Cloudflare not passing Content-Security-Policy Headers

I am receiving a “D” Security Score from WebPageTest.org even though security headers are enabled with the HTTP Header Plugin. Why is Cloudflare bypassing this information?

These are the active plug-in settings:
X-Frame-Options SAMEORIGIN
X-XSS-Protection 1; mode=block
X-Content-Type-Options nosniff
Strict-Transport-Security max-age=63072000; includeSubDomains; preload
Referrer-Policy no-referrer
Content-Security-Policy frame-ancestors 'none'
Feature Policy ON

Here is the report: https://www.webpagetest.org/result/200514_BA_df03ee95a364681fdcee5a0295e2ee6a/

I have since enabled the Strict-Transport-Security setting in Cloudflare but have no idea how to address the remaining policies…

Any idea what is happening?

Thanks,

Stephen

Any proof for this?
Have you made any tests without CloudFlare and seen that it is working properly without CloudFlare and stops working as soon as it gets routed through CloudFlare?
If not, please don't state this.

After calling your site I have not seen these headers:

X-Frame-Options SAMEORIGIN
X-XSS-Protection 1; mode=block
X-Content-Type-Options nosniff
Strict-Transport-Security max-age=63072000; includeSubDomains; preload
Referrer-Policy no-referrer
Content-Security-Policy frame-ancestors 'none'
Feature Policy ON

Fact is:

  • every change I made to my headers has never been blocked by CloudFlare.
  • you implemented it via a “Plugin”, which directly tells me you are using WordPress and you may not exactly know what you (or the Plugin) did there.
  • if this Plugin adds something to the .htaccess and you deliver the page with nginx, this will not work (and the same the other way around).
  • you did not tell us anything about your setup etc…

There is just way too little info about your setup, and you have done no tests at all to start with. Please set CloudFlare into development mode and clear the cache completely, then check (as CloudFlare will now not modify anything anymore) whether your headers are working fine or not.

A) it's working perfectly = CloudFlare's fault
B) it's still not working = your fault

I’ve used that plugin extensively, specifically for CSP, and Cloudflare has passed the headers through. I’ve added most of the other headers you’ve included as well.

The same thing has happened to me. When I ran my test yesterday, my security score was an A. I woke up this morning and it was an F. I also went through my Cloudflare settings and fixed up the Strict-Transport-Security, but I can’t figure out the rest.

The Security Score (at WebPageTest) is not just defined by “Security Headers” but also. And for me it did not change at all. CloudFlare doesn't edit anything. It just adds its own headers.

Check here, mine still on “A+” and never ever changed.
https://webpagetest.org/result/200514_81_9564a7493700c8c77ebf16b9413f67c0/

You can click on the Security Score and see the explanation. But the security score is provided by snyk.io; if they change the “requirements” for a rank, then this does not have anything to do with CloudFlare.

For checking Security Header I anyway would recommend this tool: https://securityheaders.com

Also: you guys should really never rely on a “Plug & Play” solution. It's good for a good/fast start, but optimizations should be done natively.

Just imagine once going away from CloudFlare… and then? Then all the good things you have profited from are gone. But not if you implement them natively and optimize things where they persist.

Set the required headers where you should set them and have a good, natively optimized & more secure site.

Thanks. Securityheaders.com gives me the same result.

Of course it does. It's just stricter and gives you better details on how to achieve the missing options.

I did not show this to get a “measurement which fits your needs”; it's just “better” in my point of view.

Hi M4rt1n,

Yes, all headers were working properly before I added Cloudflare.

This is what appears to be happening (provided by HTTP Header plug-in support):

"When I open your website I see these response headers:

cache-control: max-age=0
cf-cache-status: DYNAMIC
cf-ray: 592e056389d70d5a-VIE
cf-request-id: 02b0a1b23800000d5a24315200000001
content-encoding: br
content-type: text/html; charset=UTF-8
date: Wed, 13 May 2020 17:15:22 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
expires: Wed, 13 May 2020 17:15:21 GMT
last-modified: Wed, 13 May 2020 16:29:59 GMT
server: cloudflare
status: 200
vary: Accept-Encoding,Cookie,User-Agent,Accept
x-content-type-options: nosniff

then I open the same page like this: https://www.auction-savvy.com/?adasdas

and I get the following response headers:

cache-control: max-age=0
cf-cache-status: DYNAMIC
cf-ray: 592e07515b2f0d5a-VIE
cf-request-id: 02b0a2e6d900000d5a241da200000001
content-encoding: br
content-security-policy: frame-ancestors 'none'
content-type: text/html; charset=UTF-8
date: Wed, 13 May 2020 17:16:43 GMT
expect-ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
expires: Wed, 13 May 2020 17:16:40 GMT
link: https://www.auction-savvy.com/wp-json/; rel="https://api.w.org/
referrer-policy: no-referrer
server: cloudflare
status: 200
strict-transport-security: max-age=63072000; includeSubDomains; preload
vary: Accept,Accept-Encoding,User-Agent
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block

As you can see the latter is a “fresh” request, with all your security headers.

So, I guess you are using some intermediate cache like Cloudflare."

I have done further testing and found that if I disable the WP Rocket plug-in the security ratings go from “D” to “A” on WebPageTest and Security Headers. So perhaps there is a conflict between Cloudflare and the WP Rocket plug-in. I will submit a support ticket to WP Rocket to see if they can resolve.

Any further help is appreciated and thanks for the responses!

Stephen

That sounds vaguely familiar. If I added a security header to a page, then my page caching plugin saved the page, it wouldn’t save the CSP header. I don’t know why Cloudflare would change this behavior. Maybe WP-Rocket knows.

Hi,

I will post the response once I hear back from WP Rocket. Thanks for assuring me that I am not alone!

Stephen


I wonder if Cloudflare is caching correctly. It says DYNAMIC instead of HIT. Could this be a problem?

HTML will be DYNAMIC. Static files, like CSS, JS and images will be MISS/HIT. I like to cache most of my HTML, so I use either special Cache Everything Page Rules, or a Worker.

But CSP will pass through for HTML no matter what the cache status. Here’s the same page cached, and then in dev mode.

Thanks for the clarification.
Per your suggestion I tried this in Cloudflare Page Rules:
www.auction-savvy.com/ Cache Level: Cache Everything
The caching level still shows DYNAMIC.
Did I set it up correctly?

Stephen

I added an "" to the rule:
www.auction-savvy.com/
Cache Level: Cache Everything
The caching level shows MISS

I’m seeing an Expires header that’s set for the exact time I request that URL.
expires: Sat, 16 May 2020 20:30:24 GMT

And when refreshed again the caching level shows REVALIDATED…

I am not sure what that means. Can you clarify? Thanks!

Hi,

Working with WP Rocket support we’ve narrowed the issue to the ModRewrite Script in the WP Rocket Plugin. Hopefully to be resolved soon…

Stephen


WP Rocket’s recommendation is a quick fix but does not resolve the inherent issue with their plugin passing the security headers. Regrettably they seem unwilling to address the issue…

Here is their solution:

" …just install and activate this one (plugin) instead:

…as it is limited only to the rocket_htaccess_mod_rewrite filter, which covers both of the problematic rules you identified earlier.

Keep in mind also that these .htaccess rules are not required in order for WP Rocket to function properly on your site, so removing some or all of them is a completely normal solution that we commonly recommend when they cause a conflict on a customer’s site. (This is why we have the helper plugins at all.)"

In the meantime I enabled a free caching plugin and the security headers and policies are being recognized. WP Rocket won’t provide a refund, but needless to say I will not be renewing my subscription.