Is the CF-Worker header from worker fetch() reliable?

I noticed that, when making a fetch() request from within a worker, it sends a CF-Worker header with the eTLD+1 of the host that served the request. I don’t see any documentation on this header…is it reliable and will it be persistent (i.e., not removed in future versions)?


Yes, this header is reliable and is intended to be used for security and anti-abuse purposes. It actually names the Cloudflare zone, which is usually the eTLD+1, but it’s actually possible (though unusual) for Cloudflare zones to be subdomains.

We should definitely document it better, sorry about that.


Thanks, Kenton. Could it be a subdomain if using a 3rd party zone via SSL for SaaS?

The CF-Worker header identifies the zone that owns the worker, regardless of what hostname received the HTTP request that triggered the worker.