Cloudflare adds cf headers to non cloudflare domains

I am trying to build a small utility to enable users and check if a webpage is cached by cloudflare or not.

https://cf-cache-status.com/ This domain itself is hosted on cloudflare and is served by it’s worker. In the worker when I call the fetch function, the response headers returned by this function include cf-* headers even if the domain is not hosted by Cloudflare. Here is the code.

    let cfResponse = await fetch("https://google.com")
    let cfHeaders = {};
    for(let entry of cfResponse.headers.entries()) {
      cfHeaders[entry[0]] = entry[1];
    }

When I print the cfHeaders I see the following headers which I suppose should be there for non cloudflare hosted websites.

cf-cache-status => DYNAMIC
cf-ray => 6a9515c7c5f66a75-SYD

My question is why is CF injecting custom headers to a non CF domain?

Thanks

I don’t have extensive knowledge about the inner workings of Cloudflare’s network (sadly :cry:), but I feel like I know enough to make some educated guesses.

Let’s assume this is approximately how requests travel through Cloudflare’s network:

Client -> Inbound Proxy ->  Zone -> Outbound Proxy -> Origin

I’m also going to make the following assumption:

  • Any valid request going through Cloudflare’s Inbound Proxy is assigned a unique ID as specified in the cf-ray header.

Valid request using HTTP/1.0:

[[email protected] ~]$ echo -en "GET /cdn-cgi/trace HTTP/1.0\r\nHost: 1.1.1.1\r\n\r\n" | nc 1.1.1.1 80
HTTP/1.1 200 OK
CF-RAY: 6a9577b1cd937363-CPH

Invalid request using “HTTP/0.1”:

[[email protected] ~]$ echo -en "GET /cdn-cgi/trace HTTP/0.1\r\nHost: 1.1.1.1\r\n\r\n" | nc 1.1.1.1 80
HTTP/1.1 400 Bad Request
CF-RAY: -

I don’t think requests made by Workers are any different. They most likely go through the same process as any other request for security reasons. Therefore, they’re assigned an ID and given the cf-ray header as well.

Again, these are all my assumptions so I could be completely wrong about everything :wink:

1 Like

Thanks, it does make sense. Since it becomes really hard to determine if the domain is behined a CF or not, it would be great if someone from CF can confirm this.

Yea and they completely trample the original Server header too - this is how it’s always been