Internal scan not seeing header response set in IIS after Cloudflare implementation

We have an internal security scan that checks the valid headers we have set in IIS. If I run this through Access we do not see the results. If I remove Access service we see the proper values. Is there any way to make sure the headers set on the origin server in IIS present themselves when Access is added. the application owners get emails daily that the application is non-compliant daily, but we need Access for MFA.

without Access enabled

with access enabled

Maybe @SamRhea can take a look at it?

Hi @heath.a.knox - have you given your scanner a way to pass Cloudflare Access? Looks like it’s getting blocked by Access; you could provide it with a service token or bypass its IP if known for the test.

1 Like

I was able to get the worker working for headers, but now we are seeing cookies that are missing some values. We’d like to update the cookie in a worker and have that override the cookies from the origin. Below are the cookies we need to ADD the values at the end of the line in a worker

JSESSIONID=9E038B36D2C5F0757A086B55E5595A0B; Path=/; HttpOnly ADD-Secure

ApplicationGatewayAffinity=dcec2995d01b66c910bb7656957055c4bbea8f3f774649508c450938f74a3cfb;Path=/; ADD-HttpOnly

ApplicationGatewayAffinity=dcec2995d01b66c910bb7656957055c4bbea8f3f774649508c450938f74a3cfb;Path=/; ADD-Secure

ApplicationGatewayAffinityCORS=dcec2995d01b66c910bb7656957055c4bbea8f3f774649508c450938f74a3cfb;Path=/;;SameSite=None;Secure ADD-HttpOnly

That would be much simpler to do on your Origin server, but is possible in Workers. A starting point is the Alter Headers worker example.

Hello Michael,

I’m really a novice on this so I’m not sure where to actually add the cookie details. Does it matter?

async function handleRequest(request) { // Make the headers mutable by re-constructing the Request. request = new Request(request) request.headers.set(“x-my-header”, “custom value”) const URL = “

// URL is set up to respond with dummy HTML let response = await fetch(URL, request)

// Make the headers mutable by re-constructing the Response. response = new Response(response.body, response) response.headers.set(“x-my-header”, “custom value”) return response}

addEventListener(“fetch”, event => { event.respondWith(handleRequest(event.request))})


This topic was automatically closed after 30 days. New replies are no longer allowed.