Cloudflare blocking Security Header


Cloudflare is blocking the secuirty headers that have been set on the origin server :slight_smile:

context / {

extraHeaders <<<END_extraHeaders

X-Frame-Options SAMEORIGIN
X-Content-Type-Options nosniff
Content-Security-Policy “upgrade-insecure-requests;connect-src *”
X-XSS-Protection 1;mode=block
Referrer-Policy “strict-origin-when-cross-origin”
Permissions-Policy “accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()”


Therefore, by disabling the proxy from Cloudflare the test via shows an A+ rating. By enabling the Cloudflare proxy, it shows level D and says that.


are missing.

So few suggestions:

  1. Have you enabled HSTS on the zone? SSL/TLS > Edge Certificates.
  2. Create a Transform Rules (Rules > Transform Rules) to add the other three response headers. This will allow you to remove all of that code from your origin.

Thank you for your suggestions.

  1. It is now enabled, and I received better score. The only headers that are missing now are:
    -Content-Security Policy

  2. Therefore, I tried to use your suggestion, but unfortunately I’m not quite sure how to apply these rules on the requested header.

Another point regarding “remove all of that code from your origin”. Wouldn’t it be more secure to using this connection between my origin and Cloudflare server? Otherwise, the security headers would only be used between client and Cloudflare.

I used to set all those headers at the origin, and Cloudflare let them through.

Now I use Transform Rules, as mentioned by Sam.

Security Headers are only used by the Browser. Cloudflare doesn’t do anything with those.

Can you please explain what’s in the value “URI Path does not contain XXX”? These are my settings, and it still didn’t work out.


  • Is there a specific reason why you changed your settings from letting them through from Cloudflare and setting it now up on Cloudflare?
  • What are the settings to just let them through?

Those look good to me. Unfortunately, without knowing the actual hostname, we can’t provide specific suggestions.

There’s a path that needs some exemptions, so I don’t apply the headers there.

It’s quicker and easier for me to modify CSP here, rather than reloading my web server configuration. And if I migrate my site to another server, I don’t lose the settings.

There’s no setting. I never had to do anything special to get my server-configured headers show up in a browser request.

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.