action": "rewrite",
        "action_parameters": {
          "headers": {
            "cf-connecting-ip": {
              "operation": "remove"
            }
          }
        },
        "expression": "(starts_with(http.request.uri.path, \"/en/\"))",
        "description": "My first HTTP Response Header Modification Rule",
        "last_updated": "2021-04-14T14:42:04.219025Z",
        "ref": "<RULE_REF>"
      }
    ],
    "last_updated": "2021-04-14T14:42:04.219025Z",
    "phase": "http_response_headers_transform"
  },
  "success": true,
  "errors": [],
  "messages": []
}