Too many header rules - Cloudflare Pages #504
Comments
Hey there, are you using the http meta equiv for CSP or do you use SSR to send generated response headers? I honestly don't have that much experience with Cloudflare Pages nor the headers limit. Maybe @pi0 would be able to share some light on it? :)

Hi @Vahagn-Zaqaryan Maybe a better alternative, if you want to keep CSP in headers, is to use the

@Vahagn-Zaqaryan have you tried the recommendation from @vejja ? :)

+1
I apologize for the delayed response; I've been caught up with some releases! 🎉 I'd like to provide some additional context that might help. My current project is a Nuxt 3 application integrated with a Directus headless CMS. The route structure mirrors the various content types I'm managing, as outlined below:

I used the method @vejja suggested and it worked! However, it appears that

For reference, here is my current `security` config:

```js
// nuxt.config.ts (excerpt): the `security` section of the nuxt-security module config
security: {
  nonce: true,
  headers: {
    xFrameOptions: 'ALLOWALL',
    permissionsPolicy:
      'accelerometer=(), camera=(), geolocation=(), gyroscope=(), magnetometer=(), microphone=(), payment=(), usb=()',
    contentSecurityPolicy: {
      'img-src': ["'self'"],
      'script-src': ["'self'", "'nonce-{{nonce}}'", process.env.NUXT_PUBLIC_APP_URL, 'https://*.cloudflare.com'],
    },
  },
},
```

Additionally, I've taken a closer look at my `_headers` file; this is a part of it. The differences are primarily in the script hashes, especially the first hash, while the remaining headers are the same. I tried to find the scripts that are causing the discrepancies in the generated headers, but I couldn't. It's possible these are inline scripts or styles with hashes calculated dynamically during browser execution. Please let me know if there's anything else I can provide to help you guys improve the module 🚀
@vejja thanks for your great tip. Can we get anything from @Vahagn-Zaqaryan's comments and improve the module based on it?

@vejja when you have time :)

Hi guys, I'd love to find a solution for this one but it doesn't seem like there is an obvious solution. @Vahagn-Zaqaryan I looked at your `_headers` file, and there is no common set between the routes that you extracted. I suppose that when you looked at the subfolders and sub-subfolders, there was no common pattern either. So in your case, the headers would be unique for each of the 1,000 pages - which at the end of the day means that we cannot reduce the number of header rules. With hindsight I think the solution would be to introduce a new value for
Thanks for your insight Sebastien. Looking at the description I think this is quite a lot of work for an edge case so I would recommend not implementing it. Every new piece of code added to the module needs to be maintained by us, and maintaining big and complex code that is used to solve an edge case is not worth it for me. I am up for your comments here as well. Please let me know :)

We might not need an AST parser after all

This issue occurred to me as well. I may have a solution, and I'll try to clean it up for release, hopefully today.
Try this proof of concept code from https://github.com/IO-Fire/nitro/compare/v2..feat/cf-gen-headers It creates proxy Cloudflare (CF) workers at build time. Workers for large / advanced headers rules are the recommended solution from the CF Pages limits documentation. Workers apply the headers then return the upstream response. It enables SSG on CF Pages with 100+ header rules. It prioritises the header file until it is full. Set your

```json
{
  // ... the rest of package.json
  "pnpm": {
    "overrides": {
      "nitropack": "github:IO-Fire/nitro#feat/cf-gen-headers"
    }
  }
}
```

Use See initial commit for commit message: IO-Fire/nitro@cbb89ee. Reproduction repo coming soon. TODO: Parse existing
Hi there,

I'm new to the nuxt-security module and started using it just yesterday. I have a blog with over 1,000 articles, and I use SSG to statically generate the pages, which I then upload to Cloudflare Pages for hosting. Initially, I was testing the configuration in my development environment without any issues. However, upon switching to production, I noticed that the security headers were not being applied. After checking the logs, I discovered that Cloudflare Pages has a limit of 100 headers, as mentioned on their Limits page.

Here is the error message I encountered:

I currently have about 1,300 header rules, which exceeds the limit.

What can I do to fix this issue?
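Two points in this thread lend themselves to a small worked example: @vejja's check for a "common set" of headers across the generated routes (headers shared by every route could be hoisted into a single `/*` rule, which is the only way the rule count drops), and the proxy-Worker approach above, where the Worker applies the per-route headers and returns the upstream response. The code below is an added example written for this page; it is not nuxt-security's or IO-Fire/nitro's code. It assumes the Cloudflare Pages `_headers` layout (an unindented route pattern followed by indented `Name: value` lines), counts each route block as one rule against the 100-rule limit quoted in the issue, and treats `*` as a wildcard with later matching rules overriding earlier ones for the same header name; those matching details and the `HEADERS_FILE` binding in the Worker stub are assumptions, not Cloudflare's documented semantics. The sample `_headers` text is constructed.

```javascript
// Added example (not nuxt-security's or IO-Fire/nitro's code). Parses a Cloudflare
// Pages `_headers` file, checks the rule count against the 100-rule limit cited in the
// issue, finds headers shared by every route that could be hoisted into one `/*` rule,
// and applies matching rules to a response the way a proxy Worker would.

const RULE_LIMIT = 100; // Cloudflare Pages header-rule limit quoted in the issue

// Parse `_headers` text into [{ route, headers: { name: value } }, ...].
// Unindented lines start a route block; indented "Name: value" lines belong to it.
function parseHeadersFile(text) {
  const rules = [];
  for (const raw of text.split('\n')) {
    if (!raw.trim() || raw.trim().startsWith('#')) continue; // blank or comment
    if (!/^\s/.test(raw)) {
      rules.push({ route: raw.trim(), headers: {} });
      continue;
    }
    const idx = raw.indexOf(':'); // header names never contain ':', so the first one splits
    if (idx < 0 || rules.length === 0) continue; // malformed line: skip it
    const name = raw.slice(0, idx).trim().toLowerCase();
    rules[rules.length - 1].headers[name] = raw.slice(idx + 1).trim();
  }
  return rules;
}

// Header name/value pairs present, with identical values, in every rule.
function commonHeaders(rules) {
  if (rules.length === 0) return {};
  const common = { ...rules[0].headers };
  for (const { headers } of rules.slice(1)) {
    for (const name of Object.keys(common)) {
      if (headers[name] !== common[name]) delete common[name];
    }
  }
  return common;
}

// Move the common headers into one `/*` rule and drop routes left with no headers.
// Caveat: `/*` also applies those headers to paths the original rules never covered.
function hoistCommon(rules) {
  const common = commonHeaders(rules);
  if (Object.keys(common).length === 0) return rules;
  const rest = rules
    .map(({ route, headers }) => ({
      route,
      headers: Object.fromEntries(Object.entries(headers).filter(([n]) => !(n in common))),
    }))
    .filter((r) => Object.keys(r.headers).length > 0);
  return [{ route: '/*', headers: common }, ...rest];
}

// Summary a maintainer would want: rule count now, over the limit or not, and after hoisting.
function analyse(text) {
  const rules = parseHeadersFile(text);
  return {
    ruleCount: rules.length,
    overLimit: rules.length > RULE_LIMIT,
    commonHeaders: commonHeaders(rules),
    ruleCountAfterHoist: hoistCommon(rules).length,
  };
}

// Route pattern to RegExp: `*` matches any run of characters, `:name` one path segment
// (simplified assumption about how Pages matches `_headers` routes).
function routeToRegExp(route) {
  const escaped = route.replace(/[.+?^${}()|[\]\\]/g, '\\$&');
  const pattern = escaped.replace(/\*/g, '.*').replace(/:[A-Za-z0-9_]+/g, '[^/]+');
  return new RegExp(`^${pattern}$`);
}

// Headers to set for `pathname`: every matching rule applies, later rules overriding
// earlier ones for the same name (assumed order).
function headersForPath(rules, pathname) {
  const out = {};
  for (const rule of rules) {
    if (routeToRegExp(rule.route).test(pathname)) Object.assign(out, rule.headers);
  }
  return out;
}

// Worker entry point in the module-syntax shape Cloudflare Workers use. Not exercised by
// the test; `HEADERS_FILE` is a hypothetical binding carrying the `_headers` text.
const worker = {
  async fetch(request, env) {
    const upstream = await fetch(request);
    const response = new Response(upstream.body, upstream); // fresh, mutable headers
    const rules = parseHeadersFile(env.HEADERS_FILE);
    const pathname = new URL(request.url).pathname;
    for (const [name, value] of Object.entries(headersForPath(rules, pathname))) {
      response.headers.set(name, value);
    }
    return response;
  },
};

// Constructed sample (not the reporter's file): two article routes share one
// Permissions-Policy but differ in their CSP script hashes, as described in the thread.
const SAMPLE = `
/articles/first
  Permissions-Policy: camera=(), microphone=()
  Content-Security-Policy: script-src 'self' 'sha256-AAAA'
/articles/second
  Permissions-Policy: camera=(), microphone=()
  Content-Security-Policy: script-src 'self' 'sha256-BBBB'
`;
```

Running `analyse(SAMPLE)` reports two rules with only `permissions-policy` in common; hoisting it yields a `/*` rule plus two per-route rules, so the count does not shrink, which is exactly the situation @vejja describes for the reporter's file. The count only drops for routes whose headers become empty after hoisting, which per-page CSP hashes prevent.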