A step-by-step guide to implementing secure HTTP headers on websites powered by Cloudflare using Cloudflare Workers.
There are many ways to add security-related HTTP response headers to a site. They protect against common vulnerabilities such as cross-site scripting (XSS), clickjacking, MIME sniffing, content injection and many more. It's a widely adopted practice and is recommended by OWASP.
The implementation is straightforward and flexible. A Worker route lets you apply the headers to the entire site, to a subdomain, or only to URIs that match a pattern (Cloudflare route patterns use `*` wildcards rather than full regular expressions; finer matching, such as a regex on the request path, can be done inside the Worker script itself).
For this demonstration, I’ll be using the code by Scott Helme.
Let’s get it started…👨💻
Log in to Cloudflare and click on Workers.
Click Create a Worker.
Copy the worker.js code from Scott Helme's GitHub repository and paste it into the script editor.
I don’t know why the Server header is not reflected. I guess Cloudflare is overriding this.
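To make the mechanism concrete, here is an added example of a Worker that does the same job, written for this article rather than taken from it or from Scott Helme's worker.js. It assumes the Cloudflare Workers runtime or Node 18+ (both provide `Response` and `Headers` as globals); the header values are illustrative defaults, and the `/embed/` path and `partner.example` origin are placeholders standing in for whatever part of a site is legitimately framed elsewhere.

```javascript
// Added example (not the original post's code, not Scott Helme's worker.js):
// a Cloudflare Worker that adds security headers to every origin response
// and strips headers that only help an attacker fingerprint the stack.

// Headers to add on every response. A CSP this strict will break inline
// scripts and third-party resources: start with
// Content-Security-Policy-Report-Only on a test route if you are unsure
// what the site loads. Values are illustrative defaults, not a recommendation.
const SECURITY_HEADERS = {
  "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
  "Content-Security-Policy":
    "default-src 'self'; frame-ancestors 'none'; upgrade-insecure-requests",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};

// Headers that leak server details and serve no purpose for the client.
const HEADERS_TO_REMOVE = [
  "Server",
  "X-Powered-By",
  "X-AspNet-Version",
  "X-AspNetMvc-Version",
];

// Hypothetical path prefix for pages that are meant to be framed by a
// partner site. Route patterns in the dashboard only support * wildcards,
// so per-path exceptions like this one live in the script itself.
const FRAMEABLE_PATH = /^\/embed\//;
const FRAMEABLE_CSP =
  "default-src 'self'; frame-ancestors https://partner.example";

function addSecurityHeaders(originResponse, pathname = "/") {
  // A Response returned by fetch() has immutable headers, so copy it first.
  // Passing the original Response as the init keeps its status, statusText
  // and headers while streaming the same body through.
  const response = new Response(originResponse.body, originResponse);

  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    response.headers.set(name, value);
  }

  if (FRAMEABLE_PATH.test(pathname)) {
    // Drop the blanket DENY and restrict framing to the named origin only.
    response.headers.delete("X-Frame-Options");
    response.headers.set("Content-Security-Policy", FRAMEABLE_CSP);
  }

  for (const name of HEADERS_TO_REMOVE) {
    response.headers.delete(name);
  }
  return response;
}

async function handleRequest(request) {
  const { pathname } = new URL(request.url);
  const originResponse = await fetch(request);
  return addSecurityHeaders(originResponse, pathname);
}

// Service Worker style entry point used by the Cloudflare Workers runtime.
// The guard lets the same file be loaded in Node for testing, where no
// global addEventListener exists.
if (typeof addEventListener === "function") {
  addEventListener("fetch", (event) => {
    event.respondWith(handleRequest(event.request));
  });
}
```

Attach the script to a route such as `example.com/*`, then check the result with `curl -sI https://example.com/` and look for the added headers. Deleting `Server` inside the Worker has no visible effect because Cloudflare's edge sets its own `server: cloudflare` header on every proxied response after the Worker has returned; the removal still matters for headers such as `X-Powered-By`, which Cloudflare passes through unchanged.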
As you can see, the whole implementation takes about 15 minutes, and unlike Apache or Nginx it needs no downtime or service restart. If you plan to apply this to a production site, test it first in a lower environment, or attach the Worker to a route that only covers test pages and verify the results there. Once you are satisfied, extend the route to wherever you want.
Chandan Kumar is the founder of Geekflare. He has helped millions to excel in the digital realm. Passionate about technology, he is on a mission to explore the world and amplify growth for professionals and businesses.