Manage HTTP headers

Hi all,
around April 2020, i’ve set HTTP Hears on my website and i’m almost sure i did it via CF … but today i can’t retrieve how. And all searches made drive me to “cf workers”, which i do not rely on.

I’ve set these :
• strict-transport-security: max-age=16000000
• x-frame-options: DENY

I’ve checked .htaccess but nothing …
Maybe some one could help me, thanks by advance
Regards, charles

You can manage the Strict-Transport-Security header here:

However, that max-age does not look like one of the options available in the Cloudflare dashboard, so it is probably being set elsewhere.

There are also some apps (like Fortify) that can manage headers. You can manage your Cloudflare apps here:

If you have not used the HSTS setting in the dashboard, and have no apps or Workers running, then this is coming from your origin. You can confirm by running a command like the following, replacing the IP Address with the IP address of your origin.

curl --dump-header - -o /dev/null --resolve**OriginIPAddress**

If you are using SSL Flexible (not recommended) then the command will look like this:
curl --dump-header - -o /dev/null --resolve**OriginIPAddress**

Thanks a lot for your quick reply Michael.
Are are totally right and your command line enlightened me … i’ve now found where this is setup.

Thanks for your time.

This topic was automatically closed after 14 days. New replies are no longer allowed.