Manage HTTP headers

Hi all,
Around April 2020, I’ve set HTTP headers on my website and I’m almost sure I did it via CF … but today I can’t retrieve how. And all searches made drive me to “cf workers”, which I do not rely on.

I’ve set these:
• strict-transport-security: max-age=16000000
• x-frame-options: DENY
for https://www.alzheimer-research.eu

I’ve checked .htaccess but nothing …
Maybe someone could help me, thanks in advance
Regards, charles

You can manage the Strict-Transport-Security header here:
https://dash.cloudflare.com/?to=/:account/:zone/ssl-tls/edge-certificates

However, that max-age does not look like one of the options available in the Cloudflare dashboard, so it is probably being set elsewhere.

There are also some apps (like Fortify) that can manage headers. You can manage your Cloudflare apps here: https://dash.cloudflare.com/?to=/:account/:zone/apps

If you have not used the HSTS setting in the dashboard, and have no apps or Workers running, then this is coming from your origin. You can confirm by running a command like the following, replacing the IP Address with the IP address of your origin.

curl https://www.alzheimer-research.eu --dump-header - -o /dev/null --resolve www.alzheimer-research.eu:443:**OriginIPAddress**

If you are using SSL Flexible (not recommended) then the command will look like this:
curl http://www.alzheimer-research.eu --dump-header - -o /dev/null --resolve www.alzheimer-research.eu:80:**OriginIPAddress**
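
As an added example, not part of the original replies: the origin check above, scripted so that each header from the first post is attributed either to the origin or to something in front of it (dashboard setting, app or Worker). The function names, the classification labels and the sample header dumps are assumptions constructed for illustration.

```shell
# Print the value of header $1 (case-insensitive) from a raw header dump on stdin.
header_value() {
    awk -v want="$1" '
        BEGIN { want = tolower(want) }
        {
            sub(/\r$/, "")                    # curl dumps use CRLF line endings
            i = index($0, ":")
            if (i == 0) next                  # status line or blank line
            if (tolower(substr($0, 1, i - 1)) != want) next
            val = substr($0, i + 1); sub(/^[ \t]+/, "", val)
            print val; exit
        }'
}

# classify NAME EDGE_DUMP ORIGIN_DUMP: say where header NAME is being set.
classify() {
    edge=$(printf '%s\n' "$2" | header_value "$1")
    origin=$(printf '%s\n' "$3" | header_value "$1")
    if [ -z "$edge" ] && [ -z "$origin" ]; then echo "absent"
    elif [ -z "$origin" ]; then echo "added-after-origin"
    elif [ -z "$edge" ]; then echo "removed-after-origin"
    elif [ "$edge" = "$origin" ]; then echo "origin"
    else echo "origin-then-modified"
    fi
}

# Live use, e.g. compare_live www.example.com 203.0.113.10 (placeholder values):
# one request through normal DNS, one pinned to the origin with --resolve.
compare_live() {
    edge_dump=$(curl -s "https://$1" --dump-header - -o /dev/null)
    origin_dump=$(curl -s "https://$1" --dump-header - -o /dev/null --resolve "$1:443:$2")
    for h in strict-transport-security x-frame-options; do
        printf '%s: %s\n' "$h" "$(classify "$h" "$edge_dump" "$origin_dump")"
    done
}

# Constructed sample dumps (not captured from any real site).
SAMPLE_EDGE='HTTP/2 200
server: cloudflare
strict-transport-security: max-age=16000000
x-frame-options: DENY
x-content-type-options: nosniff'
SAMPLE_ORIGIN='HTTP/1.1 200 OK
Server: Apache
Strict-Transport-Security: max-age=16000000
X-Frame-Options: DENY'

for h in strict-transport-security x-frame-options x-content-type-options; do
    printf '%s: %s\n' "$h" "$(classify "$h" "$SAMPLE_EDGE" "$SAMPLE_ORIGIN")"
done
```

A result of `origin` means the header is already present when the origin is contacted directly, so the place to look is the web server or application configuration rather than the Cloudflare dashboard.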

Thanks a lot for your quick reply Michael.
You are totally right and your command line enlightened me … I’ve now found where this is set up.

Thanks for your time.
