--- title: HTTP requests description: The descriptions below detail the fields available for http_requests. image: https://developers.cloudflare.com/core-services-preview.png --- > Documentation Index > Fetch the complete documentation index at: https://developers.cloudflare.com/logs/llms.txt > Use this file to discover all available pages before exploring further. [Skip to content](#%5Ftop) # HTTP requests The descriptions below detail the fields available for `http_requests`. ## BotDetectionIDs Type: `array[int]` List of IDs that correlate to the Bot Management Heuristic detections made on a request. Available only for Bot Management customers. To enable this feature, contact your account team. ## BotDetectionTags Type: `array[string]` List of tags that correlate to the Bot Management Heuristic detections made on a request. Available only for Bot Management customers. To enable this feature, contact your account team. ## BotScore Type: `int` Cloudflare Bot Score. Scores below 30 are commonly associated with automated traffic. Available only for Bot Management customers. To enable this feature, contact your account team. ## BotScoreSrc Type: `string` Detection engine responsible for generating the Bot Score. Possible values are _Not Computed_ | _Heuristics_ | _Machine Learning_ | _Behavioral Analysis_ | _Verified Bot_ | _JS Fingerprinting_ | _Cloudflare Service_. Available only for Bot Management customers. To enable this feature, contact your account team. ## BotTags Type: `array[string]` Type of bot traffic (if available). Refer to [Bot Tags](https://developers.cloudflare.com/bots/concepts/bot-tags/) for the list of potential values. Available only for Bot Management customers. To enable this feature, contact your account team. ## CacheCacheStatus Type: `string` Cache status. Possible values are _unknown_ | _miss_ | _expired_ | _updating_ | _stale_ | _hit_ | _ignored_ | _bypass_ | _revalidated_ | _dynamic_ | _stream\_hit_ | _deferred_ "dynamic" means that a request is not eligible for cache. This can mean, for example that it was blocked by the firewall. Refer to [Cloudflare cache responses](https://developers.cloudflare.com/cache/concepts/cache-responses/) for more details. ## CacheReserveUsed Type: `bool` Cache Reserve was used to serve this request. ## CacheResponseBytes Type: `int` Number of bytes returned by the cache. ## CacheResponseStatus (deprecated) Type: `int` HTTP status code returned by the cache to the edge. All requests (including non-cacheable ones) go through the cache. Refer also to CacheCacheStatus field. ## CacheTieredFill Type: `bool` Tiered Cache was used to serve this request. ## ClientASN Type: `int` Client AS number. ## ClientCity Type: `string` Approximate city of the client. ## ClientCountry Type: `string` 2-letter ISO-3166 country code of the client IP address. ## ClientDeviceType Type: `string` Client device type. ## ClientIP Type: `string` IP address of the client. ## ClientIPClass Type: `string` Client IP class. Possible values are _unknown_ | _badHost_ | _searchEngine_ | _allowlist_ | _monitoringService_ | _noRecord_ | _scan_ | _tor_. ## ClientLatitude Type: `string` Approximate latitude of the client. ## ClientLongitude Type: `string` Approximate longitude of the client. ## ClientMTLSAuthCertFingerprint Type: `string` The SHA256 fingerprint of the certificate presented by the client during mTLS authentication. Only populated on the first request on an mTLS connection. ## ClientMTLSAuthStatus Type: `string` The status of mTLS authentication. Only populated on the first request on an mTLS connection. Possible values are _unknown_ | _ok_ | _absent_ | _untrusted_ | _notyetvalid_ | _expired_. ## ClientRegionCode Type: `string` The ISO-3166-2 region code of the client IP address. ## ClientRequestBytes Type: `int` Number of bytes in the client request. ## ClientRequestHost Type: `string` Host requested by the client. ## ClientRequestMethod Type: `string` HTTP method of client request. ## ClientRequestPath Type: `string` URI path requested by the client, which includes only the path portion of the requested URL, without the query string. ## ClientRequestProtocol Type: `string` HTTP protocol of client request. ## ClientRequestReferer Type: `string` HTTP request referrer. ## ClientRequestScheme Type: `string` The URL scheme requested by the visitor. ## ClientRequestSource Type: `string` Identifies requests as coming from an external source or another service within Cloudflare. Refer to [ClientRequestSource field](https://developers.cloudflare.com/logs/reference/clientrequestsource/) for the list of potential values. ## ClientRequestURI Type: `string` URI requested by the client, which includes the full path and query string of the requested URL. ## ClientRequestUserAgent Type: `string` User agent reported by the client. ## ClientSSLCipher Type: `string` Client SSL cipher. ## ClientSSLProtocol Type: `string` Client SSL (TLS) protocol. The value "none" means that SSL was not used. ## ClientSrcPort Type: `int` Client source port. ## ClientTCPRTTMs Type: `int` The smoothed average of TCP round-trip time (SRTT). For the initial request on a connection, this is measured only during connection setup. For a subsequent request on the same connection, it is measured over the entire connection lifetime up until the time that request is received. ## ClientXRequestedWith Type: `string` X-Requested-With HTTP header. ## ContentScanObjResults Type: `array[string]` List of content scan results. ## ContentScanObjSizes Type: `array[int]` List of content object sizes. ## ContentScanObjTypes Type: `array[string]` List of content types. ## Cookies Type: `object` String key-value pairs for cookies. This field is populated based on [Logpush Custom fields](https://developers.cloudflare.com/logs/logpush/logpush-job/custom-fields/), which need to be configured. ## EdgeCFConnectingO2O Type: `bool` True if the request looped through multiple zones on the Cloudflare edge. This is considered an O2O request. ## EdgeColoCode Type: `string` IATA airport code of the data center that received the request. ## EdgeColoID Type: `int` Cloudflare edge data center ID. ## EdgeEndTimestamp Type: `int or string` Timestamp at which the edge finished sending response to the client. ## EdgePathingOp Type: `string` Indicates what type of response was issued for this request (unknown = no specific action). ## EdgePathingSrc Type: `string` Details how the request was classified based on security checks (unknown = no specific classification). ## EdgePathingStatus Type: `string` Indicates what data was used to determine the handling of this request (unknown = no data). ## EdgeRequestHost Type: `string` Host header on the request from the edge to the origin. ## EdgeResponseBodyBytes Type: `int` Size of the HTTP response body returned to clients. ## EdgeResponseBytes Type: `int` Number of bytes returned by the edge to the client. ## EdgeResponseCompressionRatio Type: `float` The edge response compression ratio is calculated as the ratio between the sizes of the original and compressed responses. ## EdgeResponseContentType Type: `string` Edge response Content-Type header value. ## EdgeResponseStatus Type: `int` HTTP status code returned by Cloudflare to the client. ## EdgeServerIP Type: `string` IP of the edge server making a request to the origin. Possible responses are string in IPv4 or IPv6 format, or empty string. Empty string means that there was no request made to the origin server. ## EdgeStartTimestamp Type: `int or string` Timestamp at which the edge received request from the client. ## EdgeTimeToFirstByteMs Type: `int` Total view of Time To First Byte as measured at Cloudflare's edge. Starts after a TCP connection is established and ends when Cloudflare begins returning the first byte of a response to eyeballs. Includes TLS handshake time (for new connections) and origin response time. ## FirewallForAIInjectionScore Type: `int` The score indicating the likelihood of a prompt injection attack in the request, as determined by Firewall for AI. ## FirewallForAIPIICategories Type: `array[string]` List of PII categories detected in the request by Firewall for AI. ## FirewallForAITokenCount Type: `int` The number of tokens in the request, as counted by Firewall for AI. ## FirewallForAIUnsafeTopicCategories Type: `array[string]` List of unsafe topic categories detected in the request by Firewall for AI. ## FraudAttack Type: `string` The primary attack or use case detected in the request by Fraud detections. ## FraudDetectionIDs Type: `array[int]` List of IDs that correlate to the Fraud detections made on a request. ## FraudDetectionTags Type: `array[string]` List of tags that correlate to the Fraud detections made on a request. ## FraudEmailRisk Type: `string` Risk of a specific email address. Possible values are _low_ | _medium_ | _high_. ## FraudUserID Type: `string` A unique identifier generated by the Fraud Detection system for each user, generated during any action determined by the fraud event type. ## JA3Hash Type: `string` The MD5 hash of the JA3 fingerprint used to profile SSL/TLS clients. Available only for Bot Management customers. To enable this feature, contact your account team. ## JA4 Type: `string` The JA4 fingerprint used to profile SSL/TLS clients. Available only for Bot Management customers. To enable this feature, contact your account team. ## JA4Signals Type: `object` Inter-request statistics computed for this JA4 fingerprint. JA4Signals field is organized in key:value pairs, where values are numbers. Available only for Bot Management customers. To enable this feature, contact your account team. ## JSDetectionPassed Type: `string` Whether the request passed background JavaScript Detection. Possible values are _passed_ | _failed_ | _missing_. Available only for Bot Management customers. To enable this feature, contact your account team. ## LeakedCredentialCheckResult Type: `string` Result of the check for [leaked credentials](https://developers.cloudflare.com/waf/detections/leaked-credentials/). Possible results are: _password\_leaked_ | _username\_and\_password\_leaked_ | _username\_password\_similar_ | _username\_leaked_ | _clean_. ## OriginDNSResponseTimeMs Type: `int` Time taken to receive a DNS response for an origin name. Usually takes a few milliseconds, but may be longer if a CNAME record is used. ## OriginIP Type: `string` IP of the origin server. ## OriginRequestHeaderSendDurationMs Type: `int` Time taken to send request headers to origin after establishing a connection. Note that this value is usually 0. ## OriginResponseBytes (deprecated) Type: `int` Number of bytes returned by the origin server. Consider using CacheResponseBytes and filtering out OriginResponseStatus with values 0 and 304, which indicate a revalidated response. Read more [here](https://developers.cloudflare.com/logs/faq/common-calculations/#how-can-i-calculate-bytes-served-by-the-origin-from-cloudflare-logs). ## OriginResponseDurationMs Type: `int` Upstream response time, measured from the first datacenter that receives a request. Includes time taken by Argo Smart Routing and Tiered Cache, plus time to connect and receive a response from origin servers. This field replaces OriginResponseTime. ## OriginResponseHTTPExpires Type: `string` Value of the origin 'expires' header in RFC1123 format. ## OriginResponseHTTPLastModified Type: `string` Value of the origin 'last-modified' header in RFC1123 format. ## OriginResponseHeaderReceiveDurationMs Type: `int` Time taken for origin to return response headers after Cloudflare finishes sending request headers. ## OriginResponseStatus Type: `int` Status returned by the upstream server. The value 0 means that there was no response received from the origin server and the response was served by Cloudflare's Edge. However, if the zone has a Worker running on it, the value 0 could be the result of a Workers subrequest made to the origin. ## OriginResponseTime (deprecated) Type: `int` Number of nanoseconds it took the origin to return the response to edge. ## OriginSSLProtocol Type: `string` SSL (TLS) protocol used to connect to the origin. ## OriginTCPHandshakeDurationMs Type: `int` Time taken to complete TCP handshake with origin. This will be 0 if an origin connection is reused. ## OriginTLSHandshakeDurationMs Type: `int` Time taken to complete TLS handshake with origin. This will be 0 if an origin connection is reused. ## ParentRayID Type: `string` Ray ID of the parent request if this request was made using a Worker script. ## PayPerCrawlStatus Type: `string` Pay Per Crawl outcome, when applicable (for example, request enabled for charging and not blocked by a WAF rule). ## RayID Type: `string` ID of the request. ## RequestHeaders Type: `object` String key-value pairs for request headers. This field is populated based on [Logpush Custom fields](https://developers.cloudflare.com/logs/logpush/logpush-job/custom-fields/), which need to be configured. ## ResponseHeaders Type: `object` String key-value pairs for response headers. This field is populated based on [Logpush Custom fields](https://developers.cloudflare.com/logs/logpush/logpush-job/custom-fields/), which need to be configured. ## SecurityAction Type: `string` Action of the security rule that triggered a terminating action, if any. ## SecurityActions Type: `array[string]` Array of actions the Cloudflare security products performed on this request. The individual security products associated with this action can be found in SecuritySources and their respective rule IDs can be found in SecurityRuleIDs. The length of the array is the same as SecurityRuleIDs and SecuritySources. Possible actions are _unknown_ | _allow_ | _block_ | _challenge_ | _jschallenge_ | _log_ | _connectionClose_ | _challengeSolved_ | _challengeBypassed_ | _jschallengeSolved_ | _jschallengeBypassed_ | _bypass_ | _managedChallenge_ | _managedChallengeNonInteractiveSolved_ | _managedChallengeInteractiveSolved_ | _managedChallengeBypassed_ | _rewrite_ | _forceConnectionClose_ | _skip_. ## SecurityRuleDescription Type: `string` Description of the security rule that triggered a terminating action, if any. ## SecurityRuleID Type: `string` Rule ID of the security rule that triggered a terminating action, if any. ## SecurityRuleIDs Type: `array[string]` Array of rule IDs of the security product that matched the request. The security product associated with the rule ID can be found in SecuritySources. The length of the array is the same as SecurityActions and SecuritySources. ## SecuritySources Type: `array[string]` Array of security products that matched the request. The same product can appear multiple times, which indicates different rules or actions that were activated. The rule IDs can be found in SecurityRuleIDs, and the actions can be found in SecurityActions. The length of the array is the same as SecurityRuleIDs and SecurityActions. Possible sources are _unknown_ | _asn_ | _country_ | _ip_ | _ipRange_ | _securityLevel_ | _zoneLockdown_ | _waf_ | _firewallRules_ | _uaBlock_ | _rateLimit_ | _bic_ | _hot_ | _l7ddos_ | _validation_ | _botFight_ | _apiShield_ | _botManagement_ | _dlp_ | _firewallManaged_ | _firewallCustom_ | _apiShieldSchemaValidation_ | _apiShieldTokenValidation_ | _apiShieldSequenceMitigation_. ## SmartRouteColoID Type: `int` The Cloudflare data center used to connect to the origin server if Argo Smart Routing is used. ## UpperTierColoID Type: `int` The "upper tier" data center that was checked for a cached copy if Tiered Cache is used. ## VerifiedBotCategory Type: `string` The category of verified bot. ## WAFAttackScore Type: `int` Overall request score generated by the WAF detection module. ## WAFFlags (deprecated) Type: `string` Additional configuration flags: _simulate (0x1)_ | _null_. ## WAFMatchedVar (deprecated) Type: `string` The full name of the most-recently matched variable. ## WAFRCEAttackScore Type: `int` WAF score for an RCE attack. ## WAFSQLiAttackScore Type: `int` WAF score for an SQLi attack. ## WAFXSSAttackScore Type: `int` WAF score for an XSS attack. ## WebAssetsLabelsManaged Type: `array[string]` Cloudflare-defined labels matched for the request. ## WebAssetsOperationID Type: `string` UUID of the matched web asset operation. ## WorkerCPUTime Type: `int` Amount of time in microseconds spent executing a Worker, if any. ## WorkerScriptName Type: `string` The Worker script name that made the request. ## WorkerStatus Type: `string` Status returned from Worker daemon. ## WorkerSubrequest Type: `bool` Whether or not this request was a Worker subrequest. ## WorkerSubrequestCount Type: `int` Number of subrequests issued by a Worker when handling this request. ## WorkerWallTimeUs Type: `int` The elapsed time in microseconds between the start of a Worker invocation, and when the Workers Runtime determines that no more JavaScript needs to run. Specifically, this measures the wall-clock time that the JavaScript context remained open. For example, when returning a response with a large body, the Workers runtime can, in some cases, determine that no more JavaScript needs to run, and closes the JS context before all the bytes have passed through and been sent. Alternatively, if you use the `waitUntil()` API to perform work without blocking the return of a response, this work may continue executing after the response has been returned, and will be included in `WorkerWallTimeUs`. ## ZoneName Type: `string` The human-readable name of the zone (for example, 'cloudflare.com'). ```json {"@context":"https://schema.org","@type":"BreadcrumbList","itemListElement":[{"@type":"ListItem","position":1,"item":{"@id":"/directory/","name":"Directory"}},{"@type":"ListItem","position":2,"item":{"@id":"/logs/","name":"Logs"}},{"@type":"ListItem","position":3,"item":{"@id":"/logs/logpush/","name":"Logpush"}},{"@type":"ListItem","position":4,"item":{"@id":"/logs/logpush/logpush-job/","name":"Logpush job setup"}},{"@type":"ListItem","position":5,"item":{"@id":"/logs/logpush/logpush-job/datasets/","name":"Datasets"}},{"@type":"ListItem","position":6,"item":{"@id":"/logs/logpush/logpush-job/datasets/zone/","name":"Zone-scoped datasets"}},{"@type":"ListItem","position":7,"item":{"@id":"/logs/logpush/logpush-job/datasets/zone/http_requests/","name":"HTTP requests"}}]} ```