Implementing Cloudflare Transform Rules for Custom Security Headers
Implementing Cloudflare Transform Rules for custom security headers requires precise edge-level configuration so that HTTP response policies are enforced before traffic reaches clients. Unlike the legacy Page Rules approach to header manipulation, modern deployments use the http_response_headers_modify phase for deterministic, rule-based injection. Because this phase runs after the origin has responded, the headers persist regardless of backend stack limitations or misconfigurations.
Direct Answer: How Transform Rules Inject Headers
Cloudflare Transform Rules execute at the edge to modify HTTP responses before delivery to the client. The architecture relies on the HTTP Response Headers phase for deterministic, rule-based header injection. This method operates post-origin, ensuring headers persist regardless of backend stack limitations or misconfigurations.
- Edge execution model & phase precedence: Rules trigger in the http_response_headers_modify phase, executing after the origin response is generated but before client delivery.
- Deprecation of legacy methods: Legacy header manipulation via Page Rules is deprecated. Transform Rules provide deterministic evaluation order and JSON-based configuration.
- Conditional routing: Leverage Cloudflare's rule language (http.request.uri.path, cf.tls_version, http.request.uri.query) to apply headers conditionally based on traffic patterns or client fingerprints.
Exact Configuration Syntax & Deployment
Deploy headers via the Cloudflare API or dashboard using the Modify Response Header action. The rule evaluates against a specified expression and applies operations (set, add, remove, append) to the response payload. For enterprise deployments, reference the broader Server & Platform Implementation Guides to align edge rules with origin security baselines.
API Endpoint & Payload:
POST /zones/{zone_id}/rulesets/{ruleset_id}/rules
Content-Type: application/json
Authorization: Bearer {API_TOKEN}
{
  "action": "rewrite",
  "expression": "true",
  "description": "Inject strict security headers",
  "action_parameters": {
    "headers": {
      "Strict-Transport-Security": {"operation": "set", "value": "max-age=31536000; includeSubDomains; preload"},
      "Content-Security-Policy": {"operation": "set", "value": "default-src 'self'; script-src 'self'; object-src 'none'"},
      "X-Frame-Options": {"operation": "set", "value": "DENY"},
      "X-Content-Type-Options": {"operation": "set", "value": "nosniff"},
      "Referrer-Policy": {"operation": "set", "value": "strict-origin-when-cross-origin"}
    }
  }
}
Security Implications:
- Using set overwrites origin headers; use add to preserve application-specific directives.
- CSP must exclude unsafe-inline and unsafe-eval to prevent XSS bypass.
- HSTS preload requires a valid certificate chain and HTTPS-only origin traffic.
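The following is an added example, not Cloudflare's code or part of the original article. It builds the single-rule body for the Rulesets API in the documented shape (action "rewrite", action_parameters.headers keyed by header name) and, before emitting it, applies the two policy checks from the list above: the CSP must not allow 'unsafe-inline' or 'unsafe-eval', and the HSTS value must meet the preload requirements (max-age of at least one year, includeSubDomains, preload). The header values are the ones from the payload above; the one-year minimum is the hstspreload.org requirement.

```python
"""Build and lint a Cloudflare Modify Response Header rule body.

Added example, not Cloudflare's code. Assumes the Rulesets API rule shape
(action "rewrite", action_parameters.headers keyed by header name) and adds
two local policy checks: no 'unsafe-inline'/'unsafe-eval' in the CSP, and an
HSTS value that satisfies the preload-list requirements.
"""
import json
import re

# Header values taken from the article's payload.
SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

FORBIDDEN_CSP_SOURCES = ("unsafe-inline", "unsafe-eval")
PRELOAD_MIN_MAX_AGE = 31536000  # one year, the hstspreload.org minimum


def lint_csp(value: str) -> list[str]:
    """Return problems found in a CSP value; an empty list means it is clean."""
    problems = []
    for directive in value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        # Source expressions are quoted in CSP ('self', 'unsafe-inline', ...).
        name, sources = tokens[0], {t.strip("'") for t in tokens[1:]}
        for bad in FORBIDDEN_CSP_SOURCES:
            if bad in sources:
                problems.append(f"{name} allows '{bad}'")
    return problems


def lint_hsts(value: str) -> list[str]:
    """Return problems that would keep an HSTS value off the preload list."""
    problems = []
    directives = [d.strip().lower() for d in value.split(";") if d.strip()]
    match = re.fullmatch(r"max-age=(\d+)", directives[0]) if directives else None
    if match is None or int(match.group(1)) < PRELOAD_MIN_MAX_AGE:
        problems.append(f"max-age must be at least {PRELOAD_MIN_MAX_AGE}")
    if "includesubdomains" not in directives:
        problems.append("includeSubDomains is missing")
    if "preload" not in directives:
        problems.append("preload is missing")
    return problems


def build_rule(headers: dict[str, str], expression: str = "true",
               operation: str = "set",
               description: str = "Inject strict security headers") -> dict:
    """Return one rule body for the http_response_headers_modify phase.

    'set' overwrites whatever the origin sent; 'add' keeps an origin header and
    appends a second instance, so callers who need origin directives preserved
    pass operation="add" and check for duplicates afterwards.
    """
    if operation not in ("set", "add"):
        raise ValueError("operation must be 'set' or 'add'")
    problems = []
    if "Content-Security-Policy" in headers:
        problems += lint_csp(headers["Content-Security-Policy"])
    if "Strict-Transport-Security" in headers:
        problems += lint_hsts(headers["Strict-Transport-Security"])
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "action": "rewrite",
        "expression": expression,
        "description": description,
        "action_parameters": {
            "headers": {name: {"operation": operation, "value": value}
                        for name, value in headers.items()},
        },
    }


if __name__ == "__main__":
    # Body for POST /zones/{zone_id}/rulesets/{ruleset_id}/rules
    print(json.dumps(build_rule(SECURITY_HEADERS), indent=2))
```

A conditional rule is the same call with a rules-language expression instead of "true", for example one built on http.request.uri.path; the builder does not validate the expression, Cloudflare does that when the rule is submitted.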
Verification & Diagnostic Commands
Validate rule execution using cache-bypass requests and header parsing. Confirm propagation before enabling production caching.
Diagnostic Commands:
curl -sI https://example.com/path -H 'Cache-Control: no-cache' | grep -iE 'strict-transport|content-security|x-frame|x-content-type|referrer-policy'
curl -sI -o /dev/null -w 'HTTP_CODE:%{http_code} REDIRECTS:%{num_redirects}' https://example.com
# List the rules deployed in the phase by fetching its entry point ruleset
curl -s -H "Authorization: Bearer $API_TOKEN" "https://api.cloudflare.com/client/v4/zones/$ZONE_ID/rulesets/phases/http_response_headers_modify/entrypoint"
Validation Steps:
- Confirm HTTP 200 with exact header casing and values.
- Verify zero duplicate headers via curl -sI https://example.com/path | grep -ic '^<header-name>:' (the count should be exactly 1; a higher count means the origin and the edge both emitted the header).
- Check the Cloudflare dashboard Transform Rules audit log for rule execution count and error flags.
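The checks in the validation steps (status 200, exact values, no duplicate instances) can be run over a captured curl -sI response instead of by eye. The following is an added example, not part of the original article: the two responses are constructed to resemble what curl prints for a site behind Cloudflare, the duplicate one showing what the collision case described later (origin and edge both emitting X-Frame-Options) looks like on the wire.

```python
"""Check a captured `curl -sI` response for the injected security headers.

Added example, not from the article. The two responses below are constructed
to resemble what `curl -sI https://example.com/path` prints once the rule is
live; pass '-' as the first argument to read a real curl capture from stdin.
"""
import sys

# Expected values from the article's rule. Names are compared
# case-insensitively (HTTP/2 lowercases them); values are compared exactly.
REQUIRED = {
    "strict-transport-security": "max-age=31536000; includeSubDomains; preload",
    "content-security-policy": "default-src 'self'; script-src 'self'; object-src 'none'",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
}

# Constructed sample: the origin's X-Frame-Options was not removed before the
# edge added its own, so the header appears twice with conflicting values.
SAMPLE_DUPLICATE = (
    "HTTP/2 200 \r\n"
    "date: Mon, 01 Jan 2024 00:00:00 GMT\r\n"
    "content-type: text/html; charset=utf-8\r\n"
    "x-frame-options: SAMEORIGIN\r\n"
    "strict-transport-security: max-age=31536000; includeSubDomains; preload\r\n"
    "content-security-policy: default-src 'self'; script-src 'self'; object-src 'none'\r\n"
    "x-frame-options: DENY\r\n"
    "x-content-type-options: nosniff\r\n"
    "referrer-policy: strict-origin-when-cross-origin\r\n"
    "server: cloudflare\r\n"
    "\r\n"
)

# Constructed sample: the same response after a Remove-then-Set rule order.
SAMPLE_CLEAN = SAMPLE_DUPLICATE.replace("x-frame-options: SAMEORIGIN\r\n", "")


def parse_head(raw: str) -> tuple[int, dict[str, list[str]]]:
    """Parse the status line and headers, keeping every value of a repeated header."""
    lines = raw.replace("\r\n", "\n").split("\n")
    status = int(lines[0].split()[1])
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def check_response(raw: str) -> list[str]:
    """Return findings for one response; an empty list means the policy holds."""
    status, headers = parse_head(raw)
    findings = []
    if status != 200:
        findings.append(f"unexpected status {status}")
    for name, expected in REQUIRED.items():
        values = headers.get(name, [])
        if not values:
            findings.append(f"{name}: missing")
        elif len(values) > 1:
            findings.append(f"{name}: {len(values)} instances {values}")
        elif values[0] != expected:
            findings.append(f"{name}: got {values[0]!r}")
    return findings


if __name__ == "__main__":
    raw = sys.stdin.read() if sys.argv[1:] == ["-"] else SAMPLE_DUPLICATE
    for finding in check_response(raw) or ["all required headers present, single-valued and exact"]:
        print(finding)
```

Usage against a live zone: curl -sI https://example.com/path | python check_headers.py - (the file name is an assumption). A non-empty findings list is the signal to stop before enabling production caching.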
Edge Cases, Conflicts & Rollback Procedures
Address common failure modes including origin header collisions, cached stale responses, and API rate limits during bulk updates.
Edge Cases:
- Origin sends conflicting headers: Cloudflare evaluates rules sequentially; prepend a Remove action before Set to prevent duplication.
- Cached responses bypass edge rules: Purge cache via API or dashboard before validation.
- Rule evaluation limits: Max 100 rules per ruleset; consolidate multiple headers into a single Modify Response Header action.
Rollback Procedure:
- Disable rule via API: PATCH /zones/{zone_id}/rulesets/{ruleset_id}/rules/{rule_id} with body {"enabled": false}
- Or delete the rule: DELETE /zones/{zone_id}/rulesets/{ruleset_id}/rules/{rule_id}
- Verify origin fallback headers are intact using the diagnostic curl command.
- Monitor error rates in Cloudflare Analytics for 15 minutes post-rollback.