HTTP header stripping


#1

Hi,

I’d really like to see CloudFlare support HTTP header stripping so that any headers generating by applications that the local systems administrator cannot (or has not!) removed, can be unset by CloudFlare. Something similar to Apache’s “unset header” or nginx’s add_header/proxy_hide_header/etc.

I’m noticing many sites - including those hosted with CloudFlare exposing versions of the application, OS and/or application language along with custom headers that I don’t think should be exposed. Granted, this is something that should be dealt with at the origin, but having it handled at the edge would be cool. Maybe have some presets so that customers can strip away some of the more common headers.

Thanks,

Martyn


#2

Have you seen this?

https://scotthelme.co.uk/security-headers-cloudflare-worker/