Does Cloudflare add headers?

So I have a website behind nginx and I wonder where the headers are coming from, for example I have this content security policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests and haven’t specified it on my nginx and also not on my web server.
Any ideas?
If Cloudflare adds headers, is there a way to deactivate it?

By default, no.

Your web app might add them → NodeJS or some similar maybe? :thinking:

You can try to remove them using Transform Rules at Cloudflare, if interested.

https://developers.cloudflare.com/rules/transform/

Is this a Report-Only policy? Cloudflare Page Shield adds a Report-Only CSP policy when it is enabled.

https://developers.cloudflare.com/page-shield/about/

Yes its node

This topic was automatically closed 15 days after the last reply. New replies are no longer allowed.