#Smuggling CF CDN IP in headers as Hosting provider does not provide proxy URL

Hey,

my hosting provider does not pass in headers IP of Cloudflare CDN server that made the request to the hosting. This limits my options to blocking non-CF traffic in hosting.

I wanted to transform request custom header to add an CF IP into it and check on server as .htaccess (using Apache) Require ip does not work... How to define such rule?

I started in https://developers.cloudflare.com/ruleset-engine/rules-language/fields/#http-request-header-fields but don't know how to debug what values are even available.

For now I use header transform rule that adds custom request header but it might leak and check hostname but it's non-strict as I belife it's spoofable.'

Thanks

Yeah the CF provided ones are really the only ones you can trust

Why does your host remove these headers? That sounds like something you should bring up with them

Outside of that, your best bet is as random of a header name as you can do. Security through obscurity is by no means fool proof though. I'd work with your host to get the real headers.

Any way to generate random values in header with a formula that I could also run in hosting to have kind of dynamic key?