Objective
Improve the security of my static website and verify it using Nikto, OWASP ZAP, curl, and header analysis services. The aim was to learn how real tools see my site and to achieve an A+ rating by applying proper web security headers.
Setup
- Local development environment for previewing changes before pushing to Cloudflare Pages.
- Two local servers were used during testing:
  - Python’s built-in HTTP server (python3 -m http.server) — for quick local previewing of HTML/CSS/JS changes.
  - Nginx (Homebrew install) — simulating production to test header behaviour before moving everything to Cloudflare.
- Cloudflare Pages deployment configured with custom _headers and _redirects files to enforce strict browser-level protections.
- Tools used for validation and baseline mapping:
  - Nikto — to identify missing security headers and general scanner visibility.
  - OWASP ZAP (Passive Scan Mode) — to observe metadata leaks, header issues, and how the site appears to automated tools.
  - curl -I — for direct inspection of Cloudflare’s applied response headers.
  - SecurityHeaders.com — for external grading and final verification (A+).
- All changes tested locally before deployment to ensure nothing broke visually or functionally.
Methodology
1. Baseline Scan on Python Local Server
Hosted the site with Python’s simple HTTP server (python3 -m http.server) and ran Nikto.
The server lacked every critical header (CSP, clickjacking, MIME protection), which set a clear baseline
for what an unhardened static site looks like to a scanner.
2. Moving to Nginx for Realistic Testing
Switched to a Homebrew-installed Nginx instance to mimic production. Applied fixes directly in
nginx.conf, adding the following headers, and reran scans to confirm improvements:
- X-Frame-Options
- X-Content-Type-Options
- Referrer-Policy
- Permissions-Policy
- Strict Content-Security-Policy rules
The follow-up scan against Nginx returned a much cleaner surface, validating the hardening steps before migrating everything to Cloudflare Pages.
3. Migrating Hardening to Cloudflare Pages
After validating the headers on Nginx, I replicated the configuration with a custom _headers
file in Cloudflare Pages so the hardening is enforced directly at the CDN edge.
4. Final Validation
Verified Cloudflare’s applied headers with curl -I https://www.syraxops.com and reran Nikto
plus OWASP ZAP. The only remaining headers were Cloudflare informational ones, confirming a minimal surface.
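To make steps 2 through 4 concrete, here is an added example (my own code, not the site's nginx.conf or _headers file, and not the output of any tool named above). It holds the five headers the write-up applies with illustrative values I chose for a static site, renders them in both the nginx add_header form and the Cloudflare Pages _headers form, parses curl -I style output, and audits a response for missing or weakened headers. The two sample responses are constructed, not captured from syraxops.com.

```python
"""Audit HTTP response headers for the protections this write-up applies.

Added example, not the site's own configuration or any tool's output. Header
values are assumptions for a static site that serves no inline scripts; the
sample responses below are constructed, not captured from syraxops.com.
"""
from __future__ import annotations

# The five headers the write-up adds in nginx.conf and later in Cloudflare's _headers file.
# Values are illustrative choices, not the site's actual policy.
HARDENED_HEADERS: dict[str, str] = {
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self'; style-src 'self'; "
        "img-src 'self' data:; object-src 'none'; base-uri 'self'; "
        "frame-ancestors 'none'"
    ),
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
}


def render_nginx(headers: dict[str, str]) -> str:
    """Render the set as nginx add_header directives for a server/location block.
    'always' makes nginx emit them on error responses too, not only on 2xx/3xx."""
    return "\n".join(f'add_header {name} "{value}" always;' for name, value in headers.items())


def render_cloudflare_headers(headers: dict[str, str], path: str = "/*") -> str:
    """Render the set in Cloudflare Pages _headers format: a path pattern line
    followed by indented 'Name: value' lines applied to every matching response."""
    lines = [path] + [f"  {name}: {value}" for name, value in headers.items()]
    return "\n".join(lines)


def parse_raw_headers(raw: str) -> dict[str, str]:
    """Parse `curl -I` style output (status line, then 'Name: value' lines) into a
    dict keyed by lowercase header name. Repeated headers are joined with ', '."""
    parsed: dict[str, str] = {}
    for line in raw.splitlines()[1:]:  # skip the HTTP status line
        if not line.strip() or ":" not in line:
            continue
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        parsed[key] = f"{parsed[key]}, {value}" if key in parsed else value
    return parsed


def audit(response_headers: dict[str, str]) -> dict[str, list[str]]:
    """Report which hardened headers are absent and which are present but weak.
    Lookups are case-insensitive; the weakness checks are simple heuristics."""
    present = {k.lower(): v for k, v in response_headers.items()}
    missing = [name for name in HARDENED_HEADERS if name.lower() not in present]
    weak: list[str] = []

    csp = present.get("content-security-policy", "")
    # No default-src fallback, or unsafe-* keywords, undoes most of what CSP buys.
    if csp and ("default-src" not in csp or "'unsafe-inline'" in csp or "'unsafe-eval'" in csp):
        weak.append("Content-Security-Policy")
    xfo = present.get("x-frame-options", "")
    if xfo and xfo.upper() not in ("DENY", "SAMEORIGIN"):
        weak.append("X-Frame-Options")
    xcto = present.get("x-content-type-options", "")
    if xcto and xcto.lower() != "nosniff":
        weak.append("X-Content-Type-Options")
    rp = present.get("referrer-policy", "")
    if rp and rp.lower() in ("unsafe-url", "no-referrer-when-downgrade"):
        weak.append("Referrer-Policy")
    return {"missing": missing, "weak": weak}


# Constructed sample: the kind of response `python3 -m http.server` returns (no protections).
BASELINE_RAW = """HTTP/1.0 200 OK
Server: SimpleHTTP/0.6 Python/3.12.0
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-type: text/html
Content-Length: 512
"""

# Constructed sample: a hardened response carrying the header set above.
HARDENED_RAW = "HTTP/2 200\n" + "\n".join(f"{k}: {v}" for k, v in HARDENED_HEADERS.items()) + "\n"


if __name__ == "__main__":
    print("# nginx.conf snippet\n" + render_nginx(HARDENED_HEADERS))
    print("\n# Cloudflare Pages _headers\n" + render_cloudflare_headers(HARDENED_HEADERS))
    print("\nbaseline:", audit(parse_raw_headers(BASELINE_RAW)))
    print("hardened:", audit(parse_raw_headers(HARDENED_RAW)))
```

Feeding the saved output of curl -I against the deployed site into parse_raw_headers and then audit reproduces the step 4 check offline. Note that frame-ancestors in the CSP is the modern control against framing; X-Frame-Options is kept alongside it for older clients, which is why the audit treats both separately.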
Observations
Initial scans clearly showed the behaviour of an unsecured static surface — missing CSP, no frame protections, and no MIME-type enforcement. Testing incrementally on Nginx allowed me to verify each header’s impact and ensure nothing broke visually or functionally. Once deployed to Cloudflare Pages, Nikto and OWASP ZAP returned only Cloudflare-specific informational headers, confirming the attack surface had been reduced to a minimal footprint.
Next Steps
Now that the browser-facing layer is hardened, the next phase is to explore Cloudflare’s edge capabilities. Focus areas include:
- Bot Management & Bot Fight Mode — observing how Cloudflare challenges tools like Nikto, ZAP, and curl.
- WAF Managed Rules — enabling the OWASP ruleset and testing responses to simulated malicious requests.
- Rate Limiting — setting request thresholds to see how scanners behave when Cloudflare throttles probes.
- Custom Firewall Rules — restricting methods, sensitive routes, or targeted IP ranges/ASNs.
- Security Analytics — reviewing Cloudflare logs to understand what activity gets challenged or blocked.
- TLS & HTTP/3 Configuration — examining TLS management and protocol behaviour.
- CSP Reporting — adding a reporting endpoint to monitor violations and browser enforcement.
These will shape future experiments to further strengthen the edge security posture.