Restricted default content security headers

Cloudflare set default content security headers and I am unable to change them with meta tags or the npm helmet package. The headers look like this:

  content-security-policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests

Is it possible to modify it in the Cloudflare dashboard? Because I need custom headers.

This sounds like a Pages project. Have you seen this?

I made _headers with this content:

/*
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Referrer-Policy: no-referrer
  Permissions-Policy: document-domain=()
  Content-Security-Policy: script-src 'self' "*.google.com" "*.privacypolicies.com" "*.googlesyncdication.com" "trusted-cdn.com" "ajax.cloudflare.com" "'unsafe-inline'"; img-src 'self' "*.campaignlive.co.uk" "*.cloudfront.net"; connect-src: 'self' "trusted-cdn.com" "ajax.cloudflare.com" "*.adservice.google.*" "*.google.com" "*.privacypolicies.com" "*.googlesyncdication.com"; img-src: 'self' 'data:'; '*.campaignlive.co.uk' '*.cloudfront.net' '*.googlesyncdication.com'; script-src-attr: 'self' "trusted-cdn.com"; style-src: 'self' "'unsafe-inline'""

but that doesn’t make any difference. I tried including the domain name before /*, but that doesn’t help either.

Firstly, are you using Cloudflare Pages? Otherwise creating a _headers will do nothing.

I tried creating a _headers file with this content and it works as expected.

/*
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Referrer-Policy: no-referrer
  Permissions-Policy: document-domain=()
  Content-Security-Policy: script-src 'self' "*.google.com" "*.privacypolicies.com" "*.googlesyncdication.com" "trusted-cdn.com" "ajax.cloudflare.com" "'unsafe-inline'"; img-src 'self' "*.campaignlive.co.uk" "*.cloudfront.net"; connect-src: 'self' "trusted-cdn.com" "ajax.cloudflare.com" "*.adservice.google.*" "*.google.com" "*.privacypolicies.com" "*.googlesyncdication.com"; img-src: 'self' 'data:'; '*.campaignlive.co.uk' '*.cloudfront.net' '*.googlesyncdication.com'; script-src-attr: 'self' "trusted-cdn.com"; style-src: 'self' "'unsafe-inline'""

No, I am not using cloudflare pages. So how can I modify that?

You’ll have to set the headers at your origin. I’d recommend you ask for help on Stack Exchange or Reddit as it is beyond the scope of this forum.

Figuring out why it doesn’t work would be a good starting point.

As I mentioned, I configure my headers at my origin correctly. So you say that Cloudflare does not interfere here? Because I believe that if I turned off Cloudflare my content security policy would be modified straight away.

From Using Content Security Policy (CSP) with Cloudflare:

Cloudflare’s CDN is compatible with CSP and does not modify CSP headers from the origin web server.

That’s what I’d try first. Pause Cloudflare in the dashboard and check if that changes anything.

Cloudflare will add certain headers to all requests through their proxy service, such as vary (for gzip and br support), cf-cache-status, expect-ct, cf-ray, server and alt-svc (for HTTP/3 and Opportunistic Onion support). There are a few other service-specific headers also.

Users can use the HSTS feature to add strict-transport-security and x-content-type-options.

Pages provides a new mechanism to add headers to Pages sites using an _headers instruction file.

All headers like CSP, CORS, COOP, X-XSS-Protection etc. must be added using code on your origin, via a Cloudflare Worker or using an App like Fortify, all of which you need to configure yourself.

I am unable to pause at the moment because that would shut down access to my website due to the configuration on Cloudflare, but maybe it’s enough to set it to development mode for now? Because in development mode the CSP still stays restricted.

You just tested this?

I’ve used CSP for years, always setting it in my NGINX or LiteSpeed server config, and it’s always come straight through.

What you’re seeing right now is quite a unique CSP. Are you sure something else in what’s generating your site isn’t adding these over what you’re trying to set?

Can you share the output of these two commands:

curl https://www.example.com/whatever-path-you-want-to-test --connect-to ::ORIGIN-IP --dump-header - -o /dev/null --silent
curl https://www.example.com/whatever-path-you-want-to-test --dump-header - -o /dev/null --silent

date: Tue, 02 Nov 2021 14:45:00 GMT
content-type: text/html; charset=utf-8
content-security-policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
x-permitted-cross-domain-policies: none
referrer-policy: no-referrer
x-xss-protection: 0
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=EnYgXkS1XsIFgkLQXrln4WlRfG5cX8yMzYsMho6Caoa21gHrYg5laJGNotQTwkkcWDW0%2BbnjeCrGm4dW6j5vQ3iNNn8dEY4u8iYjlePq7EQjaNdflWJSVVWoOk%2BQug1pSOlnt11RSuU%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 6a7e24c5cf2ad6dd-FRA
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400

Yes. I set my headers at the application level. Here is my HTTP server configuration:

  proxy_pass http://localhost:3338;
  proxy_http_version 1.1;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection 'upgrade';
  proxy_set_header Host $host;
  proxy_cache_bypass $http_upgrade;

It seems that something else generates these restricted headers because they are somehow unique. That is why I think it’s Cloudflare, because I don’t use any other third-party libraries. Or is my HTTP server configuration wrong?

I didn’t see results from the other command:
curl https://www.example.com/whatever-path-you-want-to-test --connect-to ::ORIGIN-IP --dump-header - -o /dev/null --silent

Also, would you happen to have any Apps activated in the Cloudflare Dashboard for your domain (last tab, I believe)?

curl https://www.example.com/whatever-path-you-want-to-test --connect-to ::ORIGIN-IP --dump-header - -o /dev/null --silent does not output anything. I am not using any app. And I just tested that Cloudflare sets up these headers for me. I set my custom headers in my HTTP server, but I ended up with two content-security-policy headers right now. The first one is the Cloudflare header, and the other is the one I set up in my HTTP server. How can I remove the Cloudflare CSP now?

HTTP/2 200
date: Tue, 02 Nov 2021 21:41:48 GMT
content-type: text/html; charset=utf-8
content-security-policy: default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests
content-security-policy: script-src 'self' .google.com *.privacypolicies.com *.googlesyncdication.com trusted-cdn.com ajax.cloudflare.com 'unsafe-inline';img-src 'self' *.campaignlive.co.uk *.cloudfront.net; connect-src 'self' trusted-cdn.com ajax.cloudflare.com *.adservice.google. *.google.com *.privacypolicies.com *.googlesyncdication.com; img-src 'self' data:; *.campaignlive.co.uk *.cloudfront.net *.googlesyncdication.com; script-src-attr 'self' trusted-cdn.com; style-src 'self' 'unsafe-inline';
x-dns-prefetch-control: off
expect-ct: max-age=0
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=15552000; includeSubDomains
x-download-options: noopen
x-content-type-options: nosniff
x-permitted-cross-domain-policies: none
referrer-policy: no-referrer
x-xss-protection: 0
cf-cache-status: DYNAMIC
report-to: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=1uKGLklUA7DwU9aIJgaLwlK29OLTi00tu%2BZALju0QtAhUuhPOSBZIYd%2F8Fmh4DiEYKJEeR5r3Q8egn4SIhc2MNk5WrjIn4pigkwFmhkJ4HKLptnfDFngNdkblmXdGS4j1wM%2F7uyhwBc%3D"}],"group":"cf-nel","max_age":604800}
nel: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
server: cloudflare
cf-ray: 6a8087580df7167e-DME
alt-svc: h3=":443"; ma=86400, h3-29=":443"; ma=86400, h3-28=":443"; ma=86400, h3-27=":443"; ma=86400
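An added example, not code from the thread, showing what the two Content-Security-Policy headers in that dump mean in practice: a browser enforces every CSP header independently, so the custom second policy cannot widen the strict first one. That first policy, together with x-dns-prefetch-control: off, x-download-options: noopen, x-permitted-cross-domain-policies: none and x-xss-protection: 0, is the exact default header set emitted by the helmet middleware named in the opening post (helmet 4.x), so the place to change it is the helmet configuration at the origin. The policy strings below are constructed copies, the second one cleaned of the stray quotes and colons in the posted version.

```javascript
// Added example, not code from the thread: parse Content-Security-Policy header
// values and check a URL against every policy a response carries. Browsers
// enforce each CSP header independently, so a load must be allowed by all of
// them; a permissive second policy cannot widen a strict first one.

function parseCsp(value) {
  const policy = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Host-source matching for the expression kinds that appear in this thread.
function sourceMatches(expr, url, selfOrigin) {
  const u = new URL(url);
  const origin = `${u.protocol}//${u.host}`;
  if (expr === "'self'") return origin === selfOrigin;
  if (expr.startsWith("'")) return false;               // 'none', 'unsafe-inline': never match a URL
  if (expr.endsWith(':')) return u.protocol === expr;    // scheme source such as https: or data:
  if (expr.startsWith('*.')) return u.hostname.endsWith(expr.slice(1));
  return u.hostname === expr || origin === expr;         // bare host or scheme://host
}

// Fetch directives (script-src, img-src, ...) fall back to default-src when absent.
function allowedByPolicy(policy, directive, url, selfOrigin) {
  const sources = policy[directive] || policy['default-src'];
  if (!sources) return true;                             // no directive at all: unrestricted
  return sources.some((e) => sourceMatches(e, url, selfOrigin));
}

// With several CSP headers every policy must allow the load.
function allowedByAll(headerValues, directive, url, selfOrigin) {
  return headerValues.map(parseCsp).every((p) => allowedByPolicy(p, directive, url, selfOrigin));
}

const SELF = 'https://www.example.com';
// First policy from the dump above, helmet 4's default (constructed copy).
const HELMET_DEFAULT = "default-src 'self';base-uri 'self';block-all-mixed-content;font-src 'self' https: data:;frame-ancestors 'self';img-src 'self' data:;object-src 'none';script-src 'self';script-src-attr 'none';style-src 'self' https: 'unsafe-inline';upgrade-insecure-requests";
// Second policy, the origin's custom CSP with the stray quotes and colons removed (constructed).
const CUSTOM = "script-src 'self' *.google.com ajax.cloudflare.com 'unsafe-inline'; img-src 'self' data: *.cloudfront.net; connect-src 'self' *.google.com";

function scriptAllowed(url) { return allowedByAll([HELMET_DEFAULT, CUSTOM], 'script-src', url, SELF); }
function imageAllowed(url) { return allowedByAll([HELMET_DEFAULT, CUSTOM], 'img-src', url, SELF); }

console.log(scriptAllowed('https://www.google.com/a.js'));   // false: the first policy only allows 'self'
console.log(scriptAllowed('https://www.example.com/app.js')); // true
```

Removing the helmet default (or passing your directives to helmet's contentSecurityPolicy option) leaves a single header, which is the only way the custom sources can take effect.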

At this point, all I can do is repeat what we’ve tried to say several times: our (myself and other Cloudflare customers) standard Cloudflare configurations do not alter CSP.

You’re going to have to ask Support to track down what is injecting this. You can email them at support AT cloudflare DOT com

As soon as you get the autoreply, please post the ticket # here so we can escalate this issue.

I am sorry for the inconvenience. [#2295171]

It’s not an inconvenience. It’s an interesting puzzle I’d love to hear the solution for.

I’ve escalated that ticket #. If someone comes on this morning, we’ll bring the ticket # to their attention.