Setting response headers only on documents

I would also like to add CSP and other headers only to HTML resources, most of which are loaded with a URL ending in ‘/’, not ‘.html’, so I hope there will be a solution soon.

I also tried to unset the Etag header, it’s not possible. :disappointed_relieved:

We’ve added all of your views to an open feature request. If/when this is evaluated, we’ll let you know!

Why is it not working in my case?

```toml
[[headers]]
for = "/*.js"
[headers.values]
    cache-control = "max-age=31536000"

for = "/*.css"
[headers.values]
    cache-control = "max-age=31536000"

for = "/*.woff"
[headers.values]
    cache-control = "max-age=31536000"

for = "/*.png"
[headers.values]
    cache-control = "max-age=31536000"
```

Here only the .js file gets bundled, but in the network tab I see for: "/*.png" on the bundle.js header. That means bundle.js is getting the header for "/*.png". Why? And why are the others not working?

Hi, @Nakib, would you please send us the URL where the header isn’t working? If you do so, we’ll be happy to take a look to see what is happening and why.

I have changed the .toml file a little and now it is working for all files except .html files. My site: https://tender-ramanujan-0bcb6d.netlify.app/. So please check why it is not working for .html files.

Hey @Nakib,
I believe we answered your above question over here:

As for the *.html files, you will not be able to accomplish what you want today. This comment explains:

We’ve opened a feature request and have added your +1 to it. We’ll definitely update here if there’s any movement on that!

As for the *.html files, you will not be able to accomplish what you want today.

so… are we there yet? :nerd_face:

lighthouse complains about a malformed robots.txt due to preload headers with a /* rule.

Unfortunately not! Though, you may be able to circumvent the error by specifying more specific paths (assuming not all .html files are in your root directory).

then you should allow for _headers templating.

correct me if i’m wrong but, your documentation says you will look in the publish dir for the _headers file, but if i template it, let’s say with jekyll, i get syntax errors, because you are looking in the root dir instead of the processed /site/_headers file.

Not too sure what you’re templating, I’m afraid! Feels a little bit redundant however maybe I’m missing a part of your workflow?

My suggestion was that, in your _headers file, you could have something like:

```
/:paths/index.html
  [not the /* rule]

[...existing rules]
```

or

```
/pages/*
  [not the /* rule]

[... existing rules]
```

Depending on your site’s hierarchy :slight_smile: If you’re looking for dynamic header creation, perhaps a build plugin would be more practical, with inspiration from a plugin like this perhaps?

i added a blank line and it seems to be working now…

the root _headers file looks like this:

```liquid
---
layout: null
---
{%- assign urls = site.pages | map: 'url' | sort -%}
{%- for url in urls %}
{%- if url == '/404' -%}{% continue %}{%- endif -%}
{{url}}
  X-Frame-Options: DENY
  X-XSS-Protection: 1; mode=block
  Referrer-Policy: strict-origin-when-cross-origin
  Permissions-Policy: microphone=(), camera=(), geolocation=(self "https://probely.com")
  Content-Security-Policy: default-src 'self' https: data: wss: blob: 'unsafe-inline'; script-src 'self' https: data: 'unsafe-inline' 'unsafe-eval'; report-uri https://probely.report-uri.com/r/d/csp/enforce
  Link: </assets/fonts/inter/Inter-Roman.var.woff2>; rel=preload; as=font; type="font/woff2"; crossorigin=anonymous

{% endfor %}
```

the build ran successfully

spoke too soon… it’s not working… although the generated /site/_headers seems fine.

and if i take the result of this template and paste it in the root _headers file it works.

Hi @cdeath,

Could you share the repo? As long as the headers file is getting correctly generated in the publish path, it should work fine.

i don’t have permissions for it… sorry…
but i’ll try to replicate this in another repo and invite you later.

This has become a major blocker on the project I’m working on (and a huge headache for our users) and I’m really hoping I’m just missing something obvious.

We have a SPA built using SvelteKit. All pages should have a no-cache header but all assets should not. Without the no-cache header, deploys break. It’s critical.

The problem is, I can’t figure out how to add this header on just the pages and not the assets.

The pages themselves don’t use the .html extension, so an *.html glob is not an option.

Pages deeper in the app, like /about, must also have this no-cache header, so / isn’t an option either.

URLs are dynamic and prerendered, so I can’t set headers manually on every single page in the configuration file.

How can I accomplish this? Any help would be so appreciated.

Hi @greyivy,

The only way at the moment that would work for you is to write a template that would generate the required headers for all the paths. So, your build command would generate the required _headers file.

I don’t have a better answer, but until the feature is implemented, that’s the only workaround apart from manually typing all the paths.

Is there any progress on this?

Hi @okikio,

Unfortunately, no. The only solution is the one before your reply other than manually typing all the values.

I hope Netlify implements this feature soon.

Any word on this? IIUC, it is still not possible to set headers specifically and only for requests that do not end in an extension, like .html, or a slash and do not have a common prefix to match against and without adding all (known) individual paths to _headers or netlify.toml.

Example:
I want to set a header on requests for “/contact”, “/about”, “/privacy”, etc., but not for “/images/logo.png”, “/favicon.ico”, “/styles/common.css”.
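
The workaround given in the replies above (have the build generate `_headers` with one rule per page) can be scripted as a post-build step that lists only HTML documents, so paths such as `/images/logo.png` never match a page rule. This is an added example, not code from this thread or from Netlify; the header values, the function names and the `HEADERS_PUBLISH_DIR` variable are assumptions, and it emits both `/contact` and `/contact/` forms because which one is requested depends on the site's URL settings.

```javascript
// Added example: build-time generator for a _headers file listing each page.
// PAGE_HEADERS holds sample values; replace them with the site's own policy.
const PAGE_HEADERS = [
  "Cache-Control: no-cache",
  "X-Frame-Options: DENY",
  "Referrer-Policy: strict-origin-when-cross-origin",
  "Content-Security-Policy: default-src 'self'",
];

// Map a file path (relative to the publish dir) to the URL paths serving it.
// Non-HTML files (images, CSS, fonts, scripts) yield [] and get no rule.
function urlsForFile(relPath) {
  const p = "/" + relPath.split("\\").join("/");
  if (!p.endsWith(".html")) return [];
  // Fail closed: whitespace or control characters in a file name could
  // inject extra lines into the generated _headers file.
  if (/[\s\x00-\x1f]/.test(p)) throw new Error("unsafe path: " + JSON.stringify(p));
  if (p.endsWith("/index.html")) {
    const dir = p.slice(0, -"index.html".length); // "/" or "/contact/"
    return dir === "/" ? ["/"] : [dir.slice(0, -1), dir];
  }
  return [p.slice(0, -".html".length), p]; // "/about" and "/about.html"
}

// Render the _headers text: one block per URL, headers indented two spaces.
function renderHeaders(relPaths, headers = PAGE_HEADERS) {
  const urls = [...new Set(relPaths.flatMap(urlsForFile))].sort();
  const block = (u) => [u, ...headers.map((h) => "  " + h)].join("\n");
  return urls.map(block).join("\n\n") + "\n";
}

// Walk publishDir and write publishDir/_headers (overwrites an existing one).
// readdir's recursive option needs Node 18.17+ or 20.1+.
async function writeHeadersFile(publishDir) {
  const fs = await import("node:fs/promises");
  const path = await import("node:path");
  const files = await fs.readdir(publishDir, { recursive: true });
  const text = renderHeaders(files);
  await fs.writeFile(path.join(publishDir, "_headers"), text);
  return text;
}

// HEADERS_PUBLISH_DIR is a hypothetical variable name chosen for this example.
if (process.env.HEADERS_PUBLISH_DIR) {
  writeHeadersFile(process.env.HEADERS_PUBLISH_DIR).catch((e) => {
    console.error(e);
    process.exitCode = 1;
  });
}
```

Run it after the site build, with the variable pointing at the publish directory, so the generated file lands where the deploy picks it up.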