Add custom HTTP headers
More advanced customization of HTTP headers is available through Cloudflare Workers serverless functions ↗.
If you have not deployed a Worker before, get started with our tutorial. For the purpose of this tutorial, accomplish steps one (Sign up for a Workers account) through four (Generate a new project) before returning to this page.
Before continuing, ensure that your Cloudflare Pages project is connected to a custom domain.
Workers functions are written in JavaScript ↗. When a Worker makes a request to a Cloudflare Pages application, it will receive a response. The response a Worker receives is immutable, meaning it cannot be changed. In order to add, delete, or alter headers, clone the response and modify the headers on a new Response instance. Return the new response to the browser with your desired header changes. An example of this is shown below:
export default {  async fetch(request) {    // This proxies your Pages application under the condition that your Worker script is deployed on the same custom domain as your Pages project    const response = await fetch(request);
    // Clone the response so that it is no longer immutable    const newResponse = new Response(response.body, response);
    // Add a custom header with a value    newResponse.headers.append(      "x-workers-hello",      "Hello from Cloudflare Workers",    );
    // Delete headers    newResponse.headers.delete("x-header-to-delete");    newResponse.headers.delete("x-header2-to-delete");
    // Adjust the value for an existing header    newResponse.headers.set("x-header-to-change", "NewValue");
    return newResponse;  },};The easiest way to start deploying your Workers function is by typing workers.new ↗ in the browser. Log in to your account to be automatically directed to the Workers & Pages dashboard. From the Workers & Pages dashboard, write your function or use one of the examples from the Workers documentation.
Select Save and Deploy when your script is ready and set a route in your domain's zone settings.
For example, here is a Workers script you can copy and paste into the Workers dashboard that sets common security headers whenever a request hits your Pages URL, such as X-XSS-Protection, X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security, Content-Security-Policy (CSP), and more.
If you would like to skip writing this file yourself, you can use our custom-headers-example template ↗ to generate a new Workers function with wrangler, the Workers CLI tool.
git clone https://github.com/cloudflare/custom-headers-examplecd custom-headers-examplenpm installTo operate your Workers function alongside your Pages application, deploy it to the same custom domain as your Pages application. To do this, update the Wrangler file in your project with your account and zone details:
{  "name": "custom-headers-example",  "account_id": "FILL-IN-YOUR-ACCOUNT-ID",  "workers_dev": false,  "route": "FILL-IN-YOUR-WEBSITE.com/*",  "zone_id": "FILL-IN-YOUR-ZONE-ID"}name = "custom-headers-example"
account_id = "FILL-IN-YOUR-ACCOUNT-ID"workers_dev = falseroute = "FILL-IN-YOUR-WEBSITE.com/*"zone_id = "FILL-IN-YOUR-ZONE-ID"If you do not know how to find your Account ID and Zone ID, refer to our guide.
Once you have configured your Wrangler configuration file , run npx wrangler deploy in your terminal to deploy your Worker:
npx wrangler deployAfter you have deployed your Worker, your desired HTTP header adjustments will take effect. While the Worker is deployed, you should continue to see the content from your Pages application as normal.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark