Security Headers Cloudflare Worker

I run which is a free tool to check the HTTP response headers set by a site and grade them based on their security. To allow you to easily set these headers I created the Security Headers Cloudflare Worker!

The worker is really easy to set up and use; you can find more information in my blog post:

Please let me know if you have any questions!


Reminds me of something I did a while ago:


Hi @Scott_Helme, great seeing you here!

I would like to simply point out that in the blog post you are supposing that users are able to add multiple Worker scripts, but that is not the case. Only those who have the Enterprise plan do, all others have a single script allowed. It would be great if that was corrected. In case you need any help (I doubt that, but you might never know) just ask!

PS: love the Weekly Updates (and the various blog posts) you do together with @troyhunt and the Report URI service!


Hi @Scott_Helme, excellent blog for getting started on Cloudflare Workers, thanks!

I am trying to make a simple worker that adds a single header to the response. It works for me in the test/preview window: I see the extra header. But after saving it and waiting a few mins, my production endpoint doesn’t show the new header. Is there something I need to do to make it live? The DNS entry is “orange-clouded” in Cloudflare.

Thanks again,

Do you really suggest that people use upgrade-insecure-requests for CSP? Any tool I evaluate such a CSP header with gives a negative result.

That should be all you need to do. If it works in the test window you really should be good to go!

I’m not sure what you mean by a ‘negative result’, could you explain?

I would recommend any site that serves content over HTTPS to use upgrade-insecure-requests.


If I use upgrade-insecure-requests for CSP as your Worker uses, Mozilla’s Observatory says:

Content Security Policy (CSP) implemented unsafely.

This includes ‘unsafe-inline’ or data: inside script-src, overly broad sources such as https: inside object-src or script-src, or not restricting the sources for object-src or script-src.

In fact, upgrade-insecure-requests only gets 3 of the possible checkmarks for CSP with Mozilla:

Hence my question: do you suggest using upgrade-insecure-requests for CSP, or implementing something more strict (with the risk of breaking things), as Mozilla wants us to do?


I see what they’re saying with that warning, you could go further with CSP and restrict things like script-src and object-src too. That said, having UIR is better than not having it!
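The difference discussed in the exchange above, as an added example that is not part of the thread or of the Security Headers worker itself: a simplified check, modelled on the Observatory warning text quoted earlier, applied to an upgrade-insecure-requests-only policy and to a stricter one, plus a minimal Worker that sets the header. The function names, the source lists in the stricter policy and the extra X-Content-Type-Options header are assumptions.

```javascript
// Added example; policy values and names are assumptions, not the worker's own.
const UIR_ONLY = "upgrade-insecure-requests";
const STRICTER = "default-src 'self'; script-src 'self'; object-src 'none'; upgrade-insecure-requests";

// Parse a CSP string into a Map of directive name -> list of source tokens.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Simplified check modelled on the warning text quoted in the thread.
// script-src and object-src fall back to default-src when absent.
function auditCsp(policy) {
  const d = parseCsp(policy);
  const findings = [];
  for (const name of ["script-src", "object-src"]) {
    const sources = d.get(name) ?? d.get("default-src");
    if (sources === undefined) { findings.push(`${name} not restricted`); continue; }
    const lower = sources.map((s) => s.toLowerCase());
    if (lower.includes("https:") || lower.includes("*")) findings.push(`${name} overly broad`);
    if (name === "script-src" &&
        (lower.includes("'unsafe-inline'") || lower.includes("data:"))) {
      findings.push("script-src allows 'unsafe-inline' or data:");
    }
  }
  return { upgradesInsecureRequests: d.has("upgrade-insecure-requests"), findings };
}

// Copy the origin response so its headers are mutable, then set the policy.
function withSecurityHeaders(response, csp) {
  const hardened = new Response(response.body, response);
  hardened.headers.set("Content-Security-Policy", csp);
  hardened.headers.set("X-Content-Type-Options", "nosniff");
  return hardened;
}

// Worker entry point (service-worker syntax); skipped when run outside a Worker.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => event.respondWith(
    fetch(event.request).then((r) => withSecurityHeaders(r, UIR_ONLY))));
}
```

Swapping `UIR_ONLY` for `STRICTER` in the entry point is the "go further" step; a restrictive policy is usually trialled with the `Content-Security-Policy-Report-Only` header first so breakage shows up in reports rather than for visitors.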


For an up-to-date policy with explanations of meanings of certain headers as well as linked-to resources, see: