Security Policies # how to get a proper security with hugo

assa · May 27, 2023, 2:17pm

https://securityheaders.com is complaining that

Content-Security-Policy
X-Frame-Options
X-Content-Type-Options
Referrer-Policy
Permissions-Policy

are not available in my website.

I added

and

[[headers]]
  for = "/*"
  [headers.values]
    Content-Security-Policy = "default-src 'self' 'unsafe-eval' 'unsafe-inline' ;"

In the head of the site there is no " Content-Security-Policy"
I don’t use external source e.g. for tracking and all fonts are local.
How to get the (simplest) policies for such a use case (generated automatically by hugo)?

Arif · May 27, 2023, 2:57pm

This is not a Hugo issue per se, but the server you are using to host your website. Where are you hosting your site?

frjo · May 27, 2023, 6:19pm

The “headers” setting is only for the development server, see Configure Hugo | Hugo

You need to configure your web server as @Arif say.

Topic		Replies	Views
Hugo's content security policy.How does it work? support	5	1781	April 4, 2022
I cannot find some terms on Hugo search index support	0	19	October 21, 2024
Content-Security-Policy vs Hugo's syntax highlighting in code blocks support	6	1261	February 25, 2021
About Hugo's security model Announcements	1	544	December 22, 2019
Hugo Data Input Validation Security support	2	906	July 18, 2019

Security Policies # how to get a proper security with hugo

Related topics