CSP Headers not showing up when using the CSP Integration

Hi there,

Site name: https://www.vorhall.com
Github Repo: GitHub - vorhall-org/vorhall-com

We activated the “CSP Integration” for our website with the following configuration, but the CSP headers will not show up:

  • We set “Report only” to false
  • We set “Unsafe eval” to true
  • The rest of the configuration is default (empty)

We first did a “Test on Deploy Preview”, but the CSP headers did not show up in the Network inspector (in Chrome 121.0.6167.160).

Then we saved the configuration and triggered a deploy manually. The CSP headers still did not show up.

We then had some dependency updates, which we pushed to GitHub and which were then built on Netlify. The CSP headers still did not show up.

We tried clearing the build cache and triggering a fresh build. Still no CSP headers.

When we switched the CSP integration config to “Report only” (true), the CSP report only headers did show up.

Do you have any idea what we could possibly be doing wrong? Or is this a known issue?

Our page is built with Astro 4.3.6 and is automatically built and deployed on Netlify via the connected GitHub repo.

Thank you very much in advance for your help, we appreciate it,
Yves

Welcome to the community @yves :wave:

The CSP Integration plugin doesn’t add CSP headers. That’s something you need to add yourself. The plugin will only set the CSP nonce to your assets: CSP Nonce ⟶ Script & Style Attribute (content-security-policy.com)

Hi @audrey thanks for the fast reply :slight_smile:

OK, then I misunderstood the documentation of the integration.

Nonetheless, if you check the script and style tags on our integration, you’ll notice that the nonce is not set there. Could there be a way to debug what’s going wrong?

Based on what I’m seeing here: Integrations | splendorous-pika-9446de | Netlify, the integration seems disabled. Have you enabled it?
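
A check for the two symptoms discussed in this thread (which CSP header a response carries, and whether script and style tags have a nonce), added here as an example and not taken from the thread or from Netlify. The header values and HTML are constructed samples, and `diagnose` is a hypothetical helper name.

```python
import re
from html.parser import HTMLParser

ENFORCE = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"

class _TagCollector(HTMLParser):
    """Collects <script> and <style> tags and whether each has a nonce."""
    def __init__(self):
        super().__init__()
        self.tags = []  # (tag name, has a non-empty nonce attribute)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.tags.append((tag, bool(dict(attrs).get("nonce"))))

def diagnose(headers, html):
    """headers: dict of response headers; html: response body as str."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    policy = h.get(ENFORCE) or h.get(REPORT_ONLY) or ""
    collector = _TagCollector()
    collector.feed(html)
    return {
        "enforced": ENFORCE in h,
        "report_only": REPORT_ONLY in h,
        "policy_has_nonce": bool(re.search(r"'nonce-[A-Za-z0-9+/_=-]+'", policy)),
        "tags_without_nonce": [t for t, ok in collector.tags if not ok],
    }

# Constructed sample: only the report-only header is present,
# and two of the three tags lack a nonce attribute.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Content-Security-Policy-Report-Only": "script-src 'nonce-q1w2e3r4' 'strict-dynamic'",
}
SAMPLE_HTML = """<html><head>
<script nonce="q1w2e3r4" src="/app.js"></script>
<style>body{margin:0}</style>
<script>console.log("inline")</script>
</head><body></body></html>"""

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_HEADERS, SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

To check a real deploy, pass the headers and body from an HTTP client response in place of the constructed samples.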