I think I found a bug. When I add a custom header, it gets added twice. See photos.
I turn off this rule, I don’t see any headers matching X-XSS-PROTECTION.
I turn it on, I see two of the same headers.
Even 3 times here.
That’s interesting behavior.
For the XSS header, I would double-check that the Managed Transform “Add security headers” is not on; if you have that on along with a custom response rule, I do get that same behavior of the XSS header existing twice.
The issue with three being added is a bit stranger. When I was testing, I did notice it seems (at least at the moment of my testing) that changing Transform Rules takes a solid few minutes to update, which makes testing a bit painful, so make sure you are waiting for the change.
One other thing that might be worth pointing out: if your origin is sending any headers, Add will just add another one to that as well.
I know it’s not a solution to your original issue, but it sounds like you want to use the “set static” action instead of Add. Set Static will override any existing header, or add it if it’s missing.
https://developers.cloudflare.com/rules/transform/response-header-modification/
“Set the value of an HTTP response header to a literal string value, overwriting its previous value or adding a new header to the response if it does not exist.”
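Added example, not part of the thread and not Cloudflare's code: a Python sketch that models the two actions as the reply and the quoted documentation describe them (Add appends another header line, Set static overwrites or creates) and flags header names that repeat in a response head. The sample origin response and all function names are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: a response head as an origin might send it.
ORIGIN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "\r\n"
)

# Headers that are expected to appear more than once.
REPEATABLE = {"set-cookie"}

def parse_headers(raw):
    """Return [(name, value)] in wire order from a raw response head."""
    head = raw.split("\r\n\r\n", 1)[0]
    pairs = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def apply_add(headers, name, value):
    """Model of 'Add': append a header line, keeping any existing ones."""
    return headers + [(name, value)]

def apply_set_static(headers, name, value):
    """Model of 'Set static': overwrite the previous value, or add if missing."""
    kept = [(n, v) for n, v in headers if n.lower() != name.lower()]
    return kept + [(name, value)]

def duplicates(headers):
    """Map lower-cased name -> values for names seen more than once."""
    seen = defaultdict(list)
    for n, v in headers:
        seen[n.lower()].append(v)
    return {n: vs for n, vs in seen.items()
            if len(vs) > 1 and n not in REPEATABLE}

if __name__ == "__main__":
    origin = parse_headers(ORIGIN_RESPONSE)
    for label, op in (("add", apply_add), ("set static", apply_set_static)):
        result = op(origin, "X-XSS-Protection", "1; mode=block")
        print(label, "->", duplicates(result) or "no duplicates")
```

To check a real response, pass the saved output of `curl -sI` for your site to `parse_headers` and `duplicates`.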