We are using Apache2 on our server, which is behind Cloudflare (free plan).
I am currently implementing Google's reCAPTCHA, which requires me to make changes to our CSP headers. What I did:
- Change CSP in Apache VHOST
- apachectl configtest - all OK
- Restart apache
- Check if CSP is working & reCAPTCHA gets loaded → for the first 1-2 page visits it did work, but then I got the error:
  Refused to load https://www.gstatic.com/recaptcha/releases/2Mfykwl2mlvyQZQ3PEgoH710/recaptcha__en.js because it does not appear in the script-src directive of the Content Security Policy.
  Browser: Safari without any add-ons. I reloaded a few more times and got the error every 2-3 page reloads.
- To see if my CSP is the issue, I removed the CSP headers completely & restarted Apache
- Reloaded the page, but every 2 or 3 reloads I get the above error message again.
- I checked the response headers and saw that every few page reloads the old CSP headers are returned, which I had deleted before.
What could be the issue? I assume that this issue is related to Cloudflare. I already purged Cloudflare caches and set the TTL to “Respect existing headers”, but no change. I also tried it on Chrome and FF, no luck. I bypassed caching for all URLs and cleared the browser's cache but still the same. Am I missing something here? Or does it take some time for the changes to appear?
Left wrong response, right correct response:
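
An added example, not part of the original post: one way to check whether the stale policy tracks a Cloudflare cache hit is to group saved response headers by their CSP value and see which other headers differ between the groups. The header blocks and the old policy string below are constructed placeholders, and the function names are hypothetical.

```python
from collections import defaultdict
from email.parser import HeaderParser

# Constructed sample data (not from the post): response header blocks saved
# from five reloads after the CSP was removed at the origin.
OLD = "Content-Security-Policy: script-src 'self'\n"  # placeholder for the deleted policy
SAMPLES = [
    "Server: cloudflare\nCF-Cache-Status: DYNAMIC\n",
    OLD + "Server: cloudflare\nCF-Cache-Status: HIT\nAge: 1200\n",
    "Server: cloudflare\nCF-Cache-Status: DYNAMIC\n",
    OLD + "Server: cloudflare\nCF-Cache-Status: HIT\nAge: 1260\n",
    "Server: cloudflare\nCF-Cache-Status: DYNAMIC\n",
]

# Headers that hint at where a response came from (edge cache vs. origin).
WATCHED = ("CF-Cache-Status", "Age", "Server")

def group_by_csp(raw_blocks):
    """Group responses by CSP value; record the watched header values seen with each."""
    groups = {}
    parser = HeaderParser()
    for raw in raw_blocks:
        msg = parser.parsestr(raw)  # header names are matched case-insensitively
        csp = (msg.get("Content-Security-Policy") or "<none>").strip()
        group = groups.setdefault(csp, {"count": 0, "seen": defaultdict(set)})
        group["count"] += 1
        for name in WATCHED:
            group["seen"][name].add(msg.get(name, "<absent>"))
    return groups

def distinguishing_headers(groups):
    """Watched headers whose values never overlap between two CSP variants."""
    result = []
    for name in WATCHED:
        value_sets = [g["seen"][name] for g in groups.values()]
        overlap = any(a & b for i, a in enumerate(value_sets) for b in value_sets[i + 1:])
        if len(value_sets) > 1 and not overlap:
            result.append(name)
    return result

if __name__ == "__main__":
    groups = group_by_csp(SAMPLES)
    for csp, g in groups.items():
        print(g["count"], "x", csp, {k: sorted(v) for k, v in g["seen"].items()})
    print("tracks the CSP variant:", distinguishing_headers(groups))
```

If no watched header separates the variants, the difference is not explained by edge caching alone, and the origin side is the next place to compare.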