How to Add Security Headers in Cloudflare (Step-by-Step)
Security headers are one of the most effective ways to protect your website from Clickjacking, Cross-Site Scripting (XSS), and downgrade attacks. But modifying your origin server's `.htaccess` or Nginx config can be terrifying.
If you use Cloudflare, you don't have to touch your origin server at all. You can inject these headers directly at the Edge using Transform Rules.
Which Headers Should You Add?
Before we build the rule, here are the core headers every small business website should enforce:
- X-Frame-Options: SAMEORIGIN (Prevents Clickjacking by stopping other sites from embedding yours in an iframe).
- X-Content-Type-Options: nosniff (Stops browsers from guessing MIME types, mitigating some XSS vectors).
- Referrer-Policy: strict-origin-when-cross-origin (Protects user privacy when they click outbound links).
- Strict-Transport-Security: max-age=31536000; includeSubDomains (Forces HTTPS. *Note: Only add this if you are 100% sure your site fully supports HTTPS*).
Step-by-Step Instructions
1. Navigate to Transform Rules
Log into your Cloudflare dashboard, select your domain, and look at the left-hand sidebar. Click on Rules, and then select Transform Rules.
2. Create an HTTP Response Header Rule
Click on the HTTP Response Header Modification tab. Click the blue "Create rule" button.
3. Configure the Matching Criteria
Name the rule something memorable, like "Security Headers". Under the matching criteria, select "All incoming requests".
4. Inject the Headers
Under "Modify response header", the dropdown offers "Set static" and "Set dynamic". Choose "Set static" for these headers, since each one has a fixed value.
- Header name: X-Frame-Options | Value: SAMEORIGIN
- Header name: X-Content-Type-Options | Value: nosniff
- Header name: Referrer-Policy | Value: strict-origin-when-cross-origin
Click Deploy.
You can instantly check if your new rule is working using our Free Security Header Scanner.
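If you would rather verify the rule from a script than from a web scanner, here is an added Python checker; it is an example written for this post, not code from Cloudflare or from SecScout's scanner. It takes the response headers of a page and reports whether each of the four headers from the list above carries the expected value, including the max-age and includeSubDomains directives of Strict-Transport-Security, and then turns the result into an A-F grade. The two sample responses are constructed inline so the script runs offline; the `fetch_headers` helper and the grading scale are my own assumptions about how you would wire this up against a live site.

```python
"""Check that a site's response headers match the security-header rule
built in the walkthrough.  Added example; not Cloudflare or SecScout code."""
from __future__ import annotations

import urllib.request
from typing import Dict, Optional

# Expected static values, exactly as entered in the Transform Rule.
EXPECTED = {
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}
HSTS_MIN_AGE = 31536000  # one year, the value used in the article


def _normalize(headers: Dict[str, str]) -> Dict[str, str]:
    """Header names are case-insensitive, so compare on lowercased, stripped names."""
    return {name.strip().lower(): value.strip() for name, value in headers.items()}


def check_hsts(value: Optional[str]) -> str:
    """Return 'ok', 'missing', or a short reason why the HSTS value is too weak."""
    if value is None:
        return "missing"
    directives: Dict[str, str] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip()
    if not directives.get("max-age", "").isdigit():
        return "invalid max-age"
    if int(directives["max-age"]) < HSTS_MIN_AGE:
        return "max-age below one year"
    if "includesubdomains" not in directives:
        return "missing includeSubDomains"
    return "ok"


def check_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Return a per-header status: 'ok', 'missing', or 'unexpected: <value>'."""
    h = _normalize(headers)
    result: Dict[str, str] = {}
    for name, want in EXPECTED.items():
        got = h.get(name)
        if got is None:
            result[name] = "missing"
        elif got.lower() == want.lower():
            result[name] = "ok"
        else:
            result[name] = f"unexpected: {got}"
    result["strict-transport-security"] = check_hsts(h.get("strict-transport-security"))
    return result


def grade(result: Dict[str, str]) -> str:
    """Assumed scale: A with every header ok, one letter down per failing header, F at four."""
    failures = sum(1 for status in result.values() if status != "ok")
    return "ABCDF"[min(failures, 4)]


def fetch_headers(url: str) -> Dict[str, str]:
    """Convenience helper for a live site; the offline samples below do not use it."""
    request = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(request) as response:
        return dict(response.headers.items())


# Constructed sample: the rule is deployed and HSTS was added as well.
GOOD_RESPONSE = {
    "Content-Type": "text/html",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}

# Constructed sample: the rule was removed and only the origin's own weak values remain.
DRIFTED_RESPONSE = {
    "Content-Type": "text/html",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Strict-Transport-Security": "max-age=300",
}

if __name__ == "__main__":
    for label, sample in (("deployed", GOOD_RESPONSE), ("drifted", DRIFTED_RESPONSE)):
        findings = check_headers(sample)
        print(f"{label}: grade {grade(findings)} {findings}")
```

Point `fetch_headers` at your own domain once the rule is deployed and pass the result to `check_headers`; a header reported as "missing" after you clicked Deploy usually means the rule's matching criteria did not cover that URL.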
You added the headers today. But what happens if another admin accidentally deletes the rule?
We see it all the time. A "quick fix" or a temporary configuration change wipes out your security headers, and nobody notices until the next penetration test (or worse, a breach).
This is known as Security Drift. Instead of manually checking your headers every month, let SecScout do it automatically. We monitor your domain every week and email you an A-F grade report. If a header disappears, we warn you immediately. Automate your security monitoring for just $10/month.