Setting response headers only on documents

I’ve tried this as a test case:

[[headers]]
  for = "/*"
    [headers.values]
    X-Document-Only-1 = "true"
    X-Document-Only-2 = "true"
    X-Document-Only-3 = "true"
    X-Document-Only-4 = "true"

[[headers]]
  for = "/*.*"
    [headers.values]
    X-Document-Only-2 = "false"
    X-Document-Only-3 = false
    X-Document-Only-4 = " "

This results in the following on documents, as expected:

x-document-only-1: true
x-document-only-2: true
x-document-only-3: true
x-document-only-4: true

And these are the headers set on static objects, e.g. foobar.jpg:

x-document-only-1: true
x-document-only-2: false
x-document-only-3: true
x-document-only-4: true

This implies that it is not possible to set a header only on documents.

You could try for = "/*.html". This should make any headers defined for that only affect files with that extension and I think it should work for implicit files too (paths that end with a slash that has an index.html file). Could you give that a try?

Unfortunately that does not work (see https://app.netlify.com/sites/simonhearne/deploys/5e00e2e86a200d0007b165cf). Even if it did, there is still a ‘default headers’ issue here - can I set a for="*" header ruleset and override for specific paths / filetypes?

It does work. If you go to: https://5e00e2e86a200d0007b165cf--simonhearne.netlify.com/index.html, where the path includes the file name and extension, you’ll see the headers you defined. Note that header rules are cumulative so if you set the same header with different values than the ones our system sets, your values should override the default.

With regard to specific paths/filetypes, what you see is what you get. The redirect rule I showed you is meant to make a rule apply only to the specific filetype. That said, I’m not sure what you mean by for="*" but with that rule only applying to certain paths/filetypes. The for property is what you use to define what the rule applies to.

Perhaps I’m not understanding what your need is. If you can provide more specific details, like what you end goal is, I’ll try to provide better advice.

Hi,

I have one use case: adding Content Security Policy (CSP) headers to HTML pages.
As described here, adding such headers to non-HTML resources contributes to header bloat: https://webhint.io/docs/user-guide/hints/hint-no-html-only-headers/

Ideally, I’d like the following URLs to have the CSP headers:

  • https://example.com/
  • https://example.com/about/
  • https://example.com/url-returning-a-404

And the following URLs to not have the CSP headers:

  • https://example.com/robots.txt
  • https://example.com/favicon.ico
  • https://example.com/assets/main.css
  • https://example.com/assets/main.js

IMHO, the cleanest way to do this would not be to go via overrides, but to have an additional way to apply headers only to specific media types. It could be “additive”, allowing one to apply headers only for a specific path and for a specific media type:

[[headers]]
  for = "/*"
  forMediaType = "text/html"
  [headers.values]
    Content-Security-Policy = "..."

Cheers,
Pablo

Yes, but my pages (like many folks’) are not served with a ‘.html’ extension, try https://5e00e2e86a200d0007b165cf--simonhearne.netlify.com/ instead of https://5e00e2e86a200d0007b165cf--simonhearne.netlify.com/index.html

So what I think you are saying is that it is impossible to set different headers for documents served at directory roots.

Yes this makes sense. I’m sure there are other use cases for this as well.

Hi, I filed the enhancement request referencing this post. We’ll update here if and when that request gets implemented. Thanks!


Like @pablot I’m also after a way to target html pages so I can apply CSP and feature policy headers only to them. There’s no need for other files to have these headers (and probably many others) and they can be rather bulky. A media type matcher would be perfect for this.

Hi, @qubyte, and welcome to the Netlify community site. :smiley:

I added this as a +1 to the feature request and we’ll post an update here if/when this becomes possible.


I’m watching too, because some headers on resources cause issues (if the resource is cached and served by a Service Worker, a “preload” HTTP Link header can result in recursive fetches).


I need to be able to do this as well. Webhint complains that CSP headers are being set on unnecessary assets like CSS files, images etc., when all I need is for them to be on documents.

If you have a CDN in front of your Netlify deployment, you might be able to strip headers from static asset requests. E.g. here is a CloudFlare Worker which does this on simonhearne.com: https://gist.github.com/simonhearne/2715250eaccb911ebfff9e2315b2ffee
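Added example to illustrate the edge-side approach described in the post above; it is not the linked gist and not Netlify code. It is a Cloudflare-Worker-style fetch handler that decides "document or not" from the origin response's Content-Type rather than from the URL pattern, so directory-root pages and HTML 404 pages keep their CSP while CSS, JS, images and robots.txt lose the document-only headers. The list of header names is an assumption to edit for your site. Request, Response and Headers are the standard Fetch API globals, so the helpers also run under Node 18+ for local testing.

```javascript
// Added example: strip document-only response headers at the edge.
// Assumption: this list of header names is what you consider HTML-only.
const DOCUMENT_ONLY_HEADERS = [
  'content-security-policy',
  'content-security-policy-report-only',
  'feature-policy',
  'permissions-policy',
  'x-frame-options',
  'link', // preload hints on a cached asset can trigger recursive fetches
];

// True when the response body is an HTML document. The check uses the media
// type only (parameters such as "; charset=utf-8" are ignored), so an HTML
// 404 page served for /some-missing-url is still treated as a document.
function isHtmlDocument(response) {
  const contentType = (response.headers.get('content-type') || '').toLowerCase();
  return contentType.split(';')[0].trim() === 'text/html';
}

// Returns the response unchanged for HTML documents, otherwise a copy with
// the document-only headers removed. Header names are matched
// case-insensitively by the Headers class. Responses with no body (204/304)
// are copied as-is because their body is null.
function stripDocumentOnlyHeaders(response) {
  if (isHtmlDocument(response)) return response;
  const headers = new Headers(response.headers);
  let removed = 0;
  for (const name of DOCUMENT_ONLY_HEADERS) {
    if (headers.has(name)) {
      headers.delete(name);
      removed += 1;
    }
  }
  if (removed === 0) return response;
  return new Response(response.body, {
    status: response.status,
    statusText: response.statusText,
    headers,
  });
}

// Offline demonstration with constructed responses standing in for what the
// origin (for example Netlify) would return for a page and for a stylesheet.
function demo() {
  const csp = "default-src 'self'";
  const page = stripDocumentOnlyHeaders(new Response('<p>hello</p>', {
    headers: { 'content-type': 'text/html; charset=utf-8', 'content-security-policy': csp },
  }));
  const stylesheet = stripDocumentOnlyHeaders(new Response('body{}', {
    headers: {
      'content-type': 'text/css',
      'content-security-policy': csp,
      'link': '</assets/main.css>; rel=preload; as=style',
      'cache-control': 'max-age=31536000',
    },
  }));
  return {
    pageKeepsCsp: page.headers.get('content-security-policy') === csp,
    cssDroppedCsp: stylesheet.headers.get('content-security-policy') === null,
    cssDroppedLink: stylesheet.headers.get('link') === null,
    cssKeepsCacheControl: stylesheet.headers.get('cache-control') === 'max-age=31536000',
  };
}

// Worker entry point (service-worker syntax): forward the request to the
// origin configured for the route and filter the response on the way back.
// Guarded so the file also loads in Node, where addEventListener is absent.
if (typeof addEventListener === 'function') {
  addEventListener('fetch', (event) => {
    event.respondWith(fetch(event.request).then(stripDocumentOnlyHeaders));
  });
}
```

Deciding on Content-Type rather than on the path is what makes this work for URLs ending in a slash: the origin tells you the media type, so no extension matching is needed. Keep the worker's header list in step with the `for = "/*"` rule in netlify.toml, otherwise a header you later add to the document rule will leak onto assets again.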

I also would like to add CSP and other headers only to HTML resources, most of which are loaded with URL ending with ‘/’, not ‘.html’, so I hope there will be a solution soon.

I also tried to unset the Etag header, it’s not possible. :disappointed_relieved:

We’ve added all of your views to an open feature request. If/when this is evaluated, we’ll let you know!

Why is it not working in my case?

```toml
[[headers]]
  for = "/*.js"
  [headers.values]
    cache-control = "max-age=31536000"

  for = "/*.css"
  [headers.values]
    cache-control = "max-age=31536000"

  for = "/*.woff"
  [headers.values]
    cache-control = "max-age=31536000"

  for = "/*.png"
  [headers.values]
    cache-control = "max-age=31536000"
```

Here only the .js file gets bundled, but in the network tab I see for: "/*.png" on the bundle.js header. That means bundle.js is getting the header for "/*.png". Why? And why are the others not working?

Hi, @Nakib, would you please send us the URL where the header isn’t working? If you do so, we’ll be happy to take a look to see what is happening and why.

I have changed the .toml file a little and now it is working for all files except .html files. My site: https://tender-ramanujan-0bcb6d.netlify.app/. So please check why it is not working for .html files.

Hey @Nakib,
I believe we answered your above question over here:

As for the *.html files, you will not be able to accomplish what you want today. This comment explains:

We’ve opened a feature request and have added your +1 to it. We’ll definitely update here if there’s any movement on that!

As for the *.html files, you will not be able to accomplish what you want today.

so… are we there yet? :nerd_face:

lighthouse complains about a malformed robots.txt due to preload headers with a /* rule.