Cloudflare's Managed Transforms, found in the dashboard under Rules > Settings, apply predefined transformations to HTTP request and response headers at the edge, with no custom rule language required. Most of them exist for security, privacy, or compliance reasons.
This article walks through each Managed Transform option, what it does, what it changes on the wire, and when you should (or should not) enable it.
HTTP Request Headers Transformations (Incoming Requests)
1. Add TLS Client Auth Headers
- If the zone enforces mutual TLS (mTLS), this option forwards details of the client certificate presented in the TLS handshake to the origin as request headers.
- Added headers:
  - Cf-Client-Cert-Der-Base64: the client certificate in DER form, base64-encoded
  - Cf-Client-Cert-Sha256: the SHA-256 fingerprint of that certificate
- When to use? Enable it when the origin needs to make its own decisions based on the client certificate, for example mapping a certificate to a tenant or API consumer. The origin must only honor these headers on connections that actually come from Cloudflare; a client that can reach the origin directly can set them itself, so lock the origin down to Cloudflare's IP ranges or use Authenticated Origin Pulls.
2. Add Visitor Location Headers
- Adds request headers derived from Cloudflare's geolocation of the visitor's IP address, including:
  - cf-ipcity
  - cf-ipcontinent
  - cf-iplatitude
  - cf-iplongitude
  - cf-region and cf-region-code
  - cf-postal-code and cf-timezone
- The country code (CF-IPCountry) is not part of this transform; it is sent whenever the zone's IP Geolocation setting is on.
- Purpose: location-dependent content (for example, redirecting by country or region), analytics, or geographic access decisions at the origin. Treat the values as a best-effort lookup, not a proof of location: VPN and proxy users resolve to the exit node's location.
3. Remove Visitor IP Headers
- Strips the request headers that carry the visitor's IP address before the request reaches the origin: CF-Connecting-IP, True-Client-IP, and X-Forwarded-For. The origin then sees only the Cloudflare edge IP as the peer.
- Note: this option and "Add True-Client-IP Header" are mutually exclusive; enabling one disables the other.
- Enable it when you do not want the origin (or any log it writes) to record visitor IPs, for privacy or data-minimization reasons. Be aware that origin-side rate limiting, geo-blocking, and abuse investigation then lose the client IP, so those controls have to live in Cloudflare instead.
4. Add "True-Client-IP" Header
- Adds a True-Client-IP request header carrying the visitor's IP address, the same value Cloudflare already sends in CF-Connecting-IP.
- Useful for origins, load balancers, or WAFs behind the Cloudflare proxy that expect the True-Client-IP header name (common for applications migrated from other CDNs) rather than CF-Connecting-IP.
- Note: cannot be combined with "Remove Visitor IP Headers".
- Only trust this header when the request demonstrably arrived via Cloudflare. Unlike X-Forwarded-For, which can contain a client-supplied chain, Cloudflare sets True-Client-IP itself, but anyone who can connect to the origin directly can forge it.
5. Add Leaked Credentials Checks Header
- Works together with the WAF's leaked credentials detection. Cloudflare compares the username and password submitted in a request (for example, a login form POST) against its database of credentials that have appeared in public breaches.
- When a match is found, the request is forwarded with an added Exposed-Credential-Check header so the origin knows the submitted credentials are known to be compromised.
- This does not mean your system has leaked anything; it means the user is reusing a credential that was exposed elsewhere. The usual origin response is to force a password reset or require a second factor before completing the login.
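The request-header transforms above share one trust rule: headers such as True-Client-IP, the cf-ip* location headers, the mTLS headers, and Exposed-Credential-Check are only meaningful if the request really came through Cloudflare. The following origin-side helper is an added example written for this article, not code from Cloudflare; it checks the TCP peer against Cloudflare's published IPv4 ranges (an excerpt snapshot, assumed current, which you should replace with the live list from https://www.cloudflare.com/ips-v4) and only then reads the Cloudflare-set headers. The header mapping and the "step-up" action name are assumptions for illustration.

```python
import ipaddress
from typing import Mapping, Optional

# Excerpt of Cloudflare's published IPv4 egress ranges at the time of writing.
# Assumption for this example: refresh from https://www.cloudflare.com/ips-v4
# (and the ips-v6 list) in production; a stale list breaks the trust check.
CLOUDFLARE_IPV4 = [
    ipaddress.ip_network(n) for n in (
        "173.245.48.0/20", "103.21.244.0/22", "104.16.0.0/13", "104.24.0.0/14",
        "108.162.192.0/18", "141.101.64.0/18", "162.158.0.0/15", "172.64.0.0/13",
        "131.0.72.0/22", "190.93.240.0/20", "188.114.96.0/20",
        "197.234.240.0/22", "198.41.128.0/17",
    )
]


def from_cloudflare(peer_ip: str) -> bool:
    """True if the TCP peer that delivered the request is a Cloudflare edge."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in CLOUDFLARE_IPV4)


def _lower(headers: Mapping[str, str]) -> dict:
    # Header names are case-insensitive; normalize once.
    return {k.lower(): v for k, v in headers.items()}


def client_ip(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Resolve the visitor IP, trusting Cloudflare headers only from Cloudflare."""
    if not from_cloudflare(peer_ip):
        # Direct hit on the origin: every Cloudflare header could be forged.
        # Many deployments reject such requests outright; here we fall back
        # to the peer address so the caller can still log something truthful.
        return peer_ip
    h = _lower(headers)
    for name in ("true-client-ip", "cf-connecting-ip"):
        if name in h:
            return h[name]
    return peer_ip


def visitor_location(peer_ip: str, headers: Mapping[str, str]) -> Optional[dict]:
    """Return the geolocation headers added by the managed transform, or None."""
    if not from_cloudflare(peer_ip):
        return None
    h = _lower(headers)
    wanted = ("cf-ipcountry", "cf-ipcity", "cf-region", "cf-iplatitude", "cf-iplongitude")
    found = {k: h[k] for k in wanted if k in h}
    return found or None


def credential_check_action(peer_ip: str, headers: Mapping[str, str]) -> str:
    """Decide how a login handler should react to Exposed-Credential-Check.

    Any value present means Cloudflare matched the submitted credentials
    against its leaked-credential dataset, so require a step-up (password
    reset or second factor) before the session is issued.
    """
    if not from_cloudflare(peer_ip):
        return "allow"  # header cannot be trusted on a direct connection
    if "exposed-credential-check" in _lower(headers):
        return "step-up"
    return "allow"


if __name__ == "__main__":
    # Constructed sample: a request relayed by a Cloudflare edge.
    via_cf = {"CF-Connecting-IP": "198.51.100.7", "True-Client-IP": "198.51.100.7",
              "CF-IPCountry": "DE", "cf-ipcity": "Berlin", "Exposed-Credential-Check": "1"}
    print(client_ip("104.16.1.1", via_cf), visitor_location("104.16.1.1", via_cf),
          credential_check_action("104.16.1.1", via_cf))
    # Same headers sent straight to the origin by an attacker: all ignored.
    print(client_ip("203.0.113.5", via_cf), visitor_location("203.0.113.5", via_cf),
          credential_check_action("203.0.113.5", via_cf))
```

The decisive point is the first `from_cloudflare` check in each function: without it, a forged True-Client-IP defeats origin-side rate limits and a forged location header changes access decisions. If your origin only accepts TCP connections from Cloudflare (firewall rules or Authenticated Origin Pulls), the check becomes defence in depth rather than the only line.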
HTTP Response Headers Transformations (Responses from the Server)
1. Remove "X-Powered-By" Headers
- Removes the X-Powered-By response header (for example, X-Powered-By: PHP/7.4) that many frameworks and application servers add, which advertises the technology and version behind the site.
- Recommended: it removes an easy reconnaissance hint at no functional cost. It is not a substitute for patching; an attacker can still fingerprint the stack from error pages, cookies, and response behavior, and other banner headers the origin sets (such as X-AspNet-Version) are not covered by this option.
2. Add Security Headers
- Automatically adds the following headers to responses:
  - X-Content-Type-Options: nosniff (stops browsers from MIME-sniffing a response into a different content type)
  - X-Frame-Options: SAMEORIGIN (blocks framing by other origins, the classic clickjacking defence)
  - Referrer-Policy: same-origin (keeps the Referer header from leaking URLs to third parties)
  - X-XSS-Protection: 1; mode=block (the legacy reflected-XSS filter; modern Chromium-based browsers ignore it)
- These headers help against clickjacking and content-type confusion, but they do not cover everything. Content-Security-Policy and Strict-Transport-Security are not added by this transform and must be set via a Response Header Transform Rule or at the origin. Check for conflicts if the origin already sets its own values.
URL Normalization Settings
1. Normalize Incoming URLs
- Normalizes the URL of each incoming request on Cloudflare's edge before it is evaluated by Cloudflare's own products.
- Normalization decodes percent-encoded unreserved characters (for example %61 becomes a), uppercases the hex digits of the encodings that remain, and resolves dot segments such as /./ and /../.
- WAF custom rules, rate limiting rules, redirect and rewrite rules, and Page Rules all match against the normalized URL. This is the security-relevant part: without it, a rule that blocks /admin can be evaded with /static/../admin or /%61dmin.
- Enabled by default on new zones; leave it on.
2. Normalize URLs to Origin
- Sends the normalized URL to the origin as well, instead of normalizing only for Cloudflare's rule evaluation and forwarding the original URL.
- Some applications depend on the exact request URL (for example, signed URLs or routes that treat /a/../b differently from /b), so test before enabling. The trade-off is that when the origin receives the original URL, the WAF and the origin may resolve the same request to different paths.
3. Normalization Type
- RFC 3986: normalization as defined by the URI standard (percent-encoding and dot-segment handling only); this is the stricter, more predictable option.
- Cloudflare: applies the RFC 3986 steps plus extra transformations, for example:
  - backslashes are converted to forward slashes (\ becomes /)
  - repeated slashes are merged (//// becomes /)
- Recommendation: if your origin tolerates such URLs (most web servers and frameworks treat \ or repeated slashes as equivalent to a single /), the Cloudflare type closes more evasion paths for rule matching. If the origin is strict about these characters, RFC 3986 keeps Cloudflare's view closest to the origin's.
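To make the bypass concrete, here is an added example (written for this article, not Cloudflare's implementation) that performs RFC 3986 normalization on a request path, optionally adds the two Cloudflare-type steps described above, and runs a simple "block /admin" rule with and without normalization. The rule, the sample paths, and the mode names are constructed for illustration; Cloudflare's real normalizer may handle further cases not modelled here.

```python
import re

# RFC 3986 unreserved characters: percent-encodings of these are decoded.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~"
)
_PCT = re.compile(r"%([0-9A-Fa-f]{2})")


def _normalize_pct(path: str) -> str:
    """Decode %XX for unreserved chars; uppercase the hex of the rest."""
    def repl(m):
        ch = chr(int(m.group(1), 16))
        if ch in UNRESERVED:
            return ch
        return "%" + m.group(1).upper()  # %2f -> %2F, still encoded
    return _PCT.sub(repl, path)


def remove_dot_segments(path: str) -> str:
    """RFC 3986 section 5.2.4 applied to an absolute path."""
    out = [""]                      # the empty first element keeps the leading slash
    segs = path.split("/")[1:]      # drop the element before the leading slash
    for i, seg in enumerate(segs):
        last = i == len(segs) - 1
        if seg == ".":
            if last:
                out.append("")      # "/a/." resolves to "/a/"
            continue
        if seg == "..":
            if len(out) > 1:
                out.pop()           # never climb above the root
            if last:
                out.append("")
            continue
        out.append(seg)
    return "/".join(out)


def normalize(path: str, mode: str = "rfc3986") -> str:
    """Normalize a request path. mode is "rfc3986" or "cloudflare" (assumed names)."""
    if mode == "cloudflare":
        path = path.replace("\\", "/")       # \ becomes /
        path = re.sub(r"/{2,}", "/", path)  # //// becomes /
    path = _normalize_pct(path)
    if not path.startswith("/"):
        path = "/" + path
    return remove_dot_segments(path)


def waf_blocks_admin(path: str, normalize_first: bool, mode: str = "rfc3986") -> bool:
    """Constructed rule: block any request whose path starts with /admin."""
    p = normalize(path, mode) if normalize_first else path
    return p.startswith("/admin")


if __name__ == "__main__":
    # Constructed evasion attempts against the "/admin" rule.
    evasions = ["/static/../admin", "/%61dmin/users", "/%2e%2e/admin",
                "/\\admin", "//admin", "/admin%2F..%2Fpublic"]
    print(f"{'path':24} raw   rfc3986 cloudflare")
    for e in evasions:
        print(f"{e:24} {waf_blocks_admin(e, False)!s:5} "
              f"{waf_blocks_admin(e, True)!s:7} "
              f"{waf_blocks_admin(e, True, 'cloudflare')!s}")
```

The table the script prints is the whole argument for "Normalize Incoming URLs": with the raw path, only a literal `/admin` matches; with RFC 3986 normalization, the `../`, `%61` and `%2e%2e` variants are caught; the backslash and double-slash variants are caught only by the Cloudflare type. Note that `%2F` stays encoded under both modes, since `/` is a reserved character; whether `/admin%2F..%2Fpublic` reaches `/public` or `/admin/../public` at the origin depends entirely on the origin's own decoding, which is exactly the mismatch "Normalize URLs to Origin" is meant to reduce.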
Conclusion
Cloudflare Managed Transforms let you improve a site's security and privacy posture with a handful of switches rather than custom rules. With these settings:
- the origin receives the visitor metadata it needs (IP, location, client certificate, leaked-credential signal) in well-defined headers, or none of it if you prefer
- technology banners are stripped from responses and baseline browser protections are added
- URLs are normalized before rule evaluation, so WAF and routing rules cannot be evaded with encoding tricks
If your site customizes content by visitor geography, needs the real client IP at the origin, or wants a consistent set of response headers, enabling the relevant options is a good default. Remember that the request-header transforms only help if the origin trusts those headers solely on connections from Cloudflare, and that the security headers transform is a baseline, not a replacement for a Content-Security-Policy and HSTS.