I try to implement the IfModule mod_headers for my website in the .htAccess file not with a worker.
Header set Strict-Transport-Security: max-age=10886400
Header set X-Frame-Options "DENY“
Header set X-XSS-Protection “1; mode=block”
Header set X-Content-Type-Options “nosniff”
Evaluating the settings with https://securityheaders.com/, my site shows an “F”, meaning no settings are active for my site.
So I tried to set up a worker with code from Secure Web Application using HTTP Security Headers- Cloudflare Workers - SrcCodes, and the security headers settings are working fine. But as stated above, I’d like to have the setting in my .htaccess file.
Am I missing some initial setup or configuration on Cloudflare, or is the setting respected, but just not showing in the security check, cause a Cloudflare header is read by the security check and not the header of my website.
Is there a way to check if the settings are respected? I am thankful for any hint, or help…