Fix Missing Security Headers on Cloudflare
Last updated: April 2026
Cloudflare does not add security headers by default. Add them using Transform Rules (no code) or Workers (full control). Transform Rules is the recommended approach for most sites.
Transform Rules → no code required
Cloudflare Dashboard → Your domain → Rules → Transform Rules → Modify Response Header → Create rule.
Add each header as a Set action:
Header: Strict-Transport-Security
Value: max-age=31536000; includeSubDomains
Header: X-Frame-Options
Value: SAMEORIGIN
Header: X-Content-Type-Options
Value: nosniff
Header: Referrer-Policy
Value: strict-origin-when-cross-origin
Header: Permissions-Policy
Value: camera=(), microphone=(), geolocation=()
Cloudflare Worker → full control
export default {
  async fetch(request, env) {
    // Pass the request through to the origin unchanged.
    const response = await fetch(request);
    // Headers on a fetched Response are immutable, so copy them first.
    const newHeaders = new Headers(response.headers);
    newHeaders.set('Strict-Transport-Security', 'max-age=31536000; includeSubDomains');
    newHeaders.set('X-Frame-Options', 'SAMEORIGIN');
    newHeaders.set('X-Content-Type-Options', 'nosniff');
    newHeaders.set('Referrer-Policy', 'strict-origin-when-cross-origin');
    newHeaders.set('Permissions-Policy', 'camera=(), microphone=(), geolocation=()');
    // Adjust the CSP to match what your pages actually load; this baseline
    // blocks inline scripts, plugins and framing by any other site.
    newHeaders.set('Content-Security-Policy',
      "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; frame-ancestors 'none'; object-src 'none'");
    // Return the origin body and status with the modified header set.
    return new Response(response.body, {
      status: response.status,
      statusText: response.statusText,
      headers: newHeaders,
    });
  }
};
HSTS → Cloudflare built-in toggle
Cloudflare Dashboard → SSL/TLS → Edge Certificates → HTTP Strict Transport Security (HSTS). Enable and set max-age. Start with 5 minutes before increasing to 1 year.
⚠ Do not enable HSTS preload until all subdomains support HTTPS. Removing a domain from the preload list takes 6-12 months.
Verify your headers
curl -sI https://yoursite.com | grep -iE "strict|x-frame|x-content|referrer|permissions|content-security"
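The curl command above only shows which headers are present. To check the values as well, here is an added JavaScript example that is not part of this page or of Cloudflare's code: it parses a raw header block such as `curl -sI` output and reports each recommended header that is missing or weaker than the values given above (HSTS max-age below one year or without includeSubDomains, X-Frame-Options other than DENY/SAMEORIGIN, a CSP without frame-ancestors). It assumes Node 18 or later; the two sample header blocks are constructed, not captured from a real site, and the function names are my own.

```javascript
// Added example, not from the page: audit a header block against the
// values this page recommends, reporting headers that are missing or weaker
// than recommended. Works on `curl -sI` output (Node 18+) or, inside a Worker,
// on any object with a case-insensitive get(), such as response.headers.

const ONE_YEAR = 31536000;

// Per-header checks: return null when acceptable, otherwise a short reason.
const CHECKS = {
  'strict-transport-security': (v) => {
    const m = /max-age=(\d+)/i.exec(v);
    if (!m) return 'no max-age directive';
    if (Number(m[1]) < ONE_YEAR) return `max-age ${m[1]} is below ${ONE_YEAR} (1 year)`;
    if (!/includeSubDomains/i.test(v)) return 'includeSubDomains not set';
    return null;
  },
  'x-frame-options': (v) =>
    /^(DENY|SAMEORIGIN)$/i.test(v.trim()) ? null : `unexpected value "${v}"`,
  'x-content-type-options': (v) =>
    v.trim().toLowerCase() === 'nosniff' ? null : `expected nosniff, got "${v}"`,
  'referrer-policy': (v) => (v.trim() ? null : 'empty value'),
  'permissions-policy': (v) => (v.trim() ? null : 'empty value'),
  'content-security-policy': (v) =>
    /frame-ancestors/i.test(v) ? null : 'no frame-ancestors directive',
};

// Parse raw `curl -sI` output into a Map keyed by lowercased header name.
// The status line and blank lines contain no ':' and are skipped.
function parseRawHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(':');
    if (idx <= 0) continue;
    headers.set(line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim());
  }
  return headers;
}

// Returns a list of findings; an empty list means every header passed.
function auditSecurityHeaders(headers) {
  const findings = [];
  for (const [name, check] of Object.entries(CHECKS)) {
    const value = headers.get(name);
    // Map.get gives undefined, Headers.get gives null: treat both as missing.
    if (value === undefined || value === null) {
      findings.push({ header: name, status: 'missing' });
      continue;
    }
    const reason = check(value);
    if (reason) findings.push({ header: name, status: 'weak', reason });
  }
  return findings;
}

// Constructed sample: a site before any rule is applied (HSTS still at the
// 5-minute starting value, most headers absent).
const SAMPLE_BEFORE = [
  'HTTP/2 200',
  'content-type: text/html; charset=utf-8',
  'strict-transport-security: max-age=300',
  'x-content-type-options: nosniff',
  'server: cloudflare',
].join('\n');

// Constructed sample: the same site after the Worker above is deployed.
const SAMPLE_AFTER = [
  'HTTP/2 200',
  'content-type: text/html; charset=utf-8',
  'strict-transport-security: max-age=31536000; includeSubDomains',
  'x-frame-options: SAMEORIGIN',
  'x-content-type-options: nosniff',
  'referrer-policy: strict-origin-when-cross-origin',
  'permissions-policy: camera=(), microphone=(), geolocation=()',
  "content-security-policy: default-src 'self'; frame-ancestors 'none'",
  'server: cloudflare',
].join('\n');

// Print a short report for the "before" sample; the "after" sample yields no findings.
for (const f of auditSecurityHeaders(parseRawHeaders(SAMPLE_BEFORE))) {
  console.log(`${f.status.padEnd(7)} ${f.header}${f.reason ? ': ' + f.reason : ''}`);
}
```

To run it against a live site, pipe `curl -sI https://yoursite.com` into a file and pass its contents to parseRawHeaders; the same auditSecurityHeaders function can be called on response.headers inside a Worker to confirm the rule fired before the response leaves the edge.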