How do I modify the _headers file generated by zola?

zolauser25 · February 6, 2025, 4:32pm

The _headers file generated by zola build command sets the headers as this :

# This _headers file is used to set headers on cloudflare pages: https://developers.cloudflare.com/pages/configuration/headers/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy (disabled everything except autoplay, local-fonts, screen-wake-lock, speaker-selection)
# opt out of Federated Learning of Cohorts (aka "FLoC") - https://amifloced.org/
/*
  X-Frame-Options: DENY
  X-Content-Type-Options: nosniff
  X-XSS-Protection: 1; mode=block
  Referrer-Policy: strict-origin-when-cross-origin
  Strict-Transport-Security: max-age=63072000; includeSubdomains
  Permissions-Policy: interest-cohort=(), accelerometer=(), ambient-light-sensor=(), battery=(), bluetooth=(), browsing-topics=(), camera=(), display-capture=(), document-domain=(), encrypted-media=(), execution-while-not-rendered=(), execution-while-out-of-viewport=(), fullscreen=(), gamepad=(), geolocation=(), gyroscope=(), hid=(), identity-credentials-get=(), idle-detection=(), magnetometer=(), microphone=(), midi=(), otp-credentials=(), payment=(), picture-in-picture=(), publickey-credentials-create=(), publickey-credentials-get=(), serial=(), storage-access=(), sync-xhr=(), usb=(), web-share=(), window-management=(), xr-spatial-tracking=()
  Content-Security-Policy: default-src 'none'; img-src 'self'; object-src 'none'; script-src 'none'; style-src 'sha256-fRIhJpIVCZvcu+zebWbMe6B0A='; form-action 'none'; base-uri 'self'; frame-ancestors 'none'
  Cross-Origin-Resource-Policy: same-site
  Cache-Control: max-age=300, s-maxage=86400, stale-while-revalidate

The Cross-Origin-Resource-Policy set to same-site is causing me a lot of trouble.

How do I prevent this from happening? Else I can’t load external .js files. The files are built using zola build on Cloudflare Pages.

I have set webserver_sends_csp_headers = false in my config.toml.

Also I see the following line in the _headers file:

# This _headers file is used to set headers on cloudflare pages: https://developers.cloudflare.com/pages/configuration/headers/
# https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Permissions-Policy (disabled everything except autoplay, local-fonts, screen-wake-lock, speaker-selection)
# opt out of Federated Learning of Cohorts (aka "FLoC") - https://amifloced.org/

My question is how is this generated? How does zola build know on my local system that I use cloudflare?

dustinknopoff · February 6, 2025, 4:49pm

Are you sure Zola build is doing that? I’ve just run it and have 0 files in my public directory named _header

zolauser25 · February 6, 2025, 4:56pm

I am using Bear | Zola as a theme. Pretty sure it is doing that.

Weird thing is _headers file is generated locally as well. Not in the cloud by Cloudflare.

dustinknopoff · February 6, 2025, 5:20pm

Looks like it’s part of the theme zola-bearblog/static/_headers at main - alanpearce/zola-bearblog - Codeberg.org

zolauser25 · February 11, 2025, 9:27am

Thank you!

I removed the _headers file from within themes/zola-bearblog/static and I noticed that when I built it locally there was no _headers file in the public directory. When I tried to push to github with this modified code, it worked fine but the Cloudflare Pages builds failed. This was fully expected by me but I just wanted to try and see how this worked out.

So, my question is very generic, what is the normal workflow of using Zola with a third-party theme where you have to modify said third-party-theme’s code within the submodule directory?

I can’t just gitignore the themes/third-party-theme since my cloud build will use the submodule code contained in its original repo.

As a temporary workaround, I have copied over the pages that I need from the theme and completely removed the submodule from my local git repo and build locally and direct Cloudflare Pages to publish from the /public directory only.

dustinknopoff · February 11, 2025, 11:38am

That’s a great question. I’m not sure, as I’ve never used someone else’s theme

roblesch · February 18, 2025, 6:27am

I’d recommend forking the theme and using your fork as the submodule in your main repository. Then you can commit any changes you make to your fork. I’m not totally tracking what’s happening in this thread - but if you think it may be a bug, or if the change could be useful to others, the maintainer of the theme would likely appreciate a PR from your fork with the fix/improvement.

adrianboston · February 25, 2025, 8:21am

Servers (nginx, apache, etc) typically create headers in the response. Static page generators zola) cannot create headers.

Cloudflare, Amazon S3 and similar services also create headers because they are essentially servers whether a http server, proxy server, file server, caching server, CDN or whatever else.

Zola however can create a file that can instruct a Cloudflare service to place the headers into the response when served. And often per file or resource.

Perhaps instead of removing the file, edit it that _headers file to produce the headers you need such as

Cross-Origin-Resource-Policy: cross-origin

As outlined in Mozilla docs

Topic		Replies	Views
Generating Pages At Build Time Feature requests	6	1706	July 30, 2020
I am missing something to start using the product Support	12	3627	February 16, 2021
Debugging zola building problems/config Support	5	1013	December 22, 2020
Difference in behaviour between zola build and zola serve related to 404 pages Support	0	556	October 9, 2020
How do I duplicate an old directory structure with pages ending in .html? Support	6	903	June 2, 2019

How do I modify the _headers file generated by zola?

Related topics