Debugging HTTP headers in Hugo

Hugo can add all headers, including security headers, on the local server (when you run hugo server in the terminal). This is helpful for debugging, as some headers can break your website.

I had a problem setting them at first, but it occurred to me it was a small typo in the documentation, as it does not work well if you target .html only:

read the thread

The documentation has been updated since then, and you can test headers locally with a few lines in config.toml, for example:

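        # Headers served by the local development server (hugo server)
        [server]
          [[server.headers]]
            for = '/**'
            [server.headers.values]
              Permissions-Policy = "interest-cohort=()"
              Strict-Transport-Security = "max-age=31536000; includeSubDomains"
              X-Frame-Options = "SAMEORIGIN"
              X-Content-Type-Options = "nosniff"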

See complete documentation
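
To confirm the configured headers are actually served, here is an added example (not from the original post or Hugo's documentation): a shell function that compares response headers with the four values from the config.toml snippet above, handling case-insensitive names and curl's CRLF line endings. The http://localhost:1313/ address, the function names and the sample responses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check that the headers from config.toml are really served.
# Against a running dev server (assumed default address of `hugo server`):
#   curl -sI http://localhost:1313/ | check_headers

# Expected "name: value" pairs, copied from the config.toml snippet above.
EXPECTED='permissions-policy: interest-cohort=()
strict-transport-security: max-age=31536000; includeSubDomains
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff'

# Reads raw response headers on stdin, prints one line per problem and
# returns 0 only when every expected header is present with the exact value.
check_headers() {
    # Header names are case-insensitive and curl keeps the CRLF line ends,
    # so strip CR and lowercase the name before comparing.
    got=$(tr -d '\r' | awk -F': *' 'NF > 1 { n = tolower($1); sub(/^[^:]*: */, ""); print n ": " $0 }')
    status=0
    while IFS= read -r want; do
        name=${want%%:*}
        if printf '%s\n' "$got" | grep -qxF -- "$want"; then
            continue
        elif printf '%s\n' "$got" | grep -q "^$name: "; then
            echo "MISMATCH $name (want: ${want#*: })"
        else
            echo "MISSING $name"
        fi
        status=1
    done <<EOF
$EXPECTED
EOF
    return "$status"
}

# Constructed sample responses (not captured from a real server).
sample_ok() {
    printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=utf-8\r\n'
    printf 'Permissions-Policy: interest-cohort=()\r\n'
    printf 'Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n'
    printf 'X-Content-Type-Options: nosniff\r\nX-Frame-Options: SAMEORIGIN\r\n\r\n'
}
sample_bad() {  # X-Frame-Options differs, HSTS and Permissions-Policy absent
    printf 'HTTP/1.1 200 OK\r\nx-content-type-options: nosniff\r\n'
    printf 'X-Frame-Options: DENY\r\n\r\n'
}
```

Browsers ignore Strict-Transport-Security received over plain HTTP, so on the local server this check confirms the header is emitted, not that it is enforced.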