Getting odd CSP header + other security header returns

Hi There,

Please be gentle as im new to all this :slight_smile:

So a while back I had setup CF workers to edit my security headers after a recent hack… I for some reason have gone from an A+ to C now?

Ive been bashing me head against a wall trying to figure out whats happening… if I use or alternative they show no CSP + other headers…

Missing Headers:


But I clearly have them set:

curl -I
HTTP/1.1 420 Enhance Your Calm
Date: Fri, 13 Nov 2020 13:56:44 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: __cfduid=dd50dfeea78457f73fa6bfd6df01dc88d1605275803; expires=Sun, 13-Dec-20 13:56:43 GMT; path=/;; HttpOnly; SameSite=Lax; Secure
CF-Ray: 5f18ff6ed90fa6e1-DUB
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Vary: User-Agent
CF-Cache-Status: DYNAMIC
cf-request-id: 06637df94b0000a6e1a6bee000000001
Content-Security-Policy: upgrade-insecure-requests; script-src ‘sha256-hdzyJen1SHUFg9rEG3cCG+K1QV4EQMmzjA1MIAX9tlc=’ ‘sha256-1RGfG9+j6XMOouMGUusdP/KIsB/IsUQ36ogeY6whs+w=’ ‘sha256-kogO7ShS+bfT41vwzWZBhArZWhj14975SX39LcdV0F4=’ ‘sha256-JkpT/R5tGDDazutyjYrPH3ec6oE3rVWeZJiF0bEj7to=’ ‘sha256-+xnRYl6/+4Khb0KyAeJAzRRWk0z6XuhW/iggh0yPvdY=’ ‘sha256-epoS/vNv/oYHko2ikCctSKe3YYdbHkeJAw0Pc/Z3YgY=’ ‘sha256-+O2ipRXwzJA3moyVUlpx/DJ7tC1eZb+DguiU69D+/5U=’ ‘sha256-u9lIf2p6VVZD341mEomabtMasj8kYsFwFqQI9J4PlqQ=’ ‘sha256-rcwhFQGr3R6FqsuaMrf6QA0L3SHWE05tknztQzT294Q=’ ‘sha256-/kUSRQ31MroxIWNitEW1SQVrjOYZdQcf5diV9+dy/Qc=’ ‘sha256-fs+FtuRy1kdSiAsym6wcilPy+cwo2OKhdQmgNaEixRc=’ ‘sha256-VRgc7w1qz8Q/ZKVJyAbMpatZJTXuweZq5bIlpHMtGC0=’ ‘sha256-DIV1ZQLqF4axKBnbW6W6c5RUYs/VwoNftjI53TtlM40=’; object-src ‘self’
Expect-CT: max-age=604800, report-uri=“
feature-policy: accelerometer ‘none’; camera ‘none’; geolocation ‘none’; gyroscope ‘none’; magnetometer ‘none’; microphone ‘none’; payment ‘none’; usb ‘none’
Permissions-Policy: accelerometer ‘none’; camera ‘none’; geolocation ‘none’; gyroscope ‘none’; magnetometer ‘none’; microphone ‘none’; payment ‘none’; usb ‘none’
Pragma: no-cache
Referrer-Policy: strict-origin-when-cross-origin
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-Xss-Protection: 1; mode=block
Report-To: {“endpoints”:[{“url”:“"}],“group”:“cf-nel”,"max_age”:604800}
NEL: {“report_to”:“cf-nel”,“max_age”:604800}
Server: cloudflare

Now I did have a CSP plugin which I removed from my wordpress install… and I had this in my .htaccess which I removed:

Header set X-XSS-Protection "1; mode=block" Header set X-Frame-Options "deny" Header set X-Content-Type-Options "nosniff" Header always set Strict-Transport-Security "max-age=max-age=1000; includeSubDomains" Header set Content-Security-Policy "upgrade-insecure-requests" Header set Referrer-Policy "strict-origin-when-cross-origin" Header set Feature-Policy "accelerometer 'none'; camera 'none'; geolocation '*'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none" Header set Pragma "no-cache"

But they were there when I had the A+ rating… so im confused… only thing is do workers need to work off a cron now or something?

Any able to help me out a little? Im not sure what im doing but after being hacked I really want to get this sorted.

Thanks in advance you bunch of lovely people :slight_smile:

1 Like

Is this the security headers report you’re referring to?


Hey dude, yeah thats it :slight_smile:

OH MY FECK!!! I whitelisted security hears IPs lol i thought it could have been the firewall…

hmmm now to figure that piece out!

Thanks a million man!


fighter of the nightman… i could kiss you and shoot myself for such stupidity.

Really appreciate that dude!


This topic was automatically closed 24 hours after the last reply. New replies are no longer allowed.