Attach a header
To attach headers to Cloudflare Pages responses, create a
_headers plain text file in the output folder of your project. It is usually the folder that contains the deploy-ready HTML files and assets generated by the build, such as favicons. Changes to headers will be updated to your website at build time. Make sure you commit and push the file to trigger a new build each time you update headers.
Header rules are defined in multi-line blocks. The first line of a block is the URL or URL pattern where the rule’s headers should be applied. On the next line, an indented list of header names and header values must be written:
You can define as many
[name]: [value] pairs as you require on subsequent lines. For example:
# This is a comment/secure/pageX-Frame-Options: DENYX-Content-Type-Options: nosniffReferrer-Policy: no-referrer/static/*Access-Control-Allow-Origin: *X-Robots-Tag: nosnippethttps://myproject.pages.dev/*X-Robots-Tag: noindex
An incoming request which matches multiple rules’ URL patterns will inherit all rules’ headers. Using the previous
_headers file, the following requests will have the following headers applied:
A project is limited to 100 header rules. Each line in the
_headers file has a 1,000 character limit. The entire line, including spacing, header name, and value, counts towards this limit.
If a header is applied twice in the
_headers file, the values are joined with a comma separator. Headers defined in the
_headers file override what Cloudflare Pages ordinarily sends, so be aware when setting security headers. Cloudflare reserves the right to attach new headers to Pages projects at any time in order to improve performance or harden the security of your deployments.
Detach a header
You may wish to remove a header which has been added by a more pervasive rule. This can be done by prepending an exclamation mark
/*Content-Security-Policy: default-src 'self';/*.jpg! Content-Security-Policy
Match a path
The same URL matching features that
_redirects offers is also available to the
_headers file. Note, however, that redirects are applied before headers, when a request matches both a redirect and a header, the redirect takes priority.
When matching, a splat pattern — signified by an asterisk (
*) — will greedily match all characters. You may only include a single splat in the URL.
The matched value can be referenced within the header value as the
A placeholder can be defined with
:placeholder_name. A colon (
:) indicates the start of a placeholder and the name that follows must be composed of alphanumeric characters and underscores (
:\w+). Every named placeholder can only be referenced once. Placeholders match all characters apart from the delimiter, which when part of the host, is a period (
.) or a forward-slash (
/) and may only be a forward-slash (
/) when part of the path.
Similarly, the matched value can be used in the header values with
/movies/:titlex-movie-name: You are watching ":title"
Cross-Origin Resource Sharing (CORS)
To enable other domains to fetch every asset from your Pages project, the following can be added to the
This applies the
Access-Control-Allow-Origin header to any incoming URL. To be more restrictive, you can define a URL pattern that applies to a
*.pages.dev subdomain, which then only allows access from its
staging branch’s subdomain:
Prevent your pages.dev deployments showing in search results
Google and other search engines often support the
X-Robots-Tag header to instruct its crawlers how your website should be indexed.
For example, to prevent your
*.pages.dev deployment from being indexed, add the following to your
Harden security for an application
You can prevent click-jacking by informing browsers not to embed your application inside another (for example, with an
<iframe>) with a
X-Content-Type-Options: nosniff prevents browsers from interpreting a response as any other content-type than what is defined with the
Referrer-Policy allows you to customize how much information visitors give about where they are coming from when they navigate away from your page.
Browser features can be disabled to varying degrees with the
Permissions-Policy header (recently renamed from
If you need fine-grained control over your application’s content, the
Content-Security-Policy header allows you to configure a number of security settings, including similar controls to the
/app/*X-Frame-Options: DENYX-Content-Type-Options: nosniffReferrer-Policy: no-referrerPermissions-Policy: document-domain=()Content-Security-Policy: script-src 'self'; frame-ancestors 'none';