Forwarding URL page rules are failing security audits

We’ve got SecureScoreCard auditing our domains and websites and we’re getting a lot of failures on the forwarding URL’s we’ve got set up in CloudFlare.

Below are some of the items we’re failing. Most of them seem to be missing headers. It seems like this would be the redirect at CloudFlare missing the headers. Is there a way to get these passing?

  • Content Security Policy (CSP) Missing
  • The HTTP site redirects users to a new URL in a way that cannot be secured with HTTPS and HSTS headers.
  • Website Does Not Implement HSTS Best Practices
  • Redirect Chain Contains HTTP
  • Website does not implement X-Frame-Options Best Practices
  • Website does not implement X-XSS-Protection Best Practices
  • Website does not implement X-Content-Type-Options Best Practices


  • Marc

Most of that needs to be handled at the source.

As for Cloudflare:

  • Which HSTS settings are selected?
  • What is this redirect path that’s happening? It sounds like something dips into HTTP. You can do HTTPS-only redirects using page rules.

We are also facing the same issue. At the application level the security headers are added. At the Cloudfare level we have added IP rules. After adding the IP rules the security header are overridden by Cloudfare in the response.
If we remove the IP rule the security header are working as set at the Application level.
Any suggestion why?

These are meaningless for HTTP Request 301/302.

These practices generally applies for HTTP Request 200.

This topic was automatically closed after 30 days. New replies are no longer allowed.