Fix Missing Security Headers on Cloudflare

Cloudflare terminates TLS for many sites, so it’s the right place to enforce Strict-Transport-Security and a baseline Content-Security-Policy before traffic hits your origin. Transform Rules can set static response headers per hostname or path without origin changes.

Edge headers apply globally and propagate quickly, which also means mistakes affect every user—roll out in report-only CSP mode first when migrating policies. Pair with Page Rules or Cache Rules only where they do not strip security headers.
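A header audit for the rollout described above, as an added example that is not part of the original page or of any Cloudflare or HeadersFixer tooling. It classifies a response's headers as missing HSTS or CSP, still in report-only mode, or enforced. The sample responses are constructed, and the 180-day HSTS minimum and the finding codes are assumptions of this example.

```python
import re

# Constructed sample responses (header name -> value), as seen at the edge.
SAMPLES = {
    "no-rule": {"Content-Type": "text/html"},
    "rollout": {
        "strict-transport-security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy-Report-Only": "default-src 'self'; report-uri /csp-report",
    },
    "enforced": {
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'",
    },
    "weak-hsts": {
        "Strict-Transport-Security": "max-age=0",
        "Content-Security-Policy": "default-src 'self'",
    },
}

MIN_HSTS_AGE = 15552000  # assumed threshold for this example: 180 days


def audit(headers, min_age=MIN_HSTS_AGE):
    """Return a sorted list of finding codes for one response's headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("hsts-missing")
    else:
        m = re.search(r"(?:^|;)\s*max-age\s*=\s*\"?(\d+)", hsts, re.I)
        if m is None:
            findings.append("hsts-no-max-age")
        elif int(m.group(1)) < min_age:
            findings.append("hsts-max-age-too-short")
    enforced = h.get("content-security-policy")
    report_only = h.get("content-security-policy-report-only")
    if enforced is None and report_only is None:
        findings.append("csp-missing")
    elif enforced is None:
        findings.append("csp-report-only")  # fine during rollout, not the end state
        if not re.search(r"(?:^|;)\s*report-(?:uri|to)\s", report_only, re.I):
            findings.append("csp-report-only-without-reporting")
    return sorted(findings)


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        print(name, audit(hdrs) or "ok")
```

Running the same audit on responses from paths covered by other rules shows whether any of them dropped the headers the edge rule set.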

See also Cloudflare provider hub. HeadersFixer detects your current header gaps from a live fetch.
