set_security_headers: Agent-Applied Security Header Baseline

What the Get AI Traffic agent adds to your response headers, the safe baseline it applies via Cloudflare, why it leaves CSP to you, and how to roll it back.

Published on July 17, 2026

set_security_headers is the tool the Get AI Traffic agent uses to add a baseline of security headers to your site’s responses after you approve a fix. It applies them at the edge through Cloudflare, then captures what was there before so the change is reversible.

This page documents what the tool touches, what it refuses to touch, and how to undo it. For whether these headers are worth setting at all, and why they protect your users more than your rankings, read Security Headers Barely Touch SEO. That Is Not a Reason to Skip Them. This page is about the mechanics.

What it does

When you approve the fix, the tool applies a fixed, safe baseline as a Cloudflare response-header transform rule: Strict-Transport-Security (HSTS), X-Frame-Options, X-Content-Type-Options, and Referrer-Policy. These are the four that carry real protection with essentially no risk of breaking a working site, which is why they are the baseline and a Content-Security-Policy is not.

It runs at the edge rather than in your CMS, so the headers apply to every response Cloudflare serves for the site, not just pages a plugin touches.

What it will not touch

  • Content-Security-Policy. Deliberately excluded. A CSP controls what your pages are allowed to load, and a policy set blind blocks your own scripts, fonts, and embeds. That one needs to be shaped against your real traffic in report-only mode first, which is a decision, not a baseline. This tool will not set it for you.
  • A site with no Cloudflare connection. The headers are applied through Cloudflare, so a site without that integration returns a skipped status and nothing is changed. The fix has a hard dependency, and it tells you rather than half-applying.
  • Your existing transform rules, silently. The prior rules are captured before anything is written, so the change is recorded and reversible rather than overwriting blindly.

Timing

The transform rule takes effect at the edge, and Cloudflare rule changes typically propagate within a minute or so. After that every response carries the baseline headers. No crawl gates this one, unlike a content change: the headers are live as soon as the rule is.

Rolling back

Before applying, the tool captures your prior Cloudflare transform rules to the ledger under the header_config mechanism. roll_back re-applies exactly those captured rules, restoring whatever header configuration existed before, including none.

  • purge_cache runs after an apply, so cached responses pick up the new headers rather than serving old ones from the edge.
  • The edge caching and image tools also operate through the same Cloudflare connection. If a site has no Cloudflare integration, they all report skipped for the same reason.

Findings this tool resolves

  • missing_hsts_header: no Strict-Transport-Security header. The baseline adds it.
  • missing_content_type_options: no X-Content-Type-Options: nosniff. The baseline adds it.

One finding it does not resolve:

  • missing_csp: no Content-Security-Policy. This tool leaves CSP alone on purpose, because a policy applied without being tested against your traffic is the change most likely to break your site. Setting it is a deliberate, staged job, not part of a safe baseline.

Want this checked on your own site?

Get your free AI-visibility audit