Rules and Ruleset Engine
By the end of this lesson you will understand the different types of Cloudflare Rules, how the Ruleset Engine evaluates them, and how to create rules for common traffic management tasks.
What Are Cloudflare Rules?
Cloudflare Rules let you modify request and response behavior at the edge — without changing your origin server. You can redirect URLs, rewrite headers, change cache settings, and apply security measures based on conditions you define.
```mermaid
flowchart LR
    REQUEST["Incoming Request"] --> RULES["Ruleset Engine\n(Evaluate conditions)"]
    RULES -->|"Match"| ACTION["Apply Action\n(Redirect, Rewrite, Block)"]
    RULES -->|"No Match"| PASS["Pass Through"]
    ACTION --> ORIGIN["Origin / Cache"]
    PASS --> ORIGIN
    style RULES fill:#f6821f,color:#fff,stroke:#e5711e
```
Rule Types (Free Plan)
| Rule Type | What It Does | Free Limit |
|---|---|---|
| Redirect Rules | URL redirects (301, 302) | 10 rules |
| Transform Rules (URL) | Rewrite URL paths and query strings | 10 rules |
| Transform Rules (Headers) | Modify request/response headers | 10 rules |
| Cache Rules | Control caching behavior (covered in Module 3) | 10 rules |
| Configuration Rules | Override zone settings per-request | 10 rules |
| Custom Rules (WAF) | Block/challenge based on conditions | 5 rules |
Redirect Rules
Redirect rules send visitors from one URL to another with a 301 (permanent) or 302 (temporary) redirect.
Common Examples
Redirect www to non-www
| Setting | Value |
|---|---|
| When | Hostname equals www.example.com |
| Then | Dynamic redirect to concat("https://example.com", http.request.uri.path) |
| Status code | 301 (Permanent) |
Redirect old paths to new paths
| Setting | Value |
|---|---|
| When | URI Path equals /old-page |
| Then | Static redirect to https://example.com/new-page |
| Status code | 301 |
Redirect all HTTP to HTTPS
This is better handled via SSL/TLS → Always Use HTTPS, but can also be done with a redirect rule:
| Setting | Value |
|---|---|
| When | SSL/HTTPS is Off |
| Then | Dynamic redirect to concat("https://", http.host, http.request.uri.path) |
| Status code | 301 |
Transform Rules
Transform rules modify the request or response without redirecting the user.
URL Rewrite
Change the URL path that reaches your origin without the visitor seeing a redirect:
| Setting | Value |
|---|---|
| When | URI Path starts with /api/v1/ |
| Then | Rewrite path to concat("/api/v2/", substring(http.request.uri.path, 8)) |
Request Header Modification
Add, set, or remove headers on the request going to your origin:
| Setting | Value |
|---|---|
| When | All requests |
| Then | Set header X-Forwarded-Proto to https |
Response Header Modification
Add security headers to every response:
| Header | Value | Purpose |
|---|---|---|
| X-Content-Type-Options | nosniff | Prevent MIME-type sniffing |
| X-Frame-Options | DENY | Prevent clickjacking |
| Referrer-Policy | strict-origin-when-cross-origin | Control referrer information |
| Permissions-Policy | camera=(), microphone=() | Restrict browser features |
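To confirm the rule took effect, the response can be audited against the table. The script below is an added example, not part of the original lesson; the function names and both sample responses are constructed for illustration, and comparing values case-insensitively with whitespace ignored is an assumption of this check.

```python
# Added example: audit a response head for the four headers in the table above.
EXPECTED = {  # header names and values taken from the table
    "x-content-type-options": "nosniff",
    "x-frame-options": "DENY",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": "camera=(), microphone=()",
}

# Constructed sample responses (not captured from a real site).
SAMPLE_GOOD = """HTTP/1.1 200 OK
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: camera=(), microphone=()
"""
SAMPLE_BAD = """HTTP/1.1 200 OK
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-frame-options: DENY
referrer-policy: no-referrer-when-downgrade
"""

def parse_head(raw):
    """Parse a raw HTTP response head into {lowercased name: [values]}."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if not line.strip():
            break  # a blank line ends the head
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def normalize(value):
    return "".join(value.lower().split())  # ignore case and whitespace

def audit(raw):
    """Return {header: finding} for each expected header that is not as required."""
    seen, findings = parse_head(raw), {}
    for name, want in EXPECTED.items():
        values = seen.get(name, [])
        if not values:
            findings[name] = "missing"
        elif len(values) > 1:
            findings[name] = "duplicate"  # header appears more than once
        elif normalize(values[0]) != normalize(want):
            findings[name] = "unexpected value: " + values[0]
    return findings
```

Pass it the header block of a real response (for example the output of `curl -sI`); an empty result means all four headers match the table.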
The Ruleset Engine
All Cloudflare Rules are evaluated by the Ruleset Engine — a single, unified rules engine that processes rules in a defined order:
```mermaid
flowchart TD
    REQ["Incoming Request"] --> CUSTOM["Custom Rules\n(WAF)"]
    CUSTOM --> RATE["Rate Limiting\n(Paid)"]
    RATE --> TRANSFORM["Transform Rules\n(URL + Headers)"]
    TRANSFORM --> REDIRECT["Redirect Rules"]
    REDIRECT --> CACHE_RULES["Cache Rules"]
    CACHE_RULES --> CONFIG["Configuration Rules"]
    CONFIG --> ORIGIN["Forward to Origin"]
    style REQ fill:#2563eb,color:#fff,stroke:#1e40af
    style ORIGIN fill:#16a34a,color:#fff,stroke:#15803d
```
Rule Evaluation
- Rules within each type are evaluated in order (top to bottom)
- The first matching rule in each category executes
- Multiple categories can match the same request (e.g., a Transform Rule AND a Cache Rule)
Expression Language
Cloudflare Rules use an expression language for conditions:
| Field | Example | Description |
|---|---|---|
| http.host | http.host eq "example.com" | Request hostname |
| http.request.uri.path | starts_with(http.request.uri.path, "/api") | URL path |
| http.request.method | http.request.method eq "POST" | HTTP method |
| ip.src | ip.src in {203.0.113.0/24} | Client IP |
| ip.geoip.country | ip.geoip.country eq "US" | Client country |
| http.user_agent | http.user_agent contains "bot" | User-Agent string |
| ssl | not ssl | Whether HTTPS |
Common Misconceptions
"I need Workers for simple redirects"
Reality: Redirect Rules handle simple redirects without any code. Use Workers only for complex logic that rules can't express.
"Rules execute in the order I see them across all types"
Reality: Each rule type has its own execution phase. Within a type, rules execute in order. Across types, the Ruleset Engine has a fixed evaluation order.
Key Takeaways
- Cloudflare Rules let you control traffic behavior at the edge — no origin changes needed.
- 10 free rules per type: Redirects, URL Transforms, Header Transforms, Cache, Config.
- 5 free Custom Rules (WAF) for security conditions.
- Rules use an expression language for flexible matching on hostname, path, IP, country, and more.
- The Ruleset Engine evaluates rules in a defined type order, with top-to-bottom priority within each type.
What's Next
- Continue to Notifications to learn about configuring Cloudflare alerts.