Web security headers are crucial in protecting your site and its visitors from various types of attacks such as cross-site scripting (XSS), clickjacking, and other code injection attacks. This repository provides a Cloudflare Worker script to dynamically add, modify, and remove HTTP headers for enhancing the security of any website.
There are headers like Content Security Policy, Strict Transport Security, Referrer Policy and several more.
Each of them serves a specific function and allows you, as a website operator, to give your visitors a safer browsing experience.
Adjusting security headers typically requires access to server configurations or direct insertion via application code, which might not be feasible on all hosting platforms. Cloudflare Workers offers a flexible and powerful way to manipulate HTTP responses at the edge, close to your users, without needing traditional server access.
This project demonstrates how to utilize Workers to improve your site's security posture significantly by implementing recommended security practices through HTTP headers.
To manage Cloudflare Workers, you first need to install Wrangler, Cloudflare's official CLI for working with Workers:
```shell
npm install -g @cloudflare/wrangler
```
Authenticate Wrangler with your Cloudflare account by running:
```shell
wrangler login
```
This command will open a web browser asking you to log in with your Cloudflare account and authorize Wrangler.
Create a new Worker project by running:
```shell
wrangler generate my-security-headers-worker
cd my-security-headers-worker
```
Edit `index.js` and, if needed, `wrangler.toml` to configure your project and specify deployment settings.
Once your script is ready, you can publish it to Cloudflare's edge using:
```shell
wrangler publish
```
This basic setup can be expanded based on specific security needs.
```javascript
// Headers set on every response to harden it
let securityHeaders = {
  'Content-Security-Policy': 'upgrade-insecure-requests',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
}

// Headers replaced with a generic value instead of being removed
let sanitiseHeaders = {
  Server: 'My Custom Server',
}

// Headers that disclose the origin's software stack
let removeHeaders = ['Server', 'X-Powered-By', 'X-AspNet-Version']

addEventListener('fetch', event => {
  event.respondWith(handleRequest(event.request))
})

async function handleRequest(request) {
  let response = await fetch(request)
  // response.headers is immutable; copy it into a mutable Headers object
  let newHeaders = new Headers(response.headers)

  // Remove headers that disclose sensitive information. This runs first so
  // that a header listed both here and in sanitiseHeaders (e.g. Server) ends
  // up with the replacement value instead of being deleted afterwards.
  removeHeaders.forEach(header => {
    newHeaders.delete(header)
  })

  // Apply security headers
  Object.entries(securityHeaders).forEach(([name, value]) => {
    newHeaders.set(name, value)
  })

  // Modify or add specific headers
  Object.entries(sanitiseHeaders).forEach(([name, value]) => {
    newHeaders.set(name, value)
  })

  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers: newHeaders,
  })
}
```
This example demonstrates how to enforce a strict CSP by specifying allowed script sources:
```javascript
securityHeaders['Content-Security-Policy'] = "default-src 'self'; script-src 'self' https://trustedscripts.example.com";
```
Instead of revealing the server software and version, replace the Server header with a generic value so the backend cannot be fingerprinted from it:
```javascript
sanitiseHeaders['Server'] = 'SecureServer';
```
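The script above and the two snippets after it, as an added example that is not part of this repository: the same transform written as a pure function over a Headers object so the resulting policy can be unit-tested locally before deploying, with the CSP built from a directive map and an option to ship it as Content-Security-Policy-Report-Only during rollout. The `SecureServer` value and `https://trustedscripts.example.com` are taken from the page, the sample origin headers are constructed, and the code assumes a runtime with a global `Headers` class (Node 18+ or Workers).

```javascript
// Added example (not the project's code): a pure, unit-testable form of the
// header transform, so the policy can be checked without deploying a Worker.
// Assumes a runtime with the global Headers class (Node 18+ or Workers).

// Serialise a structured CSP so directives cannot be mistyped in one long string.
function buildCsp(directives) {
  return Object.entries(directives)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ')
}

const csp = buildCsp({
  'default-src': ["'self'"],
  'script-src': ["'self'", 'https://trustedscripts.example.com'],
  'object-src': ["'none'"],
  'frame-ancestors': ["'none'"],
})

const securityHeaders = {
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
}
const removeHeaders = ['Server', 'X-Powered-By', 'X-AspNet-Version']
const sanitiseHeaders = { Server: 'SecureServer' }

// Returns a new Headers object; the input is left untouched.
// cspReportOnly: send the policy as Content-Security-Policy-Report-Only first,
// so browsers log violations (and report them if an endpoint is configured)
// without blocking anything; switch to the enforcing header once reports are clean.
function transformHeaders(original, { cspReportOnly = false } = {}) {
  const h = new Headers(original)
  // Remove first, so the replacement Server value set below survives.
  removeHeaders.forEach(name => h.delete(name))
  Object.entries(securityHeaders).forEach(([name, value]) => h.set(name, value))
  h.set(cspReportOnly ? 'Content-Security-Policy-Report-Only'
                      : 'Content-Security-Policy', csp)
  Object.entries(sanitiseHeaders).forEach(([name, value]) => h.set(name, value))
  return h
}

// Constructed sample of an origin response's headers (not captured from a real site).
const sampleOrigin = new Headers({
  'Content-Type': 'text/html; charset=utf-8',
  Server: 'Apache/2.4.41',
  'X-Powered-By': 'PHP/7.4',
})
```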
- More information about Security Headers
- Content Security Policy (CSP)
- Strict-Transport-Security
- Referrer-Policy
- Introducing Cloudflare Workers: Run JavaScript Service Workers at the Edge
- Cloudflare Docs - Workers
This project is released under the MIT License.