Attempting to add CSP headers to my site

Here’s my netlify.toml

[build]
command = "hugo --gc"
publish = "public"

[build.environment]
HUGO_VERSION = "0.73.0"

[[redirects]]
from = "/login"
to = "#####"
status = 301

[[redirects]]
from = "/switch"
to = "#####"
status = 301

[[headers]]
for = "/*"
[[headers.values]]
Content-Security-Policy = "default-src 'self' 'unsafe-eval' 'unsafe-inline' cdn.jsdelivr.net www.google.com form.typeform.com/ embed.typeform.com"

The #####'s are valid URLs that I have verified work. For some reason Netlify is still using the default headers for my site. Anyone have a guess why?

I’m trying to embed a typeform iframe in my site, but form.typeform.com and embed.typeform.com are blocked by the default CSP, so I’m trying to set it up to also allow those domains in addition to cdn.jsdeliver.com and google.com

Hey there, I am not a headers expert. BUT, I did notice that you have double brackets around your headers.values when our sample file shows only single ones:

So I think the format should be this:

[[headers]]
  # Define which paths this specific [[headers]] block will cover.
  for = "/*"

  [headers.values] <---single bracket

Oh! You make a great point — I’ll see if that fixes it. It’s infuriating that the build logs simply say “header rules written” rather than any errors.

Yup - that did it. I really wish there were actual errors for the fact that those headers failed.


Glad it is working now! Yes, what you are suggesting would be a great addition to our build logs. I’ll see if I can file an issue on that.

Awesome! Thanks a lot again
