Direct Upload Project _headers File Ignored

When I upload a _headers file using the project direct upload, it does not show up in the _headers dashboard. I did some googling and assumed, per this post (https://community.cloudflare.com/t/bug-direct-uploads-failed-to-parse-redirects-and-headers-files/390733), that perhaps it just wasn’t showing in the dashboard. However, I scanned my website with Wapiti, Nikto, and some browser-based security scanner and they all said my website did not have an X-Frame-Options header or Content-Security-Policy. This is bothersome because I would like my website to be visible to those who use antivirus programs, and it’s being blocked by Kaspersky antivirus (I assume for this reason).

What else can I do to fix this while still using direct upload? I put the _headers.txt file in my root folder, should I move it?

Here is the current format of my _headers.txt file:

https://url.com/*
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer

https://url.com/assets/*
X-Robots-Tag: nosnippet

https://url.pages.dev/
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer
X-Robots-Tag: noindex

It’s just _headers not _headers.txt

Per the _headers page (https://developers.cloudflare.com/pages/configuration/headers/)

To attach headers to Cloudflare Pages responses, create a _headers plain text file in the output
folder of your project. It is usually the folder that contains the deploy-ready HTML files and assets
generated by the build, such as favicons. Changes to headers will be updated to your website at
build time. Make sure you commit and push the file to trigger a new build each time you update
headers.

Am I misinterpreting the “plain text file” in this case? My _headers file is a .txt file.
(soz I had to fix the blockquote)

“Plain text file” is just to say it’s plain text, not something like JSON, TOML, JS, etc.

File extensions don’t determine the content type (confusingly, but that’s how files work); you can have a JSON file called test.dat if you wanted.

Either way, yeah, there’s no extension required here. It’s just _headers
I’ll look at clarifying the docs.

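A pre-upload check for the problem resolved in this thread, added here as an example and not code from any poster or from Cloudflare: it flags a headers file saved under a near-miss name such as _headers.txt and reports which of the headers the scanners asked for are declared in any rule. The names `lint_upload_dir` and `EXPECTED` and the line-matching heuristic are assumptions of this example, not Cloudflare's parser.

```python
import re
import tempfile
from pathlib import Path

# "Name: value" line; "https://url.com/*" is not one (its colon is followed by "/").
HEADER_RE = re.compile(r"^\s*([A-Za-z0-9-]+):\s+(\S.*)$")
EXPECTED = ("X-Frame-Options", "Content-Security-Policy")  # reported missing by the scanners

def lint_upload_dir(root):
    """Return (problems, rules); rules maps each URL pattern to {header: value}."""
    root, problems, rules, current = Path(root), [], {}, None
    for p in sorted(root.glob("_headers*")):
        if p.name != "_headers":  # e.g. _headers.txt, the cause found in this thread
            problems.append(f"{p.name}: must be named exactly '_headers' (no extension)")
    if not (root / "_headers").is_file():
        return problems + ["_headers: not found in upload root"], rules
    for n, line in enumerate((root / "_headers").read_text().splitlines(), 1):
        m = HEADER_RE.match(line)
        if not line.strip():
            continue
        if m is None:
            current = rules.setdefault(line.strip(), {})  # new pattern block
        elif current is None:
            problems.append(f"line {n}: header appears before any URL pattern")
        else:
            current[m.group(1)] = m.group(2).strip()
    declared = {h.lower() for block in rules.values() for h in block}
    problems += [f"no rule sets {h}" for h in EXPECTED if h.lower() not in declared]
    return problems, rules

# Constructed sample: the first two blocks of the file quoted in the question.
SAMPLE = """https://url.com/*
X-Frame-Options: DENY
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer

https://url.com/assets/*
X-Robots-Tag: nosnippet
"""

def demo():
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "_headers.txt").write_text(SAMPLE)
        before, _ = lint_upload_dir(d)
        (Path(d) / "_headers.txt").rename(Path(d) / "_headers")
        after, rules = lint_upload_dir(d)
    return before, after, rules

if __name__ == "__main__":
    print(demo())
```

On the file quoted in the question, renaming clears the filename problem, but the check still reports that no rule sets Content-Security-Policy, so that scanner finding would remain until a rule adds it.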

Thank you!! I didn’t realize I could enter a file name without an extension on VS Code. :smiling_face: I appreciate your quick response!
