Not seeing CSP header using the CSP Integration plugin

We have published a test site consisting of some static html, js, css etc.
We’ve enabled the CSP Integration plugin and republished the site, but we cannot see the CSP stuff in the headers or in the html.

We’re obviously doing something wrong, so would appreciate any pointers?

Hi, thanks for reaching out and welcome back to the Netlify support forums!

Did you inspect your response headers? You should see a CSP with a value like this:

script-src 'nonce-6RIGit1eDC3GY0BRqEifv/dQ3OyKCZ8w' 'strict-dynamic' 'unsafe-inline' 'unsafe-eval' 'self' https: http:; report-uri /.netlify/functions/__csp-violations

If the inspection does not give you any clues, perhaps you can read this blog post we wrote about CSP: Introducing the Dynamic Content Security Policy (CSP) Integration

Finally, it would help if you could provide a link to your site.

Thanks for the reply and info SamO. I am sorry I thought I had included the domain:

The CSP Integration is enabled, but I do not see the CSP value in the response header or indeed, the nonces on the site?
The site is uploaded as a static site.

Are you using drag-n-drop deploys? If yes, it won’t work for that. You’d have to deploy via Git or CLI.

Thanks hrishikesh, we are deploying a static site via netlify-cli, but there is no build process, it is pre-built. I was hoping it would work as we are deploying via netlify-cli rather than drag and drop, but maybe not?

If there’s no build step, deploying via CLI is no different than deploying via drag-n-drop. A build step is a requirement for plugins to work.

Thanks hrishikesh, disappointing but understandable :)

You can even set a dummy build step by the way, something like echo Hi! also works.

hrishikesh, how would I set up a ‘dummy build step’?

Add a netlify.toml:

[build]
  command = "echo Hi!"

Then run:

netlify deploy --build --prod

To make sure the CSP integration is used in CLI as well, simply run netlify link once.

Many thanks hrishikesh, I added the [build] section to our netlify.toml as suggested and all seems to work with the manual build command.

netlify deploy --build --prod

Am I right in thinking that, as this is a dummy build, we only have to run it once? I did try it without the --build and the site seemed to update as expected and kept the CSP?
e.g.
netlify deploy --prod

It will work as the built artifacts would be saved locally, but I’d recommend running --build every time to use the latest fixes always.

Thanks hrishikesh, understood.
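
Added example, not part of any post in this thread and not Netlify's code: a post-deploy check that the response carries a CSP header in the shape quoted above and that every script tag in the raw HTML has a nonce matching it. It also shows which script-src sources a CSP Level 3 browser still honours once a nonce and 'strict-dynamic' are present. The function names, the sample nonce and the sample HTML are constructed for illustration.

```python
import re

# Constructed sample data: a header in the shape quoted in the thread (nonce is made up)
# and markup with one nonced script and one script that has no nonce.
SAMPLE_HEADERS = {
    "Content-Security-Policy": "script-src 'nonce-Q09OU1RSVUNURUQ=' 'strict-dynamic' "
    "'unsafe-inline' 'unsafe-eval' 'self' https: http:; "
    "report-uri /.netlify/functions/__csp-violations"
}
SAMPLE_HTML = """<script nonce="Q09OU1RSVUNURUQ=" src="/app.js"></script>
<script>console.log("inline, no nonce")</script>"""

def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy

def effective_script_sources(sources):
    """Sources a CSP Level 3 browser still honours after its fallback rules."""
    has_nonce = any(s.startswith(("'nonce-", "'sha")) for s in sources)
    strict = "'strict-dynamic'" in sources
    kept = []
    for s in sources:
        if s == "'unsafe-inline'" and (has_nonce or strict):
            continue  # ignored once a nonce or hash is present
        if strict and (s == "'self'" or not s.startswith("'")):
            continue  # 'strict-dynamic' disables host and scheme allow-lists
        kept.append(s)
    return kept

def check_deploy(headers, html):
    """Return findings; an empty list means header and markup agree."""
    csp = next((v for k, v in headers.items() if k.lower() == "content-security-policy"), None)
    if csp is None:
        return ["no Content-Security-Policy header in the response"]
    sources = parse_csp(csp).get("script-src", [])
    nonces = {s[7:-1] for s in sources if s.startswith("'nonce-")}
    if not nonces:
        return ["script-src carries no nonce"]
    findings = []
    for n, attrs in enumerate(re.findall(r"<script\b([^>]*)>", html, re.I), 1):
        m = re.search(r"\bnonce\s*=\s*[\"']([^\"']*)[\"']", attrs, re.I)
        if m is None or m.group(1) not in nonces:
            findings.append(f"script tag {n} has no matching nonce")
    return findings
```

Feed it the headers and body of a fetched page (raw response, not the DevTools element inspector, since browsers hide nonce values from the DOM after load).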