Duplicate headers added by transform rules

What is the name of the domain?

eamda.eu

What is the issue you’re encountering?

Duplicate HTTP headers are added

What steps have you taken to resolve the issue?

Removing and re-adding rules, varying the header in question, defining the host or selecting option “for all requests”.

What are the steps to reproduce the issue?

THE BUG MAY BE SPECIFIC TO THIS PARTICULAR ACCOUNT/DOMAIN. It does not occur on another account.

  1. Go to Response Header Transform Rules
  2. Create a Response Header Transform Rule
  3. Add a static header - for instance, “x-author = AUTHOR”, for all requests or by specifying the host name (http.host eq “www.domain.com”)
  4. Save the rule.
  5. Check the response headers using https://www.securityheaders.com

What is expected?

x-author = AUTHOR

What is observed:

x-author = AUTHOR
x-author = AUTHOR

For some headers (e.g., “Permissions-Policy”), the website even shows a warning about a duplicate header.

All headers added by these rules will be duplicated irrespective of their number.

The bug appears to be account/domain specific. I mirrored the configuration across two different Cloudflare accounts/domains, and only one is affected by the bug.

I would suggest using Trace to output all the matching configurations on a request and review them one by one.

If you have a worker running on https://www.eamda.eu/, keep in mind that a subrequest from your worker towards your zone might result in the Response Header Transform Rule matching on your subrequest as well. This could cause the same header to be added twice: once for the subrequest issued by the worker, and once for the original request.

To prevent that from happening, you can either modify the filter of your Response Header Transform Rule to only add the header if it’s not present already, or you can exclude Workers subrequests from matching on your rule by using the cf.worker.upstream_zone field.
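To confirm the duplication locally and re-check after changing the rule, the raw response headers can be parsed directly. This is an added example, not part of the thread or of Cloudflare's tooling; the function names and the sample response are constructed, and it assumes input in the form printed by `curl -sI -L`.

```python
import sys
from collections import defaultdict

# Header names that may legitimately appear more than once in one response.
REPEATABLE = {"set-cookie"}

def split_responses(raw):
    """Split raw header output (redirect chains included) into one list per response."""
    blocks, current = [], []
    for line in raw.replace("\r\n", "\n").split("\n"):
        if line.startswith("HTTP/"):          # status line starts a new response
            if current:
                blocks.append(current)
            current = []
        elif ":" in line:
            current.append(line)
    if current:
        blocks.append(current)
    return blocks

def duplicate_headers(header_lines):
    """Return {lowercased name: [values]} for names sent more than once."""
    seen = defaultdict(list)
    for line in header_lines:
        name, _, value = line.partition(":")
        seen[name.strip().lower()].append(value.strip())
    return {n: v for n, v in seen.items() if len(v) > 1 and n not in REPEATABLE}

def report(raw):
    """List (response index, header name, count, kind) for every duplicate."""
    out = []
    for i, block in enumerate(split_responses(raw)):
        for name, values in sorted(duplicate_headers(block).items()):
            # "identical": same value repeated, as in the report above.
            # "conflicting": different values under one name.
            kind = "identical" if len(set(values)) == 1 else "conflicting"
            out.append((i, name, len(values), kind))
    return out

# Constructed sample that mirrors the behaviour described in the thread.
SAMPLE = ("HTTP/2 200\r\ncontent-type: text/html\r\n"
          "x-author: AUTHOR\r\nX-Author: AUTHOR\r\n"
          "permissions-policy: geolocation=()\r\n"
          "permissions-policy: geolocation=()\r\n"
          "set-cookie: a=1\r\nset-cookie: b=2\r\n\r\n")

if __name__ == "__main__":
    raw = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    for idx, name, count, kind in report(raw):
        print(f"response {idx}: {name} sent {count} times ({kind})")
```

Piping real `curl -sI -L` output for the affected host into the script replaces the constructed sample.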