_headers with SvelteKit not applied?

heya, on my SvelteKit site using the cloudflare-pages adapter, I have a _headers file with this content and these show in the Headers tab of my CF deployment but the headers don't show in my network tab requests, any idea why? 🤔
/*
  X-Content-Type-Options: nosniff
  X-Frame-Options: SAMEORIGIN
  X-XSS-Protection: 1; mode=block
  Referrer-Policy: no-referrer-when-downgrade
  Permissions-Policy: document-domain=()
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  Feature-Policy: geolocation 'self'
  Content-Security-Policy: default-src 'self'; [...and more stuff];

/:all*(woff2?|jpe?g|png|gif|svg|js|xml|txt|json|css|mp4|webm|avif)
  Cache-Control: public, max-age=31536000, immutable
4 Replies
flayks (OP), 4d ago
curious to know why if any of you have an idea ✌️
Chaika, 4d ago
If you are server-side rendering (SSR) or using Pages Functions to generate responses, they won't be applied
Chaika, 4d ago
https://svelte.dev/docs/kit/adapter-cloudflare#Headers-and-redirects
The _headers and _redirects files, specific to Cloudflare, can be used for static asset responses (like images) by putting them into the project root folder. However, they will have no effect on responses dynamically rendered by SvelteKit, which should return custom headers or redirect responses from server endpoints or with the handle hook.
flayks (OP), 4d ago
@Chaika yes I use SvelteKit with SSR but this worked before 🤔 did this change recently? I've literally had the same file for months and it added these headers to every request. I ended up using the csp option in the svelte config and a handle in my hooks file, works fine but still curious why this changed
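
Added example, not part of the thread and not the poster's code: a sketch of the `handle` hook approach the quoted SvelteKit docs point to, so that SSR responses get the same security headers the `_headers` file gives static assets. The header values are a subset copied from the file in the question; `applySecurityHeaders` and `SECURITY_HEADERS` are hypothetical names, and CSP is left to the `csp` option in the Svelte config, as the poster did.

```javascript
// src/hooks.server.js (sketch). In a real project, export the hook at the end:
//   export { handle };
// Values below are copied from the _headers file in the question.
const SECURITY_HEADERS = {
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'SAMEORIGIN',
  'Referrer-Policy': 'no-referrer-when-downgrade',
  'Permissions-Policy': 'document-domain=()',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains; preload',
};

// Copy the defaults onto a response's Headers without overwriting anything an
// endpoint (or the csp config option) already set. HSTS is skipped on plain
// HTTP, e.g. the local dev server, where browsers ignore it anyway.
function applySecurityHeaders(headers, url) {
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) {
    if (name === 'Strict-Transport-Security' && url.protocol !== 'https:') continue;
    if (!headers.has(name)) headers.set(name, value);
  }
  return headers;
}

// SvelteKit runs handle for every request it renders dynamically, which is
// the set of responses the _headers file has no effect on.
async function handle({ event, resolve }) {
  const response = await resolve(event);
  applySecurityHeaders(response.headers, event.url);
  return response;
}
```

After deploying, compare the response headers of an SSR page and of a static asset in the browser's network tab: the first should come from the hook, the second from `_headers`.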
