In this ancient post I stated how security headers can be set through CF Workers.
However, Workers have limits,
which in normal circumstances is not a problem,
because there is a 50,000 hit limit on hosting, so you will run out of that sooner than the Workers,
but in the case of a DDoS you will very easily use up the daily amount of Workers, so it is problematic.
A few months ago, Cloudflare enabled free users to edit HTTP response headers in another way.
Here are the instructions (values should match your preferences - don't just copy/paste):
- Go to Rules and choose Transform Rules
- HTTP Response Header Modification rule
- Name it
Rule code
And test
P.S. Be sure to open the browser console and of course press CTRL + F5 often and make sure there are no problems (if you write something wrong, the browser will report that it cannot parse - yellow exclamation mark).
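
A scripted complement to the console check above, as an added example that is not part of the original post: it audits a header dump such as `curl -sI` prints for missing, duplicated or malformed security headers. The header set, the accepted values and the sample response are assumptions constructed for illustration, since the post does not list which headers it sets.

```python
import re

# Constructed sample: response headers as printed by `curl -sI https://example.com/`.
SAMPLE = """\
HTTP/2 200
content-type: text/html
strict-transport-security: max-age=31536000; includeSubDomains
x-content-type-options: no-sniff
x-frame-options: SAMEORIGIN
x-frame-options: DENY
referrer-policy: strict-origin-when-cross-origin
"""

REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "origin",
    "origin-when-cross-origin", "same-origin", "strict-origin",
    "strict-origin-when-cross-origin", "unsafe-url",
}

# Assumed header set (the post does not list one); each maps to a value check.
CHECKS = {
    "strict-transport-security": lambda v: re.search(r"(^|;)\s*max-age=\d+\s*(;|$)", v, re.I) is not None,
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "x-frame-options": lambda v: v.upper() in {"DENY", "SAMEORIGIN"},
    "referrer-policy": lambda v: all(t.strip().lower() in REFERRER_POLICIES for t in v.split(",")),
    "content-security-policy": lambda v: bool(v.strip()),
}

def parse_headers(raw):
    """Return {lowercased name: [values]} from a raw header dump."""
    headers = {}
    for line in raw.splitlines()[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return a sorted list of (header, problem) tuples; empty means all checks pass."""
    headers, findings = parse_headers(raw), []
    for name, valid in CHECKS.items():
        values = headers.get(name, [])
        if len(values) != 1:                   # absent, or set by more than one layer
            findings.append((name, "duplicate" if values else "missing"))
        elif not valid(values[0]):
            findings.append((name, "invalid value"))
    return sorted(findings)

if __name__ == "__main__": print(audit(SAMPLE))
```

A duplicate finding usually means the origin and the Transform Rule both emit the same header, so one of them should be dropped.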





