Headers not processed on branch deploy

I am moving my site and from manual deploys to deploying on a git push to the master branch. As part of this, I want to transition from using separate _headers and _redirects to just using TOML. Although my redirects are processed correctly, I see build errors in my headers for branch deploys - related to my CSP directives.

I know TOML is supposed to be simple, but the translation between what CSP expects and what Netlify’s playground says is valid isn’t always so clear.

Logs tell me that strings can’t have newlines, but this doesn’t line up with actual configurations I’ve seen people use.

Where might I be going wrong? - existing TOML file is below:

[[headers]]
  for = "/*
  [headers.values]  
    Cache-Control = "no-transform"
    Content-Security-Policy = "style-src 'self';
    default-src 'self';
    object-src 'none';
    img-src https:;
    script-src 'self'
    'unsafe-inline';
    frame-ancestors 'none';"
    Upgrade-Insecure-Requests = "1"
    X-Content-Type-Options = "nosniff"
    X-Frame-Options = "DENY"
    X-XSS-Protection = "1; mode=block""

[[Netlify]]
from = "https://relaxed-meninsky-6eca95.netlify.com"
to = "/chrisfinazzo.com"
status = 301
force = false

[[site]]
from = "/www.chrisfinazzo.com"
to = "/chrisfinazzo.com"
status = 301
force = false

Hi, @chrisfinazzo. There is a solution! :+1:

The documentation about this can be found here:

https://docs.netlify.com/configure-builds/file-based-configuration/#sample-file

Quoting from there:

[[headers]]
  # Define which paths this specific [[headers]] block will cover.
  for = "/*"

  [headers.values]
    X-Frame-Options = "DENY"
    X-XSS-Protection = "1; mode=block"
    Content-Security-Policy = "frame-ancestors https://www.facebook.com"

    # Multi-value headers are expressed with multi-line strings.
	cache-control = '''
	max-age=0,
	no-cache,
	no-store,
	must-revalidate'''

Translating that to the TOML file posted before this would be:

[[headers]]
  for = "/*"

  [headers.values]  
    Cache-Control = "no-transform"
    Content-Security-Policy = '''
    style-src 'self';
    default-src 'self';
    object-src 'none';
    img-src https:;
    script-src 'self'
    'unsafe-inline';
    frame-ancestors 'none';'''
    Upgrade-Insecure-Requests = "1"
    X-Content-Type-Options = "nosniff"
    X-Frame-Options = "DENY"
    X-XSS-Protection = "1; mode=block""

Note, I’m not sure about the syntax of that header but the multiline triple quote ''' syntax I am sure about. (The details inside those quotes is something I’ll leave to you.)

If there are other questions about this, please let us know.

Hi Luke, thanks for the reply. My configuration seems to be in good shape at this point, so that’s solved. However, I am still seeing errors related to the Ruby version I am using.

When i first migrated to deploying from Git, I was using 2.5.0, which isn’t included in Netlify’s environment AFAIK and things were indeed slower - but it worked.

Using 2.5.4 should have been faster, but now I am having compatibility issues. Is there a recommended Bundler version that is known to coexist well with 2.5.4 for Git builds? Currently running 1.16.1 on macOS 10.14.6.

Build log is below.

9:48:29 AM: Build ready to start
9:48:32 AM: build-image version: 8e315e54bc4032a32e73290be556cde4f8348c12
9:48:32 AM: build-image tag: v2.8.2
9:48:32 AM: buildbot version: 45cd00068410d70db72c9672cdd014995488e12a
9:48:32 AM: Fetching cached dependencies
9:48:32 AM: Starting to download cache of 137.4MB
9:48:32 AM: Finished downloading cache in 530.440274ms
9:48:32 AM: Starting to extract cache
9:48:36 AM: Finished extracting cache in 3.977683721s
9:48:36 AM: Finished fetching cache in 4.588305154s
9:48:36 AM: Starting to prepare the repo for build
9:48:37 AM: Preparing Git Reference refs/heads/master
9:48:37 AM: Found netlify.toml. Overriding site configuration
9:48:37 AM: Starting build script
9:48:37 AM: Installing dependencies
9:48:38 AM: Started restoring cached node version
9:48:40 AM: Finished restoring cached node version
9:48:41 AM: v10.18.1 is already installed.
9:48:42 AM: Now using node v10.18.1 (npm v6.13.4)
9:48:42 AM: Attempting ruby version 2.5.4, read from .ruby-version file
9:48:46 AM: Using ruby version 2.5.4
9:48:46 AM: Using PHP version 5.6
9:48:46 AM: Started restoring cached ruby gems
9:48:46 AM: Finished restoring cached ruby gems
9:48:46 AM: Installing gem bundle
9:48:46 AM: /opt/buildhome/.rvm/rubies/ruby-2.5.4/lib/ruby/2.5.0/rubygems.rb:284:in `find_spec_for_exe': Could not find 'bundler' (1.16.1) required by your /opt/build/repo/Gemfile.lock. (Gem::GemNotFoundException)
9:48:46 AM: To update to the latest version installed on your system, run `bundle update --bundler`.
9:48:46 AM: To install the missing version, run `gem install bundler:1.16.1`
9:48:46 AM: 	from /opt/buildhome/.rvm/rubies/ruby-2.5.4/lib/ruby/2.5.0/rubygems.rb:303:in `activate_bin_path'
9:48:46 AM: failed during stage 'building site': Build script returned non-zero exit code: 1
9:48:46 AM: 	from /opt/buildhome/.rvm/gems/ruby-2.5.4/bin/bundle:23:in `<main>'
9:48:46 AM: 	from /opt/buildhome/.rvm/gems/ruby-2.5.4/bin/ruby_executable_hooks:24:in `eval'
9:48:46 AM: 	from /opt/buildhome/.rvm/gems/ruby-2.5.4/bin/ruby_executable_hooks:24:in `<main>'
9:48:46 AM: Error during gem install
9:48:46 AM: Error running command: Build script returned non-zero exit code: 1
9:48:46 AM: Failing build: Failed to build site
9:48:47 AM: Finished processing build request in 14.989696264s

Hi, could you try specifying a newer Ruby version (2.6.0 maybe)? How to do this is mentioned here. Let me know if that helps.