Hugo's content security policy.How does it work?

Hi there,

In my project, I utilized the custom headers from Hugo docs. However, no code appears to have been uploaded to the webpage. Is the code below supposed to add an html element to the head, or is it just for netlify-style hosting?

  - for: /**
      Content-Security-Policy: script-src localhost:1313
      Referrer-Policy: strict-origin-when-cross-origin
      X-Content-Type-Options: nosniff
      X-Frame-Options: DENY
      X-XSS-Protection: 1; mode=block

An html tag, like shown below, is what I’m expecting to see. Is it possible that I’m imagining things incorrectly?

<meta http-equiv=“Content-Security-Policy” content=”default-src ‘self’; img-src *”>

thanks for taking the time



set HTTP headers during development

An HTTP header is not the same thing as an HTML element within your document’s <head> section.

See, specifically response headers.


thanks @jmooring

Now I see where my uncertainty stemmed from. The CSP only affects the Hugo server and does not export any configuration files such as .htaccess. Keeping the header setting in the Hugo setup is quite convenient. Can I create an .htaccess file from layouts in the same way that I can a sitemap and a robot.txt file? Is there an existing example of such a layout that I could use as a starting point?

Thank you once more for taking the time to read and help.

1 Like

I can add that the server config syntax closely mimics Netlify’s. You get some duplication, but you at least remove some of the surprises in this area when you go from dev to “production” and suddenly see lots of CSP errors etc. in the browser.


This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.