Implementing Security Headers with Cloudflare - An Administrator’s Guide

Implementing Security Headers with Cloudflare - An Administrator’s Guide
5 min read

Browser-enforced security headers remain a critical layer of defence, even when application and server hardening are in place. HTTP security headers mitigate common client-side risks such as clickjacking, referrer leakage, MIME sniffing, and excessive browser feature access.

Cloudflare enables administrators to apply these controls at the edge, removing the need to coordinate origin configuration changes across servers, applications, or teams.

This guide covers:

  • Edge-based deployment using Transform Rules and Cloudflare Workers
  • Operational considerations for administrators
  • Validation and rollback strategies
  • Introducing a default Content Security Policy (CSP) in environments where none currently exists

Why Enforce Security Headers at the Edge?

For administrators responsible for multiple applications or environments, origin-level header management introduces avoidable risk:

  • Configuration drift between servers
  • Application reloads or restarts
  • Delayed remediation due to development cycles
  • Inconsistent enforcement across environments

Cloudflare’s edge allows you to:

  • Centralise security policy independently of origin stacks
  • Deploy instantly without server changes
  • Override unsafe origin headers when remediation is pending
  • Scope enforcement by hostname, path, or request attributes
  • Maintain auditability through rule history and versioning

This approach is particularly valuable where origin access is restricted or shared.

Method 1: Transform Rules (Preferred Baseline)

Transform Rules are the lowest-risk and most predictable way to deploy security headers. They are declarative, static, and managed entirely through Cloudflare’s UI or API.

Implementation Workflow

  1. Navigate to Transform Rules dash.cloudflare.com → Select Zone → RulesTransform RulesModify Response Header (Response Header Transform Rules)

  2. Create a rule Use a consistent naming convention:

    SEC-HEADERS-GLOBAL-001

  3. Define scope

    • Use All incoming requests for site-wide enforcement
    • Or limit by hostname or path for staged rollout

  4. Set baseline headers

    Set static:
- Permissions-Policy: geolocation=(), microphone=(), camera=()
- Referrer-Policy: strict-origin-when-cross-origin
- X-Content-Type-Options: nosniff

  5. Deploy Changes propagate globally within seconds. No origin reloads or restarts are required.

Administrative Notes

  • Execution order Transform Rules run during the response phase and are evaluated sequentially. Ensure later rules do not overwrite security headers unintentionally.

  • Replacement behaviour Set static replaces origin headers with the same name. Always audit current origin output first:

    curl -I https://yourdomain.com | grep -E "Permissions-Policy|Referrer-Policy|X-Frame-Options|Content-Security-Policy"

  • Rule limits Consolidate related headers into a single rule to reduce rule count per zone.

Introducing Content Security Policy (CSP)

If your environment does not currently deploy a Content Security Policy, this represents a significant gap in browser-level protection. CSP governs where scripts, styles, images, frames, and other resources may load from, and provides stronger controls than legacy headers alone.

CSP can be introduced incrementally at the edge, without modifying application code.

Default CSP for Initial Deployment

For environments without an existing CSP, start with a conservative, non-breaking baseline:

Content-Security-Policy:
  default-src 'self';
  script-src 'self';
  style-src 'self';
  img-src 'self' data:;
  font-src 'self';
  connect-src 'self';
  frame-ancestors 'none';
  base-uri 'self';
  object-src 'none';

This policy:

  • Restricts all resources to the same origin by default
  • Blocks framing entirely (frame-ancestors 'none')
  • Disables legacy plugin content
  • Avoids inline script restrictions initially to reduce breakage risk

Deploying CSP via Transform Rules

Add CSP as an additional Set static header:

Set static:
- Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; font-src 'self'; connect-src 'self'; frame-ancestors 'none'; base-uri 'self'; object-src 'none'

This enforces framing control without relying on X-Frame-Options, which is now secondary when CSP is present.

CSP and X-Frame-Options Interaction

When CSP is deployed:

  • frame-ancestors takes precedence in modern browsers
  • X-Frame-Options becomes redundant

For clarity and audit simplicity:

  • Retain X-Frame-Options temporarily during rollout
  • Remove it once CSP behaviour is verified across environments

Method 2: Cloudflare Workers (Context-Aware Policies)

Use Workers only when CSP or other headers must vary by path, hostname, or request attributes.

Example Worker Snippet

export default {
  async fetch(request) {
    const response = await fetch(request);
    const secured = new Response(response.body, response);

    secured.headers.set(
      'Content-Security-Policy',
      "default-src 'self'; script-src 'self'; style-src 'self'; img-src 'self' data:; frame-ancestors 'none'; object-src 'none'"
    );

    secured.headers.set(
      'Referrer-Policy',
      'strict-origin-when-cross-origin'
    );

    return secured;
  }
};

Workers should be treated as code changes, with appropriate review and rollback procedures.

Validation and Monitoring

Validation

curl -sI https://staging.example.com | grep -iE "content-security-policy|permissions|referrer"

For CSP:

  • Monitor browser console for violations
  • Expect initial warnings in complex front-end applications

Cache Behaviour

Response headers are not part of Cloudflare’s cache key. However:

  • Cached responses generated before deployment may persist
  • New responses will include updated headers immediately

Purge only if previously cached HTML must be reissued with CSP applied.

Administrative Rollout Strategy

  1. Stage CSP on non-production hostname
  2. Deploy baseline CSP without inline restrictions
  3. Monitor browser console and error tracking
  4. Gradually tighten policy if required
  5. Remove redundant legacy headers once stable

Choosing the Right Enforcement Method

RequirementTransform RulesWorkers
Static CSP
Conditional CSP
Lowest operational risk
UI-managed rollout

Operational guidance: Start with Transform Rules. Introduce Workers only when CSP must vary by request context.

Further notes

Introducing CSP at the edge allows administrators to close a long-standing browser security gap without server-level change risk.

When combined with Permissions-Policy and Referrer-Policy, CSP provides a meaningful improvement in client-side protection while preserving operational control.

Related post