Cloudflare + Apache + CSP Headers: Old CSP headers are returned

We are using apache2 on our server, which is behind cloudflare (free plan).

I am currently implementing googles recaptcha, which requires me to make changes to our CSP headers. What I did:

  1. Change CSP in Apache VHOST
  2. Run apachectl configtest - all OK
  3. Restart apache
  4. Check if CSP is working & recaptcha gets loaded → for the first 1-2 page visits it did work, but then I got the error: Refused to load because it does not appear in the script-src directive of the Content Security Policy. Browser: Safari without any Addons. I reloaded a few more times and got the error every 2-3 page reloads.
  5. To see if my CSP are the issue, I removed the CSP headers completely & restarted apache
  6. Reloaded the page, but every 2 or 3 reloads I get the above error message again.
  7. I checked the response headers and saw that every few page reloads the old CSP headers are returned, which I have deleted before.

What could be the issue? I assume that this issue is related to cloudflare. I already purged cloudflare caches and set the TTL to “Respect existing headers”, but no change. I also tried it on Chrome and FF, no luck. I bypassed caching for all URLs and cleared the browsers cache but still the same. Am I missing something here? Or does it take some time for the changes to appear?

Left wrong response, right correct response:

The wrong headers also shows an XSS and Referrer policy. But the cache-status is DYNAMIC, so this has to be coming from somewhere.

It’s interesting that the first couple of visits are ok, and inconsistent after that.

I can’t think of anything at the Cloudflare end that would provide inconsistent behavior. It just behaves as if it’s pulling from two different sources.

Without access to your account info (DNS records and IP addresses), we can’t troubleshoot. I recommend you open a Support ticket and post the number here.

To contact Cloudflare Customer Support, login & go to and select get more help. If you receive an automatic response that does not help you, please reply and indicate you need more help.


Thanks for your reply!

Regarding XSS and Referer: I have removed them on my apache VHOST to see if those might caused issues, thats why they are not showing (so its the same issue as CSP, old headers are returned).

Maybe the requests are occasionally routed through a server who has not updated the CSP yet? Do you know is the default propagation time for changes? Maybe I am too impatient :slight_smile:

I added a page rule for the domain and basically disabled everything, see screenshot. But still same issue.

I have created ticket with ID #2090744 now, I hope the support guys can help me.

That URL is DYNAMIC. All content is pulled from the origin at the time of the request.

I see. Well, maybe my apache config is the issue then. I will wait for the support to reply now and in the meantime check if theres an issue with my apache config.

1 Like

That is relatively easy to check. Run the following command, replaying the variables with your data:

curl --resolve <your domain name:443:<your origin IP address> https://<your domain name>/ -o /dev/null --dump-header -

Do you get consistent results? This command shows the headers that come directly from your origin.


Thanks for the command! And dangit, no, I do not get consistent results. Okay, then its my apache configuration.
Is there a maximum length for CSP headers? currently it is ~670 chars long. I already checked and read that up to 1000 chars are okay.
I will try to remove everything that I do not need and let you guys know when I fixed it. Awesome (and fast) community here btw :slight_smile:


I’m not aware of a limit on CSP specifically. Most web servers have a limit on the total size of the headers on any request/response that they will process. I’ve seen a limit of 8KB mentioned in relation to Cloudflare, but not on their documentation. But I suspect you are not in the territory of having an issue with the header size.

1 Like

After nothing helped, I stopped the apache to see if it actually stops. Well and see, my site was still reachable. After running command ps aux | grep apache I saw 4 processes. I ran killall -9 apache2 and then started apache again, and voila, its working.

So I guess due to an previous error or overload multiple apache processes where running, which resulted in the weird behavior. Thank you guys for helping me!

This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.