I have added the security headers to the Workers service and routed it to one of the domains. The issue is that the security headers only appear for https://scanningpens.com.au and not for https://www.scanningpens.com.au. They should be reflected under https://www.scanningpens.com.au. Is there any workaround in Cloudflare to do this?
How did you add the headers onto the Worker?
It’s hard to guess why it only acts on a single domain without knowing which method you used.
Hi,
The code that I used was:

// Headers to set on every HTML response (HSTS max-age=2592000 is 30 days)
let DEFAULT_SECURITY_HEADERS = {
    "Content-Security-Policy" : "upgrade-insecure-requests",
    "Strict-Transport-Security" : "max-age=2592000",
    "X-Xss-Protection" : "1; mode=block",
    "X-Frame-Options" : "DENY",
    "X-Content-Type-Options" : "nosniff",
    "Referrer-Policy" : "strict-origin-when-cross-origin",
    "permissions-policy": "geolocation=(self \"https://www.scanningpens.com.au\"), microphone=()",
}

// Headers to strip from the origin response before it reaches the browser
let BLOCKED_HEADERS = [
    "Public-Key-Pins",
    "X-Powered-By",
    "X-AspNet-Version",
]

addEventListener('fetch', event => {
    event.respondWith(addHeaders(event.request))
})

async function addHeaders(req) {
    let response = await fetch(req)
    let newHeaders = new Headers(response.headers)
    // Only HTML responses get the security headers: anything with a
    // non-HTML Content-Type is passed through unchanged.
    if (newHeaders.has("Content-Type") && !newHeaders.get("Content-Type").includes("text/html")) {
        return new Response(response.body, {
            status: response.status,
            statusText: response.statusText,
            headers: newHeaders
        })
    }
    // Set (overwriting any origin value) each security header, then drop the blocked ones
    Object.keys(DEFAULT_SECURITY_HEADERS).forEach(function (name) {
        newHeaders.set(name, DEFAULT_SECURITY_HEADERS[name]);
    })
    BLOCKED_HEADERS.forEach(function (name) {
        newHeaders.delete(name)
    })
    return new Response(response.body, {
        status: response.status,
        statusText: response.statusText,
        headers: newHeaders
    })
}
I am not sure if it acts for only a single domain.
The route that I added was scanningpens.com.au/*
I added the code through Workers services: I made a new service and added the code I sent.
That route won't match www. Add another specifically for www.scanningpens.com.au/*
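To make the route-matching point concrete, here is an added example (my own code, not from the original thread and not Cloudflare's implementation) that models how a Workers route pattern is matched against a request URL: the host part matches exactly unless the pattern host starts with a `*` (then it is a suffix match, so `*.example.com` covers subdomains only and `*example.com` also covers the apex), and a path ending in `*` is a prefix match. The function names and the simplified rules are my assumptions; note that no code check can show the other half of the problem in this thread, which is that a DNS-only record never reaches a Worker at all.

```javascript
// Added example: a simplified model of Cloudflare Workers route matching.
// Assumptions (not Cloudflare's own code): a pattern is "host/path", the host
// matches exactly unless it starts with "*" (suffix match), and a path ending
// in "*" is a prefix match. Scheme and query string are ignored.
function parseRoute(pattern) {
  const slash = pattern.indexOf("/");
  const host = (slash === -1 ? pattern : pattern.slice(0, slash)).toLowerCase();
  const path = slash === -1 ? "/" : pattern.slice(slash);
  return { host, path };
}

function hostMatches(patternHost, hostname) {
  if (patternHost.startsWith("*")) {
    // "*.example.com" matches subdomains only; "*example.com" also matches the apex
    return hostname.endsWith(patternHost.slice(1));
  }
  // No wildcard: the hostname must match exactly, so "scanningpens.com.au"
  // does not cover "www.scanningpens.com.au"
  return patternHost === hostname;
}

function pathMatches(patternPath, pathname) {
  if (patternPath.endsWith("*")) {
    return pathname.startsWith(patternPath.slice(0, -1));
  }
  return patternPath === pathname;
}

function routeMatches(pattern, url) {
  const u = new URL(url);
  const { host, path } = parseRoute(pattern);
  return hostMatches(host, u.hostname.toLowerCase()) && pathMatches(path, u.pathname);
}

// Return the hostnames that none of the configured routes would send to the Worker.
function uncoveredHosts(routes, hostnames) {
  return hostnames.filter(
    (h) => !routes.some((r) => routeMatches(r, `https://${h}/`))
  );
}

// Constructed sample data mirroring the thread: one route, then two routes,
// checked against both hostnames that should carry the headers.
const ROUTES_BEFORE = ["scanningpens.com.au/*"];
const ROUTES_AFTER = ["scanningpens.com.au/*", "www.scanningpens.com.au/*"];
const HOSTS = ["scanningpens.com.au", "www.scanningpens.com.au"];

console.log("uncovered before:", uncoveredHosts(ROUTES_BEFORE, HOSTS)); // ["www.scanningpens.com.au"]
console.log("uncovered after:", uncoveredHosts(ROUTES_AFTER, HOSTS));   // []
```

A single wildcard route such as `*scanningpens.com.au/*` would also cover both hostnames, but only once the `www` record is proxied through Cloudflare; a route that matches a hostname whose DNS record is "DNS only" is never evaluated.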
I added the route you mentioned; it does not work.
www. isn't proxied and isn't going through Cloudflare, so it won't work until it's a proxied record.
In the DNS I checked, and there's a CNAME for scanningpens.com to www.scanningpens.com.au which is proxied,
and then there's a CNAME which says www to NetSuite hosting and is set to DNS only.
Does anything need to be fixed here?
The www one isn't proxied (since it's DNS Only), so a Worker can't be run on that record. It's probably best checking with your hosting provider (NetSuite) that setting it to proxied won't cause any issues first.
It is now fixed. Thank you for the help.
That looks like the example Worker from Scott Helme (https://github.com/securityheaders/security-headers-cloudflare-worker).
Cloudflare has released Transform Rules since that repo was created, and they are probably a better way to apply such headers:
https://developers.cloudflare.com/rules/transform/response-header-modification/