How do I modify the _headers file generated by zola?

The _headers file generated by the zola build command sets the headers like this:

# This _headers file is used to set headers on cloudflare pages: https://developers.cloudflare.com/pages/configuration/headers/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy (disabled everything except autoplay, local-fonts, screen-wake-lock, speaker-selection)
# opt out of Federated Learning of Cohorts (aka "FLoC") - https://amifloced.org/
/*
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  Referrer-Policy: strict-origin-when-cross-origin
  Strict-Transport-Security: max-age=63072000; includeSubdomains
  Permissions-Policy: interest-cohort=(), accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(), publickey-credentials-get=(), serial=(), storage-access=(), sync-xhr=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()
  Content-Security-Policy: default-src 'none'; img-src 'self'; object-src 'none'; script-src 'none'; style-src 'sha256-fRIhJpIVCZvcu+zebWbMe6B0A='; form-action 'none'; base-uri 'self'; frame-ancestors 'none'
  Cross-Origin-Resource-Policy: same-site
  Cache-Control: max-age=300, s-maxage=86400, stale-while-revalidate

The Cross-Origin-Resource-Policy set to same-site is causing me a lot of trouble.

How do I prevent this from happening? Else I can’t load external .js files. The files are built using zola build on Cloudflare Pages.

I have set webserver_sends_csp_headers = false in my config.toml.

Also I see the following line in the _headers file:

# This _headers file is used to set headers on cloudflare pages: https://developers.cloudflare.com/pages/configuration/headers/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy (disabled everything except autoplay, local-fonts, screen-wake-lock, speaker-selection)
# opt out of Federated Learning of Cohorts (aka "FLoC") - https://amifloced.org/

My question is how is this generated? How does zola build know on my local system that I use cloudflare?

Are you sure Zola build is doing that? I’ve just run it and have 0 files in my public directory named _header

I am using Bear | Zola as a theme. Pretty sure it is doing that.

Weird thing is _headers file is generated locally as well. Not in the cloud by Cloudflare.

Looks like it’s part of the theme zola-bearblog/static/_headers at main - alanpearce/zola-bearblog - Codeberg.org


Thank you!

I removed the _headers file from within themes/zola-bearblog/static and I noticed that when I built it locally there was no _headers file in the public directory. When I tried to push to GitHub with this modified code, it worked fine but the Cloudflare Pages builds failed. This was fully expected by me but I just wanted to try and see how this worked out.

So, my question is very generic, what is the normal workflow of using Zola with a third-party theme where you have to modify said third-party-theme’s code within the submodule directory?

I can’t just gitignore the themes/third-party-theme since my cloud build will use the submodule code contained in its original repo.

As a temporary workaround, I have copied over the pages that I need from the theme and completely removed the submodule from my local git repo and build locally and direct Cloudflare Pages to publish from the /public directory only.

That’s a great question. I’m not sure, as I’ve never used someone else’s theme

I’d recommend forking the theme and using your fork as the submodule in your main repository. Then you can commit any changes you make to your fork. I’m not totally tracking what’s happening in this thread - but if you think it may be a bug, or if the change could be useful to others, the maintainer of the theme would likely appreciate a PR from your fork with the fix/improvement.

Servers (nginx, apache, etc) typically create headers in the response. Static page generators (zola) cannot create headers.

Cloudflare, Amazon S3 and similar services also create headers because they are essentially servers, whether an HTTP server, proxy server, file server, caching server, CDN or whatever else.

Zola however can create a file that can instruct a Cloudflare service to place the headers into the response when served. And often per file or resource.

Perhaps instead of removing the file, edit that _headers file to produce the headers you need, such as:

Cross-Origin-Resource-Policy: cross-origin

As outlined in Mozilla docs
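
An added example, not part of any post in this thread: a small parser for the _headers format quoted above that checks script loading in both directions, using the Content-Security-Policy for whether this site's pages may load a script from another origin, and Cross-Origin-Resource-Policy for whether another site may embed files served by this site. The sample file is a constructed, shortened copy of the one in the thread; `https://cdn.example` and the function names are illustrative assumptions, and CSP source matching is simplified to exact origin, scheme source or `*`.

```python
# Added example: parse a Cloudflare Pages _headers file and evaluate the two
# headers that decide script loading in each direction.

# Constructed sample: shortened copy of the theme's _headers quoted in the thread.
SAMPLE = """\
# This _headers file is used to set headers on cloudflare pages
/*
  X-Frame-Options: DENY
  Content-Security-Policy: default-src 'none'; img-src 'self'; script-src 'none'; base-uri 'self'
  Cross-Origin-Resource-Policy: same-site
"""

def parse_headers(text):
    """Return {path_pattern: {lowercased_header_name: value}}."""
    rules, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment
        if not raw[0].isspace():          # unindented line opens a path block
            current = rules.setdefault(line, {})
        elif current is not None and ":" in line:
            name, value = line.split(":", 1)
            current[name.strip().lower()] = value.strip()
    return rules

def parse_csp(value):
    """Split a CSP value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return policy

def page_may_load_script(csp_value, origin):
    """Can a page served with this CSP load <script src> from origin?"""
    policy = parse_csp(csp_value)
    for directive in ("script-src-elem", "script-src", "default-src"):
        if directive in policy:           # CSP fallback order for script elements
            scheme = origin.split("//")[0]
            return any(s in (origin, scheme, "*") for s in policy[directive])
    return True                           # no directive restricts scripts

def others_may_embed(corp_value, relation):
    """Can a no-cors request from a 'same-origin', 'same-site' or 'cross-site'
    requester load a response carrying this Cross-Origin-Resource-Policy?"""
    everyone = {"same-origin", "same-site", "cross-site"}
    allowed = {"same-origin": {"same-origin"},
               "same-site": {"same-origin", "same-site"}, "cross-origin": everyone}
    if corp_value is None:                # header absent: no CORP restriction
        return True
    return relation in allowed.get(corp_value.strip(), everyone)
```

Run against the real `public/_headers` after `zola build` by passing its contents to `parse_headers` and checking the `/*` block.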