Headers in _headers not being honored

Hi,

For some strange reason some of the headers in my _headers file are not being honored in the browser. Any ideas?

/*
	access-control-allow-origin: *
	Alt-Svc: clear
	Content-Type: text/html; charset=utf-8
	Cache-Control: public, max-age=15768000
	Content-Security-Policy: default-src 'self'; form-action 'self'; frame-ancestors 'self'
	Expect-CT: enforce, max-age=15768000
	Permissions-Policy: accelerometer=()
	Referrer-Policy: strict-origin-when-cross-origin
	Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
	X-Frame-Options: DENY
	X-Content-Type-Options: nosniff
	X-XSS-Protection: 1; mode=block

Can you give more info? Which headers? Why aren’t they working? Got a repro link?

I do see you’re trying to set everything to HTML though, that’ll break CSS/JS/other files.


Hi,

Thank you for responding. I tried to include more debug information but this website insists I’m including links.

In any case, I only have HTML on it so I don’t mind breaking JS behaviors. CSS seems to be working fine.

According to security headers dot com the following headers are missing:

Strict-Transport-Security	
Content-Security-Policy	
X-Frame-Options	
Permissions-Policy

Thanks in advance for any insight!

Also,

The following headers are also missing:

Expect-CT
Strict-Transport-Security
X-XSS-Protection

Lastly, these headers are different from what’s in the file:

Cache-Control

Try visiting atirado dot net for reproducing.

I am using security headers to verify.

I also have the site up at GitHub.
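
The check discussed in this thread (which headers from `_headers` actually reach the browser) can be reproduced locally. The sketch below is an added example, not part of the thread and not the hosting platform's code: it parses an excerpt of the file posted above and diffs it against a response. It assumes the usual `_headers` layout (unindented path line, indented `Name: value` lines, `#` comments); the response headers are constructed sample values, and the function names are hypothetical.

```python
import urllib.request

# Excerpt of the _headers file posted above.
SAMPLE_HEADERS_FILE = """\
/*
  Cache-Control: public, max-age=15768000
  Content-Security-Policy: default-src 'self'; form-action 'self'; frame-ancestors 'self'
  Strict-Transport-Security: max-age=15768000; includeSubDomains; preload
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
"""
# Constructed response headers, not captured from the site in the thread.
SAMPLE_RESPONSE = {"Cache-Control": "public, max-age=0, must-revalidate",
                   "X-Content-Type-Options": "nosniff"}

def parse_headers_file(text):
    """Return {path_pattern: {lowercased header name: value}}."""
    rules, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue                      # blank line or comment
        if raw[0] in " \t":               # indented: header for the current path
            name, sep, value = raw.strip().partition(":")
            if current is None or not sep:
                raise ValueError(f"malformed _headers line: {raw!r}")
            rules[current][name.strip().lower()] = value.strip()
        else:                             # unindented: a new path pattern
            current = raw.strip()
            rules.setdefault(current, {})
    return rules

def diff_headers(expected, observed):
    """Compare case-insensitively; return (missing names, {name: (want, got)})."""
    got = {k.lower(): v.strip() for k, v in observed.items()}
    missing = sorted(n for n in expected if n not in got)
    changed = {n: (v, got[n]) for n, v in expected.items()
               if n in got and got[n] != v}
    return missing, changed

def fetch_headers(url):
    """Live use (not run here): HEAD the URL and return its response headers."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req) as resp:
        return dict(resp.headers.items())

if __name__ == "__main__":
    rules = parse_headers_file(SAMPLE_HEADERS_FILE)
    missing, changed = diff_headers(rules["/*"], SAMPLE_RESPONSE)
    print("missing:", missing)
    print("changed:", changed)
```

A header that shows up as missing for every path points at the file not being picked up or parsed at deploy time, while a changed value points at something downstream overriding it.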
