Security Headers don't persist on cached pages

We have X-Frame-Options and Content-Security-Policy headers configured on our nginx server on our WordPress hosted site. We also have the Cloudflare WordPress plugin enabled with APO and Rocket Loader.

Our cached page shows without the CSP or X-Frame-Options set to deny.

The non-cached version of the page shows both response headers.

Does anyone know why the security headers aren’t persisting from our nginx server?

Good question. I see you’re using APO, so maybe @yevgen knows why those headers didn’t get stored with the cached version.

In the meantime, you can try a Transform Rule for Response headers and add them there as well.

We don’t perform any type of headers filtering on APO side. Is there a chance the response was cached before the security headers were added?

Thanks for the responses. I don’t think so. The headers are added by the WordPress server. Do you know how I would check?

Do a Purge Everything in your cache here so Cloudflare fetches a fresh copy. Something newer than the 110,000 seconds that resource has been sitting in cache.

I did a purge everything with the same result.

Cache HIT

You’ll see that the cached version is still not sending over the security headers.
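The comparison being done by hand in this thread (headers on a cache HIT versus a fresh fetch) is easy to script. The following is an added example, not code from any post or from Cloudflare; the two raw header blocks are constructed samples for a hypothetical site, and in practice you would capture them with `curl -sI` against the same URL, once normally and once right after a Purge Everything, then pass both to `compare_security_headers()`.

```python
"""Compare security headers between a cached (HIT) and a fresh (MISS) response.

Added example, not from the thread. The header blocks below are constructed
samples; replace them with real `curl -sI` output for the URL under test.
"""
from __future__ import annotations

# Headers a hardened origin is expected to send on HTML responses.
# The thread is about the first two; the rest are common companions.
SECURITY_HEADERS = (
    "content-security-policy",
    "x-frame-options",
    "strict-transport-security",
    "x-content-type-options",
    "referrer-policy",
)

# Constructed sample: what the origin (via Cloudflare, cache MISS) returns.
FRESH_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
CF-Cache-Status: MISS
X-Frame-Options: DENY
Content-Security-Policy: default-src 'self'
Server: cloudflare
"""

# Constructed sample: the same URL served from cache, security headers absent.
CACHED_RESPONSE = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
CF-Cache-Status: HIT
Age: 110000
Server: cloudflare
"""


def parse_headers(raw: str) -> dict[str, str]:
    """Parse a raw HTTP/1.1 header block into a dict keyed by lowercase name.

    The status line is skipped; repeated header names (e.g. Set-Cookie) are
    joined with ', ' so no value is silently dropped.
    """
    headers: dict[str, str] = {}
    lines = raw.strip().splitlines()
    for line in lines[1:]:
        if not line.strip():
            continue
        name, _, value = line.partition(":")
        key = name.strip().lower()
        value = value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


def compare_security_headers(fresh_raw: str, cached_raw: str) -> dict:
    """Report which security headers the cached response lacks or alters.

    'missing_on_cached' points at the cache layer (origin sends them, edge
    does not); 'missing_on_both' points at the origin configuration itself.
    """
    fresh = parse_headers(fresh_raw)
    cached = parse_headers(cached_raw)
    report: dict = {
        "fresh_cache_status": fresh.get("cf-cache-status", "n/a"),
        "cached_cache_status": cached.get("cf-cache-status", "n/a"),
        "missing_on_cached": [],
        "missing_on_both": [],
        "changed": {},
    }
    for name in SECURITY_HEADERS:
        in_fresh, in_cached = name in fresh, name in cached
        if in_fresh and not in_cached:
            report["missing_on_cached"].append(name)
        elif not in_fresh and not in_cached:
            report["missing_on_both"].append(name)
        elif in_fresh and in_cached and fresh[name] != cached[name]:
            report["changed"][name] = (fresh[name], cached[name])
    return report


if __name__ == "__main__":
    result = compare_security_headers(FRESH_RESPONSE, CACHED_RESPONSE)
    print(f"fresh:  CF-Cache-Status={result['fresh_cache_status']}")
    print(f"cached: CF-Cache-Status={result['cached_cache_status']}")
    for header in result["missing_on_cached"]:
        print(f"  dropped by cache layer: {header}")
    for header in result["missing_on_both"]:
        print(f"  never set by origin:    {header}")
    for header, (old, new) in result["changed"].items():
        print(f"  value changed:          {header}: {old!r} -> {new!r}")
```

Reading the report: headers listed under `missing_on_cached` were sent by nginx but are not present on the HIT, which is the situation described above and the case where adding them at the edge (a Response Header Transform Rule) makes them independent of what was stored; headers under `missing_on_both` mean the origin is not setting them for that URL at all, so purging the cache will not help.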

How exactly are they added?

Personally, I add all those here:

