My site, when tested on securityheaders.com, gets a C rating; it lacks Strict-Transport-Security, Content-Security-Policy and X-Content-Type-Options. How do I implement these missing security headers on my Blogger site with the help of Cloudflare?
You can do that with https://dash.cloudflare.com/?to=/:account/:zone/rules/transform-rules
Make one under Modify Response Headers and you can add the headers that you need.
There are 4 tabs; which one should I go for? And is there any online resource which provides security header names with proper values that I can implement?
You want the Modify Response headers tab. For headers, you can see HTTP Headers - OWASP Cheat Sheet Series as well as the ones missing from your scan. I would recommend checking the application that you are running as to what the best values for headers are.
When I add the Strict-Transport-Security header, Under Attack mode gets disabled. Currently my website is under DDoS attack. Is there any way to add the Strict-Transport-Security header without disabling Under Attack mode?
I have never seen that behavior before, and you should be able to have both. I guess try making the header then re-enabling under attack mode.
I have one custom firewall rule with the HTTP version set as per malicious bot requests, which takes the action of Managed Challenge. Is that affecting Under Attack mode? Or should I disable this custom rule?
As far as I am aware, nothing should be affecting under attack mode.
Yeah, it worked. Thanks a lot. I am just unsure about the Content-Security-Policy value, and it's the last one that is to be added.
Thanks for your support. Security headers are now added properly.
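
To confirm that the three headers from the scan are present and carry sensible values after a Modify Response Header rule is deployed, a response head can be audited offline. This is an added example, not part of the original posts; the function names, the one-year `max-age` threshold and the sample responses are assumptions constructed for illustration.

```python
import re

# Headers the scan in the thread reported as missing.
REQUIRED = ("strict-transport-security", "content-security-policy",
            "x-content-type-options")
MIN_HSTS_AGE = 31536000  # one year; assumed threshold, tune to your own policy

def parse_headers(raw):
    """Map lowercased header names to value lists from a raw response head."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:      # [1:] skips the status line
        if not line.strip():                       # blank line ends the head
            break
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return a list of findings; an empty list means all checks pass."""
    h = parse_headers(raw)
    findings = [f"missing {name}" for name in REQUIRED if name not in h]
    hsts = h.get("strict-transport-security")
    if hsts:
        m = re.search(r"max-age\s*=\s*\"?(\d+)", hsts[0], re.I)
        if not m or int(m.group(1)) < MIN_HSTS_AGE:
            findings.append("weak strict-transport-security max-age")
    xcto = h.get("x-content-type-options")
    if xcto and xcto[0].lower() != "nosniff":      # nosniff is the only valid value
        findings.append("x-content-type-options is not nosniff")
    csp = h.get("content-security-policy")
    if csp:
        # Split "directive src src; directive src" into {directive: [sources]}.
        d = {p.split()[0].lower(): p.split()[1:] for p in csp[0].split(";") if p.strip()}
        scripts = d.get("script-src", d.get("default-src"))  # script-src falls back to default-src
        if scripts is None:
            findings.append("content-security-policy does not restrict scripts")
        elif "'unsafe-inline'" in scripts:
            findings.append("content-security-policy allows 'unsafe-inline' scripts")
    return findings

# Constructed sample responses (not captured from any real site).
BEFORE = "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nServer: cloudflare\r\n\r\n"
AFTER = ("HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
         "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
         "X-Content-Type-Options: nosniff\r\n"
         "Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'\r\n\r\n")

if __name__ == "__main__":
    for label, raw in (("before", BEFORE), ("after", AFTER)):
        print(label, audit(raw) or "ok")
```

To check a live site, paste the head of the response as shown by the browser's developer tools or an HTTP client into `audit()`.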