CF adds response header of X-Frame-Options: SAMEORIGIN


I noticed that for some of my accounts - it seems like CF automatically adds a response header of:
X-Frame-Options: SAMEORIGIN
and for at least one account it doesn’t.

Most of the accounts with the added header are on a “Pro” plan, but one is on a free plan.

I tried to find a possible config attribute that controls this addition - but I didn’t find one.

I also tried accessing one of the sites that adds it directly at the origin IP, bypassing CF - and in that session it wasn’t added, which led me to assume that CF adds it.

So, where is it added and how can I control it? (e.g. disabling the addition, changing the header’s value, etc.)
The same seems to happen for the response header of:
X-Xss-Protection: 1; mode=block

which, per Mozilla, is no longer supported by the major browsers and can itself be a source of XSS; see X-XSS-Protection - HTTP | MDN
(BTW, use it as well)

A side note on what looks like a bug: when adding a response header using a transform rule - the response contains the added response header twice, the same header line below line. FYI

I checked the duplicated response headers further - it happens in Chrome and Edge, but doesn’t happen in Firefox. FYI

Do you have any Managed Transforms enabled?

Zone Overview → Transform Rules → Managed Transforms. Check if you have the “Add Security Headers” managed transform enabled, as this can add headers like these.
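An added check, not Cloudflare's code or anything from this thread's posters: it fetches a zone's response headers with curl (optionally pinned to the origin IP with --resolve, the bypass described in the question) and audits the header block for the managed-transform headers discussed here, duplicated header lines, and the deprecated X-XSS-Protection value. Hostnames and IPs are placeholders, and curl is assumed to be installed.

```shell
#!/bin/sh
# usage: fetch_headers example.com | audit_headers
#        fetch_headers example.com 203.0.113.10 | audit_headers   # origin, bypassing the edge

# fetch_headers HOST [ORIGIN_IP]: print the response headers of https://HOST/.
# With ORIGIN_IP, --resolve pins the TLS connection to the origin so the
# edge-added headers can be compared against what the origin itself sends.
fetch_headers() {
  host=$1; origin=$2
  if [ -n "$origin" ]; then
    curl -sSI "https://$host/" --resolve "$host:443:$origin"
  else
    curl -sSI "https://$host/"
  fi
}

# audit_headers: read a raw header block on stdin, print one finding per line:
#   present:<name>=<value>  security header seen (name lowercased)
#   missing:<name>          security header absent
#   duplicate:<name>        the same header name occurs more than once
#   deprecated:<name>       X-XSS-Protection set to anything other than 0
audit_headers() {
  tr -d '\r' | awk '
    # header lines only; the status line ("HTTP/2 200") contains "/" and is skipped
    /^[A-Za-z0-9-]+:/ {
      i = index($0, ":")
      name = tolower(substr($0, 1, i - 1))
      value = substr($0, i + 1); sub(/^[ \t]+/, "", value)
      count[name]++; val[name] = value
    }
    END {
      n = split("x-frame-options x-content-type-options strict-transport-security x-xss-protection", want, " ")
      for (i = 1; i <= n; i++) {
        h = want[i]
        if (h in count) print "present:" h "=" val[h]; else print "missing:" h
      }
      for (h in count) if (count[h] > 1) print "duplicate:" h
      if (("x-xss-protection" in count) && val["x-xss-protection"] != "0")
        print "deprecated:x-xss-protection"
    }'
}
```

Run it once against the zone and once with the origin IP; headers that appear only in the first run are being added at the edge.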

Wonderful cherryjimbo!

Yes, the “add security headers” item is the source of (at least) these two headers.
Disabling it removed both.

I hope CF will expand the relevant documentation page about this - to explicitly mention the headers used and their values.

Also, as I noted, “X-Xss-Protection: 1; mode=block” is not supported by most major browsers and is considered insecure - so I hope CF will look into removing it.
For example, using “X-Xss-Protection: 0” or not using this header at all.

Thank you!