Security findings - can these get fixed on Cloudflare?

A recent security scan reveiled the following findings and I would like to ask if any or all can be resolved on Cloudflare:

• HTML Security Issues:
Problems detected in the web page HTML. - Do not use any HTTP resources over HTTPS

• Ineffective headers: X-Frame-Options:
The implementation of these header(s) do not follow security best practices. - Ensure your headers are implemented correctly, as outlined in http_s://tools.ietf.org/html/rfc7231. Your headers should not permit caching of encrypted content. They should also have specific permissions (as opposed to using wildcards or other generalizations) and be formatted properly

• Missing required headers:
One or more required security headers are not set. - Ensure your policy correctly implements the required headers. Refer to the http_s://help.bitsighttech.com/hc/en-us/articles/360008632054

You can add/modify response headers using Transform Rules. You can build the rule yourself OR try the “Managed Transforms” → “Add security headers” option but it might not be exactly what you want.

For the first thing, you really need to fix your HTML, try searching your pages for src="http:, verify that the resources are actually available via HTTPS and then update the source.

You can try using the “Automatic HTTPS Rewrites” option which does basically the same thing but on-the-fly every time the page loads. Instead of “fixing” on every page load, though, why not just fix your HTML and be done with it forever?

1 Like