Merged
Expand Up @@ -14,11 +14,12 @@ This page lists the available Managed Transforms. They can modify HTTP request h
file="snippets-alternative"
params={{ suffix: "and customized header modifications" }}
/>
<br />

:::caution
The names of HTTP headers are case-insensitive. Cloudflare may use a capitalization different from the one presented in this page. Make sure that your origin server can handle HTTP request headers regardless of the exact capitalization of their names.
:::
## Important remarks

- Enabling a Managed Transform may cause issues in your website. You should test any changes in a staging environment. If you detect any undesired or unexpected behavior, consider disabling the Managed Transform and creating a partial implementation using your own transform rule.

- The names of HTTP headers are case-insensitive. Cloudflare may use a capitalization different from the one presented in this page. Make sure that your origin server can handle HTTP request headers regardless of the exact capitalization of their names.

## HTTP request headers

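Review bot: The case-insensitivity sentence appears twice in this hunk, once inside the `:::caution` block and once as the second bullet under `## Important remarks`; the rendered view has lost its +/- markers, so confirm that only one copy remains in the final file. If the bullet is the one that stays, consider keeping it as a callout, since an origin that matches header names case-sensitively will not see the headers these transforms add when the capitalization differs. Also, `<br />` after the snippet component is raw HTML used for spacing, and `## Important remarks` follows the closing `:::` with no blank line between them; a blank line in both places would be more consistent with the rest of the file.
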
Expand Down Expand Up @@ -72,7 +73,7 @@ Adds HTTP headers with location information for the visitor's IP address to the
- `cf-postal-code`: The visitor's postal code (value from the [`ip.src.postal_code`](/ruleset-engine/rules-language/fields/reference/ip.src.postal_code/) field).
- `cf-timezone`: The name of the visitor's timezone (value from the [`ip.src.timezone.name`](/ruleset-engine/rules-language/fields/reference/ip.src.timezone.name/) field).

:::caution
:::note
Turning on [IP geolocation](/network/ip-geolocation/) will send a `cf-ipcountry` HTTP header to your origin server even when **Add visitor location headers** is turned off.
:::

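Review bot: `:::caution` and `:::note` appear as consecutive openers above the `cf-ipcountry` sentence with a single closing `:::`, so check that exactly one opener remains in the final file. The sentence describes a header that reaches the origin while **Add visitor location headers** is turned off; whichever admonition type is kept, it would help to add that turning this Managed Transform off does not by itself stop location data from being sent to the origin, and that readers who do not want the header should review the IP geolocation setting as well.
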
Expand Down Expand Up @@ -153,6 +154,10 @@ Removes the `X-Powered-By` HTTP response header that provides information about

### Add security headers

:::note
Adding the following security headers may have an impact on your website, such as blocking resources or triggering certificate errors. If you find any issues, try disabling the Managed Transform to isolate the possible cause.
:::

Adds several security-related HTTP response headers. The added response headers and values are the following:

- `x-content-type-options: nosniff`
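
Review bot: The new `:::note` under `### Add security headers` names two symptoms (blocked resources, certificate errors) without saying which header causes which, and it sits above the sentence that introduces the header list, so readers meet the warning before they know what is being added. Suggest moving it below the list and tying each symptom to a header, for example `x-content-type-options: nosniff` for resources served with an incorrect `Content-Type`. The advice to "try disabling the Managed Transform" could also point back to the staging recommendation under `## Important remarks`, so it does not read as a suggestion to troubleshoot in production.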