Support for preventing specific cookies from reaching the origin in Request Header Modification Rule

Example/Use-case: We want to prevent the WordPress login cookie from reaching the origin server in a certain case.

Type: Set-Dynamic
Header: Cookie
Value: regex_replace(http.cookie, "wordpress_logged_in_[^;]+;?", "")

Regex reference:

I don’t think that’s possible with a Transform Rule. It requires the cookie name in full, and the wordpress_logged_in_ part of the name is followed by a random string. To the best of my knowledge, you can only use regex in the transformation part of the rule, not in the cookie name.

You may be able to accomplish what you want with Cloudflare Workers.

Technically it seems possible for Cloudflare to support this kind of header value modification in Transform rules but Cloudflare specifically does not allow us to modify the ‘Cookie’ header for some reason using the regex I mentioned earlier. (maybe because it’s easier for people to goof up). We used to modify the Cookie request header going to upstream in Varnish Cache back in the old days.

Quoting the docs.

You cannot set or modify the value of cookie HTTP request headers, but you can remove these headers. Configuring a rule that removes the cookie HTTP request header will remove all cookie headers in matching requests.

Source: HTTP request header modification rules · Cloudflare Rules docs

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.