{"id":21340244,"url":"https://github.com/mnestorov/security-headers-cloudflare-worker","last_synced_at":"2026-01-24T17:01:07.691Z","repository":{"id":111493917,"uuid":"376535373","full_name":"mnestorov/security-headers-cloudflare-worker","owner":"mnestorov","description":"Cloudflare Worker script to dynamically add, modify, and remove HTTP headers for enhancing the security of any website.","archived":false,"fork":false,"pushed_at":"2024-08-16T08:51:52.000Z","size":13,"stargazers_count":2,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-04-19T09:53:23.266Z","etag":null,"topics":["clickjacking","cloudflare","code","codeinjection","cors","headers","http","security-headers","workers","wrangler","xss","xss-filter"],"latest_commit_sha":null,"homepage":"","language":null,"has_issues":false,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mnestorov.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null}},"created_at":"2021-06-13T12:15:59.000Z","updated_at":"2024-08-16T08:54:32.000Z","dependencies_parsed_at":null,"dependency_job_id":"877426b9-736d-4350-aaf1-9870ffdc6051","html_url":"https://github.com/mnestorov/security-headers-cloudflare-worker","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/mnestorov/security-headers-cloudflare-worker","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mnestorov%2Fsecurity-headers-cloudflare-worker","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mnestorov%2
Fsecurity-headers-cloudflare-worker/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mnestorov%2Fsecurity-headers-cloudflare-worker/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mnestorov%2Fsecurity-headers-cloudflare-worker/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mnestorov","download_url":"https://codeload.github.com/mnestorov/security-headers-cloudflare-worker/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mnestorov%2Fsecurity-headers-cloudflare-worker/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28732216,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-24T10:24:43.181Z","status":"ssl_error","status_checked_at":"2026-01-24T10:24:36.112Z","response_time":89,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["clickjacking","cloudflare","code","codeinjection","cors","headers","http","security-headers","workers","wrangler","xss","xss-filter"],"created_at":"2024-11-22T00:49:50.018Z","updated_at":"2026-01-24T17:01:07.675Z","avatar_url":"https://github.com/mnestorov.png","language":null,"funding_links":[],"categories":[],"sub_categories":[],"readme":"# Security Headers for Cloudflare 
Worker\n\n[![Licence](https://img.shields.io/github/license/mnestorov/security-headers-cloudflare-worker?style=for-the-badge)](./LICENSE)\n\n## Overview\n\nHTTP security headers help protect your site and its visitors from attacks such as **cross-site scripting (XSS)**, **clickjacking**, and other **code injection** attacks. This repository provides a **Cloudflare Worker** script to dynamically add, modify, and remove HTTP response headers to enhance the security of any website.\n\nThere are headers like **[Content Security Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)**, **[Strict Transport Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)**, **[Referrer Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy)** and several more.\n\nEach of them serves a specific function and allows you, as a website operator, to give your visitors a safer browsing experience.\n\n## Description\n\nAdjusting security headers typically requires access to the server configuration or direct insertion via application code, which might not be feasible on all hosting platforms. Cloudflare Workers offer a flexible way to manipulate HTTP responses at the edge, close to your users, without traditional server access.\n\nThis project demonstrates how to use Workers to improve your site's security posture by implementing recommended security practices through HTTP headers. Note that the Worker only rewrites headers on responses that pass through it: it must be bound to a route covering the pages you want to protect, and it does not change what the origin actually serves.\n\n## Setup and Usage with Wrangler\n\n### Installing Wrangler\n\nTo manage Cloudflare Workers, you first need to install [Wrangler](https://developers.cloudflare.com/workers/wrangler/), Cloudflare's official CLI for working with Workers. The current package is `wrangler` (the older `@cloudflare/wrangler` package is the deprecated v1 CLI):\n\n```bash\nnpm install -g wrangler\n```\n\n### Authenticating Wrangler\n\nAuthenticate Wrangler with your Cloudflare account by running:\n\n```bash\nwrangler login\n```\n\nThis command opens a web browser asking you to log in with your Cloudflare account and authorize Wrangler.\n\n### Creating a Worker\n\nCreate a new Worker project (the `wrangler generate` command of Wrangler v1 has been replaced by the `create-cloudflare` scaffolder):\n\n```bash\nnpm create cloudflare@latest my-security-headers-worker\ncd my-security-headers-worker\n```\n\n### Developing the Worker\n\nEdit the Worker script named by the `main` field of `wrangler.toml` (for example `src/index.js`) and `wrangler.toml` itself to configure your project and specify deployment settings such as the route the Worker runs on. `wrangler dev` runs the Worker locally so you can inspect the rewritten headers with `curl -I` before deploying.\n\n### Publishing the Worker\n\nOnce your script is ready, deploy it to Cloudflare's edge (`wrangler publish` is the deprecated v1/v2 name of the same command):\n\n```bash\nwrangler deploy\n```\n\n## Examples\n\n### Simplified example of a Cloudflare Worker script that applies several security headers\n\nThis basic setup can be expanded based on specific security needs. Two caveats: `preload` on `Strict-Transport-Security` is only appropriate if you intend to submit the domain to the HSTS preload list, because removal from that list takes months; and the script deletes disclosure headers before it sets replacements, otherwise the custom `Server` value would be removed again immediately.\n\n```javascript\nlet securityHeaders = {\n    'Content-Security-Policy': 'upgrade-insecure-requests',\n    'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',\n    'X-Frame-Options': 'DENY',\n    'X-Content-Type-Options': 'nosniff',\n    'Referrer-Policy': 'strict-origin-when-cross-origin',\n}\n\nlet sanitiseHeaders = {\n    Server: 'My Custom Server',\n}\n\nlet removeHeaders = ['Server', 'X-Powered-By', 'X-AspNet-Version']\n\naddEventListener('fetch', event =\u003e {\n    event.respondWith(handleRequest(event.request))\n})\n\nasync function handleRequest(request) {\n    let response = await fetch(request)\n    // Copy the headers: the headers of a fetched response are immutable\n    let newHeaders = new Headers(response.headers)\n\n    // Remove headers that disclose server software. This runs first so that\n    // the replacement values set below are not deleted again.\n    removeHeaders.forEach(header =\u003e {\n        newHeaders.delete(header)\n    })\n\n    // Apply security headers, overriding any value sent by the origin\n    Object.entries(securityHeaders).forEach(([name, value]) =\u003e {\n        newHeaders.set(name, value)\n    })\n\n    // Modify or add specific headers, e.g. a generic Server value\n    Object.entries(sanitiseHeaders).forEach(([name, value]) =\u003e {\n        newHeaders.set(name, value)\n    })\n\n    return new Response(response.body, {\n        status: response.status,\n        statusText: response.statusText,\n        headers: newHeaders,\n    })\n}\n```\n\n### Enforcing Content Security Policy for Script Sources\n\nThis example demonstrates how to **enforce a strict CSP** by specifying allowed script sources. Roll a new policy out as `Content-Security-Policy-Report-Only` first and review the violation reports, because an enforced policy blocks every inline script and third-party asset it does not allow:\n\n```javascript\nsecurityHeaders['Content-Security-Policy'] = \"default-src 'self'; script-src 'self' https://trustedscripts.example.com\";\n```\n\n### Customizing the Server Header\n\nInstead of revealing the server software, replace it with a generic value. This only removes an easy fingerprint; it does not stop an attacker from identifying the server by other means, so treat it as defence in depth rather than a control:\n\n```javascript\nsanitiseHeaders['Server'] = 'SecureServer';\n```\n\n## Useful links\n\n- [More information about Security Headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers#security)\n- [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP)\n- [Strict-Transport-Security](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security)\n- [Referrer-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Referrer-Policy)\n- [Introducing Cloudflare Workers: Run JavaScript Service Workers at the Edge](https://blog.cloudflare.com/introducing-cloudflare-workers/)\n- [Cloudflare Docs - Workers](https://developers.cloudflare.com/workers/)\n\n---\n\n## License\n\nThis project is released under the MIT License.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmnestorov%2Fsecurity-headers-cloudflare-worker","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmnestorov%2Fsecurity-headers-cloudflare-worker","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmnestorov%2Fsecurity-headers-cloudflare-worker/lists"}
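The following is a worked example added to this record; it is not code from the mnestorov/security-headers-cloudflare-worker repository. It rewrites the README's Worker in the ES-module style that current Wrangler projects use and adds the checks a practitioner would want: disclosure headers are deleted before replacements are set (so a custom `Server` value survives), document-only headers (`Content-Security-Policy`, `X-Frame-Options`) are set only on `text/html` responses rather than on images or JSON, and a `CSP_REPORT_ONLY` variable switches the policy to `Content-Security-Policy-Report-Only` for a safe roll-out. The `CSP_REPORT_ONLY` binding, the `SecureServer` value and the script host `https://trustedscripts.example.com` are assumed placeholders, and the handler is kept in a `worker` object so that the pure `buildHeaders` function can be unit-tested without `fetch()`.

```javascript
// Added example, not the repository's own code: a module-syntax Worker applying
// the README's header policy with three refinements a practitioner would want.
// Assumed placeholders: the CSP_REPORT_ONLY variable (set under [vars] in
// wrangler.toml), the Server value and https://trustedscripts.example.com.

// Safe on every response type (images, JSON and fonts included).
const ALWAYS_HEADERS = {
  // Add "; preload" only if you will submit the domain to the HSTS preload list.
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

// Only meaningful on HTML documents; pointless on assets.
const DOCUMENT_HEADERS = { 'X-Frame-Options': 'DENY' };
const CSP =
  "default-src 'self'; script-src 'self' https://trustedscripts.example.com; " +
  "frame-ancestors 'none'; upgrade-insecure-requests";

// Deleted first, so that the replacement Server value below survives.
const REMOVE_HEADERS = ['Server', 'X-Powered-By', 'X-AspNet-Version', 'X-AspNetMvc-Version'];
const REPLACE_HEADERS = { Server: 'SecureServer' }; // assumed placeholder value

function isHtml(headers) {
  return (headers.get('content-type') || '').toLowerCase().startsWith('text/html');
}

// Pure function over a Headers object: the part worth unit-testing.
function buildHeaders(originHeaders, { reportOnly = false } = {}) {
  // Headers of a fetched response are immutable in Workers, so copy them.
  const h = new Headers(originHeaders);
  for (const name of REMOVE_HEADERS) h.delete(name);
  for (const [name, value] of Object.entries(ALWAYS_HEADERS)) h.set(name, value);
  for (const [name, value] of Object.entries(REPLACE_HEADERS)) h.set(name, value);
  if (isHtml(h)) {
    for (const [name, value] of Object.entries(DOCUMENT_HEADERS)) h.set(name, value);
    // Report-only mode lets you read violation reports before enforcing.
    h.set(reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy', CSP);
  }
  return h;
}

const worker = {
  async fetch(request, env) {
    const response = await fetch(request);
    const headers = buildHeaders(response.headers, {
      // CSP_REPORT_ONLY = "true" under [vars] in wrangler.toml (assumed binding)
      reportOnly: Boolean(env) && env.CSP_REPORT_ONLY === 'true',
    });
    return new Response(response.body, {
      status: response.status,
      statusText: response.statusText,
      headers,
    });
  },
};
// In the Worker entry point this object is exported: export default worker;
```

Bind the Worker to a route that covers the HTML pages you want protected; flip `CSP_REPORT_ONLY` to `"false"` only after the report-only period shows no legitimate violations.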