Like this picture.
I’m not very familiar with Managed Transforms.
Like if I turn it all the way up, will my website be better?
Is it more secure?
Please guide me, thank you.
You can see what each one does here:
The HTTP Response headers options aren’t a bad idea in my opinion, as long as they don’t break your application. "Add Security Headers" adds a few sane security defaults to prevent XSS attacks and such. Removing the "x-powered-by" header reduces a bit of information attackers could get if your origin responds with the header.
The HTTP Request Header options, however, are mostly things you’d only want for specific use cases. Removing Visitor IPs generally isn’t what you want, and could prevent your web server/logs from getting the User’s real IP. Visitor Location headers are only useful if your origin/web server actually uses them. TLS Client Auth headers are only useful if you use mTLS (unlikely). They’re helpful things for specific purposes if you know you need them.
If your goal is security, one of the most important things you can do to ensure security is make sure your SSL/TLS Mode is Full (Strict). You can find it in your Cloudflare dashboard, under Websites, select your website, and then SSL/TLS → Overview. Only Full (Strict) is secure.
Once you do that, you can take other steps to secure your origin, such as allowlisting only Cloudflare IPs:
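Added example, not part of the original reply: a sketch of how an origin can combine the two points above, trusting the visitor IP header only when the TCP peer is inside the allowlisted Cloudflare ranges. It assumes the origin reads the `CF-Connecting-IP` request header; the ranges and requests are constructed placeholders, and `from_edge` and `classify` are hypothetical names.

```python
import ipaddress

# Constructed stand-in ranges (documentation prefixes). In production, load the
# current IPv4 and IPv6 ranges that Cloudflare publishes and keep them updated.
EDGE_RANGES = [ipaddress.ip_network(n)
               for n in ("198.51.100.0/24", "2001:db8:cf::/48")]

# Constructed sample: (TCP peer address, request headers as seen by the origin).
SAMPLE_REQUESTS = [
    ("198.51.100.7", {"CF-Connecting-IP": "203.0.113.50"}),  # proxied request
    ("192.0.2.99", {"CF-Connecting-IP": "203.0.113.50"}),    # direct hit, header forged
    ("198.51.100.8", {}),                                    # proxied, visitor IP removed
    ("2001:db8:cf::1", {"cf-connecting-ip": "not-an-ip"}),   # proxied, malformed value
]


def from_edge(peer, ranges=EDGE_RANGES):
    """True when the TCP peer address falls inside an allowlisted range."""
    addr = ipaddress.ip_address(peer)
    return any(addr in net for net in ranges)


def classify(peer, headers, ranges=EDGE_RANGES):
    """Return (verdict, address_to_log) for one request reaching the origin."""
    if not from_edge(peer, ranges):
        # Anyone can send CF-Connecting-IP directly to the origin, so the
        # header is ignored here; log the real peer and refuse the request.
        return ("bypass", peer)
    lowered = {k.lower(): v for k, v in headers.items()}
    value = lowered.get("cf-connecting-ip")
    if value is None:
        # What the origin sees once visitor IP headers are removed upstream:
        # only the proxy address is left for the access log.
        return ("edge-no-visitor-ip", peer)
    try:
        return ("edge", str(ipaddress.ip_address(value.strip())))
    except ValueError:
        return ("edge-bad-header", peer)


if __name__ == "__main__":
    for peer, headers in SAMPLE_REQUESTS:
        print(peer, classify(peer, headers))
```
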
Thank you very much.