I’m setting up the option for hugo server headers in dev mode.
It works well and it is really cool to see right away what is happening without going live.
But for Netlify, I use index.headers and outputFormats.HEADERS so I can use partials to generate my custom CSP.
But config/development/server.yaml doesn’t seem to go through the templating engine (which makes sense). So I get the literal template call and not the result.
Is there any possibility/workaround/tip to have my hugo server dev headers evaluate my partial?

config/development/server.yaml => does not evaluate my partial
headers:
  - for: /**
    values:
      Referrer-Policy: strict-origin-when-cross-origin
      X-Content-Type-Options: nosniff
      X-Frame-Options: DENY
      X-XSS-Protection: 1; mode=block
      Content-Security-Policy: script-src localhost:1313 'self' {{ partial "plausible_csp.html" . }}; frame-src 'self' https://umap.openstreetmap.fr https://www.youtube.com; default-src 'self'; manifest-src 'self'; connect-src 'self' {{ partial "plausible_csp.html" . }}; font-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; form-action 'none'; base-uri 'none'; object-src 'none'

index.headers => evaluates my partial correctly
/*
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-Frame-Options: SAMEORIGIN
  Referrer-Policy: strict-origin
  Feature-Policy: geolocation 'self'
  Permissions-Policy: geolocation=(self), microphone=()
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  Content-Security-Policy: script-src 'self' {{ partial "plausible_csp.html" . }}; frame-src 'self' https://umap.openstreetmap.fr https://www.youtube.com; default-src 'self'; manifest-src 'self'; connect-src 'self' {{ partial "plausible_csp.html" . }}; font-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; form-action 'none'; base-uri 'none'; object-src 'none'
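
One way to keep the dev headers in step with the templated production ones, as an added example that is not part of the original post and not a Hugo feature: a script that reads the already rendered Netlify headers file and emits the `headers:` block for config/development/server.yaml, adding `localhost:1313` to `script-src` as the dev config above does. The function names are hypothetical, the sample input is constructed with a placeholder host, and where the rendered file ends up (for example `public/_headers`) is an assumption about the site's output format settings.

```python
import json

# Constructed sample of a rendered Netlify headers file, after Hugo has
# evaluated the partial (plausible.example is a placeholder host).
RENDERED = """\
/*
  X-Content-Type-Options: nosniff
  Content-Security-Policy: script-src 'self' https://plausible.example; connect-src 'self' https://plausible.example; default-src 'self'
"""

def parse_netlify_headers(text):
    """Parse Netlify _headers syntax into [(path, {name: value})]."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not raw[0].isspace():  # an unindented line starts a path rule
            rules.append((line, {}))
            continue
        name, sep, value = line.partition(":")
        if not rules or not sep:
            raise ValueError(f"malformed header line: {line!r}")
        if "{{" in value:  # template call that was never evaluated
            raise ValueError(f"unrendered template in {name}")
        rules[-1][1][name.strip()] = value.strip()
    return rules

def add_source(csp, directive, source):
    """Append `source` to one CSP directive, leaving the others untouched."""
    parts = [p.strip() for p in csp.split(";") if p.strip()]
    return "; ".join(
        f"{p} {source}" if p.split()[0] == directive and source not in p.split()
        else p for p in parts)

def to_server_yaml(rules, dev_source="localhost:1313"):
    """Emit a Hugo server.yaml `headers:` block from the parsed rules."""
    out = ["headers:"]
    for path, values in rules:
        glob = path + "*" if path.endswith("/*") else path  # /* -> /**
        out += [f"  - for: {json.dumps(glob)}", "    values:"]
        for name, value in values.items():
            if name.lower() == "content-security-policy":
                value = add_source(value, "script-src", dev_source)
            out.append(f"      {name}: {json.dumps(value)}")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(to_server_yaml(parse_netlify_headers(RENDERED)))
```

The parser rejects any value that still contains `{{`, so a header file that was copied rather than rendered cannot silently ship a literal template call as a CSP source.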