Create a request header transform rule via API
Use the Rulesets API to create Request Header Transform Rules via API. Refer to the Rules examples gallery for common use cases.
If you are using Terraform, refer to Transform Rules configuration using Terraform.
When creating a request header transform rule via API, make sure you:
- Set the rule action to rewrite.
- Define the header modification parameters in the action_parameters field according to the operation to perform (set or remove header).
- Deploy the rule to the http_request_late_transform phase at the zone level.
Follow this workflow to create a request header transform rule for a given zone via API:
- Use the List zone rulesets operation to check if there is already a ruleset for the http_request_late_transform phase at the zone level.
- If the phase ruleset does not exist, create it using the Create a zone ruleset operation. In the new ruleset properties, set the following values:
  - kind: zone
  - phase: http_request_late_transform
- Use the Update a zone ruleset operation to add a request header transform rule to the list of ruleset rules. Alternatively, include the rule in the Create a zone ruleset request mentioned in the previous step.
Make sure your API token has the required permissions to perform the API operations.
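The workflow above, as an added example that is not part of Cloudflare's documentation or code: it checks a rule against the constraints listed on this page and decides whether the next call is a create (POST) or an update (PUT). The function names, the ruleset name, the sample IDs and the `rules_to_keep` parameter are assumptions made for illustration, and the list response is constructed sample data.

```python
API = "https://api.cloudflare.com/client/v4"
PHASE = "http_request_late_transform"


def validate_rule(rule):
    """Enforce the constraints this page lists for a request header transform rule."""
    if rule.get("action") != "rewrite":
        raise ValueError("action must be 'rewrite'")
    headers = rule.get("action_parameters", {}).get("headers") or {}
    if not headers:
        raise ValueError("action_parameters.headers must name at least one header")
    for name, mod in headers.items():
        op = mod.get("operation")
        has_value, has_expr = "value" in mod, "expression" in mod
        if op == "set" and has_value != has_expr:
            continue  # exactly one of static value / dynamic expression
        if op == "remove" and not (has_value or has_expr):
            continue  # a removal carries no value or expression
        raise ValueError(f"{name}: expected set with one of value/expression, or remove")
    return rule


def plan_request(zone_id, list_response, new_rule, rules_to_keep=()):
    """Return (method, url, body) for the workflow step that applies to this zone."""
    validate_rule(new_rule)
    base = f"{API}/zones/{zone_id}/rulesets"
    for ruleset in list_response.get("result", []):
        if ruleset.get("phase") == PHASE and ruleset.get("kind") == "zone":
            # The update sets the ruleset's rules to exactly the list sent,
            # so rules that must survive have to be included again.
            body = {"rules": [*rules_to_keep, new_rule]}
            return "PUT", f"{base}/{ruleset['id']}", body
    # No phase ruleset yet: create it with the rule included (name is a placeholder).
    body = {"name": "Example late transform ruleset", "kind": "zone",
            "phase": PHASE, "rules": [new_rule]}
    return "POST", base, body


# Constructed sample data, not real API output.
SAMPLE_LIST = {"result": [
    {"id": "rs-custom", "kind": "zone", "phase": "http_request_firewall_custom"},
    {"id": "rs-late", "kind": "zone", "phase": PHASE},
]}
SAMPLE_RULE = {
    "expression": '(starts_with(http.request.uri.path, "/en/"))',
    "action": "rewrite",
    "action_parameters": {"headers": {"X-Source": {"operation": "set", "value": "Cloudflare"}}},
}
```

The returned body is what goes in the `--json` argument of the curl calls in the examples that follow; `rules_to_keep` has to be filled by the caller with the definitions of any rules already in the ruleset that should remain.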
Example: Add an HTTP request header with a static value
 The following example sets the rules of an existing phase ruleset ($RULESET_ID) to a single request header transform rule — adding an HTTP request header with a static value — using the Update a zone ruleset operation. The response will contain the complete definition of the ruleset you updated.
Required API token permissions
 
At least one of the following token permissions is required:
- Response Compression Write
- Config Settings Write
- Dynamic URL Redirects Write
- Cache Settings Write
- Custom Errors Write
- Origin Write
- Managed headers Write
- Zone Transform Rules Write
- Mass URL Redirects Write
- Magic Firewall Write
- L4 DDoS Managed Ruleset Write
- HTTP DDoS Managed Ruleset Write
- Sanitize Write
- Transform Rules Write
- Select Configuration Write
- Bot Management Write
- Zone WAF Write
- Account WAF Write
- Account Rulesets Write
- Logs Write
```bash
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/$RULESET_ID" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "expression": "(starts_with(http.request.uri.path, \"/en/\"))",
            "description": "My first request header transform rule",
            "action": "rewrite",
            "action_parameters": {
                "headers": {
                    "X-Source": {
                        "operation": "set",
                        "value": "Cloudflare"
                    }
                }
            }
        }
    ]
  }'
```

```json
{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Zone-level Late Transform Ruleset",
    "description": "Zone-level ruleset that will execute Late Transform Rules.",
    "kind": "zone",
    "version": "2",
    "rules": [
      {
        "id": "<RULE_ID>",
        "version": "1",
        "action": "rewrite",
        "action_parameters": {
          "headers": {
            "X-Source": {
              "operation": "set",
              "value": "Cloudflare"
            }
          }
        },
        "expression": "(starts_with(http.request.uri.path, \"/en/\"))",
        "description": "My first request header transform rule",
        "last_updated": "2021-04-14T14:42:04.219025Z",
        "ref": "<RULE_REF>"
      }
    ],
    "last_updated": "2021-04-14T14:42:04.219025Z",
    "phase": "http_request_late_transform"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

Example: Add an HTTP request header with a dynamic value
 The following example sets the rules of an existing phase ruleset ($RULESET_ID) to a single request header transform rule — adding an HTTP request header with a dynamic value — using the Update a zone ruleset operation. The response will contain the complete definition of the ruleset you updated.
```bash
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/$RULESET_ID" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "expression": "(starts_with(http.request.uri.path, \"/en/\"))",
            "description": "My first request header transform rule",
            "action": "rewrite",
            "action_parameters": {
                "headers": {
                    "X-Bot-Score": {
                        "operation": "set",
                        "expression": "to_string(cf.bot_management.score)"
                    }
                }
            }
        }
    ]
  }'
```

```json
{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Zone-level Late Transform Ruleset",
    "description": "Zone-level ruleset that will execute Late Transform Rules.",
    "kind": "zone",
    "version": "2",
    "rules": [
      {
        "id": "<RULE_ID>",
        "version": "1",
        "action": "rewrite",
        "action_parameters": {
          "headers": {
            "X-Bot-Score": {
              "operation": "set",
              "expression": "to_string(cf.bot_management.score)"
            }
          }
        },
        "expression": "(starts_with(http.request.uri.path, \"/en/\"))",
        "description": "My first request header transform rule",
        "last_updated": "2021-04-14T14:42:04.219025Z",
        "ref": "<RULE_REF>"
      }
    ],
    "last_updated": "2021-04-14T14:42:04.219025Z",
    "phase": "http_request_late_transform"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

Example: Remove an HTTP request header
The following example sets the rules of an existing phase ruleset ($RULESET_ID) to a single request header transform rule — removing an HTTP request header — using the Update a zone ruleset operation. The response will contain the complete definition of the ruleset you updated.
```bash
curl "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/$RULESET_ID" \
  --request PUT \
  --header "Authorization: Bearer $CLOUDFLARE_API_TOKEN" \
  --json '{
    "rules": [
        {
            "expression": "(starts_with(http.request.uri.path, \"/en/\"))",
            "description": "My first request header transform rule",
            "action": "rewrite",
            "action_parameters": {
                "headers": {
                    "cf-connecting-ip": {
                        "operation": "remove"
                    }
                }
            }
        }
    ]
  }'
```

```json
{
  "result": {
    "id": "<RULESET_ID>",
    "name": "Zone-level Late Transform Ruleset",
    "description": "Zone-level ruleset that will execute Late Transform Rules.",
    "kind": "zone",
    "version": "2",
    "rules": [
      {
        "id": "<RULE_ID>",
        "version": "1",
        "action": "rewrite",
        "action_parameters": {
          "headers": {
            "cf-connecting-ip": {
              "operation": "remove"
            }
          }
        },
        "expression": "(starts_with(http.request.uri.path, \"/en/\"))",
        "description": "My first request header transform rule",
        "last_updated": "2021-04-14T14:42:04.219025Z",
        "ref": "<RULE_REF>"
      }
    ],
    "last_updated": "2021-04-14T14:42:04.219025Z",
    "phase": "http_request_late_transform"
  },
  "success": true,
  "errors": [],
  "messages": []
}
```

The API token used in API requests to manage Request Header Transform Rules must have at least the following permissions:
- Transform Rules > Edit
- Account Rulesets > Read