Next, in the Create Transform Rule dropdown, select Modify Response Header to create a new HTTP Response Header Modification rule:
And give your rule a meaningful name:
Rules require a condition to be set that defines when the rule is applied. However, Security Headers should be sent with each response.
There isn’t a catch-all condition per se, so we’ll use the condition for SSL/TLS, which specifies that the rule be applied for any HTTPS connection to the site:
It goes without saying that your site should be served over HTTPS at all times. In the Cloudflare Dashboard, under Dashboard > SSL/TLS > Edge Certificates, this is a great time to re-check that the following settings are enabled:
Cloudflare also has the option to enable HTTP Strict Transport Security (HSTS) under Dashboard > SSL/TLS as a standalone option.
This is a type of Security Header that enforces HTTPS exclusively, so for the purposes of this guide HSTS will be specified under Transform Rules.
Once the conditions are set, you can now add individual response headers as needed. The following types of headers should be added based on best-practices:
The header definitions above are garnered and paraphrased from securityheaders.com, and each header is linked to an article by Scott Helme (the website’s creator) that goes into greater detail.
Here’s an example of some sane defaults I would recommend:
Content-Security-Policy is heavily tied to your website’s domain, asset locations, third-party integrations, Content Delivery Networks, etc.
It’s recommended to add a very lax CSP at first, then proceed to inspect what resources your site requests (via the browser console’s Network tab) before implementing stricter directives, so as to not break your site.
When dealing directly with a web server or CI/CD pipeline, Security Headers are usually stored in a configuration file. However, Cloudflare requires that you manually add each header and its corresponding value one by one.
It’s a bit time-consuming, but the following is an example of what the end result will look like:
Thanks for reading, and I hope you can quickly secure and test your website’s Security Headers using Cloudflare’s new feature.
Generalist. Edgerunner. Riding the wave of consciousness in this treacherous mortal sea.Technology Design Strategy Literature Personal Blogs
Results are from Blog, Link Dumps, and #99Problems