HTTP Headers (e.g. Content-Security-Policy) on Pages

[ThatBlockyPenguin]

Select Topic Area

Question

Body

Hi, I'm wondering if it's possible to set custom HTTP Headers on websites hosted on GitHub Pages? I know it's possible via the <meta> tag, which I am willing to use if it's the only way, but I'd rather use an actual header if possible.
Thanks!

[yoannchaudet]

We don't support this feature today so a meta tag unfortunately is the only way.

[ThatBlockyPenguin]

Ok, nevermind then. Thanks!

[nodeg]

@yoannchaudet Are there any plans to support his in the future? I find it quite important to be able to change/add those headers.

[yoannchaudet]

We want to get there eventually. No ETA unfortunately at the moment while this has not been prioritized.

[nodeg]

Alright. Thank you for the answer!

[TonioGela]

+1 on prioritizing this

[thboileau]

+1 as well

[david-ball]

+1 please prioritize

[JandaSec]

can I also please vote for this feature. I need to add security headers to my site. Any site created with Github pages gets a Grade F score on https://securityheaders.io/ which is abysmal. Is there any update on the timescale for having this available please?

[ramalhais]

Need to add:
Cross-Origin-Opener-Policy: same-origin
Cross-Origin-Embedder-Policy: require-corp

These are new security requirements for using SharedArrayBuffer in javascript.

[MeesJ]

This deserves much more attention. In the nowadays internet security headers are becoming more and more important. Currently GitHub Pages doesn't have the ability to add custom headers, making it impossible to adopt these security measures.

[TonioGela]

+1 again on this. Maybe adding a lot of comments will cause enough traffic for the feature to get prioritized.

[jobearrr]

+1 here!
I'm also facing some issues with CSP and need to configure headers for my website.

[bss-dmitry-shmakov]

+100500 ✔️

[TonioGela]

I wonder if this is ever gonna happen

[Jieiku]

I have been using cloudflare pages and netlify, both have free plans and support headers:

cloudflare pages:
https://abridge.pages.dev/
https://github.com/Jieiku/abridge/blob/master/static/_headers

netlify:
https://abridge.netlify.app/
https://github.com/Jieiku/abridge/blob/master/netlify.toml

would be great if github also supported them, would simplify things.

[TonioGela]

would be great if github also supported them, would simplify things.

Precisely. I don't wanna rely on external services. I migrated every static site from netlify to GH Pages and using a single platform to do everything is so much more practical

[sh1boot]

I think cloudflare offer something similar to GitHub Pages, but I since I'm too lazy to look into it I've instead relied on Cloudflare to rewrite GitHub headers in passing.

You make a good point. I should consolidate on one service and make the full move.

[TonioGela]

Sadly that's no possible though, right? :P

[sh1boot]

Sure it is. Cloudflare can host everything and update the headers at the same time.

[vitar]

To integrate my page, I'm required to have all that are in red: STS, CSP, XFO, XCTO, RP. That feature would be great!

[MaartenW]

This should be fixed by now. If it can't be custom headers, at least add the basic security headers! Please!

[TonioGela]

@yoannchaudet can we get some updates on this? Can this be prioritized?

[yoannchaudet]

This is not an area that is being prioritized at the moment unfortunately.

[mpetagara]

ngl, super disappointing to hear that the security of User's pages who elect to use Github Pages is still not a priority. Meanwhile Cloudflare Pages and Netlify support it. :/

[TonioGela]

Precisely this. Apparently Github's claim is that Pages security is not a priority.

[gossoudarev]

The GH Pages are of great help in education, I teach students with the aid of this service and it would be more than useful to be able to customize headers, especially security/CORS

[TonioGela]

The GH Pages are of great help in education, I teach students with the aid of this service and it would be more than useful to be able to customize headers, especially security/CORS

So bad that @yoannchaudet clearly told us that this is not a priority

[s4n-cz]

This feature would be really helpful.
If the task to support arbitrary headers is too complicated, I believe many people would be happy for now with at least some basic security headers like Content-Security-Policy, Referrer-Policy, ...

The suggested approach of using CSP through the meta element is only partial solution as for example the frame-ancestors directive is completely ignored.

[JandaSec]

GitHub don't take security seriously then?

 
Frankly I think it is appalling that this feature to add HTTP Security Headers is still not available. I posted about it missing back in February and have been tracking this thread since and watched all of the comments and support for it.
 
Why are GitHub not paying attention to security and the needs of their users?
 
In the meantime I've personally had to completely lift my website out of github pages and rehost it in an alternative platform, because I take security incredibly seriously and the lack of this feature is a complete show-stopper for me and not a 'nice to have'.
 
Disappointing… GitHub pages had such potential too…

[DNin01]

I'll add, I could even see a GH Pages CSP being a thing that you could enforce across all repositories in an organization as an admin.

Regardless, I think it would be very fitting for GitHub to add customization for content security, feature, and other policy headers in the near future, as the meta tag equivalents do have some limitations. I'd welcome either full control of the headers or just a checkbox to add a predetermined whitelist for only local resources within a Pages site (which would probably be simpler to implement than full customization).

I'd even be happy if there were some CSP rules you couldn't opt out of — if you want to host a fully-fledged website, you'll want to use services more powerful than GH Pages anyway. SourceHut sites have a default CSP. Only downside is this would be a breaking change.

[pljakobs]

so the need is still there, but no official message from github on it? I build my device firmware here and want the device front end (built in quasar) to go out and fetch updates - since the device is the webserver serving the app, the request going out to the firmware needs to be cors-allowed.
Funny enough github copilot suggests to just drop a _headers file into the gh-pages branch root - but I can't see any change.

[JenicaWoitowicz]

+1 this request! I would love to see something toggleable in the Settings -> Pages section of the repository.