Cloudflare Developers
Created by arclight on 4/5/2024 in #workers-help
Appending Content-Security-Policy-Report-Only Header to All Responses
I'm looking for some troubleshooting help/guidance regarding attempts to add a Content Security Policy (CSP) header to all responses. To level-set:
- Transform Rules are not an option because we use Pages
- I'm not able to use _headers because our CSP exceeds the 2,000 character limit imposed by Cloudflare

My latest attempt at appending the CSP header is through deploying a worker that looks like this:
```typescript
import { minifiedContentSecurityPolicy } from "./content-security-policy";

export default {
  async fetch(request: Request) {
    const response = await fetch(request);

    // Clone the response so that it's no longer immutable
    const newResponse = new Response(response.body, response);

    if (!newResponse.headers.has("Content-Security-Policy-Report-Only")) {
      newResponse.headers.append(
        "Content-Security-Policy-Report-Only",
        minifiedContentSecurityPolicy,
      );
    }

    return newResponse;
  },
};
```
I added a Routes trigger that targets the route https://domain.com/* and zone domain.com, but the script has registered 0 events. And in the "Edit Code" console, the "Send" button is disabled.

With that as background:
- Am I on the right track with respect to using Workers to add the CSP?
- Why is my worker not registering events?

Happy to provide additional context, as requested.
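An added example, not part of the original post and not the poster's `./content-security-policy` module: one way such a module could build the minified policy string from a directive map, check it against the 2,000-character `_headers` limit mentioned in the post, and attach it to a response the way the Worker above does. The directive values are constructed samples, and the function names and `HEADERS_FILE_LIMIT` are assumptions.

```typescript
// Added example, not the poster's code. Directive values are constructed samples.
type Directives = Record<string, string[]>;

const REPORT_ONLY = "Content-Security-Policy-Report-Only";
const HEADERS_FILE_LIMIT = 2000; // `_headers` limit as stated in the post

// Serialize a directive map into one minified policy string.
function serializeCsp(directives: Directives): string {
  const parts: string[] = [];
  for (const [name, sources] of Object.entries(directives)) {
    for (const token of [name, ...sources]) {
      // ";" would start a new directive, "," a second policy, and
      // whitespace or control characters would split or corrupt the token.
      if (token === "" || /[;,\s\x00-\x1f\x7f]/.test(token)) {
        throw new Error(`invalid CSP token in ${name}: ${JSON.stringify(token)}`);
      }
    }
    parts.push([name, ...sources].join(" "));
  }
  return parts.join("; ");
}

// True when the policy would still fit in a `_headers` file.
function fitsHeadersFile(policy: string): boolean {
  return policy.length <= HEADERS_FILE_LIMIT;
}

// Copy the response so its headers are mutable, then add the policy
// unless the origin already sent a report-only policy.
function withReportOnlyCsp(response: Response, policy: string): Response {
  const copy = new Response(response.body, response);
  if (!copy.headers.has(REPORT_ONLY)) {
    copy.headers.set(REPORT_ONLY, policy);
  }
  return copy;
}

// Constructed sample policy.
const samplePolicy = serializeCsp({
  "default-src": ["'self'"],
  "img-src": ["'self'", "data:"],
  "upgrade-insecure-requests": [],
});
```

Rejecting `;` and `,` inside tokens keeps a single malformed source entry from silently adding a directive or splitting the header into two policies.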