Unwanted Access-Control-Allow-Origin: * added on Cloudflare Pages

I’m getting started with Cloudflare Pages to host simple static files.

I created a Pages project and deployed a single .txt file and a _headers file to it.

The content of the _headers file is as follows

  Content-Type: text/plain

  X-Robots-Tag: noindex

The .txt file is served as expected, with both HTTP headers from the _headers file sent with it. However, Pages is also sending an Access-Control-Allow-Origin: * header with every response.

As I understand from the Pages docs, one’d have to explicitly set said header in the _headers file for it to appear in the response:

To enable other domains to fetch every asset from your Pages project, the following can be added to the _headers:


 Access-Control-Allow-Origin: *

This applies the Access-Control-Allow-Origin header to any incoming URL.

Headers · Cloudflare Pages docs

Is this a bug? Is there a way to remove the Access-Control-Allow-Origin header from the responses?

Thank you!

You can remove it with the _headers file like so:

  ! Access-Control-Allow-Origin

Hey! Sorry for the delay (topic was hidden temporarily) and thank you for the response.

I tried as you suggested but it didn’t work, it seems it broke the _headers file, as it continued to send the Access-Control-Allow-Origin header and stopped sending the other headers. Maybe I did something wrong in the process 🤔

What I did for now was create a Transform Rule on the dashboard to remove the header, but ideally the header shouldn’t be sent at all.


If you can send your _headers I can take a look at what may have gone wrong.

It seems it had stopped working altogether because I had put it in the wrong folder. I’m using direct uploads and the ZIP structure was as follows

├─ _headers
└─ public/
   └─ ...

I tried now with all files at the zip root and the headers were sent again. Including the Access-Control-Allow-Origin header.

The _headers file is as follows:

  Content-Type: text/plain

  Strict-Transport-Security: max-age=31536000
  X-Robots-Tag: noindex
  X-Frame-Options: SAMEORIGIN
  ! Access-Control-Allow-Origin

I don’t know if I did something wrong while trying to remove the Access-Control-Allow-Origin header or if Cloudflare changed something on their end since this topic, but it seems prepending the header directive with ! to remove a header is now working as intended.

I also noticed there’s now a “Detach a header” section in the docs.
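A way to check a deployment for the two failure modes seen in this thread (the wildcard CORS header still being sent, and the custom headers vanishing because _headers was not at the upload root), added here as an example and not part of the original posts. The function names and the sample header blocks are constructed for illustration; the expected header values are the ones from the last _headers file above.

```python
import sys
import urllib.request

# Headers the thread's final _headers file is meant to add.
EXPECTED = {
    "strict-transport-security": "max-age=31536000",
    "x-robots-tag": "noindex",
    "x-frame-options": "SAMEORIGIN",
}

# Constructed sample header blocks (shape of `curl -sI` output), not real captures.
CUSTOM = "".join(f"{k}: {v}\n" for k, v in EXPECTED.items())
DETACHED = "HTTP/2 200\ncontent-type: text/plain\n" + CUSTOM
STILL_CORS = DETACHED + "access-control-allow-origin: *\n"
WRONG_FOLDER = "HTTP/2 200\ncontent-type: text/plain\naccess-control-allow-origin: *\n"

def parse_headers(raw):
    """Parse a raw header block into {lowercased name: [values]}."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:          # status line or blank line
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw, expected=EXPECTED):
    """Return findings; an empty list means the headers match what was intended."""
    headers = parse_headers(raw)
    findings = []
    if "*" in headers.get("access-control-allow-origin", []):
        findings.append("wildcard Access-Control-Allow-Origin still sent")
    missing = sorted(n for n, v in expected.items() if v not in headers.get(n, []))
    if missing and len(missing) == len(expected):
        findings.append("no custom headers sent: _headers not applied (is it at the upload root?)")
    elif missing:
        findings.append("missing or changed: " + ", ".join(missing))
    return findings

if __name__ == "__main__" and len(sys.argv) > 1:
    # Live check: python check_headers.py https://<your-project-url>/file.txt
    req = urllib.request.Request(sys.argv[1], method="HEAD")
    with urllib.request.urlopen(req) as resp:
        raw = "".join(f"{k}: {v}\n" for k, v in resp.getheaders())
    print(audit(raw) or "ok")
```

Running it after every deploy catches the case where a misplaced _headers file silently drops the security headers while the permissive CORS header stays.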

