Little worker help

Hi Guys,

I was reading this post about stopping cloudflare bypasses to origin server and I cant figure out why its not working…

My current worker:

let securityHeaders = {
  "Content-Security-Policy" : "upgrade-insecure-requests",
  "Strict-Transport-Security" : "max-age=1000",
  "X-Xss-Protection" : "1; mode=block",
  "X-Frame-Options" : "sameorigin",
  "X-Content-Type-Options" : "nosniff",
  "Referrer-Policy" : "strict-origin-when-cross-origin",
  "Feature-Policy": "accelerometer 'none'; camera 'none'; geolocation '*'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'"

let sanitiseHeaders = {
  "Server" : "bums",

let removeHeaders = [

async function addHeaders(req) {
  let response = await fetch(req)
  let newHdrs = new Headers(response.headers)

  if (newHdrs.has("Content-Type") && !newHdrs.get("Content-Type").includes("text/html")) {
        return new Response(response.body , {
            status: response.status,
            statusText: response.statusText,
            headers: newHdrs

  Object.keys(securityHeaders).map(function(name, index) {
    newHdrs.set(name, securityHeaders[name]);

  Object.keys(sanitiseHeaders).map(function(name, index) {
    newHdrs.set(name, sanitiseHeaders[name]);


  return new Response(response.body , {
    status: response.status,
    statusText: response.statusText,
    headers: newHdrs

in the article its saying to use this .htaccess rewrite:

# Route visitors not coming from Cloudflare to, well, Cloudflare
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	# Both the header and the value should be kept secret
	RewriteCond "%{HTTP:Secret-Header}" "!SeCrEt-kEy"
	# Uncomment and edit w/ IP of services such as certs, cron, Softaculous etc
	# RewriteCond "%{REMOTE_HOST}" "!^xxx\.xxx\.xxx\.xxx$"
	RewriteRule .* "accessdenied.php" [R,L]

and in the worker to add:

addEventListener('fetch', event => {

 * Send header to origin, allowing for
 * .htaccess to block requests
 * not coming from Cloudflare

async function handleRequest(request) {
  // Make the headers mutable by re-constructing the Request.
  request = new Request(request)
  request.headers.set('Secret-Header', 'SeCrEt-kEy')

  return await fetch(request)

but when I do this I get the /accessdenied.php redirect… instead of being directed to the site.

Im missing something about how to add the appropriate code into my current worker file.

Anyone able to help me out… I havent coded like this in over 10 years so totally lost :frowning:


I’m not a JS developer, but could it be that you are adding the secret header as response header, as opposed to request header? The secret header should be passed on from the edge (Cloudflare) to the origin, not to the visitor.

1 Like

Thanks man, yeah I followed your post which is brilliant by the way! Exactly what I needed as I stupidly put mx records up and instantly got hit a few thousand times.

So if I just use your code as is, it should work though right? Pretty sure I added it to another worker for the same domain and got blocked (as I added the firewall rule to block the redirect url)

Thanks for taking the time to respond, I have very much appreciate it!!

1 Like

You’re welcome!

If you use the code as I posted, it should work. I’m not familiar with how to mix different workers, though. It would be interesting to be able to merge that with one that adds headers on the “way back” to the visitor, as perhaps was your original intention.