This guide explains how to configure security headers in Cloudflare using response header modification rules. These headers enhance security by preventing attacks such as clickjacking, MIME-type sniffing, and unauthorized resource loading.
Creating a Rule to Modify Response Headers
1. Log in to Cloudflare.
2. Select your domain.
3. Navigate to Rules → Transform Rules → Modify Response Header.
4. Click Create Rule and name it (e.g., Security Headers).
Define Conditions for Incoming Requests
Under If incoming requests match…, use the following expressions:
For a specific domain:
(http.request.full_uri contains "yourdomain.com")
For all requests (recommended):
(http.request.full_uri wildcard "*")
This ensures the rule applies to every incoming request.
Adding Security Headers
Under Modify response header, configure the following headers:
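Strict-Transport-Security (HSTS)
Header Name: Strict-Transport-Security
Value: max-age=31536000; includeSubDomains; preload
Note: includeSubDomains applies the policy to every subdomain, and preload has an effect only after the domain is submitted to the browser preload list, so confirm that all subdomains serve HTTPS first.
Content-Security-Policy (CSP)
Header Name: Content-Security-Policy
Value: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
Note: 'unsafe-inline' in script-src lets inline scripts run, which weakens CSP's protection against cross-site scripting; remove it once the site no longer relies on inline scripts.
Permissions-Policy
Header Name: Permissions-Policy
Value: geolocation=(), microphone=(), camera=()
X-Content-Type-Options
Header Name: X-Content-Type-Options
Value: nosniff
X-Frame-Options
Header Name: X-Frame-Options
Value: SAMEORIGIN
Referrer-Policy
Header Name: Referrer-Policy
Value: same-origin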
Deploy and Verify
1. Save & Deploy the rule.
2. Purge the Cloudflare cache: navigate to Cloudflare Dashboard → Caching → Purge Everything.
3. Verify the headers using curl:
curl -I https://yourdomain.com
4. Test the headers with the Security Headers scanner: visit Security Headers and enter your domain.
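The curl check above can be scripted. The following is an added example, not part of the original guide: a POSIX shell script that compares a response's headers with the six values configured in this guide and reports any that are missing, different, or sent more than once. The function names, the EXPECTED list format, the file name check.sh and the sample response are assumptions made for illustration.

```sh
# Added example, not from the original guide. Header names are matched
# case-insensitively because curl prints HTTP/2 header names in lowercase.
# name|value pairs copied from the "Adding Security Headers" section:
EXPECTED="strict-transport-security|max-age=31536000; includeSubDomains; preload
content-security-policy|default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'
permissions-policy|geolocation=(), microphone=(), camera=()
x-content-type-options|nosniff
x-frame-options|SAMEORIGIN
referrer-policy|same-origin"

# header_values NAME: read raw headers on stdin, print every value sent for NAME.
header_values() {
  tr -d '\r' | awk -v want="$1" '{
    i = index($0, ":"); if (i == 0) next
    val = substr($0, i + 1); gsub(/^[ \t]+|[ \t]+$/, "", val)
    if (tolower(substr($0, 1, i - 1)) == want) print val
  }'
}

# check_headers RAW: print one line per problem; return 0 only if all six match.
check_headers() {
  raw=$1; rc=0
  while IFS='|' read -r name want; do
    got=$(printf '%s\n' "$raw" | header_values "$name")
    if [ -z "$got" ]; then
      echo "MISSING $name"; rc=1
    elif [ "$(printf '%s\n' "$got" | grep -c '')" -gt 1 ]; then
      echo "DUPLICATE $name"; rc=1   # e.g. the origin and a rule both set it
    elif [ "$got" != "$want" ]; then
      echo "MISMATCH $name"; rc=1
    fi
  done <<EOF
$EXPECTED
EOF
  return $rc
}

# Constructed sample (not a real capture): CSP absent, X-Frame-Options differs,
# Referrer-Policy sent twice.
SAMPLE_RESPONSE="HTTP/2 200
strict-transport-security: max-age=31536000; includeSubDomains; preload
permissions-policy: geolocation=(), microphone=(), camera=()
x-content-type-options: nosniff
X-Frame-Options: DENY
referrer-policy: same-origin
referrer-policy: no-referrer"

# Live use (check.sh is a hypothetical file name): sh check.sh https://yourdomain.com
if [ $# -gt 0 ]; then check_headers "$(curl -sI "$1")"; fi
```

A DUPLICATE result usually means the origin server or another rule is also sending that header, which is the rule-conflict case listed under Troubleshooting.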
Troubleshooting
If headers are missing, check:
– Caching Issues: Purge the Cloudflare cache.
– Other Rule Conflicts: Ensure no other rules override your headers.
– DNS Proxying: The domain should be proxied (orange cloud enabled) in Cloudflare.
Conclusion
By implementing these security headers, you enhance your site’s protection against various web-based attacks. 🚀 Now your Cloudflare-protected website is more secure!