Cloudflare pages _header file line limit?

Hi there,

Seems like the Cloudflare _headers file totally ignores the CSP if it is lengthy. What can I do to fix this? I only have 4-5 sha512- hashes. What is the suggested and safe method to add a CSP in the Cloudflare Pages _headers file which defines

  • default-src
  • script-src
  • style-src
  • img-src
  • font-src
  • connect-src
  • media-src
  • object-src
  • prefetch-src
  • child-src
  • frame-src
  • worker-src
  • frame-ancestors
  • form-action
  • upgrade-insecure-requests
  • block-all-mixed-content
  • base-uri
  • manifest-src
  • report-uri

Usually this is all in one line. Is there a different format I can use in the header? For example, instead of using

Content-Security-Policy: default-src 'none'; child-src 'none'; frame-src 'none'; worker-src 'none';

can I break this into multiple lines to get around the current Cloudflare issue:

Content-Security-Policy: 
                     default-src 'none'; 
                     child-src 'none'; 
                     frame-src 'none'; 
                     worker-src 'none';

thanks for taking the time to help

How long is your CSP header? I have long ones and they load fine

1 Like

Hi @Cyb3r-Jak3

The character length of one line starting with Content-Security-Policy: default-src 'none'; script-src 'report-sample' is: 1380

Thanks

Can someone please tell me what the exact limit is that Cloudflare applies in the _headers file? Weeks have been spent creating the Content Security Policy and Cloudflare simply ignores it and does not ship it in the _headers file. I read somewhere that Cloudflare applies a limit, but what is that limit?

thanks

Just tried 2000 characters and got this error in the build log:

|16:34:45.133|    Ignoring line 8 as it exceeds the maximum allowed length of 1000.
4 Likes

thanks @Cyb3r-Jak3

So I suppose I need to get rid of 380 characters to make it under 1000.

If there is anyone here from official Cloudflare, I want to tell you that 1000 characters for a CSP is too small; with just a few hashes it will reach over 1000. Please make the limit 1380 :slight_smile:

Thanks

Dear Cloudflare team,

Can I use a CSP like this to bypass your 1000 character limit? Will this work or result in failure?

thanks

That will not work, headers are parsed per line.

What you can do is have multiple CSP policy headers. So if you manually split your CSP policy into two separate headers, they will be parsed by browsers as one header.
Example:

Content-Security-Policy: <part 1 of header>
Content-Security-Policy: <part 2 of header>
2 Likes

Hey,

We’re looking to increase this :slight_smile:

4 Likes

That’s how I would have done it as well. If you do this, just pay attention that you define each directive exclusively in a single CSP header line. So don’t redefine it in another line.

With this trick, the limitation of 1000 characters would now apply to every CSP directive, which I’m pretty sure is more than enough.

So maybe the Cloudflare Pages team could:

  1. implement a solution that would (if possible) split the header down on their own into its separate directives
  2. instead of triggering a warning/info and ignoring it, also append a link to the docs which describes how to solve it (Multiple content security policies), so users can do it manually.
  3. increase the limit, but I don’t know if it exists for good reasons. I at least am not aware of any IETF RFC limit on a response header’s max characters, nor size.

This approach (Multiple content security policies) can be used at nearly all other headers as well. Just have a look here: Scan results for https://www.heldmayer.com, where I used it for multiple Link headers.

Question to @WalshyMVP:
if you guys alter the limit of header value length, will it be altered in general, or just for the CSP?
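The split suggested above, together with the rule that each directive lives in exactly one header, as an added example that is not from the thread or from Cloudflare: it packs whole directives into header values under a length limit and first makes default-src explicit, because a browser enforces every Content-Security-Policy header on its own and a fetch directive absent from one header falls back to that header's default-src (the CSP3 fallback rule). The policy, the sha512 values and the report URL are constructed placeholders.

```python
# Constructed policy with the directives from the question (sha512 values are placeholders).
POLICY = (
    "default-src 'none'; script-src 'self' 'sha512-aGVsbG8gd29ybGQ=' 'sha512-Zm9vYmFy'; "
    "style-src 'self' 'sha512-YmF6cXV4'; img-src 'self' data:; font-src 'self'; "
    "connect-src 'self'; media-src 'none'; object-src 'none'; child-src 'none'; "
    "frame-src 'none'; worker-src 'none'; manifest-src 'self'; frame-ancestors 'none'; "
    "form-action 'self'; base-uri 'none'; upgrade-insecure-requests; report-uri https://example.invalid/csp"
)

# Fetch directives that fall straight back to default-src (CSP3); frame-src, worker-src
# and the *-elem/*-attr variants chain through these, so making these explicit covers them.
DIRECT_FALLBACK = ["child-src", "connect-src", "font-src", "img-src", "manifest-src",
                   "media-src", "object-src", "prefetch-src", "script-src", "style-src"]

def parse(policy):
    """Policy string -> {directive name: full directive text}, insertion order kept."""
    parts = [" ".join(p.split()) for p in policy.split(";")]
    return {p.split()[0].lower(): p for p in parts if p}

def split_policy(policy, limit=1000):
    """Pack whole directives into header values of at most `limit` chars. Each header is
    enforced separately, so default-src is expanded first and every header is self-contained."""
    d = parse(policy)
    if "default-src" in d:
        fallback = d.pop("default-src").partition(" ")[2]
        for name in DIRECT_FALLBACK:
            d.setdefault(name, f"{name} {fallback}".strip())
    headers, cur = [], ""
    for text in d.values():
        if len(text) > limit:
            raise ValueError(f"directive longer than {limit} chars: {text[:30]}")
        joined = f"{cur}; {text}" if cur else text
        if len(joined) > limit:
            headers.append(cur)
            joined = text
        cur = joined
    headers.append(cur)  # no trailing ';', so duplicate headers never join as ";,"
    return headers

def effective(values):
    """Per fetch directive, the source lists a resource must satisfy across all headers."""
    result = {}
    for value in values:
        d = parse(value)
        for name in DIRECT_FALLBACK:
            text = d.get(name) or d.get("default-src")
            if text:  # more than one entry for a directive means the headers clamp each other
                result.setdefault(name, set()).add(text.partition(" ")[2])
    return result
```

Running `effective` over a naive split such as `default-src 'none'` in one header and `script-src 'self'` in another shows two constraints on script-src, which is the clamping the expansion step avoids.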

thanks @Cyb3r-Jak3

this does solve the issue you are a legend.

Hi @WalshyMVP I’m not sure if you’re a Cloudflare representative. But I’d want to complain to you because this limit is quite difficult to locate, at least for me, and I’ve had no idea why CSP isn’t being applied for about a month, so I’ve been altering the policy. Please indicate this limit in your docs where you describe how to use the header file so that users are aware of it and may avoid the annoyance of not knowing what’s going on.

Thank you all again for your efforts in resolving this problem.

Hi @Cyb3r-Jak3

This method doesn’t work for me, as for some reason the produced CSP header has the wrong format:

default-src 'none';, script-src 'report-sample'

You can see an additional comma after the ; and this makes the browser miss parts of the CSP. When you separate a policy line, how do you end the line:

- default-src 'none';
- default-src 'none'
- default-src 'none',

The browser is expecting to get ; at the end of each policy type? For example

Content-Security-Policy: default-src 'none'; script-src 'self'

instead of how the Cloudflare header is currently being exported:

default-src 'none';, script-src 'report-sample'

Thanks

1 Like

@WalshyMVP is not, but his alter ego @Walshy is!

1 Like

I am unable to recreate the behavior you are seeing. When I was testing, I just cut and pasted policy sections from the first header to the second.

Here is an example:

Content-Security-Policy: default-src 'self' https://cloudflareinsights.com; script-src 'self' c.disquscdn.com https://ajax.cloudflare.com https://*.cloudflareinsights.com;
Content-Security-Policy: object-src 'none'; report-uri https://cyberjake.report-uri.com/r/d/csp/enforce

A modification has been requested here: [Pages] Clarify individual header length limit by KianNH · Pull Request #4614 · cloudflare/cloudflare-docs · GitHub

1 Like

I increased this today, not sure if a release will go out this week or next week but the work is done.

Representative sounds so formal… I work on the Pages team :slight_smile:

This is the whole line length being increased, so you can have a

/*
  X-Walshy-Is: awesomeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee

header if you’d like (you should :wink: )

3 Likes

May we know to what length? This may even be worth adding to the docs :slight_smile:

Finally … I can use the header I ever wanted!

1 Like

2k and yep, we’ll doc it. Since @KianNH already has an open PR I pinged him to update that.

2 Likes
