To make the management of CSP easier while working with hugo how can i add the hash in csp taken from script tag
<script> some code here</script>
# the above code minified by hugo like this
Content-Security-Policy: script-src 'sha256-somethingsomethin'
how can i make use of the hash to match the exported code in _headers file?
i try to minify some scripts in advance but hugo still manage to change somethings which result in the end code not matching exactly which fails the hash check by CSP
This really helped solve the issue, hugo does have an _header file which can be used while using hugo server is it possible to use the hugo partials in the server.yaml file and export it as the _headers file?
Since all the setup is already done in the server.yaml file. for netlify there seems to be an easy management of _headers but other hosts like cloudflare need an _headers file to read and apply rules.
Well… I usually generate _headers and _redirects files using Hugo’s output formats but I read my own settings in site.Params.
Now your suggestion would be great, as those could be set for local and deploy… But… I don’t know of a way to retrieve the server config with Hugo… site.Config is very limited and does not return the server config.
Not exactly related to the thread (and if someone finds this thread in the future) … just a heads-up if you plan on extending support to Cloudflare Pages, their _header file has a limitation on the number of characters per line.
So for CSP, where hashes are usually included, it will eventually reach that limit and the CSP line will be ignored. The only way around it is to use Cloudflare Workers where there is no limit.
I don’t know who marked the solution. But I wouldn’t call that a solution. I was following this thread hoping that it concludes with a link to a Hugo component repo that I can mount as a module in my site and automatically start getting the CSP headers updated .
Regis did provide a really good workaround, so I marked it as a solution. The marking solution was an act of disappointment as, normally, when Hugo managers mark a post not related to Hugo, it is almost impossible to get them onboard or convince.
I wonder as I can use CSP when running hugo server why that policy cannot be simply copied when running hugo? Also, I wonder if there was a method to use hugo partials as suggested by @regis previously
what i am currently doing is after each build i will look in the code to find the hash and then edit the _header file manually but this need to be done after each build. I cannot use hugo partial in _header file, so i am thinking may be create an extra html file with all the hashes using partial and then simply copy all hashes at once to _header file.
But that also make things complicated as to make sure the extra page doesnt show up in sitemap etc.
I just need to put in time to develop a custom output format for netlify.toml and corresponding layout that updates only the hashes. I haven’t found time for that. If I get to implementing this, I will share that solution.