Security Headers Stripped?


Does Cloudflare strip security headers from the origin? Is there a way to get those to passthru?

In particular:
X-Frame-Options is modified from DENY to SAMEORIGIN

I see a few posts about this with mixed responses.

This same site has very different results. (cloudflare) (origin)


I use most of those headers on my sites and they’re not stripped out.


We have specifically set a rule to block all headers for sites managed by @david.kassa as a matter of principle.

It appears in your first test link we are getting a 525 error trying to communicate with the origin over SSL and so no headers from the origin are available to be returned.

525 Origin SSL Handshake Error

P.S. Hi @david.kassa


Should have guessed it was user error. I’ll take another look.

P.S. hi @cscharff - looks like you landed at a great company.

I did indeed. :slight_smile: Would you like my boss’ email address so you can provide him a shoulder to cry on?

You might try using Full vs Full (Strict) on your crypto tab to see if that helps in this instance. 250 OK?


Yeah, it’s odd - I had a CSP error that I fixed (whoops). Now the primary (www) works in full but the naked url still gives the 525. If I move it to Flexible the naked URL works but I’m still not getting my security headers in either case. It feels like a Netlify issue but still looking.


Works for me? Redirects to www?


Yes, thanks for the sanity check. I hate Firefox - I have some weird caching issue even with it supposedly disabled.


I tested with

curl -I https://your.domain … much easier to see what is going on there when it comes to redirection and headers.
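The curl -I check above, worked into a small comparison script (an added example, not code from anyone in this thread): it parses two header dumps, one taken directly from the origin and one through Cloudflare, and reports which security headers were dropped or changed, such as X-Frame-Options going from DENY to SAMEORIGIN. The dumps are constructed samples, not captures from the poster's site.

```python
from typing import Dict, List

# Headers a defender usually expects to survive the CDN unchanged.
SECURITY_HEADERS = ["strict-transport-security", "content-security-policy",
                    "x-frame-options", "x-content-type-options", "referrer-policy"]

def parse_curl_head(dump: str) -> Dict[str, str]:
    """Parse the text printed by `curl -I` into a lowercase-keyed dict.
    Each HTTP status line starts a new block, so after a redirect chain
    (e.g. 301 -> 200) only the final response's headers are kept."""
    headers: Dict[str, str] = {}
    for line in dump.splitlines():
        line = line.strip()
        if line.startswith("HTTP/"):
            headers = {}  # new response block: discard the earlier one
            continue
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers

def compare_security_headers(origin: Dict[str, str], edge: Dict[str, str]) -> List[str]:
    """Return one finding per security header that is missing or differs."""
    findings = []
    for name in SECURITY_HEADERS:
        o, e = origin.get(name), edge.get(name)
        if o is None and e is None:
            findings.append(f"{name}: not set at origin or edge")
        elif o is not None and e is None:
            findings.append(f"{name}: present at origin, missing at edge")
        elif o != e:
            findings.append(f"{name}: origin={o!r} edge={e!r}")
    return findings

# Constructed sample: direct response from the origin server.
ORIGIN_DUMP = """HTTP/2 200
x-frame-options: DENY
strict-transport-security: max-age=31536000
x-content-type-options: nosniff
"""

# Constructed sample: same site through the CDN, naked domain redirecting to www.
EDGE_DUMP = """HTTP/2 301
location: https://www.example.invalid/

HTTP/2 200
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
server: cloudflare
"""

if __name__ == "__main__":
    for finding in compare_security_headers(parse_curl_head(ORIGIN_DUMP), parse_curl_head(EDGE_DUMP)):
        print(finding)
```

Feed it real dumps from `curl -I --resolve` against the origin and from the public hostname to see exactly which headers the edge is changing.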
