I have an origin server, which I do not have full control over its configuration. It sends 200-500 bytes of developer debug response headers for each request. Request IDs, CRCs that arent etags, Varnish, timings, cluster nodes, base64 JSON in a header, alot of useless stuff. Yes HTTP2 huffman encoding knocks some of that down. But what about HTTP 1.1/cleartext HTTP.
I know the new April 2021 transform rules feature has a request “remove headers” feature. I am requesting a response “remove headers” feature. I want to remove 5-10 of these junk debug headers my origin sends out, without using a cloudflare worker. This would get alot more of my JSON responses under the 1200 byte body/ 1 packet threshold, which fastest TTFB that can be achieved on IP networks.
If my CF domain is always used cross origin by another domain, by design, and my CF origin has some kind of server side analytics module (phpish), and always sends a Set-cookie, even though browser will ALWAYS reject the Set-cookie on an cross origin image, or no-credentials AJAX. or cleartext HTTP. A transform rule, to delete all set-cookie headers would be nice.
Other more paranoid web devs would argue their origins are sending out “sensitive” metadata to eyeballs, that a blackhat can use, to pen test, Server header for example, or DC city names (pick the correct botnet provider to launch a DDOS), or PHP vs JSP. This can be made secret again with a response remove header feature.
Origin->CF bandwidth 1gig or 10 gig wired, bandwidth is free. CF->mobile, always complicated.