Ability to set page rules by headers (i.e. user-agent, referrer etc)


Is this something you are interested in? Please provide your use case and details on this topic and vote up if it is important.


I would be interested in this, my scenario would be: all my visitors to one of my websites all give a unique header because they are coming from a set top box, to have the ability to allow my legitimate traffic from the set top box only and disallow all other traffic by page rules would be great also would be another security feature for my website!


yes - that would come in handy

I’d also like to be able to do it based on TLS version - so I can send people to an upgrade your browser page if they are using TLS1.0



If particular bad user-agent matches, do DNS error.

Is it possible?


@GulshanKumar you want to return a page that looks like the DNS error? That’s actually pretty creative and funny. Not sure bots would get the humor but it could certainly mess with scraping applications. I’ll pass it along.


I want like this. Assuming that, making cluless is better than giving hint of a specific error.

split this topic #7

A post was split to a new topic: Country redirections


Yes, I am interested in the HTTP referer header.
Example: if (HTTP referer contains “something”) perform a 302 redirect.



Is there any update on User-agent sniffing feature? I want to bypass cache for a evil bot.

I want this because I am facing a real problem due to HIT response CACHE.

I have a rule like this

Force https, avoid redirect chain, excluding robots.txt path and evil bot.
RewriteEngine On 
RewriteCond %{HTTP_HOST} ^example\.com [NC]
RewriteCond %{HTTP:X-Forwarded-Proto} !https
RewriteCond %{REQUEST_URI} !^/robots\.txt$
RewriteCond %{HTTP_USER_AGENT} !^.*(evil).*$ [NC]
RewriteRule ^(.*)$ https://www.example.com/$1 [R=301,L]
Again… dont give any clue to evil bot, simply return to aim = HTTP response 404 for all requests
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} .(evil).*$ [NC]
RewriteCond %{REQUEST_URI} !^/robots\.txt$
RewriteRule .* - [R=404,L,NC]

Unfortunately, above rules based on user-agent doesn’t work as long I use Cache Everything page rule.

I can bypass cache for few path. But really, that’s not a complete solution.

I think here user-agent sniffing should work from Cloudflare page rule side, then only I can get a perfect solution.

Please let me know the answer

Thanks & Regards,


This feature will be very useful.

i have some question can its use with URL matches? like
URL Pattern: img.example.com/*
HEADER Pattern: referrer: example.com/

i can think like only allow referrer from some domain otherwise redirect to example.com/do-not-hotlink.jpg


I agree,
and vice versa (allowing everybody except for a referer from some domain)

@ryan are you still considering implementing the “rules by headers”?
We are very interested in this feature.


Was this feature ever added?


This sounds like it might be great for pages that display different content based on user-agent. Anything to make the user-agent detection faster!


I would like to see this feature. Use case: externaldomain.com that I don’t control is redirecting to my domain. I want a visitor with a referrer of externaldomain.com to go a specific page within my website.

If I can’t do this in the page rules, I am stuck doing it in my CMS, and if I cache all my HTML, I am stuck doing it on the front-end, which isn’t ideal.


This would be great, I wanted to display different contents for users who embed my webpage but there was not way to do when cache everything is on. So I had to use “x-frame-options: den” header rule that was not wanted as I wanted different contents. So a page rule based on page referrer will be awesome.