Forward CSP Headers set with HelmetJS

brainlulz · January 22, 2020, 8:13pm

Hello,

I’m deploying my SapperJs website on Netlify.

I wanted to apply good security practices by settings headers but the framework is using inline js and eval. To set headers, they recommend to use HelmetJs and add a nonce: https://sapper.svelte.dev/docs#Content_Security_Policy_CSP

After doing that, it was working on local but saw that Netlify block my configuration for his own configuration: https://docs.netlify.com/routing/headers/

I was wondering how to bypass the Netlify configuration and allow it to forward was I set with HelmetJS.

Thanks for your help !

futuregerald · January 22, 2020, 8:13pm

Hi @brainlulz, you can pass your own custom headers by setting them in a _headers file or a netlify.toml. You can’t set headers from within your site’s JS. The example on the sapper site is using express.js to set the header, but that isn’t the case here.