Cloudflare Docs
DDoS Protection
Edit this page
Give us feedback
Set theme to dark (⇧+D)

Override expressions

Set an override expression for the HTTP DDoS Attack Protection managed ruleset to define a specific scope for sensitivity level or action adjustments.

For example, you can set different sensitivity levels for different request URI paths: a medium sensitivity level for URI path A and a low sensitivity level for URI path B.

​​ Available expression fields

You can use the following fields in override expressions:

  • cf.client.bot
  • cf.threat_score
  • http.cookie
  • http.host
  • http.referer
  • http.request.uri
  • http.request.uri.path
  • http.request.uri.query
  • http.request.full_uri
  • http.request.method
  • http.request.version
  • http.request.cookies
  • http.user_agent
  • http.x_forwarded_for
  • ip.geoip.asnum
  • ip.geoip.continent
  • ip.geoip.country
  • ip.geoip.is_in_european_union
  • ip.src
  • ssl
  • cf.tls_client_auth.cert_verified

Refer to Fields in the Rules language documentation for more information.