In mid 2020, we introduced cf-request-id, an experimental HTTP header. This header was present on requests sent to origins and returned in responses to eyeballs (users). After careful evaluation, we decided to remove the cf-request-id header.
Effective today, cf-request-id is deprecated but will remain in place until July 1, 2021. After this date, the header will no longer be present on requests and responses. If you require an identifier for requests, we recommend using the CF-RAY header.
In preparation of the header’s removal, we will perform a test-run on June 15, 2021. The cf-request-id header will not be present from 15:00 UTC to 23:00 UTC. After this time, it will be present until its full removal on July 1.
End of life Date: July 1, 2021
Previously, RFC2616 allowed the use of Transfer-Encoding and Content-Length in request headers at the same time. RFC7230 supersedes RFC2616 and prohibits the use of Transfer-Encoding and Content-Length in request headers at the same time because they can cause HTTP request smuggling vulnerabilities.
Starting on March 31 2023, Cloudflare will decline requests with both Transfer-Encoding and Content-Length in request headers.
End of life Date: March 31, 2023
The __cfduid cookie was set on Cloudflare HTTP responses and was used for providing critical performance and security services on behalf of our customers. Now, we are working to transition our security services to not depend on this cookie. You can read more about this change on our blog: https://blog.cloudflare.com/deprecating-cfduid-cookie/
On 8 April, we will temporarily remove the cfduid cookie for about 12 hours after 16:00 UTC.
Starting on 10 May 2021, we will permanently stop adding a “Set-Cookie” header on all HTTP responses. The last __cfduid cookies will expire 30 days after that.