Security Headers


#1

Hello,

just as it is now possible to enable Strict-Transport-Security and X-Content-Type-Options in the administration, so it would be great to be able to enable and set up additional Security Headers, like Content-Security-Policy, X-Frame-Options, X-Xss-Protection and Referrer-Policy. Could you please consider this functionality?

Thanks a lot!

Tom


#2

I already do that with my .htaccess files.

I believe the issue with those headers is that they are more likely to break a site than anything else Cloudflare does. Especially CSP.

The HSTS setting here is only available if you’re already running SSL for your domain. And that’s a pretty surefire “will work” setting. Note that you get DANGER DANGER type warnings when you enable HSTS. So imagine all the DANGER warnings Cloudflare would need to include if they enabled CSP.

I can’t speak for Cloudflare, but I’d think that’s a headache they don’t want.

What I think would be a better approach would be a Headers App. In fact, I think that’d be awesome! Other useful headers could include the HTTP/2 Push feature for certain files. Expect-CT is another header that would come in handy.

I’m sure @shimsa is familiar with header checking, but for everyone else, give it a try:


#3

I just ran across this thanks to Scott Helme:
https://scotthelme.co.uk/security-headers-cloudflare-worker/

Sounds awesome, but the $5/month per domain will sure add up quickly for me. Thankfully I have full access to my servers. Plus, I do all of it with .htaccess anyway.

At this point, I’m beginning wonder what the difference is between Workers and Apps.


#4

For all the great replies I see you post here, @sdayman, surprised the Cloudflare guys haven’t yet thrown you a bone and given you some kind of MVP access to all features for free. They certainly should do.


#5

They’ve been very kind to me. Some Beta access and other goodies. I think they’re just trying to get me addicted to some of their cooler features :wink:.


#6

Pssssh… don’t encourage @sdayman :slight_smile:

Many moons ago I was a Microsoft MVP and my personal dream is that someday Cloudflare has a similar program.


#7

I think in the near(?) future we may allow developers to publish their workers as apps in the marketplace, so that line will get even fuzzier.


#8

This topic was automatically closed after 14 days. New replies are no longer allowed.