Security headers are missing

Hi,

I get a security score of F on the WebPageTest site, which says: The following security headers are missing from the website:

Strict Transport Security

X Content Type Options

X Frame Options

Content Security Policy

X XSS Protection

If I click on the Enable HSTS button under Edge Certificates / SSL/TLS, will that take care of them? Does it also help with speed or performance optimization? Please advise.

HSTS will only fix the first one. The others need to be set up at your server.

Or…you can add a Cloudflare Worker to do this, but Workers cost $5/month and are charged by usage.

https://scotthelme.co.uk/security-headers-cloudflare-worker/
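A Worker of the kind suggested in this reply, as an added example that is not from the original thread or from the linked article; the header values, the placeholder CSP and the function names are assumptions to tune for the site in question:

```javascript
// Added example (not the original poster's code, nor Scott Helme's worker from
// the linked article): a Cloudflare Worker that adds the five headers WebPageTest
// flagged, plus a checker that reports which ones a response still lacks.

// Starting values; every one of these is an assumption to tune for the site.
// Cloudflare's HSTS toggle only sets Strict-Transport-Security, so it is kept
// here for sites that don't enable it at the edge (existing values are never
// overridden).
const SECURITY_HEADERS = {
  // 30 days, the minimum the dashboard offers; only add includeSubDomains /
  // preload once HTTPS works on the origin, because HSTS cannot be undone early.
  "Strict-Transport-Security": "max-age=2592000",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "SAMEORIGIN",
  // Placeholder CSP: a real policy must list the site's script/style sources,
  // otherwise it breaks the page. Content-Security-Policy-Report-Only is the
  // safe way to trial one.
  "Content-Security-Policy": "default-src 'self'; frame-ancestors 'self'",
  // Legacy header; "0" disables the old browser XSS auditor (the current
  // recommendation) while still satisfying scanners that expect it present.
  "X-XSS-Protection": "0",
};

// Report which of the expected headers a response lacks (what WebPageTest checks).
function missingSecurityHeaders(headers) {
  return Object.keys(SECURITY_HEADERS).filter((name) => !headers.has(name));
}

// Merge the policy into a Headers object without overriding anything the
// origin already sets, so a stricter origin policy wins.
function applySecurityHeaders(headers) {
  for (const name of missingSecurityHeaders(headers)) {
    headers.set(name, SECURITY_HEADERS[name]);
  }
  return headers;
}

async function handleRequest(request) {
  const originResponse = await fetch(request);
  // Headers on a fetched Response are immutable; rebuild a mutable copy.
  const response = new Response(originResponse.body, originResponse);
  applySecurityHeaders(response.headers);
  return response;
}

// Service Worker syntax; the guard lets the helpers load outside a Worker runtime.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => event.respondWith(handleRequest(event.request)));
}
```

Running `missingSecurityHeaders` against a response fetched from the origin shows what the scanner will still complain about before the Worker is deployed.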

Thank you, sdayman. I will enable HSTS and check more info about the other three.


I just want to make sure before committing to HSTS, because the note is kind of intimidating. If I enable it, can I turn it off for some reason? I sometimes need to pause Cloudflare to check for plugin conflicts; in that case, do I need to turn HSTS off first, then pause?

I strongly suggest that you not use HSTS if your origin web server does not have its own TLS/SSL certificate for your domain. The minimum setting is 1 month, so if you don’t have HTTPS working on your site at any point, it will take a month for any return visitors to be able to view your site without HTTPS.

OK, I think my origin server has an SSL certificate, but I'll think about HSTS for now.

