Appending Content-Security-Policy-Report-Only Header to All Responses

I'm looking for some troubleshooting help/guidance regarding attempts to add a Content Security Policy (CSP) header to all responses.

To level-set:
- Transform Rules are not an option because we use Pages
- I'm not able to use _headers because our CSP exceeds the 2,000 character limit imposed by Cloudflare

My latest attempt at appending the CSP header is through deploying a worker that looks like this:
```ts
import { minifiedContentSecurityPolicy } from "./content-security-policy";

export default {
  async fetch(request: Request) {
    const response = await fetch(request);

    // Clone the response so that it's no longer immutable
    const newResponse = new Response(response.body, response);

    if (!newResponse.headers.has("Content-Security-Policy-Report-Only")) {
      newResponse.headers.append(
        "Content-Security-Policy-Report-Only",
        minifiedContentSecurityPolicy,
      );
    }

    return newResponse;
  },
};
```
I added a Routes trigger that targets the route https://domain.com/* and zone domain.com, but the script has registered 0 events. And in the "Edit Code" console, the "Send" button is disabled.

With that as background:
- Am I on the right track with respect to using Workers to add the CSP?
- Why is my worker not registering events?

Happy to provide additional context, as requested.
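
An added example, not part of the original post: the header-appending logic pulled into plain functions that can be checked outside the Workers runtime (Node 18+ has the same `Response` and `Headers` globals). The directive values, the function names and the choice to tag only `text/html` responses are assumptions of this example; the 2,000-character figure is the one quoted in the post.

```javascript
// Added example; the directive values below are constructed placeholders.
const HEADER = "Content-Security-Policy-Report-Only";
const HEADERS_FILE_LIMIT = 2000; // _headers limit as quoted in the post

// Join a directive map into one header value, collapsing every whitespace run
// (including newlines from a multi-line source file) to a single space.
function buildPolicy(directives) {
  const policy = Object.entries(directives)
    .map(([name, sources]) => [name, ...sources].join(" ").replace(/\s+/g, " ").trim())
    .join("; ");
  // Reject anything outside printable ASCII before it reaches Headers.set().
  if (/[^\x20-\x7e]/.test(policy)) {
    throw new Error("policy contains characters that are not valid in a header value");
  }
  return policy;
}

// True when the policy is short enough for the limit quoted in the post.
function fitsHeadersFile(policy) {
  return policy.length <= HEADERS_FILE_LIMIT;
}

// Return a mutable copy of `response` carrying the report-only policy.
// Non-HTML responses and responses that already have the header are returned as-is.
function withReportOnlyCsp(response, policy) {
  const type = response.headers.get("Content-Type") || "";
  if (!type.toLowerCase().startsWith("text/html")) return response;
  if (response.headers.has(HEADER)) return response;
  const copy = new Response(response.body, response); // keeps status and headers
  copy.headers.set(HEADER, policy);
  return copy;
}

const policy = buildPolicy({
  "default-src": ["'self'"],
  "script-src": ["'self'", "https://cdn.example"],
  "report-uri": ["/csp-report"],
});

// In a Worker module this object is the default export.
const worker = {
  async fetch(request) {
    return withReportOnlyCsp(await fetch(request), policy);
  },
};
```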