I’m setting up the option for hugo server headers in dev mode.
It works well and it is really cool to see right away what is happening without going live.
But for Netlify, I use index.headers and outputFormats.HEADERS so I can use partials to generate my custom CSP.
But config/development/server.yaml doesn’t seem to go through the templating engine (which makes sense). So I get the literal template call and not the result.
Is there any possibility/workaround/tip to have my hugo server dev headers evaluate my partial?
config/development/server.yaml => does not evaluate my partial
headers:
  - for: /**
    values:
      Referrer-Policy: strict-origin-when-cross-origin
      X-Content-Type-Options: nosniff
      X-Frame-Options: DENY
      X-XSS-Protection: 1; mode=block
      Content-Security-Policy: script-src localhost:1313 'self' {{ partial "plausible_csp.html" . }}; frame-src 'self' https://umap.openstreetmap.fr https://www.youtube.com; default-src 'self'; manifest-src 'self'; connect-src 'self' {{ partial "plausible_csp.html" . }}; font-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; form-action 'none'; base-uri 'none'; object-src 'none'
index.headers => evaluates my partial correctly
/*
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  X-Frame-Options: SAMEORIGIN
  Referrer-Policy: strict-origin
  Feature-Policy: geolocation 'self'
  Permissions-Policy: geolocation=(self), microphone=()
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  Content-Security-Policy: script-src 'self' {{ partial "plausible_csp.html" . }}; frame-src 'self' https://umap.openstreetmap.fr https://www.youtube.com; default-src 'self'; manifest-src 'self'; connect-src 'self' {{ partial "plausible_csp.html" . }}; font-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; form-action 'none'; base-uri 'none'; object-src 'none'
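An added example, not part of the original post and not Hugo's own code: because server.yaml is not templated, one option is to build once and convert the rendered Netlify headers output into the `headers:` block, adding the dev-only `localhost:1313` source to `script-src`. The sample input is constructed, `https://plausible.example` is a placeholder for the partial's output, and the function names are hypothetical.

```python
import json

# Constructed sample of index.headers after Hugo has evaluated the partial.
# "https://plausible.example" stands in for the partial's real output.
RENDERED_HEADERS = """\
/*
  X-Frame-Options: SAMEORIGIN
  Content-Security-Policy: script-src 'self' https://plausible.example; connect-src 'self' https://plausible.example; default-src 'self'
"""

def parse_netlify_headers(text):
    """Parse Netlify-style headers text into [(path, {header: value})]."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # a path line starts a new rule
            rules.append((line, {}))
        elif rules and ":" in line:
            name, value = line.split(":", 1)
            rules[-1][1][name.strip()] = value.strip()
    return rules

def add_source(csp, directive, source):
    """Append source to one CSP directive, leaving the others untouched."""
    out = []
    for part in filter(None, (p.strip() for p in csp.split(";"))):
        tokens = part.split()
        if tokens[0].lower() == directive and source not in tokens[1:]:
            tokens.append(source)
        out.append(" ".join(tokens))
    return "; ".join(out)

def to_server_yaml(rules, dev_script_src="localhost:1313"):
    """Emit a headers: block; a trailing Netlify /* becomes Hugo's /** glob."""
    lines = ["headers:"]
    for path, values in rules:
        glob = path[:-1] + "**" if path.endswith("/*") else path
        lines.append("  - for: " + json.dumps(glob))
        lines.append("    values:")
        for name, value in values.items():
            if name.lower() == "content-security-policy":
                value = add_source(value, "script-src", dev_script_src)
            # JSON strings are valid YAML double-quoted scalars.
            lines.append(f"      {name}: {json.dumps(value)}")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(to_server_yaml(parse_netlify_headers(RENDERED_HEADERS)))
```

Feed it the headers file from a real build instead of the sample and write the result to config/development/server.yaml before starting `hugo server`; the literal `{{ partial ... }}` call never reaches the browser because only rendered output is converted.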