Netlify Dev not loading headers from netlify.toml

jasikpark · January 12, 2021, 11:31pm

I am trying to get setup with netlify dev so that I can troubleshoot my CSP policy via my local server.

When I run netlify dev it doesn’t deliver any custom headers it seems?

My netlify.toml atm:

[build]
publish = "public/"
command = "hugo"

[build.environment]
HUGO_ENV = "production"
HUGO_VERSION = "0.74.3"
RUBY_VERSION = "2.6.2"
NODE_VERSION = "15.3.0"

[dev]
command = "hugo server --cleanDestinationDir"

[context.branch-deploy]
command = "hugo -D --buildFuture --buildDrafts -b $DEPLOY_PRIME_URL"

[context.v1]
command = "hugo -b https://v1.jasik.xyz"

[context.v2]
command = "hugo -b https://v2.jasik.xyz"

[context.deploy-preview]
command = "hugo -b $DEPLOY_PRIME_URL"

[[redirects]]
from = "/donate/"
to = "https://ko-fi.com/calebjasik/"

[[redirects]]
from = "/resume"
to = "/caleb-jasik-resume.pdf"

[[redirects]]
from = "/resume.pdf"
to = "/caleb-jasik-resume.pdf"

[[redirects]]
from = "https://jasik-xyz.netlify.com/*"
to = "https://jasik.xyz/:splat"
status = 301
force = true

[[redirects]]
from = "https://jasik-xyz.netlify.app/*"
to = "https://jasik.xyz/:splat"
status = 301
force = true

[[headers]]
for = "/*"
[headers.values]
Content-Security-Policy-Report-Only = "default-src 'self'; report-uri https://jasikxyz.report-uri.com/r/d/csp/wizard; report-to default"
Referrer-Policy = "no-referrer, strict-origin-when-cross-origin"
Report-To = "{'group':'default','max_age':31536000,'endpoints':[{'url':'https://jasikxyz.report-uri.com/a/d/g'}],'include_subdomains':true}"
Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
X-Content-Type-Options = "nosniff"
X-Frame-Options = "DENY"
X-XSS-Protection = "1; mode=block"

fool · January 22, 2021, 9:51pm

Hiya @jasikpark and thanks for linking this thread in the open bug report on this which I see you found: Headers in netlify.toml ignored by netlify dev · Issue #1198 · netlify/cli · GitHub

I don’t see that we have a fix for that planned in the near future, so you may need to test CSP stuff on a netlify site we serve instead, as I suppose you probably came up with as a workaround.

jackdbd · March 28, 2021, 5:59pm

I haven’t checked the headers when running Netlify Dev, but I had a similar issue with my deployed website. Netlify wasn’t responding with the Report-To, NEL and Content-Security-Policy I had configured in the netlify.toml.

I replaced for = "/*" with for = "*" and that did the trick.

Also, I noticed that you can configure the Report-To header with a multiline string, for better readability.

Report-To = '''
{
  "group": "default",
  "max_age": 31536000,
  "endpoints": [
    {"url": "my-reporting-url"}
  ],
  "include_subdomains":true
}
'''

ehmicky · August 18, 2021, 6:47pm

Hi @jasikpark,

We’ve got some great news! This bug has been fixed as of netlify-cli@6.6.1

Topic		Replies	Views
Custom headers in netlify.toml not working Support headers	7	2526	December 15, 2021
Attempting to add CSP headers to my site Support headers	6	1252	September 18, 2020
Netlify.toml headers don't work, but _headers do Support headers	3	2256	June 13, 2020
NextJS build ignoring headers set in netlify.toml Support deployment , security	28	4505	February 1, 2024
I can build and deploy my website with CLI, but not w/ Netlify: fixed it, error in netlify.toml Support deployment , netlify-cli , hugo , netlify-cms	2	698	May 19, 2023

Netlify Dev not loading headers from netlify.toml

Related topics