Appending Content-Security-Policy-Report-Only Header to All Responses
I'm looking for some troubleshooting help/guidance regarding attempts to add a Content Security Policy (CSP) header to all responses.
To level-set:
- Transform Rules are not an option because we use Pages
- I'm not able to use
_headers
because our CSP exceeds the 2,000 character limit imposed by Cloudflare
My latest attempt at appending the CSP header is through deploying a worker that looks like this:
I added a Routes
trigger that targets the route https://domain.com/*
and zone domain.com
, but the script has registered 0 events. And in the "Edit Code" console, the "Send" button is disabled.
With that as background:
- Am I on the right track with respect to using Workers to add the CSP?
- Why is my worker not registering events?
Happy to provide additional context, as requested.0 Replies