Security Policies # how to get a proper security with hugo is complaining that

  • Content-Security-Policy
  • X-Frame-Options
  • X-Content-Type-Options
  • Referrer-Policy
  • Permissions-Policy

are not available in my website.

I added


  for = "/*"
    Content-Security-Policy = "default-src 'self' 'unsafe-eval' 'unsafe-inline' ;"

In the head of the site there is no " Content-Security-Policy"
I don’t use external source e.g. for tracking and all fonts are local.
How to get the (simplest) policies for such a use case (generated automatically by hugo)?

This is not a Hugo issue per se, but the server you are using to host your website. Where are you hosting your site?

The “headers” setting is only for the development server, see Configure Hugo | Hugo

You need to configure your web server as @Arif say.