Request Headers in Cloud Functions

An incoming HTTP request includes the HTTP headers sent by the client. Use this reference page for details about how these HTTP headers are processed in Cloud Functions requests.

Headers removed from incoming requests

For security purposes, some headers are sanitized or amended by intermediate proxies before they reach your function.

The following headers are removed from incoming requests if a client sends them:

  • Headers with names that match the X-Google-* pattern. This name pattern is reserved for use by Google.

  • Headers with names that match Cloud Functions-specific headers. Only exact, case-insensitive matches are removed. For example, headers named X-Appengine-Country or X-AppEngine-Country are removed but X-Appengine-Cntry is not.

In addition, the following headers are removed from incoming requests because they relate to the transfer of HTTP data between the client and server:

  • Accept-Encoding
  • Connection
  • Keep-Alive
  • Proxy-Authorization
  • TE
  • Trailer
  • Transfer-Encoding

Headers added for internal Google use

  • x-appengine-default-version-hostname
  • x-appengine-https
  • x-appengine-timeout-ms
  • x-appengine-user-ip
  • x-appengine-request-log-id

Headers added for your use

Cloud Functions adds the following headers to all requests:


Country from which the request originated, as an ISO 3166-1 alpha-2 country code, for example, FR for France. Cloud Functions determines this code from the client's IP address. Note that the country information is not derived from the WHOIS database; it's possible that an IP address with country information in the WHOIS database will not have country information in the X-Appengine-Country header. Your function should also handle the special country code ZZ (unknown country).


A unique identifier for the request used for Cloud Trace and Cloud Logging. For example: "65011637f09e0a5179677a7429456db7/1027871334010811884;o=1"


A comma-delimited list of IP addresses through which the client request has been routed. The first IP in this list is generally the IP of the client that created the request. The subsequent IPs provide information about proxy servers that also handled the request before it reached the application server. For example:

    X-Forwarded-For: clientIp, proxy1Ip, proxy2Ip


Shows http or https based on the protocol the client used to connect to your application.

The Google Cloud Load Balancer terminates all https connections, and then forwards traffic to Cloud Functions over http. For example, if the request is sent to:

the X-Forwarded-Proto header value is https.