Skip to content

[Gateway] Document HTTP header manipulation: add, set, delete with dynamic variables#32090

Open
grstnhbr wants to merge 3 commits into
cloudflare:productionfrom
grstnhbr:gateway-header-manipulation
Open

[Gateway] Document HTTP header manipulation: add, set, delete with dynamic variables#32090
grstnhbr wants to merge 3 commits into
cloudflare:productionfrom
grstnhbr:gateway-header-manipulation

Conversation

@grstnhbr

Copy link
Copy Markdown
Contributor

Summary

Documents the new HTTP header manipulation feature for Gateway Allow policies. This expands the existing tenant-control page into a broader "Custom headers" page covering three operations (add, set, delete) and dynamic variable interpolation.

Changes

tenant-control.mdx (renamed title to "Custom headers", filename kept for URL stability):

  • New "Header operations" section documenting add, set, and delete operations with execution order (delete, set, add)
  • New "Dynamic header values" section with full variable reference table (@{identity.email}, @{device.id}, @{source.ip}, and 7 others)
  • New "Configure header operations" section with both dashboard and API instructions, including curl examples and rule_settings field reference
  • Existing SaaS tenant control content preserved under "Use cases > SaaS tenant control" with per-vendor Details collapsibles
  • New use cases: forward user identity to upstream services, strip and replace internal headers
  • Existing WAF exemption and Browser Isolation sections preserved as use cases

index.mdx:

  • Added "Custom headers" subsection under the Allow action linking to the expanded page

Context

  • Functional spec: https://wiki.cfdata.org/spaces/GATE/pages/1392122752
  • Implementation: Alyssa Wang's MRs in GIN/oxy-teams (set_headers, delete_headers, @{} interpolation syntax)
  • API schema uses add_headers, set_headers, delete_headers in rule_settings
  • Dynamic variable delimiter changed from ${} to @{} for Terraform compatibility (GIN-2133)

@grstnhbr grstnhbr requested review from a team and elithrar as code owners July 15, 2026 15:04
@cloudflare-docs-bot

cloudflare-docs-bot Bot commented Jul 15, 2026

Copy link
Copy Markdown
Contributor

Review

⚠️ 1 warning, 💡 1 suggestion found in commit 2d86f7f.

Fix in your agent
Fix the following review findings in PR #32090 (https://github.com/cloudflare/cloudflare-docs/pull/32090).

Before making changes, review each finding and present a brief summary table:
- For each finding, state whether you agree, disagree, or need clarification
- If you disagree (e.g. the fix requires disproportionate effort for minimal benefit,
  or the finding is factually incorrect), explain why
- If you need clarification before deciding, ask those questions
- Then share your plan for which issues to tackle and in what order

After triaging, fix all legitimate findings. For any you decide to skip,
post a comment on this PR with the finding ID and your reasoning.

---

## Code Review

### Warnings (1)

#### CR-c325cbebafca · Inaccurate dashboard instructions for delete operation
- **File:** `src/content/docs/cloudflare-one/traffic-policies/http-policies/tenant-control.mdx` line 75
- **Issue:** Step 6 tells users to enter a header name and value for every header operation and to use the value field for dynamic variables. However, Remove/delete operations only remove a header by name and do not have a value field, so this instruction does not apply to all operation types introduced in step 5.
- **Fix:** Qualify step 6 to note that Remove/delete operations only require a header name, or split the instructions so delete operations are described separately from Add/Overwrite.

---

## Style Guide Review

### Suggestions (1)

#### SG-c9c878cb7e1f · Use `select` instead of `click`
- **File:** `src/content/docs/cloudflare-one/traffic-policies/http-policies/tenant-control.mdx` line 75
- **Issue:** Step instructs the user to `click the `</>` button`.
- **Fix:** Change `click the `</>` button` to `select the `</>` button`.

Code Review

This code review is in beta and may not always be helpful — use your judgment.

Warnings (1)
File Issue
cloudflare-one/traffic-policies/http-policies/tenant-control.mdx line 75 Inaccurate dashboard instructions for delete operation — Step 6 tells users to enter a header name and value for every header operation and to use the value field for dynamic variables. However, Remove/delete operations only remove a header by name and do not have a value field, so this instruction does not apply to all operation types introduced in step 5. Fix: Qualify step 6 to note that Remove/delete operations only require a header name, or split the instructions so delete operations are described separately from Add/Overwrite.

Conventions

No convention issues found.

Style Guide Review

Suggestions (1)
File Issue
cloudflare-one/traffic-policies/http-policies/tenant-control.mdx line 75 Use select instead of click — Step instructs the user to click the </> button. Fix: Change click the </> button to select the </> button.
Commands

Only codeowners can run commands. Post a comment with the command to trigger it.

Command Description
/review Runs a review now. Incremental if a prior review exists, full if not.
/full-review Re-reviews the entire PR diff from scratch, ignoring incremental history. Useful after a rebase, when you want a fresh review, or if the bot gets out of sync and reports issues that no longer exist.
/ignore-review-limit Permanently lifts the 2-review automatic limit for this PR. Future pushes will trigger reviews as normal.
/disable-auto-review Stops automatic reviews from triggering on future pushes to this PR. Codeowners can still run /review or /full-review manually.

3. Build an expression to match the traffic you want to modify.
4. In **Action**, select _Allow_.
5. Under **Modify request headers**, select **Add** or **Overwrite** to add or set headers. To delete a header, select **Remove**.
6. For each header operation, enter the header name and value. To use a dynamic variable, enter the `@{...}` syntax in the value field, or click the `</>` button to see the list of available values.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

click the {} button

| `@{device.id}` | Cloudflare One Client device UUID. |
| `@{device.posture}` | Device posture check results (serialized as a JSON string).|

Dynamic variables require an active identity session. If Gateway cannot resolve a variable (for example, the user is not authenticated), the variable is replaced with an empty string and a warning is logged.

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

the variable replaced with a warning string ie cf-unresolved or cf-invalid and a warning is inserted into the http log

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants