_headers ignored

I’ve set up a _headers file in my project and it seems like the rules I’ve set are not applied at all.

Here is the site:

I’ve put the file inside the /public directory and it’s a Next.js project.

My _headers file looks like this:
```
/*
  Content-Security-Policy: default-src 'self'; base-uri 'none'; form-action 'self'; script-src 'unsafe-inline' https://copyologia.pl https://googletagmanager.com; style-src 'unsafe-inline'; font-src https://fonts.googleapis.com; img-src 'self' data: https://googletagmanager.com; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  X-XSS-Protection: 1; mode=block
  Referrer-Policy: strict-origin-when-cross-origin
  Permissions-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; layout-animations 'none'; legacy-image-formats 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; oversized-images 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; sync-xhr 'none'; usb 'none'; vr 'none'; screen-wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none';
  Cache-Control: public, max-age=31536000
```

When you say inside the /public directory, is this the directory that is published? As per Custom headers | Netlify Docs, the _headers file must reside in the publish directory.

I copied/pasted your header into a test site and received (using curl -IL <site>)

```
HTTP/2 200
content-length: 0
content-security-policy: default-src ‘self’; base-uri ‘none’; form-action ‘self’; script-src ‘unsafe-inline’ https://copyologia.pl https://googletagmanager.com; style-src ‘unsafe-inline’; font-src https://fonts.googleapis.com; img-src ‘self’ data: https://googletagmanager.com; frame-ancestors ‘none’; upgrade-insecure-requests; block-all-mixed-content
content-type: text/html; charset=UTF-8
date: Sun, 30 May 2021 22:06:49 GMT
etag: "af87f2ca3c1cf46c82bb8fb5646c2853-ssl"
permissions-policy: accelerometer ‘none’; ambient-light-sensor ‘none’; autoplay ‘none’; battery ‘none’; camera ‘none’; display-capture ‘none’; document-domain ‘none’; encrypted-media ‘none’; execution-while-not-rendered ‘none’; execution-while-out-of-viewport ‘none’; fullscreen ‘none’; geolocation ‘none’; gyroscope ‘none’; layout-animations ‘none’; legacy-image-formats ‘none’; magnetometer ‘none’; microphone ‘none’; midi ‘none’; navigation-override ‘none’; oversized-images ‘none’; payment ‘none’; picture-in-picture ‘none’; publickey-credentials-get ‘none’; sync-xhr ‘none’; usb ‘none’; vr ‘none’; screen-wake-lock ‘none’; web-share ‘none’; xr-spatial-tracking ‘none’;
referrer-policy: strict-origin-when-cross-origin
strict-transport-security: max-age=31536000; includeSubDomains; preload
cache-control: public,max-age=31536000
x-frame-options: DENY
x-nf-request-id: 5786bc16-0c76-4969-abc9-3f99caa19e4e
x-content-type-options: nosniff
age: 0
x-xss-protection: 1; mode=block
server: Netlify
```

Yes, that is the one. For example, a favicon that’s placed in this directory works as expected.

I wonder if that could be because I was playing with the Netlify config file and removed it afterwards, and right now Netlify is not reading my _headers file because it’s trying to find the config file.

Script execution continues after setting a Location: header (or any other call to header() , for that matter). If you want the redirect to happen immediately, without the rest of the script executing, return; or die; immediately after you call header() .

If you could clarify, because I completely don’t understand your answer. I don’t need required (I think) and I’m not calling any header functions. I have my _headers file, which is not applied by Netlify :frowning:

I’ve moved the file to the root directory and it seems like it works now. Thanks for all your answers.


Thank you so much for coming back and letting us know, @Patryk_Kwapis. This will be beneficial for future Forums members who encounter something similar.
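
The check used in this thread (compare the `_headers` rules against what `curl -I` actually returns) can be scripted so a deploy that silently drops the security headers is caught. The following is an added example, not code from the thread or from Netlify: the sample file and response are constructed, the function names are hypothetical, and only the `/*` wildcard form of path matching is handled.

```python
import re

# Constructed sample input: a _headers file and a captured `curl -I` response.
HEADERS_FILE = """\
/*
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  Cache-Control: public, max-age=31536000
  Content-Security-Policy: default-src ‘self’; frame-ancestors 'none'
"""
RESPONSE = """\
HTTP/2 200
cache-control: public,max-age=31536000
x-frame-options: DENY
"""

def norm(value):
    """Ignore spaces around commas; the thread's output shows 'public,max-age'."""
    return re.sub(r"\s*,\s*", ",", value.strip())

def parse_headers_file(text):
    """Return [(path_pattern, {lowercased_name: value})] from _headers syntax."""
    rules, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.startswith("/"):  # a path line opens a new rule
            current = {}
            rules.append((stripped, current))
        elif current is not None and ":" in stripped:
            name, value = stripped.split(":", 1)
            current[name.strip().lower()] = value.strip()
    return rules

def parse_response(raw):
    """Map lowercased header names to values, skipping the status line."""
    pairs = (l.split(":", 1) for l in raw.splitlines()[1:] if ":" in l)
    return {k.strip().lower(): v.strip() for k, v in pairs}

def audit(headers_file, raw_response, path="/"):
    """List expected headers that are missing, differ, or carry typographic quotes."""
    got, findings = parse_response(raw_response), []
    for pattern, expected in parse_headers_file(headers_file):
        if not re.fullmatch(re.escape(pattern).replace(r"\*", ".*"), path):
            continue
        for name, value in expected.items():
            if re.search("[‘’“”]", value):  # browsers will not read these as CSP keywords
                findings.append((name, "typographic quotes"))
            if norm(got.get(name, "")) != norm(value):
                findings.append((name, "differs" if name in got else "missing"))
    return findings
```

A response with none of the expected headers, as when `_headers` sits outside the publish directory, yields a `missing` finding for every rule.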