CSP et al headers from origin are only applied when cf-cache-status is BYPASS

What is the name of the domain?

What is the issue you’re encountering?

CSP et al headers from origin are only applied when cf-cache-status is BYPASS

What steps have you taken to resolve the issue?

I have reviewed that the rules exist and are configured properly in NGINX, and function when I allow direct origin access through Cloudflare.

What are the steps to reproduce the issue?

Load the homepage and load the response headers.
Go to a page that has music playing, and look at the response for the opus file. The proper headers from the server are all there but the cf-cache-status is BYPASS

Screenshot of the error

Hi there!

Sorry to hear you’re not seeing the expected headers.

When I connect directly to your NGINX server, I am not seeing any CSP headers:

> GET / HTTP/2
> Host: ebonyriddle.com
> Accept: */*
> Accept-Encoding: gzip
>
* Request completely sent off
{ [5 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [65 bytes data]
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
{ [65 bytes data]
< HTTP/2 200
< server: nginx
< date: Thu, 15 May 2025 14:12:47 GMT
< content-type: text/html; charset=utf-8
< last-modified: Mon, 12 Aug 2024 22:18:01 GMT
< vary: Accept-Encoding
< etag: W/"66ba8a19-1437"
< expires: Fri, 16 May 2025 14:12:47 GMT
< cache-control: max-age=86400
< cache-control: public, no-transform
< content-encoding: gzip

Please double check your server configuration to make sure it always returns the expected headers.

You can also test locally on the server with this command:
curl -svo /dev/null https://ebonyriddle.com --connect-to ::localhost

Interesting, it was working prior to moving my DNS to Cloudflare. Here is an example of a file that is getting BYPASS and has the headers configured on the server.

You’re testing two different URLs.

Does the home page ever show CSP for a BYPASS or MISS?

I am getting the CSP headers on the audio files, specifically here

https://ebonyriddle.com/common/trac01.opus

While Cloudflare does cache ogg audio, it does this based on the file extension, not the mime type.

You can set up a page rule to always cache content when the extension is .opus

Ok, I do see that CSP, though it’s usually not necessary since the .opus file probably isn’t going to trigger any other loads that CSP needs to manage.

You’ll still need to fix the server so it returns CSP for the home page, and other HTML.

If it’s not Cloudflare, the only thing it might be is the brotli compression module?

    brotli on;
    brotli_comp_level 11;
    brotli_static on;
    brotli_types text/plain text/css application/javascript application/x-javascript text/xml
      application/xml application/xml+rss text/javascript image/x-icon
      image/vnd.microsoft.icon image/bmp image/svg+xml;

Otherwise, nothing has changed and there are no rules that exclude headers from any requests. They are defined within the top-level server block with no surrounding logic.

Solved it, I had included an external configuration to add cache control headers to certain directory structures, not realizing that an add_header in a location block removed all other headers defined in the parent server.

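The add_header inheritance pitfall behind the fix above, as an added illustration rather than the poster's actual configuration: nginx only inherits add_header directives from the enclosing level when the current level defines none of its own, so a location that adds Cache-Control silently drops every server-level security header. Hostname, paths, header values and the snippet filename are placeholders.

```nginx
# Added example (not the thread author's config). Hostname, root, paths and
# the snippet filename are placeholders.

# --- BROKEN: headers set once at server level, then lost in the location ---
server {
    listen 443 ssl http2;
    server_name example.com;
    root /var/www/site;

    # Security headers defined at server level. "always" keeps them on
    # error responses too (4xx/5xx), not only 2xx/3xx.
    add_header Content-Security-Policy "default-src 'self'; object-src 'none'" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    # This block has its own add_header, so nginx inherits NOTHING from the
    # server block for requests matching it: /static/ responses carry
    # Cache-Control but no CSP, no nosniff, no Referrer-Policy.
    location /static/ {
        add_header Cache-Control "public, max-age=86400";
    }
}

# --- FIXED: keep the security headers in one snippet and re-include it in
# --- every block that declares any add_header of its own ---
#
# snippets/security-headers.conf (placeholder path) contains exactly:
#   add_header Content-Security-Policy "default-src 'self'; object-src 'none'" always;
#   add_header X-Content-Type-Options "nosniff" always;
#   add_header Referrer-Policy "strict-origin-when-cross-origin" always;
server {
    listen 443 ssl http2;
    server_name example.com;
    root /var/www/site;

    include snippets/security-headers.conf;

    location /static/ {
        add_header Cache-Control "public, max-age=86400";
        # Re-apply the full set here; otherwise the line above alone would
        # cancel the inherited server-level headers for this location.
        include snippets/security-headers.conf;
    }
}
```

After `nginx -t` and a reload, a direct-to-origin request for a path under /static/ (the `--connect-to ::localhost` form shown earlier in the thread works for this) should list Content-Security-Policy alongside Cache-Control; if it does not, some other block on that request path still declares its own add_header without the include.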
