nico
nico
Explore posts from servers
NNuxtCDCloudflare Developers
PostsComments
CDCloudflare Developers
Created by nico on 2/9/2025 in #pages-help
Missing Content-Security-Policy & Permissions-Policy Headers on Cloudflare Pages Deployment
Shown (and somehow duplicated) _headers content in Dashboard: 
/_scripts/*
  cache-control: public, max-age=31536000, immutable
/_nuxt/*
  cache-control: public, max-age=31536000, immutable
/*
  Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{{nonce}}' https://static.cloudflareinsights.com https://challenges.cloudflare.com; frame-src 'self' https://challenges.cloudflare.com; img-src 'self' data: https://*.dashio.net; connect-src 'self' https://*.cloudflare.com https://cloudflareinsights.com https://*.dashio.net https://*.supabase.co; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; script-src-attr 'none'; base-uri 'none'; form-action 'self'; upgrade-insecure-requests
  Permissions-Policy: geolocation=(), microphone=(), camera=()
  Referrer-Policy: no-referrer
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;
  X-Content-Type-Options: nosniff
  X-Download-Options: noopen
  X-Frame-Options: DENY
  X-Permitted-Cross-Domain-Policies: none
  X-XSS-Protection: 0

/_scripts/*
  cache-control: public, max-age=31536000, immutable
/_nuxt/*
  cache-control: public, max-age=31536000, immutable
/*
  Referrer-Policy: no-referrer
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;
  X-Content-Type-Options: nosniff
  X-Download-Options: noopen
  X-Frame-Options: DENY
  X-Permitted-Cross-Domain-Policies: none
  X-XSS-Protection: 0
/_scripts/*
  cache-control: public, max-age=31536000, immutable
/_nuxt/*
  cache-control: public, max-age=31536000, immutable
/*
  Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{{nonce}}' https://static.cloudflareinsights.com https://challenges.cloudflare.com; frame-src 'self' https://challenges.cloudflare.com; img-src 'self' data: https://*.dashio.net; connect-src 'self' https://*.cloudflare.com https://cloudflareinsights.com https://*.dashio.net https://*.supabase.co; style-src 'self' 'unsafe-inline'; font-src 'self' data:; object-src 'none'; script-src-attr 'none'; base-uri 'none'; form-action 'self'; upgrade-insecure-requests
  Permissions-Policy: geolocation=(), microphone=(), camera=()
  Referrer-Policy: no-referrer
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;
  X-Content-Type-Options: nosniff
  X-Download-Options: noopen
  X-Frame-Options: DENY
  X-Permitted-Cross-Domain-Policies: none
  X-XSS-Protection: 0

/_scripts/*
  cache-control: public, max-age=31536000, immutable
/_nuxt/*
  cache-control: public, max-age=31536000, immutable
/*
  Referrer-Policy: no-referrer
  Strict-Transport-Security: max-age=31536000; includeSubDomains; preload;
  X-Content-Type-Options: nosniff
  X-Download-Options: noopen
  X-Frame-Options: DENY
  X-Permitted-Cross-Domain-Policies: none
  X-XSS-Protection: 0
What I've Tried: 1. Verified that _headers is included in the deployment (it's visible in the Cloudflare Pages build logs and dashboard as shown above). 2. Checked the security headers report using securityheaders.com, which still shows missing CSP and Permissions-Policy headers. 3. Confirmed that Cloudflare Pages does apply other headers (e.g., Strict-Transport-Security, X-Frame-Options, etc.). 4. Cleared Cloudflare Cache and redeployed multiple times. 5. Checked Firefox DevToolsNetwork tab → Security headers are missing in the final response. Questions: 1. Does Cloudflare Pages override or ignore certain headers from _headers? 2. Are there any known limitations when using _headers for CSP and Permissions-Policy? 3. Is there a recommended way to debug why these specific headers are not applied, even though others are? Any guidance would be greatly appreciated! Thanks in advance.
2 replies
NNuxt
Created by nico on 3/29/2024 in #❓・help
Resolving TS2307 Error for Dynamic Component Imports in Nuxt 3
No description
14 replies
NNuxt
Created by nico on 3/29/2024 in #❓・help
Resolving TS2307 Error for Dynamic Component Imports in Nuxt 3
No description
14 replies
NNuxt
Created by nico on 3/29/2024 in #❓・help
Resolving TS2307 Error for Dynamic Component Imports in Nuxt 3
Nope still having trouble with this
14 replies
NNuxt
Created by nico on 3/29/2024 in #❓・help
Resolving TS2307 Error for Dynamic Component Imports in Nuxt 3
No description
14 replies
NNuxt
Created by nico on 3/29/2024 in #❓・help
Resolving TS2307 Error for Dynamic Component Imports in Nuxt 3
but thanks for trying to help anyway
14 replies
NNuxt
Created by nico on 3/29/2024 in #❓・help
Resolving TS2307 Error for Dynamic Component Imports in Nuxt 3
“Any idea how I could potentially fix my TS2307: Cannot find module […]”
14 replies
NNuxt
Created by nico on 3/29/2024 in #❓・help
Resolving TS2307 Error for Dynamic Component Imports in Nuxt 3
its webstorm and this error is there for like 2 months now (readded node modules and .nuxt like 100 times since), thats not the problem.
14 replies
NNuxt
Created by nico on 3/29/2024 in #❓・help
Resolving TS2307 Error for Dynamic Component Imports in Nuxt 3
nope, just added ts-ignores for now but I don’t know how to fix that
14 replies