I’ve deployed s22-2.netlify.app on Netlify, a simple site, and I’ve added a _headers plain text file with basic CSR code:
/*
  Content-Security-Policy: default-src 'self';
(I have tried a couple of different CSR versions and neither worked.)
It’s in the same folder as the files for the website, which, other than this, runs as expected. The encoding is UTF-8. It feels like the file is simply not being read - but you’ll know better than me.
I’ve checked the site through securityheaders.com, PageSpeed Insights and the developer tools, all of which indicate an issue: there is no CSR.
The file is named _headers.txt, which is the reason it isn’t being processed. If you rename it to just _headers (with no .txt file extension) it will work. However, if that doesn’t resolve the issue, please let us know.
Please could you take a quick look at tester1558.netlify.app? I believe I’ve got the _headers file as it should be (without extension), but it doesn’t seem to be gathering any data, and when I do the external site checks, they indicate there is no CSR.
It looks the same as s22-2.netlify.app from the other day, which has effective CSR. I note that the s22-2 _headers file is 50b in size, whereas the one on the tester site is 0b.
I’m sorry to be a pain; I’m learning to build websites as I want to run a business in time to come, so I really have to work out where I’m going wrong.
Okay, another update, just to say I’ve fixed it, and the detail.
I thought, I wonder if I can download the _headers file that I know works, delete the extension and replace the bad one with the good one in the folder, and finally redeploy. It worked! The tester site has effective CSR.
I don’t know why the other one didn’t; if you’ve any idea why the _headers file, plain text and no extension, might not have worked, please let me know. I’d like to understand this.
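
An added example, not part of the thread and not Netlify tooling: a pre-deploy check for the two failures seen above (a `_headers.txt` file, and a `_headers` file of 0 bytes), plus curly quotes and a missing Content-Security-Policy line. The function name `check_headers_file` is hypothetical, and the layout it expects (a path line such as `/*` followed by indented header lines) is assumed from Netlify's documented `_headers` syntax.

```python
import sys
import tempfile
from pathlib import Path

CURLY_QUOTES = "\u2018\u2019\u201c\u201d"

def check_headers_file(publish_dir):
    """Return a list of problems with the _headers file in a publish directory."""
    root = Path(publish_dir)
    # Case 1 from the thread: an extension such as _headers.txt.
    problems = [f"{p.name}: rename to _headers (no extension)"
                for p in sorted(root.glob("_headers.*"))]
    target = root / "_headers"
    if not target.is_file():
        return problems + ["_headers: not found in publish directory"]
    text = target.read_bytes().decode("utf-8", errors="replace")
    # Case 2 from the thread: correct name, but a 0-byte (or blank) file.
    if not text.strip():
        return problems + ["_headers: file is empty"]
    if any(q in text for q in CURLY_QUOTES):
        problems.append("_headers: curly quotes found; use ASCII quotes as in 'self'")
    seen_path = has_csp = False
    for n, line in enumerate(text.splitlines(), 1):
        body = line.strip()
        if not body or body.startswith("#"):
            continue  # blank line or comment
        if line[0] in " \t" and seen_path:
            # Indented line under a path: a header for that path.
            has_csp = has_csp or body.lower().startswith("content-security-policy:")
        elif line[0] not in " \t" and body.startswith("/"):
            seen_path = True
        else:
            problems.append(f"_headers line {n}: expected a path (e.g. /*) "
                            "followed by indented header lines")
    if not has_csp:
        problems.append("_headers: no Content-Security-Policy header under any path")
    return problems

if __name__ == "__main__":
    # Constructed sample: with no argument, check a throwaway directory
    # holding the two-line file from the first post.
    with tempfile.TemporaryDirectory() as demo:
        Path(demo, "_headers").write_text(
            "/*\n  Content-Security-Policy: default-src 'self';\n", encoding="utf-8")
        found = check_headers_file(sys.argv[1] if len(sys.argv) > 1 else demo)
    print("\n".join(found) or "_headers looks deployable")
    sys.exit(1 if found else 0)
```

Run it against the folder you are about to deploy; a non-zero exit status means the header rules would not ship as intended.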