Unable to add security headers to website with transform rules!
I tried adding security headers by navigating to Rules > Transform Rules > Modify Response Header and adding the headers,
but they are not reflected when I check with securityheaders.
@Community Champion can anybody help me out with this?
?pings
Please do not ping community members for non-moderation reasons. Doing so will not solve your issue faster and will make people less likely to want to help you.
what does that mean?
That the Community Champion role should not be pinged/tagged for non-moderation related reasons.
It's normally only meant to be used if someone in the server is breaking the rules or being problematic in another way that requires the attention of the mods
Oh, I see, as I am new to the server I was not aware of it!
dude, can you help me out with my issue if possible?
it would be very helpful of you to do me this favor @Peps
I told you the two things that would be needed to debug this:
Screenshot of the transform rule you made
URL of the website where the headers should be
That website isn't proxied in Cloudflare (under DNS -> Records); it needs to be proxied to go through the CDN and have any rules etc. apply
you'd probably want to proxy both your apex and the www subdomain, just make sure under SSL/TLS -> Overview your SSL/TLS setting is Full (Strict) first and not Flexible to avoid that proxy issue
Ok!
I am deploying it and will let you know once it's done, dude!
now the traffic is proxied in cloudflare!
can you tell me the further steps now @Chaika?
looks like apex is proxied but www isn't
do you mean this one dude?
yup
done, but it's still the same!
see that ip address?
When it switches to 104.x.x/172.x.x/188.x.x, that's when the DNS cache will have expired and you're hitting the Cloudflare proxy
dns is very slow to update, gotta give it time for all the caches to expire
< referrer-policy: no-referrer
< x-content-type-options: nosniff
< server: cloudflare
I see those two headers
can you also tell me which other security headers should be added in order to have maximum protection for the website?
you mean it will take time to propagate?
yes
that security headers website does a decent job of showing a few you're missing there like Permissions Policy
I've added others, can you please check once whether it is ok?
you don't need to set access control allowed origin
and can you also check whether this is ok?
my bad, just forgot to skip it!
not sure what that's meant to accomplish
I want it so that if anybody tries to pass a long string to the website after the / path it will block it, so that's what I was looking for.
you don't want to set X-XSS-Protection there either, you're actually relaxing protections
If you want to set Strict-Transport-Security (HSTS) I would remove it there and enable it under SSL/TLS -> Edge
didn't get it, can you elaborate a bit, dude?
as I have already enabled the edge certificate SSL/TLS for it!
so you mean I needn't mention it again in the headers?
just correct me if I am wrong, dude!
under ssl/tls -> edge certificates you can configure hsts
that sets the strict-transport-security header for your entire zone and is the better way of setting it
btw what's the use of it, if I could get to know it?
once clients see the hsts header they will refuse to fallback to http (plaintext)
with preload enabled you can submit your site to hsts preload and be embedded in browsers and always use it
this all is explained in https://cheatsheetseries.owasp.org/cheatsheets/HTTP_Headers_Cheat_Sheet.html#strict-transport-security-hsts
what do I need to enable from it, all of them?
does max-age need to be set in it?
and also, since I see the nosniff header above, I think there is no need to add it into the rules too, just correct me if I am wrong?
there, sir @Chaika
as it's almost on the verge of completion!
Actually, I am looking for long-string DDoS protection, so will this work for it?
https://www.serpworx.com/check-security-headers/?url=aarc.xyz
@Chaika is it good?
you'd want all the settings checked and a 12 month max-age; the no-sniff part of strict-transport-security is different than x-content-type-options, if that's what you're saying
there's already sane path limits in cf and web servers like nginx and such, that's not how you would get ddosed
and is it cool?
yea looks fine to me, just make sure the content security policy doesn't break your site
and btw
can I also set the headers below
additionally?
Expect-CT - HTTP | MDN: The Expect-CT header lets sites opt in to reporting and/or enforcement of Certificate Transparency requirements. Certificate Transparency (CT) aims to prevent the use of misissued certificates for that site from going unnoticed.