Cloudflare Security Headers Worker Conflicts?

Hi,

I was wondering if there are any issues or conflicts when using Cloudflare’s Security Headers Worker code with my WordPress site and caching? It broke Cloudflare Insights due to no referer, but that has security and privacy concerns. Would I need to add anything to that security policy? If so, I do not expect anyone to give it; I just would like to know.

I am asking because I have been seeing:

cache-control: no-cache, must-revalidate, max-age=0
cf-apo-via: origin,cookie
cf-cache-status: BYPASS
cf-edge-cache: no-cache

and

x-proxy-cache: BYPASS

as well as other console issues. Below is the code:

const DEFAULT_SECURITY_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "upgrade-insecure-requests;",
    "Permissions-Policy": "fullscreen=(self)",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
const BLOCKED_HEADERS = [
    "Public-Key-Pins",
    "X-Powered-By",
    "X-AspNet-Version",
]
addEventListener('fetch', event => {
    event.respondWith(addHeaders(event.request))
})
async function addHeaders(req) {
    // Reject weak TLS before contacting the origin, so no origin fetch is wasted
    // on a request that will be refused anyway (req.cf is absent outside the edge runtime).
    const tlsVersion = req.cf && req.cf.tlsVersion
    if (tlsVersion != "TLSv1.2" && tlsVersion != "TLSv1.3") {
        return new Response("You need to use TLS version 1.2 or higher.", { status: 400 })
    }

    const response = await fetch(req)
    const newHeaders = new Headers(response.headers)

    // Only HTML responses get the security headers; other content types pass through unchanged
    if (newHeaders.has("Content-Type") && !newHeaders.get("Content-Type").includes("text/html")) {
        return new Response(response.body, {
            status: response.status,
            statusText: response.statusText,
            headers: newHeaders
        })
    }

    Object.keys(DEFAULT_SECURITY_HEADERS).forEach(function (name) {
        newHeaders.set(name, DEFAULT_SECURITY_HEADERS[name])
    })

    BLOCKED_HEADERS.forEach(function (name) {
        newHeaders.delete(name)
    })

    // Cache-Control and the cf-* headers from the origin are left as they are
    return new Response(response.body, {
        status: response.status,
        statusText: response.statusText,
        headers: newHeaders
    })
}

I would greatly appreciate any feedback! If you would like to check out the site to see for yourself - https://www.tips4gamers.com/

cf-apo-via: origin,cookie

This indicates that cache was bypassed because you have WordPress cookies as logged-in user, it’s not related to Security Headers.

3 Likes
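To make the reply's point checkable offline, here is an added example (not the OP's worker and not Cloudflare-provided code): the worker's header policy written as a pure function over plain header objects, so it can be unit-tested under Node without the Workers runtime, together with a small diagnostic that reads the cache headers quoted in the question. The sample responses, the `X-Powered-By` value and the `tcache` reading of `cf-apo-via` are constructed assumptions; the `origin,cookie` reading follows the reply above.

```javascript
// Added example (not the OP's worker or Cloudflare code): the worker's header
// policy as a pure function, plus a diagnostic for the cache headers quoted in
// the thread. Sample responses are constructed.

const DEFAULT_SECURITY_HEADERS = {
  "X-Frame-Options": "SAMEORIGIN",
  "Content-Security-Policy": "upgrade-insecure-requests;",
  "Permissions-Policy": "fullscreen=(self)",
  "Referrer-Policy": "strict-origin-when-cross-origin",
};
const BLOCKED_HEADERS = ["Public-Key-Pins", "X-Powered-By", "X-AspNet-Version"];

// Lower-case header names so lookups are case-insensitive like the Headers API.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = value;
  return out;
}

// Mirror of the worker's decision for one origin response.
// action is "reject-tls" (400 before touching the origin), "pass-through"
// (non-HTML, headers unchanged) or "modified" (HTML with security headers set).
function applyPolicy(originHeaders, tlsVersion) {
  if (tlsVersion !== "TLSv1.2" && tlsVersion !== "TLSv1.3") {
    return { action: "reject-tls", status: 400, headers: {} };
  }
  const headers = normalizeHeaders(originHeaders);
  const contentType = headers["content-type"] || "";
  if (contentType && !contentType.includes("text/html")) {
    return { action: "pass-through", status: 200, headers };
  }
  for (const [name, value] of Object.entries(DEFAULT_SECURITY_HEADERS)) {
    headers[name.toLowerCase()] = value;
  }
  for (const name of BLOCKED_HEADERS) delete headers[name.toLowerCase()];
  // cache-control and the cf-* headers are never touched, so the edge's
  // caching decision reaches the client unchanged by the worker.
  return { action: "modified", status: 200, headers };
}

// Read the Cloudflare cache headers the way the reply in the thread does.
function explainCacheStatus(originHeaders) {
  const h = normalizeHeaders(originHeaders);
  const status = h["cf-cache-status"];
  const apo = h["cf-apo-via"];
  if (apo === "origin,cookie") {
    return "BYPASS: request carried a cookie (logged-in WordPress session); unrelated to the security headers";
  }
  // "tcache" as the APO cache-hit value is an assumption of this example.
  if (status === "HIT" || apo === "tcache") return "HIT: served from Cloudflare cache";
  if (status === "BYPASS") return "BYPASS: origin response told Cloudflare not to cache (cache-control/set-cookie)";
  return `unclassified (cf-cache-status=${status}, cf-apo-via=${apo})`;
}

// Constructed sample responses, modelled on the headers quoted in the question.
const LOGGED_IN_HTML = {
  "Content-Type": "text/html; charset=UTF-8",
  "Cache-Control": "no-cache, must-revalidate, max-age=0",
  "cf-apo-via": "origin,cookie",
  "cf-cache-status": "BYPASS",
  "X-Powered-By": "PHP/8.1", // constructed value
};
const ANONYMOUS_HTML = {
  "Content-Type": "text/html; charset=UTF-8",
  "cf-apo-via": "tcache",
  "cf-cache-status": "HIT",
};
const STYLESHEET = { "Content-Type": "text/css", "cf-cache-status": "HIT" };

if (typeof require !== "undefined" && require.main === module) {
  const samples = { LOGGED_IN_HTML, ANONYMOUS_HTML, STYLESHEET };
  for (const [label, sample] of Object.entries(samples)) {
    const result = applyPolicy(sample, "TLSv1.3");
    console.log(label, "->", result.action, "|", explainCacheStatus(sample));
  }
}
```

Running it shows the logged-in HTML response getting the security headers while its `cache-control` value survives untouched, which is the point of the reply: the bypass comes from the cookie, not from the worker.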

I actually found that out while surfing the web in bed last night. The cache is working great. I appreciate the help!
