Security Headers Stripped?


#1

Does Cloudflare strip security headers from the origin? Is there a way to get those to passthru?

In particular:
Content-Security-Policy
Referrer-Policy
X-XSS-Protection
and
X-Frame-Options is modified from DENY to SAMEORIGIN

I see a few posts about this with mixed responses.

This same site has very different results.
https://securityheaders.com/?q=www.dvcstats.com&followRedirects=on (cloudflare)
https://securityheaders.com/?q=dvc-rofr-stats.netlify.com&followRedirects=on (origin)


#2

I use most of those headers on my sites and they’re not stripped out.


#3

We have specifically set a rule to block all headers for sites managed by @david.kassa as a matter of principle.

It appears in your first test link we are getting a 525 error trying to communicate with the origin over SSL and so no headers from the origin are available to be returned.

525 Origin SSL Handshake Error

P.S. Hi @david.kassa


#4

Should have guessed it was user error. I’ll take another look.

P.S. hi @cscharff - looks like you landed at a great company.


#5
P.S. hi @cscharff - looks like you landed at a great company.

I did indeed. :slight_smile: Would you like my boss’ email address so you can provide him a shoulder to cry on?

You might try using Full vs Full (Strict) on your crypto tab to see if that helps in this instance. 250 OK?


#6

Yeah, it’s odd - I had a CSP error that I fixed (whoops). Now the primary (www) works in full but the naked url still gives the 525. If I move it to Flexible the naked URL works but I’m still not getting my security headers in either case. It feels like a Netlify issue but still looking.


#7

Works for me? Redirects to www?


#8

Yes, thanks for the sanity check. I hate Firefox - I have some weird caching issue even with it supposedly disabled.


#9

I tested with

curl -I https://your.domain … much easier to see what is going on there when it comes to redirection and headers.
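Added example (not from any poster in this thread): a small POSIX shell audit that takes the output of the `curl -I` approach from #9 and reports which of the four headers asked about in #1 are present in the final response, plus the final status code, so a 525 like the one diagnosed in #3 is visible at a glance instead of being mistaken for stripped headers. `your.domain` is a placeholder, and the two header dumps embedded below are constructed samples, not real captures.

```sh
#!/bin/sh
# Added example, not from the thread. Capture a header dump with
#   curl -sI -L https://your.domain > headers.txt     # your.domain is a placeholder
# -L follows redirects (naked domain -> www), so the dump contains every hop.
# Only the LAST response is audited: that is the one the browser enforces.

WANTED="Content-Security-Policy Referrer-Policy X-XSS-Protection X-Frame-Options"

# header_value <file> <name>: value of <name> in the last response (name match is
# case-insensitive), or nothing if it is absent there.
header_value() {
  tr -d '\r' < "$1" | awk -v n="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
    /^HTTP\//                        { v = "" }   # new hop: forget earlier responses
    tolower($0) ~ ("^" n ":")        { v = $0; sub(/^[^:]*:[ \t]*/, "", v) }
    END                              { print v }'
}

# final_status <file>: status code of the last response (e.g. 200, 525).
final_status() {
  tr -d '\r' < "$1" | awk '/^HTTP\// { s = $2 } END { print s }'
}

# count_missing <file>: how many WANTED headers are absent from the last response.
count_missing() {
  c=0
  for h in $WANTED; do
    [ -n "$(header_value "$1" "$h")" ] || c=$((c + 1))
  done
  echo "$c"
}

# report <file>: human-readable audit of one dump.
report() {
  status=$(final_status "$1")
  echo "final status: $status"
  case "$status" in
    525) echo "  525 Origin SSL Handshake Error: the origin never answered, so none of its headers can appear" ;;
  esac
  for h in $WANTED; do
    v=$(header_value "$1" "$h")
    if [ -n "$v" ]; then printf '  %-24s %s\n' "$h" "$v"; else printf '  %-24s MISSING\n' "$h"; fi
  done
}

# Constructed sample dumps (not real captures): the origin answering directly,
# and an edge that redirects the naked domain and then fails with 525.
ORIGIN=$(mktemp); EDGE=$(mktemp)
cat > "$ORIGIN" <<'EOF'
HTTP/2 200
content-type: text/html; charset=UTF-8
content-security-policy: default-src 'self'
referrer-policy: strict-origin-when-cross-origin
x-xss-protection: 1; mode=block
x-frame-options: DENY
EOF
cat > "$EDGE" <<'EOF'
HTTP/2 301
location: https://www.example.invalid/
x-frame-options: DENY
server: cloudflare

HTTP/2 525
server: cloudflare
EOF

echo "== origin =="; report "$ORIGIN"
echo "== edge =="; report "$EDGE"
echo "missing at origin: $(count_missing "$ORIGIN"), missing at edge: $(count_missing "$EDGE")"
rm -f "$ORIGIN" "$EDGE"
```

The redirect hop in the second sample deliberately carries an X-Frame-Options header that the final 525 response lacks; the audit ignores it, which is the point of looking only at the last hop: a scanner that follows redirects reports on the response the browser ends up with, not on what an intermediate hop sent.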


#10

This topic was automatically closed after 14 days. New replies are no longer allowed.