Cloudflare Docs
Edit this page on GitHub
Set theme to dark (⇧+D)


​​ Attach a header

To attach headers to Cloudflare Pages responses, create a _headers plain text file in the output folder of your project. It is usually the folder that contains the deploy-ready HTML files and assets generated by the build, such as favicons. Changes to headers will be updated to your website at build time. Make sure you commit and push the file to trigger a new build each time you update headers.

Header rules are defined in multi-line blocks. The first line of a block is the URL or URL pattern where the rule’s headers should be applied. On the next line, an indented list of header names and header values must be written:

[name]: [value]

Using absolute URLs is supported, though be aware that absolute URLs must begin with https and specifying a port is not supported. Cloudflare Pages ignores the incoming request’s port and protocol when matching against an incoming request. For example, a rule like would match against requests to other://

You can define as many [name]: [value] pairs as you require on subsequent lines. For example:

# This is a comment
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Access-Control-Allow-Origin: *
X-Robots-Tag: nosnippet*
X-Robots-Tag: noindex

An incoming request which matches multiple rules’ URL patterns will inherit all rules’ headers. Using the previous _headers file, the following requests will have the following headers applied:

Request URLHeaders
https://custom.domain/secure/pageX-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
https://custom.domain/static/image.jpgAccess-Control-Allow-Origin: *
X-Robots-Tag: nosnippet noindex DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
X-Robots-Tag: noindex *
X-Robots-Tag: nosnippet, noindex

A project is limited to 100 header rules. Each line in the _headers file has a 2,000 character limit. The entire line, including spacing, header name, and value, counts towards this limit.

If a header is applied twice in the _headers file, the values are joined with a comma separator. Headers defined in the _headers file override what Cloudflare Pages ordinarily sends, so be aware when setting security headers. Cloudflare reserves the right to attach new headers to Pages projects at any time in order to improve performance or harden the security of your deployments.

​​ Detach a header

You may wish to remove a header which has been added by a more pervasive rule. This can be done by prepending an exclamation mark !.

Content-Security-Policy: default-src 'self';
! Content-Security-Policy

​​ Match a path

The same URL matching features that _redirects offers is also available to the _headers file. Note, however, that redirects are applied before headers, when a request matches both a redirect and a header, the redirect takes priority.

​​ Splats

When matching, a splat pattern — signified by an asterisk (*) — will greedily match all characters. You may only include a single splat in the URL.

The matched value can be referenced within the header value as the :splat placeholder.

​​ Placeholders

A placeholder can be defined with :placeholder_name. A colon (:) followed by a letter indicates the start of a placeholder and the placeholder name that follows must be composed of alphanumeric characters and underscores (:[A-Za-z]\w*). Every named placeholder can only be referenced once. Placeholders match all characters apart from the delimiter, which when part of the host, is a period (.) or a forward-slash (/) and may only be a forward-slash (/) when part of the path.

Similarly, the matched value can be used in the header values with :placeholder_name.

x-movie-name: You are watching ":title"

​​ Examples

​​ Cross-Origin Resource Sharing (CORS)

To enable other domains to fetch every asset from your Pages project, the following can be added to the _headers file:

Access-Control-Allow-Origin: *

This applies the Access-Control-Allow-Origin header to any incoming URL. To be more restrictive, you can define a URL pattern that applies to a * subdomain, which then only allows access from its staging branch’s subdomain:


​​ Prevent your deployments showing in search results

Google and other search engines often support the X-Robots-Tag header to instruct its crawlers how your website should be indexed.

For example, to prevent your * deployment from being indexed, add the following to your _headers file:

X-Robots-Tag: noindex

​​ Harden security for an application

You can prevent click-jacking by informing browsers not to embed your application inside another (for example, with an <iframe>) with a X-Frame-Options header.

X-Content-Type-Options: nosniff prevents browsers from interpreting a response as any other content-type than what is defined with the Content-Type header.

Referrer-Policy allows you to customize how much information visitors give about where they are coming from when they navigate away from your page.

Browser features can be disabled to varying degrees with the Permissions-Policy header (recently renamed from Feature-Policy).

If you need fine-grained control over your application’s content, the Content-Security-Policy header allows you to configure a number of security settings, including similar controls to the X-Frame-Options header.

X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
Permissions-Policy: document-domain=()
Content-Security-Policy: script-src 'self'; frame-ancestors 'none';