10 Comments

  1. Thank you for the well explained article. I was able to implement the same and got the expected result. However, if I uncheck unfollow Redirect checkbox It gives me rating R (which is fare as i have setup for the http to https redirect) but all the headers apart from HSTS and CSP shows missing. Was not able to find enough on the same, if you could help with same, it will be a big help. Thank you.

    Best,
    Mohit

  2. “By leveraging Cloudflare, you can add an extra layer of security to your website, protecting it from various threats.”
    To be clear, most of these will protect your visitors more than the site itself.
    Thanks for the great guide.

  3. Thanks Great Information. Kindly Provide More valuable Insight on Cloudflare features that enhance website security and performance.

  4. Thank you very helpful. I managed to replace all the rules added by a leading security headers plugin using this. They are below for others reference

    Header set Access-Control-Allow-Methods “GET,POST”
    Header set Access-Control-Allow-Headers “Content-Type, Authorization”
    Header set Content-Security-Policy “upgrade-insecure-requests;”
    Header set Cross-Origin-Embedder-Policy “unsafe-none; report-to=’default'”
    Header set Cross-Origin-Embedder-Policy-Report-Only “unsafe-none; report-to=’default'”
    Header set Cross-Origin-Opener-Policy “unsafe-none”
    Header set Cross-Origin-Opener-Policy-Report-Only “unsafe-none; report-to=’default'”
    Header set Cross-Origin-Resource-Policy “cross-origin”
    Header set Permissions-Policy “accelerometer=(), autoplay=(), camera=(), cross-origin-isolated=(), display-capture=(self), encrypted-media=(), fullscreen=*, geolocation=(self), gyroscope=(), keyboard-map=(), magnetometer=(), microphone=(), midi=(), payment=*, picture-in-picture=(), publickey-credentials-get=(), screen-wake-lock=(), sync-xhr=(), usb=(), xr-spatial-tracking=(), gamepad=(), serial=()”
    Header set Referrer-Policy “strict-origin-when-cross-origin”
    Header set Strict-Transport-Security “max-age=63072000; includeSubDomains; preload”
    Header set X-Content-Security-Policy “default-src ‘self’; img-src *; media-src * data:;”
    Header set X-Content-Type-Options “nosniff”
    Header set X-Frame-Options “SAMEORIGIN”
    Header set X-Permitted-Cross-Domain-Policies “none”

  5. I have added 3 rules in Cloudflare Transform Rules:
    Strict-Transport-Security “max-age=63072000; includeSubDomains; preload”
    X-Content-Type-Options “nosniff”
    X-Frame-Options “SAMEORIGIN”

    and after clearing cache when i hit the domain name from google chrome it shows me error in console
    “X-Frame-Options may only be set via an HTTP header sent along with a document. It may not be set inside”

    Why is it so?

Leave a Reply

Your email address will not be published. Required fields are marked *