Missing Content-Security-Policy & Permissions-Policy Headers on Cloudflare Pages Deployment
Hi everyone,
I'm experiencing an issue where my Content-Security-Policy (CSP) and Permissions-Policy headers are not being applied correctly when deploying my site on Cloudflare Pages. (https://securityheaders.com/?q=dashio.net&followRedirects=on)
Context:
My project is built using Nuxt with the nuxt-security module. I was not able to use Nuxt Security itself to define my headers because I walked into issues with the following logs:
So the exceeding characters were the reason why I just switched to a manually created _headers file instead of letting the Security module create them for me.
I'm using a _headers file inside the public/ directory to define security headers.
The _headers file is structured like this:
Scan results for dashio.net
These are the scan results for dashio.net which scored the grade B.
Shown (and somehow duplicated) _headers content in Dashboard:
What I've Tried:
1. Verified that _headers is included in the deployment (it's visible in the Cloudflare Pages build logs and dashboard as shown above).
2. Checked the security headers report using securityheaders.com, which still shows missing CSP and Permissions-Policy headers.
3. Confirmed that Cloudflare Pages does apply other headers (e.g., Strict-Transport-Security, X-Frame-Options, etc.).
4. Cleared Cloudflare Cache and redeployed multiple times.
5. Checked Firefox DevTools → Network tab → Security headers are missing in the final response.
Questions:
1. Does Cloudflare Pages override or ignore certain headers from _headers?
2. Are there any known limitations when using _headers for CSP and Permissions-Policy?
3. Is there a recommended way to debug why these specific headers are not applied, even though others are?
Any guidance would be greatly appreciated! Thanks in advance.
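One way to check a _headers file before deploying, as an added example that is not part of the original post or of Cloudflare's tooling: this Node.js function flags over-long lines and duplicated rules or headers. The 2,000-character per-line limit and the 100-rule limit are assumptions taken from Cloudflare's Pages documentation; `lintHeadersFile` and the sample file are constructed for illustration.

```javascript
// Added example, not from the original post. Both limits are assumptions
// taken from Cloudflare's Pages documentation for _headers files.
const MAX_LINE_CHARS = 2000;
const MAX_RULES = 100;

function lintHeadersFile(text) {
  const findings = [];
  const rules = new Map(); // path rule -> Map(header name -> first line seen)
  let current = null;
  text.split(/\r?\n/).forEach((line, i) => {
    const n = i + 1;
    const trimmed = line.trim();
    if (trimmed === '' || trimmed.startsWith('#')) return; // blank or comment
    if (line.length > MAX_LINE_CHARS) {
      findings.push({ line: n, issue: 'line-too-long', detail: `${line.length} chars` });
    }
    if (!/^\s/.test(line)) { // an unindented line starts a path rule
      if (rules.has(trimmed)) findings.push({ line: n, issue: 'duplicate-rule', detail: trimmed });
      else rules.set(trimmed, new Map());
      current = rules.get(trimmed);
      return;
    }
    if (current === null) {
      findings.push({ line: n, issue: 'header-outside-rule', detail: trimmed.slice(0, 40) });
      return;
    }
    if (trimmed.startsWith('!')) return; // "! Name" detaches an inherited header
    const colon = trimmed.indexOf(':');
    if (colon < 1) {
      findings.push({ line: n, issue: 'malformed-header', detail: trimmed.slice(0, 40) });
      return;
    }
    const name = trimmed.slice(0, colon).trim().toLowerCase();
    if (current.has(name)) findings.push({ line: n, issue: 'duplicate-header', detail: name });
    else current.set(name, n);
  });
  if (rules.size > MAX_RULES) {
    findings.push({ line: 0, issue: 'too-many-rules', detail: `${rules.size} rules` });
  }
  return findings;
}

// Constructed sample: one over-long CSP line, then the same block repeated.
const longCsp = "Content-Security-Policy: default-src 'self'; script-src 'self' " +
  Array.from({ length: 100 }, (_, k) => `https://cdn${k}.example.com`).join(' ');
const block = ['/*', '  X-Frame-Options: DENY', `  ${longCsp}`, '  Permissions-Policy: camera=()'];
const sample = [...block, ...block].join('\n');
console.log(lintHeadersFile(sample));
```

Run it against the built output (the file that actually ships), since a module such as nuxt-security may also write headers at build time.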