Netlify Dev not loading headers from netlify.toml

I am trying to get setup with netlify dev so that I can troubleshoot my CSP policy via my local server.

When I run netlify dev it doesn’t deliver any custom headers it seems?

My netlify.toml atm:

[build]
publish = "public/"
command = "hugo"

[build.environment]
HUGO_ENV = "production"
HUGO_VERSION = "0.74.3"
RUBY_VERSION = "2.6.2"
NODE_VERSION = "15.3.0"

[dev]
command = "hugo server --cleanDestinationDir"

[context.branch-deploy]
command = "hugo -D --buildFuture --buildDrafts -b $DEPLOY_PRIME_URL"

[context.v1]
command = "hugo -b https://v1.jasik.xyz"

[context.v2]
command = "hugo -b https://v2.jasik.xyz"

[context.deploy-preview]
command = "hugo -b $DEPLOY_PRIME_URL"

[[redirects]]
from = "/donate/"
to = "https://ko-fi.com/calebjasik/"

[[redirects]]
from = "/resume"
to = "/caleb-jasik-resume.pdf"

[[redirects]]
from = "/resume.pdf"
to = "/caleb-jasik-resume.pdf"

[[redirects]]
from = "https://jasik-xyz.netlify.com/*"
to = "https://jasik.xyz/:splat"
status = 301
force = true

[[redirects]]
from = "https://jasik-xyz.netlify.app/*"
to = "https://jasik.xyz/:splat"
status = 301
force = true

[[headers]]
for = "/*"
[headers.values]
Content-Security-Policy-Report-Only = "default-src 'self'; report-uri https://jasikxyz.report-uri.com/r/d/csp/wizard; report-to default"
Referrer-Policy = "no-referrer, strict-origin-when-cross-origin"
Report-To = "{'group':'default','max_age':31536000,'endpoints':[{'url':'https://jasikxyz.report-uri.com/a/d/g'}],'include_subdomains':true}"
Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
X-Content-Type-Options = "nosniff"
X-Frame-Options = "DENY"
X-XSS-Protection = "1; mode=block"

Hiya @jasikpark and thanks for linking this thread in the open bug report on this which I see you found: https://github.com/netlify/cli/issues/1198

I don’t see that we have a fix for that planned in the near future, so you may need to test CSP stuff on a netlify site we serve instead, as I suppose you probably came up with as a workaround.

I haven’t checked the headers when running Netlify Dev, but I had a similar issue with my deployed website. Netlify wasn’t responding with the Report-To, NEL and Content-Security-Policy I had configured in the netlify.toml.

I replaced for = "/*" with for = "*" and that did the trick.

Also, I noticed that you can configure the Report-To header with a multiline string, for better readability.

Report-To = '''
{
  "group": "default",
  "max_age": 31536000,
  "endpoints": [
    {"url": "my-reporting-url"}
  ],
  "include_subdomains":true
}
'''
2 Likes