Mod Security Header in htAccess not respected by Cloudflare

I am trying to implement the IfModule mod_headers settings for my website in the .htaccess file, not with a worker.

Header set Strict-Transport-Security: max-age=10886400
Header set X-Frame-Options "DENY"
Header set X-XSS-Protection "1; mode=block"
Header set X-Content-Type-Options "nosniff"

Evaluating the settings with, my site shows an “F”, meaning no settings are active for my site.
So I tried to set up a worker with code from Secure Web Application using HTTP Security Headers- Cloudflare Workers - SrcCodes, and the security headers settings are working fine. But as stated above, I’d like to have the setting in my .htaccess file.

Am I missing some initial setup or configuration on Cloudflare, or is the setting respected but just not showing in the security check, because a Cloudflare header is read by the security check and not the header of my website?

Is there a way to check if the settings are respected? I am thankful for any hint, or help…

Cloudflare passes through essentially all headers.

If you run the following against your origin, what do you see:

curl --dump-header - --silent -o /dev/null --connect-to ::Origin-IP-Here https://your-server-name/whatever
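
An added example (not from the thread or from Cloudflare): a shell helper that takes two saved header dumps, one from the origin using the curl command above and one fetched through Cloudflare, and reports for each of the four headers in the question whether it is already missing at the origin or lost afterwards. The function names, verdict strings and sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Added example: locate where a security header is lost, given two header
# dumps saved from `curl --dump-header -` (origin and via the proxy).

# The four headers set in the .htaccess from the question (lower-cased).
REQUIRED="strict-transport-security x-frame-options x-xss-protection x-content-type-options"

# has_header NAME DUMP: succeeds if DUMP contains response header NAME.
# Header names are case-insensitive and curl output uses CRLF line endings.
has_header() {
  printf '%s\n' "$2" | tr -d '\r' | grep -qi -- "^$1:"
}

# diagnose ORIGIN_DUMP EDGE_DUMP: prints one "header: verdict" line per header.
diagnose() {
  for h in $REQUIRED; do
    if ! has_header "$h" "$1"; then
      # Apache never sent it: check mod_headers and AllowOverride on the origin.
      echo "$h: missing-at-origin"
    elif ! has_header "$h" "$2"; then
      # Origin sent it but the proxied response lacks it.
      echo "$h: absent-at-edge"
    else
      echo "$h: ok"
    fi
  done
}

# Constructed sample dumps (not output from the thread).
ORIGIN_SAMPLE=$(printf 'HTTP/1.1 200 OK\r\nServer: Apache\r\nX-Frame-Options: DENY\r\nContent-Type: text/html\r\n')
EDGE_SAMPLE=$(printf 'HTTP/2 200\r\nserver: cloudflare\r\nx-frame-options: DENY\r\ncontent-type: text/html\r\n')

diagnose "$ORIGIN_SAMPLE" "$EDGE_SAMPLE"
```

A result of `missing-at-origin` for every header matches the outcome reported later in this thread: the directives never took effect on the Apache side, so there was nothing for Cloudflare to pass through.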


…great, thanks! Didn’t think to curl in the first place. It seems my Mod Security Header settings aren’t active at all and there’s some misconfiguration.

