I am doing some bug hunting. I inserted a malicious payload into a request. But I am not sure if the response is from CloudFlare or the origin. Are there special headers which help me to distinguish the origin from the CDN? I always see the HTTP header
Server: CloudFlare even if the response came from the origin. Why don't I see
I'm not sure how you're accessing the origin directly unless you're accessing the origin by using its IP. Once you point your domain name at Cloudflare, all requests go through Cloudflare.
Assuming you're accessing the domain name, the content itself did come from your origin even if Cloudflare is currently returning a cached response. You can see if it's a cached response based 'cf-cache-status' header (hit = Cloudflare cache, miss = Cloudflare had to make a request to your origin because it didn't have anything in cache).
You can also turn on Development Mode so Cloudflare bypasses cache.
Temporarily bypass our cache. See changes to your origin server in realtime.