11ty HTTP Header Hardening

I'm not sure if I should be asking this here, or with the 11ty crew, but I'm trying to add HTTP headers to harden my site's security. I copied the headers from Cloudflare's guide, and they appear to be referenced in the logs, but they're not applying when I scan the headers. Any pointers would be appreciated!
https://683c83ed.ccna-definitions.pages.dev/
https://securityheaders.com/?q=https%3A%2F%2Fccnadefinitions.com%2F&followRedirects=on
https://github.com/WiseGuru/ccna-definitions/blob/main/src/site/_headers
These are the scan results for https://ccnadefinitions.com/ which scored the grade C.
8 Replies
Cyb3r-Jak3, 13mo ago
Does the _headers file appear in the output directory?
WiseGuru (OP), 13mo ago
I'm sorry, I'm not sure where to check that, or where to run things like "npm audit fix"
Cyb3r-Jak3, 13mo ago
Run your build command locally then check the output directory to make sure the _headers file is there.
WiseGuru (OP), 13mo ago
I'm having trouble with that; for some reason, the build is failing locally when it's fine on Cloudflare. I'm troubleshooting the error, but in the meantime, is there a way to check the output directory on Cloudflare? I'm still running into issues with the local deployment that are unrelated to the headers issue; it looks like a version dependency issue between Sharp and Node.js, and I've tried a couple versions (including 18.17.1, which is what Cloudflare appears to use), but no luck. If we can just use Cloudflare information, as the modules seem pretty picky, that would be great.
Cyb3r-Jak3, 13mo ago
You can see a list of files for the deployment as well as the headers detected under the deployment logs.
WiseGuru (OP), 13mo ago
Ok, thanks; when I check there, I only see example headers (as opposed to "Assets Uploaded", which shows a list). Where do I need to put the _headers file in my GitHub repo so it gets added to the output folder on build?
WiseGuru (OP), 13mo ago
I just found this guide on adding _headers files to Eleventy sites built on Cloudflare, and I'm going to give it a try. https://jonkuperman.com/custom-headers-eleventy-cloudflare-pages/
How to add custom headers to Eleventy with Cloudflare Pages
Cloudflare pages just announced support for custom headers. Here's how to add them to your Eleventy site.
WiseGuru (OP), 13mo ago
That fixed it; I had previously made the passthrough to the eleventy.js, but I didn't give the full path to the headers file. I still need to tweak the headers to do what I want, but the main issue is resolved. Thank you!
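The check suggested in the thread (confirm that _headers reaches the build output) can be extended to confirm which hardening headers a path would actually receive. This is an added example, not part of the original thread or of the site's code. The function names, the EXPECTED checklist and the sample input are constructed, and matching covers only path patterns with `*`, with rules applied in file order as a simplification.

```javascript
// Added example: parse a Cloudflare Pages _headers file and list the hardening
// headers a path would NOT receive. EXPECTED is a constructed checklist.
const EXPECTED = [
  "strict-transport-security", "content-security-policy", "x-frame-options",
  "x-content-type-options", "referrer-policy", "permissions-policy",
];
// Returns [{ pattern, set: {name: value}, unset: [name] }] in file order.
function parseHeadersFile(text) {
  const rules = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;   // blank line or comment
    if (!/^\s/.test(raw)) {                        // unindented line: new URL pattern
      rules.push({ pattern: line, set: {}, unset: [] });
      continue;
    }
    const rule = rules[rules.length - 1];
    if (!rule) throw new Error("header line before any URL pattern: " + raw);
    if (line.startsWith("!")) {                    // "! Name" detaches a header
      rule.unset.push(line.slice(1).trim().toLowerCase());
      continue;
    }
    const i = line.indexOf(":");                   // first colon; values may contain more
    if (i < 1) throw new Error("malformed header line: " + raw);
    rule.set[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return rules;
}
// Simplification: only path patterns with "*" wildcards are handled.
function matches(pattern, path) {
  const re = pattern.split("*")
    .map(s => s.replace(/[.+?^${}()|[\]\\]/g, "\\$&")).join(".*");
  return new RegExp("^" + re + "$").test(path);
}
function missingHeaders(text, path) {
  const applied = new Set();
  for (const r of parseHeadersFile(text)) {
    if (!matches(r.pattern, path)) continue;
    Object.keys(r.set).forEach(n => applied.add(n));
    r.unset.forEach(n => applied.delete(n));
  }
  return EXPECTED.filter(n => !applied.has(n));
}
// Constructed sample input, not the site's real _headers file.
const SAMPLE = "# hardening\n/*\n  X-Frame-Options: DENY\n" +
  "  X-Content-Type-Options: nosniff\n  Referrer-Policy: no-referrer\n" +
  "/embed/*\n  ! X-Frame-Options\n";
console.log(missingHeaders(SAMPLE, "/index.html"));
```

In a build check, pass the contents of the _headers file read from the build output directory instead of SAMPLE; if the file is absent there, the passthrough copy is not picking it up.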