Block all requests except a certain header

I’m using a shared account and I would like to help block direct IP connections. Looking at the headers in the Web Developer of my browser I see server: “cloudflare”. So I thought by adding one of the two codes to my htaccess I’d help block non-cloudflare traffic, but I just get a 403 all the time. What am I doing wrong?

RewriteCond %{HTTP:x-server-header} !^cloudflare$ [NC]
RewriteRule ^ - [F]

RewriteCond %{HTTP:server-header} !^cloudflare$ [NC]
RewriteRule ^ - [F]

6 posts were merged into an existing topic: Block direct IP address

Similar question asked by same user. Merged to keep all discussion in one place.