Hello Cloudflare Team and Community,
I’ve applied security headers on the origin web server (nginx) to be passed on responses, listed below, but Cloudflare doesn’t seem to pass them, even after purging all cache multiple times.
The headers are on the domain dci.com.br (Pro plan):
Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
Content-Security-Policy "frame-ancestors 'self';";
X-XSS-Protection "1; mode=block";
Even though I'm already paying for a Pro plan, I do not want to pay for Workers to add the headers, since the site receives dozens of millions of accesses per month, which would generate extra costs unnecessarily.
Also, it’s not nice to pay for a feature already 100% done and solved on my own server, and it would be interesting if Cloudflare could “pass” those headers as well, as already defined on the origin.