Netlify Dev not loading headers from netlify.toml

I am trying to get set up with netlify dev so that I can troubleshoot my CSP policy via my local server.

When I run netlify dev it doesn’t deliver any custom headers it seems?

My netlify.toml atm:

publish = "public/"
command = "hugo"

HUGO_ENV = "production"
HUGO_VERSION = "0.74.3"
RUBY_VERSION = "2.6.2"
NODE_VERSION = "15.3.0"

command = "hugo server --cleanDestinationDir"

command = "hugo -D --buildFuture --buildDrafts -b $DEPLOY_PRIME_URL"

command = "hugo -b"

command = "hugo -b"

command = "hugo -b $DEPLOY_PRIME_URL"

from = "/donate/"
to = ""

from = "/resume"
to = "/caleb-jasik-resume.pdf"

from = "/resume.pdf"
to = "/caleb-jasik-resume.pdf"

from = "*"
to = ""
status = 301
force = true

from = "*"
to = ""
status = 301
force = true

for = "/*"
Content-Security-Policy-Report-Only = "default-src 'self'; report-uri; report-to default"
Referrer-Policy = "no-referrer, strict-origin-when-cross-origin"
Report-To = "{'group':'default','max_age':31536000,'endpoints':[{'url':''}],'include_subdomains':true}"
Strict-Transport-Security = "max-age=63072000; includeSubDomains; preload"
X-Content-Type-Options = "nosniff"
X-Frame-Options = "DENY"
X-XSS-Protection = "1; mode=block"
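
An offline check for the problem discussed in this thread, added here as an example (not code from the thread or from Netlify): it diffs the headers a response actually carried against the configured ones and lints the CSP reporting setup. The header values and the `reports.example` endpoint are constructed, and `audit` and its helpers are hypothetical names.

```python
import json

def parse_report_to(value):
    """Return {group: [endpoint URLs]}; the header is a comma-separated list of JSON objects."""
    try:
        entries = json.loads("[" + value + "]")
    except json.JSONDecodeError as exc:
        raise ValueError(f"Report-To is not valid JSON: {exc.msg}") from None
    return {e.get("group", "default"): [ep.get("url", "") for ep in e.get("endpoints", [])]
            for e in entries if isinstance(e, dict)}

def csp_directives(policy):
    """Split a CSP value into {directive: [tokens]}; the first occurrence wins."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out

def audit(expected, received):
    """Diff configured headers against a response and lint its reporting setup."""
    got = {k.lower(): v for k, v in received.items()}  # header names are case-insensitive
    findings = []
    for name, value in expected.items():
        if name.lower() not in got:
            findings.append(f"missing: {name}")
        elif got[name.lower()] != value:
            findings.append(f"differs: {name}")
    groups = {}
    if "report-to" in got:
        try:
            groups = parse_report_to(got["report-to"])
        except ValueError as exc:
            findings.append(str(exc))
    for key in ("content-security-policy", "content-security-policy-report-only"):
        d = csp_directives(got.get(key, ""))
        if "report-uri" in d and not d["report-uri"]:
            findings.append(f"{key}: report-uri has no URL")
        for group in d.get("report-to", []):
            if group not in groups:
                findings.append(f"{key}: report-to group '{group}' not defined in Report-To")
    return findings

# Constructed sample values; reports.example is a placeholder endpoint.
EXPECTED = {
    "Content-Security-Policy-Report-Only":
        "default-src 'self'; report-uri https://reports.example/csp; report-to default",
    "Report-To": '{"group":"default","max_age":31536000,"endpoints":[{"url":"https://reports.example/csp"}]}',
}
```

Pass `received` as a dict built from the response headers of the local server or of a deploy, for example copied from the browser's network panel.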

Hiya @jasikpark and thanks for linking this thread in the open bug report on this which I see you found:

I don’t see that we have a fix for that planned in the near future, so you may need to test CSP stuff on a netlify site we serve instead, as I suppose you probably came up with as a workaround.

I haven’t checked the headers when running Netlify Dev, but I had a similar issue with my deployed website. Netlify wasn’t responding with the Report-To, NEL and Content-Security-Policy I had configured in the netlify.toml.

I replaced for = "/*" with for = "*" and that did the trick.

Also, I noticed that you can configure the Report-To header with a multiline string, for better readability.

Report-To = '''
  "group": "default",
  "max_age": 31536000,
  "endpoints": [
    {"url": "my-reporting-url"}