Unable to add security headers to website with transform rules!

I tried adding security headers via navigating to rules>transform rules>modify response header> adding headers but then also not reflecting on when checked ny securityheaders
42 Replies
detectiveConan
detectiveConanOP5mo ago
@Community Champion anybody can help me out for it
Peps
Peps5mo ago
?pings
Flare
Flare5mo ago
Please do not ping community members for non-moderation reasons. Doing so will not solve your issue faster and will make people less likely to want to help you.
detectiveConan
detectiveConanOP5mo ago
what does it means?
Peps
Peps5mo ago
That the Community Champion role should not be pinged/tagged for non-moderation related reasons. It's normally only meant to be used if someone in the server is breaking the rules or being problematic in another way that requires the attention of the mods
detectiveConan
detectiveConanOP5mo ago
Oh, I see as I am new to server so not aware of it! dude, can you help me out in my issue if possible! will be very helpful of you of this favor @Peps
Chaika
Chaika5mo ago
I told you the two things that would be needed to debug this: Screenshot of the transform rule you made URL of the website where the headers should be
detectiveConan
detectiveConanOP5mo ago
No description
No description
Chaika
Chaika5mo ago
That website isn't proxied in Cloudflare (under DNS -> Records), needs to be proxied to go through the cdn and have any rules/etc apply probably would want to proxy both your apex and the www subdomain, just make sure under ssl/tls -> overview your ssl/tls setting is Full (Strict) first and not Flexible to avoid that proxy issue
detectiveConan
detectiveConanOP5mo ago
Ok! I am deploying it and let you know dude once it's done! now the traffic is proxied in cloudflare! can you tell me further steps now @Chaika
Chaika
Chaika5mo ago
looks like apex is proxied but www isn't
detectiveConan
detectiveConanOP5mo ago
do you mean this one dude?
No description
Chaika
Chaika5mo ago
yup
detectiveConan
detectiveConanOP5mo ago
done but still now also same!
detectiveConan
detectiveConanOP5mo ago
No description
Chaika
Chaika5mo ago
see that ip address? When it switches to 104.x.x/172.x.x/188.x.x that's when dns cache will have expired and you're hitting the Cloudflare proxy
detectiveConan
detectiveConanOP5mo ago
No description
Chaika
Chaika5mo ago
dns is very slow to update, gotta give it time for all the caches to expire < referrer-policy: no-referrer < x-content-type-options: nosniff < server: cloudflare I see those two headers
detectiveConan
detectiveConanOP5mo ago
can you also tell me other security headers too that will be also be added in order to have maxium protection for website! you mean it will take time to propogate?
Chaika
Chaika5mo ago
yes that security headers website does a decent job of showing a few you're missing there like Permissions Policy
Chaika
Chaika5mo ago
HTTP Headers - OWASP Cheat Sheet Series
Website with the collection of all the cheat sheets of the project.
detectiveConan
detectiveConanOP5mo ago
I've added others can you pls check it once is it ok?
No description
Chaika
Chaika5mo ago
you don't need to set access control allowed origin
detectiveConan
detectiveConanOP5mo ago
and also can you check is it ok?
No description
detectiveConan
detectiveConanOP5mo ago
my bad just forgot to skip!
Chaika
Chaika5mo ago
not sure what that's meant to accomplish
detectiveConan
detectiveConanOP5mo ago
I want that if any body try to pass long string to website after / path it will block it so that's what I was looking for ?
Chaika
Chaika5mo ago
you don't want to set X-XSS-Protection there either, you're actually relaxing protections If you want to set Strict-Transport-Security (HSTS) I would remove it there and enable it under SSL/TLS -> Edge
detectiveConan
detectiveConanOP5mo ago
didn't get it can you elaborate it a bit dude! as I have already enable edge certificate SSL/TLS for it! so you mean I needn't to mention it again in headers? just correct me if I am wrong dude!
Chaika
Chaika5mo ago
under ssl/tls -> edge certificates you can configure hsts
No description
Chaika
Chaika5mo ago
that sets the strict-transport-security header for your entire zone and is the better way of setting it
detectiveConan
detectiveConanOP5mo ago
btw what's the use of it if I would get to know it?
Chaika
Chaika5mo ago
once clients see the hsts header they will refuse to fallback to http (plaintext) with preload enabled you can submit your site to hsts preload and be embedded in browsers and always use it
Chaika
Chaika5mo ago
detectiveConan
detectiveConanOP5mo ago
what I need to enable from it, all? in it max-age needs to be set
63072000
63072000
?
No description
detectiveConan
detectiveConanOP5mo ago
and also if i se no sniff header above, so I think there is no needs to add it into rules too, just correct me if I am wrong? there ser @Chaika as almost on the verge of completion! Actually, I am looking for long string DDOS protection so for it will this work?
detectiveConan
detectiveConanOP5mo ago
SerpWorx
HTTP Security Headers Check Tool - Security Headers Response
Security Header Response checker. Easily test & check your Security Response Headers. Check your site's Security headers & see what you score!
Chaika
Chaika5mo ago
you'd want all the settings checked and 12/mo max age, the no sniff part of strict-secure-transport is different then x-content-type-options if that's what you're saying there's already sane path limits in cf and web servers like nginx and such, that's not how you would get ddosed
detectiveConan
detectiveConanOP5mo ago
and is it cool!
Chaika
Chaika5mo ago
yea looks fine to me, just make sure the content security policy doesn't break your site
detectiveConan
detectiveConanOP5mo ago
and btw can I also set below headers
'Expect-CT', 'max-age=86400, enforce'
'Expect-CT', 'max-age=86400, enforce'
additionally?
Chaika
Chaika5mo ago
MDN Web Docs
Expect-CT - HTTP | MDN
The Expect-CT header lets sites opt in to reporting and/or enforcement of Certificate Transparency requirements. Certificate Transparency (CT) aims to prevent the use of misissued certificates for that site from going unnoticed.
Want results from more Discord servers?
Add your server