February 13, 2021, 12:40pm
Hello Cloudflare Team and Community,
I’ve applied security headers on origin webserver (nginx) to be passed on responses, listed below, but Cloudflare doesn’t seem to pass them, even after purging all cache multiple times.
The headers are on the domain dci.com.br (Pro plan):
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
add_header Content-Security-Policy "frame-ancestors 'self';";
add_header X-XSS-Protection "1; mode=block";
Even though I am already paying for a Pro plan, I do not want to pay for Workers to add the headers, since the site receives dozens of millions of accesses per month, which would generate extra costs unnecessarily.
Also, it’s not nice to pay for a feature already 100% done and solved on my own server, and it would be interesting if Cloudflare could “pass” those headers as well, already defined on origin.
February 13, 2021, 12:50pm
If someone tests the domain, the HSTS and X-Content-Type-Options headers are present only because there are options to enable them directly on Cloudflare.
They are not being passed from the origin and that is the reason why all our other security headers are wrongly missing.
February 13, 2021, 12:52pm
I see some of the headers coming through. Can you run the following command which will show your origin response bypassing Cloudflare, and share the result:
curl --resolve www.dci.com.br:443:<origin IP address> https://www.dci.com.br/ -o /dev/null --dump-header -
February 13, 2021, 12:57pm
Thanks, Michael. I’m posting right now.
It seems the headers are not present, which is strange:
date: Sat, 13 Feb 2021 13:00:19 GMT
content-type: text/html; charset=UTF-8
link: <https://www.dci.com.br/wp-json/>; rel="https://api.w.org/"
link: <https://www.dci.com.br/wp-json/wp/v2/pages/22376>; rel="alternate"; type="application/json"
I will reset the fastcgi cache to see if this is the root cause.
February 13, 2021, 1:05pm
Make sure you use the Origin IP address. This looks like the request still came through Cloudflare.
February 13, 2021, 1:10pm
Your original instruction is correct, and I'm replacing <origin IP address> with the origin IP, but the response is still the same, with
I even tried adding both port 80 and 443, as well as
curl --resolve www.dci.com.br:443:<origin IP address> --resolve www.dci.com.br:80:<origin IP address> --resolve dci.com.br:443:<origin IP address> --resolve dci.com.br:80:<origin IP address> https://www.dci.com.br/ -o /dev/null --dump-header -
(replacing <origin IP address> with my server's dedicated IP)
But the result is still the same…
February 13, 2021, 1:19pm
I tested inside the dedicated server from dci.com.br, and the problem is that the dedicated server itself is passing the Cloudflare response. How can this even be possible? Even forcing the curl request with the --resolve parameter inside the dedicated server. I've never seen this before.
This site is using WordPress, the Cloudflare WordPress plugin and APO, but technically it would not be able to remove headers added from Nginx, right?
February 13, 2021, 1:21pm
OK. Ran my own test with an OVH address that has a Let’s Encrypt cert for your hostname. Not sure how that cf-edge-cache header is getting in there, but that’s a separate investigation for you.
The origin is not responding with the headers you are setting, so Cloudflare cannot pass them through. Investigation of what is happening in your Nginx/Wordpress setup is left as an exercise for the user!
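The "did my --resolve request actually reach the origin?" question above is the one that tripped up the thread, so here is a small added check (my own example, not code from either participant or from Cloudflare). It takes the output of `curl --dump-header -`, reports whether the response carries Cloudflare edge fingerprints (`cf-ray`, `cf-cache-status`, `server: cloudflare`), and lists which of the expected security headers are absent. The two header dumps at the bottom are constructed samples, not captures from dci.com.br.

```shell
# Added example: sanity-check a curl --dump-header capture before concluding
# that the origin is dropping headers. Pipe a capture in like this:
#   curl --resolve www.dci.com.br:443:<origin IP> https://www.dci.com.br/ \
#        -o /dev/null --dump-header - | sh -c '. ./check.sh; check_dump "$(cat)"'

# Header names (lower-case) that the origin is expected to send.
REQUIRED_HEADERS="strict-transport-security content-security-policy x-content-type-options x-xss-protection"

# Strip CRs and lower-case the dump so matching is case-insensitive.
lower_dump() {
    printf '%s\n' "$1" | tr -d '\r' | tr '[:upper:]' '[:lower:]'
}

# Prints "yes" if the dump carries headers that only Cloudflare's edge adds,
# meaning the request did not bypass the proxy; otherwise "no".
# cf-edge-cache is deliberately NOT in this list: the Cloudflare WordPress
# plugin sets it at the origin, so it does not prove the edge answered.
via_cloudflare() {
    if lower_dump "$1" | grep -Eq '^(cf-ray|cf-cache-status):|^server: *cloudflare'; then
        echo yes
    else
        echo no
    fi
}

# Prints the required header names missing from the dump, space-separated
# (empty output means everything expected is present).
missing_headers() {
    lower=$(lower_dump "$1")
    out=""
    for h in $REQUIRED_HEADERS; do
        printf '%s\n' "$lower" | grep -q "^$h:" || out="$out $h"
    done
    printf '%s\n' "${out# }"
}

# Human-readable verdict for one dump.
check_dump() {
    if [ "$(via_cloudflare "$1")" = yes ]; then
        echo "WARNING: Cloudflare edge headers present; --resolve did not reach the origin"
    fi
    m=$(missing_headers "$1")
    if [ -n "$m" ]; then
        echo "missing: $m"
    else
        echo "all required security headers present"
    fi
}

# Constructed sample: an origin that really sends the headers.
ORIGIN_DUMP=$(printf '%s\n' \
    'HTTP/1.1 200 OK' \
    'Server: nginx' \
    'Content-Type: text/html; charset=UTF-8' \
    'Strict-Transport-Security: max-age=31536000; includeSubDomains; preload' \
    "Content-Security-Policy: frame-ancestors 'self';" \
    'X-Content-Type-Options: nosniff' \
    'X-XSS-Protection: 1; mode=block')

# Constructed sample: what the edge returns when the origin drops its headers
# (HSTS and nosniff come from the Cloudflare dashboard toggles, CSP is gone).
EDGE_DUMP=$(printf '%s\n' \
    'HTTP/2 200' \
    'date: Sat, 13 Feb 2021 13:00:19 GMT' \
    'content-type: text/html; charset=UTF-8' \
    'strict-transport-security: max-age=31536000; includeSubDomains; preload' \
    'x-content-type-options: nosniff' \
    'cf-cache-status: HIT' \
    'server: cloudflare' \
    'cf-ray: constructed-sample-GRU')

check_dump "$ORIGIN_DUMP"
check_dump "$EDGE_DUMP"
```

Run it inside the origin server as well as from outside: if the in-server capture still shows `cf-ray` or `server: cloudflare`, the host is not answering directly for that name (a local proxy, another Cloudflare-fronted upstream, or a DNS override), and no amount of nginx `add_header` tuning will show up until that is fixed. `--resolve` only overrides name resolution in curl; it cannot reach past whatever listens on the IP you give it.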
February 13, 2021, 1:23pm
Thanks, Michael! I will investigate!
Cause discovered! The defined headers weren't being applied for the reasons explained
One is that nginx only processes the add_header it spots down a tree. So if you have an add_header in the server context, then another in the location nested context, it will only process the add_header directive inside the location context. Only the deepest context.
Official Nginx docs:
There could be several add_header directives. These directives are inherited from the previous level if and only if there are no add_header directives defined on the current level.
Now I identified this on my config and applied the necessary changes. Everything is correct, now.
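To make the inheritance rule above concrete, here is an added example (my own illustration, not the poster's actual configuration) of the shape of config that silently drops the server-level headers, followed by the fix. Hostnames, socket paths and the snippet path are placeholders.

```nginx
# --- Broken: the location block declares its own add_header, so for PHP
# responses nginx uses ONLY that one and the three security headers defined
# at server level are never sent. This is exactly the all-or-nothing
# inheritance rule quoted from the nginx docs.
server {
    listen 443 ssl;
    server_name www.example.com;            # placeholder hostname

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header Content-Security-Policy "frame-ancestors 'self';" always;
    add_header X-Content-Type-Options "nosniff" always;

    location ~ \.php$ {
        # A single add_header here replaces the whole inherited set.
        add_header X-Cache-Status $upstream_cache_status;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket
        include fastcgi_params;
    }
}

# --- Fixed: keep the security headers in one snippet and include it in
# every context that declares its own add_header, so nothing is lost.
# Contents of snippets/security-headers.conf (placeholder path):
#   add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
#   add_header Content-Security-Policy "frame-ancestors 'self';" always;
#   add_header X-Content-Type-Options "nosniff" always;
server {
    listen 443 ssl;
    server_name www.example.com;

    include snippets/security-headers.conf;

    location ~ \.php$ {
        add_header X-Cache-Status $upstream_cache_status;
        include snippets/security-headers.conf;   # re-declare: inheritance is all-or-nothing
        fastcgi_pass unix:/run/php/php-fpm.sock;
        include fastcgi_params;
    }
}
```

Two things worth checking after the fix: `nginx -t && nginx -s reload`, then request a PHP page, a static asset and a 404 separately. The `always` parameter (nginx 1.7.5 and later) matters for the last one, because without it `add_header` only applies to 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308 responses, so error pages would still go out without HSTS or CSP.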
February 13, 2021, 3:25pm
Any idea where the cf-edge-cache header is coming from? Are you proxying against another Cloudflare host?
You can also configure the x-content-type-options header using the HSTS feature on the Cloudflare