@sdayman If you’d like to raise your score to 130/100, then take advantage of Subresource Integrity via the `require-sri-for style script` Content-Security-Policy header. However - and here’s the catch - it must be used for at least one script and must be used for all that you do use. Example: for my redesigned site, one script I do use with it is the following:

```html
<script src="https://cdnjs.Cloudflare.com/ajax/libs/materialize/1.0.0/js/materialize.min.js" integrity="sha384-ZOED+d9HxogEQwD+jFvux96iGQR9TxfJO+mPF2ZS0TuKH6eWrmvPsDpO6I0OWdiX" crossorigin="anonymous"></script>
```
```
__Secure-Max-Age=0; path=/; domain=.intr0.com; HttpOnly; Secure; SameSite=Strict
```

The above is what I set for my domain. And it does not interfere with Cloudflare’s

```js
newHeaders.set("Set-Cookie", "__Secure-Max-Age=0; path=/; domain=.example.com; HttpOnly; Secure; SameSite=Strict");
```
Note that the `__Secure-` prefix must use the double underline `__`, not a single underline `_`, and the dash `-` is necessary as a suffix for the `__Secure-` prefix for the
where `Max-Age=0` ended up resulting in my cookie being named `Max-Age`, which is fine.^(1) Experimentation will enable you to use what you will for `cookie-name=cookie-value; Max-Age=n`. Though `Max-Age=0` is not explicitly disallowed by web browser engines, it is discouraged, though for what reason I’m unaware, since it’s not deprecated and still in use.
Edit: also, if one were to use the actual `0`, it would require setting browser cache expiration to respect existing headers, turning off Always Online, and bypassing the cache in (a) page rule(s).
Edit: The changes to the Cloudflare cache directives using the dashboard only affect the `Cache-Control` header. I.e., if one wishes to have a `Cache-Control` header of `private, max-age=0`, the changes as outlined in the initial edit should be followed.
(1) Applied to pre-edited information; left in place for historical purposes.