_headers file not affecting the site

I’m trying to change my referrer-policy to allow my analytics scripts to work. I changed the _headers file to the following:

/*
  Referrer-Policy: origin-when-cross-origin
/static/*
  Cache-Control: "public, max-age=360000"

However, the referrer-policy is still coming through as strict-origin-when-cross-origin (it’s been over a day, so time shouldn’t be an issue).

Site name: https://sleepy-meitner-536466.netlify.app

Any advice? My analytics isn’t working due to this, it would be really nice to get it solved.

Hey @ajhurliman!

Are you sure that Netlify is processing the header rules? You can check by visiting the page for your most recent deploy; at the top there’s a section that says if header rules were processed.

You can also verify whether or not the _headers file was deployed by clicking the download button on the page for any of your builds. This downloads a copy of the build directory that Netlify pushed live.

If the _headers file is missing, it’s possible that your build tools omitted it. Make sure they’re configured to move it to the build directory when building.

Hope this helps!

More info here: https://docs.netlify.com/routing/headers/#syntax-for-the-headers-file

Hi, @ajhurliman. This is the currently published deploy:

https://app.netlify.com/sites/sleepy-meitner-536466/deploys/5f7f413e6ebce1000724e224

That deploy contains a file named _headers which contains this at the beginning:

## Created with gatsby-plugin-netlify

/*
  X-Frame-Options: DENY
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  Referrer-Policy: same-origin

A test with curl validates that these are the rules used:

$ curl -svo /dev/null https://sleepy-meitner-536466.netlify.app/  2>&1 | egrep "< "
< HTTP/2 200
< cache-control: public, max-age=0, must-revalidate
< content-type: text/html; charset=UTF-8
< date: Mon, 12 Oct 2020 06:34:15 GMT
< etag: "19addf8b799a9d2465ee96e70b57f470-ssl"
< link: </webpack-runtime-6e242495596d76cffbf3.js>; rel=preload; as=script, </framework-02fcab78320a77685ff9.js>; rel=preload; as=script, </532a2f07-36c395669df4dc0275d8.js>; rel=preload; as=script, </app-6284c9182add0fdae8df.js>; rel=preload; as=script, </styles-c2fe8482057191dca484.js>; rel=preload; as=script, </commons-cdb963a5c5719b034a42.js>; rel=preload; as=script, </6856248c00fc7a17368c03e2cf9f4280bd8891ff-110c592fe79404d46a8d.js>; rel=preload; as=script, </component---src-templates-index-page-js-c44ed2ef6ebd8438c7d6.js>; rel=preload; as=script, </page-data/app-data.json>; rel=preload; as=fetch; crossorigin, </page-data/index/page-data.json>; rel=preload; as=fetch; crossorigin
< referrer-policy: same-origin
< strict-transport-security: max-age=31536000; includeSubDomains; preload
< x-content-type-options: nosniff
< x-frame-options: DENY
< x-xss-protection: 1; mode=block
< age: 0
< server: Netlify
< x-nf-request-id: d4dbdd14-3307-421e-ad07-999292447852-3582476
<

There are no other “Referrer-Policy” lines in the _headers file in that deploy. Please do download the deploy as @noelforte suggested and you can see exactly what the build produced. Note, the first line says “Created with gatsby-plugin-netlify” so it could be that this Gatsby plugin is overwriting your custom file. Did you add the custom rules using the plugin as described at the URL below?

https://github.com/gatsbyjs/gatsby/tree/master/packages/gatsby-plugin-netlify
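
The comparison described in this thread (the _headers file in the repository against the one in the downloaded deploy), as an added example that is not part of any poster's message and is not Netlify or Gatsby code. The function names are hypothetical, the path matcher is a simplified assumption (exact path or trailing `*` only), and both file contents are constructed from the snippets quoted above.

```javascript
// Parse Netlify _headers text into [{ path, headers: { name: [values] } }].
function parseHeadersFile(text) {
  const rules = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === '' || line.startsWith('#')) continue; // blank line or comment
    const i = line.indexOf(':');
    if (!/^\s/.test(raw)) {
      rules.push({ path: line, headers: {} }); // unindented line starts a rule
    } else if (rules.length && i > 0) { // indented "Name: value" under last path
      const h = rules[rules.length - 1].headers;
      const name = line.slice(0, i).trim().toLowerCase();
      (h[name] = h[name] || []).push(line.slice(i + 1).trim());
    }
  }
  return rules;
}

// Simplified matcher (assumption): exact path, or prefix match on a trailing "*".
function matches(rulePath, urlPath) {
  return rulePath.endsWith('*') ? urlPath.startsWith(rulePath.slice(0, -1)) : rulePath === urlPath;
}

// Every value a _headers file sets for one header name on one URL path.
function valuesFor(text, urlPath, header) {
  return parseHeadersFile(text)
    .filter((r) => matches(r.path, urlPath))
    .flatMap((r) => r.headers[header.toLowerCase()] || []);
}

// Constructed inputs: the file from the question and the file found in the deploy.
const repoFile = `/*
  Referrer-Policy: origin-when-cross-origin
/static/*
  Cache-Control: "public, max-age=360000"
`;
const deployedFile = `## Created with gatsby-plugin-netlify
/*
  X-Frame-Options: DENY
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  Referrer-Policy: same-origin
`;

// Report what the repo file intends and what the deployed file actually sets.
function diffHeader(urlPath, header) {
  const intended = valuesFor(repoFile, urlPath, header);
  const deployed = valuesFor(deployedFile, urlPath, header);
  return { intended, deployed, same: intended.join() === deployed.join() };
}
console.log(diffHeader('/', 'Referrer-Policy'));
```

Run against a real project, the two strings would be read from the repository's _headers file and from the copy inside the downloaded deploy archive.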