
How to Fix Security Headers via Cloudflare

If your site is behind Cloudflare, you can add every security header our Security Audit checks for at the edge — without touching your origin server. Cloudflare Transform Rules apply the headers at every PoP globally; Cloudflare's SSL/TLS dashboard handles HSTS and TLS configuration. This guide covers the full set: six HTTP security headers, modern TLS, security.txt, all configured from the Cloudflare dashboard.

1. Enable HSTS via the SSL/TLS dashboard

Cloudflare has a dedicated HSTS toggle that handles the header globally — don't add HSTS via Transform Rules, use the dedicated control.

Step 1
Navigate to HSTS settings
Cloudflare dashboard → your domain → SSL/TLS → Edge Certificates → HTTP Strict Transport Security (HSTS). Click Enable HSTS.
Step 2
Configure HSTS values
Recommended:
  • Max-Age Header: 12 months (the preload-list requirement)
  • Apply HSTS policy to subdomains (includeSubDomains): On
  • Preload: On
  • No-Sniff Header: On (adds X-Content-Type-Options at no extra cost)
Save. The change propagates within seconds.
⚠️ HSTS preload is a one-way commitment. Once browsers cache the preload, removing HTTPS for any subdomain breaks everything. Test with 6-month max-age first; only enable preload after you're confident.

2. Add the other five headers via Transform Rules

X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy and Content-Security-Policy all go into a single Transform Rule for clean management.

Step 1
Create the rule
Dashboard → your domain → Rules → Transform Rules → Modify Response Header → Create rule.

Rule name: Security headers
When incoming requests match: All incoming requests (or scope to hostname eq "yourdomain.com" for tighter control)
Then: the header modifications, added one at a time in Step 2
Step 2
Add Set actions for each header
Click + Add modification five times. Each gets:

Action: Set static
Header name: (one of below)
Value: (corresponding value)
X-Frame-Options              SAMEORIGIN
X-Content-Type-Options       nosniff
Referrer-Policy              strict-origin-when-cross-origin
Permissions-Policy           geolocation=(), microphone=(), camera=()
Content-Security-Policy      default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; frame-ancestors 'self'
Click Deploy. Headers apply globally within seconds. The Content-Security-Policy value above is a conservative starting point: it allows scripts only from your own origin and blocks inline scripts, so any page that loads third-party scripts or uses inline handlers will break until those sources are added. To see what would break before enforcing, set the same value under the header name Content-Security-Policy-Report-Only first and watch the browser console for violations.
💡 Cloudflare Free plan limit is 10 Modify Response Header rules. One rule with 5 modifications counts as ONE rule — you have room for 9 more rules on Free.

3. Configure minimum TLS version

Step 1
Set TLS minimum
Dashboard → SSL/TLS → Edge Certificates → Minimum TLS Version. Pick:
  • TLS 1.2 — recommended default; supports ~99% of clients
  • TLS 1.3 — stricter; supports ~95% of clients; consider for high-security needs
SSL/TLS Recommender (above the Minimum TLS Version setting) auto-suggests the safest setting based on your traffic. Trust it.
Step 2
Verify with SSL Labs
Run SSL Labs SSL Test. With Cloudflare + HSTS preload + TLS 1.2 minimum, you should hit A+ without further work.

4. Serve security.txt

Cloudflare doesn't have a dedicated security.txt feature. Two clean options:

Option A: Origin file

Create /.well-known/security.txt on your origin server (see the nginx or Apache guides for the file content and Content-Type configuration). Cloudflare proxies it through.

Option B: Cloudflare Worker (no origin needed)

Step 1
Create a Worker
Dashboard → Workers & Pages → Create application → Create Worker. Name it security-txt. Paste:
export default {
  async fetch(request) {
    const url = new URL(request.url);
    // Serve security.txt from the edge; the route added in Step 2 sends only this path here
    if (url.pathname === "/.well-known/security.txt") {
      return new Response(
        "Contact: mailto:security@yourdomain.com\n" +
        "Expires: 2027-05-18T00:00:00.000Z\n" + // RFC 9116 requires Expires; update it before this date passes
        "Preferred-Languages: en\n" +
        "Canonical: https://yourdomain.com/.well-known/security.txt\n",
        { headers: { "content-type": "text/plain; charset=utf-8" } }
      );
    }
    // Any other request passes through to the origin unchanged
    return fetch(request);
  }
};
Deploy.
Step 2
Add a route
Worker settings → Triggers → Routes → Add route:
Route: yourdomain.com/.well-known/security.txt
Zone: your domain

5. Verify

curl -sI https://yourdomain.com/ | grep -iE "strict-transport|x-frame|x-content|referrer|permissions|content-security"
curl -sI https://yourdomain.com/.well-known/security.txt
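A stricter check than the two curl lines above, added here as an example and not part of the original guide: a POSIX shell function that reads the raw headers from curl -sI (or from the constructed samples at the bottom) and reports each of the six headers as ok, MISSING or WEAK. It assumes only sh, grep, sed and tr; yourdomain.com is the guide's placeholder.

```shell
# Added example (not from the original guide): a stricter check than the curl | grep above.
# Reads raw response headers from stdin, prints ok / MISSING / WEAK for each of the six
# headers this guide configures, and returns 1 if any is not ok.
# Usage: curl -sI https://yourdomain.com/ | check_headers   (yourdomain.com = the guide's placeholder)

# header NAME: first value of header NAME (case-insensitive) in $HDRS
header() { printf '%s\n' "$HDRS" | grep -i "^$1:" | head -n 1 | sed 's/^[^:]*:[[:space:]]*//'; }
# report STATUS NAME [REASON]: print one result line; anything but ok fails the run
report() { if [ "$1" = ok ]; then echo "ok $2"; else echo "$1 $2${3:+: $3}"; RC=1; fi; }

check_headers() {
  HDRS=$(tr -d '\r'); RC=0                        # strip CR so values compare cleanly
  h=$(header strict-transport-security)
  age=$(printf '%s' "$h" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  if [ -z "$h" ]; then report MISSING strict-transport-security
  elif [ "${age:-0}" -lt 31536000 ]; then report WEAK strict-transport-security "max-age under 1 year (preload needs 31536000)"
  elif ! printf '%s' "$h" | grep -qi includesubdomains; then report WEAK strict-transport-security "no includeSubDomains"
  else report ok strict-transport-security; fi
  h=$(header x-content-type-options)
  if [ -z "$h" ]; then report MISSING x-content-type-options
  elif ! printf '%s' "$h" | grep -qi '^nosniff$'; then report WEAK x-content-type-options "expected nosniff, got $h"
  else report ok x-content-type-options; fi
  case "$(header x-frame-options | tr 'a-z' 'A-Z')" in
    DENY|SAMEORIGIN) report ok x-frame-options ;;
    "") report MISSING x-frame-options ;;
    *) report WEAK x-frame-options "expected DENY or SAMEORIGIN" ;;
  esac
  case "$(header referrer-policy | tr 'A-Z' 'a-z')" in
    "") report MISSING referrer-policy ;;
    unsafe-url|no-referrer-when-downgrade) report WEAK referrer-policy "sends the full URL to other origins" ;;
    *) report ok referrer-policy ;;
  esac
  if [ -n "$(header permissions-policy)" ]; then report ok permissions-policy; else report MISSING permissions-policy; fi
  h=$(header content-security-policy)
  if [ -z "$h" ]; then report MISSING content-security-policy
  elif ! printf '%s' "$h" | grep -qiE '(^|;)[[:space:]]*(default-src|script-src)[[:space:]]'; then report WEAK content-security-policy "no default-src or script-src, so scripts are unrestricted"
  else report ok content-security-policy; fi
  return $RC
}

# Constructed sample dumps (not real captures): SAMPLE_GOOD matches this guide's settings;
# SAMPLE_WEAK has a 6-month HSTS max-age, a leaky Referrer-Policy and no CSP.
SAMPLE_GOOD=$(printf '%s\n' 'strict-transport-security: max-age=31536000; includeSubDomains; preload' \
  'x-frame-options: SAMEORIGIN' 'x-content-type-options: nosniff' 'referrer-policy: strict-origin-when-cross-origin' \
  'permissions-policy: geolocation=(), microphone=(), camera=()' \
  "content-security-policy: default-src 'self'; script-src 'self'; frame-ancestors 'self'")
SAMPLE_WEAK=$(printf '%s\n' 'strict-transport-security: max-age=15768000' 'x-frame-options: SAMEORIGIN' \
  'x-content-type-options: nosniff' 'referrer-policy: no-referrer-when-downgrade' 'permissions-policy: geolocation=()')
```

Run printf '%s\n' "$SAMPLE_WEAK" | check_headers to see the three findings the weak sample produces, then point the same function at your live site.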

🛡 Re-run the audit

Verify every header is at the edge with a fresh scan.
