Cloudflare Docs
Ruleset Engine
Edit this page
Report an issue with this page
Log into the Cloudflare dashboard
Set theme to dark (⇧+D)

Rule operators and grouping symbols

The Cloudflare Rules language supports comparison and logical operators:

  • Comparison operators specify how values defined in an expression must relate to the actual HTTP request value for the expression to return true.
  • Logical operators combine two expressions to form a compound expression and use order of precedence to determine how an expression is evaluated.

Grouping symbols allow you to organize expressions, enforce precedence, and nest expressions.

​​ Comparison operators

Comparison operators return true when a value from an HTTP request matches a value defined in an expression.

This is the general pattern for using comparison operators:

<field> <comparison_operator> <value>

The Rules language supports these comparison operators:

NameOperator NotationSupported Data Types
EnglishC-likeStringIPNumberExample (operator in bold)
Equaleq==http.request.uri.path eq "/articles/2008/"
Not equalne!=ip.src ne 203.0.113.0
Less thanlt<cf.threat_score lt 10
Less than
or equal
le<=cf.threat_score le 20
Greater thangt>cf.threat_score gt 25
Greater than
or equal
ge>=cf.threat_score ge 60
Exactly
contains
containshttp.request.uri.path contains "/articles/"
Matches
regex*
matches~http.request.uri.path matches "^/articles/200[7-8]/$"
Value is in
a set of values
inip.src in { 203.0.113.0 203.0.113.1 }

* Access to the matches operator requires a Cloudflare Business or Enterprise plan.

​​ Additional operators in the Cloudflare dashboard

The Cloudflare dashboard shows the following functions as operators:

  • starts with (corresponding to the starts_with function): Returns true when a string starts with a given substring, and false otherwise.
  • ends with (corresponding to the ends_with function): Returns true when a string ends with a given substring, and false otherwise.

However, when writing your own custom expressions, you must use these functions in function calls, not as operators. For example:

# Valid function call
ends_with(http.request.uri.path, ".html")
# Invalid use of ends_with function
http.request.uri.path ends_with ".html"

​​ Comparing string values

String comparison in rule expressions is case sensitive. To account for possible variations of string capitalization in an expression, you can use the lower() function and compare the result with a lowercased string, like in the following example:

lower(http.request.uri.path) contains "/wp-login.php"

​​ Regular expression matching

Customers on Business and Enterprise plans have access to the matches operator. Regular expression matching is performed using the Rust regular expression engine.

If you are using a regular expression, you can test it using a tool like Regular Expressions 101 or Rustexp.

For more information on regular expressions, refer to String values and regular expressions.

​​ Logical operators

Logical operators combine two or more expressions into a single compound expression. A compound expression has this general syntax:

<expression> <logical_operator> <expression>

​​ Supported logical operators

Each logical operator has an order of precedence. The order of precedence (along with grouping symbols) determines the order in which Cloudflare evaluates logical operators in an expression. The not operator ranks first in order of precedence.

NameEnglish
Notation
C-like
Notation
ExampleOrder of Precedence
Logical NOTnot!not ( http.host eq "www.cloudflare.com" and ip.src in {203.0.113.0/24} )1
Logical ANDand&&http.host eq "www.cloudflare.com" and ip.src in {203.0.113.0/24}2
Logical XOR
(exclusive OR)
xor^^http.host eq "www.cloudflare.com" xor ip.src in {203.0.113.0/24}3
Logical ORor||http.host eq "www.cloudflare.com" or ip.src in 203.0.113.0/244

​​ Order of precedence

When writing compound expressions, it is important to be aware of the precedence of logical operators so that your expression is evaluated the way you expect.

For example, consider the following generic expression, which uses and and or operators:

Expression1 and Expression2 or Expression3

If these operators had no order of precedence, it would not be clear which of two interpretations is correct:

  1. Match when Expression 1 and Expression 2 are both true or when Expression 3 is true.
  2. Match when Expression 1 is true and either Expression 2 or Expression 3 is true.

Since the logical and operator has precedence over logical or, the and operator must be evaluated first. Interpretation 1 is correct.

To avoid ambiguity when working with logical operators, use grouping symbols so that the order of evaluation is explicit.

​​ Grouping symbols

The Rules language supports parentheses ((,)) as grouping symbols. Grouping symbols allow you to organize expressions, enforce precedence, and nest expressions.

Only the Expression Editor and the Cloudflare API support grouping symbols. The Expression Builder does not.

​​ Group expressions

Use parentheses to explicitly group expressions that should be evaluated together. In this example, the parentheses do not alter the evaluation of the expression, but they unambiguously call out which logical operators to evaluate first.

(Expression1 and Expression2) or Expression3

Because grouping symbols are so explicit, you are less likely to make errors when you use them to write compound expressions.

​​ Enforce precedence

Grouping symbols are a powerful tool to enforce precedence for grouped elements of a compound expression. In this example, parentheses force the logical or operator to be evaluated before the logical and:

Expression1 and (Expression2 or Expression3)

Without parentheses, the logical and operator would take precedence.

​​ Nest expressions

You can nest expressions grouped by parentheses inside other groups to create very precise, sophisticated expressions, such as this example for a rule designed to block access to a domain:

(
(http.host eq "api.example.com" and http.request.uri.path eq "/api/v2/auth") or
(http.host matches "^(www|store|blog)\.example.com" and http.request.uri.path contains "wp-login.php") or
ip.geoip.country in {"CN" "TH" "US" "ID" "KR" "MY" "IT" "SG" "GB"} or ip.geoip.asnum in {12345 54321 11111}
) and not ip.src in {11.22.33.0/24}

Note that when evaluating the precedence of logical operators, parentheses inside strings delimited by quotes are ignored, such as those in the following regular expression, drawn from the example above:

"^(www|store|blog)\.example\.com"