Security Policies # how to get a proper security with hugo

assa · May 27, 2023, 2:17pm

https://securityheaders.com is complaining that

Content-Security-Policy
X-Frame-Options
X-Content-Type-Options
Referrer-Policy
Permissions-Policy

are not available in my website.

I added

and

[[headers]]
  for = "/*"
  [headers.values]
    Content-Security-Policy = "default-src 'self' 'unsafe-eval' 'unsafe-inline' ;"

In the head of the site there is no " Content-Security-Policy"
I don’t use external source e.g. for tracking and all fonts are local.
How to get the (simplest) policies for such a use case (generated automatically by hugo)?

Arif · May 27, 2023, 2:57pm

This is not a Hugo issue per se, but the server you are using to host your website. Where are you hosting your site?

frjo · May 27, 2023, 6:19pm

The “headers” setting is only for the development server, see Configure Hugo | Hugo

You need to configure your web server as @Arif say.

Topic		Replies	Views
Hugo's content security policy.How does it work? support	5	1434	April 4, 2022
Trying to add a contact form to a hugo website recieving Content-Security-Policy warnings support	2	515	October 26, 2022
Dev, localhost and CORS support	11	6576	November 28, 2016
Hugo page not found support	1	1496	August 26, 2016
Can't make the local server use headers support	3	758	November 12, 2021

Security Policies # how to get a proper security with hugo

Related Topics