I noticed that for some of my accounts, it seems like CF automatically adds a response header of:
X-Frame-Options: SAMEORIGIN
and for at least one account it doesn’t.
Most of the accounts where the header is added are on a “Pro” plan, but one is on a free plan.
I tried to find a config attribute that controls this addition, but I didn’t find one.
I also tried accessing one of the sites that adds it directly via the origin IP, bypassing CF, and in that session it wasn’t added, which led me to assume that CF adds it.
So, where is it added and how can I control it? (e.g. disabling the addition, changing the header’s value, etc.)
A side note on what looks like a bug: when adding a response header using a transform rule, the response contains the added response header twice, on consecutive lines, identical. FYI
Zone Overview → Transform Rules → Managed Transforms. Check if you have the “Add Security Headers” managed transform enabled, as this can add headers like this.
Yes, the “add security headers” item is the source of these (at least) two headers.
Disabling it removed both.
I hope CF will expand the relevant documentation page about this, to explicitly mention the headers used and their values.
Also, as I noted, the “X-Xss-Protection: 1; mode=block” header is not supported in most major browsers and is considered insecure, so I hope CF will look into removing it.
For example, google.com uses “X-Xss-Protection: 0” and microsoft.com doesn’t use this header at all.
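The comparison the poster did by hand (edge response vs. direct-to-origin response) can be scripted. The following is an added example, not code from the thread or from Cloudflare: it takes two header lists as returned by `http.client.HTTPResponse.getheaders()` (lists of pairs, so duplicate headers survive), reports which headers the edge injected, which are duplicated, and which injected values are deprecated. The sample responses are constructed, not captured from a real site.

```python
from collections import Counter

# Constructed sample responses (not real captures): one fetched through the
# Cloudflare edge, one fetched directly from the origin with the same Host header.
# Lists of (name, value) pairs preserve duplicate headers, which a dict would hide.
EDGE_HEADERS = [
    ("content-type", "text/html; charset=utf-8"),
    ("x-frame-options", "SAMEORIGIN"),
    ("x-xss-protection", "1; mode=block"),
    ("x-custom-rule", "on"),   # hypothetical header added by a transform rule
    ("x-custom-rule", "on"),   # appears twice, as the poster observed
]
ORIGIN_HEADERS = [
    ("content-type", "text/html; charset=utf-8"),
]

# Injected values that are deprecated or known to be counterproductive.
DEPRECATED = {
    ("x-xss-protection", "1; mode=block"):
        "XSS Auditor removed from major browsers; prefer a Content-Security-Policy",
}


def diff_security_headers(edge, origin):
    """Return headers the edge injected, duplicated headers, and deprecated values.

    Header names are compared case-insensitively; values are compared after
    trimming whitespace.
    """
    edge_norm = [(n.lower(), v.strip()) for n, v in edge]
    origin_norm = {(n.lower(), v.strip()) for n, v in origin}
    injected = sorted({pair for pair in edge_norm if pair not in origin_norm})
    counts = Counter(edge_norm)
    duplicated = sorted(pair for pair, c in counts.items() if c > 1)
    deprecated = [(pair, DEPRECATED[pair]) for pair in injected if pair in DEPRECATED]
    return {"injected": injected, "duplicated": duplicated, "deprecated": deprecated}


if __name__ == "__main__":
    for key, items in diff_security_headers(EDGE_HEADERS, ORIGIN_HEADERS).items():
        print(f"{key}:")
        for item in items:
            print("  ", item)
```

If the managed transform is the source, disabling it and re-running the comparison should empty the "injected" list for those headers.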