CSP Headers not showing up when using the CSP Integration

Hy there,

Site name: https://www.vorhall.com
Github Repo: GitHub - vorhall-org/vorhall-com

We activated the “CSP Integration” for our website with the following configuration, but the CSP headers will not show up:

  • We set “Report only” to false
  • We set “Unsafe eval” to true
  • The rest of the configuration is default (empty)

We did first a “Test on Deploy Preview”, but the CSP headers did not show up in the Network inspector (in Chrome 121.0.6167.160).

The we did Save the configuration and triggered a deploy manually. The CSP headers did still not show up.

We then had some dependency updates which we pushed to GitHub and then was build on Netlify. The CSP headers still did not show up.

We tried clearing the build cache and trigger a fresh build. Still no CSP headers.

When we switched the CSP integration config to “Report only” (true), the CSP report only headers did show up.

Do you have any idea what we could possibly doing wrong? Or is this a known issue?

Our page is build with Astro 4.3.6 and is automatically build and deployed on netlify via the connected GitHub Repo.

Thank you very much in advance for your help, we appreciate it,

Welcome to the community @yves :wave:

The CSP Integration plugin doesn’t add CSP headers. That’s something you need to add yourself. The plugin will only set the CSP nonce to your assets: CSP Nonce ⟶ Script & Style Attribute (content-security-policy.com)

Hi @audrey thanks for the fast reply :slight_smile:

ok, then i misunderstood the documentation of the integration.

nontheless, if you check the script and style tags on our integration, you’ll notice that the nonce is not set there. could there be a way to debug what’s going wrong?

Based on what I’m seeing here: Integrations | splendorous-pika-9446de | Netlify, the integration seems disabled. Have you enabled it?