HTTP
In order of preference, set these headers in:
- project code
- default.conf file, if the project includes a Docker image running nginx
- _headers file, if hosting a static site on Cloudflare Pages
- deploy repository, if the project runs third-party code, like WordPress
X-Content-Type-Options
If not already set (for example, via SECURE_CONTENT_TYPE_NOSNIFF in Django), set the header to:
nosniff
Strict-Transport-Security (HSTS)
If not already set (for example, via SECURE_HSTS_SECONDS in Django), set the header to:
max-age=31536000; includeSubdomains; preload
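
One way to check that a response carries the two values above, wherever they were set. This is an added example, not part of the original page; the names parse_hsts, audit_headers, GOOD and WEAK are hypothetical, and the sample responses are constructed.

```python
REQUIRED_MAX_AGE = 31536000  # the max-age value given on this page

def parse_hsts(value):
    """Split an HSTS value into {directive: argument-or-None}; None if a
    directive repeats, which makes the header invalid (RFC 6797)."""
    directives = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()  # directive names are case-insensitive
        if not name:
            continue
        if name in directives:
            return None
        directives[name] = arg.strip().strip('"') or None
    return directives

def audit_headers(headers):
    """Return a list of findings; an empty list means both headers match."""
    h = {k.lower(): v for k, v in headers.items()}  # header names: any case
    findings = []
    xcto = h.get("x-content-type-options")
    if xcto is None:
        findings.append("X-Content-Type-Options missing")
    elif xcto.strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        return findings + ["Strict-Transport-Security missing"]
    d = parse_hsts(hsts)
    if d is None:
        return findings + ["Strict-Transport-Security repeats a directive"]
    max_age = d.get("max-age") or ""
    if not (max_age.isascii() and max_age.isdigit()) or int(max_age) < REQUIRED_MAX_AGE:
        findings.append("HSTS max-age below 31536000")
    for flag in ("includesubdomains", "preload"):
        if flag not in d:
            findings.append(f"HSTS {flag} directive missing")
    return findings

# Constructed sample responses (not captured from a real site).
GOOD = {"X-Content-Type-Options": "nosniff",
        "Strict-Transport-Security": "max-age=31536000; includeSubdomains; preload"}
WEAK = {"x-content-type-options": "nosniff",
        "strict-transport-security": "max-age=300"}

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, audit_headers(sample) or "ok")
```

Pass audit_headers the header mapping from any HTTP client response to run the same check against a deployed site.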