Are Cloudflare Page Rules still working?

Yes — existing Page Rules still work. But Cloudflare deprecated them in 2024 and recommends migrating to the new rule types. New accounts have limited Page Rules.

What replaced Page Rules for adding security headers?

Transform Rules (Modify Response Headers) replace the header modification functionality of Page Rules. They are more powerful and support more operators.

Can I add CORS headers with Transform Rules?

Yes — add Access-Control-Allow-Origin and other CORS headers as response header modifications in Transform Rules.

Headers

Cloudflare Page Rules vs Transform Rules — Which to Use for Headers

Updated April 2026

 Reading this? Verify your fix live. Scan your headers → HeadersFixer

Cloudflare deprecated Page Rules in 2024. If you have security headers or CORS headers configured in Page Rules, they still work — but the migration path is Transform Rules, and new features are only in the newer system.

What replaced Page Rules

Old (Page Rules)	New equivalent
Add response headers	Transform Rules → Modify Response Headers
Redirect	Redirect Rules
Cache level / TTL	Cache Rules
Browser integrity check	Configuration Rules
Forwarding URL	Redirect Rules

Add security headers with Transform Rules

# Cloudflare Dashboard:
# Rules → Transform Rules → Modify Response Headers → Create Rule

# Example: Add X-Frame-Options to all pages
Rule name: Security Headers
When: Hostname equals yourapp.com
Then: Set header: X-Frame-Options = SAMEORIGIN Set header: X-Content-Type-Options = nosniff Set header: Referrer-Policy = strict-origin-when-cross-origin

Transform Rules — Set vs Add

# SET: overwrites existing header value (use to avoid duplicates)
# ADD: appends to existing header (use only if no existing value)

# For security headers — always use SET
# This prevents duplicate headers if your origin also sends them

Add CORS headers with Transform Rules

# Rule for CORS
When: Hostname equals api.yourapp.com
Then: Set header: Access-Control-Allow-Origin = https://yourapp.com Set header: Access-Control-Allow-Methods = GET, POST, PUT, DELETE, OPTIONS Set header: Access-Control-Allow-Headers = Authorization, Content-Type Set header: Vary = Origin

Add Cache-Control with Cache Rules

# Rules → Cache Rules → Create Rule
When: File extension is in [js, css, png, jpg, woff2]
Cache settings: Eligible for cache: Yes Edge TTL: 1 year Browser TTL: 1 year Serve stale: Yes (while revalidating)

Page Rules migration checklist

1. Identify all existing Page Rules: Dashboard → Rules → Page Rules

2. For each rule, identify its type: - Header modification → Transform Rules - Redirect → Redirect Rules - Cache settings → Cache Rules

3. Recreate in the new system
4. Test with HeadersFixer and curl
5. Disable (not delete) old Page Rules
6. After 30 days with no issues — delete old Page Rules

Why Transform Rules are better

Support for more operators (regex, complex conditions)
Can be ordered — rules process in sequence
Wildcard and regex URL matching
No limit on the number of rules (Page Rules were limited)
Works with Workers (Page Rules did not interact cleanly with Workers)

Scan your headers → HeadersFixer

Check if your domain is on the HSTS preload list → HSTS Preload Checker