Request Headers in Cloud Functions
An incoming HTTP request includes the HTTP headers sent by the client. Use this
reference page for details about how these HTTP headers are processed in
Cloud Functions requests.
Headers removed from incoming requests
For security purposes, some headers are sanitized or amended by intermediate
proxies before they reach your function.
Headers with names that match the X-Google-* pattern are removed from
incoming requests if a client sends them. This name pattern is reserved for use
by Google.
In addition, the following headers are removed from incoming requests because
they relate to the transfer of HTTP data between the client and server:
Connection
Keep-Alive
Proxy-Authorization
TE
Trailer
Transfer-Encoding
Headers added for your use
Cloud Functions adds the following headers to all requests:
X-Cloud-Trace-Context
A unique identifier for the request used for Cloud Trace and Cloud Logging. For example: "65011637f09e0a5179677a7429456db7/1027871334010811884;o=1"
X-Forwarded-For
A comma-delimited list of IP addresses through which the client request has
been routed. The first IP in this list is generally the IP of the client that
created the request. The subsequent IPs provide information about proxy servers
that also handled the request before it reached the application server. For
example:
X-Forwarded-For: clientIp, proxy1Ip, proxy2Ip
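Because the first entry is only "generally" the client, code that logs or acts on this header should validate it before use. The following is an added example, not code from the original page: it parses the list and rejects any entry that is not an IP address. The function names, the lower-cased header dictionary and the MAX_HOPS cap are assumptions made for the example.

```python
import ipaddress

MAX_HOPS = 16  # assumed sanity cap on list length, not a platform limit


def parse_x_forwarded_for(value, max_hops=MAX_HOPS):
    """Return (client_ip, proxy_ips) from an X-Forwarded-For value.

    Every entry must parse as an IPv4 or IPv6 address; anything else
    raises ValueError so the caller can log and reject or ignore it.
    """
    if value is None or not value.strip():
        raise ValueError("X-Forwarded-For is missing or empty")
    entries = [item.strip() for item in value.split(",")]
    if len(entries) > max_hops:
        raise ValueError("X-Forwarded-For has too many entries")
    hops = []
    for item in entries:
        # ip_address() rejects hostnames, ports and free text.
        hops.append(ipaddress.ip_address(item))
    return hops[0], hops[1:]


def client_ip_for_logging(headers):
    """Return the first X-Forwarded-For address as a string, or "invalid".

    `headers` is assumed to be a dict with lower-cased header names.
    """
    try:
        client, _ = parse_x_forwarded_for(headers.get("x-forwarded-for"))
    except ValueError:
        return "invalid"
    return str(client)
```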
X-Forwarded-Proto
Shows http or https based on the protocol the client used to connect to
your application.
The Google Cloud Load Balancer terminates all https connections, and then
forwards traffic to Cloud Functions over http. For example,
if the request is sent to:
https://YOUR_PROJECT_ID.cloudfunctions.net/YOUR_FUNCTION_NAME
the X-Forwarded-Proto header value is https.
Note: Entity headers (headers relating to the request body) are not sanitized or checked, so functions should not rely on them. In particular, the Content-MD5 request header is sent unmodified to the function, so it might not match the MD5 hash of the content. Also, the Content-Encoding request header is not checked by the server, so if the client sends a gzipped request body, it will be sent in compressed form to the application.
Note: Cloud Functions (2nd gen) is now Cloud Run functions. The information on this page applies to using the Cloud Functions API, which is still supported for performing operations on functions.
Last updated 2025-09-04 UTC.
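The note on entity headers means a function has to check Content-MD5 and undo Content-Encoding itself. The following is an added example, not code from the original page: it compares the claimed digest with the bytes as received and decompresses a gzip body under a size cap. The function names, the lower-cased header dictionary and the 1 MiB limit are assumptions made for the example.

```python
import base64
import binascii
import hashlib
import hmac
import zlib

MAX_DECODED_BYTES = 1024 * 1024  # assumed application limit


class BodyError(ValueError):
    """Request body does not match what its entity headers claim."""


def content_md5_matches(headers, raw_body):
    """True/False if Content-MD5 is present, None if it is absent."""
    claimed = headers.get("content-md5")
    if claimed is None:
        return None
    try:
        claimed_digest = base64.b64decode(claimed.strip(), validate=True)
    except (binascii.Error, ValueError):
        return False
    # Digest of the bytes as received (before any decompression).
    actual = hashlib.md5(raw_body).digest()
    return hmac.compare_digest(claimed_digest, actual)


def decode_body(headers, raw_body, limit=MAX_DECODED_BYTES):
    """Return the decoded body, honouring Content-Encoding with a size cap."""
    encoding = headers.get("content-encoding", "identity").strip().lower()
    if encoding in ("", "identity"):
        decoded = raw_body
    elif encoding == "gzip":
        inflater = zlib.decompressobj(16 + zlib.MAX_WBITS)  # gzip framing
        try:
            # Ask for one byte more than the limit to detect oversize output.
            decoded = inflater.decompress(raw_body, limit + 1)
        except zlib.error as exc:
            raise BodyError("body is not valid gzip") from exc
        if len(decoded) <= limit and not inflater.eof:
            raise BodyError("gzip stream is truncated")
    else:
        raise BodyError("unsupported Content-Encoding: %r" % encoding)
    if len(decoded) > limit:
        raise BodyError("decoded body exceeds %d bytes" % limit)
    return decoded
```

MD5 here only detects a mismatch between header and body; it does not authenticate the sender.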