Problem
Missing security headers expose site to XSS, clickjacking, and protocol downgrade attacks.
Current status:
- ❌ Strict-Transport-Security (HSTS) - Missing
- ❌ Content-Security-Policy - Missing
- ❌ X-Content-Type-Options - Missing
- ❌ X-XSS-Protection - Missing
- ✅ X-Frame-Options: SAMEORIGIN - Present
Solution
Configure in Cloudflare Dashboard → Rules → Transform Rules → Modify Response Header
Add these headers:
Strict-Transport-Security: max-age=31536000; includeSubDomains
X-Content-Type-Options: nosniff
X-XSS-Protection: 1; mode=block
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
Testing
curl -I https://entethalliance.org/ | grep -iE 'strict-transport|x-content|x-xss|referrer'

Rollback
Delete the rules in Cloudflare dashboard (1 minute)
No code changes required
This is purely Cloudflare configuration.
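The curl-and-grep check in the Testing section only shows whether a header name appears; it does not confirm the values are the ones the Solution section specifies, and it skips the headers that were already present. Below is an added example (not part of this issue or of any Cloudflare tooling) that encodes the header values from the Solution section as expected values and reports each header as ok, weak, or missing. The `BEFORE` and `AFTER` responses are constructed samples, not captures from entethalliance.org; `fetch_headers` is a hypothetical helper for running the same audit against a live URL. Note that `X-XSS-Protection` is still checked here because the issue lists it, but current browsers ignore that header, so its presence adds nothing a Content-Security-Policy would not.

```python
"""Audit the HTTP security headers an origin returns.

Added example, not part of the original issue. The expected values below
are taken from the issue's Solution section plus the two headers its
status list mentions (X-Frame-Options, Content-Security-Policy). A
response is modelled as a dict of header name -> value; BEFORE and AFTER
are constructed samples, not captured from any real site.
"""
import re
from urllib.request import Request, urlopen

# One year, as in the issue's Strict-Transport-Security value.
ONE_YEAR = 31536000


def _hsts_ok(value):
    """HSTS counts as ok only with max-age >= one year and includeSubDomains."""
    m = re.search(r"max-age=(\d+)", value)
    return bool(m) and int(m.group(1)) >= ONE_YEAR and "includesubdomains" in value.lower()


def _permissions_ok(value):
    compact = value.replace(" ", "")
    return all(f"{feat}=()" in compact for feat in ("geolocation", "microphone", "camera"))


# Header name -> predicate deciding whether the returned value is acceptable.
EXPECTED = {
    "Strict-Transport-Security": _hsts_ok,
    "X-Content-Type-Options": lambda v: v.strip().lower() == "nosniff",
    "X-XSS-Protection": lambda v: v.replace(" ", "").lower() == "1;mode=block",
    "Referrer-Policy": lambda v: v.strip().lower() == "strict-origin-when-cross-origin",
    "Permissions-Policy": _permissions_ok,
    "X-Frame-Options": lambda v: v.strip().upper() in ("SAMEORIGIN", "DENY"),
    # The issue lists CSP as missing but does not specify a policy, so any
    # non-empty value is accepted here; tighten this once a policy is chosen.
    "Content-Security-Policy": lambda v: bool(v.strip()),
}


def audit_headers(headers):
    """Return {header: 'ok' | 'weak' | 'missing'}; lookup is case-insensitive."""
    lowered = {k.lower(): v for k, v in headers.items()}
    result = {}
    for name, check in EXPECTED.items():
        value = lowered.get(name.lower())
        if value is None:
            result[name] = "missing"
        elif check(value):
            result[name] = "ok"
        else:
            result[name] = "weak"
    return result


def missing(headers):
    """Sorted list of expected headers absent from the response."""
    return sorted(n for n, s in audit_headers(headers).items() if s == "missing")


def fetch_headers(url, timeout=10):
    """Hypothetical live check: HEAD the URL and return its headers as a dict."""
    req = Request(url, method="HEAD", headers={"User-Agent": "header-audit/1.0"})
    with urlopen(req, timeout=timeout) as resp:
        return dict(resp.getheaders())


# Constructed sample matching the issue's "Current status" list.
BEFORE = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}

# Constructed sample of the same origin after the Transform Rule is applied.
AFTER = dict(BEFORE, **{
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "1; mode=block",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "geolocation=(), microphone=(), camera=()",
})

if __name__ == "__main__":
    import sys
    hdrs = fetch_headers(sys.argv[1]) if len(sys.argv) > 1 else AFTER
    for name, status in audit_headers(hdrs).items():
        print(f"{status:8s} {name}")
```

Run with a URL argument to audit a live origin, or without one to see the result for the constructed AFTER sample, which still reports Content-Security-Policy as missing because the Solution section does not add one.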