Adding security headers to cloudflare

First of all … hi all :slight_smile:

My problem, i dont get the security headers to work.
If I add them to my wordpress website, Cloudflare seems to filter them out.
Next i tried it via a Worker …nothing happened:
No i try it with page rules.

Again there is no change, when i test my site with

What do i do wrong. Oh by the way i use the “pro” plan in Cloudflare.

Regards Chris

Hi Chris

So the wildcards are probably the issue in your filter. if you change hostname to just be and the second one to contains removing the * then re-deploy.





lets wait. :slight_smile:

Please remove this part, since it is unnecessary and will never be triggered. The rest seems to be correct. I anyway for some reasons would not recommend using Cloudflare for setting security headers.

  1. it just applies when traffic is routed through Cloudflare, if unproxied or you once want to switch CDN you lose your security headers.
  2. if someone calls your page and resolved your domain directly to your origin IP all the security features do not apply.
  3. you are depending on Cloudflare
  4. you don’t use any free Cloudflare rules for things that are solvable differently/better

I personally recommend always impelemting them natively in your server config (nginx.conf or .htaccess)

my security headers are implemented like this in my .htaccess:

# ------------------------------------------------------------------------------
# |                      ### HEADER Modifikationen ###                         |
# ------------------------------------------------------------------------------
<IfModule mod_headers.c>

		# ------------------------------------------------------------------------------
		# |                     ### Sicherheitsrichtlinien ###                         |
		# ------------------------------------------------------------------------------
		Header set Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-inlinejs'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; media-src 'none'; object-src 'none'; frame-src 'none'; worker-src 'none'; frame-ancestors 'none'; form-action 'none'; base-uri 'self'; manifest-src 'none'; upgrade-insecure-requests; block-all-mixed-content"
		Header always set Permissions-Policy: "accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(), document-domain=(), encrypted-media=(), fullscreen=(), geolocation=(), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=(), picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), web-share=(), xr-spatial-tracking=()"
		Header set X-Frame-Options DENY
		Header set X-XSS-Protection "1; mode=block"
		Header set X-Permitted-Cross-Domain-Policies "none"
		Header set Referrer-Policy "strict-origin-when-cross-origin"
		Header always set X-Content-Type-Options "nosniff"
		Header always edit Set-Cookie (.*) "$1; HTTPOnly; Secure; SameSite=Strict"
		Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
		Header always unset X-Powered-By

    	# ------------------------------------------------------------------------------
   		# |                      ### Cross-Origin Policies ###                         |
    	# ------------------------------------------------------------------------------
    	Header set Cross-Origin-Embedder-Policy "require-corp"
    	Header set Cross-Origin-Opener-Policy "same-origin"
    	Header set Cross-Origin-Resource-Policy "same-origin"

Feel free to modify it, so it fits your needs.

You can see the results here: Security Header results for


Oh well … you know what?
When you do things right, they work :rofl:

Thank you very much :upside_down_face:

Regards Chris

1 Like

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.