Setting custom headers on domain alias doesn't seem to work

Site name:
Deploys as:
Domain alias:

I’m trying to set custom headers on the responses sent from

  for = "*"

    Cross-Origin-Opener-Policy = "same-origin"
    Cross-Origin-Embedder-Policy = "require-corp"

The resources at are served via a 200 redirect elsewhere on the main domain:

  from = "*"
  to = ""
  status = 200

Right now:

  • the deploy succeeds
  • the resources are found and served
  • however, the responses are lacking the headers I need — so the page ends up not working correctly

I expected either:

  • a deploy error causing a failed deploy, because I’m attempting to do something that isn’t supported, or
  • all this to work properly: my resources to be delivered with the custom headers I specified.

Things I’ve tried:

  • I’ve added a [[headers]] block with the custom headers for the redirect destination*. This didn’t have any noticeable effect – the headers were still not present.
  • Reading the docs on headers, redirects, and domain aliases. The headers page doesn’t mention anything about subdomains or domain aliases, and the redirects and domain aliases pages don’t mention anything about headers.

So far I’ve really been enjoying using Netlify for my side projects! This is the first time I’ve found myself really blocked, and I hope someone more experienced with Netlify might be able to help. Thanks!

Hello there!

Before I start diving into this, I would like just a little bit more info. You have outlined everything very well so far, but just to be thorough, could I see your _headers file or at least the part where you are setting the paths available for your headers? This way I will be able to rule out any obvious syntax errs, and investigate properly.


1 Like

Ah, I found the likely misconfiguration – a typo in the path field of a [[headers]] block. Oof. Sorry about that. Expectation bias can get you even when you know it’s a thing :sweat_smile:

It might be good to tweak the docs along the lines of your post, to help future users find this problem. Right now, the docs aren’t explicit nor clear about which headers are end-user-visible when a request is redirected with status 200: are they the headers of the redirected-from path, or the headers of the redirected-to path.

Based on your question, I figured out that the answer must have been “the headers served by the redirected-to path.” Otherwise, you wouldn’t have asked to see the other headers as I included the redirected-from headers in the original post.

And knowing that I really needed to look closely at just that one headers rule made the typo obvious, whereas looking at multiple headers and redirects blocks at once made it anything-but.

Thanks again for the speedy help — it’s much appreciated!

Thanks for coming back and letting us know! Glad you found a solution :netliconfetti: