Security Headers Stripped?

Does Cloudflare strip security headers from the origin? Is there a way to get those to pass through?

In particular:
Content-Security-Policy
Referrer-Policy
X-XSS-Protection
and
X-Frame-Options is modified from DENY to SAMEORIGIN

I see a few posts about this with mixed responses.

This same site has very different results.
Scan results for www.dvcstats.com (Cloudflare)
Scan results for dvc-rofr-stats.netlify.com (origin)

I use most of those headers on my sites and they’re not stripped out.


We have specifically set a rule to block all headers for sites managed by @david.kassa as a matter of principle.

It appears in your first test link we are getting a 525 error trying to communicate with the origin over SSL and so no headers from the origin are available to be returned.

525 Origin SSL Handshake Error

P.S. Hi @david.kassa

Should have guessed it was user error. I’ll take another look.

P.S. hi @cs-cf - looks like you landed at a great company.

P.S. hi @cscharff - looks like you landed at a great company.

I did indeed. :) Would you like my boss’ email address so you can provide him a shoulder to cry on?

You might try using Full vs Full (Strict) on your SSL/TLS app to see if that helps in this instance. 250 OK?

Yeah, it’s odd - I had a CSP error that I fixed (whoops). Now the primary (www) works in full but the naked url still gives the 525. If I move it to Flexible the naked URL works but I’m still not getting my security headers in either case. It feels like a Netlify issue but still looking.

Works for me? Redirects to www?

Yes, thanks for the sanity check. I hate Firefox - I have some weird caching issue even with it supposedly disabled.


I tested with

curl -I https://your.domain … much easier to see what is going on there when it comes to redirection and headers.
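The `curl -I` check above, written out as an added example script that is not from this thread or from Cloudflare: it parses raw `curl -I` output for the four headers named in the question, reports which are missing or changed between the edge and the origin, and shows why a 525 leaves no origin headers to pass through. The two sample responses are constructed, not captured from the sites discussed.

```shell
#!/bin/sh
# Added example: compare the security headers returned through Cloudflare with
# the ones the origin sends, using the raw `curl -I` output from the post above.
# Header names are matched case-insensitively; the samples below are constructed.
SECURITY_HEADERS="content-security-policy referrer-policy x-xss-protection x-frame-options"

# fetch_headers URL: the `curl -I` check from the post, following redirects so a
# naked-domain -> www redirect does not hide the final response's headers.
fetch_headers() { curl -sIL "$1"; }

# status_of: HTTP status code of a raw header block read on stdin (525 = Cloudflare
# could not complete the TLS handshake with the origin, so no origin headers exist).
status_of() { tr -d '\r' | head -n 1 | awk '{print $2}'; }

# check_headers: read a raw header block on stdin and print one "name=value" line
# per security header, with MISSING when the header is absent.
check_headers() {
    block=$(tr -d '\r')
    for h in $SECURITY_HEADERS; do
        val=$(printf '%s\n' "$block" | grep -i "^$h:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//')
        if [ -n "$val" ]; then printf '%s=%s\n' "$h" "$val"; else printf '%s=MISSING\n' "$h"; fi
    done
}

# compare_headers CF_REPORT ORIGIN_REPORT: print each header whose value differs
# between the two check_headers reports, as "name: cloudflare != origin".
compare_headers() {
    printf '%s\n' "$1" | while IFS='=' read -r name cfval; do
        oval=$(printf '%s\n' "$2" | grep "^$name=" | sed 's/^[^=]*=//')
        [ "$cfval" = "$oval" ] || printf '%s: %s != %s\n' "$name" "$cfval" "$oval"
    done
}

# Constructed samples: the origin answers with all four headers and DENY; the
# Cloudflare edge returns its 525 error page with only SAMEORIGIN set.
ORIGIN_SAMPLE="HTTP/2 200
content-type: text/html
content-security-policy: default-src 'self'
referrer-policy: strict-origin-when-cross-origin
x-xss-protection: 1; mode=block
x-frame-options: DENY"
CF_SAMPLE="HTTP/2 525
server: cloudflare
x-frame-options: SAMEORIGIN"

cf_report=$(printf '%s\n' "$CF_SAMPLE" | check_headers)
origin_report=$(printf '%s\n' "$ORIGIN_SAMPLE" | check_headers)
echo "edge status: $(printf '%s\n' "$CF_SAMPLE" | status_of)"
compare_headers "$cf_report" "$origin_report"
```

To run it against live hosts, replace the constructed samples with `fetch_headers https://www.example.invalid` for the proxied name and the origin name respectively.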

