I’ve set up a _headers file in my project, and it seems like the rules I’ve set are not applied at all.
Here is the site:
I’ve put the file inside the /public directory, and it’s a Next.js project.
My _headers file looks like this:
/*
  Content-Security-Policy: default-src 'self'; base-uri 'none'; form-action 'self'; script-src 'unsafe-inline' https://copyologia.pl https://googletagmanager.com; style-src 'unsafe-inline'; font-src https://fonts.googleapis.com; img-src 'self' data: https://googletagmanager.com; frame-ancestors 'none'; upgrade-insecure-requests; block-all-mixed-content
  X-Content-Type-Options: nosniff
  X-Frame-Options: DENY
  X-XSS-Protection: 1; mode=block
  Referrer-Policy: strict-origin-when-cross-origin
  Permissions-Policy: accelerometer 'none'; ambient-light-sensor 'none'; autoplay 'none'; battery 'none'; camera 'none'; display-capture 'none'; document-domain 'none'; encrypted-media 'none'; execution-while-not-rendered 'none'; execution-while-out-of-viewport 'none'; fullscreen 'none'; geolocation 'none'; gyroscope 'none'; layout-animations 'none'; legacy-image-formats 'none'; magnetometer 'none'; microphone 'none'; midi 'none'; navigation-override 'none'; oversized-images 'none'; payment 'none'; picture-in-picture 'none'; publickey-credentials-get 'none'; sync-xhr 'none'; usb 'none'; vr 'none'; screen-wake-lock 'none'; web-share 'none'; xr-spatial-tracking 'none';
  Cache-Control: public, max-age=31536000
When you say inside the /public directory, is this the directory that is published? As per Custom headers | Netlify Docs, the _headers file must reside in the publish directory.
I copied/pasted your header into a test site and received (using curl -IL <site>)
HTTP/2 200
content-length: 0
content-security-policy: default-src ‘self’; base-uri ‘none’; form-action ‘self’; script-src ‘unsafe-inline’ https://copyologia.pl https://googletagmanager.com; style-src ‘unsafe-inline’; font-src https://fonts.googleapis.com; img-src ‘self’ data: https://googletagmanager.com; frame-ancestors ‘none’; upgrade-insecure-requests; block-all-mixed-content
content-type: text/html; charset=UTF-8
date: Sun, 30 May 2021 22:06:49 GMT
etag: "af87f2ca3c1cf46c82bb8fb5646c2853-ssl"
permissions-policy: accelerometer ‘none’; ambient-light-sensor ‘none’; autoplay ‘none’; battery ‘none’; camera ‘none’; display-capture ‘none’; document-domain ‘none’; encrypted-media ‘none’; execution-while-not-rendered ‘none’; execution-while-out-of-viewport ‘none’; fullscreen ‘none’; geolocation ‘none’; gyroscope ‘none’; layout-animations ‘none’; legacy-image-formats ‘none’; magnetometer ‘none’; microphone ‘none’; midi ‘none’; navigation-override ‘none’; oversized-images ‘none’; payment ‘none’; picture-in-picture ‘none’; publickey-credentials-get ‘none’; sync-xhr ‘none’; usb ‘none’; vr ‘none’; screen-wake-lock ‘none’; web-share ‘none’; xr-spatial-tracking ‘none’;
referrer-policy: strict-origin-when-cross-origin
strict-transport-security: max-age=31536000; includeSubDomains; preload
cache-control: public,max-age=31536000
x-frame-options: DENY
x-nf-request-id: 5786bc16-0c76-4969-abc9-3f99caa19e4e
x-content-type-options: nosniff
age: 0
x-xss-protection: 1; mode=block
server: Netlify
Yes, that is the one. For example, the favicon that’s placed in this directory works as expected.
I wonder if that could be because I was playing with the Netlify config file and removed it afterwards, and right now Netlify is not reading my _headers file because it’s trying to find the config file.
If you could clarify, because I completely don’t understand your answer. I don’t need required (I think) and I’m not calling any header functions. I have my _headers file which is not applied by the Netlify
I’ve moved the file to the root directory and it seems like it works now. Thanks for all your answers.
Thank you so much for coming back and letting us know, @Patryk_Kwapis. This will be beneficial for future Forums members who encounter something similar.
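The curl -IL check used earlier in this thread can be scripted so that a _headers file the deploy did not pick up is caught right after publishing. This is an added example, not code from the thread or from Netlify; the function names, file names and sample data are assumptions, and it compares header names only, without matching each rule to its path.

```shell
#!/bin/sh
# Added example (not from the thread): report headers that a _headers file
# declares but a captured response does not carry.
# Capture a response first, e.g.: curl -sIL https://your-site.example/ > resp.txt

# Header names (lower-cased) declared in a _headers file. Comment lines (#)
# and path lines (starting with /) are skipped; indentation is optional here
# so files pasted without their leading spaces still parse.
declared_headers() {
    awk -F: '
        $0 ~ "^[ \t]*[#/]" { next }
        NF > 1 { name = tolower($1); gsub(/[ \t]/, "", name); print name }
    ' "$1" | sort -u
}

# Header names in saved `curl -sI` output. With -L, curl prints one block per
# redirect hop; only the final response is kept.
response_headers() {
    tr -d '\r' < "$1" | awk -F: '
        $0 ~ "^HTTP/" { n = 0; next }
        NF > 1 { names[n++] = tolower($1) }
        END { for (i = 0; i < n; i++) print names[i] }
    ' | sort -u
}

# Print declared-but-missing header names; return 1 if there are any.
missing_headers() {
    decl=$(mktemp); resp=$(mktemp)
    declared_headers "$1" > "$decl"
    response_headers "$2" > "$resp"
    missing=$(comm -23 "$decl" "$resp")
    rm -f "$decl" "$resp"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample: two declared headers, a response carrying only one.
demo=$(mktemp -d)
printf '/*\n  X-Frame-Options: DENY\n  X-Content-Type-Options: nosniff\n' > "$demo/_headers"
printf 'HTTP/2 200\r\nx-frame-options: DENY\r\nserver: Netlify\r\n\r\n' > "$demo/resp.txt"
missing_headers "$demo/_headers" "$demo/resp.txt" || echo "(declared but not served)"
rm -rf "$demo"
```

If every declared header is reported missing, the file was most likely not in the directory that got published, which is the situation described in this thread.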